Showing
31 changed files
with
2,966 additions
and
0 deletions.
@@ -0,0 +1,56 @@ | ||
ARG REGISTRY | ||
ARG VERSION | ||
|
||
############################################################################### | ||
# ansible is the base Python image with ansible and azure-cli | ||
############################################################################### | ||
FROM ${REGISTRY}/ubi9/python-311:1-66 AS ansible | ||
# Versions | ||
# pipx https://pypi.org/project/pipx/#history | ||
# azure-cli https://pypi.org/project/azure-cli/#history | ||
# ansible https://pypi.org/project/ansible/#history | ||
# ansible.azcollection https://galaxy.ansible.com/ui/repo/published/azure/azcollection/ | ||
ARG PIPX_VERSION=1.7.1 \ | ||
ANSIBLE_VERSION=10.4.0 \ | ||
AZURE_CLI_VERSION=2.64.0 | ||
# ANSIBLE_AZCOLLECTION_VERSION=2.7.0 # ansible now ships with this | ||
|
||
# Have Ansible to print task timing information | ||
ENV ANSIBLE_CALLBACKS_ENABLED=profile_tasks | ||
USER root | ||
|
||
# Using pipx here because ansible and azure-cli have differing required core Azure modules | ||
# They each need a separate venv to avoid collisions | ||
RUN --mount=type=cache,target=/root/.cache/pip/,sharing=locked \ | ||
${APP_ROOT}/bin/pip install "pipx==${PIPX_VERSION}" | ||
RUN --mount=type=cache,target=/root/.cache/pip/,sharing=locked \ | ||
${APP_ROOT}/bin/pipx install "azure-cli==${AZURE_CLI_VERSION}" | ||
RUN --mount=type=cache,target=/root/.cache/pip/,sharing=locked \ | ||
${APP_ROOT}/bin/pipx install "ansible==${ANSIBLE_VERSION}" --include-deps && \ | ||
# ${HOME}/.local/bin/ansible-galaxy collection install "azure.azcollection==${ANSIBLE_AZCOLLECTION_VERSION}" && \ | ||
${APP_ROOT}/bin/pipx runpip ansible install -r "${HOME}/.local/share/pipx/venvs/ansible/lib/python3.11/site-packages/ansible_collections/azure/azcollection/requirements.txt" | ||
RUN --mount=type=cache,target=/root/.cache/pip/,sharing=locked \ | ||
${APP_ROOT}/bin/pipx list && \ | ||
rm -rf ${HOME}/.ansible ${HOME}/.azure | ||
|
||
COPY ansible /ansible | ||
WORKDIR /ansible | ||
RUN --mount=type=cache,target=/root/.cache/pip/,sharing=locked \ | ||
${APP_ROOT}/bin/pipx runpip ansible install -r "/ansible/ansible-requirements.txt" | ||
|
||
############################################################################### | ||
# linter takes the ansible image and injects ansible-lint. Ansible-lint needs | ||
# ansible itself and all ansible modules and python modules installed to correctly lint | ||
############################################################################### | ||
FROM ansible AS linter | ||
ARG ANSIBLE_LINT_VERSION=24.7.0 | ||
RUN --mount=type=cache,target=/root/.cache/pip/,sharing=locked \ | ||
${APP_ROOT}/bin/pipx inject --include-apps ansible "ansible-lint==${ANSIBLE_LINT_VERSION}" | ||
RUN ${HOME}/.local/bin/ansible-lint --offline -c /ansible/.ansible_lint.yaml --project-dir /ansible --format sarif | tee /opt/app-root/src/sarif.txt | ||
|
||
############################################################################### | ||
# Final image is the base image plus ansible-lint's output | ||
############################################################################### | ||
FROM ansible | ||
COPY --from=linter /opt/app-root/src/sarif.txt /opt/app-root/src/sarif.txt | ||
ENTRYPOINT ["/opt/app-root/src/.local/bin/ansible-playbook"] |
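Review bot: The final stage (`FROM ansible` down to the ENTRYPOINT) inherits the `USER root` switched to in the ansible stage and never switches back, so the shipped image runs ansible-playbook as root; add `USER 1001` (the non-root uid the ubi python s2i images use, if that is this base) after the `COPY --from=linter` line, and make sure `${HOME}/.local` and the `~/.ansible` tree ansible writes at runtime are writable by that uid, since everything was installed as root. The lint step runs `ansible-lint ... | tee /opt/app-root/src/sarif.txt` under the default `/bin/sh`, so a non-zero ansible-lint exit is masked by tee and the linter stage can never fail the build; if it is meant as a gate, add `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before that RUN, otherwise say in a comment that the stage only captures output. The cache mounts target `/root/.cache/pip/`, but the `${HOME}`-based paths on the same lines and the `/opt/app-root/src/...` ENTRYPOINT suggest the base image sets HOME to `/opt/app-root/src`, in which case pip's cache lands under `${HOME}/.cache/pip` and the mount is never hit — worth confirming. `${APP_ROOT}` is used but never declared here (presumably the base image's ENV) and `ARG VERSION` is declared but unused in this file; a one-line comment on the former and dropping the latter would keep the file self-explaining.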
Empty file.
@@ -0,0 +1,10 @@ | ||
profile: production | ||
exclude_paths: [] | ||
use_default_rules: true | ||
skip_list: | ||
- no-changed-when | ||
enable_list: | ||
- args | ||
- empty-string-compare | ||
- no-same-owner | ||
- name[prefix] |
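Review bot: `skip_list` with `no-changed-when` disables that rule for every task in the project, which hides the idempotence feedback the `production` profile otherwise enforces; the usual approach is to keep the rule on, drop it from `skip_list`, and mark the specific command/shell tasks with `changed_when: false` or a real condition. `exclude_paths: []` is the default and could be omitted, though leaving it explicit is harmless. The roles this config lints are not in this section, so how many tasks would need the per-task annotation is not visible here.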
kubernetes==29.0.0 | ||
microsoft-kiota-http==1.3.1 | ||
msal==1.28.1 | ||
msgraph-core==1.0.0 |
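Review bot: These pins fix versions but not artifact contents, and the Dockerfile installs them with `pipx runpip ansible install -r` without `--require-hashes`, so a replaced wheel on the index would be accepted silently. For a tamper-evident image each line would carry a `--hash=sha256:<hash from the package index>` entry, which in turn requires the transitive dependencies to be listed and hashed as well (for example with `pip-compile --generate-hashes`). Whether that overhead is justified depends on how this image is promoted; at least a comment naming the index the hashes should be taken from would help a later maintainer.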
@@ -0,0 +1,8 @@ | ||
- name: Cleanup clusters | ||
hosts: all | ||
gather_facts: false | ||
serial: "{{ max_simultaneous_clusters | default(1) }}" | ||
environment: | ||
AZURE_CORE_SURVEY_MESSAGE: "false" | ||
roles: | ||
- cleanup |
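Review bot: `hosts: all` on a play whose only role is `cleanup` means a run without `--limit` tears down every cluster in the inventory; consider targeting a variable, `hosts: "{{ cleanup_hosts | default('all') }}"`, or at least a comment above the play stating that `--limit` is expected. The sibling deploy playbook in this commit opens with a `---` document marker and this one does not; adding it keeps the two consistent. The `cleanup` role itself is not in this section, so whether it carries its own safeguards is not visible here.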
@@ -0,0 +1,21 @@ | ||
--- | ||
- name: Deploy simple clusters | ||
hosts: standard_clusters | ||
gather_facts: false | ||
serial: "{{ max_simultaneous_clusters | default(1) }}" | ||
environment: | ||
AZURE_CORE_SURVEY_MESSAGE: "false" | ||
roles: | ||
- standard_cluster | ||
- smoketest | ||
- cleanup | ||
- name: Bring your own keys disk encryption | ||
hosts: byok_clusters | ||
gather_facts: false | ||
serial: "{{ max_simultaneous_clusters | default(1) }}" | ||
environment: | ||
AZURE_CORE_SURVEY_MESSAGE: "false" | ||
roles: | ||
- byok_cluster | ||
- smoketest | ||
- cleanup |
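Review bot: `cleanup` is the last role in each play, so it only runs for hosts that got through `standard_cluster`/`byok_cluster` and `smoketest`; a host that fails earlier drops out of the play before cleanup and its Azure resources are left behind until the separate cleanup playbook is run. If that is the intended contract, a comment above the first play would make it explicit, e.g. `# A host that fails before the cleanup role keeps its resources; run the cleanup playbook afterwards`; otherwise the roles would need rescue/always handling, which is outside this section. The `serial` and `environment` settings are duplicated verbatim across both plays and could reference a single shared variable so a change is made once.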
@@ -0,0 +1,2 @@ | ||
delegation: localhost | ||
upgrade_paths: |
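Review bot: `upgrade_paths:` with no value parses as YAML `null`, not as an empty list, so a `loop:` or `with_items:` over it in the consuming role fails with a type error instead of iterating zero times; if an empty default is intended, write `upgrade_paths: []`, and if it is a placeholder meant to be overridden elsewhere, a comment saying where would help. The role that reads it is not in this section, so this is inferred from the value alone.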
@@ -0,0 +1,145 @@ | ||
--- | ||
all: | ||
|
||
standard_clusters: | ||
# "standard" in the sense that the unspecialized standard_cluster role will work | ||
# See byok_cluster for an example that is not "standard" | ||
hosts: | ||
basic: | ||
# The simplest possible cluster | ||
name: aro | ||
preview: | ||
name: aro | ||
AZAROEXT_VERSION: 1.0.9 | ||
vars: | ||
resource_group: "{{ CLUSTERPREFIX }}-{{ inventory_hostname }}-{{ location }}" | ||
network_prefix_cidr: 10.0.0.0/22 | ||
master_cidr: 10.0.0.0/23 | ||
master_size: Standard_D8s_v3 | ||
worker_cidr: 10.0.2.0/23 | ||
worker_size: Standard_D4s_v3 | ||
children: | ||
baddns_clusters: | ||
encrypted_clusters: | ||
private_clusters: | ||
udr_clusters: | ||
|
||
baddns_clusters: | ||
# Custom DNS pointing to something that doesn't work to make sure | ||
# we still work with uncooperative DNS servers | ||
# https://learn.microsoft.com/en-us/azure/openshift/howto-custom-dns | ||
hosts: | ||
baddns: | ||
private_baddns: | ||
apiserver_visibility: Private | ||
ingress_visibility: Private | ||
domain: baddns.private | ||
baddns413: | ||
version: 4.13.40 | ||
private_baddns413: | ||
version: 4.13.40 | ||
apiserver_visibility: Private | ||
ingress_visibility: Private | ||
domain: baddns.private | ||
baddns415: | ||
version: 4.15.27 | ||
private_baddns415: | ||
version: 4.15.27 | ||
apiserver_visibility: Private | ||
ingress_visibility: Private | ||
domain: baddns.private | ||
vars: | ||
name: aro | ||
resource_group: "{{ CLUSTERPREFIX }}-{{ inventory_hostname }}-{{ location }}" | ||
dns_servers: | ||
- 172.16.0.0 | ||
network_prefix_cidr: 10.0.0.0/22 | ||
master_cidr: 10.0.0.0/23 | ||
master_size: Standard_D8s_v3 | ||
worker_cidr: 10.0.2.0/23 | ||
worker_size: Standard_D4s_v3 | ||
|
||
byok_clusters: | ||
# Cluster with customer-managed disk encryption key | ||
# https://learn.microsoft.com/en-us/azure/openshift/howto-byok | ||
hosts: | ||
byok: | ||
name: aro | ||
vars: | ||
resource_group: "{{ CLUSTERPREFIX }}-{{ inventory_hostname }}-{{ location }}" | ||
network_prefix_cidr: 10.0.0.0/22 | ||
master_cidr: 10.0.0.0/23 | ||
master_size: Standard_E8s_v5 | ||
worker_cidr: 10.0.2.0/23 | ||
worker_size: Standard_D4s_v5 | ||
|
||
encrypted_clusters: | ||
# Basic cluster with encryption-at-host enabled | ||
hosts: | ||
enc: | ||
name: aro | ||
vars: | ||
resource_group: "{{ CLUSTERPREFIX }}-{{ inventory_hostname }}-{{ location }}" | ||
network_prefix_cidr: 10.0.0.0/22 | ||
master_cidr: 10.0.0.0/23 | ||
worker_cidr: 10.0.2.0/23 | ||
master_size: Standard_E8s_v5 | ||
master_encryption_at_host: true | ||
worker_size: Standard_D4s_v5 | ||
worker_encryption_at_host: true | ||
|
||
private_clusters: | ||
hosts: | ||
private: | ||
# Simple private cluster, no UDR | ||
name: aro | ||
resource_group: "{{ CLUSTERPREFIX }}-private-{{ location }}" | ||
vars: | ||
apiserver_visibility: Private | ||
ingress_visibility: Private | ||
network_prefix_cidr: 10.0.0.0/22 | ||
master_cidr: 10.0.0.0/23 | ||
master_size: Standard_D8s_v3 | ||
worker_cidr: 10.0.2.0/23 | ||
worker_size: Standard_D4s_v3 | ||
|
||
|
||
udr_clusters: | ||
# https://learn.microsoft.com/en-us/azure/openshift/howto-create-private-cluster-4x | ||
hosts: | ||
udr: | ||
name: aro | ||
HAS_INTERNET: false | ||
routes: | ||
- name: Blackhole | ||
address_prefix: 0.0.0.0/0 | ||
next_hop_type: none | ||
udr_no_null: | ||
name: aro | ||
routes: | ||
- name: To Internet | ||
address_prefix: 0.0.0.0/0 | ||
next_hop_type: internet | ||
udr413: | ||
name: aro | ||
version: 4.13.40 | ||
HAS_INTERNET: false | ||
routes: | ||
- name: Blackhole | ||
address_prefix: 0.0.0.0/0 | ||
next_hop_type: none | ||
udr_no_null413: | ||
name: aro | ||
version: 4.13.40 | ||
routes: | ||
- name: To Internet | ||
address_prefix: 0.0.0.0/0 | ||
next_hop_type: internet | ||
vars: | ||
resource_group: "{{ CLUSTERPREFIX }}-{{ inventory_hostname }}-{{ location }}" | ||
network_prefix_cidr: 10.0.0.0/22 | ||
master_cidr: 10.0.0.0/23 | ||
worker_cidr: 10.0.2.0/23 | ||
apiserver_visibility: Private | ||
ingress_visibility: Private | ||
outbound_type: UserDefinedRouting |
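Review bot: The `private` host sets `resource_group: "{{ CLUSTERPREFIX }}-private-{{ location }}"` directly on the host instead of the `{{ inventory_hostname }}` pattern every other group uses; it yields the same name today but silently diverges from the convention if the host is renamed, so move it into `private_clusters.vars` as `resource_group: "{{ CLUSTERPREFIX }}-{{ inventory_hostname }}-{{ location }}"`. `udr_clusters` is the only group whose vars carry no `master_size`/`worker_size`, so those clusters depend on whatever default the role provides — either set them here for consistency or add a comment that the default is deliberate. The `4.13.40` and `4.15.27` version strings are repeated per host; a pair of variables would make a bump a one-line change.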