Dell-Omnia-Clusters-HPC-AI/appliance/roles/common/tasks/password_config.yml

# Copyright 2020 Dell Inc. or its subsidiaries. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---

- name: Check input config file is encrypted
  command: cat {{ input_config_filename }}
  changed_when: false
  register: config_content

- name: Decrpyt appliance_config.yml
  command: >-
    ansible-vault decrypt {{ input_config_filename }}
    --vault-password-file {{ vault_filename }}
  changed_when: false
  when: "'$ANSIBLE_VAULT;' in config_content.stdout"

- name: Include variable file appliance_config.yml
  include_vars: "{{ input_config_filename }}"
  no_log: true

- name: Validate input parameters are not empty
  fail:
    msg: "{{ input_config_failure_msg }}"
  register: input_config_check
  when:
    - provision_password | length < 1 or
      awx_password | length < 1 or
      hpc_nic | length < 1 or
      public_nic | length < 1 or
      iso_file_path | length < 1 or
      dhcp_start_ip_range | length < 1 or
      dhcp_end_ip_range | length < 1

- name: Save input variables from file
  set_fact:
    cobbler_password: "{{ provision_password }}"
    admin_password: "{{ awx_password }}"
    nic:  "{{ hpc_nic }}"
    internet_nic: "{{ public_nic }}"
    path_for_iso_file: "{{ iso_file_path }}"
    dhcp_start_ip: "{{ dhcp_start_ip_range | ipv4 }}"
    dhcp_end_ip: "{{ dhcp_end_ip_range | ipv4 }}"
    mapping_file: false
    path_for_mapping_file: "{{ mapping_file_path }}"
  no_log: true

- name: Get the system hpc ip
  shell:  "ifconfig {{ hpc_nic }} | grep 'inet' |cut -d: -f2 |  awk '{ print $2}'"
  register: ip
  changed_when: false

- name: Get the system public ip
  shell:  "ifconfig {{ internet_nic }} | grep 'inet' |cut -d: -f2 |  awk '{ print $2}'"
  register: internet_ip
  changed_when: false

- name: Get the system netmask
  shell:  "ifconfig {{ hpc_nic }} | grep 'inet' |cut -d: -f2 |  awk '{ print $4}'"
  register: net
  changed_when: false

- name: HPC nic IP
  set_fact:
    hpc_ip: "{{ ip.stdout }}"
    public_ip: "{{ internet_ip.stdout }}"

- name:  Netmask
  set_fact:
    netmask: "{{ net.stdout }}"

- name: shell try
  shell: |
    IFS=. read -r i1 i2 i3 i4 <<< "{{ hpc_ip }}"
    IFS=. read -r m1 m2 m3 m4 <<< "{{ netmask }}"
    printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))"
  register: sub_result
  changed_when: false

- name: Subnet
  set_fact:
    subnet: "{{ sub_result.stdout }}"

- name: Assert provision_password
  assert:
    that:
      - cobbler_password | length > min_length | int - 1
      - cobbler_password | length < max_length | int + 1
      - '"-" not in cobbler_password '
      - '"\\" not in cobbler_password '
      - '"\"" not in cobbler_password '
      - " \"'\" not in cobbler_password "
    success_msg: "{{ success_msg_provision_password }}"
    fail_msg: "{{ fail_msg_provision_password }}"
  no_log: true
  register: cobbler_password_check

- name: Assert awx_password
  assert:
    that:
        - admin_password | length > min_length | int - 1
        - admin_password | length < max_length | int + 1
        - '"-" not in admin_password '
        - '"\\" not in admin_password '
        - '"\"" not in admin_password '
        - " \"'\" not in admin_password "
    success_msg: "{{ success_msg_awx_password }}"
    fail_msg: "{{ fail_msg_awx_password }}"
  no_log: true
  register: awx_password_check

- name: Assert hpc_ip
  assert:
    that:
      - hpc_ip | length > 7
    success_msg: "{{ success_hpc_ip }}"
    fail_msg: "{{ fail_hpc_ip }}"
  register: hpc_ip_check

- name: Assert public_ip
  assert:
    that:
      - public_ip | length > 7
    success_msg: "{{ success_hpc_ip }}"
    fail_msg: "{{ fail_hpc_ip }}"
  register: public_ip_check

- name: Assert hpc_nic
  assert:
    that:
      - nic | length > nic_min_length | int - 1
      - nic != internet_nic
    success_msg: "{{ success_msg_hpc_nic }}"
    fail_msg: "{{ fail_msg_hpc_nic }}"
  register: hpc_nic_check

- name: Assert public_nic
  assert:
    that:
      - internet_nic | length > nic_min_length | int - 1
      - nic != internet_nic
    success_msg: "{{ success_msg_public_nic }}"
    fail_msg: "{{ fail_msg_public_nic }}"
  register: public_nic_check

- name: Assert mapping_file_exists
  assert:
    that:
      - "( mapping_file == true ) or ( mapping_file == false )"
    success_msg: "{{ success_mapping_file }}"
    fail_msg: "{{ fail_mapping_file }}"

- name: Set the mapping file value
  set_fact:
    mapping_file: true
  when: path_for_mapping_file != ""
  
- name: Assert valid mapping_file_path
  stat: 
    path: "{{ path_for_mapping_file }}"
  when: mapping_file == true
  register: result_path_mapping_file
  
- name : Valid mapping_file_path
  fail:
    msg: "{{ invalid_mapping_file_path }}"
  when: ( mapping_file == true ) and ( result_path_mapping_file.stat.exists == false )

- name: Assert valid iso_file_path
  stat:
    path: "{{ path_for_iso_file }}"
  register: result_path_iso_file

- name : Incorrect iso_file_path
  fail:
    msg: "{{ invalid_iso_file_path }}"
  when: ( result_path_iso_file.stat.exists == false ) and ( ".iso" not in  path_for_iso_file )

- name: Fail when iso path valid but image not right
  fail:
    msg: "{{ invalid_iso_file_path }}"
  when: ( result_path_iso_file.stat.exists == true ) and ( ".iso" not in path_for_iso_file )

- name: Check the subnet of dhcp start range
  shell: |
    IFS=. read -r i1 i2 i3 i4 <<< "{{ dhcp_start_ip }}"
    IFS=. read -r m1 m2 m3 m4 <<< "{{ netmask }}"
    printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))"
  args:
    warn: no
  register: dhcp_start_sub_result
  changed_when: false
  when: dhcp_start_ip != "false"

- name: Set the start dhcp subnet
  set_fact:
    dhcp_start_sub: "{{ dhcp_start_sub_result.stdout }}"
  when: dhcp_start_ip != "false"

- name: Check the subnet of dhcp end range
  shell: |
    IFS=. read -r i1 i2 i3 i4 <<< "{{ dhcp_end_ip }}"
    IFS=. read -r m1 m2 m3 m4 <<< "{{ netmask }}"
    printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))"
  register: dhcp_end_sub_result
  when: dhcp_end_ip != "false"
  changed_when: false

- name: Set the end dhcp subnet
  set_fact:
    dhcp_end_sub: "{{ dhcp_end_sub_result.stdout }}"
  when: dhcp_end_ip != "false"

- name: Assert dhcp_start_ip_range
  assert:
    that:
      - dhcp_start_ip != "false"
      - dhcp_start_ip != dhcp_end_ip
      - dhcp_start_sub == subnet
      - dhcp_start_sub == dhcp_end_sub
    success_msg: "{{ success_dhcp_range }}"
    fail_msg: "{{ fail_dhcp_range }}"
  register: dhcp_start_ip_check

- name: Assert dhcp_end_ip_range
  assert:
    that:
      - dhcp_end_ip != "false"
      - dhcp_start_ip != dhcp_end_ip
      - dhcp_end_sub == subnet
      - dhcp_start_sub == dhcp_end_sub
    success_msg: "{{ success_dhcp_range }}"
    fail_msg: "{{ fail_dhcp_range }}"
  register: dhcp_end_ip_check

- name: Create ansible vault key
  set_fact:
    vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
  when: "'$ANSIBLE_VAULT;' not in config_content.stdout"

- name: Save vault key
  copy:
    dest: "{{ vault_filename }}"
    content: |
      {{ vault_key }}
    owner: root
    force: yes
  when: "'$ANSIBLE_VAULT;' not in config_content.stdout"

- name: Encrypt input config file
  command: >-
    ansible-vault encrypt {{ input_config_filename }}
    --vault-password-file {{ vault_filename }}
  changed_when: false

- name: Check if omnia_vault_key exists
  stat:
    path: "{{ role_path }}/../../../{{ config_vaultname }}"
  register: vault_key_result

- name: Create ansible vault key if it does not exist
  set_fact:
    vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
  when: not vault_key_result.stat.exists

- name: Save vault key
  copy:
    dest: "{{ role_path }}/../../../{{ config_vaultname }}"
    content: |
      {{ vault_key }}
    owner: root
    force: yes
  when: not vault_key_result.stat.exists

- name: Check if omnia config file is encrypted
  command: cat {{ role_path }}/../../../{{ config_filename }}
  changed_when: false
  register: config_content
  no_log: True

- name: Decrpyt omnia_config.yml
  command: >-
    ansible-vault decrypt {{ role_path }}/../../../{{ config_filename }}
    --vault-password-file {{ role_path }}/../../../{{ config_vaultname }}
  when: "'$ANSIBLE_VAULT;' in config_content.stdout"

- name: Include variable file omnia_config.yml
  include_vars: "{{ role_path }}/../../../{{ config_filename }}"
  no_log: True

- name: Validate input parameters are not empty
  fail:
    msg: "{{ input_config_failure_msg }}"
  register: input_config_check
  when:
    - mariadb_password | length < 1 or
      k8s_cni | length < 1

- name: Assert mariadb_password
  assert:
    that:
        - mariadb_password | length > min_length | int - 1
        - mariadb_password | length < max_length | int + 1
        - '"-" not in mariadb_password '
        - '"\\" not in mariadb_password '
        - '"\"" not in mariadb_password '
        - " \"'\" not in mariadb_password "
    success_msg: "{{ success_msg_mariadb_password }}"
    fail_msg: "{{ fail_msg_mariadb_password }}"

- name: Assert kubernetes cni
  assert:
    that: "('calico' in k8s_cni) or ('flannel' in k8s_cni)"
    success_msg: "{{ success_msg_k8s_cni }}"
    fail_msg: "{{ fail_msg_k8s_cni }}"

- name: Save input variables from file
  set_fact:
    db_password: "{{ mariadb_password }}"
    k8s_cni: "{{ k8s_cni }}"
  no_log: True

- name: Encrypt input config file
  command: >-
    ansible-vault encrypt {{ role_path }}/../../../{{ config_filename }}
    --vault-password-file {{ role_path }}/../../../{{ config_vaultname }}
  changed_when: false