diff --git a/deploy.yml b/deploy.yml index 877f3b1..b9df7b5 100644 --- a/deploy.yml +++ b/deploy.yml @@ -62,6 +62,8 @@ - role: nsxt/nsxt-mgmt-appliance when: 'nsxt is defined' tags: ["nsxt", "nsxt-mgr"] + # TODO set password expiry + # su admin '-c set user admin set user admin password-expiration 9999' - role: nsxt/nsxt-mgmt-certificate when: 'nsxt is defined' tags: ["nsxt", "nsxt-mgr-cert"] diff --git a/roles/delete-deployment/defaults/main.yml b/roles/delete-deployment/defaults/main.yml new file mode 100644 index 0000000..bf69bf3 --- /dev/null +++ b/roles/delete-deployment/defaults/main.yml @@ -0,0 +1,4 @@ +--- +opsman_ip: "{{ tanzu_opsman_bosh.opsman_ip }}" +opsman_username: "{{ tanzu_opsman_bosh.opsman_username }}" +opsman_password: "{{ tanzu_opsman_bosh.opsman_password }}" diff --git a/roles/delete-deployment/tasks/main.yml b/roles/delete-deployment/tasks/main.yml index 93bcf8b..2494d2c 100644 --- a/roles/delete-deployment/tasks/main.yml +++ b/roles/delete-deployment/tasks/main.yml @@ -9,6 +9,7 @@ state: absent force: true delegate_to: localhost + when: 'nested_vcenter is defined' - name: Remove ESXi hosts VMs community.vmware.vmware_guest: @@ -21,6 +22,7 @@ force: true delegate_to: localhost loop: "{{ nested_hosts }}" + when: 'nested_hosts is defined' - name: Remove NSX-T Manager VM community.vmware.vmware_guest: 
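Review bot: The two comment lines added after the nsxt-mgmt-appliance role entry carry a command that is not valid as written — `su admin '-c set user admin set user admin password-expiration 9999'` puts `-c` inside the single-quoted argument and repeats `set user admin` — so the TODO cannot be executed as pasted. It also records an intent to push the NSX admin password expiry out to 9999 days, which is a relaxation of a security control that should be a deliberate, variable-driven task with a comment stating why, not a pasted shell line in a playbook. Until it is implemented, reduce the comment to `# TODO: manage NSX admin password expiry in the nsxt-mgmt-appliance role` so the file does not ship an unverified command.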
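Review bot: The `when: 'nested_hosts is defined'` added under the task that has `loop: "{{ nested_hosts }}"` (hunk @@ -21,6 +22,7 @@ of roles/delete-deployment/tasks/main.yml) does not protect the loop: Ansible expands `loop` before it evaluates `when` for each item, so an undefined `nested_hosts` still fails the task with an undefined-variable error. Change the loop to `loop: "{{ nested_hosts | default([]) }}"`; the `when` can then stay or go, since an empty loop runs nothing. The `when: 'nested_vcenter is defined'` guard in the first hunk is fine on its own because that task has no loop. Both tasks' module arguments start above the hunks.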
@@ -45,3 +47,42 @@ force: true delegate_to: localhost when: 'nsx_alb is defined' + +- name: Check if Opsman is online + ansible.builtin.uri: + validate_certs: false + url: "http://{{ opsman_ip }}/" + method: GET + status_code: 200,302,301,503 + register: result_opsman_check + until: result_opsman_check.status == 200 + when: 'tanzu_opsman_bosh is defined and not nested_vcenter is defined' + +- name: Delete TAS deployment (if not nested) + args: + executable: /bin/bash + ansible.builtin.shell: + cmd: | + #/bin/bash + set -eu + + unset OM_PASSWORD OM_USERNAME OM_SKIP_SSL_VALIDATION OM_TARGET + + env=$(cat << EOF + {{ lookup('template', 'env.yml') | from_yaml | to_nice_yaml }} + EOF + ) + + om --env <(echo "$env") delete-installation --force + when: 'tanzu_opsman_bosh is defined and not nested_vcenter is defined and result_opsman_check.status == 200' + +- name: Remove Opsman VM + community.vmware.vmware_guest: + hostname: "{{ hosting_vcenter.ip }}" + username: "{{ hosting_vcenter.username }}" + password: "{{ hosting_vcenter.password }}" + validate_certs: false + name: "{{ environment_tag }}-ops-manager" + state: absent + force: true + delegate_to: localhost diff --git a/roles/delete-deployment/templates/env.yml b/roles/delete-deployment/templates/env.yml new file mode 100644 index 0000000..db25516 --- /dev/null +++ b/roles/delete-deployment/templates/env.yml @@ -0,0 +1,15 @@ +--- +target: https://{{ opsman_ip }} +# connect-timeout: 5 # default 5 +# request-timeout: 1800 # default 1800 +skip-ssl-validation: true # default false +username: "{{ opsman_username }}" +password: "{{ opsman_password }}" +# decryption-passphrase is optional, +# except for use with `import-installation`. +# OpsMan depends on the passphrase +# to decrypt the imported installation. +# For other commands, providing this key allows +# decryption of the OpsMan VM after reboot, +# which would otherwise need to be done manually. +decryption-passphrase: "{{ opsman_password }}{{ opsman_password }}" 
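Review bot: `Check if Opsman is online` fails the whole play when Ops Manager is unreachable (a refused connection is not a status code, so `status_code: 200,302,301,503` does not cover it, and `until` has no explicit `retries`/`delay`, leaving the default three attempts), while the `result_opsman_check.status == 200` condition on `Delete TAS deployment` reads as if a failed check should merely skip the deletion. Give the check explicit `retries`/`delay` and `failed_when: false` (or `ignore_errors: true`) so that status test is meaningful. `Delete TAS deployment` renders `opsman_password` into `cmd` through the env.yml template, and `cmd` is part of the task result shown in verbose output and passed to callbacks, so add `no_log: true` to that task. `Remove Opsman VM` is the only removal in this role without a `when:` guard; the preceding removals are conditioned on their object being defined, so `when: 'tanzu_opsman_bosh is defined'` would keep it consistent. The `#/bin/bash` line inside `cmd` is a malformed shebang and inert given `executable: /bin/bash`; drop it or write `#!/bin/bash`.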
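Review bot: `decryption-passphrase: "{{ opsman_password }}{{ opsman_password }}"` in the new env.yml derives the installation decryption passphrase from the admin password, so the two secrets are not independent and the passphrase is only as strong as the doubled password; it also has to match whatever the install role used, which this diff does not show. Introduce a dedicated variable, e.g. `decryption-passphrase: "{{ opsman_decryption_passphrase }}"` sourced from `tanzu_opsman_bosh`, and use the same variable in every env.yml template in the repository. `skip-ssl-validation: true` is set unconditionally in a file that feeds a destructive `delete-installation --force`; a comment noting that the target is identified by IP only and its TLS identity is not checked would make that trade-off visible.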
diff --git a/roles/display-configuration/tasks/main.yml b/roles/display-configuration/tasks/main.yml index c382a04..bb2e0fe 100644 --- a/roles/display-configuration/tasks/main.yml +++ b/roles/display-configuration/tasks/main.yml @@ -76,7 +76,8 @@ {% if tanzu_multi_cloud.generated_config_file is defined %} "tanzu_multi_cloud": { "config_file": "{{ tanzu_multi_cloud.generated_config_file }}", - "mgmt_create_command" : "tanzu management-cluster create --file {{ tanzu_multi_cloud.generated_config_file }}" + "mgmt_create_command" : "tanzu management-cluster create --file {{ tanzu_multi_cloud.generated_config_file }}", + "mgmt_reset_command" : "tanzu context delete {{ environment_tag }}-tkg-mgmt" }, {% endif %} diff --git a/roles/tanzu/application-service/defaults/main.yml b/roles/tanzu/application-service/defaults/main.yml index 3754a6c..9030d0a 100644 --- a/roles/tanzu/application-service/defaults/main.yml +++ b/roles/tanzu/application-service/defaults/main.yml 
@@ -3,21 +3,23 @@ opsman_ip: "{{ tanzu_opsman_bosh.opsman_ip }}" opsman_username: "{{ tanzu_opsman_bosh.opsman_username }}" opsman_password: "{{ tanzu_opsman_bosh.opsman_password }}" -tas_nsx_transport_zone: "{{ tanzu_application_service.nsx.transport_zone }}" -tas_nsx_manager_url: "{{ tanzu_application_service.nsx.nsx_manager_url }}" -tas_nsx_username: "{{ tanzu_application_service.nsx.username }}" -tas_nsx_password: "{{ tanzu_application_service.nsx.password }}" +tas_template_file: "{{ tanzu_application_service.tas_template_file }}" + +tas_nsx_manager_url: "{{ tanzu_application_service.nsx.nsx_manager_url |default(omit) }}" +tas_nsx_username: "{{ tanzu_application_service.nsx.username |default(omit) }}" +tas_nsx_password: "{{ tanzu_application_service.nsx.password |default(omit) }}" +tas_nsx_transport_zone: "{{ tanzu_application_service.nsx.transport_zone |default(omit) }}" tas_nsx_principal_identity: public_key: |- - {{ tanzu_application_service.nsx.principal_identity.public_key }} + {{ tanzu_application_service.nsx.principal_identity.public_key |default(omit) }} private_key: |- - {{ tanzu_application_service.nsx.principal_identity.private_key }} + {{ tanzu_application_service.nsx.principal_identity.private_key |default(omit) }} -tas_nsx_egress_pool_name: "{{ tanzu_application_service.nsx.egress_pool_name }}" -tas_nsx_egress_pool_cidr: "{{ tanzu_application_service.nsx.egress_pool_cidr }}" -tas_nsx_egress_pool_ranges: "{{ tanzu_application_service.nsx.egress_pool_ranges }}" -tas_nsx_container_block_name: "{{ tanzu_application_service.nsx.container_block_name }}" -tas_nsx_container_block_cidr: "{{ tanzu_application_service.nsx.container_block_cidr }}" +tas_nsx_egress_pool_name: "{{ tanzu_application_service.nsx.egress_pool_name |default(omit) }}" +tas_nsx_egress_pool_cidr: "{{ tanzu_application_service.nsx.egress_pool_cidr |default(omit) }}" +tas_nsx_egress_pool_ranges: "{{ tanzu_application_service.nsx.egress_pool_ranges |default(omit) }}" 
+tas_nsx_container_block_name: "{{ tanzu_application_service.nsx.container_block_name |default(omit) }}" +tas_nsx_container_block_cidr: "{{ tanzu_application_service.nsx.container_block_cidr |default(omit) }}" tas_deployment_network: "{{ tanzu_application_service.deployment_network }}" tas_apps_domain: "{{ tanzu_application_service.apps_domain }}" diff --git a/roles/tanzu/application-service/tasks/main.yml b/roles/tanzu/application-service/tasks/main.yml index 7d67c90..899d8c8 100644 --- a/roles/tanzu/application-service/tasks/main.yml +++ b/roles/tanzu/application-service/tasks/main.yml @@ -7,6 +7,7 @@ password: "{{ tas_nsx_password }}" validate_certs: false register: result_nsx_routers + when: "tas_nsx_manager_url is defined and '__omit' not in tas_nsx_manager_url" - name: Fetch NSX Manager cert ansible.builtin.shell: |- @@ -18,15 +19,20 @@ changed_when: false args: executable: /usr/bin/bash + when: "tas_nsx_manager_url is defined and '__omit' not in tas_nsx_manager_url" + +- name: Set Opsman env + ansible.builtin.set_fact: + opsman_env: | + {{ lookup('template', 'env.yml') | from_yaml }} - name: Set NSX facts ansible.builtin.set_fact: nsx_ca_cert: |- - {{ result_nsx_manager_cert_pem.stdout }} + {{ result_nsx_manager_cert_pem.stdout |default("") }} # Expects the T0 to be the first created router, which is not role agnostic - nsx_t0_id: "{{ result_nsx_routers.results[0].id }}" - opsman_env: | - {{ lookup('template', 'env.yml') | from_yaml }} + nsx_t0_id: "{{ result_nsx_routers.results[0].id |default('') }}" + # when: "tas_nsx_manager_url is defined and '__omit' not in tas_nsx_manager_url" - name: Check Gorouter cert hostname args: 
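Review bot: The `| default(omit)` added to every `tas_nsx_*` default sits inside a quoted string (and, for the principal identity keys, a `|-` block), so the result is never the omit sentinel a module would honor — it is an ordinary string containing `__omit_place_holder__…`, which is why the task file has to test `'__omit' not in tas_nsx_manager_url`. That couples the role to an Ansible implementation detail and leaves the placeholder text in any rendered template that reads these variables. Use `| default('')` here and test `tas_nsx_manager_url | length > 0` in the tasks instead, or leave the defaults unset and keep plain `is defined` checks. The same pattern is introduced in roles/tanzu/opsman/configure-bosh/defaults/main.yml (`bosh_nsx_url`, `bosh_nsx_username`, `bosh_nsx_password`) and in the `'__omit' in` tests of both task files.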
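Review bot: The `# when: ...` line left commented under `Set NSX facts` (hunk @@ -18,15 +19,20 @@ of roles/tanzu/application-service/tasks/main.yml) is dead text; a reader cannot tell whether the condition is still wanted or the new `default('')`/`default("")` fallbacks made it unnecessary. Since the task now always runs, delete the commented line and extend the existing comment, e.g. `# Runs unconditionally: nsx_ca_cert and nsx_t0_id fall back to '' when the NSX tasks were skipped`. Note that `nsx_t0_id` falling back to `''` only works because the NSX tile entry is removed later; `Set base vars` still renders ncp.yml (presumably with that empty id) before the entry is dropped.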
@@ -119,11 +125,11 @@ tas_uaa_cert_pair: "{{ result_tas_uaa_cert_pair.stdout | from_json }}" when: tas_uaa_cert_replace -- name: Setting TAS Tile vars +- name: Set base vars ansible.builtin.set_fact: tas_vars: - slug: VMware-NSX-T - file_path: "{{ ncp_tile }}" + file_path: "{{ ncp_tile | default('') }}" product_config: "{{ lookup('template', 'ncp.yml') | from_yaml }}" apply_changes: false - slug: cf @@ -152,6 +158,13 @@ {{ tas_vars }} when: not "srt-2." in tas_tile +- name: Drop NSX Tile vars if 'tas_nsx_manager_url' not set + ansible.builtin.set_fact: + tas_vars: | + {% set _ = tas_vars.pop(0) %} + {{ tas_vars }} + when: not tas_nsx_manager_url is defined or '__omit' in tas_nsx_manager_url + - name: Deploy TAS ansible.builtin.include_role: name: tanzu/opsman/upload-stage-configure-tile diff --git a/roles/tanzu/application-service/templates/tas-nsx.yml b/roles/tanzu/application-service/templates/tas-nsx.yml new file mode 100644 index 0000000..4f71dbf --- /dev/null +++ b/roles/tanzu/application-service/templates/tas-nsx.yml 
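Review bot: `Drop NSX Tile vars if 'tas_nsx_manager_url' not set` removes the NSX tile by position (`{% set _ = tas_vars.pop(0) %}`), which silently drops the wrong tile if the list order in `Set base vars` ever changes, and it rebuilds the fact by rendering the list to text and relying on Ansible to turn it back into a list. Select by slug instead: `tas_vars: "{{ tas_vars | rejectattr('slug', 'equalto', 'VMware-NSX-T') | list }}"`. The task's `when:` tests `not tas_nsx_manager_url is defined`, but the role defaults now always define that variable (with the omit placeholder), so only the `'__omit' in` half can ever be true; with `default('')` in the defaults, `tas_nsx_manager_url | length == 0` would state the condition honestly.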
@@ -0,0 +1,527 @@ +--- +product-name: cf +product-properties: + .cloud_controller.allow_app_ssh_access: + value: true + .cloud_controller.apps_domain: + value: "{{ tas_apps_domain }}" + # .cloud_controller.default_app_memory: + # value: 1024 + # .cloud_controller.default_app_ssh_access: + # value: true + # .cloud_controller.default_disk_quota_app: + # value: 1024 + # .cloud_controller.default_quota_max_number_services: + # value: 100 + # .cloud_controller.default_quota_memory_limit_mb: + # value: 10240 + # .cloud_controller.enable_custom_buildpacks: + # value: true + # .cloud_controller.encrypt_key: + # value: {} + # .cloud_controller.max_disk_quota_app: + # value: 2048 + # .cloud_controller.max_file_size: + # value: 1024 + # .cloud_controller.max_package_size: + # value: 2147483648 + # .cloud_controller.security_event_logging_enabled: + # value: true + # .cloud_controller.staging_timeout_in_seconds: + # value: 900 + .cloud_controller.system_domain: + value: "{{ tas_sys_domain }}" + # .diego_brain.starting_container_count_maximum: + # value: 200 + # .mysql.cli_history: + # value: true + # .mysql.max_connections: + # value: 3500 + # .mysql.prevent_node_auto_rejoin: + # value: false + # .mysql.remote_admin_access: + # value: false + # .mysql_monitor.poll_frequency: + # value: 30 + .mysql_monitor.recipient_email: + value: dummy@dummy.dummy + # .mysql_monitor.write_read_delay: + # value: 20 + # .mysql_proxy.enable_inactive_mysql_port: + # value: false + # .mysql_proxy.shutdown_delay: + # value: 30 + # .mysql_proxy.startup_delay: + # value: 0 + .nfs_server.blobstore_internal_access_rules: + value: allow 10.0.0.0/8;,allow 172.16.0.0/12;,allow 192.168.0.0/16;,allow 100.64.0.0/10; + # .properties.app_graceful_shutdown_period_in_seconds: + # value: 10 + # .properties.app_log_rate_limiting: + # selected_option: disable + # value: disable + # .properties.autoscale_api_disable_connection_pooling: + # value: false + # .properties.autoscale_api_instance_count: + # value: 1 + # 
.properties.autoscale_enable_notifications: + # value: true + # .properties.autoscale_enable_verbose_logging: + # value: false + # .properties.autoscale_instance_count: + # value: 3 + # .properties.autoscale_metric_bucket_count: + # value: 120 + # .properties.autoscale_scaling_interval_in_seconds: + # value: 35 + # .properties.cc_api_rate_limit: + # selected_option: disable + # value: disable + # .properties.cc_logging_level: + # value: info + # .properties.ccdb_connection_validation_timeout: + # value: 3600 + # .properties.ccdb_read_timeout: + # value: 3600 + # .properties.cf_networking_database_connection_timeout: + # value: 120 + # .properties.cf_networking_enable_space_developer_self_service: + # value: false + # .properties.cf_networking_internal_domains: + # value: + # - name: apps.internal + # .properties.cloud_controller_audit_events_cutoff_age_in_days: + # value: 31 + # .properties.cloud_controller_completed_tasks_cutoff_age_in_days: + # value: 31 + # .properties.cloud_controller_default_health_check_timeout: + # value: 60 + # .properties.cloud_controller_post_bbr_healthcheck_timeout_in_seconds: + # value: 60 + # .properties.cloud_controller_temporary_disable_deployments: + # value: false + # .properties.cloud_controller_worker_alert_if_above_mb: + # value: 384 + # .properties.cloud_controller_worker_restart_if_above_mb: + # value: 512 + # .properties.cloud_controller_worker_restart_if_consistently_above_mb: + # value: 384 + .properties.container_networking: + selected_option: enable + value: enable + .properties.container_networking_interface_plugin: + selected_option: external + value: external + .properties.credhub_database: + selected_option: internal_mysql + value: internal_mysql + # .properties.credhub_hsm_provider_client_certificate: + # value: {} + # .properties.credhub_hsm_provider_partition_password: + # value: {} + .properties.credhub_internal_provider_keys: + value: + - key: + secret: "{{ tas_credhub_key }}" + name: int-encrypt + primary: true 
+ # .properties.default_loggregator_drain_metadata: + # value: true + # .properties.diego_database_max_open_connections: + # value: 100 + # .properties.disable_logs_in_firehose: + # value: false + # .properties.enable_garden_containerd_mode: + # value: true + # .properties.enable_log_cache_syslog_ingestion: + # value: false + # .properties.enable_smb_volume_driver: + # value: true + # .properties.enable_tls_to_internal_pxc: + # value: false + # .properties.enable_v1_firehose: + # value: true + # .properties.enable_v2_firehose: + # value: true + # .properties.garden_disk_cleanup: + # selected_option: reserved + # value: reserved + # .properties.garden_disk_cleanup.reserved.reserved_space_for_other_jobs_in_mb: + # value: 15360 + # .properties.gorouter_ssl_ciphers: + # value: ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + # .properties.haproxy_client_cert_validation: + # selected_option: none + # value: none + .properties.haproxy_forward_tls: + selected_option: disable + value: disable + # .properties.haproxy_hsts_support: + # selected_option: disable + # value: disable + # .properties.haproxy_max_buffer_size: + # value: 16384 + # .properties.haproxy_ssl_ciphers: + # value: DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384 + # .properties.locket_database_max_open_connections: + # value: 200 + # .properties.log_cache_max_per_source: + # value: 100000 + # .properties.logging_timestamp_format: + # selected_option: rfc3339 + # value: rfc3339 + # .properties.metric_registrar_blacklisted_tags: + # value: deployment,job,index,ip + # .properties.metric_registrar_enabled: + # value: true + # .properties.metric_registrar_scrape_interval_in_seconds: + # value: 35 + # .properties.mysql_activity_logging: + # selected_option: enable + # value: enable + # .properties.mysql_activity_logging.enable.audit_logging_events: + # value: connect,query + .properties.networking_poe_ssl_certs: + value: + - 
certificate: + cert_pem: | + {{ tas_gorouter_cert_pair.certificate | default(omit) | indent(12) }} + private_key_pem: | + {{ tas_gorouter_cert_pair.key | default(omit) | indent(12) }} + name: tas-gorouters + # .properties.networkpolicyserver_database_max_open_connections: + # value: 200 + # .properties.networkpolicyserverinternal_database_max_open_connections: + # value: 200 + .properties.nfs_volume_driver: + selected_option: disable + value: disable + # .properties.nfs_volume_driver.enable.ldap_service_account_password: + # value: {} + # .properties.push_apps_manager_app_poll_interval: + # value: 10 + # .properties.push_apps_manager_buildpack: + # value: staticfile_buildpack + # .properties.push_apps_manager_currency_lookup: + # value: '{ "usd": "$", "eur": "€" }' + # .properties.push_apps_manager_display_plan_prices: + # value: false + # .properties.push_apps_manager_enable_invitations: + # value: true + # .properties.push_apps_manager_invitations_buildpack: + # value: nodejs_buildpack + # .properties.push_apps_manager_poll_interval: + # value: 30 + # .properties.push_apps_manager_search_server_buildpack: + # value: nodejs_buildpack + # .properties.push_usage_service_cutoff_age_in_days: + # value: 365 + # .properties.route_integrity: + # selected_option: tls_verify + # value: tls_verify + # .properties.route_services: + # selected_option: enable + # value: enable + # .properties.route_services.enable.ignore_ssl_cert_verification: + # value: false + # .properties.route_services.enable.internal_lookup: + # value: false + # .properties.router_backend_max_conn: + # value: 500 + # .properties.router_balancing_algorithm: + # selected_option: round_robin + # value: round-robin + # .properties.router_client_cert_validation: + # selected_option: request + # value: request + # .properties.router_enable_proxy: + # value: false + # .properties.router_keepalive_connections: + # selected_option: enable + # value: enable + # .properties.router_sticky_session_cookie_names: + # 
value: + # - name: JSESSIONID + # .properties.routing_disable_http: + # value: false + # .properties.routing_log_client_ips: + # selected_option: log_client_ips + # value: log_client_ips + # .properties.routing_minimum_tls_version: + # selected_option: tls_v1_2 + # value: tls_v1_2 + .properties.routing_tls_termination: + selected_option: router + value: router + # .properties.saml_signature_algorithm: + # value: SHA256 + # .properties.secure_service_instance_credentials: + # value: false + .properties.security_acknowledgement: + value: x + # .properties.service_discovery_controller_staleness_threshold: + # value: 600 + # .properties.smoke_tests: + # selected_option: on_demand + # value: on_demand + # .properties.smtp_auth_mechanism: + # value: plain + # .properties.smtp_credentials: + # value: {} + # .properties.smtp_enable_starttls_auto: + # value: false + # .properties.syslog_drop_debug: + # value: true + # .properties.syslog_tls: + # selected_option: disabled + # value: disabled + # .properties.syslog_use_tcp_for_file_forwarding_local_transport: + # value: false + # .properties.system_blobstore: + # selected_option: internal + # value: internal + # .properties.system_blobstore_backup_level: + # selected_option: all + # value: all + # .properties.system_blobstore_ccdroplet_max_staged_droplets_stored: + # value: 5 + # .properties.system_blobstore_ccpackage_max_valid_packages_stored: + # value: 5 + # .properties.system_database: + # selected_option: internal_pxc + # value: internal_pxc + # .properties.system_metrics_scraper_scrape_interval: + # value: 15s + # .properties.tcp_routing: + # selected_option: disable + # value: disable + # .properties.uaa: + # selected_option: internal + # value: internal + # .properties.uaa.internal.password_expires_after_months: + # value: 0 + # .properties.uaa.internal.password_max_retry: + # value: 5 + # .properties.uaa.internal.password_min_length: + # value: 0 + # .properties.uaa.internal.password_min_lowercase: + # value: 0 + # 
.properties.uaa.internal.password_min_numeric: + # value: 0 + # .properties.uaa.internal.password_min_special: + # value: 0 + # .properties.uaa.internal.password_min_uppercase: + # value: 0 + # .properties.uaa_database: + # selected_option: internal_mysql + # value: internal_mysql + # .properties.uaa_session_cookie_max_age: + # value: 28800 + # .properties.uaa_session_idle_timeout: + # value: 1800 + # .router.disable_insecure_cookies: + # value: false + # .router.drain_timeout: + # value: 900 + # .router.drain_wait: + # value: 20 + # .router.enable_isolated_routing: + # value: false + # .router.enable_write_access_logs: + # value: true + # .router.enable_zipkin: + # value: true + # .router.frontend_idle_timeout: + # value: 900 + # .router.lb_healthy_threshold: + # value: 20 + # .router.max_header_kb: + # value: 1024 + # .router.request_timeout_in_seconds: + # value: 900 + .router.static_ips: + value: "{{ tas_gorouter_ip }}" + # .uaa.apps_manager_access_token_lifetime: + # value: 3600 + # .uaa.cf_cli_access_token_lifetime: + # value: 7200 + # .uaa.cf_cli_refresh_token_lifetime: + # value: 1209600 + # .uaa.customize_password_label: + # value: Password + # .uaa.customize_username_label: + # value: Email + # .uaa.enable_uri_encoding_compatibility_mode: + # value: true + # .uaa.enforce_system_zone_policy_in_all_zones: + # value: true + # .uaa.proxy_ips_regex: + # value: 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3} + .uaa.service_provider_key_credentials: + value: + cert_pem: | + {{ tas_uaa_cert_pair.certificate | default(omit) | indent(8) }} + private_key_pem: | + {{ tas_uaa_cert_pair.key | default(omit) | indent(8) }} + # .uaa.service_provider_key_password: + # value: {} +network-properties: + network: + name: "{{ tas_deployment_network }}" + other_availability_zones: + - name: az1 + 
singleton_availability_zone: + name: az1 +resource-config: + backup_restore: + max_in_flight: 1 + additional_networks: [] + additional_vm_extensions: [] + instance_type: + id: automatic + instances: 0 + nsxt: + lb: + server_pools: [] + ns_groups: [] + vif_type: null + persistent_disk: + name: automatic + size_mb: automatic + swap_as_percent_of_memory_size: automatic + blobstore: + max_in_flight: 1 + additional_networks: [] + additional_vm_extensions: [] + instance_type: + id: automatic + instances: automatic + nsxt: + lb: + server_pools: [] + ns_groups: [] + vif_type: null + persistent_disk: + name: automatic + size_mb: automatic + swap_as_percent_of_memory_size: automatic + compute: + max_in_flight: 4% + additional_networks: [] + additional_vm_extensions: [] + instance_type: + id: automatic + instances: automatic + nsxt: + lb: + server_pools: [] + ns_groups: [] + vif_type: null + swap_as_percent_of_memory_size: automatic + control: + max_in_flight: 1 + additional_networks: [] + additional_vm_extensions: [] + instance_type: + id: automatic + instances: automatic + nsxt: + lb: + server_pools: [] + ns_groups: [] + vif_type: null + swap_as_percent_of_memory_size: automatic + database: + max_in_flight: 1 + additional_networks: [] + additional_vm_extensions: [] + instance_type: + id: automatic + instances: automatic + nsxt: + lb: + server_pools: [] + ns_groups: [] + vif_type: null + persistent_disk: + name: automatic + size_mb: automatic + swap_as_percent_of_memory_size: automatic + # ha_proxy: + # max_in_flight: 1 + # additional_networks: [] + # additional_vm_extensions: [] + # instance_type: + # id: automatic + # instances: 0 + # nsxt: + # lb: + # server_pools: [] + # ns_groups: [] + # vif_type: null + # swap_as_percent_of_memory_size: automatic + mysql_monitor: + max_in_flight: 1 + additional_networks: [] + additional_vm_extensions: [] + instance_type: + id: automatic + instances: automatic + nsxt: + lb: + server_pools: [] + ns_groups: [] + vif_type: null + 
swap_as_percent_of_memory_size: automatic + router: + max_in_flight: 1 + additional_networks: [] + additional_vm_extensions: [] + instance_type: + id: automatic + instances: automatic + nsxt: + lb: + server_pools: [] + ns_groups: [] + vif_type: null + swap_as_percent_of_memory_size: automatic + tcp_router: + max_in_flight: 1 + additional_networks: [] + additional_vm_extensions: [] + instance_type: + id: automatic + instances: 0 + nsxt: + lb: + server_pools: [] + ns_groups: [] + vif_type: null + persistent_disk: + name: automatic + size_mb: automatic + swap_as_percent_of_memory_size: automatic +errand-config: + deploy-autoscaler: + post-deploy-state: true + deploy-notifications: + post-deploy-state: true + deploy-notifications-ui: + post-deploy-state: true + metric_registrar_smoke_test: + post-deploy-state: false + nfsbrokerpush: + post-deploy-state: false + push-apps-manager: + post-deploy-state: true + push-usage-service: + post-deploy-state: true + rotate_cc_database_key: + post-deploy-state: false + smbbrokerpush: + post-deploy-state: false + smoke_tests: + post-deploy-state: true + test-autoscaling: + post-deploy-state: true diff --git a/roles/tanzu/application-service/templates/tas.yml b/roles/tanzu/application-service/templates/tas.yml index 4f71dbf..23dbbe2 100644 --- a/roles/tanzu/application-service/templates/tas.yml +++ b/roles/tanzu/application-service/templates/tas.yml @@ -109,9 +109,9 @@ product-properties: .properties.container_networking: selected_option: enable value: enable - .properties.container_networking_interface_plugin: - selected_option: external - value: external + # .properties.container_networking_interface_plugin: + # selected_option: external + # value: external .properties.credhub_database: selected_option: internal_mysql value: internal_mysql 
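Review bot: In the new `tas-nsx.yml` template, the certificate fields use `| default(omit) | indent(...)` inside `cert_pem: |` / `private_key_pem: |` block scalars (`.properties.networking_poe_ssl_certs` and `.uaa.service_provider_key_credentials`), where `omit` cannot take effect: an unset cert pair renders the placeholder text as the PEM body instead of leaving the property out. Guard each property with `{% if tas_gorouter_cert_pair is defined %}` … `{% endif %}` (likewise for `tas_uaa_cert_pair`) or fall back with `default('')`. The file's blob id (4f71dbf) is the pre-change blob of `tas.yml`, so it is a verbatim copy of that template; a header comment naming the keys that are meant to differ from `tas.yml` would keep the two from drifting apart. `.properties.security_acknowledgement: value: x` and `.mysql_monitor.recipient_email: value: dummy@dummy.dummy` are placeholders and deserve a comment saying so.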
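Review bot: Commenting out `.properties.container_networking_interface_plugin` in `tas.yml` (hunk @@ -109,9 +109,9 @@) leaves the tile's own default in force without saying which behaviour is expected. A comment above the commented block, e.g. `# container networking plugin left at the tile default; the external (NCP) variant lives in tas-nsx.yml`, would record why this template and `tas-nsx.yml` diverge here.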
@@ -504,11 +504,11 @@ resource-config: swap_as_percent_of_memory_size: automatic errand-config: deploy-autoscaler: - post-deploy-state: true + post-deploy-state: false deploy-notifications: - post-deploy-state: true + post-deploy-state: false deploy-notifications-ui: - post-deploy-state: true + post-deploy-state: false metric_registrar_smoke_test: post-deploy-state: false nfsbrokerpush: @@ -516,7 +516,7 @@ errand-config: push-apps-manager: post-deploy-state: true push-usage-service: - post-deploy-state: true + post-deploy-state: false rotate_cc_database_key: post-deploy-state: false smbbrokerpush: @@ -524,4 +524,4 @@ errand-config: smoke_tests: post-deploy-state: true test-autoscaling: - post-deploy-state: true + post-deploy-state: false diff --git a/roles/tanzu/opsman/configure-bosh/defaults/main.yml b/roles/tanzu/opsman/configure-bosh/defaults/main.yml index 43ca1c0..338364d 100644 --- a/roles/tanzu/opsman/configure-bosh/defaults/main.yml +++ b/roles/tanzu/opsman/configure-bosh/defaults/main.yml @@ -14,9 +14,10 @@ bosh_vcenter_datastore_persistent: "{{ tanzu_opsman_bosh.vcenter_datastore }}" bosh_vcenter_username: "{{ tanzu_opsman_bosh.vcenter_username }}" bosh_vcenter_password: "{{ tanzu_opsman_bosh.vcenter_password }}" -bosh_nsx_url: "{{ tanzu_opsman_bosh.nsx_url }}" -bosh_nsx_username: "{{ tanzu_opsman_bosh.nsx_username }}" -bosh_nsx_password: "{{ tanzu_opsman_bosh.nsx_password }}" +bosh_nsx_url: "{{ tanzu_opsman_bosh.nsx_url | default(omit) }}" +bosh_nsx_username: "{{ tanzu_opsman_bosh.nsx_username | default(omit) }}" +bosh_nsx_password: "{{ tanzu_opsman_bosh.nsx_password | default(omit) }}" +bosh_template_file: "{{ tanzu_opsman_bosh.bosh_template_file }}" bosh_ssh_public_key: "{{ tanzu_opsman_bosh.ssh_public_key }}" bosh_username: "{{ tanzu_opsman_bosh.username }}" diff --git a/roles/tanzu/opsman/configure-bosh/tasks/main.yml b/roles/tanzu/opsman/configure-bosh/tasks/main.yml index 487b4e7..517fe21 100644 
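Review bot: The three errand hunks of `tas.yml` (@@ -504, @@ -516, @@ -524) flip `deploy-autoscaler`, `deploy-notifications`, `deploy-notifications-ui`, `push-usage-service` and `test-autoscaling` to `post-deploy-state: false`, while the copy in the new `tas-nsx.yml` keeps all of them `true`, and nothing in the commit says whether the NSX deployment is meant to keep those errands. If the difference is intended, a comment above `errand-config:` in each file stating why would stop the next edit from re-syncing them; if not, the same values belong in `tas-nsx.yml`.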
--- a/roles/tanzu/opsman/configure-bosh/tasks/main.yml +++ b/roles/tanzu/opsman/configure-bosh/tasks/main.yml @@ -9,19 +9,25 @@ executable: /usr/bin/bash register: result_nsx_manager_cert_pem changed_when: false + when: "bosh_nsx_url is defined and '__omit' not in bosh_nsx_url" - name: Set NSX CA Cert ansible.builtin.set_fact: nsx_ca_cert: |- {{ result_nsx_manager_cert_pem.stdout }} + when: "bosh_nsx_url is defined and '__omit' not in bosh_nsx_url" - name: Set variables ansible.builtin.set_fact: bosh_config: | - {{ lookup('template', 'p-bosh.yml') | from_yaml }} + {{ lookup('template', bosh_template_file) | from_yaml }} opsman_env: | {{ lookup('template', 'env.yml') | from_yaml }} +- name: Show Opsman/bosh config + debug: + var: bosh_config + - name: Configure Bosh Director args: executable: /bin/bash diff --git a/roles/tanzu/opsman/configure-bosh/templates/p-bosh-nsx.yml b/roles/tanzu/opsman/configure-bosh/templates/p-bosh-nsx.yml new file mode 100644 index 0000000..cad3b11 --- /dev/null +++ b/roles/tanzu/opsman/configure-bosh/templates/p-bosh-nsx.yml 
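Review bot: The new `Show Opsman/bosh config` task prints `bosh_config` with `debug`, and that fact is the rendered p-bosh template, whose `iaas-configurations` carry `vcenter_password` and, in the NSX variant, `nsx_password` in clear text — so every run writes IaaS credentials to the console and to whatever collects playbook output. If the dump is needed for troubleshooting, restrict it with `verbosity: 2`, state in a comment that the output contains credentials, or print only a non-secret subset such as `var: bosh_config['networks-configuration']`. Use the FQCN `ansible.builtin.debug:` as the rest of the file does. The new guard on `Set NSX CA Cert` leaves `nsx_ca_cert` undefined on the non-NSX path; that is fine for `p-bosh.yml` after this diff, but any template selected via `bosh_template_file` that still references it will fail at lookup time.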
@@ -0,0 +1,121 @@ +--- +az-configuration: + - name: az1 + iaas_configuration_name: default + clusters: + - cluster: "{{ bosh_vcenter_cluster }}" + drs_rule: MUST + host_group: null + resource_pool: null +iaas-configurations: + - additional_cloud_properties: {} + bosh_disk_path: "{{ bosh_disk_path }}" + bosh_template_folder: "{{ bosh_template_folder }}" + bosh_vm_folder: "{{ bosh_vm_folder }}" + datacenter: "{{ bosh_vcenter_datacenter }}" + disk_type: thin + ephemeral_datastore_clusters_string: "" + ephemeral_datastores_string: "{{ bosh_vcenter_datastore_ephemeral }}" + name: default + nsx_address: "{{ bosh_nsx_url }}" + nsx_ca_certificate: |- + {{ nsx_ca_cert | indent(6) }} + nsx_mode: nsx-t + nsx_networking_enabled: true + nsx_password: "{{ bosh_nsx_password }}" + nsx_t_auth_type: local_user + nsx_t_use_policy_api: false + nsx_username: "{{ bosh_nsx_username }}" + persistent_datastore_clusters_string: "" + persistent_datastores_string: "{{ bosh_vcenter_datastore_persistent }}" + ssl_verification_enabled: false + vcenter_host: "{{ bosh_vcenter_url }}" + vcenter_password: "{{ bosh_vcenter_password }}" + vcenter_username: "{{ bosh_vcenter_username }}" +network-assignment: + network: + name: infra + other_availability_zones: [] + singleton_availability_zone: + name: az1 +networks-configuration: + icmp_checks_enabled: true + networks: + {{ bosh_networks | to_yaml | indent(4) }} +properties-configuration: + director_configuration: + additional_ssh_users: [] + blobstore_type: local + bosh_director_recreate_on_next_deploy: false + bosh_recreate_on_next_deploy: false + bosh_recreate_persistent_disks_on_next_deploy: false + ca_certificate_duration: 1460 + database_type: internal + director_metrics_server_enabled: true + director_worker_count: 5 + duration_overrides_enabled: false + encryption: + keys: [] + providers: [] + hm_emailer_options: + enabled: false + hm_pager_duty_options: + enabled: false + identification_tags: {} + job_configuration_on_tmpfs: false + 
keep_unreachable_vms: false + leaf_certificate_duration: 730 + local_blobstore_options: + enable_signed_urls: true + metrics_server_enabled: true + ntp_servers_string: "{{ bosh_ntp }}" + post_deploy_enabled: false + resurrector_enabled: true + retry_bosh_deploys: false + short_lived_nats_bootstrap_credentials_enabled: false + skip_director_drain: false + system_metrics_runtime_enabled: true + dns_configuration: + excluded_recursors: [] + handlers: [] + security_configuration: + clear_default_trusted_certificates_store: false + generate_vm_passwords: true + opsmanager_root_ca_trusted_certs: true + trusted_certificates: |- + {{ bosh_trusted_ca_certs | default(omit) | indent(6) }} + syslog_configuration: + enabled: false +resource-configuration: + compilation: + additional_networks: [] + additional_vm_extensions: [] + instance_type: + id: automatic + instances: automatic + nsx: + lbs: [] + security_groups: [] + nsxt: + lb: + server_pools: [] + ns_groups: [] + swap_as_percent_of_memory_size: automatic + director: + additional_networks: [] + additional_vm_extensions: [] + instance_type: + id: automatic + instances: automatic + nsx: + lbs: [] + security_groups: [] + nsxt: + lb: + server_pools: [] + ns_groups: [] + persistent_disk: + size_mb: automatic + swap_as_percent_of_memory_size: automatic +vmextensions-configuration: [] +vmtypes-configuration: {} diff --git a/roles/tanzu/opsman/configure-bosh/templates/p-bosh.yml b/roles/tanzu/opsman/configure-bosh/templates/p-bosh.yml index cad3b11..0e02aa7 100644 --- a/roles/tanzu/opsman/configure-bosh/templates/p-bosh.yml +++ b/roles/tanzu/opsman/configure-bosh/templates/p-bosh.yml 
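Review bot: `p-bosh-nsx.yml` is a verbatim copy of the previous `p-bosh.yml` (same blob cad3b11), and it renders `nsx_ca_certificate: |- {{ nsx_ca_cert | indent(6) }}` with no default while `nsx_ca_cert` is now only set when `bosh_nsx_url` is defined, so selecting this template through `bosh_template_file` without the NSX variables fails with an undefined `nsx_ca_cert` rather than a clear message. Add a header comment stating the prerequisite, e.g. `# Requires tanzu_opsman_bosh.nsx_url/nsx_username/nsx_password; nsx_ca_cert is fetched by tasks/main.yml`, or an `ansible.builtin.assert` in the tasks before the lookup. `trusted_certificates: |- {{ bosh_trusted_ca_certs | default(omit) | indent(6) }}` has the omit-in-a-block-scalar problem: an unset value renders the placeholder string, so `default('')` is the honest fallback. `ssl_verification_enabled: false` disables vCenter certificate checking for the director even though a CA certificate is supplied for NSX; if that is deliberate, a comment should say so.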
@@ -17,15 +17,6 @@ iaas-configurations: ephemeral_datastore_clusters_string: "" ephemeral_datastores_string: "{{ bosh_vcenter_datastore_ephemeral }}" name: default - nsx_address: "{{ bosh_nsx_url }}" - nsx_ca_certificate: |- - {{ nsx_ca_cert | indent(6) }} - nsx_mode: nsx-t - nsx_networking_enabled: true - nsx_password: "{{ bosh_nsx_password }}" - nsx_t_auth_type: local_user - nsx_t_use_policy_api: false - nsx_username: "{{ bosh_nsx_username }}" persistent_datastore_clusters_string: "" persistent_datastores_string: "{{ bosh_vcenter_datastore_persistent }}" ssl_verification_enabled: false @@ -93,13 +84,6 @@ resource-configuration: instance_type: id: automatic instances: automatic - nsx: - lbs: [] - security_groups: [] - nsxt: - lb: - server_pools: [] - ns_groups: [] swap_as_percent_of_memory_size: automatic director: additional_networks: [] @@ -107,13 +91,6 @@ resource-configuration: instance_type: id: automatic instances: automatic - nsx: - lbs: [] - security_groups: [] - nsxt: - lb: - server_pools: [] - ns_groups: [] persistent_disk: size_mb: automatic swap_as_percent_of_memory_size: automatic diff --git a/roles/tanzu/opsman/install-opsman/tasks/main.yml b/roles/tanzu/opsman/install-opsman/tasks/main.yml index 51ff5d6..fb89917 100644 --- a/roles/tanzu/opsman/install-opsman/tasks/main.yml +++ b/roles/tanzu/opsman/install-opsman/tasks/main.yml @@ -3,8 +3,6 @@ # Importing templates as variables to allow for debugging - name: Set variables ansible.builtin.set_fact: - # opsman_config: | - # {{ lookup('template', 'opsman.yml') | from_yaml }} opsman_env: | {{ lookup('template', 'env.yml') | from_yaml }} @@ -36,6 +34,7 @@ DNS: "{{ opsman_dns }}" ntp_servers: "{{ opsman_ntp }}" public_ssh_key: "{{ opsman_ssh_public_key }}" + custom_hostname: opsman register: result_opsman_create # Added retries to allow NSX segment to take time to propogate retries: 3 
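Review bot: `custom_hostname: opsman` in the install-opsman hunk hard-codes the guest hostname while the neighbouring keys (`DNS`, `ntp_servers`, `public_ssh_key`) are all templated from role variables, and the var examples in this same diff set `hostname: "{{ environment_tag }}-ops-manager"` under `tanzu_opsman_bosh`, so every environment deployed through this role now gets the same hostname regardless of `environment_tag`. Wiring it to that value — `custom_hostname: "{{ <role hostname variable> }}"`, using whatever name the role gives to `tanzu_opsman_bosh.hostname` (the role defaults are not visible here) — keeps the per-environment naming consistent and avoids hostname collisions when several environments share the hosting network. The task definition starts and ends outside the hunk.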
diff --git a/roles/tanzu/opsman/upload-stage-configure-tile/tasks/main.yml b/roles/tanzu/opsman/upload-stage-configure-tile/tasks/main.yml index 707da46..5d05926 100644 --- a/roles/tanzu/opsman/upload-stage-configure-tile/tasks/main.yml +++ b/roles/tanzu/opsman/upload-stage-configure-tile/tasks/main.yml @@ -109,3 +109,4 @@ delay: 10 until: result_apply_changes.rc == 0 when: 'not item.apply_changes is defined or item.apply_changes' + tags: ["opsman-apply-changes"] diff --git a/var-examples/tanzu/application-service/opinionated-1host-manager-api.yml b/var-examples/tanzu/application-service/opinionated-1host-nsx-manager-api.yml similarity index 98% rename from var-examples/tanzu/application-service/opinionated-1host-manager-api.yml rename to var-examples/tanzu/application-service/opinionated-1host-nsx-manager-api.yml index 8131b88..4cc125a 100644 --- a/var-examples/tanzu/application-service/opinionated-1host-manager-api.yml +++ b/var-examples/tanzu/application-service/opinionated-1host-nsx-manager-api.yml 
@@ -1,16 +1,16 @@ --- # SOFTWARE_DIR must contain all required software -vc_iso: "{{ lookup('env', 'SOFTWARE_DIR') }}/VMware-VCSA-all-7.0.3-21477706.iso" -esxi_ova: "{{ lookup('env', 'SOFTWARE_DIR') }}/Nested_ESXi7.0u3k_Appliance_Template_v1.ova" -nsxt_ova: "{{ lookup('env', 'SOFTWARE_DIR') }}/nsx-unified-appliance-3.2.3.0.0.21703641.ova" +vc_iso: "{{ lookup('env', 'SOFTWARE_DIR') }}/VMware-VCSA-all-7.0.3-22837322.iso" +esxi_ova: "{{ lookup('env', 'SOFTWARE_DIR') }}/Nested_ESXi7.0u3o_Appliance_Template_v2.ova" +nsxt_ova: "{{ lookup('env', 'SOFTWARE_DIR') }}/nsx-unified-appliance-3.2.3.1.0.22104638.ova" opsman_ova: "{{ lookup('env', 'SOFTWARE_DIR') }}/ops-manager-vsphere-3.0.11+LTS-T.ova" -tas_tile: "{{ lookup('env', 'SOFTWARE_DIR') }}/srt-2.11.41-build.2.pivotal" +tas_tile: "{{ lookup('env', 'SOFTWARE_DIR') }}/srt-4.0.4-build.2.pivotal" # tas_tile: "{{ lookup('env', 'SOFTWARE_DIR') }}/srt-4.0.4-build.2.pivotal" tas_stemcell: "{{ lookup('env', 'SOFTWARE_DIR') }}/bosh-stemcell-621.561-vsphere-esxi-ubuntu-xenial-go_agent.tgz" # tas_stemcell: "{{ lookup('env', 'SOFTWARE_DIR') }}/bosh-stemcell-1.148-vsphere-esxi-ubuntu-jammy-go_agent.tgz" ncp_tile: "{{ lookup('env', 'SOFTWARE_DIR') }}/VMware-NSX-T-4.0.1.20665035.pivotal" -environment_tag: "tas" # Used to prepend object names in hosting vCenter +environment_tag: "tas-nsx" # Used to prepend object names in hosting vCenter dns_server: "192.168.0.1" dns_domain: "home.local" ntp_server_ip: "192.168.0.1" # Must be set to an IP address! @@ -387,6 +387,8 @@ tanzu_opsman_bosh: dns: "{{ dns_server }}" ntp: "{{ ntp_server_ip }}" + bosh_template_file: p-bosh-nsx.yml + bosh_networks: - name: infra subnets: diff --git a/var-examples/tanzu/application-service/opinionated-not-nested.yml b/var-examples/tanzu/application-service/opinionated-not-nested.yml new file mode 100644 index 0000000..b23b1ff --- /dev/null +++ b/var-examples/tanzu/application-service/opinionated-not-nested.yml 
@@ -0,0 +1,102 @@
+---
+# SOFTWARE_DIR must contain all required software
+opsman_ova: "{{ lookup('env', 'SOFTWARE_DIR') }}/ops-manager-vsphere-3.0.25+LTS-T.ova"
+tas_tile: "{{ lookup('env', 'SOFTWARE_DIR') }}/srt-4.0.20-build.2.pivotal"
+tas_stemcell: "{{ lookup('env', 'SOFTWARE_DIR') }}/bosh-stemcell-1.423-vsphere-esxi-ubuntu-jammy-go_agent.tgz"
+
+environment_tag: "tas-direct" # Used to prepend object names in hosting vCenter
+dns_server: "192.168.0.1"
+dns_domain: "home.local"
+ntp_server_ip: "192.168.0.1" # Must be set to an IP address!
+disk_mode: thin # How all disks should be deployed
+
+hosting_vcenter: # This is the vCenter which will be the target for nested vCenters and ESXi hosts
+ ip: "vcsa.lab"
+ username: "{{ lookup('env', 'PARENT_VCENTER_USERNAME') }}"
+ password: "{{ lookup('env', 'PARENT_VCENTER_PASSWORD') }}"
+ datacenter: "Home" # Target for all VM deployment
+
+# This section is only referenced by other variables in this file
+opinionated:
+ master_password: "VMware1!"
+ hosting_cluster: Physical
+ hosting_datastore: NVME
+ hosting_network:
+ base:
+ port_group: Nest
+ cidr: "192.168.0.0/22"
+ gateway: "192.168.0.1"
+ # TAS requires XXX IP addresses!
+ starting_addr: "192.168.1.210"
+ tas:
+ bosh_reserved_ip_ranges: "192.168.0.2-192.168.1.210,192.168.1.215-192.168.3.254"
+ deployment_reserved_ip_ranges: "192.168.0.2-192.168.1.215,192.168.1.239-192.168.3.254"
+
+ ssh_public_key: ssh-rsa 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
+
+#####################################################################
+### No need to edit below this line for an opinionated deployment ###
+#####################################################################
+tanzu_opsman_bosh:
+ vm_name: "{{ environment_tag }}-ops-manager"
+ hostname: "{{ environment_tag }}-ops-manager"
+ opsman_username: admin
+ opsman_password: "{{ opinionated.master_password }}"
+ ssh_public_key: "{{ opinionated.ssh_public_key }}"
+
+ opsman_ip: "{{ opinionated.hosting_network.base.starting_addr }}" #| ansible.utils.ipmath(2)
+ netmask: "{{ opinionated.hosting_network.base.cidr | ansible.utils.ipaddr('netmask') }}"
+ gateway: "{{ opinionated.hosting_network.base.gateway }}"
+ network: "{{ opinionated.hosting_network.base.port_group }}"
+ dns: "{{ dns_server }}"
+ ntp: "{{ ntp_server_ip }}"
+
+ bosh_template_file: p-bosh.yml
+
+ bosh_networks:
+ - name: infra
+ subnets:
+ - iaas_identifier: "{{ opinionated.hosting_network.base.port_group }}"
+ cidr: "{{ opinionated.hosting_network.base.cidr }}"
+ dns: "{{ dns_server }}"
+ gateway: "{{ opinionated.hosting_network.base.gateway }}"
+ reserved_ip_ranges: >-
+ {{ opinionated.hosting_network.base.gateway }}-{{ opinionated.hosting_network.base.starting_addr }},{{
+ opinionated.hosting_network.base.starting_addr | ansible.utils.ipmath(6) }}-{{
+ opinionated.hosting_network.base.cidr | ansible.utils.ipaddr('-2') | ansible.utils.ipaddr('address') }}
+ availability_zone_names:
+ - az1
+ - name: tas-deployment
+ subnets:
+ - iaas_identifier: "{{ opinionated.hosting_network.base.port_group }}"
+ cidr: "{{ opinionated.hosting_network.base.cidr }}"
+ dns: "{{ dns_server }}"
+ gateway: "{{ opinionated.hosting_network.base.gateway }}"
+ # reserved_ip_ranges: "{{ opinionated.tas.deployment_reserved_ip_ranges }}"
+ reserved_ip_ranges: >-
+ {{ opinionated.hosting_network.base.gateway }}-{{ opinionated.hosting_network.base.starting_addr | ansible.utils.ipmath(5) }},{{
+ opinionated.hosting_network.base.starting_addr | ansible.utils.ipmath(20) }}-{{
+ opinionated.hosting_network.base.cidr | ansible.utils.ipaddr('-2') | ansible.utils.ipaddr('address') }}
+ availability_zone_names:
+ - az1
+
+ vcenter_url: "{{ hosting_vcenter.ip }}"
+ vcenter_cluster: "{{ opinionated.hosting_cluster }}"
+ vcenter_datacenter: "{{ hosting_vcenter.datacenter }}"
+ vcenter_datastore: "{{ opinionated.hosting_datastore }}"
+ vcenter_folder: "/{{ hosting_vcenter.datacenter }}/vm"
+ vcenter_username: "{{ hosting_vcenter.username }}"
+ vcenter_password: "{{ hosting_vcenter.password }}"
+
+tanzu_application_service:
+ tas_template_file: tas-nsx.yml
+ # install_nsx_tile: true
+ deployment_network: tas-deployment
+ apps_domain: >-
+ apps.{{ opinionated.hosting_network.base.starting_addr | ansible.utils.ipmath(19) }}.nip.io
+ sys_domain: >-
+ sys.{{ opinionated.hosting_network.base.starting_addr | ansible.utils.ipmath(19) }}.nip.io
+ uaa_domain: >-
+ login.sys.{{ opinionated.hosting_network.base.starting_addr | ansible.utils.ipmath(19) }}.nip.io
+ credhub_key: "{{ opinionated.master_password }}{{ opinionated.master_password }}{{ opinionated.master_password }}{{ opinionated.master_password }}"
+ gorouter_ip: "{{ opinionated.hosting_network.base.starting_addr | ansible.utils.ipmath(19) }}"
diff --git a/var-examples/tanzu/integrated-nsxt/opinionated-1host-manager-api.yml b/var-examples/tanzu/integrated-nsxt/opinionated-1host-manager-api.yml
index 7594920..56096fb 100644
--- a/var-examples/tanzu/integrated-nsxt/opinionated-1host-manager-api.yml
+++ b/var-examples/tanzu/integrated-nsxt/opinionated-1host-manager-api.yml
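Review bot: `master_password: "VMware1!"` commits a well-known default password as a plain value, reuses it as `opsman_password`, and `credhub_key` is built by repeating it four times, so the CredHub key has no more entropy than the password itself. The hosting vCenter credentials in this same file already come from `lookup('env', ...)`, so sourcing the master password the same way — e.g. `master_password: "{{ lookup('env', 'MASTER_PASSWORD') }}"` (constructed variable name) — would keep the secret out of the repository and leave room for `credhub_key` to be an independently generated value. Two loose ends in the same hunk: the `# TAS requires XXX IP addresses!` comment still carries its placeholder, and `tas_template_file: tas-nsx.yml` in a non-nested example with `# install_nsx_tile: true` commented out looks like it may be a leftover from the NSX variant, so it is worth confirming which TAS template this path should select.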
@@ -413,9 +413,6 @@ tanzu_opsman_bosh: nsx_username: "{{ nsxt.manager.username }}" nsx_password: "{{ nsxt.manager.password }}" - # Reserve opsman IP. - bosh_reserved_ip_ranges: "{{ opinionated.tkgi.routeable_super_net | ansible.utils.ipmath(2) }}" - tkgi: vcenter_url: "{{ nested_vcenter.ip }}" vcenter_username: "{{ nested_vcenter.username }}"