Release 1.0.1

.gitignore

@@ -17,4 +17,5 @@ TODO
 .secrets/artifactory-admin
 .secrets/artifactory-admin-api
 .secrets/kubeadmin
-.secrets/rook-dashboard
+.secrets/rook-dashboard
+transfer

.secrets/dockerhub.json

@@ -0,0 +1,6 @@
+{
+    "username": "DockerHub Username",
+    "password": "DockerHub Password/Token",
+    "email": "DockerHub Email",
+    "server": "docker.io"
+}

.secrets/redhat-pull-secret.json

@@ -0,0 +1,7 @@
+{
+    "auths": {
+        "fake": {
+            "auth": "aWQ6cGFzcwo="
+        }
+    }
+}

README.md

@@ -1,4 +1,5 @@
-[![OKD](https://img.shields.io/badge/okd-4.7.0--0.okd--2021--03--07--090821-red.svg)](https://www.okd.io) [![Fedore CoreOS](https://img.shields.io/badge/fcos-33.20210201.3.0-blue.svg)](https://getfedora.org/en/coreos?stream=stable) [![Rook](https://img.shields.io/badge/rook-1.5.9-blue.svg)](https://rook.io/) [![CentOS](https://img.shields.io/badge/centos-8.3.2011-orange.svg)](https://www.centos.org/) [![Terraform](https://img.shields.io/badge/terraform-0.13.6-blueviolet.svg)](https://www.terraform.io/) [![Packer](https://img.shields.io/badge/packer-1.7.0-blueviolet.svg)](https://www.packer.io/) [![Ansible](https://img.shields.io/badge/ansible-2.9.18-red.svg)](https://www.ansible.com/)
+[![OKD](https://img.shields.io/badge/okd-4.7.0--0.okd--2021--04--24--103438-red.svg)](https://www.okd.io) [![Fedore CoreOS](https://img.shields.io/badge/fcos-33.20210328.3.0-blue.svg)](https://getfedora.org/en/coreos?stream=stable) [![Rook](https://img.shields.io/badge/rook-1.5.9-blue.svg)](https://rook.io/) [![CentOS](https://img.shields.io/badge/centos-8.3.2011-orange.svg)](https://www.centos.org/) [![Terraform](https://img.shields.io/badge/terraform-0.13.6-blueviolet.svg)](https://www.terraform.io/) [![Packer](https://img.shields.io/badge/packer-1.7.0-blueviolet.svg)](https://www.packer.io/) [![Ansible](https://img.shields.io/badge/ansible-2.9.18-red.svg)](https://www.ansible.com/)
+
 
 # OKD-LAB: Controlled Environment for OKD4 experiments
 
@@ -8,7 +9,7 @@ It is probably worth the time to read a little further....
 
 Naturally when we do some experiments we can destroy our cluster and bring it in a state we can't fix or recover. From this point of view we should try to keep complex things __simple and repeatable__. This is what this lab wants to address to.
 
-You can expect a fully virtualized small IT center with everything you need to install a `User Provisioned Infrastructure (UPI)` of [OKD4](https://www.okd.io/) based on [KVM](https://www.linux-kvm.org). You get some great [Rook Cloud-native Storage](https://rook.io/) for your cluster and many more.
+You can expect a fully virtualized small IT center with everything you need to install a `User Provisioned Infrastructure (UPI)` of [OKD4](https://www.okd.io/) based on [KVM](https://www.linux-kvm.org). 
 
 Additionally you get mostly all you need for a development environment including git, artifact management, private container registry, centralized user registry..... everything pre-configured and tightly integrated.
 
@@ -17,6 +18,7 @@ Additionally you get mostly all you need for a development environment including
 ## OKD-LAB: Overview
 
 ![OKD-LAB Overview](docs/images/okd-lab.png)
+
 * * *
 
 ## Prerequisites
@@ -72,6 +74,7 @@ Bastion (KVM):
 - [OKD4](https://www.okd.io) - UPI installation environment:
   - OKD4 Registry Mirror
   - Fedora CoreOS Mirror
+  - NTP
   - DNS
   - DHCP
   - TFTP
@@ -91,12 +94,32 @@ Load Balancer (KVM):
 - 3x Master
 - 3x Worker
 
-OKD4 Storage:
+[OKD4](https://www.okd.io) Storage:
 
 - [Rook Cloud-native Storage](https://rook.io/)
 
 * * *
 
+## What do you get from the OKD world?
+
+- 3x Master and 3x Worker
+- Chrony time services configured on all Master and Worker nodes
+- Access to trusted private Project Quay container registry 
+- Trusted custom Certificate Authority and SSL certificates for Web console, Router, API, LDAP, Project Quay, Podman etc.
+- LDAP(s) authorization provider with:
+  * Administrators: `admin`, `lab` in the `cluster-admin` role
+  * Team Members: `awesome-admin`, `awesome-developer`
+- Labeled nodes:
+  * Master [`master`, `infra`, `worker`]
+  * Worker [`worker`, `storage-node`]
+- Routers sticked to `infra` nodes
+- Enabled `Image Pruner` and disabled `Samples Operator`
+- User kubeadmin is removed [optional]
+- Enhanced DockerHub rate limit [optional]
+- [Rook Cloud-native Storage](https://rook.io/) [optional]
+
+* * *
+
 ## Security
 
 Especially with servers available in the wild wild world some kind of security makes sense!

ansible/bastion/roles/389-directory/files/awesome-admin.ldif

@@ -0,0 +1,12 @@
+dn: uid=awesome-admin,ou=People,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+givenname: Awesome
+sn: Admin
+cn: Awesome Admin
+uid: awesome-admin
+ou: people
+mail: awesome-admin@example.com
+userPassword: admin

ansible/bastion/roles/389-directory/files/awesome-developer.ldif

@@ -0,0 +1,12 @@
+dn: uid=awesome-developer,ou=People,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+givenname: Awesome
+sn: Developer
+cn: Awesome Developer
+uid: awesome-developer
+ou: people
+mail: awesome-developer@example.com
+userPassword: developer

ansible/bastion/roles/389-directory/tasks/main.yml

@@ -68,6 +68,8 @@
     - groups.ldif
     - admin.ldif
     - lab.ldif
+    - awesome-developer.ldif
+    - awesome-admin.ldif
 
 - name: Add ldifs
   shell: ldapadd -w {{ okd_lab_directory_root_password }} -D "cn=Directory Manager" -H ldaps://{{ okd_lab_directory_hostname }} -x -f /root/{{ item }}
@@ -76,6 +78,8 @@
     - groups.ldif
     - admin.ldif
     - lab.ldif
+    - awesome-developer.ldif
+    - awesome-admin.ldif
 
 - name: Cleanup common resources
   file:
@@ -86,3 +90,5 @@
     - groups.ldif
     - admin.ldif
     - lab.ldif
+    - awesome-developer.ldif
+    - awesome-admin.ldif

ansible/lb/vars

@@ -0,0 +1 @@
+../vars

ansible/okd/dockerhub.yml

@@ -0,0 +1,13 @@
+---
+#######################################################################
+#
+# Enhance your DockerHub request limit 
+# Note! Please change ~/okd-lab/.secrets/dockerhub.json first!
+#
+# ansible-playbook ~/okd-lab/ansible/okd/dockerhub.yml
+#
+#######################################################################
+- hosts: bastion
+  gather_facts: no
+  roles:
+    - dockerhub

ansible/okd/kubeadmin.yml

@@ -0,0 +1,12 @@
+---
+#######################################################################
+#
+# Remove kubeadmin user
+#
+# ansible-playbook ~/okd-lab/ansible/okd/kubeadmin.yml
+#
+#######################################################################
+- hosts: bastion
+  gather_facts: no
+  roles:
+    - kubeadmin

ansible/okd/roles/dockerhub/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Get docker.json
+  set_fact: docker_json="{{ lookup('file','{{ playbook_dir }}/../../.secrets/dockerhub.json') | from_json }}"
+
+- name: Create secret
+  command: oc create secret docker-registry docker --docker-server={{ docker_json | json_query('server') }} --docker-username={{ docker_json | json_query('username') }} --docker-password={{ docker_json | json_query('password') }} --docker-email={{ docker_json | json_query('password') }}
+
+- name: Link secret
+  command: oc secrets link default docker --for=pull

ansible/okd/roles/env/templates/install-config.yaml.j2

@@ -24,10 +24,10 @@ sshKey:
 imageContentSources:
 - mirrors:
   - quay.okd.example.com/admin_okd_registry/{{ okd_lab_install_okd_name }}
-  source: quay.io/openshift/okd-content
+  source: quay.io/openshift/okd
 - mirrors:
   - quay.okd.example.com/admin_okd_registry/{{ okd_lab_install_okd_name }}
-  source: registry.svc.ci.openshift.org/origin/release
+  source: quay.io/openshift/okd-content
 additionalTrustBundle: |
     -----BEGIN CERTIFICATE-----
     MIIDSDCCAjCgAwIBAgIULqLTieg864a/Sgmds8r7x6iXQp4wDQYJKoZIhvcNAQEL

ansible/okd/roles/kubeadmin/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+- name: Remove kubeadmin
+  community.kubernetes.k8s:
+    api_version: v1
+    namespace: kube-system
+    kind: Secret
+    name: kubeadmin
+    state: absent

ansible/okd/roles/mirror-registry/tasks/main.yml

@@ -31,7 +31,7 @@
 
 - name: Mirror Registry
   shell: oc adm -a ${HOME}/installer/secret.json release mirror \
-    --from=registry.svc.ci.openshift.org/origin/release:{{ okd_lab_install_okd_version }} \
+    --from=quay.io/openshift/okd:{{ okd_lab_install_okd_version }} \
     --to={{ okd_lab_quay_hostname }}/admin_okd_registry/{{ okd_lab_install_okd_name }} \
     --to-release-image={{ okd_lab_quay_hostname }}/admin_okd_registry/{{ okd_lab_install_okd_name }}:{{ okd_lab_install_okd_version }}
   tags: 

ansible/okd/roles/okd-config/files/admins-group.yaml

@@ -0,0 +1,7 @@
+apiVersion: user.openshift.io/v1
+kind: Group
+metadata:
+  name: admins
+users:
+  - admin
+  - lab

ansible/okd/roles/okd-config/files/awesome-admins-group.yaml

@@ -0,0 +1,6 @@
+apiVersion: user.openshift.io/v1
+kind: Group
+metadata:
+  name: awesome-admins
+users:
+  - awesome-admin

ansible/okd/roles/okd-config/files/awesome-developers-group.yaml

@@ -0,0 +1,6 @@
+apiVersion: user.openshift.io/v1
+kind: Group
+metadata:
+  name: awesome-deveopers
+users:
+  - awesome-deveoper

ansible/okd/roles/okd-config/files/cluster-admin-user.yaml → ansible/okd/roles/okd-config/files/cluster-admin-for-admin.yaml

@@ -9,4 +9,4 @@ subjects:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: cluster-admin

ansible/okd/roles/okd-config/files/cluster-admin-for-lab.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: allow-cluster-admin-to-lab
+subjects:
+  - kind: User
+    apiGroup: rbac.authorization.k8s.io
+    name: lab
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin

ansible/okd/roles/okd-config/files/patch-operatorhub.yaml

@@ -0,0 +1,6 @@
+spec:
+  sources:
+    - disabled: false
+      name: redhat-operators
+    - disabled: false
+      name: community-operators

ansible/okd/roles/okd-config/files/patch-stick-routers.yaml

@@ -8,4 +8,4 @@ spec:
       key: node.kubernetes.io/unschedulable
     - effect: NoSchedule
       key: node-role.kubernetes.io/master
-  replicas: 3
+  replicas: 2

ansible/okd/roles/okd-config/tasks/main.yml

@@ -21,6 +21,19 @@
     - 1
     - 2
 
+- name: Label worker as storage nodes
+  community.kubernetes.k8s:
+    api_version: v1
+    kind: Node
+    name: worker-{{ item }}.okd.example.com
+    merge_type: merge
+    state: present
+    definition: "{{ lookup('file', 'patch-worker-as-storage.yaml') | from_yaml }}"
+  with_items:
+    - 0
+    - 1
+    - 2
+
 - name: Stick routers to infra nodes
   community.kubernetes.k8s:
     api_version: operator.openshift.io/v1
@@ -68,26 +81,71 @@
   wait_for:
     timeout: '90'
 
-- name: Log in (obtain access token)
+- name: Log in as admin (obtain access token)
   community.okd.openshift_auth:
     username: admin
     password: admin
     validate_certs: false
     host: https://api.okd.example.com:6443
-  register: openshift_auth_results
+  register: openshift_auth_admin_results
+
+- name: If login succeeded, try to log out (revoke access token)
+  when: openshift_auth_admin_results.openshift_auth.api_key is defined
+  community.okd.openshift_auth:
+    validate_certs: false
+    host: https://api.okd.example.com:6443
+    state: absent
+    api_key: "{{ openshift_auth_admin_results.openshift_auth.api_key }}"
+
+- name: Log in as lab (obtain access token)
+  community.okd.openshift_auth:
+    username: lab
+    password: lab
+    validate_certs: false
+    host: https://api.okd.example.com:6443
+  register: openshift_auth_lab_results
 
 - name: If login succeeded, try to log out (revoke access token)
-  when: openshift_auth_results.openshift_auth.api_key is defined
+  when: openshift_auth_lab_results.openshift_auth.api_key is defined
   community.okd.openshift_auth:
     validate_certs: false
     host: https://api.okd.example.com:6443
     state: absent
-    api_key: "{{ openshift_auth_results.openshift_auth.api_key }}"
+    api_key: "{{ openshift_auth_lab_results.openshift_auth.api_key }}"
 
 - name: Allow cluster-admin for amdin user
   community.kubernetes.k8s:
     state: present
-    definition: "{{ lookup('file', 'cluster-admin-user.yaml') | from_yaml }}"
+    definition: "{{ lookup('file', 'cluster-admin-for-admin.yaml') | from_yaml }}"
+
+- name: Allow cluster-admin for lab user
+  community.kubernetes.k8s:
+    state: present
+    definition: "{{ lookup('file', 'cluster-admin-for-lab.yaml') | from_yaml }}"
+
+- name: Create admins group
+  community.kubernetes.k8s:
+    state: present
+    definition: "{{ lookup('file', 'admins-group.yaml') | from_yaml }}"
+
+- name: Create awesome-admins group
+  community.kubernetes.k8s:
+    state: present
+    definition: "{{ lookup('file', 'awesome-admins-group.yaml') | from_yaml }}"
+
+- name: Create awesome-developers group
+  community.kubernetes.k8s:
+    state: present
+    definition: "{{ lookup('file', 'awesome-developers-group.yaml') | from_yaml }}"
+
+- name: Enable redhat-operators
+  community.kubernetes.k8s:
+    api_version: config.openshift.io/v1
+    kind: OperatorHub
+    name: cluster
+    merge_type: merge
+    state: present
+    definition: "{{ lookup('file', 'patch-operatorhub.yaml') | from_yaml }}"
 
 - name: Apps Certs
   community.kubernetes.k8s:
@@ -126,11 +184,3 @@
     merge_type: merge
     state: present
     definition: "{{ lookup('file', 'patch-ingresscontroller.yaml') | from_yaml }}"
-
-#- name: Remove kubeadmin
-#  community.kubernetes.k8s:
-#    api_version: v1
-#    namespace: kube-system
-#    kind: Secret
-#    name: kubeadmin
-#    state: absent