Initial ansible proof of concept

[ventifus]

What this PR does / why we need it:

This PR leverages Ansible to automate cluster creation in predefined configurations. These configurations are intended to exercise ARO features in a repeatable manner. A formal proposal is under development, see

https://docs.google.com/document/d/1AIcP1jMQS-9hsI_bS6Qhr3IoqtD97LqKfw6c9PNXD5g

We have been running smoketests in regions manually. This is error-prone and needs to be automated. As a first step here is the minimum viable Ansible playbook that creates a cluster, waits for it to become healthy via kube api, runs az aro update, then deletes the cluster. This is designed to run Ansible from a container so that users' development hosts don't need to have Ansible installed and will facilitate running smoketests in an automated fashion in the future.

This will allow us to evaluate the following questions:

• Do we want an Ansible dependency in our codebase?
• What smoke tests do we want? (see https://docs.google.com/document/d/1K9Qffl5CuRr_PpeAKI4ik6Rl4je1p-rdf6_xZXJZzVM)

Test plan for issue:

To test, make sure you've got a valid az login session. This is passed through to the container via your ~/.azure directory.

Then run

$ make cluster

This will first build the required aro-ansible container image if it doesn't exist, then it will execute ansible-playbook in the container.

There are several variables implemented to control aspects of the playbook execution. These can be combined with each other as needed.

To personalize the resulting resource groups, set the CLUSTERPREFIX as desired. This variable defaults to your current shell's $USER.

$ make cluster CLUSTERPREFIX=ocpbugs35300

The default region used is eastus. Set the REGION parameter to choose a different region:

$ make cluster REGION=centraluseuap

To choose one or more cluster configurations, set the CLUSTERPATTERN parameter to a wildcard string that matches the cluster scenarios you wish to test:

$ make cluster CLUSTERPATTERN=udr

To clean up at the end of the run, set CLEANUP to True. This will delete the cluster, the resource group, then the Entra Service Principal and Application.

$ make cluster CLEANUP=True

Currently implemented cluster configurations are:

• basic: Simplest cluster, nothing fancy
• private: Simple cluster with apiserver and ingress visibility set to private.
• enc: Encryption-at-host enabled
• udr: UserDefinedRouting with a blackhole Route Table
• byok: Disk encryption using bring-your-own-key

Private clusters such as private and udr will cause the creation of a jumphost to access the cluster API. Your local SSH public key will be passed to the jumphost, then ansible will use your corresponding private key to tunnel SSH through it. If your local SSH configuration differs from defaults, the Makefile supports two variables to tweak things:

SSH_CONFIG_DIR := $(HOME)/.ssh/
SSH_KEY_BASENAME := id_rsa

Is there any documentation that needs to be updated for this PR?

Yes

How do you know this will function as expected in production?

[lranjbar]

This is really great! I'd love to move this into openshift/aro-e2e so we can use it more broadly.

But also if we turn it into an Ansible collection, we can set up ansible tests for it. Here is an example of the containerized ansible tests I set up for dev-scripts:

https://github.com/openshift-metal3/dev-scripts/blob/master/agent/tests/Dockerfile.agent-test
https://github.com/openshift-metal3/dev-scripts/blob/master/agent/agent_test_commands.sh
https://github.com/openshift-metal3/dev-scripts/blob/master/agent/agent_tests.sh

We can use the same pattern here. I'm really excited for this!

[github-actions]

Please rebase pull request.