Support Proxy installation in shiftstack-qa automation

https://issues.redhat.com/browse/OSPRH-4174

- Add a job definition for OCP 4.16 IPI proxy installation.
- Prepare a restricted network for the installer-host.
- Configure the installer VM for OpenShift proxy installation:
  - Configure squid on the installer vm.
  - Install and configure dnsmasq on the installer host.
  - Install NTP server on the installer host.
- Add a template for generating an OpenShift install-config.yaml in a
  proxy installation.
- Configure the NTP server of the workers and masters in the proxy
  installation post.

Depends-on: https://review.gerrithub.io/c/shiftstack/shiftstack-qa/+/1196079

Change-Id: I64ddebfa53d3a41ec6193bb29fd31c6d6d9511fe
Reviewed-on: https://review.gerrithub.io/c/shiftstack/shiftstack-qa/+/1194955
Tested-by: rhosqeauto <[email protected]>
Reviewed-by: Ramón Lobillo <[email protected]>
Tested-by: Itay Matza <[email protected]>

Author: imatza-rh

Diff for: .ansible-lint

@@ -20,3 +20,4 @@ skip_list:
   - metadata
   - var-naming[no-role-prefix]
   - name[template]
+  - package-latest

Diff for: collection/stages/roles/install/defaults/main.yml

@@ -12,8 +12,8 @@ upi_inventory_file_values:
   - {regexp: "os_subnet:.*", replace: "os_subnet: '{{ openshift_upi.subnets.ipv4.name }}'"}
   - {regexp: "os_subnet_range:.*", replace: "os_subnet_range: '{{ topology.machine_cidr }}'"}
   - {regexp: "os_external_network:.*", replace: "os_external_network: '{{ infra.external_network }}'"}
-  - {regexp: "os_api_fip:.*", replace: "os_api_fip: '{{ resources.api_fip }}'"}
-  - {regexp: "os_ingress_fip:.*", replace: "os_ingress_fip: '{{ resources.apps_fip }}'"}
+  - {regexp: "os_api_fip:.*", replace: "os_api_fip: '{{ resources.api_accessible_ip }}'"}
+  - {regexp: "os_ingress_fip:.*", replace: "os_ingress_fip: '{{ resources.apps_accessible_ip }}'"}
   - {regexp: "os_bootstrap_fip:.*", replace: "os_bootstrap_fip: '{{ resources.bootstrap_fip }}'"}
   - {regexp: "ansible_python_interpreter:", replace: "#ansible_python_interpreter:"}
 

Diff for: collection/stages/roles/install/tasks/generate_ocp_install-config.yml

@@ -11,7 +11,7 @@
     api_filter: "api.{{ ocp_cluster_name }}.{{ user_cloud }}.com"
     ingress_filter: "oauth-openshift.apps.{{ ocp_cluster_name }}.{{ user_cloud }}.com"
 
-- name: Generate install-config.yaml from template
+- name: Generate an OpenShift install-config.yaml in a non-proxy installation
   ansible.builtin.template:
     src: install-config.yaml.j2
     dest: "{{ user_cloud_installation_dir }}/install-config.yaml"
@@ -29,6 +29,34 @@
     installcfg_dns_servers: "{{ infra.dns_servers }}"
     installcfg_api_floating_ip: "{{ precreated_api_fip }}"
     installcfg_ingress_floating_ip: "{{ precreated_ingress_fip }}"
+  when: not openshift_proxy_installation
+
+- name: Generate an OpenShift install-config.yaml in a proxy installation
+  when: openshift_proxy_installation
+  block:
+    - name: Include vars from registered resources
+      ansible.builtin.include_vars:
+        file: "{{ resources_file }}"
+        name: resources
+
+    - name: Generate install-config.yaml from install-config-proxy.yaml.j2 template
+      ansible.builtin.template:
+        src: install-config-proxy.yaml.j2
+        dest: "{{ user_cloud_installation_dir }}/install-config.yaml"
+        mode: u=rw,g=rw,o=r
+      vars:
+        installcfg_cluster_name: "{{ ocp_cluster_name }}"
+        installcfg_worker_flavor: "{{ topology.flavors.worker.name }}"
+        installcfg_worker_replicas: "{{ (installation_type == 'upi') | ternary('0', topology.replicas.worker) }}"
+        installcfg_master_flavor: "{{ topology.flavors.master.name }}"
+        installcfg_master_replicas: "{{ topology.replicas.master }}"
+        installcfg_machine_cidr: "{{ resources.restricted_cidr }}"
+        installcfg_network_type: "{{ openshift_network_type }}"
+        installcfg_region: "{{ infra.region }}"
+        installcfg_machines_subnet: "{{ resources.machines_subnet }}"
+        installcfg_api_vip: "{{ precreated_api_fip }}"
+        installcfg_ingress_vip: "{{ precreated_ingress_fip }}"
+        installcfg_additional_trust_bundle: "{{ resources.additional_trust_bundle }}"
 
 - name: Copy the install-config.yaml to installation dir
   ansible.builtin.copy:

Diff for: collection/stages/roles/install/templates/install-config-proxy.yaml.j2

@@ -0,0 +1,45 @@
+# This file is autogenerated by shiftstack-qe automation
+apiVersion: v1
+baseDomain: "{{ user_cloud }}.com"
+compute:
+- name: worker
+  platform:
+    openstack:
+      type: "{{ installcfg_worker_flavor }}"
+  replicas: {{ installcfg_worker_replicas }}
+controlPlane:
+  name: master
+  platform:
+    openstack:
+      type: "{{ installcfg_master_flavor }}"
+  replicas: {{ installcfg_master_replicas }}
+metadata:
+  name: "{{ installcfg_cluster_name }}"
+networking:
+  clusterNetworks:
+  - cidr: 10.128.0.0/14
+    hostSubnetLength: 9
+  serviceNetwork:
+    - 172.30.0.0/16
+  machineNetwork:
+    - cidr: "{{ installcfg_machine_cidr }}"
+  networkType: "{{ installcfg_network_type }}"
+platform:
+  openstack:
+    cloud:            "{{ user_cloud }}"
+    externalNetwork:  ""
+    region:           "{{ installcfg_region }}"
+    machinesSubnet: {{ installcfg_machines_subnet }}
+    apiVIP: "{{ installcfg_api_vip }}"
+    ingressVIP: "{{ installcfg_ingress_vip }}"
+proxy:
+  httpProxy: http://dummy:dummy@{{restricted_network.installer_ip}}:3128/
+  httpsProxy: https://dummy:dummy@{{restricted_network.installer_ip}}:3130/
+pullSecret: |
+  {{ ocp_pull_secret }}
+sshKey: |
+  {{ ocp_public_key }}
+additionalTrustBundle: |
+{% for line in installcfg_additional_trust_bundle %}
+  {{ line }}
+{% endfor %}

Diff for: collection/stages/roles/post/tasks/main.yml

@@ -11,3 +11,7 @@
         name: version
       spec:
         channel: ""
+
+- name: Set the workers and masters NTP server
+  ansible.builtin.include_tasks: set_ntp.yml
+  when: openshift_proxy_installation

Diff for: collection/stages/roles/post/tasks/set_ntp.yml

@@ -0,0 +1,82 @@
+---
+# We follow the procedure at:
+# https://docs.openshift.com/container-platform/4.10/post_installation_configuration/machine-configuration-tasks.html#installation-special-config-chrony_post-install-machine-configuration-tasks
+- name: Install Butane
+  become: yes
+  ansible.builtin.get_url:
+    url: https://mirror.openshift.com/pub/openshift-v4/clients/butane/latest/butane
+    dest: /usr/local/bin/butane
+    mode: u=rwx,g=rwx,o=rwx
+
+- name: Get OCP GA version from release.txt and Build the chronyc manifest
+  block:
+    - name: Download the OCP GA version from openshift mirror
+      ansible.builtin.get_url:
+        url: https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable/release.txt
+        dest: /tmp/release.txt
+        mode: u=rw,g=rw,o=r
+
+    - name: Extract OpenShift version
+      ansible.builtin.shell: |
+        grep -oP "Version:\s*\K4\.\d+" /tmp/release.txt
+      changed_when: false
+      register: openshift_ga_version
+
+    - name: Set ocp_latest_ga variable
+      ansible.builtin.set_fact:
+        ocp_latest_ga: "{{ openshift_ga_version.stdout }}"
+
+    - name: Build the chronyc manifest
+      vars:
+        ntp_server: "{{ openshift_mirror | default(False) | ternary(installer_vm.installer_fqdn, restricted_network.installer_ip) }}"
+      ansible.builtin.template:
+        src: 99-node-chronyc.j2
+        dest: "{{ home_dir }}/99-{{ item }}-chrony"
+        mode: u=rw,g=rw,o=r
+      loop:
+        - worker
+        - master
+
+# Use Butane to translate a human readable Butane config into a machine readable Ignition config
+- name: Build the chrony machine config
+  ansible.builtin.shell: |
+    butane {{ home_dir }}/99-{{ item }}-chrony -o {{ home_dir }}/99-{{ item }}-chrony.yaml
+  changed_when: true
+  loop:
+    - worker
+    - master
+
+- name: Apply the chrony manifest
+  kubernetes.core.k8s:
+    state: present
+    src: "{{ home_dir }}/99-{{ item }}-chrony.yaml"
+  loop:
+    - worker
+    - master
+  environment:
+    KUBECONFIG: "{{ kubeconfig }}"
+
+- name: Wait for the MCP to finish the cluster updates
+  ansible.builtin.include_role:
+    name: tools_cluster_checks
+    tasks_from: wait_mcp_updated.yml
+
+- name: Wait until cluster nodes are ready
+  ansible.builtin.include_role:
+    name: tools_cluster_checks
+    tasks_from: wait_until_nodes_ready.yml
+
+# Go over all the OCP nodes and check that NTP is configured correctly by checking that the Stratum from
+# The chronyc tracking command is not 0 in any of them
+- name: Check that the NTP server is reachable from all the OCP nodes
+  ansible.builtin.shell: |
+    set -o pipefail &&
+    for i in $(oc get nodes -o name);
+    do  oc debug -q $i -- chroot /host sudo chronyc tracking|awk '/Stratum/{print $3}'; done | tr -d '\n' |  awk '/0/{exit 1}'
+  environment:
+    KUBECONFIG: "{{ kubeconfig }}"
+  changed_when: false
+  register: ntp_output
+  until: ntp_output is not failed
+  retries: 5
+  delay: 30

Diff for: collection/stages/roles/post/templates/99-node-chronyc.j2

@@ -0,0 +1,22 @@
+variant: openshift
+{% if discovered_openshift_release is version(ocp_latest_ga, '<=') %}
+version: {{ discovered_openshift_release }}.0
+{% else %}
+version: {{ ocp_latest_ga }}.0
+{% endif %}
+metadata:
+  name: 99-{{ item }}-chrony
+  labels:
+    machineconfiguration.openshift.io/role: {{ item }}
+storage:
+  files:
+  - path: /etc/chrony.conf
+    mode: 0664
+    overwrite: true
+    contents:
+      inline: |
+        server {{ ntp_server }} iburst
+        driftfile /var/lib/chrony/drift
+        makestep 1.0 3
+        rtcsync
+        logdir /var/log/chrony

Diff for: collection/stages/roles/prepare/tasks/external_access.yml

@@ -1,29 +1,38 @@
 ---
-- name: Create (if needed) API FIP and get the FIP info
-  ansible.builtin.include_tasks: create_fip.yml
-  vars:
-    description: "{{ ocp_api_description }}"
+- name: Create Floating IPs for API and APPS for a non-proxy installation
+  when: not openshift_proxy_installation
+  block:
+    - name: Create (if needed) API FIP and get the FIP info
+      ansible.builtin.include_tasks: create_fip.yml
+      vars:
+        description: "{{ ocp_api_description }}"
 
-- name: Store API FIP
-  ansible.builtin.set_fact:
-    api_fip: "{{ fip_address }}"
+    - name: Store API FIP
+      ansible.builtin.set_fact:
+        api_accessible_ip: "{{ fip_address }}"
 
-- name: Create (if needed) APPS FIP and get the FIP info
-  ansible.builtin.include_tasks: create_fip.yml
-  vars:
-    description: "{{ ocp_apps_description }}"
+    - name: Create (if needed) APPS FIP and get the FIP info
+      ansible.builtin.include_tasks: create_fip.yml
+      vars:
+        description: "{{ ocp_apps_description }}"
+
+    - name: Store APPS FIP
+      ansible.builtin.set_fact:
+        apps_accessible_ip: "{{ fip_address }}"
 
-- name: Store APPS FIP
+- name: Store restricted network IPs for API and APPS for a openshift-proxy installation
   ansible.builtin.set_fact:
-    apps_fip: "{{ fip_address }}"
+    api_accessible_ip: "{{ restricted_network.ocp_api_ip }}"
+    apps_accessible_ip: "{{ restricted_network.ocp_apps_ip }}"
+  when: openshift_proxy_installation
 
-- name: Register Installer API and APP FIPS  in resources.yml
+- name: Register Installer API and APP FIPS in resources.yml
   ansible.builtin.include_role:
     name: shiftstack.tools.tools_register_resources_file
   vars:
     input:
-      api_fip: "{{ api_fip }}"
-      apps_fip: "{{ apps_fip }}"
+      api_accessible_ip: "{{ api_accessible_ip }}"
+      apps_accessible_ip: "{{ apps_accessible_ip }}"
 
 - name: Add resulting API and APPS fip/vip to /etc/hosts file
   become: true
@@ -33,8 +42,8 @@
     line: "{{ item.row }}"
     unsafe_writes: true
   vars:
-    api_ip: "{{ api_fip }}"
-    apps_ip: "{{ apps_fip }}"
+    api_ip: "{{ api_accessible_ip }}"
+    apps_ip: "{{ apps_accessible_ip }}"
   loop: "{{ etc_hosts_entries }}"
 
 - name: Bootstrap fip pre-creation for UPI

Diff for: collection/stages/roles/prepare/tasks/main.yml

@@ -5,6 +5,11 @@
 - name: Update clouds.yml file with new Project
   ansible.builtin.include_tasks: clouds.yml
 
+- name: Restricted Network Preparations
+  ansible.builtin.include_tasks: restricted_network.yml
+  when:
+    - openshift_proxy_installation
+
 - name: Prepare setup for accessing the OCP Cluster
   ansible.builtin.include_tasks: external_access.yml
 

Diff for: collection/stages/roles/prepare/tasks/restricted_network.yml

@@ -0,0 +1,29 @@
+---
+- name: Create restricted network
+  openstack.cloud.network:
+    cloud: "{{ user_cloud }}"
+    name: "{{ restricted_network.network_name }}"
+    state: present
+
+- name: Create restricted subnet
+  openstack.cloud.subnet:
+    cloud: "{{ user_cloud }}"
+    name: "{{ restricted_network.subnet_name }}"
+    network_name: "{{ restricted_network.network_name }}"
+    cidr: "{{ restricted_network.cidr }}"
+    dns_nameservers:
+      - "{{ restricted_network.installer_ip }}"
+    # OVNKubernetes requirement,further info in BZ1983951
+    gateway_ip: "{{ (openshift_network_type == 'OVNKubernetes') |
+      ternary(restricted_network.installer_ip, restricted_network.default_gw) }}"
+    allocation_pool_start: "{{ restricted_network.pool_start }}"
+    allocation_pool_end: "{{ restricted_network.pool_end }}"
+  register: restricted_subnet
+
+- name: Register restricted subnet cidr and subnet id for machinesSubnet var in install-config
+  ansible.builtin.include_role:
+    name: shiftstack.tools.tools_register_resources_file
+  vars:
+    input:
+      restricted_cidr: "{{ restricted_subnet.subnet.cidr }}"
+      machines_subnet: "{{ restricted_subnet.subnet.id }}"

Diff for: collection/stages/roles/verification/tasks/main.yml

@@ -86,7 +86,7 @@
       vars:
         # Using internal-lb annotation when cluster is deployed on restricted or provider network (FIPless):
         internal_lb: |
-          {{ (openshift_proxy | default(False) or bm_workers | default(False) or provider_network_primary | default(False)) | bool }}
+          {{ (openshift_proxy_installation | default(False) or bm_workers | default(False) or provider_network_primary | default(False)) | bool }}
       ansible.builtin.include_tasks: check_lb_svc.yml
       when:
         - edge_nova_az is not defined # Skip due to Openstack Manila is not supported at the Edge

Diff for: collection/tools/roles/tools_installer_host/defaults/main.yml

@@ -93,3 +93,11 @@ installer_vm:
       protocol: udp
       port_range_min: '53'
       port_range_max: '53'
+  ntp:
+    sg_rules:
+      - direction: 'ingress'
+        ethertype: 'IPv4'
+        remote_ip_prefix: '0.0.0.0/0'
+        protocol: udp
+        port_range_min: '123'
+        port_range_max: '123'

Diff for: collection/tools/roles/tools_installer_host/tasks/configuration_hosts.yml

@@ -11,6 +11,6 @@
     regexp: "{{ item.regex }}"
     line: "{{ item.row }}"
   vars:
-    api_ip: "{{ resources.api_fip }}"
-    apps_ip: "{{ resources.apps_fip }}"
+    api_ip: "{{ resources.api_accessible_ip }}"
+    apps_ip: "{{ resources.apps_accessible_ip }}"
   loop: "{{ etc_hosts_entries }}"

Diff for: collection/tools/roles/tools_installer_host/tasks/install_cert.yml

@@ -0,0 +1,38 @@
+---
+- name: Generate a self-signed SSL certificate using OpenSSL
+  ansible.builtin.shell: |
+    openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key \
+      -x509 -days 30  -addext "subjectAltName = IP:{{ restricted_network.installer_ip }},DNS:{{ installer_vm.installer_fqdn }}" \
+      -subj "/C=US/ST=Denial/L=Springfield/O=RedHat/CN=shiftstack.com" \
+      -out domain.crt
+  args:
+    chdir: "{{ certs_dir }}"
+  changed_when: true
+  become: "{{ openshift_proxy_installation | ternary('yes', omit) }}"
+
+- name: Copy certificate to root chain dir
+  ansible.builtin.copy:
+    src: "{{ certs_dir }}/domain.crt"
+    dest: /etc/pki/ca-trust/source/anchors/domain.crt
+    remote_src: yes
+    mode: u=rwx,g=rw,o=r
+  become: yes
+
+- name: Add the CA cert to the trusted root chain in the installer host VM
+  ansible.builtin.command: update-ca-trust extract
+  changed_when: true
+  become: yes
+
+# Store certificate on resources.yaml to be used on install-config.yaml on install role:
+- name: Register cacert content
+  ansible.builtin.command: "cat {{ certs_dir }}/domain.crt"
+  changed_when: false
+  register: cacert_content
+  become: "{{ openshift_proxy_installation | ternary('yes', omit) }}"
+
+- name: Register cacert to resources.yml
+  ansible.builtin.include_role:
+    name: shiftstack.tools.tools_register_resources_file
+  vars:
+    input:
+      additional_trust_bundle: "{{ cacert_content.stdout_lines }}"