Add example for PvC Base on AWS

Signed-off-by: Jim Enright <jenright@cloudera.com>
cloudera-labs · Oct 9, 2023 · c57f33a · c57f33a
1 parent 06e7e50
commit c57f33a
Show file tree

Hide file tree

Showing 18 changed files with 1,213 additions and 0 deletions.
diff --git a/private-cloud/pvc-base-on-aws/.gitignore b/private-cloud/pvc-base-on-aws/.gitignore
@@ -0,0 +1,17 @@
+# Ansible Navigator assets
+ansible-navigator.log
+runs
+context
+
+# Terraform deployments
+tf_deployment*
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Static inventory files
+inventory_static*
diff --git a/private-cloud/pvc-base-on-aws/README.md b/private-cloud/pvc-base-on-aws/README.md
@@ -0,0 +1,198 @@
+# PvC Base Cluster on AWS
+
+> Constructs a CDP Private Cloud Base cluster running on AWS.
+
+## Requirements
+
+This example requires an execution environment with dependencies to run the automation; and a set of configuration variables.
+
+We provide instructions for using a container based execution environment. 
+
+### Container Execution Environment
+
+1. Create and activate a new `virtualenv` and install `ansible-core` and `ansible-navigator`
+
+    ```bash
+    python -m venv ~/cdp-navigator; 
+
+    source ~/cdp-navigator/bin/activate; 
+
+    pip install ansible-core==2.12.10 ansible-navigator==3.4.0
+    ```
+
+1. Clone this repository.
+
+    ```bash
+    git clone https://github.com/cloudera-labs/cloudera-deploy.git;
+    ```
+
+1. Change your working directory to this project.
+
+    ```bash
+    cd cloudera-deploy/private-cloud/pvc-base-on-aws
+    ```
+
+1. We currently need to build a local `cldr-runner` image for use as an Execution Environment. _(This is necessary at this point in the release cycle. It will become optional.)_
+
+    ```bash
+    ansible-navigator builder build --prune-images -v 3 --tag ghcr.io/cloudera-labs/cldr-runner:pvc-tmp-devel-collections
+    ```
+
+This step sometimes takes a ~~number of minutes~~ long time to complete. YMMV.
+
+Once constructed, you can check the image by running `ansible-navigator` and using the prompts to examine:
+
+```bash
+ansible-navigator images
+```
+
+Or by running the Docker command directly, `docker image ls`.
+
+### Configuration Variables
+
+Configuration is passed via environment variables and an user-facing configuration file.
+
+#### Environment Variables
+
+* Set up the following definition environment variables:
+
+    | Variable | Description | Status |
+    |----------|-------------|--------|
+    | `SSH_PUBLIC_KEY_FILE` | File path to the SSH public key that will be uploaded to the cloud provider (using the `name_prefix` variable as the key label). E.g. `/Users/example/.ssh/demo_ops.pub` | Mandatory |
+    | `CDP_LICENSE_FILE` | File path to a CDP Private Cloud Base license. E.g. `/Users/example/Documents/example_cloudera_license.txt` | Mandatory |
+    | `IPA_USER` | Set this to `admin`. The adminstrator user for FreeIPA.  | Mandatory |
+    | `IPA_PASSWORD` | The adminstrator and directory password for FreeIPA | Mandatory |
+    | `AWS_PROFILE` | The profile label for your AWS credentials. Otherwise, use the associated `AWS_*` parameters. Used also for remote storage of Terraform state in AWS. | Mandatory |
+
+> **_NOTE:_** For OSX, set the following: `export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES` to allow the WinRM modules to function.
+
+
+#### Configuration file variables
+
+Edit the `config.yml` user-facing configuration file to match your particular deployment.
+
+*NOTE:* `name_prefix` should be 4-8 characters and is the "primary key" for the deployment. `owner_prefix` is used in circumstances to differentiate resources such as the SSH key label in the cloud provider and the subdomain(s) for the private DNS service.
+
+```yaml
+name_prefix:       "labaw"                          # CHANGE THIS
+owner_prefix:      "pvc-base"                        
+owner_email:       "example@cloudera.com"            
+infra_region:      "eu-west-1"                      
+infra_type:        "aws"                            # "aws", "static"
+domain:            "{{ owner_prefix }}.cldr.example"   # The private, adhoc subdomain (name_prefix.owner_prefix.cldr.demo)
+realm:             "CLDR.EXAMPLE"                      # The Kerberos realm
+common_password:   "Example776"                   
+admin_password:    "Example776"                   
+deployment_tags:
+  owner: "{{ owner_prefix }}"
+  email: "{{ owner_email }}"
+  project: "PvC Base Lab - {{ owner_prefix }}-{{ name_prefix }}"
+  enddate: "{{ ('%m%d%Y' | strftime((ansible_date_time.epoch | int) + (90 * 86400))) }}"
+  deployment: "{{ name_prefix }}"
+  deploy-tool: cloudera-deploy
+```
+
+## Execution
+
+### Pre-setup Playbook
+
+This definition-specific playbook includes tasks such as:
+* Instructure provisioning
+* FreeIPA DNS and KRB services provisioning
+
+Run the following command 
+
+```bash
+ansible-navigator run pre_setup.yml \
+-e @config.yml \
+-e @definition.yml
+```
+
+Once the pre-setup playbook completes confirm that:
+
+* You can connect to each node via the inventory - see Confirm SSH Connectivity. Note that a A `validate_dns_lookups.yml` Playbook exists to check connectivity.
+* Connect to FreeIPA UI and login with the `IPA_USER` and `IPA_PASSWORD` credentials in the configuration file. See Cluster Access for more details.
+
+### Platform Playbooks
+
+These playbooks configure and deploy PVC Base. They use the infrastructure provisioned (or assigned, if using `static` inventory).
+
+Tasks include:
+* System/host configuration
+* Cloudera Manager server and agent installation and configuration
+* Cluster template imports
+
+Run the following: 
+
+```bash
+# Run the 'external' system configuration
+ansible-navigator run external_setup.yml \
+    -e @config.yml \
+    -i inventory_static_<name_prefix>_aws.ini
+```
+
+```bash
+# Run the 'internal' Cloudera installations and configurations
+ansible-navigator run internal_setup.yml \
+    -e @config.yml \
+    -i inventory_static_<name_prefix>_aws.ini
+```
+
+```bash
+# Run the Cloudera cluster configuration and imports
+ansible-navigator run base_setup.yml \
+    -e @config.yml \
+    -i inventory_static_<name_prefix>_aws.ini
+```
+
+And lastly, the _postfix_:
+
+```bash
+ansible-navigator run base_postfix.yml \
+    -e @config.yml \
+    -i inventory_static_<name_prefix>_aws.ini
+```
+
+## Cluster Access
+
+Once the cluster is up, you can access all of the UIs within, including the FreeIPA sidecar, via a SSH tunnel:
+
+```bash
+ssh -D <local port for your tunnel, e.g. 8157> -q -C -N <ami user>@<IP address of jump host>
+```
+
+and use a SOCKS5 proxy switcher in your browser (an example is the SwitchyOmega browser extension).
+In the SOCKS5 proxy configuration, set Protocol to SOCKS5; Server to localhost and Port to 8157. Ensure the SOCKS5 proxy is active when clicking on the CDP UI that you wish to access.
+
+You will get a SSL warning for the self-signed certificate; this is expected given this particular definition.
+
+In addition, you can log into the jump host via SSH and get to any of the servers within the cluster. Remember to forward your SSH key!
+
+```bash
+ssh -A -C -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null <ami user>@<IP address of jump host>
+```
+
+## Teardown
+
+Run the following: 
+
+```bash
+ansible-navigator run pre_teardown.yml \
+    -e @config.yml \
+    -e @definition.yml \
+    -i inventory_static_<name_prefix>_aws.ini
+```
+
+You can also run `terraform destroy` within the `tf_deployment_*` directory.
+
+## Troubleshooting
+
+### Confirm SSH Connectivity
+
+Run the following:
+
+```bash
+ansible -m ansible.builtin.ping -i inventory_static_<name_prefix>_aws.ini all
+```
+
+This will check to see if the inventory file is well constructed, etc.
diff --git a/private-cloud/pvc-base-on-aws/ansible-navigator.yml b/private-cloud/pvc-base-on-aws/ansible-navigator.yml
@@ -0,0 +1,49 @@
+---
+
+ansible-navigator:
+  playbook-artifact:
+      save-as: "runs/{playbook_name}-{time_stamp}.json"
+
+  ansible-runner:
+    artifact-dir: runs
+    rotate-artifacts-count: 3
+
+  logging:
+    level: debug
+    append: False
+
+  execution-environment:
+    container-engine: docker
+    enabled: True
+    environment-variables:
+      pass:
+        - AWS_PROFILE
+        - CDP_PROFILE
+        - SSH_PUBLIC_KEY_FILE
+        - CDP_LICENSE_FILE
+        - IPA_USER
+        - IPA_PASSWORD        
+      set:
+        ANSIBLE_SSH_CONTROL_PATH: "/dev/shm/cp%%h-%%p-%%r"
+        ANSIBLE_CALLBACK_WHITELIST: "ansible.posix.profile_tasks"
+        ANSIBLE_GATHERING: "smart"
+        ANSIBLE_DEPRECATION_WARNINGS: False
+        ANSIBLE_HOST_KEY_CHECKING: False
+        ANSIBLE_SSH_RETRIES: 10
+    image: ghcr.io/cloudera-labs/cldr-runner:pvc-tmp-devel-collections
+    pull:
+      arguments:
+        - "--tls-verify=false"
+    volume-mounts:
+      - src: "${SSH_PUBLIC_KEY_FILE}"
+        dest: "${SSH_PUBLIC_KEY_FILE}"
+      - src: "${CDP_LICENSE_FILE}"
+        dest: "${CDP_LICENSE_FILE}"
+      - src: "~/.aws"
+        dest: "/runner/.aws"
+        options: "Z"
+      - src: "~/.ssh"
+        dest: "/runner/.ssh"
+        options: "Z"
+    container-options:
+      - "--network=host"
diff --git a/private-cloud/pvc-base-on-aws/base_postfix.yml b/private-cloud/pvc-base-on-aws/base_postfix.yml
@@ -0,0 +1,38 @@
+---
+
+- name: Postfix CDP Private Cloud clusters
+  hosts: localhost
+  connection: local
+  gather_facts: yes
+  vars:
+    definition_path: "./"
+  tasks:
+    - name: Set of deployment variables from definition.yml
+      ansible.builtin.include_role:
+        name: cloudera.exe.init_deployment
+        public: yes
+      when: init__completed is undefined
+
+    - name: Prepare inventory for PvC Plays
+      ansible.builtin.include_role:
+        name: cloudera.exe.init_deployment
+        public: yes
+        tasks_from: prep_pvc.yml
+  tags:
+    - always
+
+- name: Init run tasks for all nodes
+  hosts: all
+  gather_facts: no
+  tasks:
+    - name: Group hosts by host template and TLS
+      ansible.builtin.include_role:
+        name: cloudera.cluster.deployment.groupby
+
+    - name: Check connectivity to Inventory
+      ansible.builtin.wait_for_connection:
+  tags:
+    - always
+
+- name: Postfix clusters for CDP Private Cloud
+  ansible.builtin.import_playbook: cloudera.exe.pvc_base_postfix.yml
diff --git a/private-cloud/pvc-base-on-aws/base_setup.yml b/private-cloud/pvc-base-on-aws/base_setup.yml
@@ -0,0 +1,38 @@
+---
+
+- name: Set up CDP Private Cloud clusters
+  hosts: localhost
+  connection: local
+  gather_facts: yes
+  vars:
+    definition_path: "./"
+  tasks:
+    - name: Set of deployment variables from definition.yml
+      ansible.builtin.include_role:
+        name: cloudera.exe.init_deployment
+        public: yes
+      when: init__completed is undefined
+
+    - name: Prepare inventory for PvC Plays
+      ansible.builtin.include_role:
+        name: cloudera.exe.init_deployment
+        public: yes
+        tasks_from: prep_pvc.yml
+  tags:
+    - always
+
+- name: Init run tasks for all nodes
+  hosts: all
+  gather_facts: no
+  tasks:
+    - name: Group hosts by host template and TLS
+      ansible.builtin.include_role:
+        name: cloudera.cluster.deployment.groupby
+
+    - name: Check connectivity to Inventory
+      ansible.builtin.wait_for_connection:
+  tags:
+    - always
+
+- name: Set up clusters for CDP Private Cloud
+  ansible.builtin.import_playbook: cloudera.exe.pvc_base_setup.yml