
add classroom fixes and catch-up playbooks

Grega Bremec vor 1 Woche
Commit
1e8a4c5687
6 geänderte Dateien mit 417 neuen und 0 gelöschten Zeilen
  1. 15 0
      00-general-pre-flight.yml
  2. 126 0
      10-quay-tmp-fixes.yml
  3. 15 0
      20-general-post-tmp.yml
  4. 216 0
      30-quay-pre-tasks.yml
  5. 14 0
      ansible.cfg
  6. 31 0
      inventory.yml

+ 15 - 0
00-general-pre-flight.yml

@@ -0,0 +1,15 @@
+---
+- name: Ensure workstation has the collections it needs.
+  hosts: workstation.lab.example.com
+  become: no
+  gather_facts: no
+  tasks:
+    - name: Install the required collections.
+      become: yes
+      ansible.builtin.yum:
+        name:
+          - ansible-collection-ansible-posix
+          - ansible-collection-community-crypto
+          - ansible-collection-community-general
+        state: present
+...
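Review bot: The play uses `become: no`, `gather_facts: no` and `become: yes`, the YAML 1.1 boolean spellings that ansible-lint's `yaml[truthy]` rule rejects because a YAML 1.2 parser reads them as strings; writing `become: false`, `gather_facts: false` and `become: true` (here and in the sibling playbooks of this commit) removes that ambiguity. With a single task, the play-level `become: no` followed by a task-level `become: yes` can also be collapsed into one `become: true` on the play. If the workstation runs a current RHEL with a recent ansible-core, `ansible.builtin.dnf` is the maintained package module and `ansible.builtin.yum` is on a deprecation path, but the exact controller version is not visible in these files.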

+ 126 - 0
10-quay-tmp-fixes.yml

@@ -0,0 +1,126 @@
+---
+# These are the temporary tasks needed on workstation before classroom build is finished.
+- name: Fixes required on utility VM.
+  hosts: utility.lab.example.com
+  become: yes
+  gather_facts: no
+  tasks:
+    # Fixing the DNS first.
+    - name: add ocp4.example.com hosts to /etc/hosts
+      become: yes
+      ansible.builtin.lineinfile:
+        path: /etc/hosts
+        mode: 0644
+        regex: "{{ item.hostname }}"
+        line: "{{ item.addr }} {{ item.hostname }}"
+        state: present
+      loop:
+        - addr: 192.168.50.40
+          hostname: idm.ocp4.example.com
+        - addr: 192.168.50.50
+          hostname: registry.ocp4.example.com
+        - addr: 192.168.50.10
+          hostname: master01.ocp4.example.com
+        - addr: 192.168.50.11
+          hostname: master02.ocp4.example.com
+        - addr: 192.168.50.12
+          hostname: master03.ocp4.example.com
+        - addr: 192.168.50.13
+          hostname: worker01.ocp4.example.com
+        - addr: 192.168.50.14
+          hostname: worker02.ocp4.example.com
+
+    - name: Ensure dnsmasq is installed.
+      ansible.builtin.yum:
+        name:
+          - dnsmasq
+          - dnsmasq-utils
+        state: present
+
+    - name: Ensure dnsmasq is listening on all interfaces
+      ansible.builtin.lineinfile:
+        path: /etc/dnsmasq.conf
+        mode: 0644
+        regex: "^interface=(.*)$"
+        line: '#interface=\g<1>'
+        backrefs: yes
+
+    - name: Ensure dnsmasq is enabled and running.
+      ansible.builtin.systemd_service:
+        name: dnsmasq
+        enabled: yes
+        state: started
+
+    - name: Ensure DNS is open in the firewall.
+      ansible.posix.firewalld:
+        immediate: yes
+        permanent: yes
+        zone: "{{ item }}"
+        service: dns
+        state: enabled
+      loop:
+        - external
+        - public
+
+    - name: Ensure utility allows forwarding traffic from external to public/trusted zones.
+      ansible.builtin.copy:
+        dest: /etc/firewalld/policies/fwd-stud-to-ocp.xml
+        mode: 0644
+        owner: root
+        group: root
+        content: |
+          <?xml version="1.0" encoding="utf-8"?>
+          <policy target="ACCEPT">
+            <ingress-zone name="external"/>
+            <egress-zone name="public"/>
+            <egress-zone name="trusted"/>
+          </policy>
+      notify:
+        - reload utility firewalld
+  handlers:
+    - name: reload utility firewalld
+      ansible.builtin.service:
+        name: firewalld
+        state: reloaded
+
+- name: Fix registry VM configuration.
+  hosts: registry.ocp4.example.com
+  become: yes
+  gather_facts: no
+  tasks:
+    - name: Ensure eth1 interface is in public zone.
+      ansible.builtin.firewalld:
+        zone: public
+        interface: eth1
+        immediate: yes
+        permanent: yes
+        state: enabled
+      notify:
+        - reload registry firewalld
+
+    #- name: Ensure registry is using bastion as the DNS
+    #  community.general.nmcli:
+    #    conn_name: "System eth1"
+    #    dns4: 172.25.250.254
+    #    state: present
+    #  notify:
+    #    - bounce eth1
+
+  handlers:
+    - name: reload registry firewalld
+      ansible.builtin.service:
+        name: firewalld
+        state: reloaded
+
+    #- name: reload connections
+    #  listen: bounce eth1
+    #  ansible.builtin.command: nmcli con reload
+
+    #- name: take eth1 down
+    #  listen: bounce eth1
+    #  ansible.builtin.command: nmcli con down "System eth1"
+
+    #- name: bring eth1 up
+    #  listen: bounce eth1
+    #  ansible.builtin.command: nmcli con up "System eth1"
+...
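Review bot: The `fwd-stud-to-ocp.xml` content written to utility is an unconditional `<policy target="ACCEPT">` from the `external` zone into both `public` and `trusted`, with no `<rule>` or service restriction, and the same play comments out `interface=` in dnsmasq.conf and opens the `dns` service in `external`, so whatever sits on the student-facing side can route through utility into the ocp4 network and use utility as an open resolver. If that is the intended classroom topology it should say so at the task, e.g. `# Lab only: unrestricted external->ocp4 forwarding and a resolver open to the student network; do not reuse outside the classroom.`, and dnsmasq can still be kept from answering arbitrary clients by adding `local-service` (serve only subnets utility has an interface on) instead of merely dropping `interface=`. The registry play's eth1 task uses `ansible.builtin.firewalld` while the utility play uses `ansible.posix.firewalld`; the module ships in the `ansible.posix` collection that 00-general-pre-flight.yml installs, so the builtin name only resolves through a redirect and should be `ansible.posix.firewalld` in both places. The `/etc/hosts` task matches with `regex: "{{ item.hostname }}"`, an unanchored pattern with unescaped dots that behaves as a substring match; `regexp: '\s{{ item.hostname | regex_escape }}$'` pins it to the intended line.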

+ 15 - 0
20-general-post-tmp.yml

@@ -0,0 +1,15 @@
+---
+- name: Post-fix adjustments and corrections - a good test of state of affairs.
+  hosts: all
+  become: no
+  gather_facts: no
+  tasks:
+    - name: remove annoying MOTDs
+      become: yes
+      ansible.builtin.file:
+        path: "/etc/motd.d/{{ item }}"
+        state: absent
+      loop:
+        - cockpit
+        - insights-client
+...
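Review bot: `hosts: all` resolves against inventory.yml to the OpenShift masters and workers as well as utility, registry and idm, and all of those fall back to `remote_user = lab` from ansible.cfg because the inventory sets a user only for workstation and bastion; since the play is described as a test of the state of affairs, it should say whether the `openshift` group is meant to be part of that test, as any node not reachable as `lab` drops out of the run. If only the RHEL hosts carry `/etc/motd.d/cockpit` and `/etc/motd.d/insights-client` (what the cluster nodes run is not visible in these files), `hosts: infra:workstation.lab.example.com` keeps the play to the machines it was written for. The play-level `become: no` plus `become: yes` on the single task can collapse to `become: true` on the play.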

+ 216 - 0
30-quay-pre-tasks.yml

@@ -0,0 +1,216 @@
+---
+# Tasks required as per 10-quay-prereq.adoc.
+- name: Create a CA on workstation.
+  hosts: workstation.lab.example.com
+  become: no
+  gather_subset: min
+  tasks:
+    - name: Create directories.
+      ansible.builtin.file:
+        path: "{{ ansible_facts['user_dir'] }}/ca/lab-ca/newcerts"
+        state: directory
+        recurse: yes
+        mode: 0700
+
+    - name: Create cert index.
+      ansible.builtin.copy:
+        dest: "{{ ansible_facts['user_dir'] }}/ca/lab-ca/index.txt"
+        mode: 0600
+        content: ""
+
+    - name: Create cert serial tracker.
+      ansible.builtin.copy:
+        dest: "{{ ansible_facts['user_dir'] }}/ca/lab-ca/serial"
+        mode: 0600
+        content: "0000"
+
+    - name: Ensure openssl.cnf is there and correct.
+      ansible.builtin.copy:
+        dest: "{{ ansible_facts['user_dir'] }}/ca/openssl.cnf"
+        mode: 0600
+        content: |
+          [ ca ]
+          default_ca      = CA_default
+          
+          [ CA_default ]
+          
+          dir            = ./lab-ca
+          serial         = $dir/serial
+          database       = $dir/index.txt
+          new_certs_dir  = $dir/newcerts
+          
+          certificate    = ./ca-cert.pem
+          private_key    = ./ca-key.pem
+          
+          default_days   = 365
+          default_crl_days= 30
+          default_md     = sha256
+          
+          policy         = policy_any
+          email_in_dn    = no
+          
+          name_opt       = ca_default
+          cert_opt       = ca_default
+          copy_extensions = copy
+          
+          [ policy_any ]
+          countryName            = supplied
+          stateOrProvinceName    = optional
+          organizationName       = optional
+          organizationalUnitName = optional
+          commonName             = supplied
+          emailAddress           = optional
+
+    - name: Check if CA key exists to save time
+      ansible.builtin.stat:
+        path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
+      register: cakey_file
+
+    - name: Check if CA cert exists to save time
+      ansible.builtin.stat:
+        path: "{{ ansible_facts['user_dir'] }}/ca/ca-cert.pem"
+      register: cacert_file
+
+    - name: Create a new CA private key, if it does not exist yet.
+      community.crypto.openssl_privatekey:
+        path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
+        passphrase: verysecret
+        type: RSA
+        cipher: auto
+        size: 8192
+        mode: 0600
+      when: cakey_file.stat.exists == false
+
+    - name: Generate a CSR for the CA cert.
+      community.crypto.openssl_csr:
+        path: "{{ ansible_facts['user_dir'] }}/ca/ca-csr.pem"
+        privatekey_path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
+        privatekey_passphrase: verysecret
+        basic_constraints: "CA:TRUE"
+        basic_constraints_critical: yes
+        subject:
+          C: US
+          ST: North Carolina
+          L: Raleigh
+          O: Red Hat
+          OU: RHT
+          CN: Classroom Root CA
+        mode: 0600
+      when: cacert_file.stat.exists == false
+
+    - name: Create a self-signed cert for the CA.
+      community.crypto.x509_certificate:
+        path: "{{ ansible_facts['user_dir'] }}/ca/ca-cert.pem"
+        csr_path: "{{ ansible_facts['user_dir'] }}/ca/ca-csr.pem"
+        privatekey_path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
+        privatekey_passphrase: verysecret
+        provider: selfsigned
+        selfsigned_not_after: +510w
+        mode: 0600
+      when: cacert_file.stat.exists == false
+
+    - name: Get rid of the CSR.
+      ansible.builtin.file:
+        path: "{{ ansible_facts['user_dir'] }}/ca/ca-csr.pem"
+        state: absent
+
+    - name: Copy CA cert to ca-trust dir.
+      become: yes
+      ansible.builtin.copy:
+        src: "{{ ansible_facts['user_dir'] }}/ca/ca-cert.pem"
+        dest: "/etc/pki/ca-trust/source/anchors/lab-ca.pem"
+        mode: 0644
+      register: copied
+
+    - name: Have workstation trust the CA.
+      become: yes
+      command: update-ca-trust
+      when: copied.changed
+
+- name: Have utility serve time.
+  hosts: utility.lab.example.com
+  become: no
+  gather_subset: min
+  tasks:
+    - name: Ensure we have the correct chrony.conf
+      become: yes
+      ansible.builtin.copy:
+        dest: /etc/chrony.conf
+        mode: 0644
+        content: |
+          # Use public servers from the pool.ntp.org project.
+          # Please consider joining the pool (http://www.pool.ntp.org/join.html).
+          server 172.25.254.254 iburst
+          
+          # Record the rate at which the system clock gains/losses time.
+          driftfile /var/lib/chrony/drift
+          
+          # Allow the system clock to be stepped in the first three updates
+          # if its offset is larger than 1 second.
+          makestep 1.0 3
+          
+          # Enable kernel synchronization of the real-time clock (RTC).
+          rtcsync
+          
+          # Enable hardware timestamping on all interfaces that support it.
+          #hwtimestamp *
+          
+          # Increase the minimum number of selectable sources required to adjust
+          # the system clock.
+          #minsources 2
+          
+          # Allow NTP client access from local network.
+          #allow 192.168.0.0/16
+          allow all
+          
+          bindcmdaddress 0.0.0.0
+          cmdallow all
+          
+          # Serve time even if not synchronized to a time source.
+          #local stratum 10
+          
+          # Specify file containing keys for NTP authentication.
+          keyfile /etc/chrony.keys
+          
+          # Get TAI-UTC offset and leap seconds from the system tz database.
+          leapsectz right/UTC
+          
+          # Specify directory for log files.
+          logdir /var/log/chrony
+          
+          # Select which information is logged.
+          #log measurements statistics tracking
+      notify:
+        - restart chronyd
+
+    - name: Ensure firewall allows NTP.
+      become: yes
+      ansible.posix.firewalld:
+        immediate: yes
+        permanent: yes
+        zone: "{{ item }}"
+        service: ntp
+        state: enabled
+      loop:
+        - external
+        - public
+
+    - name: Ensure firewall allows cmdport.
+      become: yes
+      ansible.posix.firewalld:
+        immediate: yes
+        permanent: yes
+        zone: "{{ item }}"
+        port: 323/udp
+        state: enabled
+      loop:
+        - external
+        - public
+
+  handlers:
+    - name: restart chronyd
+      become: yes
+      ansible.builtin.service:
+        name: chronyd
+        state: restarted
+...
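Review bot: The CA passphrase `verysecret` is committed in plaintext three times (`openssl_privatekey`, `openssl_csr`, `x509_certificate`), and the key it protects becomes a trust anchor on workstation via `/etc/pki/ca-trust/source/anchors/lab-ca.pem`, so anyone with this repository can mint certificates every lab client trusts; move it to a vaulted variable, `passphrase: "{{ lab_ca_passphrase }}"` / `privatekey_passphrase: "{{ lab_ca_passphrase }}"`, and add `no_log: true` to those three tasks. The generated `openssl.cnf` sets `copy_extensions = copy` without any `x509_extensions` section, which is exactly the configuration the `openssl ca` manual warns about: a CSR carrying `basicConstraints = CA:TRUE` gets that extension copied into the issued certificate, handing the requester a sub-CA of the classroom root. Because `copy` only copies request extensions that are not already present, defining an extensions section that pins `basicConstraints` makes the request's copy ignored, as in the fragment below. The chrony play additionally sets `cmdallow all` with `bindcmdaddress 0.0.0.0` and opens `323/udp` in the `external` zone; nothing in this commit uses remote `chronyc`, so those two lines and the cmdport firewall task can be dropped and only the `ntp` service kept.
```yaml
          [ CA_default ]
          # … unchanged: dir, serial, database, new_certs_dir, certificate, private_key, default_*, policy, *_opt …
          copy_extensions = copy
          # Extensions stamped on every issued cert; a basicConstraints set here is
          # kept over one in the request, so CA:TRUE cannot arrive via copy_extensions.
          x509_extensions = usr_cert

          [ usr_cert ]
          basicConstraints       = critical,CA:FALSE
          subjectKeyIdentifier   = hash
          authorityKeyIdentifier = keyid,issuer

          # … unchanged: [ policy_any ] …
```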

+ 14 - 0
ansible.cfg

@@ -0,0 +1,14 @@
+[defaults]
+# required to evade implicit conversion to string in k8s resource_definition
+jinja2_native = True
+inventory = ./inventory.yml
+remote_user = lab
+ask_pass = no
+
+# shut up about python interpreter
+interpreter_python = auto_silent
+
+[privilege_escalation]
+become = no
+become_method = sudo
+become_askpass = no

+ 31 - 0
inventory.yml

@@ -0,0 +1,31 @@
+all:
+  hosts:
+    workstation.lab.example.com:
+      ansible_user: student
+      ansible_connection: local
+
+    bastion.lab.example.com:
+      ansible_host: 172.25.250.254
+      ansible_user: devops
+
+  children:
+    openshift:
+      children:
+        masters:
+          hosts:
+            master01.ocp4.example.com:
+            master02.ocp4.example.com:
+            master03.ocp4.example.com:
+        workers:
+          hosts:
+            worker01.ocp4.example.com:
+            worker02.ocp4.example.com:
+
+    infra:
+      hosts:
+        utility.lab.example.com:
+        # power is unreachable with student's key
+        #power.lab.example.com:
+        registry.ocp4.example.com:
+        idm.ocp4.example.com:
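Review bot: `registry.ocp4.example.com` and `idm.ocp4.example.com` are listed without `ansible_host`, so the controller has to resolve `ocp4.example.com` names itself, yet the only definition of those names in this commit is the `/etc/hosts` and dnsmasq fix that `10-quay-tmp-fixes.yml` applies to utility, and that same playbook's second play already targets `registry.ocp4.example.com`. Pinning the addresses the fix play hard-codes, `ansible_host: 192.168.50.50` under registry and `ansible_host: 192.168.50.40` under idm, removes the ordering dependency and stops relying on workstation using utility as its resolver, which nothing here shows. A short comment on the `openshift` group stating which SSH user those nodes expect would also help, since they currently inherit `remote_user = lab` from ansible.cfg with no per-host override, unlike workstation and bastion.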
+