Setup BWC repos, Install BWC and Setup RBAC

[lakshmi-kannan]

To test, I changed stackstorm.yml to include following:

    - name: bwc_repos
      vars:
        license: <REDACTED>

    - name: bwc
      vars:
        ldap: 
          config:
            bind_dn: foo
            ...
        rbac:
          roles:
              - foo
          assignments:
              - bar

TODO:

• Rotate license keys after ensuring we don't log anymore
• Idempotency fails in U14 and U16 https://gist.github.com/lakshmi-kannan/581bf90b3a192ae7303b662ad197bc13
• bwc smoke tests

[arm4b]

What do you think about moving bwc_rbac role logic inside the bwc?

RBAC comes tightly connected with bwc-enterprise package/dependencies in any way. Looks a bit more simpler:

  roles:
    - name: Install and Configure Brocade Workflow Composer
      role: bwc
      vars:
        bwc_version: latest
        bwc_rbac_enable: yes
        bwc_rbac_roles:
          ...
        bwc_rbac_assignments:
          ...

which is similar to st2 role with st2_auth_enable: yes var.

Related question to that. Do you think we'll have more roles related to bwc in nearest future? Just to have better understanding, since it could be a game changer how to distribute everything later (you previous valid concern about: roles/galaxy/repos).

[arm4b]

I think we can hardcode it without any big worries. st2.conf path is pretty much a constant everywhere, bundled in packaging.

Also that's what we do in st2 role (st2.conf path is hardcoded).

[arm4b]

Just a note: We should think about better approaches for setting RBAC configs in this or maybe in future bwc role versions.

Vars like:

bwc_superuser: st2admin
rbac_setup_default_assignments: true

seems to provide not that much flexibility in terms of configuration. But yeah, it's a good start.

[arm4b]

@lakshmi-kannan Returning to your original concern about roles/galaxy/repos/distribution. Here is a more detailed write-up about our options:

1) BWC role in separated repo

Long-term (?), more effort, polishing, time

• As you noted, we can use packagecloud-ansible-role as external dependency for bwc
  • but it's not idempotent
  • in future we need contribute PRs to improve it
• Publish bwc on Ansible-Galaxy later
  • important requirements (!): bwc should work as a single role (with depenencies if needed), very different approach comparing to ansible-st2
• Blog Post it later (marketing ++)
• Harder to test the role, since we need st2 installed first
• Needs some CI configuration
• Long term solution, harder to do/more to polish/more time

2) BWC in ansible-st2 repo

KISS, faster, easier for short-term

• I don't like packagecloud-ansible-role code and how we re-use it in ansible-st2, needs much more polishing.
• Easy to test, since all roles are in one repo and CI is configured: https://travis-ci.org/StackStorm/ansible-st2
• short-term solution, easier to do if we need it faster

I'll let you to implement/polish the main "core" logic (since it's needed in any way) and later when it's finished I think we should throw all pros/cons to decide what works best based on improved data/arguments/ideas/priorities we have.
The reasoning about rising these questions, - I have opinions and my requests to change this or that piece of code depends on the approach we choose.

cc @dzimine about short-term vs long-term approaches.

PS. @lakshmi-kannan Also take a look at related: #45 to have better context.

[lakshmi-kannan]

This prints out a multi-line string in the ini file and our config parser pukes. I tried to_json. Still the same.

[arm4b]

One important request is to define all used vars in defaults/main.yml and include them in README.md #Variables with descriptons.

Another issue is idempotence. Packagecloud logic needs a good cleaning and refactoring.

Additionally, as noted before https://stackstorm.slack.com/archives/stackstorm/p1489014359911089?thread_ts=1489011496.584237&cid=C029K4CBU we need all these roles to run in TravisCI. It will show you more errors. See #125 (comment) and #125 (comment) in @humblearner's PR how to mask the secrets in Ansible/Travis debug logs.
If we don't run these Ansible roles in CI, - it's not real.

What I liked: dicts and all the logic to configure advanced things like rbac settings. Looks pretty flexible from the ops PR.

In general, - I like the high-level interface to interact with bwc (again, according to ops PR), - we'll just need to polish low-level tasks more.

For ansible-st2 repo, I think it's a good idea to set these rbac var defaults so they conifgure the same settings as bwc installer. Good for consistency.

Finally, if you know how to check bwc basic functionality by adding bwc-smoketests, similar to st2smoketests, - that would be very nice.

[arm4b]

As noted before, don't forget to hardcode st2.conf path.
We don't need it in vars (#126 (comment) reasons why).

[arm4b]

Notify st2 restart or reload handler (if enough) trigger when changing the st2.conf file.
Example: https://github.com/StackStorm/ansible-st2/blob/master/roles/st2/tasks/auth.yml#L34

[lakshmi-kannan]

Yeah, we also have to set the backend_kwargs before restarting. See next step. I did notify.

[arm4b]

Include notify for every task where its needed logically (ex: changing the conf file), its less error prone since "next task" could be removed, adjusted or never ran because of some conditional.

It doesn't matter how many times we call Ansible handlers, - they will be executed in the end of entire play run in any way.

See "Handlers: Running Operations On Change": http://docs.ansible.com/ansible/playbooks_intro.html with better explanation.

[lakshmi-kannan]

Ahh, good to know about that.

[arm4b]

What is enable_rbac?

[arm4b]

Can't find any occurrence of rbac_roles var. Is it used anywhere?

[arm4b]

Can't find any occurrence of rbac_assignments var. Is it used anywhere?

[arm4b]

Any idea why do we need this?
Also it's not idempotent.

[arm4b]

when: ansible_os_family == "RedHat"

we're already in os-family specific yum task.

[arm4b]

Please name vars accordingly to role, eg: bwc_rbac.

[arm4b]

Please name vars accordingly to role, eg: bwc_ldap.

[arm4b]

Please define all vars used in this role with comments, as well as include them in README.md.

[arm4b]

When all finished/merged, we'll need Ansible st2docs update with separated section to install/configure bwc.

[arm4b]

Just a note: sync-up with master to include the recent build failure fix.

[arm4b]

This block could be removed, was really critical for st2 package.

[arm4b]

Not needed in this file, since you include that check in previous step bwc_repos_setup.yml

[arm4b]

Following our previous case when we rotated {{ bwc_license }}.

What will happen if user changes {{ bwc_license }}? Seems like read token will remain from the old license.

Eg. if user changes the license - Ansible should update apt/yum repository too with new read token.

[lakshmi-kannan]

Yep. Unfortunately, if I generate a token every time, it would cause idempotency failures. If I do what I did, then installation with fail if they swapped the license. But I think this is fine. It fails out with an error.

Another approach is to ask user for {{ bwc_read_token }} which I am -1 to.

[lakshmi-kannan]

Looks like I could force changed_when: no. That sounds hacky to me.

[arm4b]

What we can do is to additionally generate the hash from the {{ bwc_license }} via http://docs.ansible.com/ansible/playbooks_filters.html#hashing-filters and store hash somewhere in file.

If hash changed (eg. user provided new license), - then we request new {{ bwc_read_token }} and update apt/yum repo config.

[lakshmi-kannan]

I think we can address this in a different PR. I am not too keen on adding more scope to this PR.

[arm4b]

Deal. Feel free to create an issue for this then so maybe someone else could pick it up.

[arm4b]

I see with_dict here but don't see {{ item }}. That thing is used only for loops, see http://docs.ansible.com/ansible/playbooks_loops.html#looping-over-hashes.

So you probably want something like:

when: bwc_ldap.backend_kwargs is defined and bwc_ldap.backend_kwargs|length > 0

[arm4b]

Also @lakshmi-kannan length for dict worked in yaml:

TASK [bwc : debug] *************************************************************
task path: /vagrant/roles/bwc/tasks/ldap.yml:6
ok: [ubuntu16] => {
    "{}|length": "0"
}

TASK [bwc : debug] *************************************************************
task path: /vagrant/roles/bwc/tasks/ldap.yml:6
ok: [ubuntu16] => {
    "{'key':'val','a':'b'}|length": "2"
}

Just interesting fact.

[arm4b]

Same here, with_dict is used only for loops, just:

when: bwc_ldap.backend_kwargs is defined and bwc_ldap.backend_kwargs|length > 0

[arm4b]

Don't need bwc_repo_added|success, since ansible will stop on first failure

[arm4b]

Don't need bwc_installed|success since Ansible will stop on first failure

[arm4b]

Same here to avoid unecessary check bwc_installed|success

[arm4b]

Changing any file in /rbac/ dir should notify reload bwc_rbac trigger.

Make sure we run that thing for other tasks in this file.

[arm4b]

Since we found indentation fix for https://github.com/StackStorm/ansible-st2/pull/126/files#r106033276 this must be the right way:
{{ item.roles | to_nice_yaml(2) | indent(2) }}

in case if someday item.roles will contain more complex data.

[arm4b]

indentation should be 2 spaces here, same as in roles.yml.j2

[arm4b]

and 0 spaces here.

Otherwise {{ item.roles | to_nice_yaml(2) | indent(2) }} won't work correctly if we add some complex data there

[arm4b]

👍 🎉

[arm4b]

Thanks for being serious about the quality! 💯

After merging, what we'll need also is respective st2docs change to highlight bwc installation (as said in: #126 (comment))