Deploying_dark_tower.adoc

Deploying a Babylon Dark Tower Cluster

Overview

This document outlines deploying the Dark Tower backend(s) for the Babylon project. So named as they can be deployed and run completely lights out without any manual configuration "lighting up" the Ansible Tower front end.

• Your own Dark Tower test/dev/prod infrastructure

  • Single tower server

  • Cluster

Note	Dark Tower can be deployed on a global scale using peered VPCs on AWS on top of this AgnosticD configuration. This is not covered in this document which serves as a Quick Start guide.

A Babylon Dark Tower cluster is an AgnosticD Config with the necessary vars outlined below.

Pre-requisites

• A host capable and configured for running Ansible

• AWS Credentials

• An Ansible Tower License

Step 1 - Creating your Own Dark Tower Server or Cluster

1. If necessary clone or pull AgnosticD

   $ git clone https://github.com/redhat-cop/agnosticd.git

2. Change directory into agnosticd/ansible

   cd agnosticd/ansible

3. Find the latest ansible-tower-prod tag:

   git tag -l "ansible-tower-prod*" | sort --version-sort | tail -1

   ansible-tower-prod-0.3

   . Checkout the highest/latest revision
   git checkout <OUTPUT-OF-THE-PRIOR-COMMAND>

Preparing the Sample Vars files(s)

The typical way to deploy an AgnosticD config from a control host or laptop is to invoke it with 1, or ideally 2, var files.

Note	It is recommeded that you use 2 var files to seperate confidential information such as creds from configuration inofrmation which can be shared freely. That is the pattern we will use here:

+

 ansible-playbook main.yml \
-e @~/dark-tower-vars.yml \
-e @~/secret-vars.yml

1. Prepare a yaml based variable file

   Sample Dark Tower Vars File

   ---
   guid:                       babylon-01              # Unique string used in FQDN
   env_type:                   ansible-tower           # Name of config to deploy
   output_dir:                 /tmp/workdir            # Writable working scratch directory
   
   cloud_provider:             ec2                     # Which AgnosticD Cloud Provider to use
   aws_region:                 us-east-1               # AWS Region to deploy in
   aws_default_image:          RHEL78
   HostedZoneId:               Z3IHLWJZOU9SRT          # You will need to change this
   subdomain_base_suffix:      .example.opentlc.com    # Your domain used in FQDN
   
   # Tags applied to AWS instances
   cloud_tags:
     - Purpose: babylon
     - Stage: dev
   
   # Access key which must exsit in AWS
   key_name: ocpkey
   
   tower_version:       3.7.3-1
   software_to_deploy:  tower
   
   bastion_instance_type:   t3.medium
   tower_instance_count:    5
   tower_instance_type:     c5.4xlarge
   support_instance_count:  1
   support_instance_type:   i3.2xlarge
   worker_instance_count:   0
   worker_instance_type:    t3.medium
   root_filesystem_size:    20
   
   tower_hostname:  tower.{{ guid }}{{ subdomain_base_suffix }}
   
   ansible_tower_additional_packages:
   - gcc
   - python3
   - python3-devel
   - python3-libselinux
   
   infra_workloads:
   - tower-settings-update
   - tower-pip-packages
   - tower-user-create
   - tower-copy-ssh
   
   ansible_tower_node_workloads:
   - tower_agnosticd_virtualenvs
   
   tower_setting_params:
     AWX_PROOT_SHOW_PATHS:
     - /var/lib/awx/.ssh
   
   tower_update_venv: /var/lib/awx/venv/ansible
   pip_requirements:
   - ansible-tower-cli
   
   tower_user_accounts:
   # babylon account used for external integration
   - user:       babylon
     password:   "{{ babylon_user_password }}"
     email:      [email protected]
     firstname:  Babylon
     superuser:  yes
   
   # Readonly account used for external integration
   - user:       readonly
     password:   "{{ tower_readonly_user_password }}"
     email:      [email protected]
     firstname:  Readonly
     auditor:    yes
   
   # Used by tower-copy-ssh
   key_local_path:
   - ~/.ssh/opentlc_admin_backdoor.pem
   - ~/.ssh/ocpkey.pem
   
   tower_agnosticd_virtualenvs_venv_basedir: /opt/rh/virtualenvs
   
   
   #####
   ##### SECRET Stuff often stored and passed in a seperate var file
   #####
   
   # Base URL for yum repository, the full repo URL will be
   # {{ own_repo_path }}/{{ tower_version }}
   own_repo_path: http://my-yum-server/repos
   
   tower_license: >
     {
       "eula_accepted": true,
       "company_name": "Red Hat",
       "hostname": "your-hostname-info-here",
       "instance_count": 500,
       "license_date": 1645192339,
       "license_key": "123456789090193839393939939393939399393993939329393",
       "license_type": "enterprise",
       "subscription_name": "Red Hat Ansible Tower, Standard (50 Managed Nodes)"
     }
   
   # Access passwords
   babylon_user_password: <PASSWORD>
   tower_admin_password: <PASSWORD>
   tower_readonly_user_password: <PASSWORD>
   
   # AWS Creds
   aws_access_key_id:        <YOUR-AWS-ACCESS-KEY>
   aws_secret_access_key:    <YOUR-SECRET-AWS-ACCESS-KEY>
   ...

2. Deploy your Babylon Tower Config

   ansible-playbook main.yml -e @<Path-to-my-variable-file>