From c57adc7fab63d5882499536d41bbf012e144fe3c Mon Sep 17 00:00:00 2001 From: Enrique Vallespi Gil Date: Wed, 1 Apr 2026 14:14:51 +0200 Subject: [PATCH] Wait for DNS before install_ca role We want to be sure DNS is already set before installing certificates Signed-off-by: Enrique Vallespi Gil --- roles/install_ca/meta/main.yml | 4 ++- roles/openshift_dns_ready/README.md | 23 ++++++++++++ roles/openshift_dns_ready/defaults/main.yml | 25 +++++++++++++ roles/openshift_dns_ready/meta/main.yml | 30 ++++++++++++++++ roles/openshift_dns_ready/tasks/main.yml | 39 +++++++++++++++++++++ 5 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 roles/openshift_dns_ready/README.md create mode 100644 roles/openshift_dns_ready/defaults/main.yml create mode 100644 roles/openshift_dns_ready/meta/main.yml create mode 100644 roles/openshift_dns_ready/tasks/main.yml diff --git a/roles/install_ca/meta/main.yml b/roles/install_ca/meta/main.yml index d8f9c2793c..2b2c73684d 100644 --- a/roles/install_ca/meta/main.yml +++ b/roles/install_ca/meta/main.yml @@ -27,4 +27,6 @@ galaxy_info: # List your role dependencies here, one per line. Be sure to remove the '[]' above, # if you add dependencies to this list. -dependencies: [] +dependencies: + - role: openshift_dns_ready + when: cifmw_install_ca_url is defined diff --git a/roles/openshift_dns_ready/README.md b/roles/openshift_dns_ready/README.md new file mode 100644 index 0000000000..8978b344f4 --- /dev/null +++ b/roles/openshift_dns_ready/README.md 
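Review bot: The `when: cifmw_install_ca_url is defined` gate on the new dependency in roles/install_ca/meta/main.yml is also true when the variable is set to an empty string, so an inventory that blanks the URL would still run `oc wait` and fail on a host without `oc` or a reachable cluster. A truthiness test such as `when: cifmw_install_ca_url | default('') | length > 0` would skip the wait in that case. The dependency also ties every URL-based use of install_ca to a reachable OpenShift cluster; if the role is meant to work elsewhere too, the comment above `dependencies:` should say so. An available DNS operator says nothing about the authenticity of the download, so any TLS or checksum validation in the install_ca tasks (not visible in this hunk) remains the control that protects the trust store.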
@@ -0,0 +1,23 @@
+# openshift_dns_ready
+
+A role to wait for the OpenShift DNS operator to be ready before proceeding with tasks that require DNS resolution.
+
+## Privilege escalation
+
+None required.
+
+## Parameters
+
+* `cifmw_openshift_dns_ready_timeout`: (Integer) Timeout in seconds for `oc wait --timeout`. Default: `60`.
+* `cifmw_openshift_dns_ready_path_prefix`: (String) Directories prepended to `PATH` when `cifmw_path` is unset, so non-interactive SSH finds `oc` (e.g. under `~/.crc/bin`). Default includes `~/.crc/bin`, `~/bin`, `~/.local/bin`.
+* `cifmw_path`: (String) When set (framework bootstrap / CRC), used as `PATH` for `oc` instead of the prefix above.
+* `cifmw_openshift_kubeconfig`: (String) Path to kubeconfig file. If set, exported as `KUBECONFIG`. Inherited from framework defaults.
+* `cifmw_openshift_dns_ready_delegate_to`: (String) Optional inventory hostname to run `oc` on. If unset, uses `cifmw_target_host` (hypervisor in adoption/reproducer), then the current host. Override only when needed; a host without `oc` fails.
+
+## Usage
+
+Used before tasks that require DNS resolution in OpenShift, such as downloading certificates from URLs or accessing external services.
+
+## How it works
+
+The role runs `oc wait dns.operator.openshift.io/default --for=condition=Available=true` so the cluster DNS operator is ready before proceeding. The command is delegated when `cifmw_target_host` is set so `oc` runs on the hypervisor (or another host that has the CLI and kubeconfig). `PATH` is set explicitly so delegated runs match interactive shells (where `oc` is often on `PATH` via profile).
diff --git a/roles/openshift_dns_ready/defaults/main.yml b/roles/openshift_dns_ready/defaults/main.yml
new file mode 100644
index 0000000000..436c12227b
--- /dev/null
+++ b/roles/openshift_dns_ready/defaults/main.yml
@@ -0,0 +1,25 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should be placed in this file.
+# All variables within this role should have a prefix of "cifmw_openshift_dns_ready"
+
+# Timeout in seconds passed to `oc wait --timeout`
+cifmw_openshift_dns_ready_timeout: 60
+
+# Prepended to PATH for non-interactive SSH (login shells often add ~/.crc/bin; Ansible does not).
+cifmw_openshift_dns_ready_path_prefix: "{{ ansible_user_dir }}/.crc/bin:{{ ansible_user_dir }}/bin:{{ ansible_user_dir }}/.local/bin"
diff --git a/roles/openshift_dns_ready/meta/main.yml b/roles/openshift_dns_ready/meta/main.yml
new file mode 100644
index 0000000000..5ca2f63af0
--- /dev/null
+++ b/roles/openshift_dns_ready/meta/main.yml
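Review bot: The default for `cifmw_openshift_dns_ready_path_prefix` in roles/openshift_dns_ready/defaults/main.yml is built from `ansible_user_dir`, which is a fact of the play host, while the command in tasks/main.yml is delegated to `cifmw_target_host` or `cifmw_openshift_dns_ready_delegate_to`. When the two hosts have different users or home directories, the prefix names directories that do not exist on the machine that actually runs `oc`. tasks/main.yml has the same dependency through `ansible_env.PATH`, and both expressions need gathered facts: the argument of `default()` is evaluated even when `cifmw_path` is set, so a play with `gather_facts: false` will likely fail on the undefined fact. Reading the delegated host's facts, e.g. `hostvars[<delegate>].ansible_user_dir`, or at least adding a comment such as `# Uses facts of the play host; assumes the delegated host has the same home directory` would make the assumption explicit.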
@@ -0,0 +1,30 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+ author: CI Framework
+ description: CI Framework Role -- openshift_dns_ready
+ company: Red Hat
+ license: Apache-2.0
+ min_ansible_version: "2.14"
+ namespace: cifmw
+ galaxy_tags:
+ - cifmw
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies: []
diff --git a/roles/openshift_dns_ready/tasks/main.yml b/roles/openshift_dns_ready/tasks/main.yml
new file mode 100644
index 0000000000..b288604739
--- /dev/null
+++ b/roles/openshift_dns_ready/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Wait for DNS operator to be ready
+ ansible.builtin.command:
+ cmd: >-
+ oc wait dns.operator.openshift.io/default
+ --for=condition=Available=true
+ --timeout={{ cifmw_openshift_dns_ready_timeout }}s
+ environment: "{{ _cifmw_dns_ready_env }}"
+ vars:
+ _cifmw_dns_ready_path: >-
+ {{
+ cifmw_path
+ | default(
+ cifmw_openshift_dns_ready_path_prefix ~ ':' ~ ansible_env.PATH,
+ true
+ )
+ }}
+ _cifmw_dns_ready_env: >-
+ {{
+ {'PATH': _cifmw_dns_ready_path}
+ | combine({'KUBECONFIG': cifmw_openshift_kubeconfig} if cifmw_openshift_kubeconfig is defined else {})
+ }}
+ delegate_to: "{{ cifmw_openshift_dns_ready_delegate_to | default(cifmw_target_host | default(inventory_hostname)) }}"
+ changed_when: false
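Review bot: User-writable directories take precedence over the system search path in `_cifmw_dns_ready_path`, because `cifmw_openshift_dns_ready_path_prefix` is concatenated in front of `ansible_env.PATH`. The first `oc` found in `~/.crc/bin`, `~/bin` or `~/.local/bin` therefore shadows a system-installed one, and it runs with `KUBECONFIG` pointing at the cluster credentials. Unless the CRC-shipped binary has to win, appending is the safer order: `ansible_env.PATH ~ ':' ~ cifmw_openshift_dns_ready_path_prefix`. If the current order is intentional, a comment above `vars:` stating that the user directories are searched first on purpose, and why, would record the decision for the next reader.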