# Copyright 2020 Dell Inc. or its subsidiaries. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- - name: Check input config file is encrypted command: cat {{ input_config_filename }} changed_when: false register: config_content - name: Decrpyt appliance_config.yml command: >- ansible-vault decrypt {{ input_config_filename }} --vault-password-file {{ vault_filename }} changed_when: false when: "'$ANSIBLE_VAULT;' in config_content.stdout" - name: Include variable file appliance_config.yml include_vars: "{{ input_config_filename }}" no_log: true - name: Validate input parameters are not empty fail: msg: "{{ input_config_failure_msg }}" register: input_config_check when: - provision_password | length < 1 or awx_password | length < 1 or hpc_nic | length < 1 or public_nic | length < 1 or iso_file_path | length < 1 or dhcp_start_ip_range | length < 1 or dhcp_end_ip_range | length < 1 or timezone | length < 1 - name: Save input variables from file set_fact: cobbler_password: "{{ provision_password }}" admin_password: "{{ awx_password }}" nic: "{{ hpc_nic }}" internet_nic: "{{ public_nic }}" path_for_iso_file: "{{ iso_file_path }}" dhcp_start_ip: "{{ dhcp_start_ip_range | ipv4 }}" dhcp_end_ip: "{{ dhcp_end_ip_range | ipv4 }}" mapping_file: false path_for_mapping_file: "{{ mapping_file_path }}" ks_timezone: "{{ timezone }}" no_log: true - name: Get the system hpc ip shell: "ifconfig {{ hpc_nic }} | grep 'inet' |cut -d: -f2 | awk '{ print $2}'" register: ip changed_when: false - name: Get the system public ip shell: "ifconfig {{ internet_nic }} | grep 'inet' |cut -d: -f2 | awk '{ print $2}'" register: internet_ip changed_when: false - name: Get the system netmask shell: "ifconfig {{ hpc_nic }} | grep 'inet' |cut -d: -f2 | awk '{ print $4}'" register: net changed_when: false - name: HPC nic IP set_fact: hpc_ip: "{{ ip.stdout }}" public_ip: "{{ internet_ip.stdout }}" - name: Netmask set_fact: netmask: "{{ net.stdout }}" - name: shell try shell: | IFS=. read -r i1 i2 i3 i4 <<< "{{ hpc_ip }}" IFS=. read -r m1 m2 m3 m4 <<< "{{ netmask }}" printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))" register: sub_result changed_when: false - name: Subnet set_fact: subnet: "{{ sub_result.stdout }}" - name: Assert provision_password assert: that: - cobbler_password | length > min_length | int - 1 - cobbler_password | length < max_length | int + 1 - '"-" not in cobbler_password ' - '"\\" not in cobbler_password ' - '"\"" not in cobbler_password ' - " \"'\" not in cobbler_password " success_msg: "{{ success_msg_provision_password }}" fail_msg: "{{ fail_msg_provision_password }}" no_log: true register: cobbler_password_check - name: Assert awx_password assert: that: - admin_password | length > min_length | int - 1 - admin_password | length < max_length | int + 1 - '"-" not in admin_password ' - '"\\" not in admin_password ' - '"\"" not in admin_password ' - " \"'\" not in admin_password " success_msg: "{{ success_msg_awx_password }}" fail_msg: "{{ fail_msg_awx_password }}" no_log: true register: awx_password_check - name: Assert hpc_ip assert: that: - hpc_ip | length > 7 success_msg: "{{ success_hpc_ip }}" fail_msg: "{{ fail_hpc_ip }}" register: hpc_ip_check - name: Assert public_ip assert: that: - public_ip | length > 7 success_msg: "{{ success_hpc_ip }}" fail_msg: "{{ fail_hpc_ip }}" register: public_ip_check - name: Assert hpc_nic assert: that: - nic | length > nic_min_length | int - 1 - nic != internet_nic success_msg: "{{ success_msg_hpc_nic }}" fail_msg: "{{ fail_msg_hpc_nic }}" register: hpc_nic_check - name: Assert public_nic assert: that: - internet_nic | length > nic_min_length | int - 1 - nic != internet_nic success_msg: "{{ success_msg_public_nic }}" fail_msg: "{{ fail_msg_public_nic }}" register: public_nic_check - name: Assert mapping_file_exists assert: that: - "( mapping_file == true ) or ( mapping_file == false )" success_msg: "{{ success_mapping_file }}" fail_msg: "{{ fail_mapping_file }}" - name: Set the mapping file value set_fact: mapping_file: true when: path_for_mapping_file != "" - name: Assert valid mapping_file_path stat: path: "{{ path_for_mapping_file }}" when: mapping_file == true register: result_path_mapping_file - name : Valid mapping_file_path fail: msg: "{{ invalid_mapping_file_path }}" when: ( mapping_file == true ) and ( result_path_mapping_file.stat.exists == false ) - name: Assert valid iso_file_path stat: path: "{{ path_for_iso_file }}" register: result_path_iso_file - name : Incorrect iso_file_path fail: msg: "{{ invalid_iso_file_path }}" when: ( result_path_iso_file.stat.exists == false ) and ( ".iso" not in path_for_iso_file ) - name: Fail when iso path valid but image not right fail: msg: "{{ invalid_iso_file_path }}" when: ( result_path_iso_file.stat.exists == true ) and ( ".iso" not in path_for_iso_file ) - name: Check the subnet of dhcp start range shell: | IFS=. read -r i1 i2 i3 i4 <<< "{{ dhcp_start_ip }}" IFS=. read -r m1 m2 m3 m4 <<< "{{ netmask }}" printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))" args: warn: no register: dhcp_start_sub_result changed_when: false when: dhcp_start_ip != "false" - name: Set the start dhcp subnet set_fact: dhcp_start_sub: "{{ dhcp_start_sub_result.stdout }}" when: dhcp_start_ip != "false" - name: Check the subnet of dhcp end range shell: | IFS=. read -r i1 i2 i3 i4 <<< "{{ dhcp_end_ip }}" IFS=. read -r m1 m2 m3 m4 <<< "{{ netmask }}" printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))" register: dhcp_end_sub_result when: dhcp_end_ip != "false" changed_when: false - name: Set the end dhcp subnet set_fact: dhcp_end_sub: "{{ dhcp_end_sub_result.stdout }}" when: dhcp_end_ip != "false" - name: Assert dhcp_start_ip_range assert: that: - dhcp_start_ip != "false" - dhcp_start_ip != dhcp_end_ip - dhcp_start_sub == subnet - dhcp_start_sub == dhcp_end_sub success_msg: "{{ success_dhcp_range }}" fail_msg: "{{ fail_dhcp_range }}" register: dhcp_start_ip_check - name: Assert dhcp_end_ip_range assert: that: - dhcp_end_ip != "false" - dhcp_start_ip != dhcp_end_ip - dhcp_end_sub == subnet - dhcp_start_sub == dhcp_end_sub success_msg: "{{ success_dhcp_range }}" fail_msg: "{{ fail_dhcp_range }}" register: dhcp_end_ip_check - name: Check timezone file command: grep -Fx "{{ ks_timezone }}" {{ role_path }}/files/timezone.txt ignore_errors: yes register: timezone_out - name: Assert timezone assert: that: ks_timezone in timezone_out.stdout success_msg: "{{ success_timezone }}" fail_msg: "{{ fail_timezone }}" register: timezone_check - name: Create ansible vault key set_fact: vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}" when: "'$ANSIBLE_VAULT;' not in config_content.stdout" - name: Save vault key copy: dest: "{{ vault_filename }}" content: | {{ vault_key }} owner: root force: yes when: "'$ANSIBLE_VAULT;' not in config_content.stdout" - name: Encrypt input config file command: >- ansible-vault encrypt {{ input_config_filename }} --vault-password-file {{ vault_filename }} changed_when: false - name: Check if omnia_vault_key exists stat: path: "{{ role_path }}/../../../{{ config_vaultname }}" register: vault_key_result - name: Create ansible vault key if it does not exist set_fact: vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}" when: not vault_key_result.stat.exists - name: Save vault key copy: dest: "{{ role_path }}/../../../{{ config_vaultname }}" content: | {{ vault_key }} owner: root force: yes when: not vault_key_result.stat.exists - name: Check if omnia config file is encrypted command: cat {{ role_path }}/../../../{{ config_filename }} changed_when: false register: config_content no_log: True - name: Decrpyt omnia_config.yml command: >- ansible-vault decrypt {{ role_path }}/../../../{{ config_filename }} --vault-password-file {{ role_path }}/../../../{{ config_vaultname }} when: "'$ANSIBLE_VAULT;' in config_content.stdout" - name: Include variable file omnia_config.yml include_vars: "{{ role_path }}/../../../{{ config_filename }}" no_log: True - name: Validate input parameters are not empty fail: msg: "{{ input_config_failure_msg }}" register: input_config_check when: - mariadb_password | length < 1 or k8s_cni | length < 1 - name: Assert mariadb_password assert: that: - mariadb_password | length > min_length | int - 1 - mariadb_password | length < max_length | int + 1 - '"-" not in mariadb_password ' - '"\\" not in mariadb_password ' - '"\"" not in mariadb_password ' - " \"'\" not in mariadb_password " success_msg: "{{ success_msg_mariadb_password }}" fail_msg: "{{ fail_msg_mariadb_password }}" - name: Assert kubernetes cni assert: that: "('calico' in k8s_cni) or ('flannel' in k8s_cni)" success_msg: "{{ success_msg_k8s_cni }}" fail_msg: "{{ fail_msg_k8s_cni }}" - name: Save input variables from file set_fact: db_password: "{{ mariadb_password }}" k8s_cni: "{{ k8s_cni }}" no_log: True - name: Encrypt input config file command: >- ansible-vault encrypt {{ role_path }}/../../../{{ config_filename }} --vault-password-file {{ role_path }}/../../../{{ config_vaultname }} changed_when: false