stolostron / ansible-collection.core Goto Github PK

OCM/ACM Ansible Collection

License: Apache License 2.0

Python 98.88% Jinja 0.18% Shell 0.68% Makefile 0.27%

ansible-collection.core's Introduction

Welcome to the Stolostron Project

Getting started with Red Hat Advanced Cluster Management for Kubernetes? Ready to manage your fleet of OpenShift and Kubernetes clusters? You're in the right place! The Stolostron project houses the projects built into Red Hat Advanced Cluster Management for Kubernetes. This repo contains tools, integrations, and suggestions to jumpstart your multicluster and multicloud presence!

Looking for Development Preview Content?

If you're looking to try out our Development Preview content - you're in the right place! Visit our Development Preview Section to discover, install, use, and provide feedback for our new features and capabilities. Your feedback is most welcome and will help us shape the future of these features!

Getting Started Resources

Day 0

Description	Link
Sizing Documentation	TBD
Results from 1k SNO Scale Testing	TBD
Results from 2k SNO Scale Testing	TBD

Day 1

GITOPS is short for Openshift-Gitops. Pipeline is short for Openshift-Pipelines. AAP is Ansible Automation Platform.

Description	Link	Technology
Bare metal Zero Touch Provisioning	https://github.com/jparrill/ztp-the-hard-way	ACM, GITOPS
OpenShift 4 Azure IPI installation	https://github.com/stolostron/ocp4-azure-ipi	AAP
ACM managed service Deployment	https://github.com/stolostron/acm-aap-aas-operations	AAP, ACM, GITOPS
Openshift-Pipeline ACM Pipelines	https://github.com/stolostron/openshift-pipelines	Pipeline

Day 2

Description	Link
A comprehensive collection of managing your fleet using RHACM Policies	https://github.com/stolostron/policy-collection
Collection of Kustomize bases	https://github.com/redhat-cop/gitops-catalog
Operate First	https://github.com/operate-first/apps
cm cli	https://github.com/stolostron/cm-cli
RHACM Ansible collection project	https://github.com/stolostron/ansible-collection.core
RHACM: How to configure an ApplicationSet to deploy Policies?	https://access.redhat.com/solutions/6553071
RHACM: Can Policies also be applied via Gitops when using ArgoCD?	https://access.redhat.com/solutions/6435991
RHACM: What is the Polling Interval in ArgoCD-Applications compared to RHACM-Applications?	https://access.redhat.com/solutions/6390571

Reference:

https://www.redhat.com/en/blog/how-does-red-hat-support-day-2-operations

ansible-collection.core's People

Stargazers

Watchers

Forkers

therealhaoliu taragu crystalchun hanqiuzh ch-stark tphee andreadecorte veniceofcode cdoan1 maxbab chris93111 philipsd6

ansible-collection.core's Issues

Managed ServiceAccount Module: Allow users to decide generated/static naming

Currently, our API uses a generated name for the ManagedServiceAccount CR (here). We should allow the user to specify if they want a generated name or static name.

create plugin to remove managed serviceaccount and the associated role/rolebinding manifestwork

currently we only have role to create managed serviceaccount but we do not have role to delete managed serviceaccount

Slackbot test

Test

Collection Naming

Our collection's current name is cm (with namespace of ocmplus).

This probably is not the most intuitive name.

Follow up with PMs on ideas for collection naming.

`import_eks` plugin must be run twice to succeed

Every time I run the import_eks plugin, it fails the first time with the following error:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnboundLocalError: local variable 'managedcluster' referenced before assignment
failed: [localhost] (item=nweather-eks) => {"ansible_loop_var": "item", "changed": false, "item": "nweather-eks", "module_stderr": "Traceback (most recent call last):\n  File \"/Users/nweather/.ansible/tmp/ansible-tmp-1641924878.370075-66056-200587808912278/AnsiballZ_import_eks.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/Users/nweather/.ansible/tmp/ansible-tmp-1641924878.370075-66056-200587808912278/AnsiballZ_import_eks.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/Users/nweather/.ansible/tmp/ansible-tmp-1641924878.370075-66056-200587808912278/AnsiballZ_import_eks.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.ocmplus.cm.plugins.modules.import_eks', init_globals=dict(_module_fqn='ansible_collections.ocmplus.cm.plugins.modules.import_eks', _modlib_path=modlib_path),\n  File \"/usr/local/Cellar/[email protected]/3.9.9/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py\", line 210, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/local/Cellar/[email protected]/3.9.9/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py\", line 97, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/local/Cellar/[email protected]/3.9.9/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py\", line 87, in _run_code\n    exec(code, run_globals)\n  File \"/var/folders/m4/_wdtp1ws6b7748zwg8nyvc1r0000gn/T/ansible_ocmplus.cm.import_eks_payload_3042gq4a/ansible_ocmplus.cm.import_eks_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/import_eks.py\", line 332, in <module>\n  File \"/var/folders/m4/_wdtp1ws6b7748zwg8nyvc1r0000gn/T/ansible_ocmplus.cm.import_eks_payload_3042gq4a/ansible_ocmplus.cm.import_eks_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/import_eks.py\", line 328, in main\n  File \"/var/folders/m4/_wdtp1ws6b7748zwg8nyvc1r0000gn/T/ansible_ocmplus.cm.import_eks_payload_3042gq4a/ansible_ocmplus.cm.import_eks_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/import_eks.py\", line 255, in execute_module\n  File \"/var/folders/m4/_wdtp1ws6b7748zwg8nyvc1r0000gn/T/ansible_ocmplus.cm.import_eks_payload_3042gq4a/ansible_ocmplus.cm.import_eks_payload.zip/ansible_collections/ocmplus/cm/plugins/module_utils/import_utils.py\", line 117, in ensure_managedcluster\nUnboundLocalError: local variable 'managedcluster' referenced before assignment\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

The actual error to focus on is this:

ocmplus/cm/plugins/module_utils/import_utils.py\", line 117, in ensure_managedcluster\nUnboundLocalError: local variable 'managedcluster' referenced before assignment

Running the plugin a second time succeeds.

As @hanqiuzh pointed out, this seems like a timing bug we need to work out.

Restructure return for ManagedServiceAccount Addon

Currently, attributes like name are buried a level deeper than expected (ex. managed_serviceaccount.managed_serviceaccount.name). It's desirable for these attributes to be accessible from a level above (ex. managed_serviceaccount.name).

Our doc currently outlines the desired structure: https://github.com/stolostron/ocmplus.cm/blob/main/plugins/modules/managed_serviceaccount.py#L84

Setup ansible sanity test

/assign

This is a requirement for Ansible Galaxy.

Galaxy Publish Lint Cleanup

When we run galaxy_importer.main against our collection, we get a handful of linting errors.

Importing with galaxy-importer 0.4.2
Getting doc strings via ansible-doc
Finding content inside collection
Loading role ocm_install_core
WARNING: No role description found in role metadata
Linting role ocm_install_core via ansible-lint...
WARNING: roles/ocm_install_core/tasks/main.yml:40: var-naming Task uses 'set_fact' to define variables that violates variable naming standards
WARNING: roles/ocm_install_core/tasks/main.yml:51: var-naming Task uses 'set_fact' to define variables that violates variable naming standards
WARNING: roles/ocm_install_core/tasks/main.yml:56: var-naming Task uses 'set_fact' to define variables that violates variable naming standards
WARNING: ::error file=roles/ocm_install_core/tasks/main.yml,line=40,severity=MEDIUM::var-naming Task uses 'set_fact' to define variables that violates variable naming standards
WARNING: ::error file=roles/ocm_install_core/tasks/main.yml,line=51,severity=MEDIUM::var-naming Task uses 'set_fact' to define variables that violates variable naming standards
WARNING: ::error file=roles/ocm_install_core/tasks/main.yml,line=56,severity=MEDIUM::var-naming Task uses 'set_fact' to define variables that violates variable naming standards
Loading role ocm_install_observability
WARNING: No role description found in role metadata
Linting role ocm_install_observability via ansible-lint...
Loading role ocm_detach
WARNING: No role description found in role metadata
Linting role ocm_detach via ansible-lint...
Loading role ocm_install_managedserviceaccount
WARNING: No role description found in role metadata
Linting role ocm_install_managedserviceaccount via ansible-lint...
Loading role ocm_uninstall_managedserviceaccount
WARNING: No role description found in role metadata
Linting role ocm_uninstall_managedserviceaccount via ansible-lint...
Loading role ocm_labels
WARNING: No role description found in role metadata
Linting role ocm_labels via ansible-lint...
Loading role ocm_attach
WARNING: No role description found in role metadata
Linting role ocm_attach via ansible-lint...
Loading module managed_serviceaccount_addon
Loading module import_eks
Loading module cluster_proxy_addon
Loading module_utils addon_utils
Loading module_utils import_utils
Loading inventory ocm_managedcluster
WARNING: Ignore files skip ansible-test sanity tests, found ignore-2.10.txt with 60 statement(s)
WARNING: Ignore files skip ansible-test sanity tests, found ignore-2.12.txt with 62 statement(s)
WARNING: Ignore files skip ansible-test sanity tests, found ignore-2.11.txt with 62 statement(s)
Collection loading complete
Importer processing completed successfully

We should clean this up before we actually attempt to publish to galaxy.

Refactor for better Authentication

Current roles depend on a local copy of kubeconfig to connect to hub and managed clusters.

Other mechanisms such as u/p, tokens, and contexts are available.

Refactor all the current roles for a more commonly supportable auth mechanism.

adding a role for installing managedserviceaccount

we will find the managedserviceaccount add-on useful, and it requires a different way of installation.
https://github.com/open-cluster-management-io/managed-serviceaccount#steps

defect: need to wait for OLM to finish installing MultiClusterHub CRD

TASK [ocm-install-core : Setup MultiClusterHub (MCH) instance] ******************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to find exact match for operator.open-cluster-management.io/v1.MultiClusterHub by [kind, name, singularName, shortNames]"}

ACM & MCE Product Version Checking for Plugins & Modules

Our internal code needs to run checks to confirm the supported versions of ACM/MCE are running (else throw concise errors)

remove backoff & polling

ERROR: Found 1 validate-modules issue(s) which need to be resolved:
ERROR: plugins/modules/managed_serviceaccount_addon.py:0:0: import-error: Exception attempting to import module for argument_spec introspection, 'Error importing backoff lib: Traceback (most recent call last):
  File "/root/ansible_collections/ocmplus/cm/plugins/module_utils/import_utils.py", line 159, in <module>
    import backoff
ModuleNotFoundError: No module named 'backoff'
'

yamllint:unparsable-with-libyaml

Fix all yamllint:unparsable-with-libyaml in all yaml files then remove the corresponding lines in the ignore file.

Timing issue: failed to create namespace with managed service account token

Playbook

- name: "Creating namespace {{ namespace_name }} on {{ target_hosts }} host group"
  hosts: "{{ target_hosts }}"
  connection: local
  tasks:
  - name: "Get ClusterProxy URL for {{ hostvars[inventory_hostname].cluster_name }}"
    ocmplus.cm.cluster_proxy_addon:
      hub_kubeconfig: "{{ hostvars['local-cluster'].kubeconfig }}"
      managed_cluster: "{{ hostvars[inventory_hostname].cluster_name }}"
      wait: True
      timeout: 60
    register: cluster_proxy_url
  - name: debug
    debug:
      msg: "{{ cluster_proxy_url.cluster_url }}"
  - name: "Get managed ServiceAccount token for {{ hostvars[inventory_hostname].cluster_name }}"
    ocmplus.cm.managed_serviceaccount_addon:
      hub_kubeconfig: "{{ hostvars['local-cluster'].kubeconfig }}"
      managed_cluster: "{{ hostvars[inventory_hostname].cluster_name }}"
      wait: True
      timeout: 60
    register: token
  - name: debug
    debug:
      msg: "token length: {{ token.token | length }}"
  - name: "Creating namespace {{ namespace_name }} on {{ hostvars[inventory_hostname].cluster_name }}"
    kubernetes.core.k8s:
      state: present
      host: "{{ cluster_proxy_url.cluster_url }}"
      validate_certs: no
      api_key: "{{token.token}}"
      definition:
        apiVersion: v1
        kind: Namespace
        metadata:
          name: "{{ namespace_name }}"

Error

TASK [Creating namespace mytest on tphee-eks-1] ******************************************************************
fatal: [tphee-eks-1]: FAILED! => {"changed": false, "msg": "Failed to get client due to 503\nReason: Service Unavailable\nHTTP response headers: HTTPHeaderDict({'pragma': 'no-cache', 'cache-control': 'private, max-age=0, no-cache, no-store', 'content-type': 'text/html'})\nHTTP response body: b'<html>\\r\\n  <head>\\r\\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\\r\\n\\r\\n    <style type=\"text/css\">\\r\\n      body {\\r\\n        font-family: \"Helvetica Neue\", Helvetica, Arial, sans-serif;\\r\\n        line-height: 1.66666667;\\r\\n        font-size: 16px;\\r\\n        color: #333;\\r\\n        background-color: #fff;\\r\\n        margin: 2em 1em;\\r\\n      }\\r\\n      h1 {\\r\\n        font-size: 28px;\\r\\n        font-weight: 400;\\r\\n      }\\r\\n      p {\\r\\n        margin: 0 0 10px;\\r\\n      }\\r\\n      .alert.alert-info {\\r\\n        background-color: #F0F0F0;\\r\\n        margin-top: 30px;\\r\\n        padding: 30px;\\r\\n      }\\r\\n      .alert p {\\r\\n        padding-left: 35px;\\r\\n      }\\r\\n      ul {\\r\\n        padding-left: 51px;\\r\\n        position: relative;\\r\\n      }\\r\\n      li {\\r\\n        font-size: 14px;\\r\\n        margin-bottom: 1em;\\r\\n      }\\r\\n      p.info {\\r\\n        position: relative;\\r\\n        font-size: 20px;\\r\\n      }\\r\\n      p.info:before, p.info:after {\\r\\n        content: \"\";\\r\\n        left: 0;\\r\\n        position: absolute;\\r\\n        top: 0;\\r\\n      }\\r\\n      p.info:before {\\r\\n        background: #0066CC;\\r\\n        border-radius: 16px;\\r\\n        color: #fff;\\r\\n        content: \"i\";\\r\\n        font: bold 16px/24px serif;\\r\\n        height: 24px;\\r\\n        left: 0px;\\r\\n        text-align: center;\\r\\n        top: 4px;\\r\\n        width: 24px;\\r\\n      }\\r\\n\\r\\n      @media (min-width: 768px) {\\r\\n        body {\\r\\n          margin: 6em;\\r\\n        }\\r\\n      }\\r\\n    </style>\\r\\n  </head>\\r\\n  <body>\\r\\n    <div>\\r\\n      <h1>Application is not available</h1>\\r\\n      <p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p>\\r\\n\\r\\n      <div class=\"alert alert-info\">\\r\\n        <p class=\"info\">\\r\\n          Possible reasons you are seeing this page:\\r\\n        </p>\\r\\n        <ul>\\r\\n          <li>\\r\\n            <strong>The host doesn\\'t exist.</strong>\\r\\n            Make sure the hostname was typed correctly and that a route matching this hostname exists.\\r\\n          </li>\\r\\n          <li>\\r\\n            <strong>The host exists, but doesn\\'t have a matching path.</strong>\\r\\n            Check if the URL path was typed correctly and that the route was created using the desired path.\\r\\n          </li>\\r\\n          <li>\\r\\n            <strong>Route and path matches, but all pods are down.</strong>\\r\\n            Make sure that the resources exposed by this route (pods, services, deployment configs, etc) have at least one pod running.\\r\\n          </li>\\r\\n        </ul>\\r\\n      </div>\\r\\n    </div>\\r\\n  </body>\\r\\n</html>\\r\\n'\nOriginal traceback: \n  File \"/Users/hee/.pyenv/versions/3.9.9/envs/ocmplus.cm/lib/python3.9/site-packages/kubernetes/dynamic/client.py\", line 55, in inner\n    resp = func(self, *args, **kwargs)\n\n  File \"/Users/hee/.pyenv/versions/3.9.9/envs/ocmplus.cm/lib/python3.9/site-packages/kubernetes/dynamic/client.py\", line 270, in request\n    return self.client.call_api(\n\n  File \"/Users/hee/.pyenv/versions/3.9.9/envs/ocmplus.cm/lib/python3.9/site-packages/kubernetes/client/api_client.py\", line 348, in call_api\n    return self.__call_api(resource_path, method,\n\n  File \"/Users/hee/.pyenv/versions/3.9.9/envs/ocmplus.cm/lib/python3.9/site-packages/kubernetes/client/api_client.py\", line 180, in __call_api\n    response_data = self.request(\n\n  File \"/Users/hee/.pyenv/versions/3.9.9/envs/ocmplus.cm/lib/python3.9/site-packages/kubernetes/client/api_client.py\", line 373, in request\n    return self.rest_client.GET(url,\n\n  File \"/Users/hee/.pyenv/versions/3.9.9/envs/ocmplus.cm/lib/python3.9/site-packages/kubernetes/client/rest.py\", line 240, in GET\n    return self.request(\"GET\", url,\n\n  File \"/Users/hee/.pyenv/versions/3.9.9/envs/ocmplus.cm/lib/python3.9/site-packages/kubernetes/client/rest.py\", line 234, in request\n    raise ApiException(http_resp=r)\n"}

PLAY RECAP *******************************************************************************************************

Role ocm-detach

As an automation engineer
I want to unregister/deattach a spoke cluster from an existing RHACM hub cluster.
So that I can remove cluster from management from RHACM hub

Update featureEnable plugin to reflect API changes in MultiClusterHub and MultiClusterEngine API

Currently the generic addon plugin only installs the addon if the addon is already enabled on the hub. We want to add an option to enable (/disable?) features on the hub from the generic addon plugin.

when cluster is deleted from ACM ansible tower does not remove the cluster from inventory

timing issue for managed_serviceaccount_addon.py

{
  "module_stdout": "",
  "module_stderr": "Traceback (most recent call last):
  File "/home/runner/.ansible/tmp/ansible-tmp-1642102217.5059047-157-246553424943747/AnsiballZ_managed_serviceaccount_addon.py", line 100, in <module>
    _ansiballz_main()
  File "/home/runner/.ansible/tmp/ansible-tmp-1642102217.5059047-157-246553424943747/AnsiballZ_managed_serviceaccount_addon.py", line 92, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/runner/.ansible/tmp/ansible-tmp-1642102217.5059047-157-246553424943747/AnsiballZ_managed_serviceaccount_addon.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.ocmplus.cm.plugins.modules.managed_serviceaccount_addon', init_globals=dict(_module_fqn='ansible_collections.ocmplus.cm.plugins.modules.managed_serviceaccount_addon', _modlib_path=modlib_path),
  File "/usr/lib64/python3.8/runpy.py", line 207, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.8/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib64/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_ocmplus.cm.managed_serviceaccount_addon_payload_ypptylh_/ansible_ocmplus.cm.managed_serviceaccount_addon_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/managed_serviceaccount_addon.py", line 376, in <module>
  File "/tmp/ansible_ocmplus.cm.managed_serviceaccount_addon_payload_ypptylh_/ansible_ocmplus.cm.managed_serviceaccount_addon_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/managed_serviceaccount_addon.py", line 372, in main
  File "/tmp/ansible_ocmplus.cm.managed_serviceaccount_addon_payload_ypptylh_/ansible_ocmplus.cm.managed_serviceaccount_addon_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/managed_serviceaccount_addon.py", line 342, in execute_module
  File "/tmp/ansible_ocmplus.cm.managed_serviceaccount_addon_payload_ypptylh_/ansible_ocmplus.cm.managed_serviceaccount_addon_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/managed_serviceaccount_addon.py", line 225, in wait_for_serviceaccount_secret
  File "/usr/local/lib/python3.8/site-packages/polling.py", line 112, in poll
    if check_success(val):
  File "/tmp/ansible_ocmplus.cm.managed_serviceaccount_addon_payload_ypptylh_/ansible_ocmplus.cm.managed_serviceaccount_addon_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/managed_serviceaccount_addon.py", line 220, in check_success
TypeError: 'NoneType' object is not subscriptable
",
  "exception": "Traceback (most recent call last):
  File "/home/runner/.ansible/tmp/ansible-tmp-1642102217.5059047-157-246553424943747/AnsiballZ_managed_serviceaccount_addon.py", line 100, in <module>
    _ansiballz_main()
  File "/home/runner/.ansible/tmp/ansible-tmp-1642102217.5059047-157-246553424943747/AnsiballZ_managed_serviceaccount_addon.py", line 92, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/runner/.ansible/tmp/ansible-tmp-1642102217.5059047-157-246553424943747/AnsiballZ_managed_serviceaccount_addon.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.ocmplus.cm.plugins.modules.managed_serviceaccount_addon', init_globals=dict(_module_fqn='ansible_collections.ocmplus.cm.plugins.modules.managed_serviceaccount_addon', _modlib_path=modlib_path),
  File "/usr/lib64/python3.8/runpy.py", line 207, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.8/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib64/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_ocmplus.cm.managed_serviceaccount_addon_payload_ypptylh_/ansible_ocmplus.cm.managed_serviceaccount_addon_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/managed_serviceaccount_addon.py", line 376, in <module>
  File "/tmp/ansible_ocmplus.cm.managed_serviceaccount_addon_payload_ypptylh_/ansible_ocmplus.cm.managed_serviceaccount_addon_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/managed_serviceaccount_addon.py", line 372, in main
  File "/tmp/ansible_ocmplus.cm.managed_serviceaccount_addon_payload_ypptylh_/ansible_ocmplus.cm.managed_serviceaccount_addon_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/managed_serviceaccount_addon.py", line 342, in execute_module
  File "/tmp/ansible_ocmplus.cm.managed_serviceaccount_addon_payload_ypptylh_/ansible_ocmplus.cm.managed_serviceaccount_addon_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/managed_serviceaccount_addon.py", line 225, in wait_for_serviceaccount_secret
  File "/usr/local/lib/python3.8/site-packages/polling.py", line 112, in poll
    if check_success(val):
  File "/tmp/ansible_ocmplus.cm.managed_serviceaccount_addon_payload_ypptylh_/ansible_ocmplus.cm.managed_serviceaccount_addon_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/managed_serviceaccount_addon.py", line 220, in check_success
TypeError: 'NoneType' object is not subscriptable
",
  "msg": "MODULE FAILURE
See stdout/stderr for the exact error",
  "rc": 1,
  "_ansible_no_log": false,
  "changed": false
}

splitting up managed_serviceaccount plugin to support more granular RBAC configuration

in our current implementation managed_serviceaccount plugin create the maanged serviceaccount and create a manifestwork to configure clusterrolebinding to bind cluster-admin clusterrole to the created maanged service account

in our next iteration we would like to split up the plugin into 2 different ones

to create managedserviceaccount and fetch managed serviceaccount token
to create role and rolebinding to bind to the managed serviceaccount

Galaxy Publishing Checklist

What do we need to do to get published to Galaxy?

Every issue connected to this Epic needs to be completed before publishing to Galaxy.

Inventory Plugin

As an Ansible automation engineer
I would like to be able to utilize an inventory plugin that lists the managed clusters under a hub as well as identify the nodes that each cluster is comprised of.
So that I can manage clusters adhoc as well as make changes to underlying machines via Ansible automation.

Example

{
  "hub_cluster": {
    "hosts": ["cluster001"],
    "vars": {
      "var1": true
    },
    "children": ["group002"]
  },
  "managed_clusters": {
    "hosts": ["cluster002", "cluster003", "cluster004"],
    "vars": {
      "var2": 500
    },
    "children": []
  },
  "labelA": {
    "hosts": ["cluster001", "cluster002"],
    "vars": {}
  },
  "labelB": {
    "hosts": ["cluster003", "cluster004"],
    "vars": {}
  },
  "cluster001_wrks": {
    "hosts": ["host4", "host5", "host6"]
  },
  "cluster001_ctls": {
    "hosts": ["host1", "host2", "host3"]
  },
  "all": {
    "children": ["ungrouped"]
  },
  "ungrouped": {
    "children": []
  },
  "_meta": {
    "hostvars": {
      "cluster001": {
        "var001": "value"
      },
      "cluster002": {
        "var002": "value"
      },
      "host1": {
        "fqdn": "host1.acme.com",
        "ipAddress": "1.2.3.4"
      }
    }
  }

}

Policy Plugin

Goal: Provide a kube-native experience for users wanting to leverage ACM's policy functionality

Provide a path to a file containing a valid YAML definition of an object or objects to be created, updated, deleted or validated existence.
Convert the definition of an object or objects into a GRC policy
Convert cluster selections into a Placement rule
Deploy the policy to the selected managed clusters

import_eks plugin not idempotent

Running the import_eks plugin twice does not return the same results (first time succeed, second time fail because klusterlet already exists). This is not usual ansible behavior.

Consider adding a step for when the cluster to import is already managed by some hub. Check which hub manages the given imported cluster. If it's the hub that's currently trying to import the cluster, pass with ok green status. If a different hub manages the given cluster for import, fail.

Sanity test import is throwing error "import of "ansible.errors" is not allowed in this context"

Sanity test import is throwing error import of "ansible.errors" is not allowed in this context for plugins/modules/import_eks.py and plugins/module_utils/import_utils.py.
Need to figure out why and solve this problem and remove the corresponding lines in the ignore file.

Add git action for checking Galaxy publishing

If our collection is publish-able to Galaxy, then our community can easily use it.

We need a git action to run with our PRs to confirm that our collection can be published to Galaxy.

TODO

Set up a long-standing cluster
Install AAP
Create the automationhub CR to instantiate the private Galaxy on the long-standing cluster
With each PR, attempt to publish collection to the long-standing cluster's private Galaxy

Add testing framework for plugin beyond sanity testing

Review Ansible precedents when deciding how these tests should be structured and what they should test

`pip install -r requirements.txt` install a lot of version of the packages

example

Collecting awscli>=1.22.6
  Using cached awscli-1.22.18-py3-none-any.whl (3.8 MB)
  Using cached awscli-1.22.17-py3-none-any.whl (3.8 MB)
  Using cached awscli-1.22.16-py3-none-any.whl (3.8 MB)
  Using cached awscli-1.22.15-py3-none-any.whl (3.8 MB)
  Using cached awscli-1.22.14-py3-none-any.whl (3.8 MB)
  Using cached awscli-1.22.13-py3-none-any.whl (3.8 MB)
  Using cached awscli-1.22.12-py3-none-any.whl (3.8 MB)
  Using cached awscli-1.22.11-py3-none-any.whl (3.8 MB)
  Using cached awscli-1.22.10-py3-none-any.whl (3.8 MB)
  Using cached awscli-1.22.9-py3-none-any.whl (3.8 MB)
  Using cached awscli-1.22.8-py3-none-any.whl (3.8 MB)
  Using cached awscli-1.22.7-py3-none-any.whl (3.8 MB)
  Using cached awscli-1.22.6-py3-none-any.whl (3.8 MB)

pip is literally installed all version of the package that mets our requirement

if addon option is not provided params['addon'] get None instead of default empty value

when attempting to run import_eks without addons params the addons should be initialized with default value of the addons instead of None

  File "/Volumes/case-sensitive-volume/projects/src/github.com/TheRealHaoLiu/ocmplus.cm/plugins/modules/import_eks.py", line 241, in <module>
    main()
  File "/Volumes/case-sensitive-volume/projects/src/github.com/TheRealHaoLiu/ocmplus.cm/plugins/modules/import_eks.py", line 237, in main
    execute_module(module)
  File "/Volumes/case-sensitive-volume/projects/src/github.com/TheRealHaoLiu/ocmplus.cm/plugins/modules/import_eks.py", line 168, in execute_module
    import_utils.ensure_klusterletaddonconfig(hub_client, eks_cluster_name, addons)
  File "/Volumes/case-sensitive-volume/projects/src/github.com/TheRealHaoLiu/ocmplus.cm/.venv/lib/python3.9/site-packages/ansible_collections/ocmplus/cm/plugins/module_utils/import_utils.py", line 89, in ensure_klusterletaddonconfig
    ocm_iam_policy_controller=addons['iam_policy_controller'],
TypeError: 'NoneType' object is not subscriptable```

Incorporate inventory plugin w/ Ansible Tower functionality

With Vault, we can securely store tokens retrieved by the inventory plugin

import_eks plugin module does not read in AWS environment variable as expected

when using the import_eks plugin if the user does not provide aws_access_key and aws_secret_key the module will fail

expected behavior is that like AnsibleAWSModule it will try to use the environment variables and AWS configuration of the environment to configure the credentials

(.venv) ➜  ocmplus.cm git:(cluster-proxy-addon) ✗ python plugins/modules/import_eks.py args.json
Traceback (most recent call last):
  File "/Volumes/case-sensitive-volume/projects/src/github.com/TheRealHaoLiu/ocmplus.cm/plugins/modules/import_eks.py", line 238, in <module>
    main()
  File "/Volumes/case-sensitive-volume/projects/src/github.com/TheRealHaoLiu/ocmplus.cm/plugins/modules/import_eks.py", line 234, in main
    execute_module(module)
  File "/Volumes/case-sensitive-volume/projects/src/github.com/TheRealHaoLiu/ocmplus.cm/plugins/modules/import_eks.py", line 149, in execute_module
    sts_token = TokenGenerator(sts_client).get_token(eks_cluster_name)
  File "/Volumes/case-sensitive-volume/projects/src/github.com/TheRealHaoLiu/ocmplus.cm/.venv/lib/python3.9/site-packages/awscli/customizations/eks/get_token.py", line 96, in get_token
    url = self._get_presigned_url(cluster_name)
  File "/Volumes/case-sensitive-volume/projects/src/github.com/TheRealHaoLiu/ocmplus.cm/.venv/lib/python3.9/site-packages/awscli/customizations/eks/get_token.py", line 102, in _get_presigned_url
    return self._sts_client.generate_presigned_url(
  File "/Volumes/case-sensitive-volume/projects/src/github.com/TheRealHaoLiu/ocmplus.cm/.venv/lib/python3.9/site-packages/botocore/signers.py", line 602, in generate_presigned_url
    return request_signer.generate_presigned_url(
  File "/Volumes/case-sensitive-volume/projects/src/github.com/TheRealHaoLiu/ocmplus.cm/.venv/lib/python3.9/site-packages/botocore/signers.py", line 275, in generate_presigned_url
    self.sign(operation_name, request, region_name,
  File "/Volumes/case-sensitive-volume/projects/src/github.com/TheRealHaoLiu/ocmplus.cm/.venv/lib/python3.9/site-packages/botocore/signers.py", line 165, in sign
    auth.add_auth(request)
  File "/Volumes/case-sensitive-volume/projects/src/github.com/TheRealHaoLiu/ocmplus.cm/.venv/lib/python3.9/site-packages/botocore/auth.py", line 383, in add_auth
    self._modify_request_before_signing(request)
  File "/Volumes/case-sensitive-volume/projects/src/github.com/TheRealHaoLiu/ocmplus.cm/.venv/lib/python3.9/site-packages/botocore/auth.py", line 507, in _modify_request_before_signing
    'X-Amz-Credential': self.scope(request),
  File "/Volumes/case-sensitive-volume/projects/src/github.com/TheRealHaoLiu/ocmplus.cm/.venv/lib/python3.9/site-packages/botocore/auth.py", line 345, in scope
    return '/'.join(scope)
TypeError: sequence item 0: expected str instance, NoneType found

Collection Versioning

What version do we start with when we first publish?

Should we consider an alpha suffix?

What's our support statement? Versioning notes:

https://docs.ansible.com/ansible/latest/dev_guide/developing_collections_distributing.html#collection-versions

Role ocm-install

Provides a way to specify the catalog for Red Hat Advanced Cluster Management (RHACM) operator.
Provides a way to specify version and channel of RHACM.
Provides an optional installation of Observability.
Provides different authentication mechanisms to the hub cluster.

Modify plugin module to specify TTL configuration

TTL support now in MSA as alpha feature. Review Ansible precedents for how best to surface this configuration in our plugin spec.

Timing issue for cluster_proxy

Logs from failed Ansible playbook

$ ansible-playbook -i nweather-cpa-inventory.yml ./nweather-cpa-playbook.yml --extra-vars "namespace_name=testytest target_hosts=openshift-clusters"
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
[WARNING]: running playbook inside collection ocmplus.cm

PLAY [Creating namespace testytest on openshift-clusters host group] **********************************************************

TASK [Gathering Facts] ********************************************************************************************************
ok: [nweather-managed]

TASK [Get ClusterProxy URL for nweather-managed] ******************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError: 'NoneType' object has no attribute 'conditions'
fatal: [nweather-managed]: FAILED! => 
{
  "changed": false,
  "module_stderr": "Traceback (most recent call last):\n
    File \"/Users/nweather/.ansible/tmp/ansible-tmp-1642534370.6547048-57779-159874808927174/AnsiballZ_cluster_proxy_addon.py\", line 100, in <module>
        _ansiballz_main()\n  
    File \"/Users/nweather/.ansible/tmp/ansible-tmp-1642534370.6547048-57779-159874808927174/AnsiballZ_cluster_proxy_addon.py\", line 92, in _ansiballz_main\n
        invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n
    File \"/Users/nweather/.ansible/tmp/ansible-tmp-1642534370.6547048-57779-159874808927174/AnsiballZ_cluster_proxy_addon.py\", line 40, in invoke_module\n
        runpy.run_module(mod_name='ansible_collections.ocmplus.cm.plugins.modules.cluster_proxy_addon', init_globals=dict(_module_fqn='ansible_collections.ocmplus.cm.plugins.modules.cluster_proxy_addon', _modlib_path=modlib_path),\n
    File \"/usr/local/Cellar/[email protected]/3.9.9/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py\", line 210, in run_module\n
        return _run_module_code(code, init_globals, run_name, mod_spec)\n
    File \"/usr/local/Cellar/[email protected]/3.9.9/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py\", line 97, in _run_module_code\n
        _run_code(code, mod_globals, init_globals,\n
    File \"/usr/local/Cellar/[email protected]/3.9.9/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py\", line 87, in _run_code\n
        exec(code, run_globals)\n  File \"/var/folders/m4/_wdtp1ws6b7748zwg8nyvc1r0000gn/T/ansible_ocmplus.cm.cluster_proxy_addon_payload_shze7g4j/ansible_ocmplus.cm.cluster_proxy_addon_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/cluster_proxy_addon.py\", line 194, in <module>\n
    File \"/var/folders/m4/_wdtp1ws6b7748zwg8nyvc1r0000gn/T/ansible_ocmplus.cm.cluster_proxy_addon_payload_shze7g4j/ansible_ocmplus.cm.cluster_proxy_addon_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/cluster_proxy_addon.py\", line 190, in main\n
    File \"/var/folders/m4/_wdtp1ws6b7748zwg8nyvc1r0000gn/T/ansible_ocmplus.cm.cluster_proxy_addon_payload_shze7g4j/ansible_ocmplus.cm.cluster_proxy_addon_payload.zip/ansible_collections/ocmplus/cm/plugins/modules/cluster_proxy_addon.py\", line 159, in execute_module\n
    File \"/var/folders/m4/_wdtp1ws6b7748zwg8nyvc1r0000gn/T/ansible_ocmplus.cm.cluster_proxy_addon_payload_shze7g4j/ansible_ocmplus.cm.cluster_proxy_addon_payload.zip/ansible_collections/ocmplus/cm/plugins/module_utils/addon_utils.py\", line 72, in wait_for_addon_available\n
    File \"/Users/nweather/python-venv/ansible2.12/lib/python3.9/site-packages/polling.py\", line 112, in poll\n
        if check_success(val):\n
    File \"/var/folders/m4/_wdtp1ws6b7748zwg8nyvc1r0000gn/T/ansible_ocmplus.cm.cluster_proxy_addon_payload_shze7g4j/ansible_ocmplus.cm.cluster_proxy_addon_payload.zip/ansible_collections/ocmplus/cm/plugins/module_utils/addon_utils.py\", line 57, in check_managed_cluster_addon_available\n
        AttributeError: 'NoneType' object has no attribute 'conditions'\n",
  "module_stdout": "",
  "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
  "rc": 1
}

import_eks plugin missing auto detection of managedcluster cloud and vendor configuration

cloud=auto-detect
vendor=auto-detect

need to be added to the created managedcluster resource

remove check that require input to the inventory plugin to be named `ocm.yml`

Role ocm-attach

As an automation engineer
I want to register/attach a spoke cluster to an existing RHACM hub cluster.
So that I can manage the spoke cluster in terms of policies, applications, and search.

The role should mimic the attachment procedure that is available manually via the web UI and cli.

RBAC Plugin: Validate the inclusion of both a (cluster)role and (cluster)rolebinding.

If a role is specified without a binding (or vice versa), we should throw an intelligent error instead of silently erroring (which is what happens now).

Consider all scenarios between (cluster)roles and (cluster)rolebindings and determine error handling for each
Update the documentation to describe our behavior

REQUIRES FURTHER DESIGN

Prep new hub environment with tower to validate all most-recent upstream changes

Also we can use it for a playback demo :)

pylint is throwing error ansible-bad-module-import: Import external package or ansible.module_utils not ansible.errors

Pylint is throwing error ansible-bad-module-import: Import external package or ansible.module_utils not ansible.errors for plugins/modules/import_eks.py and plugins/module_utils/import_utils.py.
Need to figure out why and solve this problem and remove the corresponding lines in the ignore file.