fix: problems found when deploying kubernetes 1.24.3 cluster

fix: authentication

ansible/playbook/ocp/ocp_openstack_install.yml

@@ -1,18 +1,21 @@
 ---
+- name: "Build OpenStack authentication for v3password"
+  import_playbook: "../openstack/openstack_auth_passstore_v3password.yml"
+
 - name: "Install OCP"
   hosts: localhost
   gather_facts: true
 
-  pre_tasks:
-    - name: "Set openstack_auth facts"
-      set_fact:
-        openstack_auth: 
-          openstack_project_name: "{{ query('passwordstore', 'openstack/host/project_name')[0] }}"
-          openstack_console_user:  "{{ query('passwordstore', 'openstack/host/console_user')[0] }}"
-          openstack_console_password: "{{ query('passwordstore', 'openstack/host/console_pw')[0] }}"
-          openstack_user_domain:  "{{ query('passwordstore', 'openstack/host/console_domain')[0] }}"
-          openstack_project_domain: "{{ query('passwordstore', 'openstack/host/os_domain')[0] }}"
-          openstack_os_auth_url: "{{ query('passwordstore', 'openstack/host/os_auth_url')[0] }}"
+  # pre_tasks:
+  #   - name: "Set openstack_auth facts"
+  #     set_fact:
+  #       openstack_auth: 
+  #         openstack_project_name: "{{ query('passwordstore', 'openstack/host/project_name')[0] }}"
+  #         openstack_console_user:  "{{ query('passwordstore', 'openstack/host/console_user')[0] }}"
+  #         openstack_console_password: "{{ query('passwordstore', 'openstack/host/console_pw')[0] }}"
+  #         openstack_user_domain:  "{{ query('passwordstore', 'openstack/host/console_domain')[0] }}"
+  #         openstack_project_domain: "{{ query('passwordstore', 'openstack/host/os_domain')[0] }}"
+  #         openstack_os_auth_url: "{{ query('passwordstore', 'openstack/host/os_auth_url')[0] }}"
 
   tasks:
     - name: "Deploy OCP"

ansible/playbook/openstack/README.adoc

@@ -101,12 +101,12 @@ This name will be used both as hostname as well as Ansible Inventory name.
 
 [source,bash]
 ----
-$ VM_NAME=vm20230627-t01
+VM_NAME=vm20230627-t01
 ----
 
 [source,bash]
 ----
-$ ansible-playbook ansible/playbook/openstack/openstack_vm_create_passwordstore.yml -e '{"openstack": {"vm": {"network": "provider_net_shared","image": "Fedora-Cloud-Base-35", "flavor": "m1.medium"}}}' -e vm_name=${VM_NAME} 
+ansible-playbook ansible/playbook/openstack/openstack_vm_create_passwordstore.yml -e '{"openstack": {"vm": {"network": "provider_net_shared","image": "Fedora-Cloud-Base-35", "flavor": "m1.medium"}}}' -e vm_name=${VM_NAME} 
 ----
 
 Although some failures might occur some might be ignored which shouldn't affect thhe process. This playbook should finish with no failed tasks.

ansible/playbook/openstack/check.yml

@@ -0,0 +1,12 @@
+---
+- name: "Check OpenStack"
+  set_fact:
+    pass_provider: "openstack"
+  when: "pass_provider is not defined"
+
+- name: "Set OpenStack default variables"
+  set_fact:
+    use_generic_ssh_key: True
+    generic_ssh_key_name: generic-key
+  when: "use_generic_ssh_key is not defined or (use_generic_ssh_key | bool) "
+...

ansible/playbook/openstack/openstack_auth_passstore_v3applicationcredential.yml

@@ -0,0 +1,15 @@
+---
+- name: "OpenStack authentication with passwordstore and v3applicationcredential"
+  hosts: localhost
+
+  tasks:
+
+    - name: "Set facts"
+      ansible.builtin.set_fact:
+        rhos_authentication_type: v3applicationcredential
+        rhos_authentication:
+          auth_url: "{{ query('passwordstore', 'openstack/host/os_auth_url')[0] }}"
+          application_credential_id: "{{ query('passwordstore', 'openstack/host/app_cred_id')[0] }}"
+          application_credential_secret: "{{ query('passwordstore', 'openstack/host/app_cred_secret')[0] }}"
+
+...

ansible/playbook/openstack/openstack_auth_passstore_v3password.yml

@@ -1,5 +1,5 @@
 ---
-- name: "OpenStack Authentication v3password"
+- name: "OpenStack authentication with passwordstore and v3password"
   hosts: localhost
   gather_facts: false
 

ansible/playbook/openstack/openstack_list_objects_v3applicationcredential.yml

@@ -0,0 +1,55 @@
+---
+- name: "Instanciate RHOS authentication"
+  ansible.builtin.import_playbook: "openstack_auth_passstore_v3applicationcredential.yml"
+  vars:
+    vm_user: "snowdrop"
+    pass_provider: "openstack"
+
+- name: "OpenStack Authentication"
+  hosts: localhost
+
+  tasks:
+
+    - name: "Get auth_token"
+      openstack.cloud.auth:
+        auth_type: "{{ rhos_authentication_type }}"
+        auth: "{{ rhos_authentication }}"
+      register: auth_result
+
+    - name: "Print Openstack Authentication result"
+      ansible.builtin.debug:
+        msg: "auth_result: {{ auth_result }}"
+        verbosity: 0
+
+
+    - name: List Fedora images
+      openstack.cloud.image_info:
+        auth_type: "{{ rhos_authentication_type }}"
+        auth: "{{ rhos_authentication }}"
+        properties:
+          os_distro: "fedora"
+      register: image_info_result
+
+    - name: "Print Openstack output"
+      ansible.builtin.debug:
+        var: image_info_result
+
+    # https://docs.openstack.org/ocata/cli-reference/glance-property-keys.html
+    - name: List Fedora images
+      openstack.cloud.image_info:
+        # token, v2token, v3token, admin_token
+        auth_type: token
+        auth:
+          auth_url: "https://rhos-d.infra.prod.upshift.rdu2.redhat.com:13000"
+          # token: "{{ auth_result.ansible_facts['auth_token'] }}"
+          token: "{{ auth_result.auth_token }}"
+        interface: "internal"
+        properties:
+          os_distro: "fedora"
+      register: image_info_result
+
+    - name: "Print Openstack output"
+      ansible.builtin.debug:
+        var: image_info_result
+...
+# ansible-playbook ansible/playbook/openstack/openstack_auth.yml

ansible/playbook/openstack/openstack_list_objects.yml → ansible/playbook/openstack/openstack_list_objects_v3password.yml

@@ -1,20 +1,14 @@
-# ansible-playbook ansible/playbook/openstack/openstack_auth.yml
 ---
+- name: "Instanciate RHOS authentication"
+  ansible.builtin.import_playbook: "openstack_auth_passstore_v3password.yml"
+  vars:
+    vm_user: "snowdrop"
+    pass_provider: "openstack"
+
 - name: "OpenStack Authentication"
   hosts: localhost
   gather_facts: false
 
-  pre_tasks:
-    - name: "Set openstack_auth facts"
-      ansible.builtin.set_fact:
-        openstack_auth: 
-          openstack_project_name: "{{ query('passwordstore', 'openstack/host/project_name')[0] }}"
-          openstack_console_user:  "{{ query('passwordstore', 'openstack/host/console_user')[0] }}"
-          openstack_console_password: "{{ query('passwordstore', 'openstack/host/console_pw')[0] }}"
-          openstack_user_domain:  "{{ query('passwordstore', 'openstack/host/console_domain')[0] }}"
-          openstack_project_domain: "{{ query('passwordstore', 'openstack/host/os_domain')[0] }}"
-          openstack_os_auth_url: "{{ query('passwordstore', 'openstack/host/os_auth_url')[0] }}"
-
   tasks:
 
     - name: "Print Openstack output"

ansible/playbook/openstack/openstack_vm_create_passwordstore.yml

@@ -10,37 +10,34 @@
 #  . k8s_version: Kubernetes version [117 ... 121], empty for no k8s installation
 
 - name: "Validate passwordstore"
-  import_playbook: "../passstore/passstore_controller_check.yml"
+  ansible.builtin.import_playbook: "../passstore/passstore_controller_check.yml"
 
 # tag::initialize_passwordstore_inventory[]
 - name: "Initialize passwordstore inventory"
-  import_playbook: "../passstore/passstore_controller_inventory.yml"
+  ansible.builtin.import_playbook: "../passstore/passstore_controller_inventory.yml"
   vars:
     vm_user: "snowdrop"
     pass_provider: "openstack"
 # end::initialize_passwordstore_inventory[]
 
+# tag::instanciate_rhos_auth[]
+- name: "Instanciate RHOS authentication"
+  ansible.builtin.import_playbook: "openstack_auth_passstore_v3password.yml"
+  vars:
+    vm_user: "snowdrop"
+    pass_provider: "openstack"
+# end::instanciate_rhos_auth[]
+
 - name: "Openstack VM create"
   hosts: localhost
   gather_facts: True
-
-  pre_tasks:
-    - name: "Set openstack_auth facts"
-      ansible.builtin.set_fact:
-        openstack_auth: 
-          openstack_project_name: "{{ query('passwordstore', 'openstack/host/project_name')[0] }}"
-          openstack_console_user:  "{{ query('passwordstore', 'openstack/host/console_user')[0] }}"
-          openstack_console_password: "{{ query('passwordstore', 'openstack/host/console_pw')[0] }}"
-          openstack_user_domain:  "{{ query('passwordstore', 'openstack/host/console_domain')[0] }}"
-          openstack_project_domain: "{{ query('passwordstore', 'openstack/host/os_domain')[0] }}"
-          openstack_os_auth_url: "{{ query('passwordstore', 'openstack/host/os_auth_url')[0] }}"
 
   tasks:
     # outputs: 
     #   . openstack_vm_ipv4
     #   . openstack_output
     - name: "Execute create inventory, if tagged as so"
-      include_role:
+      ansible.builtin.include_role:
         name: "snowdrop.cloud_infra.openstack_vm"
         apply:
           tags:
@@ -53,55 +50,6 @@
       set_fact:
         openstack_vm_ipv4: "{{ query('passwordstore', 'openstack/' + vm_name + '/ansible_ssh_host create=True userpass=' + openstack_vm_ipv4 )[0] }}"
 
-- name: "Refresh inventory"
-  hosts: localhost
-  gather_facts: True
-
-  tasks:
-    - name: Refresh the inventory so the newly added host is available
-      meta: refresh_inventory
-
-    - name: "Add host to known hosts {{ hostvars[vm_name]['ansible_ssh_host'] }}"
-      ansible.builtin.known_hosts:
-        name: "{{ hostvars[vm_name]['ansible_ssh_host'] }}"
-        key: "{{ lookup('pipe', 'ssh-keyscan {{ hostvars[vm_name].ansible_ssh_host }}') }}"
-        hash_host: true
-
-- name:  "Wait for the VM to boot and we can ssh"
-  hosts: "{{ vm_name }}"
-  gather_facts: no
-
-  tasks:
-    - name: "Show 'Wait for connection to host' output"
-      debug:
-        msg: 
-          - "ip : {{ query('passwordstore', 'openstack/' + vm_name + '/ansible_ssh_host')[0] }}"
-          - "port : {{ query('passwordstore', 'openstack/' + vm_name + '/ansible_ssh_port')[0] }}"
-
-    - name: "Wait for connection to host"
-      ansible.builtin.wait_for:
-        host: "{{ query('passwordstore', 'openstack/' + vm_name + '/ansible_ssh_host')[0] }}"
-        port: "{{ query('passwordstore', 'openstack/' + vm_name + '/ansible_ssh_port')[0] }}"
-        timeout: 120
-      register: wait_for_connection_reg
-
-  post_tasks:
-    - name: "DON'T FORGET TO SECURE YOUR SERVER"
-      debug:
-        msg: "Trying to start start server securization automatically For manual execution: $ ansible-playbook ansible/playbook/sec_host.yml -e vm_name={{ vm_name }} -e provider=openstack"
-
-- name: "Openstack VM init"
-  hosts: "{{ vm_name }}"
-  gather_facts: yes
-
-  roles:
-    - role: "openstack/init_vm"
-
-- name: "Secure new server"
-  import_playbook: "../sec_host.yml"
-  vars:
-    provider: "openstack"
-    hosts: "{{ vm_name }}"
-    vm_name: "{{ vm_name }}"
-  tags: [always]
+- name: "Execute post create actions"
+  ansible.builtin.import_playbook: "openstack_vm_create_post_passwordstore.yml"
 ...

ansible/roles/k8s_cluster/tasks/install_cni.yml

@@ -13,6 +13,14 @@
   set_fact:
     install_calico: "(kc_calico_ds is undefined or (kc_calico_ds.rc != 0 and 'NotFound' not in kc_calico_ds.stderr))"
 
+- name: "Pull Calico images"
+  shell: |
+    docker pull docker.io/calico/cni:{{ calico_version }}
+    docker pull docker.io/calico/typha:{{ calico_version }}
+    docker.io/calico/pod2daemon-flexvol:{{ calico_version }}
+  register: kc_tigera_calico
+  failed_when: kc_tigera_calico.rc > 0 and 'already exists' not in kc_tigera_calico.stderr
+
 - name: "Print Decide calico output"
   debug: 
     msg: "install_calico {{ install_calico }}"