From 1ef66cc7c8b164a4721e3e17488a4da42c2ffe3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc=20Mattm=C3=BCller?= Date: Tue, 19 Sep 2023 16:09:13 +0200 Subject: [PATCH] doc: added status and migration work after review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marc Mattmüller --- doc/src/nextlevel-ci/researchAnsible.rst | 2 + doc/src/setup/nwl-ci-review.rst | 148 +++++++++++++++++++++++ 2 files changed, 150 insertions(+) diff --git a/doc/src/nextlevel-ci/researchAnsible.rst b/doc/src/nextlevel-ci/researchAnsible.rst index b5ec6a7..574a249 100644 --- a/doc/src/nextlevel-ci/researchAnsible.rst +++ b/doc/src/nextlevel-ci/researchAnsible.rst @@ -716,6 +716,8 @@ SSH keypair we create. The playbook is reflected in the git repository with name ``create-ssh-key.yml``. +.. _vaultUsage: + Sensitive Data, Passphrases using the Vault =========================================== Ansible comes with an encrypting mechanism which we use. Let's start by encrypting the first SSH passphrase: diff --git a/doc/src/setup/nwl-ci-review.rst b/doc/src/setup/nwl-ci-review.rst index 5eaa7b5..10020a7 100644 --- a/doc/src/setup/nwl-ci-review.rst +++ b/doc/src/setup/nwl-ci-review.rst 
@@ -78,3 +78,151 @@ In the ansible instance the entire part of software tests on devices (like e.g. are not yet integrated. Any further steps depend on how the workflow and release process will be defined. + + +##################################### +NWL CI State after Review 2023.09.19 +##################################### +Introduction / Status +###################### +The AWX instance presented in the Area Review is set up on a local machine and with the end of the contract this +instance won't be accessible anymore. Originally there were network connection issues (IT permissions) and uncertainties +about where to set up a productive instance. To not stall the progress of this proof of concept, I decided to set up a +local AWX instance using minikube. Nevertheless there was a big interest in the topic using Ansible Playbooks. To be +prepared I created an empty AWX instance using K3s on the server with IP 10.115.101.101, so that any DevOps engineer +could play around. + +My first steps using the local AWX instance was to progress with a local notebook (as machine) where super user +priviledges were set up. With the switch to build servers for the NWL CI instance set up with Ansible playbooks, this +priviledged part was no longer needed. And thus there is a difference in the documentation to what we have in real. + +Well, during the preparation of the live demo of the Area Review today, I noticed that the instance on the server was +down and no longer accessible. I brought it back but saw that this instance was never used and still empty. Hence, I +informed Patrick Zysset about this state and we decided to migrate as much as possible from my local instance to the +instance on the server. + +.. note:: + The server 10.115.101.101 holds in its home directory the nwl-ci setup, see */home/user/nwl-ci*. 
The NWL CI Instance + can be brought up with ``docker-compose up --build -d`` and down with ``docker-compose down`` directly in the home + directory of server 10.115.101.101. With this the instance is still usable. + +.. caution:: + The encrypted passwords were generated with the local AWX instance and thus they are not the same with the migrated + instance. This means that none of the jobs using a vault encrypted password will work. + + After migrating the job *Reconfigure Docker Network*, I manually installed *sudo* (apt install sudo) and manually + added user *user* to group sudo in */etc/group*. But commands using sudo will fail anyway because the password is + not set in the credentials menu of the AWX instance for this user. Meaning there would be an effort needed as well. + + In the same turn I additionally installed ansible with ``sudo apt install ansible`` manually, so you can encrypt the + passwords as documented in :ref:`vaultUsage`. + + **Important:** Due to this vault encryption, the playbooks in the + `NWL CI repository `_ containing the encryped + parts, have to be adapted with the new vault encryption of this migrated instance. The time just was not sufficient + to change all those parts and bring you back a fully functional AWX instance. + + FYI: These mentioned manual installations are intended as preparation if someone starts playing with Ansible and + wants to migrate the job yaml files in the repository using the new vault encryptions, etc. + +.. note:: + All the jobs below act as **look-up templates**. These jobs were just migrated to give an overview about the order + and about the way they are set up. + + +Please find in the following section the migration notes. + + +Migration of the AWX Functionalities +##################################### +Job Template Migration Overview +******************************** +Basic Installation +=================== +As already mentioned the super user priviledges do not fit into that environment. 
Thus this part of the documentation +is no longer valid. Additionally the basic installations, Job *01 Basic Installation* won't work because the user with +the appropriate priviledges is not set up. Hence this job is failing. + +This could be fixed if we would add another machine access for the user *root* OR install sudo and add the current user +to the list of sudoers. + +Create SSH keypair +=================== +The vault password is set and the job is migrated but not executed. The reason is simple: this job was developed using +the local machine as mentioned in the section `Introduction / Status`_. But I copied manually the ssh keys +*testvm_ed25519* from from 10.115.101.101 to 10.115.101.100. + +Reconfigure Docker Network +=========================== +The docker network is already okay on 10.115.101.100. This job was created and ran but failed because originally sudo +was missing. + +Clone CI Repo +============== +According to the caution note above, the job won't work but is set up and I cloned the repository manually: + +.. code-block:: + + # starting the ssh-agent and loading the ssh key + eval `ssh-agent -s` + ssh-add .ssh/testvm_ed25519 + + # verifying the loaded key + ssh-add -l + + # cloning the repository + git clone ssh://git@bitbucket.gad.local:7999/nm-nsp/nwl-ci.git + cd nwl-ci + git checkout ansible-instance + +Build Docker Image +=================== +Job migrated and passed. Reason is due to the manual clone of the NWL CI repsitory. + +Setup CI Environment +===================== +According to the caution note above, the job won't work but is set up. + +Setup Jenkins Seed Job Git URL +=============================== +This job might work but was not ran. This is intended to switch the Jenkins file for the seed job to another repository. +If you intend to use this way you can use this job as base for your work. + +Start-Stop CI Instance +======================= +This job does currently not work correctly because the environment is not set up. 
+ +Host Info +========== +Job migrated and passed. + + +Further Information +#################### +Getting the URL of the AWX instance: + +.. code-block:: + + # enter the server 10.115.101.101 and run + kubectl get services -n awx awx-belden-service + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + awx-belden-service NodePort 10.43.253.191 80:32188/TCP 56d + +From the column PORT(S) you see 32188. The adress in the browser would be ``http://:32188``, i.e. +``http://10.115.101.101:32188``. + +To get the password for the user admin: + +.. code-block:: + + # enter the server 10.115.101.101 and run + kubectl get secret -n awx awx-belden-admin-password -o jsonpath="{.data.password}" | base64 --decode; echo + + +Final Word +#################### +I guess this is it. I wish you all the best and hopefully we see each other again. It wa a pleasure to me doing +conceptional work for you, so that you have a good base for your next generation CI environment. + +Thank you and all the best, +Marc
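Review bot: The "Further Information" section at the end of the nwl-ci-review.rst hunk sends the reader to ``http://10.115.101.101:32188`` and has them read the admin password with ``kubectl get secret -n awx awx-belden-admin-password ...``, so the documented handover path is an admin login over plain HTTP on a NodePort, on an instance set up by an author whose contract, per the introduction, is ending. Please add a step to change the admin password once the instance is taken over, and state whether the service is meant to stay HTTP-only on the internal network or be put behind TLS. Separately, the caution block says sudo was installed and *user* was added to group sudo by editing ``/etc/group``, but it does not name the host, while "Basic Installation" still lists installing sudo as an open fix and "Reconfigure Docker Network" refers to 10.115.101.100. Naming the host in the caution block, and saying which AWX credential needs the sudo password, would remove the ambiguity. Spelling to fix while here: "priviledges", "encryped", "repsitory", "adress", "from from", "It wa a pleasure".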