okd/roles/openshift_node/tasks/config.yml

---
#### Disable SWAP #####
# https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory
# swapoff is a custom module that comments out swap entries in
# /etc/fstab and runs swapoff -a, if necessary.
- name: Disable swap
  swapoff: {}

# The atomic-openshift-node service will set this parameter on
# startup, but if the network service is restarted this setting is
# lost. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1372388
- name: Enable IP Forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: 1
    sysctl_file: "/etc/sysctl.d/99-openshift.conf"
    reload: yes

# The base OS RHEL with "Minimal" installation option is
# enabled firewalld serivce by default, it denies unexpected 10250 port.
# Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1740439
- name: Disable firewalld service
  systemd:
    name: "firewalld.service"
    enabled: false
  register: service_status
  failed_when:
  - service_status is failed
  - not ('Could not find the requested service' in service_status.msg)

- name: Setting sebool container_manage_cgroup
  seboolean:
    name: container_manage_cgroup
    state: yes
    persistent: yes

- name: Create temp directory
  tempfile:
    state: directory
  register: temp_dir

- name: Wait for bootstrap endpoint to show up
  uri:
    url: "{{ openshift_node_bootstrap_endpoint }}"
    validate_certs: false
  delay: 10
  retries: 60
  register: result
  until:
  - result.status is defined
  - result.status == 200

- name: Fetch bootstrap ignition file locally
  uri:
    url: "{{ openshift_node_bootstrap_endpoint }}"
    dest: "{{ temp_dir.path }}/bootstrap.ign"
    validate_certs: false
  register: bootstrap_ignition

# registries.conf is listed twice in the config, the second one is the right one
- name: Extract the last registries.conf file from bootstrap.ign
  set_fact:
    registries_conf: >
      {{
      bootstrap_ignition.json.storage.files
      | selectattr('path', 'match', '/etc/containers/registries.conf')
      | list
      | last
      }}

- name: Check data URL encoding and extract source data
  set_fact:
    base64encoded: "{{ registries_conf.contents.source.split(',')[0].endswith('base64') }}"
    source_data: "{{ registries_conf.contents.source.split(',')[1] }}"

- name: Write /etc/containers/registries.conf
  copy:
    content: "{{ (source_data | b64decode) if base64encoded else (source_data | urldecode) }}"
    mode: "{{ '0' ~ registries_conf.mode }}"
    dest: "{{ registries_conf.path }}"
  register: update_registries

- name: Restart the CRI-O service
  systemd:
    name: "crio"
    state: restarted
  when: update_registries is changed

- name: Get cluster pull-secret
  command: >
    oc get secret pull-secret
    --kubeconfig={{ openshift_node_kubeconfig_path }}
    --namespace=openshift-config
    --output=jsonpath='{.data.\.dockerconfigjson}'
  delegate_to: localhost
  register: oc_get
  until:
  - oc_get.stdout != ''
  retries: 36
  delay: 5

- name: Write pull-secret to file
  copy:
    content: "{{ oc_get.stdout | b64decode }}"
    dest: "{{ temp_dir.path }}/pull-secret.json"

- name: Get cluster release image
  command: >
    oc get clusterversion
    --kubeconfig={{ openshift_node_kubeconfig_path }}
    --output=jsonpath='{.items[0].status.desired.image}'
  delegate_to: localhost
  register: oc_get
  until:
  - oc_get.stdout != ''
  retries: 36
  delay: 5

- name: Set l_release_image fact
  set_fact:
    l_release_image: "{{ oc_get.stdout }}"

- import_tasks: proxy.yml

- block:
  - name: Pull release image
    command: "podman pull --tls-verify={{ openshift_node_tls_verify }} --authfile {{ temp_dir.path }}/pull-secret.json {{ l_release_image }}"
    register: podman_pull
    until:
      podman_pull.stdout != ''

  - name: Get machine controller daemon image from release image
    command: "podman run --rm {{ l_release_image }} image machine-config-operator"
    register: release_image_mcd
  environment:
    http_proxy: "{{ http_proxy | default('')}}"
    https_proxy: "{{https_proxy | default('')}}"
    no_proxy: "{{ no_proxy | default('')}}"

- block:
  - name: Pull MCD image
    command: "podman pull --tls-verify={{ openshift_node_tls_verify }} --authfile {{ temp_dir.path }}/pull-secret.json {{ release_image_mcd.stdout }}"
    register: podman_pull
    until:
      podman_pull.stdout != ''

  - name: Apply ignition manifest
    command: "podman run {{ podman_mounts }} {{ podman_flags }} {{ mcd_command }}"
    vars:
      podman_flags: "--privileged --rm --entrypoint=/usr/bin/machine-config-daemon -ti {{ release_image_mcd.stdout }}"
      podman_mounts: "-v /:/rootfs -v /var/run/dbus:/var/run/dbus -v /run/systemd:/run/systemd"
      mcd_command: "start --node-name {{ ansible_nodename | lower }} --once-from {{ temp_dir.path }}/bootstrap.ign --skip-reboot"

  - name: Remove temp directory
    file:
      path: "{{ temp_dir.path }}"
      state: absent

  - name: Reboot the host and wait for it to come back
    reboot:
    #  reboot_timeout: 600  # default, 10 minutes
  environment:
    http_proxy: "{{ http_proxy | default('')}}"
    https_proxy: "{{ https_proxy | default('')}}"
    no_proxy: "{{ no_proxy | default('')}}"
  rescue:
  - fail:
      msg: "Ignition apply failed"

- block:
  - name: Approve node-bootstrapper CSR
    shell: >
      count=0;
      for csr in `oc --kubeconfig={{ openshift_node_kubeconfig_path }} get csr --no-headers \
        | grep " system:serviceaccount:openshift-machine-config-operator:node-bootstrapper " \
        | cut -d " " -f1`;
      do
        oc --kubeconfig={{ openshift_node_kubeconfig_path }} describe csr/$csr \
          | grep " system:node:{{ hostvars[item].ansible_nodename | lower }}$";
        if [ $? -eq 0 ];
        then
          oc --kubeconfig={{ openshift_node_kubeconfig_path }} adm certificate approve ${csr};
          if [ $? -eq 0 ];
          then
            count=$((count+1));
          fi;
        fi;
      done;
      exit $((!count));
    loop: "{{ ansible_play_batch }}"
    delegate_to: localhost
    run_once: true
    register: oc_get
    until:
    - oc_get is success
    retries: 6
    delay: 5

  rescue:
  - import_tasks: gather_debug.yml

  - name: DEBUG - Failed to approve node-bootstrapper CSR
    fail:
      msg: "Failed to approve node-bootstrapper CSR"
    delegate_to: localhost

- block:
  - name: Approve node CSR
    shell: >
      count=0;
      for csr in `oc --kubeconfig={{ openshift_node_kubeconfig_path }} get csr --no-headers \
        | grep " system:node:{{ hostvars[item].ansible_nodename | lower }} " \
        | cut -d " " -f1`;
      do
        oc --kubeconfig={{ openshift_node_kubeconfig_path }} adm certificate approve ${csr};
        if [ $? -eq 0 ];
        then
          count=$((count+1));
        fi;
      done;
      exit $((!count));
    loop: "{{ ansible_play_batch }}"
    delegate_to: localhost
    run_once: true
    register: oc_get
    until:
    - oc_get is success
    retries: 6
    delay: 5

  rescue:
  - import_tasks: gather_debug.yml

  - name: DEBUG - Failed to approve node CSR
    fail:
      msg: "Failed to approve node CSR"
    delegate_to: localhost

- block:
  - name: Wait for nodes to report ready
    command: >
      oc get node {{ hostvars[item].ansible_nodename | lower }}
      --kubeconfig={{ openshift_node_kubeconfig_path }}
      --output=jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
    loop: "{{ ansible_play_batch }}"
    delegate_to: localhost
    run_once: true
    register: oc_get
    until:
    - oc_get.stdout == "True"
    retries: 36
    delay: 5
    changed_when: false

  rescue:
  - import_tasks: gather_debug.yml

  - name: DEBUG - Node failed to report ready
    fail:
      msg: "Node failed to report ready"
    delegate_to: localhost