CloudVE · almahmoud · Apr 22, 2021
diff --git a/roles/cloudman-boot/tasks/auth.yaml b/roles/cloudman-boot/tasks/auth.yaml
@@ -1,4 +1,7 @@
 - name: Create namespace for keycloak
+  tags:
+    - keycloak_setup
+    - cloudman_setup
   command: /usr/local/bin/kubectl create namespace keycloak
   ignore_errors: True
 
@@ -9,6 +12,9 @@
 
 - name: Download and operator
   when: not (kc_dir.stat.exists and kc_dir.stat.isdir)
+  tags:
+    - keycloak_setup
+    - cloudman_setup
   block:
     - name: Download and unarchive keycloak-operator release
       ansible.builtin.unarchive:
@@ -29,34 +35,42 @@
     - name: Deploy the operator
       command: "/usr/local/bin/kubectl apply -f {{ cm_keycloak_operator_path }}/deploy/operator.yaml -n {{ cm_keycloak_namespace }}"
 
-- name: Render Keycloak instance CRD
-  template:
-    src: keycloakcrd.yml.j2
-    dest: "{{ cm_keycloak_operator_path }}/deploy/cloudman-keycloak.yaml"
-
-- name: Apply the rendered Keycloak instance
-  command: /usr/local/bin/kubectl apply -f {{ cm_keycloak_operator_path }}/deploy/cloudman-keycloak.yaml -n {{ cm_keycloak_namespace }}
-
-- name: Render GVL Keycloak realm CRD
-  template:
-    src: keycloak_gvl_realm.yml.j2
-    dest: "{{ cm_keycloak_operator_path }}/deploy/gvl-keycloakrealm.yaml"
-
-- name: Apply the rendered GVL realm
-  command: /usr/local/bin/kubectl apply -f {{ cm_keycloak_operator_path }}/deploy/gvl-keycloakrealm.yaml -n {{ cm_keycloak_namespace }}
+- name: Render and apply Keycloak instance
+  tags:
+    - keycloak_setup
+    - cloudman_setup
+  block:
+    - name: Render Keycloak instance CRD
+      template:
+        src: keycloakcrd.yml.j2
+        dest: "{{ cm_keycloak_operator_path }}/deploy/cloudman-keycloak.yaml"
+
+    - name: Apply the rendered Keycloak instance
+      command: /usr/local/bin/kubectl apply -f {{ cm_keycloak_operator_path }}/deploy/cloudman-keycloak.yaml -n {{ cm_keycloak_namespace }}
+
+- name: Render and apply GVL Realm
+  tags:
+    - gvl_setup
+    - gvl_realm_update
+  block:
+    - name: Render GVL Keycloak realm CRD
+      template:
+        src: keycloak_gvl_realm.yml.j2
+        dest: "{{ cm_keycloak_operator_path }}/deploy/gvl-keycloakrealm.yaml"
 
-- name: Render Keycloak ingress cert patch
-  template:
-    src: keycloak_ingress_patch.yml.j2
-    dest: "{{ cm_keycloak_operator_path }}/deploy/cloudman-keycloak-ingress-patch.yaml"
-  tags: auth
+    - name: Apply the rendered GVL realm
+      command: /usr/local/bin/kubectl apply -f {{ cm_keycloak_operator_path }}/deploy/gvl-keycloakrealm.yaml -n {{ cm_keycloak_namespace }}
 
 - name: Check if Rancher SAML Client Certificate is already created
   stat:
     path: "{{ cm_keycloak_operator_path }}/deploy/ansible-rancher.crt"
   register: rancher_crt
 
 - name: Generate certs, Rancher SAML Client CRD, and change default rancher local password
+  tags:
+    - rancher_setup
+    - cloudman_setup
+    - rancher_keycloak_login
   when: not rancher_crt.stat.exists
   block:
     - name: Generate a key
@@ -77,35 +91,61 @@
         csr_path: "{{ cm_keycloak_operator_path }}/deploy/ansible-rancher.csr"
         provider: selfsigned
 
-- name: Slurp Rancher Cert
-  ansible.builtin.slurp:
-    src: "{{ cm_keycloak_operator_path }}/deploy/ansible-rancher.crt"
-  register: rancher_cert
-  tags: auth
-
-- name: Slurp Rancher Key
-  ansible.builtin.slurp:
-    src: "{{ cm_keycloak_operator_path }}/deploy/ansible-rancher.pem"
-  register: rancher_key
-  tags: auth
-
-- name: Render Rancher SAML Client CRD
-  template:
-    src: keycloak_rancher_client.yml.j2
-    dest: "{{ cm_keycloak_operator_path }}/deploy/rancher-saml-keycloakclient.yaml"
-
-- name: Patch in the rendered Keycloak ingress cert patch
-  command: /usr/local/bin/kubectl patch ingress keycloak -n {{ cm_keycloak_namespace }} --patch-file {{ cm_keycloak_operator_path }}/deploy/cloudman-keycloak-ingress-patch.yaml
-  tags: auth
-  retries: 10
-  delay: 10
-  register: result
-  until: result.rc == 0
-
-- name: Apply the rendered Rancher SAML Client
-  command: /usr/local/bin/kubectl apply -f {{ cm_keycloak_operator_path }}/deploy/rancher-saml-keycloakclient.yaml -n {{ cm_keycloak_namespace }}
+- name: Slurp Cert and key
+  tags:
+    - rancher_setup
+    - cloudman_setup
+    - rancher_keycloak_login
+  block:
+    - name: Slurp Rancher Cert
+      ansible.builtin.slurp:
+        src: "{{ cm_keycloak_operator_path }}/deploy/ansible-rancher.crt"
+      register: rancher_cert
+      tags: auth
+
+    - name: Slurp Rancher Key
+      ansible.builtin.slurp:
+        src: "{{ cm_keycloak_operator_path }}/deploy/ansible-rancher.pem"
+      register: rancher_key
+      tags: auth
+
+- name: Render and apply Keycloak ingress
+  tags:
+    - keycloak_setup
+    - cloudman_setup
+    - kecyloak_cert_manager
+  block:
+    - name: Render Keycloak ingress cert patch
+      template:
+        src: keycloak_ingress_patch.yml.j2
+        dest: "{{ cm_keycloak_operator_path }}/deploy/cloudman-keycloak-ingress-patch.yaml"
+
+    - name: Patch in the rendered Keycloak ingress cert patch
+      command: /usr/local/bin/kubectl patch ingress keycloak -n {{ cm_keycloak_namespace }} --patch-file {{ cm_keycloak_operator_path }}/deploy/cloudman-keycloak-ingress-patch.yaml
+      tags: auth
+      retries: 10
+      delay: 10
+      register: result
+      until: result.rc == 0
+
+- name: Rancher SAML Client
+  tags:
+    - keycloak_setup
+    - cloudman_setup
+    - rancher_keycloak_login
+  block:
+    - name: Render Rancher SAML Client CRD
+      template:
+        src: keycloak_rancher_client.yml.j2
+        dest: "{{ cm_keycloak_operator_path }}/deploy/rancher-saml-keycloakclient.yaml"
+
+    - name: Apply the rendered Rancher SAML Client
+      command: /usr/local/bin/kubectl apply -f {{ cm_keycloak_operator_path }}/deploy/rancher-saml-keycloakclient.yaml -n {{ cm_keycloak_namespace }}
 
 - name: Login to Rancher
+  tags:
+    - rancher_setup
+    - cloudman_setup
   uri:
     url: "https://{{ rancher_hostname }}/v3-public/localProviders/local?action=login"
     method: POST
@@ -120,16 +160,17 @@
   retries: 80
   delay: 5
   until: rancher_login['status']|default(0) in [200, 201, 401]
-  tags: auth
 
-- name: Change default password and setup external auth first time only
+- name: Change default password
+  tags:
+    - rancher_setup
+    - cloudman_setup
   when: rancher_login['status']|default(0) in [200, 201]
   block:
     - name: Set Rancher admin Token and user id
       set_fact:
         ra_token: "{{ rancher_login.json.token }}"
         ra_admin_user_id: "{{ rancher_login.json.userId }}"
-      tags: auth
 
     - name: Change password for admin user
       uri:
@@ -142,8 +183,14 @@
           newPassword: "{{ cluster_password }}"
         headers:
           Authorization: Bearer {{ ra_token }}
-      tags: auth
 
+- name: Change default password and setup external auth first time only
+  tags:
+    - rancher_setup
+    - cloudman_setup
+    - rancher_keycloak_login
+  when: rancher_login['status']|default(0) in [200, 201]
+  block:
     #https://rancher.com/docs/rancher/v2.x/en/admin-settings/authentication/keycloak/#keycloak-6-0-0-idpssodescriptor-missing-from-options
     - name: Get SAML Metadata IDPSSODescriptor
       uri:
@@ -155,7 +202,6 @@
       retries: 80
       delay: 5
       until: idp_metadata['status']|default(0) == 200
-      tags: auth
 
     - name: Setup Rancher External Auth
       uri:
@@ -186,7 +232,6 @@
           Authorization: Bearer {{ ra_token }}
       retries: 5
       delay: 10
-      tags: auth
 
     - name: Set default Rancher user role to admin
       uri:
@@ -200,6 +245,5 @@
           Authorization: Bearer {{ ra_token }}
       retries: 5
       delay: 10
-      tags: auth
 
 
diff --git a/roles/cloudman-boot/tasks/certmanager.yaml b/roles/cloudman-boot/tasks/certmanager.yaml
@@ -1,32 +1,36 @@
-- name: Create cert-manager namespace
-  command: >
-    /usr/local/bin/kubectl create namespace cert-manager
-  ignore_errors: true
+- name: Setup cert-manager
+  tags:
+    - cert_manager_setup
+  block:
+    - name: Create cert-manager namespace
+      command: >
+        /usr/local/bin/kubectl create namespace cert-manager
+      ignore_errors: true
 
-- name: Create cert manager CRDs
-  shell: /usr/local/bin/kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml
+    - name: Create cert manager CRDs
+      shell: /usr/local/bin/kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml
 
-- name: Add cert manager helm repo
-  shell: /usr/local/bin/helm repo add jetstack https://charts.jetstack.io
-  ignore_errors: true
+    - name: Add cert manager helm repo
+      shell: /usr/local/bin/helm repo add jetstack https://charts.jetstack.io
+      ignore_errors: true
 
-- name: Update Helm repos
-  shell: /usr/local/bin/helm repo update
+    - name: Update Helm repos
+      shell: /usr/local/bin/helm repo update
 
-- name: Render cluster issuer template
-  template:
-    src: clusterissuer.yaml.j2
-    dest: /tmp/clusterissuer.yaml
+    - name: Render cluster issuer template
+      template:
+        src: clusterissuer.yaml.j2
+        dest: /tmp/clusterissuer.yaml
 
-- name: Create cert manager cluster issuer
-  shell: /usr/local/bin/kubectl apply -f /tmp/clusterissuer.yaml
+    - name: Create cert manager cluster issuer
+      shell: /usr/local/bin/kubectl apply -f /tmp/clusterissuer.yaml
 
-- name: Helm install cert-manager
-  command: >
-    /usr/local/bin/helm upgrade --install cert-manager jetstack/cert-manager
-    --namespace "cert-manager"
-    --version "0.11.0"
-    --set ingressShim.defaultIssuerName="letsencrypt-prod"
-    --set ingressShim.defaultIssuerKind="ClusterIssuer"
-    --set webhook.enabled=false
-  ignore_errors: true
+    - name: Helm install cert-manager
+      command: >
+        /usr/local/bin/helm upgrade --install cert-manager jetstack/cert-manager
+        --namespace "cert-manager"
+        --version "0.11.0"
+        --set ingressShim.defaultIssuerName="letsencrypt-prod"
+        --set ingressShim.defaultIssuerKind="ClusterIssuer"
+        --set webhook.enabled=false
+      ignore_errors: true
diff --git a/roles/cloudman-boot/tasks/cloudman.yaml b/roles/cloudman-boot/tasks/cloudman.yaml
@@ -8,30 +8,35 @@
   when: cm_force_pull_images
   ignore_errors: true
 
-- name: Create temp file for cloudman helm values
-  tempfile:
-    state:  file
-    suffix: helmvals
-  register: temp_helmvals
+- name: Update Cloudman
+  tags:
+    - cloudman_setup
+    - cloudman_update
+  block:
+    - name: Create temp file for cloudman helm values
+      tempfile:
+        state:  file
+        suffix: helmvals
+      register: temp_helmvals
 
-- name: Render CloudMan chart custom values file
-  template:
-    src: cm_chart_values.yml.j2
-    dest: "{{ temp_helmvals.path }}"
+    - name: Render CloudMan chart custom values file
+      template:
+        src: cm_chart_values.yml.j2
+        dest: "{{ temp_helmvals.path }}"
 
-- name: Helm install CloudMan
-  command: >
-    /usr/local/bin/helm upgrade --reset-values --install cloudman galaxyproject/cloudman
-    --create-namespace
-    --namespace "{{ cm_namespace_name }}"
-    {% if cm_chart_version %}
-    --version "{{ cm_chart_version }}"
-    {% endif %}
-    -f "{{ temp_helmvals.path }}"
-  ignore_errors: true
+    - name: Helm install CloudMan
+      command: >
+        /usr/local/bin/helm upgrade --reset-values --install cloudman galaxyproject/cloudman
+        --create-namespace
+        --namespace "{{ cm_namespace_name }}"
+        {% if cm_chart_version %}
+        --version "{{ cm_chart_version }}"
+        {% endif %}
+        -f "{{ temp_helmvals.path }}"
+      ignore_errors: true
 
-- name: Remove temporary values file
-  file:
-    path: "{{ temp_helmvals.path }}"
-    state: absent
-  when: temp_helmvals.path is defined
+    - name: Remove temporary values file
+      file:
+        path: "{{ temp_helmvals.path }}"
+        state: absent
+      when: temp_helmvals.path is defined
diff --git a/roles/cloudman-boot/tasks/finish.yaml b/roles/cloudman-boot/tasks/finish.yaml
@@ -1,4 +1,6 @@
 - name: Wait for CloudMan login to become accessible
+  tags:
+    - cloudman_setup
   uri:
     url: "https://{{ cluster_hostname }}/cloudman/openid/openid/KeyCloak"
     method: GET
@@ -11,6 +13,7 @@
 
 - name: System help info
   debug:
+    - cloudman_setup
     msg: |
       "The system has now been setup. Access CloudMan at https://{{ cluster_hostname }}/"
       ""

diff --git a/roles/cloudman-boot/tasks/helm_repos.yaml b/roles/cloudman-boot/tasks/helm_repos.yaml
@@ -1,10 +1,13 @@
-- name: Add wunderio Helm repo for RClone
-  shell: /usr/local/bin/helm repo add wunderio https://storage.googleapis.com/charts.wdr.io/
-  ignore_errors: True
+- name: Add helm repositories
+  tags:
+    - cloudman_setup
+    - galaxy_setup
+    - cloudman_update
+    - galaxy_update
+  block:
+    - name: "Add CloudVE Helm repo: {{ cm_charts_repo }}"
+      shell: /usr/local/bin/helm repo add galaxyproject {{ cm_charts_repo }}
+      ignore_errors: True
 
-- name: "Add CloudVE Helm repo: {{ cm_charts_repo }}"
-  shell: /usr/local/bin/helm repo add galaxyproject {{ cm_charts_repo }}
-  ignore_errors: True
-
-- name: Update Helm repos
-  shell: /usr/local/bin/helm repo update
+    - name: Update Helm repos
+      shell: /usr/local/bin/helm repo update