Update storage and Keycloak config

playbooks/deploy_openshift.yml

@@ -8,11 +8,14 @@
 # Inventory requirements:
 #   sno.openshift.toal.ca  - in 'openshift' group
 #     host_vars: ocp_cluster_name, ocp_base_domain, ocp_version, sno_ip,
-#                sno_gateway, sno_nameserver, sno_prefix_length, sno_vm_name,
-#                sno_bridge, sno_vlan, proxmox_node, keycloak_url, keycloak_realm,
+#                sno_gateway, sno_nameserver, sno_prefix_length, sno_machine_network,
+#                sno_vm_name, sno_vnet, sno_storage_ip, sno_storage_ip_prefix_length,
+#                sno_storage_vnet, proxmox_node, keycloak_url, keycloak_realm,
 #                oidc_admin_groups, sno_deploy_letsencrypt_email, ...
 #     secrets:  vault_ocp_pull_secret, vault_keycloak_admin_password,
 #               vault_oidc_client_secret (optional)
+#     optional: ocp_kubeconfig (defaults to ~/.kube/config; set to
+#               sno_install_dir/auth/kubeconfig for fresh installs)
 #   proxmox_api            - inventory host (ansible_host, ansible_port)
 #   proxmox_host           - inventory host (ansible_host, ansible_connection: ssh)
 #   gate.toal.ca           - in 'opnsense' group
@@ -27,6 +30,11 @@
 #   Play 4: sno_deploy_install  — Generate ISO, boot VM, wait for install
 #   Play 5: keycloak            — Configure Keycloak OIDC client
 #   Play 6: sno_deploy_oidc / sno_deploy_certmanager / sno_deploy_delete_kubeadmin
+#   Play 7: sno_deploy_lvms            — Install LVM Storage for persistent volumes
+#   Play 8: sno_deploy_nfs             — Deploy in-cluster NFS provisioner (RWX StorageClass)
+#   Play 9: sno_deploy_service_accounts — Provision ServiceAccounts for app deployers
+#
+# AAP deployment is in a separate playbook: deploy_aap.yml
 #
 # Usage:
 #   ansible-navigator run playbooks/deploy_openshift.yml
@@ -35,6 +43,9 @@
 #   ansible-navigator run playbooks/deploy_openshift.yml --tags opnsense,dns
 #   ansible-navigator run playbooks/deploy_openshift.yml --tags keycloak,sno_deploy_oidc
 #   ansible-navigator run playbooks/deploy_openshift.yml --tags sno_deploy_certmanager
+#   ansible-navigator run playbooks/deploy_openshift.yml --tags sno_deploy_lvms
+#   ansible-navigator run playbooks/deploy_openshift.yml --tags sno_deploy_nfs
+#   ansible-navigator run playbooks/deploy_openshift.yml --tags sno_deploy_service_accounts
 
 # ---------------------------------------------------------------------------
 # Play 1: Create SNO VM in Proxmox
@@ -244,7 +255,7 @@
   connection: local
 
   environment:
-    KUBECONFIG: "{{ sno_install_dir }}/auth/kubeconfig"
+    KUBECONFIG: "{{ ocp_kubeconfig | default('~/.kube/config') }}"
     K8S_AUTH_VERIFY_SSL: "false"
 
   tags:
@@ -274,20 +285,80 @@
         - sno_deploy_delete_kubeadmin
 
 # ---------------------------------------------------------------------------
-# Play 7: Install Ansible Automation Platform (opt-in via --tags aap)
+# Play 7: Install LVM Storage for persistent volumes
 # ---------------------------------------------------------------------------
-- name: Install Ansible Automation Platform
+- name: Configure LVM Storage for persistent volumes
+  hosts: sno.openshift.toal.ca
+  gather_facts: false
+  connection: local
+  tags: sno_deploy_lvms
+
+  environment:
+    KUBECONFIG: "{{ ocp_kubeconfig | default('~/.kube/config') }}"
+    K8S_AUTH_VERIFY_SSL: "false"
+
+  roles:
+    - role: lvms_operator
+
+# ---------------------------------------------------------------------------
+# Play 8: Deploy NFS provisioner for ReadWriteMany storage
+# Set nfs_provisioner_external_server / nfs_provisioner_external_path to use
+# a pre-existing NFS share (e.g. 192.168.129.100:/mnt/BIGPOOL/NoBackups/OCPNFS).
+# When those are unset, an in-cluster NFS server is deployed; LVMS (Play 7) must
+# have run first to provide the backing RWO PVC.
+# ---------------------------------------------------------------------------
+- name: Deploy in-cluster NFS provisioner
+  hosts: sno.openshift.toal.ca
+  gather_facts: false
+  connection: local
+  tags: sno_deploy_nfs
+
+  environment:
+    KUBECONFIG: "{{ ocp_kubeconfig | default('~/.kube/config') }}"
+    K8S_AUTH_VERIFY_SSL: "false"
+
+  roles:
+    - role: nfs_provisioner
+
+# ---------------------------------------------------------------------------
+# Play 9: Provision ServiceAccounts for application deployers
+# ---------------------------------------------------------------------------
+- name: Provision OpenShift service accounts
   hosts: sno.openshift.toal.ca
   gather_facts: false
   connection: local
 
   environment:
-    KUBECONFIG: "{{ sno_install_dir }}/auth/kubeconfig"
+    KUBECONFIG: "{{ ocp_kubeconfig | default('~/.kube/config') }}"
     K8S_AUTH_VERIFY_SSL: "false"
 
   tags:
     - never
-    - aap
+    - sno_deploy_service_accounts
 
   roles:
-    - role: aap_operator
+    - role: ocp_service_account
+      ocp_service_account_name: aap-deployer
+      ocp_service_account_namespace: aap
+      ocp_service_account_cluster_role_rules:
+        - apiGroups: [""]
+          resources: ["namespaces"]
+          verbs: ["get", "list", "create", "patch"]
+        - apiGroups: [""]
+          resources: ["secrets"]
+          verbs: ["get", "list", "watch", "create", "patch"]
+        - apiGroups: [""]
+          resources: ["serviceaccounts"]
+          verbs: ["get", "list", "watch"]
+        - apiGroups: ["apps"]
+          resources: ["deployments"]
+          verbs: ["get", "list", "watch"]
+        - apiGroups: ["operators.coreos.com"]
+          resources: ["operatorgroups", "subscriptions", "clusterserviceversions"]
+          verbs: ["get", "list", "create", "patch", "watch"]
+        - apiGroups: ["apiextensions.k8s.io"]
+          resources: ["customresourcedefinitions"]
+          verbs: ["get", "list", "watch"]
+        - apiGroups: ["aap.ansible.com"]
+          resources: ["ansibleautomationplatforms"]
+          verbs: ["get", "list", "create", "patch", "watch"]