AWS/Terraform/Ansible/OpenShift – Provision an EC2 instance and further configure it using Infrastructure as Code

Note: This is a duplicate of the AWS Lightsail article, modified for EC2 with some additional amendments.

In this article we will Provision an EC2 host with docker/docker-compose on it using Terraform and install/initialize OpenShift Origin on it using Ansible.

OpenShift is Red Hat’s containerization platform which utilizes Kubernetes. Origin (what we will be working with here) is the opensource implementation of it.

We will use ‘myweb’ as an example in this article, using the same base path of ‘dev’ that was previously created, the container-admin group and using ~/.local/bin for the binaries.

Please ensure you have gone through the previous Terraform, Ansible and related preceding articles.

Please use AWS Free Tier prior to commencing with this article.

–>
Go in to the dev directory/link located within your home directory:

$ cd ~/dev

Update PIP:

$ python3 -m pip install --upgrade --user pip

If there was an update, then forget remembered location references in the shell environment:

$ hash -r pip 

Upgrade the AWS CLI on your host:

$ pip3 install awscli --upgrade --user && chmod 754 ~/.local/bin/aws

Install/Upgrade Ansible:

$ pip3 install ansible --upgrade --user && chmod 754 ~/.local/bin/ansible ~/.local/bin/ansible-playbook

Install/Upgrade Boto3:

$ pip3 install boto3 --upgrade --user

Grab the latest version of Terraform:

$ wget https://releases.hashicorp.com/terraform/0.12.23/terraform_0.12.23_linux_amd64.zip

Unzip it to ~/.local/bin and set permissions accordingly on it (type y and hit enter to replace if upgrading, at the prompt):

$ unzip terraform_0.12.23_linux_amd64.zip -d ~/.local/bin && chmod 754 ~/.local/bin/terraform

Change to the myweb directory inside terraform/aws:

$ cd terraform/aws/myweb

Change our instance from a micro to a medium, so it will have sufficient resources to run OpenShift Origin and related:

$ sed -i s:t3a.micro:t3a.medium: ec2.tf

Output the Public IP of the Provisioned host (along with connection parameters and variables) in to a file which we will feed in to an Ansible playbook run.

Note: Please re-create the file if you have went through the previous Terraform articles:

$ cat << 'EOF' > output.tf
> output "static_public_ip" {
>   value = var.lightsail ? element(aws_lightsail_static_ip.myweb[*].ip_address, 0) : element(aws_eip.external[*].public_ip, 0)
> }
>
> resource "local_file" "hosts" {
>   content              = trimspace("[vps]\n${var.lightsail ? element(aws_lightsail_static_ip.myweb[*].ip_address, 0) : element(aws_eip.external[*].public_ip, 0)} ansible_connection=ssh ansible_user=ubuntu ansible_ssh_private_key_file=~/.ssh/${var.prefix} instance=${var.lightsail ? element(aws_lightsail_instance.myweb[*].name, 0) : element(aws_instance.myweb[*].tags["Name"], 0)} ${var.lightsail ? "" : "instance_sg=${element(aws_security_group.myweb[*].name, 0)}"} ${var.lightsail ? "" : "instance_sg_id=${element(aws_security_group.myweb[*].id, 0)}"} ${var.lightsail ? "" : "instance_vpc_id=${element(aws_vpc.myweb[*].id, 0)}"}")
>   filename             = pathexpand("~/dev/ansible/hosts-aws")
>   directory_permission = 0754
>   file_permission      = 0664
> }
> EOF

Amend an item from the user_data script (if you have went through the AWS/Terraform/Ansible/OpenShift against Lightsail article then this can be disregarded):

$ sed -i 's:sudo apt-key add -:apt-key add -:' scripts/install.sh

Initialize the directory/refresh module(s):

$ terraform init

Run a dry-run to see what will occur:

$ terraform plan -var 'lightsail=false'

Provision:

$ terraform apply -var 'lightsail=false' -auto-approve

Create a work folder for an Ansible playbook:

$ cd ../../../ansible
$ mkdir -p openshift/scripts && cd openshift

Create an Ansible playbook which will install/initialize OpenShift Origin on our provisioned host.

Note: This accommodates our previous implementation against AWS Lightsail and Microsoft Azure VM:

$ cat << 'EOF' > openshift.yml 
> # Install, initialize OpenShift Origin and create a destroy routine for it
> # This is a unified setup against AWS Lightsail, Microsoft Azure VM and AWS EC2
> ---
> - hosts: vps
>   connection: local
>
>   vars:
>     network_security_group: "{{ hostvars[groups['vps'][0]].instance_nsg }}"
>     instance: "{{ hostvars[groups['vps'][0]].instance }}"
>     resource_group: "{{ hostvars[groups['vps'][0]].instance_rg }}"
>     security_group: "{{ hostvars[groups['vps'][0]].instance_sg }}"
>     security_group_id: "{{ hostvars[groups['vps'][0]].instance_sg_id }}"
>     virtual_private_cloud_id: "{{ hostvars[groups['vps'][0]].instance_vpc_id }}"
>     openshift_directory: /home/ubuntu/.local/etc/openshift
>     ansible_python_interpreter: /usr/bin/python3
>
>   tasks:
>     - name: Discover Services
>       service_facts:
>
>     - name: Check if openshift directory exists
>       stat:
>         path: "{{ openshift_directory }}"
>       register: openshift_dir
>       tags: [ 'destroy' ]
>
>     - name: Open Firewall Ports (AWS Lightsail)
>       delegate_to: localhost
>       args:
>         executable: /bin/bash
>       script: "./scripts/firewall.sh open {{ instance }}"
>       when:
>         - "'instance_nsg' not in hostvars[groups['vps'][0]]"
>         - "'instance_sg' not in hostvars[groups['vps'][0]]"
>         - "'docker' in services"
>         - openshift_dir.stat.exists == False
>
>     - name: Add Network Security Group rules (Microsoft Azure VM)
>       delegate_to: localhost
>       azure_rm_securitygroup:
>         name: "{{ network_security_group }}"
>         resource_group: "{{ resource_group }}"
>         rules:
>          - name: OpenShift-Tcp
>            priority: 1002
>            direction: Inbound
>            access: Allow
>            protocol: Tcp
>            source_port_range: "*"
>            destination_port_range:
>              - 80
>              - 443
>              - 1936
>              - 4001
>              - 7001
>              - 8443
>              - 10250-10259
>            source_address_prefix: "*"
>            destination_address_prefix: "*"
>          - name: OpenShift-Udp
>            priority: 1003
>            direction: Inbound
>            access: Allow
>            protocol: Udp
>            source_port_range: "*"
>            destination_port_range:
>              - 53
>              - 8053
>            source_address_prefix: "*"
>            destination_address_prefix: "*"
>        state: present
>      when:
>        - "'instance_nsg' in hostvars[groups['vps'][0]]"
>        - "'instance_sg' not in hostvars[groups['vps'][0]]"
>        - "'docker' in services"
>        - openshift_dir.stat.exists == False
>
>    - name: Add Security Group rules (AWS EC2)
>      delegate_to: localhost
>      ec2_group:
>        name: "{{ security_group }}"
>        description: OpenShift
>        vpc_id: "{{ virtual_private_cloud_id }}"
>        purge_rules: no
>        rules:
>         - proto: tcp
>           ports:
>             - 80
>             - 443
>             - 1936
>             - 4001
>             - 7001
>             - 8443
>             - 10250-10259
>           cidr_ip: 0.0.0.0/0
>           rule_desc: OpenShift-Tcp
>         - proto: udp
>           ports:
>             - 53
>             - 8053
>           cidr_ip: 0.0.0.0/0
>           rule_desc: OpenShift-Udp
>       state: present
>     when:
>       - "'instance_nsg' not in hostvars[groups['vps'][0]]"
>       - "'instance_sg' in hostvars[groups['vps'][0]]"
>       - "'docker' in services"
>       - openshift_dir.stat.exists == False
>
>   - name: Copy and Run install
>     environment:
>       PATH: "{{ ansible_env.PATH}}:{{ openshift_directory }}/../../bin"
>     args:
>       executable: /bin/bash
>     script: "./scripts/install.sh {{ ansible_ssh_host }}"
>     when:
>       - "'docker' in services"
>       - openshift_dir.stat.exists == False
>
>   - debug: msg="Please install docker to proceed."
>     when: "'docker' not in services"
>
>   - debug: msg="Install script has already been completed.  Run this playbook with the destroy tag, then run once again normally to re-intialize openshift."
>     when: openshift_dir.stat.exists == True
>
>   - name: Destroy
>     become: yes
>     environment:
>       PATH: "{{ ansible_env.PATH }}:{{ openshift_directory }}/../../bin"
>     args:
>       executable: /bin/bash
>     shell:
>       "cd {{ openshift_directory }} && oc cluster down && cd ../ && rm -rf {{ openshift_directory }}/../../../.kube {{ openshift_directory }}"
>     when: openshift_dir.stat.exists == True
>     tags: [ 'never', 'destroy' ]
>
>   - name: Close Firewall Ports (AWS Lightsail)
>     delegate_to: localhost
>     args:
>       executable: /bin/bash
>     script: "./scripts/firewall.sh close {{ instance }}"
>     when:
>       - "'instance_nsg' not in hostvars[groups['vps'][0]]"
>       - "'instance_sg' not in hostvars[groups['vps'][0]]"
>     tags: [ 'never', 'destroy' ]
>
>   - name: Delete Network Security Group rules (Microsoft Azure VM)
>     delegate_to: localhost
>     command:
>       bash -ic "az-login-sp && (az network nsg rule delete -g {{ resource_group }} --nsg-name {{ network_security_group }} -n {{ item }})"
>     with_items:
>       - OpenShift-Tcp
>       - OpenShift-Udp
>     when:
>       - "'instance_nsg' in hostvars[groups['vps'][0]]"
>       - "'instance_sg' not in hostvars[groups['vps'][0]]"
>     tags: [ 'never', 'destroy' ]
>
>   - name: Delete Security Group rules (AWS EC2)
>     delegate_to: localhost
>     command:
>       bash -c "[[ {{ item }} -eq 53 || {{ item }} -eq 8053 ]] && protocol=udp || protocol=tcp && aws ec2 revoke-security-group-ingress --group-id {{ security_group_id }} --port {{ item }} --protocol $protocol --cidr 0.0.0.0/0"
>     with_items:
>       - 80
>       - 443
>       - 1936
>       - 4001
>       - 7001
>       - 8443
>       - 10250-10259
>       - 53
>       - 8053
>     when:
>       - "'instance_nsg' not in hostvars[groups['vps'][0]]"
>       - "'instance_sg' in hostvars[groups['vps'][0]]"
>     tags: [ 'never', 'destroy' ]
> EOF

Create a shell script which will pull the latest release of client tools from GitHub, place the needed binaries in ~/.local/bin, set insecure registry on Docker and initialize (if you have went through the AWS/Terraform/Ansible/OpenShift against Lightsail article then this can be disregarded):

$ cat << 'EOF' > scripts/install.sh
> #!/bin/bash
> [[ -z $* ]] && { echo "Please specify a Public IP or Host/Domain name." && exit 1; }
> # Fetch and Install
> file_url="$(curl -sL https://github.com/openshift/origin/releases/latest | grep "download.*client.*linux-64" | cut -f2 -d\" | sed 's/^/https:\/\/github.com/')"
> [[ -z $file_url ]] && { echo "The URL could not be obtained.  Please try again shortly." && exit 1; }
> file_name="$(echo $file_url | cut -f9 -d/)"
> if [[ ! -f $file_name ]]; then
>         curl -sL $file_url --output $file_name
>         folder_name="$(tar ztf $file_name 2>/dev/null | head -1 | sed s:/.*::)"
>         [[ -z $folder_name ]] && { echo "The archive could not be read.  Please try again." && rm -f $file_name && exit 1; }
>         tar zxf $file_name
>         mv $folder_name/oc $folder_name/kubectl $HOME/.local/bin && rm -r $folder_name
>         chmod 754 $HOME/.local/bin/oc $HOME/.local/bin/kubectl
> fi
> # Docker insecure
> [[ $(grep insecure /etc/docker/daemon.json &>/dev/null; echo $?) -eq 2 ]] && redirect=">"
> [[ $(grep insecure /etc/docker/daemon.json &>/dev/null; echo $?) -eq 1 ]] && redirect=">>"
> [[ $(grep insecure /etc/docker/daemon.json &>/dev/null; echo $?) -eq 0 ]] || { sudo bash -c "cat << 'EOF' $redirect /etc/docker/daemon.json
> {
>         \"insecure-registries\" : [ \"172.30.0.0/16\" ]
> }
> EOF" && sudo systemctl restart docker; }
> # OpenShift Origin up
> [[ ! -d $HOME/.local/etc/openshift ]] && { mkdir -p $HOME/.local/etc/openshift && cd $HOME/.local/etc/openshift; } || { cd $HOME/.local/etc/openshift && oc cluster down; }
> oc cluster up --public-hostname=$1
>
> exit 0
> EOF 

Note: If you have already went through the AWS/Terraform/Ansible/OpenShift for Lightsail article or you don’t want to use Lightsail, then this can be disregarded.

The Lightsail firewall functionality is currently being implemented in Terraform and is not available in Ansible. In the interim, we will create a shell script to open and close ports needed by OpenShift Origin (using the AWS CLI). This script will be run locally via the Playbook during the create and destroy routines.

Note2: Port 80 is already open when the Lightsail host is provisioned:

$ cat << 'EOF' > scripts/firewall.sh && chmod 754 scripts/firewall.sh
> #!/bin/bash
> #
> openshift_ports="53/UDP 443/TCP 1936/TCP 4001/TCP 7001/TCP 8053/UDP 8443/TCP 10250_10259/TCP"  
> #
> [[ -z $* || $(echo $* | xargs -n1 | wc -l) -ne 2 || ! ($* =~ $(echo '\<open\>') || $* =~ $(echo '\<close\>')) ]] && { echo "Please pass in the desired action [ open, close ] and instance [ site_myweb ]." && exit 2; }
> #
> instance="$(echo $* | xargs -n1 | sed '/\<open\>/d; /\<close\>/d')"
> [[ -z $instance ]] && { echo "Please double-check the passed in instance." && exit 1; }
> action="$(echo $* | xargs -n1 | grep -v $instance)"
> #
> for port in $openshift_ports; do
>         aws lightsail $action-instance-public-ports --instance $instance --port-info fromPort=$(echo $port | cut -f1 -d_ | cut -f1  -d/),protocol=$(echo $port | cut -f2 -d/),toPort=$(echo $port | cut -f2 -d_ | cut -f1 -d/)
> done
> #
>
> exit 0
> EOF 

Run the Ansible playbook after a few minutes (accept the host key by typing yes and hitting enter when prompted):

$ ansible-playbook -i ../hosts-aws openshift.yml

Note: Disregard the warning regarding mismatch descriptions on the Security Group. This will not be modified so the original description was not exported out to be used here.

Note2: If a Terraform apply is run again after the security group modification (addition of rules for OpenShift), then those rules will be destroyed. In that case, please run a Playbook destroy then run again to reinitialize.

After a short while, log on to the instance:

$ ssh -i ~/.ssh/myweb ubuntu@<The value of static_public_ip that was reported.  One can also use 'terraform output static_public_ip' to print it again.>

To get an overview of the current project with any identified issues:

$ oc status --suggest

Log on as Admin via CMD Line and switch to the default project:

$ oc login -u system:admin -n default

Logout of the session:

$ oc logout

Please see the Command-Line Walkthrough.

Logout from the host:

$ logout

Log on as Admin via Web Browser (replace <PUBLIC_IP>):

https://<PUBLIC_IP>:8443/console (You will get a Certificate/Site warning due to a mismatch).

Please see the Web Console Walkthrough.

To shut down the OpenShift Origin cluster, destroy the working folder and start anew (you can re-run the playbook normally to reinitialize):

$ ansible-playbook -i ../hosts openshift.yml --tags "destroy"

Tear down what was created by first performing a dry-run to see what will occur:

$ cd ../../terraform/aws/myweb && terraform plan -var 'lightsail=false' -destroy 

Tear down the instance:

$ terraform destroy -var 'lightsail=false' -auto-approve

<–

References:
how-to-install-openshift-origin-on-ubuntu-18-04

Source:
ansible_openshift