EGI production deployment (WIP)

egi-production/ansible.cfg

+[defaults]
+inventory=inventory
+
+[diff]
+always=true

egi-production/deploy.sh

+#! /bin/bash -xe
+
+#
+# Deploy EGI production instance
+#
+
+cd terraform && terraform init && terraform apply
+cd -
+cp -pv terraform/inventory.yaml inventory/1-cesnet.yaml
+
+# dynamic DNS
+ip="$(head -n 1 <terraform/fip.txt)"
+shellstate=$(shopt -po xtrace)
+set +o xtrace
+# https://nsupdate.fedcloud.eu
+vault_prefix=secrets/users/e1662e20-e34b-468c-b0ce-d899bc878364@egi.eu/egi-production
+FEDCLOUD_DYNAMIC_DNS=$(vault read -field data $vault_prefix/FEDCLOUD_DYNAMIC_DNS | grep ^map | head -n 1 | sed 's/map\[\(.*\)\]/\1/')
+for auth in $FEDCLOUD_DYNAMIC_DNS; do
+	echo "curl -i -X GET -u $(echo "$auth" | cut -d: -f1):XXX https://nsupdate.fedcloud.eu/nic/update?myip=$ip"
+	curl -i -X GET -u "$auth" https://nsupdate.fedcloud.eu/nic/update?myip="$ip"
+done
+eval "$shellstate"
+echo "Terraform finished. Check terraform/docker-volume.sh. Continue? (CTRL-C to quit)"
+read -r _
+
+# wait for ping and ssh
+while read -r ip; do
+	while ! ping -c 1 "$ip"; do sleep 5; done
+	ssh-keygen -R "$ip"
+	while ! ssh egi@"$ip" -o ConnectTimeout=10 -o PreferredAuthentications=publickey -o StrictHostKeyChecking=no :; do sleep 10; done
+done <terraform/fip.txt
+
+# check ssh access
+ansible -m command -a 'uname -a' allnodes
+
+# wait cloud-init
+ansible -m shell -a 'while ! test -f /var/lib/cloud/instance/boot-finished; do sleep 2; done' allnodes
+
+# setup volumes
+ansible -m copy -a 'src=terraform/nfs-volume.sh dest=/root/ mode=preserve' nfs
+ansible -m command -a '/root/nfs-volume.sh' nfs
+ansible -m copy -a 'src=terraform/squid-volume.sh dest=/root/ mode=preserve' 'ingress[0]'
+ansible -m command -a '/root/squid-volume.sh' 'ingress[0]'
+
+# kubernetes
+ansible-playbook playbooks/k8s.yaml
+while ansible -m command -a 'kubectl get pods --all-namespaces' master | tail -n +3 | grep -Ev ' (Running|Completed) '; do sleep 5; done
+# docker runtime directory after Kubernetes deployment (problem with unmounts)
+ansible -m copy -a 'src=terraform/docker-volume.sh dest=/root/ mode=preserve' 'ingress nfs worker gpu'
+ansible -m command -a '/root/docker-volume.sh' 'ingress nfs worker gpu'
+ansible-playbook playbooks/squid.yaml
+ansible-playbook playbooks/cvmfs.yaml
+
+# image repository
+ansible-playbook playbooks/repository-nexus.yaml
+
+# wait for finish
+while ansible -m command -a 'kubectl get pods --all-namespaces' master | tail -n +3 | grep -Ev ' (Running|Completed) '; do sleep 5; done

egi-production/inventory/1-cesnet.yaml

+---
+fip:
+  hosts:
+    78.128.235.186:
+
+master:
+  hosts:
+    192.168.0.144:
+      # must be IPv4 address or hostname
+      kube_server: 192.168.0.144
+
+ingress:
+  hosts:
+    192.168.0.22:
+
+nfs:
+  hosts:
+    192.168.0.42:
+
+worker:
+  hosts:
+    192.168.0.122:
+    192.168.0.137:
+    192.168.0.181:
+    192.168.0.38:
+
+gpu:
+  hosts:
+
+# using public IP of kube_server for ansible delegate_to
+kube_server:
+  hosts:
+    192.168.0.144:
+      ansible_host: 192.168.0.144

egi-production/inventory/99-all.yaml

+---
+allnodes:
+  children:
+    master:
+    ingress:
+    nfs:
+    worker:
+    gpu:
+
+all:
+  vars:
+    ansible_become: true
+    ansible_user: egi
+    ansible_ssh_common_args: >-
+      -o ProxyCommand="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p -q egi@{{ groups["fip"][0] }}"
+      -o StrictHostKeyChecking=no
+      -o UserKnownHostsFile=/dev/null
+
+    site_name: egi-production
+    vault_mount_point: secrets/users/e1662e20-e34b-468c-b0ce-d899bc878364@egi.eu/egi-production
+    backup_repository: s3:s3.cl2.du.cesnet.cz/notebooks-production-g2
+
+    binder_hostname: binder-rc.egi.zcu.cz
+    notebooks_hostname: notebooks-rc.egi.zcu.cz
+    grafana_hostname: grafana.notebooks-rc.egi.zcu.cz
+    nexus_hostname: nexus.notebooks-rc.egi.zcu.cz
+    registry_binder_hostname: registry.binder-rc.egi.zcu.cz
+    registry_notebooks_hostname: registry.notebooks-rc.egi.zcu.cz

egi-production/playbooks/accounting.yaml

+../../common/playbooks/accounting.yaml
\ No newline at end of file

egi-production/playbooks/backup.yaml

+../../common/playbooks/backup.yaml
\ No newline at end of file

egi-production/playbooks/cvmfs.yaml

+../../common/playbooks/cvmfs.yaml
\ No newline at end of file

egi-production/playbooks/files/calico.yaml

+../../../common/playbooks/files/calico.yaml
\ No newline at end of file

egi-production/playbooks/files/egi-notebooks-privacy-policy.html

+../../../common/playbooks/files/egi-notebooks-privacy-policy.html
\ No newline at end of file

egi-production/playbooks/files/egi-notebooks-terms-of-use.html

+../../../common/playbooks/files/egi-notebooks-terms-of-use.html
\ No newline at end of file

egi-production/playbooks/files/egi-style.css

+../../../common/playbooks/files/egi-style.css
\ No newline at end of file

egi-production/playbooks/files/etc

+../../../common/playbooks/files/etc
\ No newline at end of file

egi-production/playbooks/files/usr

+../../../common/playbooks/files/usr
\ No newline at end of file

egi-production/playbooks/k8s.yaml

+../../common/playbooks/k8s.yaml
\ No newline at end of file

egi-production/playbooks/notebooks-policies-egi.yaml

+../../common/playbooks/notebooks-policies-egi.yaml
\ No newline at end of file

egi-production/playbooks/notebooks.yaml

+../../common/playbooks/notebooks.yaml
\ No newline at end of file

egi-production/playbooks/public_keys

+../../common/playbooks/public_keys
\ No newline at end of file

egi-production/playbooks/recover.yaml

+../../common/playbooks/recover.yaml
\ No newline at end of file

egi-production/playbooks/repository-nexus.yaml

+../../common/playbooks/repository-nexus.yaml
\ No newline at end of file

egi-production/playbooks/squid.yaml

+../../common/playbooks/squid.yaml
\ No newline at end of file