DEV Community: Baptiste Mille-Mathias The latest articles on DEV Community by Baptiste Mille-Mathias (@baptistemm). https://dev.to/baptistemm https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F272678%2F843266a0-66bc-47fa-8eb7-995e08000895.jpeg DEV Community: Baptiste Mille-Mathias https://dev.to/baptistemm en Openshift Z-patch upgrade in restricted environment without mirroring quay.io Baptiste Mille-Mathias Thu, 10 Sep 2020 14:27:29 +0000 https://dev.to/baptistemm/openshift-z-patch-upgrade-in-restricted-environment-without-mirroring-quay-io-5em3 https://dev.to/baptistemm/openshift-z-patch-upgrade-in-restricted-environment-without-mirroring-quay-io-5em3 <p>Since version 4.2 Openshift features a disconnected installation method that permits to setup and upgrade a cluster that is not connected to internet.</p> <p>This methods implies you prior copy <a href="https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.3.28/release.txt">the artifacts from the release</a> you will install into your internal registry and to declare using an <code>imagecontentsourcepolicy</code> manifest the mirror so all url from <code>quay.io</code> will substitute on-the-fly by your internal.</p> <p>On the day to day management this is not very convenient because it requires you to monitor and to copy when necessary, or to have a script regularly running and that will copy (even if you'll never use it) the latest release available.</p> <p>However if you have a reverse-cache (or even a registry with reverse-cache like <a href="https://jfrog.com/artifactory/">JFrog Artifactory</a> setup for quay.io you can upgrade directly through it without having to mirror.</p> <p>I assume you already setup for the remote-mirror so the following works<br> </p> <div class="highlight"><pre class="highlight shell"><code>podman pull repository.mycorp.com:5000/openshift-release-dev/ocp-release@sha256:4841bd519be0d5c533d9b4da2996a6d0d340ae1eddb8a6ea213958c7460dcdb4 </code></pre></div> <h1> Create/Update an imagecontentsourcepolicy to point to your artifactory </h1> <div class="highlight"><pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">operator.openshift.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ImageContentSourcePolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">artifactory-remote</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">repositoryDigestMirrors</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mirrors</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">repository.mycorp.com:5000/openshift-release-dev</span> <span class="na">source</span><span class="pi">:</span> <span class="s">quay.io/openshift-release-dev</span> </code></pre></div> <p>Now generate a digest of the images from a node that has access to internet.<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># TARGET_VERSION should be in format x.y.z, for example 4.3.28</span> <span class="nb">export </span><span class="nv">OCP_RELEASE_NUMBER</span><span class="o">=</span><span class="k">${</span><span class="nv">TARGET_VERSION</span><span class="k">}</span> <span class="nb">export </span><span class="nv">DIGEST</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span>oc adm release info quay.io/openshift-release-dev/ocp-release:<span class="k">${</span><span class="nv">OCP_RELEASE_NUMBER</span><span class="k">}</span><span class="nt">-x86_64</span> | <span class="nb">sed</span> <span class="nt">-n</span> <span class="s1">'s/Pull From: .*@//p'</span><span class="si">)</span><span class="s2">"</span> <span class="nb">export </span><span class="nv">SIGNATURE_BASE64</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="s2">"https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release/</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$DIGEST</span> | <span class="nb">cut</span> <span class="nt">-d</span>: <span class="nt">-f1</span><span class="si">)</span><span class="s2">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$DIGEST</span> | <span class="nb">cut</span> <span class="nt">-d</span>: <span class="nt">-f2</span><span class="si">)</span><span class="s2">/signature-1"</span> | <span class="nb">base64</span> <span class="nt">-w0</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span><span class="si">)</span> <span class="nb">export </span><span class="nv">DIGEST_ALGO</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$DIGEST</span> | <span class="nb">cut</span> <span class="nt">-d</span>: <span class="nt">-f1</span><span class="si">)</span> <span class="nb">export </span><span class="nv">DIGEST_SIGNATURE</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$DIGEST</span> | <span class="nb">cut</span> <span class="nt">-d</span>: <span class="nt">-f2</span><span class="si">)</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> | oc apply -f - apiVersion: v1 kind: ConfigMap metadata: name: release-image-</span><span class="k">${</span><span class="nv">OCP_RELEASE_NUMBER</span><span class="k">}</span><span class="sh"> namespace: openshift-config-managed labels: release.openshift.io/verification-signatures: "" binaryData: </span><span class="k">${</span><span class="nv">DIGEST_ALGO</span><span class="k">}</span><span class="sh">-</span><span class="k">${</span><span class="nv">DIGEST_SIGNATURE</span><span class="k">}</span><span class="sh">: </span><span class="k">${</span><span class="nv">SIGNATURE_BASE64</span><span class="k">}</span><span class="sh"> </span><span class="no">EOF </span></code></pre></div> <p>Now you are ready to use the upgrade procedure from redhat as if you had mirrored quay.io</p> openshift devops docker Kubernetes Configuration Management with Ansible (Part 2) Baptiste Mille-Mathias Mon, 22 Jun 2020 19:03:34 +0000 https://dev.to/baptistemm/kubernetes-configuration-management-with-ansible-part-2-4bep https://dev.to/baptistemm/kubernetes-configuration-management-with-ansible-part-2-4bep <p>Follow-up of this <a href="https://dev.to/baptistemm/kubernetes-configuration-management-with-ansible-part-1-4aem">post</a>. We explained the directory organization and the manifest files naming convention, now let's explore the ansible part.</p> <p>Ansible was chosen because I knew it a bit since 2015 when I started automating some repetitive tasks to create a Kafka cluster prototype. Ansible is a good candidate because it can talk to HTTP API and it comes with a list of <a href="https://docs.ansible.com/ansible/latest/modules/list_of_clustering_modules.html">k8s</a> related modules that make easy to query or manage Kubernetes objects (they were rewritten a couple of time before being now really good).</p> <h2> Overview of the Code </h2> <p>I don't plan to review all code, but have a look of key parts of the Ansible code.</p> <ul> <li>The cluster accept a parameter which is the target cluster, then we load the common variables file then the cluster variable file from <code>config</code> directory </li> </ul> <div class="highlight"><pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Deploy</span><span class="nv"> </span><span class="s">manifests</span><span class="nv"> </span><span class="s">on</span><span class="nv"> </span><span class="s">cluster</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">target_cluster</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">connection</span><span class="pi">:</span> <span class="s">local</span> <span class="na">gather_facts</span><span class="pi">:</span> <span class="no">false</span> <span class="na">vars</span><span class="pi">:</span> <span class="na">authorized_cluster</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">dev"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">prod"</span><span class="pi">]</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">localhost</span> <span class="na">pre_tasks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check if the target_cluster variable was properly set</span> <span class="na">fail</span><span class="pi">:</span> <span class="na">msg</span><span class="pi">:</span> <span class="s2">"</span><span class="s">You</span><span class="nv"> </span><span class="s">need</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">specify</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">variable</span><span class="nv"> </span><span class="s">target_cluster</span><span class="nv"> </span><span class="s">with</span><span class="nv"> </span><span class="s">one</span><span class="nv"> </span><span class="s">value</span><span class="nv"> </span><span class="s">({{</span><span class="nv"> </span><span class="s">authorized_cluster</span><span class="nv"> </span><span class="s">}})"</span> <span class="na">when</span><span class="pi">:</span> <span class="s">target_cluster not in authorized_cluster</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Load common variables</span> <span class="na">include_vars</span><span class="pi">:</span> <span class="na">file</span><span class="pi">:</span> <span class="s">configs/common.yml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Load</span><span class="nv"> </span><span class="s">cluster-scoped</span><span class="nv"> </span><span class="s">variables</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">target_cluster</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">include_vars</span><span class="pi">:</span> <span class="na">file</span><span class="pi">:</span> <span class="s2">"</span><span class="s">config/{{</span><span class="nv"> </span><span class="s">target_cluster</span><span class="nv"> </span><span class="s">}}.yml"</span> </code></pre></div> <ul> <li>for the given cluster, we create a list of all yaml files from the <code>common</code> and <code>$cluster</code> directories. We will also define some variables than will be used later </li> </ul> <div class="highlight"><pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Retrieve</span><span class="nv"> </span><span class="s">manifests</span><span class="nv"> </span><span class="s">files</span><span class="nv"> </span><span class="s">from</span><span class="nv"> </span><span class="s">common</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">cluster</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">directories"</span> <span class="na">find</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">yaml_dir</span><span class="nv"> </span><span class="s">}}/common"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">yaml_dir</span><span class="nv"> </span><span class="s">}}/{{</span><span class="nv"> </span><span class="s">cluster</span><span class="nv"> </span><span class="s">}}"</span><span class="pi">]</span> <span class="na">patterns</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">*.yaml'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">*.yml'</span><span class="pi">]</span> <span class="na">file_type</span><span class="pi">:</span> <span class="s">file</span> <span class="na">recurse</span><span class="pi">:</span> <span class="no">true</span> <span class="na">register</span><span class="pi">:</span> <span class="s">manifests_list</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Define</span><span class="nv"> </span><span class="s">variable</span><span class="nv"> </span><span class="s">from</span><span class="nv"> </span><span class="s">manifests</span><span class="nv"> </span><span class="s">filename"</span> <span class="na">vars</span><span class="pi">:</span> <span class="na">filename</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">item.path</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">basename</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">item.path</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">basename</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">regex_replace('.*_(.*)_.*_.*_.*</span><span class="se">\\</span><span class="s">.ya?ml',</span><span class="nv"> </span><span class="s">'</span><span class="se">\\</span><span class="s">1')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">item.path</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">basename</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">regex_replace('.*_.*_(.*)_.*_.*</span><span class="se">\\</span><span class="s">.ya?ml',</span><span class="nv"> </span><span class="s">'</span><span class="se">\\</span><span class="s">1')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">item.path</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">basename</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">regex_replace('.*_.*_.*_(.*)_.*</span><span class="se">\\</span><span class="s">.ya?ml',</span><span class="nv"> </span><span class="s">'</span><span class="se">\\</span><span class="s">1')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">state</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">item.path</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">basename</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">regex_replace('.*_.*_.*_.*_(.*)</span><span class="se">\\</span><span class="s">.ya?ml',</span><span class="nv"> </span><span class="s">'</span><span class="se">\\</span><span class="s">1')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">set_fact</span><span class="pi">:</span> <span class="na">manifests_information</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">manifests_information</span><span class="nv"> </span><span class="s">+</span><span class="nv"> </span><span class="s">[{</span><span class="nv"> </span><span class="s">'filepath':</span><span class="nv"> </span><span class="s">item.path,</span><span class="nv"> </span><span class="s">'filename':</span><span class="nv"> </span><span class="s">filename,</span><span class="nv"> </span><span class="s">'kind':</span><span class="nv"> </span><span class="s">kind,</span><span class="nv"> </span><span class="s">'name':</span><span class="nv"> </span><span class="s">name,</span><span class="nv"> </span><span class="s">'namespace':</span><span class="nv"> </span><span class="s">namespace,</span><span class="nv"> </span><span class="s">'state':</span><span class="nv"> </span><span class="s">state</span><span class="nv"> </span><span class="s">}]</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">loop</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">manifests_list.files</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">sort(attribute='path')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">loop_control</span><span class="pi">:</span> <span class="na">label</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">filename</span><span class="nv"> </span><span class="s">}}"</span> </code></pre></div> <ul> <li>Now we check each file honors the filename convention else we throw an error. </li> </ul> <div class="highlight"><pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Check</span><span class="nv"> </span><span class="s">files</span><span class="nv"> </span><span class="s">match</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">naming</span><span class="nv"> </span><span class="s">convention"</span> <span class="na">fail</span><span class="pi">:</span> <span class="na">msg</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">The file {{ item.filepath }} does not observe the manifest naming convention.</span> <span class="na">when</span><span class="pi">:</span> <span class="s">item.filename == item.kind or</span> <span class="s">item.filename == item.name or</span> <span class="s">item.filename == item.namespace or</span> <span class="s">item.state not in [ "present", "absent" ]</span> <span class="na">with_items</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">manifests_information</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">loop_control</span><span class="pi">:</span> <span class="na">label</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">item.filepath</span><span class="nv"> </span><span class="s">}}"</span> </code></pre></div> <ul> <li>for each file, call the <code>k8s</code> module, the path of of the file is passed to argument using the <a href="https://docs.ansible.com/ansible/latest/plugins/lookup/template.html">lookup plugin template</a>, so the manifest can have logic and variables inside. </li> </ul> <div class="highlight"><pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Deploy</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">item.kind</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">item.name</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">on</span><span class="nv"> </span><span class="s">namespace</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">item.namespace</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">item.state</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">k8s</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://xxxxxx:6443"</span> <span class="na">api_key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">token</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">state</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">item.state</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">definition</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup</span><span class="nv"> </span><span class="s">('template',</span><span class="nv"> </span><span class="s">item.filepath)</span><span class="nv"> </span><span class="s">}}"</span> </code></pre></div> <p>For the code we're done, for a stripped down version it does not require much than that to work.</p> <h2> Coding your Manifests </h2> <p>One of the feature this small playbook permits is to have simple manifest yaml file like this<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">project.openshift.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Project</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">cluster-admin-ns</span><span class="nv"> </span><span class="s">}}"</span> <span class="nn">...</span> </code></pre></div> <p>but you can also using feature like Ansible variables and Jinja templating together.<br> For instance, I had to put a config file into a secret, which require to have the content base64 encoded. It's convenient when you can do that automatically.</p> <ul> <li>In this example, the content for the key <code>fluent.conf</code> come from a file <code>fluent.conf.j2</code> loaded by the <code>template</code> lookup (so the variable are replaced) then passed to the filter <code>b64encode</code>. </li> </ul> <div class="highlight"><pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="s">fluent.conf</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('template',</span><span class="nv"> </span><span class="s">'fluent.conf.j2')</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">b64encode</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">fluent-forwarder-secret</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">logging</span> <span class="nn">...</span> </code></pre></div> <p>with the configuration file treated as a template<br> </p> <div class="highlight"><pre class="highlight plaintext"><code># fluent.conf.j2 # As this file is interpreted as a ansible template, you can add # jinja code inside to put some logic. &lt;source&gt; @type forward port 24224 tag logs.openshift &lt;/source&gt; &lt;match **&gt; # Send all types to Splunk @type splunk_hec hec_host {{ splunk.host }} hec_port {{ splunk.port }} hec_token {{ splunk.token }} index {{ splunk.index }} &lt;/match&gt; </code></pre></div> <p>so it gives once loaded something like<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="s">fluent.conf</span><span class="pi">:</span> <span class="s">IyBmbHVlbnQuY29uZi5qMgojIEFzIHRoaXMgZmlsZSBpcyBpbnRlcnByZXRlZCBhcyBhIGFuc2libGUgdGVtcGxhdGUsIHlvdSBjYW4gYWRkCiMgamluamEgY29kZSBpbnNpZGUgdG8gcHV0IHNvbWUgbG9naWMuCgo8c291cmNlPgogIEB0eXBlICBmb3J3YXJkCiAgcG9ydCAgMjQyMjQKICB0YWcgbG9ncy5vcGVuc2hpZnQKPC9zb3VyY2U+Cgo8bWF0Y2ggKio+CiAgIyBTZW5kIGFsbCB0eXBlcyB0byBTcGx1bmsKICBAdHlwZSBzcGx1bmtfaGVjCiAgaGVjX2hvc3Qgc3BsdW5rLmRvbS50bGQKICBoZWNfcG9ydCA4MDg5CiAgaGVjX3Rva2VuIDM1NDM0My0zNDUzMzMtMTUyMzMKICBpbmRleCBmYWtlLWluZGV4CjwvbWF0Y2g+</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> </code></pre></div> <p>... Just what expect the secret API.<br> So I think we're good for now, I just wanted to give you an idea of what it is possible to do. This is a skeleton that can be enhanced with more check and feature.</p> <p>Perhaps I'll come back with new idea.</p> ansible devops kubernetes automation Kubernetes Configuration Management with Ansible (Part 1) Baptiste Mille-Mathias Mon, 22 Jun 2020 16:52:04 +0000 https://dev.to/baptistemm/kubernetes-configuration-management-with-ansible-part-1-4aem https://dev.to/baptistemm/kubernetes-configuration-management-with-ansible-part-1-4aem <p>Since day 0 I started to administrate Openshift last year, one of the core thing I wanted we tackle with the team was how to manage all customization we would have to do. I'm used to automation software, from bare shell scripts (yes this is automation :) to things like Puppet, CFengine or Ansible and I can't imagine now managing an application, a fleet of nodes, a cluster without being able to automate the deployment of the configuration.</p> <p>So I share here - not in details - what we did in our team. I'll split the explanation in a couple of posts. This is quite simple but effective, we started recently to run regularly this job from AWX in check mode to observe configuration drift and may run it in run mode sooner or later.</p> <h3> Set a plan </h3> <p>We started to make some status &amp; requirements with the colleagues (this is ALWAYS important to do so)</p> <ul> <li>We will administrate several clusters.</li> <li>A big part of the clusters configuration will be the same for all clusters.</li> <li>We must be able to deploy for each cluster some specific manifests</li> <li>The same manifests will deployed on several cluster but may differ slightly (quota values for instance), and we don't want to store all these manifests just for the sake of different values inside. So we must be able have placeholder in the manifests which would be filled with each cluster values.</li> <li>We must be able to add manifests but also to remove manifests from the cluster.</li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--HrygYgpf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/5kbc773hwytxuqjdk8g6.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--HrygYgpf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/5kbc773hwytxuqjdk8g6.jpg" alt="Alt Text"></a></p> <h3> Directory structure </h3> <p>Here is an example of the structure we choose<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>project-dir ├── config │ ├── common.yml │ ├── dev.yml │ └── prod.yml └── manifests ├── common │ ├── 05_authentication │ ├── 10_feature_foo │ └── 30_feature_baz ├── dev │ ├── 40_feature_dev_buz │ └── 60_feature_dev_buu └── prod ├── 50_feature_prod_bar └── 70_feature_prod_boo </code></pre></div> <p>Directory <code>config</code> contains a yaml file for each cluster, with the connection details and all specific variables, the file <code>common.yml</code> contains common and default variables.<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="c1"># prod config file</span> <span class="na">connection</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://prd.prj.domain.tld</span> <span class="na">token</span><span class="pi">:</span> <span class="kt">!vault....</span> <span class="na">ldap_connection</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">bind_user</span><span class="pi">:</span> <span class="s">cn=ldap-prd-user,...</span> <span class="na">bind_password</span><span class="pi">:</span> <span class="kt">!vault...</span> <span class="na">authorized_groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">group-dev-1</span> <span class="pi">-</span> <span class="s">group-dev-2</span> <span class="pi">-</span> <span class="s">group-dev-3</span> <span class="c1"># other prod specific variables</span> </code></pre></div> <h3> File naming Convention </h3> <p>We think after about a naming convention for the manifest files, not that it would enforce the content in the file (exception made to the <code>status</code> field), but to permit to easily spot a manifest file on the disk. We came up with convention <code>XX_kind_name_namespace_status.yml</code> where</p> <ul> <li> <code>XX</code> is a number to which help applying manifest in a specific order.</li> <li> <code>kind</code> is the kind of the manifest (<code>deployment</code>, <code>configMap</code>, ...).</li> <li> <code>name</code> is the value of the file <code>metadata.name</code> of the object to be modified.</li> <li> <code>namespace</code> is the namespace the object belongs to. If the object is not namespaced, like namespace or clusterrole, we set the value to <code>global</code>.</li> <li> <code>status</code> has either value <code>present</code> to ensure it exists or <code>absent</code> to ensure it does not exist. This value in the name of the file will be to the module <code>k8s</code> and will enforce the state of the manifest.</li> </ul> <p><strong>few examples</strong></p> <p>To better understand how it works, let have a look</p> <ul> <li>a manifest file to create a namespace <code>foobar</code> would be named <code>10_namespace_foobar_global_present.yml</code> </li> <li>a deployment named fluentd in namespace <code>cluster-logging</code> would be named <code>30_deployment_fluentd_cluster-logging_present.yml</code> </li> <li>a manifest to delete a <code>configMap</code> named <code>my-config</code> in namespace <code>dev-hideout</code> would be named <code>XX_configmap_my-config_dev-hideouts_absent.yml</code> </li> </ul> <p>Now we had an overview of the structure of the project, the next post will explain the ansible playbook.</p> ansible kubernetes automation devops