
correct note about machineNetwork, remove google from resolv.conf on workstation, make quay restarts solid, also postgresql, prepare install-config template for agent install (along with the 52-coreos-installer playbook)

Grega Bremec hai 4 días
pai
achega
66df9f424b

+ 12 - 1
10-quay-tmp-fixes.yml

@@ -1,5 +1,16 @@
 ---
-# These are the temporary tasks needed on workstation before classroom build is finished.
+# These are the temporary tasks needed on various machines before classroom build is finished.
+- name: Fixes required on workstation VM.
+  hosts: workstation.lab.example.com
+  become: yes
+  gather_subset: min
+  tasks:
+    - name: Remove Google from resolv.conf
+      ansible.builtin.lineinfile:
+        path: /etc/resolv.conf
+        line: "nameserver 8.8.8.8"
+        state: absent
+
 - name: Fixes required on utility VM.
   hosts: utility.lab.example.com
   become: yes
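Review bot: Editing /etc/resolv.conf directly in `Remove Google from resolv.conf` is only durable if nothing else owns that file; on RHEL-family hosts NetworkManager typically regenerates it and would re-add the entry on the next lease or DNS update, so if that is the case on the workstation the fix belongs in the connection profile or NetworkManager's dns configuration instead — worth confirming before relying on this task. The removal is also unconditional: `lineinfile` with `state: absent` has no safeguard, so if `nameserver 8.8.8.8` happened to be the only resolver line the host would be left without DNS. Minor: the new play's `become: yes` reads canonically as `become: true`.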

+ 3 - 0
30-quay-pre-tasks.yml

@@ -5,6 +5,7 @@
   become: no
   gather_subset: min
   tasks:
+    # TODO: Only if necessary.
     - name: Create directories.
       ansible.builtin.file:
         path: "{{ ansible_facts['user_dir'] }}/ca/lab-ca/newcerts"
@@ -12,12 +13,14 @@
         recurse: yes
         mode: 0700
 
+    # TODO: Only if necessary.
     - name: Create cert index.
       ansible.builtin.copy:
         dest: "{{ ansible_facts['user_dir'] }}/ca/lab-ca/index.txt"
         mode: 0600
         content: ""
 
+    # TODO: Only if necessary.
     - name: Create cert serial tracker.
       ansible.builtin.copy:
         dest: "{{ ansible_facts['user_dir'] }}/ca/lab-ca/serial"
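Review bot: The three `# TODO: Only if necessary.` markers can be resolved rather than deferred: `Create cert index.` writes `content: ""` to the CA's `index.txt` with `ansible.builtin.copy`, so every run truncates it and any certificates the lab CA has already issued disappear from its database, and `Create cert serial tracker.` presumably does the same to `serial` (its content line is outside the hunk). Adding `force: false` to both copy tasks makes them create the files only when missing, which is exactly what the TODO asks for; the `file` task with `state: directory` is already idempotent and needs no guard. While here, the unquoted octal modes `0700`/`0600` are context lines but would be safer as `mode: "0700"` / `mode: "0600"` so YAML never reinterprets them. The enclosing play starts outside the hunk.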

+ 11 - 0
32-quay-deploy.yml

@@ -195,6 +195,17 @@
       retries: 12
       delay: 5
 
+    - name: Wait for the server inside container to start up.
+      containers.podman.podman_container_exec:
+        name: postgresql
+        command: 'psql -d quay -U postgres -c "SELECT 1"'
+      when: pg_started.changed
+      changed_when: no
+      register: pg_rdy
+      until: pg_rdy.rc == 0
+      retries: 10
+      delay: 3
+
     - name: Create the trigram extension if necessary.
       containers.podman.podman_container_exec:
         name: postgresql
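Review bot: The readiness probe in `Wait for the server inside container to start up.` only runs when `pg_started.changed`, so on a run where the postgresql container was already up but the server inside it was still initialising (or had been restarted outside this play), the following `Create the trigram extension if necessary.` task proceeds with no wait at all; since the probe is cheap and `changed_when` is already false, dropping the `when:` and letting it run every time is the simpler guarantee. `pg_started` is registered outside this hunk, so I cannot see whether it covers every path that starts the container. Minor: `changed_when: no` reads canonically as `changed_when: false`.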

+ 22 - 2
33-clair-deploy.yml

@@ -79,6 +79,7 @@
       changed_when:
         - not "already exists" in pg_ext.stderr
 
+    # TODO: Make loop labels nicer.
     - name: Patch Quay config if necessary.
       ansible.builtin.lineinfile:
         path: "{{ ansible_facts['user_dir'] }}/config/config.yaml"
@@ -99,7 +100,7 @@
           fixre: "^SECURITY_SCANNER_V4_ENDPOINT: .*$"
           value: "SECURITY_SCANNER_V4_ENDPOINT: http://clair:8081"
       notify:
-        - restart quay
+        - restart quay and wait for ready
 
     - name: Create Clair config directory if necessary.
       ansible.builtin.file:
@@ -137,7 +138,7 @@
             name: "prometheus"
         mode: 0664
       notify:
-        - restart quay
+        - restart quay and wait for ready
         - restart clair
 
     - name: Ensure same TLS trust will be used for Clair as for workstation.
@@ -167,11 +168,30 @@
 
   handlers:
     - name: restart quay
+      listen: restart quay and wait for ready
       ansible.builtin.systemd_service:
         name: quay
         scope: user
         state: restarted
 
+    - name: wait for quay to become ready again
+      listen: restart quay and wait for ready
+      ansible.builtin.uri:
+        method: GET
+        url: https://registry.ocp4.example.com/
+        headers:
+          Accept: application/json
+          Content-Type: application/json
+        validate_certs: no
+        status_code:
+          - 200
+          - 404
+          - 502
+      register: startup_wait
+      until: startup_wait.status == 200
+      retries: 30
+      delay: 5
+
     - name: restart clair
       ansible.builtin.systemd_service:
         name: clair
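Review bot: The `wait for quay to become ready again` handler is duplicated verbatim between this file and 34-clair-disable.yml (same `listen:` name, same 30×5 s loop), so the two will drift the next time one is tuned; a shared handler file pulled in with `- ansible.builtin.import_tasks: handlers/quay.yml` under `handlers:` in both plays keeps a single copy. The readiness check also sets `validate_certs: no` against `https://registry.ocp4.example.com/`; the task `Ensure same TLS trust will be used for Clair as for workstation.` suggests the lab CA is available on this host, and if it is trusted system-wide there, `validate_certs: true` would let the probe additionally confirm that the restarted Quay is serving the expected certificate rather than anything answering on that port — worth checking where this play runs. The `Content-Type` header on a body-less GET is unnecessary and can be dropped. The play's tasks section starts outside the hunk.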

+ 20 - 2
34-clair-disable.yml

@@ -56,7 +56,7 @@
         regexp: "FEATURE_SECURITY_SCANNER:"
         line: "FEATURE_SECURITY_SCANNER: false"
       notify:
-        - restart quay
+        - restart quay and wait for ready
 
     - name: Disable and stop Clair.
       ansible.builtin.systemd_service:
@@ -73,9 +73,27 @@
 
   handlers:
     - name: restart quay
+      listen: restart quay and wait for ready
       ansible.builtin.systemd_service:
         name: quay
         scope: user
         state: restarted
-...
 
+    - name: wait for quay to become ready again
+      listen: restart quay and wait for ready
+      ansible.builtin.uri:
+        method: GET
+        url: https://registry.ocp4.example.com/
+        headers:
+          Accept: application/json
+          Content-Type: application/json
+        validate_certs: no
+        status_code:
+          - 200
+          - 404
+          - 502
+      register: startup_wait
+      until: startup_wait.status == 200
+      retries: 30
+      delay: 5
+...

+ 16 - 5
52-coreos-installer.yml

@@ -67,13 +67,18 @@
         content_sources: "{{ lookup('ansible.builtin.file', ansible_facts['user_dir'] + '/mirror/working-dir/cluster-resources/idms-oc-mirror.yaml')
                               | ansible.builtin.from_yaml_all }}"
 
+    - name: Set the fact determining installation type (required for templating).
+      ansible.builtin.set_fact:
+        install_type: iso
+
     - name: Ensure install-config is there.
       ansible.builtin.template:
-        src: templates/install-config-embed.yaml.j2
+        src: templates/install-config-template.yaml.j2
         dest: "{{ ansible_facts['user_dir'] }}/install-config-embed.yaml"
         mode: 0644
         owner: student
         group: student
+      register: updated_install_config
 
     - name: Remove the installation directory if so required.
       ansible.builtin.file:
@@ -97,7 +102,7 @@
         mode: 0644
       register: published_install_config
       when:
-        - (not install_log.stat.exists) or (recreate_cluster_dir is defined)
+        - (not install_log.stat.exists) or (recreate_cluster_dir is defined) or updated_install_config.changed
 
     - name: Create installation manifests if install config was published.
       ansible.builtin.command:
@@ -141,13 +146,19 @@
         - recreated_sno_cfg is defined
         - recreated_sno_cfg.changed
 
+    - name: Check if custom ISO is there.
+      ansible.builtin.stat:
+        path: "{{ ansible_facts['user_dir'] }}/sno-embedded-cfg.iso"
+        get_attributes: no
+        get_checksum: no
+        get_mime: no
+      register: custom_iso
+
     - name: Embed install config in the ISO.
       ansible.builtin.command:
         cmd: coreos-installer iso ignition embed -fi ./embed/bootstrap-in-place-for-live-iso.ign -o sno-embedded-cfg.iso {{ ansible_facts['user_dir'] }}/Downloads/rhcos-418.94.202501221327-0-live.x86_64.iso
         chdir: "{{ ansible_facts['user_dir'] }}"
-      when:
-        - recreated_sno_cfg is defined
-        - recreated_sno_cfg.changed
+      when: not custom_iso.exists
 
 - name: Copy the ISO file to target machine and write it to /dev/sdb
   hosts: master01.ocp4.example.com
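Review bot: The new condition `when: not custom_iso.exists` on `Embed install config in the ISO.` will fail at runtime, because `ansible.builtin.stat` returns its results under the `stat` key — compare `install_log.stat.exists` earlier in the same file — so the attribute has to be `custom_iso.stat.exists`. Replacing the old `recreated_sno_cfg.changed` test with a pure existence check also means a regenerated config (the whole point of the new `updated_install_config.changed` trigger) never reaches an ISO that already exists on disk; `when: (not custom_iso.stat.exists) or (recreated_sno_cfg is defined and recreated_sno_cfg.changed)` re-embeds on a refreshed ignition, which the `-f` already on the `coreos-installer` command line appears intended to allow. `recreated_sno_cfg` is registered outside this hunk.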

+ 7 - 1
templates/install-config-embed.yaml.j2 → templates/install-config-template.yaml.j2

@@ -1,9 +1,11 @@
 apiVersion: v1
 metadata:
-  name: iso
+  name: {{ install_type }}
 baseDomain: ocp4.example.com
+{% if install_type == 'iso' %}
 bootstrapInPlace:
   installationDisk: /dev/sda
+{% endif %}
 compute:
   - hyperthreading: Enabled
     name: worker
@@ -17,6 +19,10 @@ networking:
     - cidr: 10.128.0.0/14
       hostPrefix: 23
   networkType: OVNKubernetes
+{% if install_type == 'agent' %}
+  machineNetwork:
+    - cidr: {{ hostvars[install_host]['ansible_facts']['default_ipv4']['address'] }}/32
+{% endif %}
   serviceNetwork:
     - 172.30.0.0/16
 platform:
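Review bot: `name: {{ install_type }}` in the `metadata` stanza leaves the templated value unquoted, so an empty or YAML-looking expansion would change the field's type in the rendered install-config; `name: "{{ install_type }}"` renders identically for `iso`/`agent` and is safe for any other value. The agent branch references `install_host`, which nothing in this commit defines (52-coreos-installer.yml only sets `install_type`), so the template should state its inputs in a leading comment such as `{# requires install_type (iso|agent); agent additionally requires install_host #}`. The `machineNetwork` cidr of `<address>/32` describes only that single host rather than its subnet; if the agent installer expects the machine subnet here (so that a later second node or a VIP would fall inside it), deriving it from the host's `default_ipv4` `network` and `prefix` facts would be more robust — and if a single-host /32 is intentional for SNO, that is worth saying in the same comment.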