OCTOPUS-558: refactor the ignition checks and guards for the worker i…

…gnition

Signed-off-by: Paul Bastide <pbastide@us.ibm.com>

ansible/support/tasks/ignition.yml

@@ -2,22 +2,21 @@
 - hosts: all
 
   tasks:
-  - name: Create Apache directories for installing
-    file:
-      path: "{{ item }}"
-      state: directory
-      mode: 0755
-    with_items:
-      - /var/www/html/ignition
+  - name: Assemble the MachineConfig url
+    shell: |
+      oc config view -ojson | jq -r '.clusters[].cluster.server' | sed 's|/api\.|/api-int.|' | sed 's|:6443||' | 
+    register: openshift_machine_config_hostname
 
-  - name: Disable fcontext
-    shell: "semanage fcontext -a -t httpd_sys_rw_content_t /var/www/html/ignition/worker.ign || true"
+  - name: Print the MachineConfig Hostname
+    ansible.builtin.debug:
+      msg: MachineConfig Hostname is {{ openshift_machine_config_hostname.stdout_lines[0] }}
 
-  - name: Download the Ignition file
+  # Loop until the Machine Config is updated
+  - name: Wait until the mcp/worker is updated properly
     block:
-    - name: Loop until TARGET_MTU is correct
+    - name: Loop until mpath is correct
       ansible.builtin.uri:
-        url: "{{ openshift_machine_config_url }}"
+        url: "{{ openshift_machine_config_hostname.stdout_lines[0] }}:22623/config/worker"
         method: GET
         return_content: true
         headers:
@@ -29,29 +28,24 @@
       delay: 10
       until: 'result.status in [200] and "mpath" not in result.content'
 
-    - name: Downloading the ignition file
-      get_url:
-        url: "{{ openshift_machine_config_url }}"
-        dest: /var/www/html/ignition/worker.ign
-        validate_certs: false
-        headers:
-          "Accept": "application/vnd.coreos.ignition+json;version=3.2.0"
-      ignore_errors: true
-      register: result
-      retries: 120
-      delay: 10
-      until: '"Request failed: <urlopen error timed out>" not in result.msg'
+  - name: Disable fcontext
+    shell: "semanage fcontext -a -t httpd_sys_rw_content_t /var/www/html/ignition/worker.ign || true"
+
+  # In some circumstances the certificates used in the worker ingnition can expire
+  - name: Refresh the worker ignition file
+    shell: |
+      oc extract -n openshift-machine-api secret/worker-user-data --keys=userData --to=- > /var/www/html/ignition/worker.ign
 
-    - name: Verify the ignition file exists
-      ansible.builtin.shell: stat /var/www/html/ignition/worker.ign
+  - name: Verify the ignition file exists
+    ansible.builtin.shell: stat /var/www/html/ignition/worker.ign
 
-    - name: Make ignition file readable through the www dir
-      ansible.builtin.file:
-        path: /var/www
-        owner: apache
-        group: apache
-        recurse: true 
-        mode: u+rwx,g-rx,o-rx
+  - name: Make ignition file readable through the www dir
+    ansible.builtin.file:
+      path: /var/www
+      owner: apache
+      group: apache
+      recurse: true 
+      mode: u+rwx,g-rx,o-rx
 
   - name: Best effort SELinux repair - Apache
-    shell: "restorecon -vR /var/www/html/ignition || true"
+    shell: "restorecon -vR /var/www/html/ignition || true"

ansible/support/vars/vars.yaml

@@ -1,2 +1 @@
 ---
-openshift_machine_config_url: "https://<HOSTNAME>:22623/config/worker"

modules/4_pvs_support/pvs_support.tf

@@ -310,7 +310,7 @@ resource "null_resource" "latest_ignition" {
 nmcli device up env3
 echo 'Running ocp4-upi-compute-powervs-ibmcloud playbook for ignition...'
 cd ocp4-upi-compute-powervs-ibmcloud/intel/support
-ANSIBLE_LOG_PATH=/root/.openshift/ocp4-upi-compute-powervs-ibmcloud-support-ignition.log ansible-playbook -e @vars/vars.yaml tasks/ignition.yml --become
+ANSIBLE_LOG_PATH=/root/.openshift/ocp4-upi-compute-powervs-ibmcloud-support-ignition.log ansible-playbook tasks/ignition.yml --become
 EOF
     ]
   }