LM
/
nwl-ci
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

doc: added status and migration work after review 

Signed-off-by: Marc Mattmüller <marc.mattmueller@netmodule.com>
This commit is contained in:
Marc Mattmüller 2023-09-19 16:09:13 +02:00
parent 8942501294
commit 1ef66cc7c8
2 changed files with 150 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/src/nextlevel-ci/researchAnsible.rst
View File

@ -716,6 +716,8 @@ SSH keypair we create.
The playbook is reflected in the git repository with name ``create-ssh-key.yml``. The playbook is reflected in the git repository with name ``create-ssh-key.yml``.
.. _vaultUsage:
Sensitive Data, Passphrases using the Vault Sensitive Data, Passphrases using the Vault
=========================================== ===========================================
Ansible comes with an encrypting mechanism which we use. Let's start by encrypting the first SSH passphrase: Ansible comes with an encrypting mechanism which we use. Let's start by encrypting the first SSH passphrase:

148
doc/src/setup/nwl-ci-review.rst
View File

@ -78,3 +78,151 @@ In the ansible instance the entire part of software tests on devices (like e.g.
are not yet integrated. are not yet integrated.
Any further steps depend on how the workflow and release process will be defined. Any further steps depend on how the workflow and release process will be defined.
#####################################
NWL CI State after Review 2023.09.19
#####################################
Introduction / Status
######################
The AWX instance presented in the Area Review is set up on a local machine and with the end of the contract this
instance won't be accessible anymore. Originally there were network connection issues (IT permissions) and uncertainties
about where to set up a productive instance. To not stall the progress of this proof of concept, I decided to set up a
local AWX instance using minikube. Nevertheless there was a big interest in the topic using Ansible Playbooks. To be
prepared I created an empty AWX instance using K3s on the server with IP 10.115.101.101, so that any DevOps engineer
could play around.
My first steps using the local AWX instance was to progress with a local notebook (as machine) where super user
priviledges were set up. With the switch to build servers for the NWL CI instance set up with Ansible playbooks, this
priviledged part was no longer needed. And thus there is a difference in the documentation to what we have in real.
Well, during the preparation of the live demo of the Area Review today, I noticed that the instance on the server was
down and no longer accessible. I brought it back but saw that this instance was never used and still empty. Hence, I
informed Patrick Zysset about this state and we decided to migrate as much as possible from my local instance to the
instance on the server.
.. note::
The server 10.115.101.101 holds in its home directory the nwl-ci setup, see */home/user/nwl-ci*. The NWL CI Instance
can be brought up with ``docker-compose up --build -d`` and down with ``docker-compose down`` directly in the home
directory of server 10.115.101.101. With this the instance is still usable.
.. caution::
The encrypted passwords were generated with the local AWX instance and thus they are not the same with the migrated
instance. This means that none of the jobs using a vault encrypted password will work.
After migrating the job *Reconfigure Docker Network*, I manually installed *sudo* (apt install sudo) and manually
added user *user* to group sudo in */etc/group*. But commands using sudo will fail anyway because the password is
not set in the credentials menu of the AWX instance for this user. Meaning there would be an effort needed as well.
In the same turn I additionally installed ansible with ``sudo apt install ansible`` manually, so you can encrypt the
passwords as documented in :ref:`vaultUsage`.
**Important:** Due to this vault encryption, the playbooks in the
`NWL CI repository <https://bitbucket.gad.local/projects/NM-NSP/repos/nwl-ci/browse>`_ containing the encryped
parts, have to be adapted with the new vault encryption of this migrated instance. The time just was not sufficient
to change all those parts and bring you back a fully functional AWX instance.
FYI: These mentioned manual installations are intended as preparation if someone starts playing with Ansible and
wants to migrate the job yaml files in the repository using the new vault encryptions, etc.
.. note::
All the jobs below act as **look-up templates**. These jobs were just migrated to give an overview about the order
and about the way they are set up.
Please find in the following section the migration notes.
Migration of the AWX Functionalities
#####################################
Job Template Migration Overview
********************************
Basic Installation
===================
As already mentioned the super user priviledges do not fit into that environment. Thus this part of the documentation
is no longer valid. Additionally the basic installations, Job *01 Basic Installation* won't work because the user with
the appropriate priviledges is not set up. Hence this job is failing.
This could be fixed if we would add another machine access for the user *root* OR install sudo and add the current user
to the list of sudoers.
Create SSH keypair
===================
The vault password is set and the job is migrated but not executed. The reason is simple: this job was developed using
the local machine as mentioned in the section `Introduction / Status`_. But I copied manually the ssh keys
*testvm_ed25519* from from 10.115.101.101 to 10.115.101.100.
Reconfigure Docker Network
===========================
The docker network is already okay on 10.115.101.100. This job was created and ran but failed because originally sudo
was missing.
Clone CI Repo
==============
According to the caution note above, the job won't work but is set up and I cloned the repository manually:
.. code-block::
# starting the ssh-agent and loading the ssh key
eval `ssh-agent -s`
ssh-add .ssh/testvm_ed25519
# verifying the loaded key
ssh-add -l
# cloning the repository
git clone ssh://git@bitbucket.gad.local:7999/nm-nsp/nwl-ci.git
cd nwl-ci
git checkout ansible-instance
Build Docker Image
===================
Job migrated and passed. Reason is due to the manual clone of the NWL CI repsitory.
Setup CI Environment
=====================
According to the caution note above, the job won't work but is set up.
Setup Jenkins Seed Job Git URL
===============================
This job might work but was not ran. This is intended to switch the Jenkins file for the seed job to another repository.
If you intend to use this way you can use this job as base for your work.
Start-Stop CI Instance
=======================
This job does currently not work correctly because the environment is not set up.
Host Info
==========
Job migrated and passed.
Further Information
####################
Getting the URL of the AWX instance:
.. code-block::
# enter the server 10.115.101.101 and run
kubectl get services -n awx awx-belden-service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
awx-belden-service NodePort 10.43.253.191 <none> 80:32188/TCP 56d
From the column PORT(S) you see 32188. The adress in the browser would be ``http://<host-ip>:32188``, i.e.
``http://10.115.101.101:32188``.
To get the password for the user admin:
.. code-block::
# enter the server 10.115.101.101 and run
kubectl get secret -n awx awx-belden-admin-password -o jsonpath="{.data.password}" | base64 --decode; echo
Final Word
####################
I guess this is it. I wish you all the best and hopefully we see each other again. It wa a pleasure to me doing
conceptional work for you, so that you have a good base for your next generation CI environment.
Thank you and all the best,
Marc