Initial Commit

Author: wintermi

.ansible-lint

@@ -0,0 +1,2 @@
+skip_list:
+  - package-latest

.gitignore

@@ -0,0 +1,37 @@
+__pycache__/
+*.py[cod]
+*$py.class
+dist/
+lib/
+*.egg-info/
+.cache
+pytestdebug.log
+source-contexts.json
+source-context.json
+client_secrets.json
+\#*\#
+.\#*
+*_flymake.py
+.DS_Store
+.eggs/
+.python-version
+.idea
+node_modules/
+*.code-workspace
+.envrc
+.coverage
+htmlcov/
+*.iml
+
+# Terraform
+# See: https://github.com/github/gitignore/blob/master/Terraform.gitignore
+**/.terraform/*
+*.tfstate
+*.tfstate.*
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+.terraformrc
+terraform.rc
+/cloudbuild/.terraform.lock.hcl

README.md

@@ -0,0 +1,25 @@
+# Example Ansible Automation for Installing Anthos Bare Metal
+
+
+## Setup Remote User
+Make sure that the remote user account is configured to allow for the execution of sudo without the need to enter a password.  An example of how this can be achieved can be found below:
+
+```
+# Setup sudoers for remote user account e.g "ansible-runner"
+sudo rm -f /etc/sudoers.d/*
+cat <<EOF | sudo tee /etc/sudoers.d/00-ansible-runner
+ansible-runner   ALL=(ALL) NOPASSWD:ALL
+EOF
+```
+
+## Ansible Control Machine Setup
+On your Ansible Control Machine, ensure that you install and initialize the Google Cloud SDK using these [instructions](https://cloud.google.com/sdk/docs). This process will install gcloud and gsutil.
+
+Next we need to loging in with your Google Account which will be used by Ansible to manage the services and service accounts:
+```
+gcloud auth login --update-adc
+```
+and finally ensure that you setup the default Google Cloud Project
+```
+gcloud config set project "PROJECT_ID"
+```

ansible.cfg

@@ -0,0 +1,19 @@
+# Copyright 2021, Matthew Winter
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+[defaults]
+inventory = ./inventory/hosts.yml
+host_key_checking = False
+private_key_file = ~/.ssh/id_rsa

create-anthos-cluster.yml

@@ -0,0 +1,45 @@
+# Copyright 2021, Matthew Winter
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+#--------------------------------------------------------------------
+# Playbook to Create Anthos Cluster
+#--------------------------------------------------------------------
+
+---
+
+- name: Prepare the Anthos Cluster Nodes
+  hosts: "{{ target_nodes }}"
+  vars_files:
+    - vars/anthos.yml
+    - vars/timesync.yml
+  roles:
+    - role: remove-docker
+    - role: system-package-update
+    - role: disable-firewall
+    - role: setup-timesync
+    - role: setup-login-user
+    - role: copy-workstation-ssh
+
+
+- name: Setup the Anthos Cluster
+  hosts: "{{ target_workstation }}"
+  remote_user: "{{ login_user }}"
+  vars_files:
+    - vars/anthos.yml
+  roles:
+    - role: check-cluster-registered
+    - role: bmctl-create-config
+    - role: bmctl-check-config
+    - role: bmctl-create-cluster

create-anthos-workstation.yml

@@ -0,0 +1,56 @@
+# Copyright 2021, Matthew Winter
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+#--------------------------------------------------------------------
+# Playbook to Create Anthos Workstation
+#--------------------------------------------------------------------
+
+---
+
+- name: Prepare the Google Cloud Project for Anthos
+  hosts: localhost
+  vars_files:
+    - vars/anthos.yml
+  roles:
+    - role: enable-ansible-services
+    - role: enable-anthos-services
+    - role: create-anthos-service-accounts
+    - role: create-ansible-service-accounts
+
+
+- name: Prepare the Anthos Workstation
+  hosts: "{{ target_workstation }}"
+  vars_files:
+    - vars/anthos.yml
+    - vars/timesync.yml
+  roles:
+    - role: system-package-update
+    - role: disable-firewall
+    - role: setup-timesync
+    - role: setup-login-user
+
+
+- name: Setup the Anthos Workstation as "login_user"
+  hosts: "{{ target_workstation }}"
+  remote_user: "{{ login_user }}"
+  vars_files:
+    - vars/anthos.yml
+  roles:
+    - role: copy-service-account-keys
+    - role: setup-gcloud-sdk
+    - role: activate-gcloud-sdk
+    - role: setup-kubectl
+    - role: setup-bmctl
+    - role: setup-docker

inventory/hosts.yml

@@ -0,0 +1,9 @@
+anthos_workstations:
+  hosts:
+    anthos-workstation:
+      ansible_host: 10.0.200.1
+      
+anthos_cluster:
+  hosts:
+    anthos-edge:
+      ansible_host: 10.0.200.2

roles/activate-gcloud-sdk/tasks/main.yml

@@ -0,0 +1,51 @@
+# Copyright 2021, Matthew Winter
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+---
+
+- name: Add GOOGLE_APPLICATION_CREDENTIALS Environment Variable to ".bashrc"
+  ansible.builtin.lineinfile:
+    path: "{{ ansible_user_dir }}/.bashrc"
+    regexp: "^export GOOGLE_APPLICATION_CREDENTIALS="
+    line: "export GOOGLE_APPLICATION_CREDENTIALS=\"{{ gcp_keys_dir }}/{{ item }}.json\""
+  with_items:
+    - "{{ ansible_service_account }}"
+
+- name: Activate Ansible Service Account for "login_user"
+  ansible.builtin.shell:
+    cmd: |
+      set -o pipefail
+      gcloud auth activate-service-account "{{ item }}@{{ gcp_project_id }}.iam.gserviceaccount.com" --key-file="{{ item }}.json"
+      gcloud config set project "{{ gcp_project_id }}"
+    chdir: "{{ gcp_keys_dir }}"
+  args:
+    executable: /bin/bash
+  changed_when: false
+  with_items:
+    - "{{ ansible_service_account }}"
+
+- name: Activate Ansible Service Account for "root"
+  ansible.builtin.shell:
+    cmd: |
+      set -o pipefail
+      gcloud auth activate-service-account "{{ item }}@{{ gcp_project_id }}.iam.gserviceaccount.com" --key-file="{{ item }}.json"
+      gcloud config set project "{{ gcp_project_id }}"
+    chdir: "{{ gcp_keys_dir }}"
+  args:
+    executable: /bin/bash
+  become: true
+  changed_when: false
+  with_items:
+    - "{{ ansible_service_account }}"

roles/bmctl-check-config/tasks/main.yml

@@ -0,0 +1,36 @@
+# Copyright 2021, Matthew Winter
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+---
+
+- name: Check "bmctl" Configuration for Anthos Cluster
+  ansible.builtin.shell:
+    cmd: |
+      set -o pipefail
+      export GOOGLE_APPLICATION_CREDENTIALS="{{ gcp_keys_dir }}/{{ ansible_service_account }}.json"
+      bmctl check config -c "{{ cluster_name }}" --quiet
+  args:
+    executable: /bin/bash
+  register: cluster_check_fail
+  failed_when: false
+  changed_when: false
+
+- name: Check the Previous Task
+  ansible.builtin.debug:
+    msg: "{{ cluster_check_fail.stdout_lines + cluster_check_fail.stderr_lines }}"
+  failed_when: cluster_check_fail.rc != 0
+  when:
+    - cluster_check_fail.stdout_lines is defined
+    - cluster_check_fail.stderr_lines is defined

roles/bmctl-create-cluster/tasks/main.yml

@@ -0,0 +1,36 @@
+# Copyright 2021, Matthew Winter
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+---
+
+- name: Create Anthos Cluster
+  ansible.builtin.shell:
+    cmd: |
+      set -o pipefail
+      export GOOGLE_APPLICATION_CREDENTIALS="{{ gcp_keys_dir }}/{{ ansible_service_account }}.json"
+      bmctl create cluster -c "{{ cluster_name }}" --quiet
+  args:
+    executable: /bin/bash
+  register: create_cluster
+  failed_when: false
+  changed_when: false
+
+- name: Check the Previous Task
+  ansible.builtin.debug:
+    msg: "{{ create_cluster.stdout_lines + create_cluster.stderr_lines }}"
+  failed_when: create_cluster.rc != 0
+  when:
+    - create_cluster.stdout_lines is defined
+    - create_cluster.stderr_lines is defined

roles/bmctl-create-config/tasks/main.yml

@@ -0,0 +1,50 @@
+# Copyright 2021, Matthew Winter
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+---
+
+- name: Check if the "bmctl" Configuration YAML File Exists
+  ansible.builtin.stat:
+    path: "{{ bmctl_workspace_dir }}/{{ cluster_name }}/{{ cluster_name }}.yaml"
+  register: bmctl_config_exists
+
+- name: Create the Standard Workspace for a "NEW" Anthos Cluster
+  ansible.builtin.shell:
+    cmd: |
+      set -o pipefail
+      export GOOGLE_APPLICATION_CREDENTIALS="{{ gcp_keys_dir }}/{{ ansible_service_account }}.json"
+      bmctl create config -c "{{ cluster_name }}" --quiet
+  args:
+    executable: /bin/bash
+  register: create_config
+  failed_when: false
+  changed_when: false
+  when: not bmctl_config_exists.stat.exists
+
+- name: Check the Previous Task
+  ansible.builtin.debug:
+    msg: "{{ create_config.stdout_lines + create_config.stderr_lines }}"
+  failed_when: create_config.rc != 0
+  when:
+    - create_config.stdout_lines is defined
+    - create_config.stderr_lines is defined
+
+- name: Write the "bmctl" Configuration YAML File
+  ansible.builtin.template:
+    src: bmctl-config-{{ cluster_name }}.yaml.j2
+    dest: "{{ bmctl_workspace_dir }}/{{ cluster_name }}/{{ cluster_name }}.yaml"
+    owner: "{{ login_user }}"
+    group: "{{ login_user }}"
+    mode: u=rw,g=rw,o=r