Grega Bremec 8 месяцев назад
Сommit
6fb4dc244e

+ 4 - 0
.gitignore

@@ -0,0 +1,4 @@
+.DS_Store
+.*.sw?
+*.vim
+tmp*

+ 57 - 0
broker/bf-brokers.yml

@@ -0,0 +1,57 @@
+apiVersion: kafka.strimzi.io/v1beta2
+kind: Kafka
+metadata:
+  name: bf-brokers
+spec:
+  kafka:
+    version: 3.7.0
+    replicas: 3
+    resources:
+      requests:
+        memory: 512Mi
+        cpu: 500m
+      limits:
+        memory: 2Gi
+        cpu: 2
+    listeners:
+      - name: plain
+        type: internal
+        port: 9092
+        tls: false
+      - name: tls
+        type: internal
+        port: 9093
+        tls: true
+      - name: external
+        type: route
+        port: 9094
+        tls: true
+    storage:
+      deleteClaim: true
+      type: persistent-claim
+      size: 2Gi
+    config:
+      inter.broker.protocol.version: "3.7"
+      log.message.format.version: "3.7"
+      offsets.topic.replication.factor: 3
+      transaction.state.log.replication.factor: 3
+      transaction.state.log.min.isr: 2
+      default.replication.factor: 3
+      min.insync.replicas: 2
+      auto.create.topics.enable: "false"
+  zookeeper:
+    replicas: 1
+    resources:
+      requests:
+        memory: 256Mi
+        cpu: 250m
+      limits:
+        memory: 512Mi
+        cpu: 500m
+    storage:
+      deleteClaim: true
+      type: persistent-claim
+      size: 1Gi
+  entityOperator:
+    topicOperator: {}
+    userOperator: {}
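Review bot: None of the three listeners declares `authentication`, and `spec.kafka` has no `authorization` block, so the `external` route listener on 9094 accepts any client that can reach the route; `tls: true` there only encrypts the connection. The `plain` listener on 9092 also carries traffic unencrypted inside the cluster. Since the `userOperator` is already deployed, consider adding `authentication: {type: tls}` (or `scram-sha-512`) to at least the `external` listener and `authorization: {type: simple}` under `spec.kafka`, and dropping the `plain` listener if nothing needs it. If this is deliberately an open classroom cluster, a comment at the top of the file saying so would keep it from being copied as a baseline.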

+ 3 - 0
broker/kafka.properties

@@ -0,0 +1,3 @@
+security.protocol=SSL
+ssl.truststore.location=./bf-brokers.p12
+ssl.truststore.password=FIXME
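Review bot: `ssl.truststore.password=FIXME` is a placeholder in a tracked file, so the obvious way to get a working client is to edit the real value in place, which risks committing it. Consider tracking this file as a template (for example `kafka.properties.example`) and adding the working copy and `*.p12` to `.gitignore`, which currently covers neither. A comment such as `# truststore and its password are presumably exported from the bf-brokers cluster CA secret; fill in locally, do not commit` would tell the reader where the value comes from. It may also be worth setting `ssl.truststore.type=PKCS12` explicitly, since the file name suggests PKCS#12 while Kafka's default truststore type is JKS.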

+ 12 - 0
broker/kt-test.yml

@@ -0,0 +1,12 @@
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+  name: test-topic
+  labels:
+    strimzi.io/cluster: "bf-brokers"
+spec:
+  partitions: 15
+  replicas: 3
+  config:
+    retention.ms: 604800000   # 7 days
+    segment.bytes: 10485760   # 10MiB

+ 12 - 0
playbooks/ansible.cfg

@@ -0,0 +1,12 @@
+[defaults]
+# required to evade implicit conversion to string in k8s resource_definition
+jinja2_native = True
+inventory = ./inventory.yml
+remote_user = student
+ask_pass = no
+
+[privilege_escalation]
+become = no
+become_method = sudo
+become_askpass = no
+

+ 25 - 0
playbooks/inventory.yml

@@ -0,0 +1,25 @@
+---
+# A simplistic inventory for the classroom VMs.
+all:
+  hosts:
+    workstation.lab.example.com:
+      ansible_connection: local
+    utility.lab.example.com:
+      ansible_user: lab
+    bastion.lab.example.com:
+      ansible_user: root
+  vars:
+    # OpenShift versions.
+    ocp_maj: "4.14"
+    ocp_z: "4.14.0"
+
+    # Operator that needs to be installed.
+    op_cat: redhat-operators
+    op_pkg: amq-streams
+    op_chn: stable
+    desired_csv: amqstreams.v2.7.0-4
+
+    # The list of OpenShift clusters check-env will try to connect to.
+    clusters:
+      - ocp4
+...
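Review bot: `bastion.lab.example.com` is given `ansible_user: root`, yet no play visible in this commit targets that host (the page does not show every changed file, so this is inferred). If the host is needed, an unprivileged login with `become: true` on the tasks that require it is a safer default than direct root SSH. If it is not needed, the entry can be dropped.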

+ 11 - 0
playbooks/pre-flight.yml

@@ -0,0 +1,11 @@
+---
+- name: Pre-flight checks only.
+  hosts: workstation.lab.example.com
+  gather_subset: min
+  become: no
+  roles:
+    - role: check-env
+      tags: check
+    - role: fix-operators
+      tags: fix
+...
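Review bot: The play is named `Pre-flight checks only.` but also runs the `fix-operators` role, whose tasks file in this commit deletes catalog sources and rewrites the cluster-wide pull secret. A plain `ansible-playbook pre-flight.yml` without `--tags` therefore changes the cluster. Tagging the role `tags: [fix, never]` would make the mutating part opt-in via `--tags fix`; alternatively the play name could say what it really does. `become: no` would read more portably as `become: false`.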

+ 52 - 0
playbooks/roles/check-env/tasks/main.yml

@@ -0,0 +1,52 @@
+---
+# Variables affecting this role:
+#
+#  clusters:
+#   just a simple list of clusters to check
+#
+- name: Make sure kubeconfig is there on utility
+  delegate_to: utility.lab.example.com
+  file:
+    path: /home/lab/{{ item }}/auth/kubeconfig
+    state: file
+  loop: "{{ clusters }}"
+
+- name: Create a temp dir
+  file:
+    path: tmp
+    state: directory
+
+- name: Copy over the kubeconfig
+  delegate_to: utility.lab.example.com
+  fetch:
+    src: /home/lab/{{ item }}/auth/kubeconfig
+    dest: tmp/kubeconfig-{{ item }}
+    flat: yes
+  loop: "{{ clusters }}"
+
+- name: We need some packages to be there
+  become: yes
+  yum:
+    name:
+      - java-17-openjdk-headless
+      - java-17-openjdk-devel
+      - python3-jmespath
+      - python3-kubernetes
+    state: latest
+
+#- name: Make sure stuff is in PATH
+#  lineinfile:
+#    path: "{{ ansible_facts['user_dir'] }}/.bashrc"
+#    line: 'PATH="${PATH}:/opt/amq/bin"'
+#    regexp: '^PATH=.*/opt/amq/bin'
+#    insertafter: "^# User specific environment$"
+#    state: present
+#  loop:
+#    - KAFKA_HOME
+
+- name: Verify cluster connectivity
+  kubernetes.core.k8s_cluster_info:
+    kubeconfig: tmp/kubeconfig-{{ item }}
+    validate_certs: no
+  loop: "{{ clusters }}"
+...
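Review bot: `validate_certs: no` in `Verify cluster connectivity` turns off verification of the API server certificate while the fetched kubeconfig's credentials are presented, so the check would also succeed against an impersonated endpoint. An installer-generated kubeconfig normally embeds the cluster CA (worth confirming for this lab), in which case the line can be removed or set to `validate_certs: true`; the same setting recurs in every `k8s`/`k8s_info` task of `playbooks/roles/fix-operators/tasks/main.yml`. The `Create a temp dir` task sets no mode on `tmp`, which then holds copies of the kubeconfigs; adding `mode: "0700"` keeps them private on a shared workstation. `state: latest` in the `yum` task makes runs non-reproducible, and `state: present` is enough for a pre-flight check.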

Разница между файлами не показана из-за своего большого размера
+ 6 - 0
playbooks/roles/fix-operators/files/pull-secret.yml


+ 117 - 0
playbooks/roles/fix-operators/tasks/main.yml

@@ -0,0 +1,117 @@
+---
+# Fixes the openshift-marketplace catalogs by recreating them from original images.
+#
+# Needs the following vars from vars/main.yml:
+#
+#   removed_sources the catalog sources we remove
+#   catalog_sources the catalog sources we recreate
+#
+# These should come from inventory:
+#
+#   op_cat          catalog source
+#   op_pkg          operator package name
+#   op_chn          operator channel
+#   desired_csv     csv we look for
+#
+# This is necessary immediately after lab create.
+- name: Wait for the marketplace-operator to be up
+  k8s_info:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: v1
+    kind: pod
+    namespace: openshift-marketplace
+    label_selectors:
+      - name=marketplace-operator
+  register: mktplc_pod
+  until:
+    - (mktplc_pod.resources | length) == 1
+    - mktplc_pod.resources[0].status.containerStatuses[0].ready
+  retries: 30
+  delay: 10
+
+- name: Make sure the course catalog is not there
+  k8s:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: operators.coreos.com/v1alpha1
+    kind: catalogsource
+    namespace: openshift-marketplace
+    name: "{{ item }}"
+    state: absent
+  loop: "{{ removed_sources }}"
+
+- name: Make sure the pull secret will do for online sources
+  k8s:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: v1
+    kind: secret
+    namespace: openshift-config
+    name: pull-secret
+    state: present
+    definition: "{{ lookup('file', 'files/pull-secret.yml') | from_yaml }}"
+
+- name: Ensure the standard catalog sources are there
+  k8s:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: operators.coreos.com/v1alpha1
+    kind: catalogsource
+    namespace: openshift-marketplace
+    name: "{{ item.name }}"
+    state: present
+    definition:
+      spec:
+        displayName: "{{ item.displ }}"
+        image: "{{ item.image }}"
+        publisher: "Red Hat"
+        sourceType: "grpc"
+  loop: "{{ catalog_sources }}"
+  loop_control:
+    label: "{{ item.displ }}"
+
+- name: Wait for the catalogsources to be ready.
+  k8s_info:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: operators.coreos.com/v1alpha1
+    kind: catalogsource
+    namespace: openshift-marketplace
+    name: "{{ item.name }}"
+  register: cat_stat
+  until:
+    - (cat_stat.resources | length) == 1
+    - cat_stat.resources[0].status is defined
+    - cat_stat.resources[0].status.connectionState.lastObservedState == "READY"
+  retries: 30
+  delay: 10
+  loop: "{{ catalog_sources }}"
+  loop_control:
+    label: "{{ item.displ }}"
+
+- name: Wait for the operator packagemanifest to appear.
+  k8s_info:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: packages.operators.coreos.com/v1
+    kind: packagemanifest
+    namespace: openshift-marketplace
+    name: "{{ op_pkg }}"
+  register: op_mft
+  until:
+    - (op_mft.resources | length) == 1
+    - op_mft.resources[0].status.catalogSource == op_cat
+    - op_mft.resources[0].status.packageName == op_pkg
+  retries: 60
+  delay: 10
+
+- assert:
+    that:
+      - op_mft.resources is defined
+      - (op_mft.resources | length) > 0
+      - op_mft.resources[0].status.catalogSource == op_cat
+      - 'desired_csv in (op_mft.resources[0] | community.general.json_query("status.channels[*].currentCSV") | list)'
+    fail_msg: "ERROR: {{ op_pkg }} package manifest not deployed correctly."
+    success_msg: "OK: {{ op_pkg }} package manifest configured correctly."
+...
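Review bot: The `Make sure the pull secret will do for online sources` task replaces the cluster-wide `pull-secret` in `openshift-config` with the contents of `files/pull-secret.yml`, a file this same commit adds to the repository (its diff is not shown on the page). If that file holds real registry credentials, they are now in git history and should be rotated; keeping the file encrypted with `ansible-vault`, or reading it from a path outside the repository, avoids that. Adding `no_log: true` to the task keeps the secret out of task output and logs. The path `tmp/kubeconfig-ocp4` is also hard-coded in every task although the inventory defines a `clusters` list, and the final `assert` task has no `name:`.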

+ 17 - 0
playbooks/roles/fix-operators/vars/main.yml

@@ -0,0 +1,17 @@
+---
+removed_sources:
+  - do280-catalog
+  - do280-catalog-cs
+  - do288-catalog-cs
+  - do380-catalog-cs
+catalog_sources:
+  - name: redhat-operators
+    displ: Red Hat Operators
+    image: registry.redhat.io/redhat/redhat-operator-index:v{{ ocp_maj }}
+  - name: certified-operators
+    displ: Certified Operators
+    image: registry.redhat.io/redhat/certified-operator-index:v{{ ocp_maj }}
+  - name: community-operators
+    displ: Community Operators
+    image: registry.redhat.io/redhat/community-operator-index:v{{ ocp_maj }}
+...

Некоторые файлы не были показаны из-за большого количества измененных файлов