Merge pull request #824 from IBM/aws-rosa-hotfix

Hotfixes for AWS
IBM · Oct 31, 2024 · 2bcb9c2 · 2bcb9c2
2 parents b00d248 + b11f9b1
commit 2bcb9c2
Show file tree

Hide file tree

Showing 15 changed files with 85 additions and 103 deletions.
diff --git a/automation-roles/10-validation/validate-variables-destroy/tasks/aws-validate-variables.yml b/automation-roles/10-validation/validate-variables-destroy/tasks/aws-validate-variables.yml
@@ -1,32 +1,4 @@
 ---
-- name: Get aws-access-key secret from in the vault
-  include_role: 
-    name: vault-get-secret
-  vars:
-    secret_name: "aws-access-key"
-    secret_group: "{{ environment_name }}" 
-    _p_secret_variable: _aws_access_key
-
-- name: Get aws-secret-access-key secret from the vault
-  include_role: 
-    name: vault-get-secret
-  vars:
-    secret_name: "aws-secret-access-key"
-    secret_group: "{{ environment_name }}" 
-    _p_secret_variable: _aws_secret_access_key
-
-- name: Get aws-session-token secret from the vault
-  include_role: 
-    name: vault-get-secret
-  vars:
-    secret_name: "aws-session-token"
-    secret_group: "{{ environment_name }}"
-    _p_secret_variable: _aws_session_token
-
-- name: Retrieve rosa-login-token secret from the vault
-  include_role: 
-    name: vault-get-secret
-  vars:
-    secret_name: "rosa-login-token"
-    secret_group: "{{ environment_name }}"
-    _p_secret_variable: _rosa_login_token
+- name: Get AWS credentials from the vault
+  include_role:
+    name: aws-get-credentials
diff --git a/automation-roles/10-validation/validate-variables/tasks/aws-validate-variables.yml b/automation-roles/10-validation/validate-variables/tasks/aws-validate-variables.yml
@@ -1,27 +1,7 @@
 ---
-- name: Get aws-access-key secret from in the vault
-  include_role: 
-    name: vault-get-secret
-  vars:
-    secret_name: "aws-access-key"
-    secret_group: "{{ environment_name }}"
-    _p_secret_variable: _aws_access_key
-
-- name: Get aws-secret-access-key secret from the vault
-  include_role: 
-    name: vault-get-secret
-  vars:
-    secret_name: "aws-secret-access-key"
-    secret_group: "{{ environment_name }}"
-    _p_secret_variable: _aws_secret_access_key
-
-- name: Get aws-session-token secret from the vault
-  include_role: 
-    name: vault-get-secret
-  vars:
-    secret_name: "aws-session-token"
-    secret_group: "{{ environment_name }}"
-    _p_secret_variable: _aws_session_token
+- name: Get AWS credentials from the vault
+  include_role:
+    name: aws-get-credentials
 
 - name: Retrieve pull secret from vault
   include_role: 
@@ -38,13 +18,4 @@
   vars:
     secret_name: "ocp-ssh-pub-key"
     secret_group: "{{ environment_name }}"
-    _p_secret_variable: _ocp_ssh_pub_key
-
-- name: Retrieve rosa-login-token secret from the vault
-  include_role: 
-    name: vault-get-secret
-  vars:
-    secret_name: "rosa-login-token"
-    secret_group: "{{ environment_name }}"
-    _p_secret_variable: _rosa_login_token
-
+    _p_secret_variable: _ocp_ssh_pub_key
diff --git a/automation-roles/30-provision-infra/destroy-aws/tasks/destroy-aws-rosa.yml b/automation-roles/30-provision-infra/destroy-aws/tasks/destroy-aws-rosa.yml
@@ -40,7 +40,7 @@
 
 - name: Delete operator roles for ROSA cluster {{ _current_openshift_cluster.name }} when STS was used
   shell: |
-    rosa delete operator roles -c {{ (_rosa_describe_cluster.stdout | from_json).id }} --mode auto --yes \
+    rosa delete operator-roles -c {{ (_rosa_describe_cluster.stdout | from_json).id }} --mode auto --yes \
       --region {{ _current_openshift_cluster.infrastructure.aws_region }} >> {{ status_dir }}/log/{{ _current_openshift_cluster.name }}-delete-cluster.log 2>&1
   environment:
     AWS_ACCESS_KEY_ID: "{{ _aws_access_key }}"

diff --git a/automation-roles/30-provision-infra/destroy-aws/tasks/main.yml b/automation-roles/30-provision-infra/destroy-aws/tasks/main.yml
@@ -8,29 +8,9 @@
   fail: msg="cloud_platform {{ cloud_platform }} is not implemented, current implemented cloud platforms are {{ implemented_cloud_platform_types }} "
   when: "cloud_platform not in implemented_cloud_platform_types"
 
-- name: Get aws-access-key secret from in the vault
-  include_role: 
-    name: vault-get-secret
-  vars:
-    secret_name: "aws-access-key"
-    secret_group: "{{ environment_name }}"
-    _p_secret_variable: _aws_access_key
-
-- name: Get aws-secret-access-key secret from the vault
-  include_role: 
-    name: vault-get-secret
-  vars:
-    secret_name: "aws-secret-access-key"
-    secret_group: "{{ environment_name }}" 
-    _p_secret_variable: _aws_secret_access_key
-
-- name: Get aws-session-token secret from the vault
-  include_role: 
-    name: vault-get-secret
-  vars:
-    secret_name: "aws-session-token"
-    secret_group: "{{ environment_name }}"
-    _p_secret_variable: _aws_session_token
+- name: Get AWS credentials from the vault
+  include_role:
+    name: aws-get-credentials
 
 - name: Destroy Openshift with AWS ROSA
   include_tasks: destroy-aws-rosa.yml

diff --git a/automation-roles/30-provision-infra/provision-aws/tasks/aws-enable-openshift-fileserver.yml b/automation-roles/30-provision-infra/provision-aws/tasks/aws-enable-openshift-fileserver.yml
@@ -18,12 +18,12 @@
 - name: Set name of compute node security group for OpenShift < 4.16
   set_fact:
     _aws_compute_sg: "{{ _current_openshift_cluster.name }}*-worker-sg"
-  when: _current_openshift_cluster.ocp_version < '4.16'
+  when: (_current_openshift_cluster.ocp_version | string) < '4.16'
 
 - name: Set name of compute node security group for OpenShift >= 4.16
   set_fact:
     _aws_compute_sg: "{{ _current_openshift_cluster.name }}*-node"
-  when: _current_openshift_cluster.ocp_version >= '4.16'
+  when: (_current_openshift_cluster.ocp_version | string) >= '4.16'
 
 - name: Get security group for OpenShift cluster compute nodes using filter {{ _aws_compute_sg }}
   shell: |
@@ -40,9 +40,9 @@
 - debug:
     var: _aws_sg
 
-- name: Fail if security group was not found
+- name: Fail if security group {{ _aws_compute_sg }} was not found
   fail:
-    msg: "Security group with name {{ _current_openshift_cluster.name }}*-worker-sg not found"
+    msg: "Security group with name {{ _aws_compute_sg }} not found"
   when: (_aws_sg.stdout | from_json) == []
 
 - set_fact:

diff --git a/automation-roles/30-provision-infra/provision-aws/tasks/provision-rosa.yml b/automation-roles/30-provision-infra/provision-aws/tasks/provision-rosa.yml
@@ -45,6 +45,10 @@
     AWS_SESSION_TOKEN: "{{ _aws_session_token }}"
   when: _rosa_describe_cluster.rc != 0
 
+- name: Renew AWS credentials from the vault
+  include_role:
+    name: aws-get-credentials
+
 - name: Get details for cluster {{ _current_openshift_cluster.name }}
   shell: |
     rosa describe cluster \
@@ -108,7 +112,7 @@
       secret_payload: "{{ _cluster_admin_password }}"
       secret_group: "{{ environment_name }}"
 
-  when: _describe_cluster_admin is search("There is no admin")
+  when: _describe_cluster_admin.stderr is search("rosa create admin")
 
 - include_tasks: aws-enable-openshift-fileserver.yml
   loop: "{{ _current_openshift_cluster.openshift_storage | default([]) }}"

diff --git a/automation-roles/40-configure-infra/ocs-storage-class/tasks/aws-ipi-configure-ocs.yml b/automation-roles/40-configure-infra/ocs-storage-class/tasks/aws-ipi-configure-ocs.yml
@@ -43,7 +43,7 @@
   include_role: 
     name: odf-operator
   vars:
-    _p_credentials_mode: "{{ current_openshift_cluster.infrastructure.credentials_mode | default('') }}"
+    _p_openshift_cluster: "{{ current_openshift_cluster }}"
 
 - name: Check if StorageCluster ocs-storagecluster already exists
   command: |

diff --git a/automation-roles/40-configure-infra/ocs-storage-class/tasks/aws-rosa-configure-ocs.yml b/automation-roles/40-configure-infra/ocs-storage-class/tasks/aws-rosa-configure-ocs.yml
@@ -69,7 +69,9 @@
 - name: Install ODF operator
   include_role: 
     name: odf-operator
-
+  vars:
+    _p_openshift_cluster: "{{ current_openshift_cluster }}"
+
 - name: Check if StorageCluster ocs-storagecluster already exists
   command: |
     oc get StorageCluster -n openshift-storage ocs-storagecluster

diff --git a/automation-roles/40-configure-infra/ocs-storage-class/tasks/azure-aro-configure-ocs.yml b/automation-roles/40-configure-infra/ocs-storage-class/tasks/azure-aro-configure-ocs.yml
@@ -77,6 +77,8 @@
 - name: Install ODF operator
   include_role: 
     name: odf-operator
+  vars:
+    _p_openshift_cluster: "{{ current_openshift_cluster }}"
 
 - name: Check if StorageCluster ocs-storagecluster already exists
   command: |

diff --git a/automation-roles/40-configure-infra/ocs-storage-class/tasks/azure-ipi-configure-ocs.yml b/automation-roles/40-configure-infra/ocs-storage-class/tasks/azure-ipi-configure-ocs.yml
@@ -73,6 +73,9 @@
 - name: Install ODF operator
   include_role: 
     name: odf-operator
+  vars:
+    _p_openshift_cluster: "{{ current_openshift_cluster }}"
+
 
 - name: Check if StorageCluster ocs-storagecluster already exists
   command: |

diff --git a/automation-roles/40-configure-infra/ocs-storage-class/tasks/vsphere-configure-ocs.yml b/automation-roles/40-configure-infra/ocs-storage-class/tasks/vsphere-configure-ocs.yml
@@ -65,6 +65,8 @@
 - name: Install ODF operator
   include_role: 
     name: odf-operator
+  vars:
+    _p_openshift_cluster: "{{ current_openshift_cluster }}"
 
 - name: Check if StorageCluster ocs-storagecluster already exists
   command: |

diff --git a/automation-roles/40-configure-infra/odf-operator/tasks/main.yml b/automation-roles/40-configure-infra/odf-operator/tasks/main.yml
@@ -1,8 +1,23 @@
 ---
-- include_tasks: aws-s3-sts-role.yml
+- set_fact:
+    _aws_sts_mode: False
+
+- set_fact:
+    _aws_sts_mode: True
+  when: 
+  - cloud_platform == 'aws'
+  - (_p_openshift_cluster.infrastructure.type | default('self-managed')) == 'self-managed'
+  - (_p_openshift_cluster.infrastructure.credentials_mode | default('')) == 'Manual'
+
+- set_fact:
+    _aws_sts_mode: True
   when: 
   - cloud_platform == 'aws'
-  - (_p_credentials_mode | default('')) == 'Manual'
+  - (_p_openshift_cluster.infrastructure.type | default('self-managed')) == 'rosa'
+  - (_p_openshift_cluster.infrastructure.use_sts | default(False))
+
+- include_tasks: aws-s3-sts-role.yml
+  when: _aws_sts_mode
 
 - name: Create openshift-storage OpenShift project
   shell: |
@@ -54,6 +69,4 @@
     oc patch subscriptions.operators.coreos.com -n openshift-storage odf-operator \
         --type merge \
         --patch '{"spec":{"installPlanApproval":"Manual"}}'
-  when: 
-  - cloud_platform == 'aws'
-  - (_p_credentials_mode | default('')) == 'Manual'
+  when: _aws_sts_mode
diff --git a/automation-roles/40-configure-infra/odf-operator/templates/odf-operator.j2 b/automation-roles/40-configure-infra/odf-operator/templates/odf-operator.j2
@@ -21,7 +21,7 @@ spec:
   name: odf-operator
   source: redhat-operators
   sourceNamespace: openshift-marketplace
-{% if (_p_credentials_mode | default('')) == 'Manual' %}
+{% if _aws_sts_mode %}
   config:
     env:
     - name: ROLEARN

diff --git a/automation-roles/40-configure-infra/openshift-mcg/tasks/main.yml b/automation-roles/40-configure-infra/openshift-mcg/tasks/main.yml
@@ -16,15 +16,16 @@
       oc get sc {{ _p_openshift_cluster.mcg.storage_class }}
     when:  _p_openshift_cluster.mcg.storage_type == 'storage-class'
 
-  - name: Label all compute nodes as storage nodes to allow StorageCluster to be created
+  - name: Label all compute nodes as storage nodes to allow StorageCluster to be created, ignore failure
     shell: |
       oc label no -l node-role.kubernetes.io/worker cluster.ocs.openshift.io/openshift-storage=
+    failed_when: False
 
   - name: Install ODF operator
     include_role: 
       name: odf-operator
     vars:
-      _p_credentials_mode: "{{ current_openshift_cluster.infrastructure.credentials_mode | default('') }}"
+      _p_openshift_cluster: "{{ current_openshift_cluster }}"
 
   - name: Generate MCG StorageCluster ocs-storagecluster into {{ status_dir }}/openshift/openshift-{{ _p_openshift_cluster.name }}-mcg-storagecluster.yaml
     template:

diff --git a/automation-roles/99-generic/aws/aws-get-credentials/tasks/main.yml b/automation-roles/99-generic/aws/aws-get-credentials/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+- name: Get aws-access-key secret from in the vault
+  include_role: 
+    name: vault-get-secret
+  vars:
+    secret_name: "aws-access-key"
+    secret_group: "{{ environment_name }}"
+    _p_secret_variable: _aws_access_key
+
+- name: Get aws-secret-access-key secret from the vault
+  include_role: 
+    name: vault-get-secret
+  vars:
+    secret_name: "aws-secret-access-key"
+    secret_group: "{{ environment_name }}"
+    _p_secret_variable: _aws_secret_access_key
+
+- name: Get aws-session-token secret from the vault
+  include_role: 
+    name: vault-get-secret
+  vars:
+    secret_name: "aws-session-token"
+    secret_group: "{{ environment_name }}"
+    _p_secret_variable: _aws_session_token
+
+- name: Retrieve rosa-login-token secret from the vault
+  include_role: 
+    name: vault-get-secret
+  vars:
+    secret_name: "rosa-login-token"
+    secret_group: "{{ environment_name }}"
+    _p_secret_variable: _rosa_login_token