diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:04:41 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:04:41 +0000 |
| commit | 975f66f2eebe9dadba04f275774d4ab83f74cf25 (patch) | |
| tree | 89bd26a93aaae6a25749145b7e4bca4a1e75b2be /ansible_collections/netapp/ontap/playbooks | |
| parent | Initial commit. (diff) | |
| download | ansible-975f66f2eebe9dadba04f275774d4ab83f74cf25.tar.xz ansible-975f66f2eebe9dadba04f275774d4ab83f74cf25.zip | |
Adding upstream version 7.7.0+dfsg.upstream/7.7.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'ansible_collections/netapp/ontap/playbooks')
15 files changed, 1144 insertions, 0 deletions
diff --git a/ansible_collections/netapp/ontap/playbooks/examples/README.md b/ansible_collections/netapp/ontap/playbooks/examples/README.md new file mode 100644 index 000000000..1d90cbfaa --- /dev/null +++ b/ansible_collections/netapp/ontap/playbooks/examples/README.md @@ -0,0 +1,37 @@ +============================================================= + + netapp.ontap + + NetApp ONTAP Collection + + Copyright (c) 2020 NetApp, Inc. All rights reserved. + Specifications subject to change without notice. + +============================================================= +# Playbook examples + +As the name indicates, these are examples, and while they are working at the time of publication, we do not support these playbooks. +We cannot guarantee they are working on other systems, or other configurations, or other versions than what we used at the time. +We will not maintain these playbooks as time passes. + +## ONTAP Firmware Updates + +By default, downloading a firmware image is enough to trigger an update. +The update happens automatically in background for the disk qualification package and for disk, shelf, and ACP firmwares. It is designed to be non disruptive. + +The SP firmware will be automatically installed, but requires a node reboot. The reboot is not done in these playbooks. + +The na_ontap_pb_upgrade_firmware playbooks are illustrating three ways to use variables in an Ansible playbook: +1. directly inside the playbook, under the `vars:` keyword +1. by importing an external file, under the `vars_file:` keyword +1. by adding `--extra-vars` to the `ansible-playbook` command line. Using `@` enables to use a file rather than providing each variable explicitly. + +``` +ansible-playbook ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_upgrade_firmware.yml + +ansible-playbook ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_upgrade_firmware_with_vars_file.yml + +ansible-playbook ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_upgrade_firmware_with_extra_vars.yml --extra-vars=@/tmp/ansible/ontap_vars_file.yml +``` + +The advantage of using a vars_file is that you can keep important variables private. --extra-vars provides more flexibility regarding the location of the vars file. diff --git a/ansible_collections/netapp/ontap/playbooks/examples/filter/test_na_filter_iso8601.yaml b/ansible_collections/netapp/ontap/playbooks/examples/filter/test_na_filter_iso8601.yaml new file mode 100644 index 000000000..0f5c704a0 --- /dev/null +++ b/ansible_collections/netapp/ontap/playbooks/examples/filter/test_na_filter_iso8601.yaml @@ -0,0 +1,77 @@ +- + name: test netapp.ontap ISO8601 filters + gather_facts: false + hosts: localhost + + vars: + iso_duration: 'P689DT13H57M44S' + iso_duration_weeks: 'P98W' + seconds_duration: 59579864 + + + tasks: + - name: convert duration in ISO 8601 format to seconds + set_fact: + input: "{{ iso_duration }}" + out: "{{ iso_duration | netapp.ontap.iso8601_duration_to_seconds }}" + + - name: validate results + assert: + that: out | int == seconds_duration + quiet: true + + - name: convert seconds to duration in ISO 8601 format + set_fact: + input: "{{ seconds_duration }}" + out: "{{ seconds_duration | netapp.ontap.iso8601_duration_from_seconds }}" + + - name: validate results + assert: + that: out == iso_duration + quiet: true + + - name: convert seconds to duration in ISO 8601 format, using format specifier + set_fact: + input: "{{ seconds_duration }}" + out: "{{ seconds_duration | netapp.ontap.iso8601_duration_from_seconds(format='P%P') }}" + + - name: validate results + assert: + that: out == iso_duration + quiet: true + + - name: convert seconds to duration in ISO 8601 format, using format specifier for weeks + set_fact: + input: "{{ seconds_duration }}" + out: "{{ seconds_duration | netapp.ontap.iso8601_duration_from_seconds(format='P%p') }}" + + - name: validate results + assert: + that: out == iso_duration_weeks + quiet: true + + - name: input error, input does not match ISO format + set_fact: + out: "{{ 'dummy' | netapp.ontap.iso8601_duration_to_seconds }}" + ignore_errors: true + register: results + + - name: validate error message + assert: + that: results.msg == error + quiet: true + vars: + error: "iso8601_duration_to_seconds - error: Unable to parse duration string 'dummy' - expecting PnnYnnMnnDTnnHnnMnnS, received: dummy" + + - name: input error, input does not match int or float format + set_fact: + out: "{{ 'dummy' | netapp.ontap.iso8601_duration_from_seconds }}" + ignore_errors: true + register: results + + - name: validate error message + assert: + that: results.msg == error + quiet: true + vars: + error: "iso8601_duration_from_seconds - error: unsupported type for timedelta seconds component: str - received: dummy" diff --git a/ansible_collections/netapp/ontap/playbooks/examples/json_query/README.md b/ansible_collections/netapp/ontap/playbooks/examples/json_query/README.md new file mode 100644 index 000000000..0d3321af0 --- /dev/null +++ b/ansible_collections/netapp/ontap/playbooks/examples/json_query/README.md @@ -0,0 +1,30 @@ +============================================================= + + netapp.ontap + + NetApp ONTAP Collection + + Copyright (c) 2020 NetApp, Inc. All rights reserved. + Specifications subject to change without notice. + +============================================================= +# Playbook examples + +As the name indicates, these are examples, and while they are working at the time of publication, we do not support these playbooks. +We cannot guarantee they are working on other systems, or other configurations, or other versions than what we used at the time. +We will not maintain these playbooks as time passes. + +## ONTAP list volumes that are online, or offline + +The na_ontap_pb_get_online_volumes playbook illustrate two ways to use json_query: +1. to flatten a complex structure and extract only the fields of interest, +2. to filter the fields of interest based on some criteria. + +The na_ontap_pb_get_online_volumes playbook illustrates three ways to use variables in an Ansible playbook: +1. directly inside the playbook, under the `vars:` keyword, +1. by importing an external file, under the `vars_files:` keyword, +1. by adding `--extra-vars` to the `ansible-playbook` command line. Using `@` enables to use a file rather than providing each variable explicitly. + +Note that `--extra-vars` has the highest precedence. `vars` has the lowest precedence. It is possible to comnbine the 3 techniques within a single playbook. + +The advantage of using a vars_file is that you can keep important variables private. --extra-vars provides more flexibility regarding the location of the vars file. diff --git a/ansible_collections/netapp/ontap/playbooks/examples/json_query/na_ontap_pb_get_online_volumes.yml b/ansible_collections/netapp/ontap/playbooks/examples/json_query/na_ontap_pb_get_online_volumes.yml new file mode 100644 index 000000000..5d58d17a9 --- /dev/null +++ b/ansible_collections/netapp/ontap/playbooks/examples/json_query/na_ontap_pb_get_online_volumes.yml @@ -0,0 +1,76 @@ +- + name: Get list of online ONTAP volumes + hosts: localhost + gather_facts: false + collections: + - netapp.ontap + vars_files: + # This will fail silently if the vars_file is not found. Remove '/dev/null' to force an error + # if --extra_vars is used to provide values for these variables, the values from vars_file are ignored + - ['/path/to/ontap_vars_file.yml', '/dev/null'] + + vars: + # TODO: change these value until DONE, unless a vars file or --extra_vars is used. + # If --extra_vars is used to provide values for these variables, the values below are ignored. + # If vars_files is used, the values below are ignored. + ontap_admin_ip: TBD + # username/password authentication + ontap_admin_username: admin + ontap_admin_password: TBD + # SSL certificate authentication + ontap_cert_filepath: "/path/to/test.pem" + ontap_key_filepath: "/path/to//test.key" + # optional, SVM login + ontap_svm_admin_ip: TBD + ontap_svm_admin_username: vsadmin + ontap_svm_admin_password: TBD + # we recommend to use https, with a valid certificate + ontap_use_https: true + ontap_validate_certs: false + # DONE + login: &login + hostname: "{{ ontap_admin_ip }}" + username: "{{ ontap_admin_username }}" + password: "{{ ontap_admin_password }}" + https: "{{ ontap_use_https }}" + validate_certs: "{{ ontap_validate_certs }}" + cert_login: &cert_login + hostname: "{{ ontap_admin_ip }}" + cert_filepath: "{{ ontap_cert_filepath }}" + key_filepath: "{{ ontap_key_filepath }}" + https: true # ignored, as https is required for SSL + validate_certs: "{{ ontap_validate_certs }}" + svm_login: &svm_login + hostname: "{{ ontap_svm_admin_ip }}" + username: "{{ ontap_svm_admin_username }}" + password: "{{ ontap_svm_admin_password }}" + https: "{{ ontap_use_https }}" + validate_certs: "{{ ontap_validate_certs }}" + tasks: + - name: collect list of volumes, and state information + na_ontap_info: + <<: *cert_login + gather_subset: volume_info + desired_attributes: + volume-attributes: + volume-state-attributes: + state: + use_native_zapi_tags: false + register: ontap + - debug: var=ontap + tags: never + - set_fact: + volumes: "{{ ontap.ontap_info | json_query(get_attrs) }}" + vars: + get_attrs: "volume_info.*.{id: volume_id_attributes.name, svm: volume_id_attributes.owning_vserver_name, state: volume_state_attributes.state}" + - debug: var=volumes + - set_fact: + online_volumes: "{{ volumes | json_query(get_online) }}" + vars: + get_online: "[? state=='online']" + - debug: var=online_volumes + - set_fact: + offline_volumes: "{{ volumes | json_query(get_offline) }}" + vars: + get_offline: "[? state=='offline']" + - debug: var=offline_volumes diff --git a/ansible_collections/netapp/ontap/playbooks/examples/json_query/na_ontap_pb_get_online_volumes_loop.yml b/ansible_collections/netapp/ontap/playbooks/examples/json_query/na_ontap_pb_get_online_volumes_loop.yml new file mode 100644 index 000000000..41cfba21c --- /dev/null +++ b/ansible_collections/netapp/ontap/playbooks/examples/json_query/na_ontap_pb_get_online_volumes_loop.yml @@ -0,0 +1,85 @@ +- + name: Get list of online ONTAP volumes + hosts: localhost + gather_facts: false + collections: + - netapp.ontap + vars_files: + # This will fail silently if the vars_file is not found. Remove '/dev/null' to force an error + # if --extra_vars is used to provide values for these variables, the values from vars_file are ignored + - ['/path/to/ontap_vars_file.yml', '/dev/null'] + + vars: + # TODO: change these value until DONE, unless a vars file or --extra_vars is used. + # If --extra_vars is used to provide values for these variables, the values below are ignored. + # If vars_files is used, the values below are ignored. + # cluster or vsserver IP addresses + ontap_admin_ips: + - ip1 + - ip2 + # username/password authentication + ontap_admin_username: admin + ontap_admin_password: netapp1! + # SSL certificate authentication + ontap_cert_filepath: "/path/to/test.pem" + ontap_key_filepath: "/path/to//test.key" + # optional, SVM login + ontap_svm_admin_username: vsadmin + ontap_svm_admin_password: TBD + # we recommend to use https, with a valid certificate + ontap_use_https: true + ontap_validate_certs: false + # DONE + login: &login + username: "{{ ontap_admin_username }}" + password: "{{ ontap_admin_password }}" + https: "{{ ontap_use_https }}" + validate_certs: "{{ ontap_validate_certs }}" + cert_login: &cert_login + cert_filepath: "{{ ontap_cert_filepath }}" + key_filepath: "{{ ontap_key_filepath }}" + https: true # ignored, as https is required for SSL + validate_certs: "{{ ontap_validate_certs }}" + svm_login: &svm_login + username: "{{ ontap_svm_admin_username }}" + password: "{{ ontap_svm_admin_password }}" + https: "{{ ontap_use_https }}" + validate_certs: "{{ ontap_validate_certs }}" + tasks: + - debug: var=ontap + tags: never + - debug: var=ontap.results + tags: xnever + - name: collect list of volumes, and state information + na_ontap_info: + hostname: "{{ item }}" + <<: *login + gather_subset: volume_info + desired_attributes: + volume-attributes: + volume-state-attributes: + state: + use_native_zapi_tags: false + register: ontap + loop: "{{ ontap_admin_ips }}" + loop_control: + label: "{{ item }}" + - set_fact: + volumes: "{{ volumes|default({}) | combine( {item.item: item.ontap_info | json_query(get_attrs)} ) }}" + vars: + get_attrs: "volume_info.*.{id: volume_id_attributes.name, svm: volume_id_attributes.owning_vserver_name, state: volume_state_attributes.state}" + loop: "{{ ontap.results }}" + - debug: var=volumes + - pause: + - set_fact: + online_volumes: "{{ online_volumes|default({}) | combine( {item.key: item.value | json_query(get_online)} ) }}" + vars: + get_online: "[? state=='online']" + loop: "{{ volumes | dict2items }}" + - debug: var=online_volumes + - set_fact: + offline_volumes: "{{ offline_volumes|default({}) | combine( {item.key: item.value | json_query(get_offline)} ) }}" + vars: + get_offline: "[? state=='offline']" + loop: "{{ volumes | dict2items }}" + - debug: var=offline_volumes diff --git a/ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_install_SSL_certificate.yml b/ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_install_SSL_certificate.yml new file mode 100644 index 000000000..18ced0517 --- /dev/null +++ b/ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_install_SSL_certificate.yml @@ -0,0 +1,209 @@ +# Example of installing a SSL certificate in ONTAP for authentication +# This playbook: +# 1. installs the certificate, or proceeds if the certificate is already installed, +# 2. enables SSL client authentication, +# 3. creates user account for cert authentication for ontapi and http applications, +# 4. validates that cert authentication works +# +# in test mode (using tags: -t all,testpb): +# 1b. the installation is repeated, to validate the check for idempotency (certificate already installed), +# 5. user account for cert authentication for ontapi and http applications is deleted, +# 6. if the certificate was installed in step 1, it is deleted. +# The certificate can be manually deleted using something like: +# security certificate delete -vserver trident_svm -common-name cert_user -ca cert_user -type * +# +# Prerequisites: +# you must have generated a certificate and have the certificate file (.pem) and the private key file available. +# This was tested using a self signed certificate: +# https://netapp.io/2016/11/08/certificate-based-authentication-netapp-manageability-sdk-ontap/ +- + name: Ontap Install SSL certificate and enable SSL certificate authentication + hosts: localhost + gather_facts: false + collections: + - netapp.ontap + vars: + # TODO: change these variable values from HERE to DONE: + ontap_admin_ip: 10.XXX.XXX.X19 + ontap_admin_username: admin + ontap_admin_password: XXXXXXXX + # we recommend to use https, but it requires a valid SSL certificate + ontap_use_https: true + ontap_validate_certs: false + + # parameters to set up the certificate, ontap_cert_user must match the value of CN= when generating the certificate + ontap_cert_user: cert_user + ontap_cert_name: deleteme_cert + # admin or vsadmin + ontap_cert_role: vsadmin + # admin or data SVM + vserver: trident_svm + # admin or SVM IP address (for admin, would the same as ontap_admin_ip) + ontap_svm_ip: 10.XXX.XXX.X21 + # certificate and private key files + cert_filepath: "/home/laurentn/atelier/ansible_wsl/ansible-playbooks/test.pem" + key_filepath: "/home/laurentn/atelier/ansible_wsl/ansible-playbooks/test.key" + # set this to false if the certificate is self-signed + validate_certs_for_ssl_auth: false + + # you can either copy/paste the certificate(s) from the pem file, respecting the identation: + ssl_certificate_inline: | + -----BEGIN CERTIFICATE----- + MXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxx== + -----END CERTIFICATE----- + + # or read it directly from the pem file + ssl_certificate_from_file: "{{lookup('file', cert_filepath)}}" + + # pick one: + # ssl_certificate: "{{ ssl_certificate_inline }}" + ssl_certificate: "{{ ssl_certificate_from_file }}" + + # DONE - do not change anything else (unless you really want to) + + # this will be used to authenticate using SSL certificate + cert_login: &cert_login + hostname: "{{ ontap_svm_ip }}" + cert_filepath: "{{ cert_filepath }}" + key_filepath: "{{ key_filepath }}" + https: true + validate_certs: "{{ validate_certs_for_ssl_auth }}" + + login: &login + hostname: "{{ ontap_admin_ip }}" + username: "{{ ontap_admin_username }}" + password: "{{ ontap_admin_password }}" + https: "{{ ontap_use_https }}" + validate_certs: "{{ ontap_validate_certs }}" + + tasks: + - name: run ontap info module to check connectivity + na_ontap_info: + <<: *login + gather_subset: ontap_system_version + register: ontap + - debug: var=ontap.ontap_info.ontap_version + + - name: use ZAPIT to install certificate + na_ontap_zapit: + <<: *login + zapi: + security-certificate-install: + cert-name: "{{ ontap_cert_name }}" + certificate: "{{ ssl_certificate }}" + type: client-ca + vserver: "{{ vserver }}" + ignore_errors: true + register: ontap + - debug: var=ontap + - fail: + msg: "Failed to install certificate: {{ ontap }}" + when: ontap.failed and ontap.reason != "duplicate entry" + - name: collect certificate data to be able to delete it later when testing + tags: never,testpb + set_fact: + certificate_authority: "{{ ontap.response.ca | default('unknown') }}" + serial_number: "{{ ontap.response.serial | default(0) }}" + certificate_installed: "{{ not ontap.failed }}" + - debug: var=certificate_authority + tags: never,testpb + - debug: var=serial_number + tags: never,testpb + - debug: var=certificate_installed + tags: never,testpb + + - name: use ZAPIT to install certificate (idempotency) + # use -t all,testpb when testing the playbook + tags: never,testpb + na_ontap_zapit: + <<: *login + zapi: + security-certificate-install: + cert-name: "{{ ontap_cert_name }}" + certificate: "{{ ssl_certificate }}" + type: client-ca + vserver: "{{ vserver }}" + ignore_errors: true + register: ontap + - debug: var=ontap + tags: never,testpb + - fail: + msg: "Failed to install certificate: {{ ontap }}" + tags: never,testpb + when: ontap.failed and ontap.reason != "duplicate entry" + + - name: use ZAPIT to enable certificate authentication + na_ontap_zapit: + <<: *login + zapi: + security-ssl-modify: + client-authentication-enabled: true + vserver: "{{ vserver }}" + register: ontap + - debug: var=ontap + tags: never,testpb + + - name: set up cert authentication for ontapi (ZAPI) and http (REST) + na_ontap_user: + <<: *login + applications: ontapi,http + authentication_method: cert + name: "{{ ontap_cert_user }}" + role_name: "{{ ontap_cert_role }}" + vserver: "{{ vserver }}" + register: ontap + - debug: var=ontap + tags: never,testpb + + - name: validate cert authentication is working for ZAPI + na_ontap_info: + <<: *cert_login + gather_subset: ontap_version + register: ontap + - debug: var=ontap + + - name: remove cert authentication for ontapi (ZAPI) and http (REST) when testing + tags: never,testpb + na_ontap_user: + <<: *login + state: absent + applications: ontapi,http + authentication_method: cert + name: "{{ ontap_cert_user }}" + role_name: "{{ ontap_cert_role }}" + vserver: "{{ vserver }}" + register: ontap + - debug: var=ontap + tags: never,testpb + + - name: use ZAPIT to delete certificate when testing + # use -t all,never when testing the playbook + tags: never,testpb,delete + na_ontap_zapit: + <<: *login + zapi: + security-certificate-delete: + certificate-authority: "{{ certificate_authority }}" + common-name: "{{ certificate_authority }}" + serial-number: "{{ serial_number }}" + type: client-ca + vserver: "{{ vserver }}" + when: certificate_installed diff --git a/ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_install_SSL_certificate_REST.yml b/ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_install_SSL_certificate_REST.yml new file mode 100644 index 000000000..3abe6104e --- /dev/null +++ b/ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_install_SSL_certificate_REST.yml @@ -0,0 +1,202 @@ +# Example of installing a SSL certificate in ONTAP for authentication +# This playbook: +# 1. installs the certificate, or proceeds if the certificate is already installed, +# (this also enables SSL client authentication), +# 2. creates user account for cert authentication for ontapi and http applications, +# 3. validates that cert authentication works +# +# in test mode (using tags: -t all,testpb): +# 1b. the installation is repeated, to validate the check for idempotency (certificate already installed), +# 4. user account for cert authentication for ontapi and http applications is deleted, +# 6. if the certificate was installed in step 1, it is deleted. +# The certificate can be manually deleted using something like: +# security certificate delete -vserver trident_svm -common-name cert_user -ca cert_user -type * +# +# Prerequisites: +# you must have generated a certificate and have the certificate file (.pem) and the private key file available. +# This was tested using a self signed certificate: +# https://netapp.io/2016/11/08/certificate-based-authentication-netapp-manageability-sdk-ontap/ +- + name: Ontap Install SSL certificate and enable SSL certificate authentication + hosts: localhost + gather_facts: false + collections: + - netapp.ontap + vars: + # TODO: change these variable values from HERE to DONE: + ontap_admin_ip: 10.xxx.xxx.x19 + ontap_admin_username: admin + ontap_admin_password: xxxxxxxxx + # we recommend to use https, but it requires a valid SSL certificate + ontap_use_https: true + ontap_validate_certs: false + + # parameters to set up the certificate, ontap_cert_user must match the value of CN= when generating the certificate + ontap_cert_user: cert_user + ontap_cert_name: testme-cert + # data SVM, name and set role to vsadmin + svm: ansibleSVM + ontap_cert_role: vsadmin + # uncomment and leave the value empty for cluster certificate, set role to admin + # svm: + # ontap_cert_role: admin + # admin or SVM IP address (for admin, would the same as ontap_admin_ip) + ontap_svm_ip: 10.XXX.XXX.X21 + # certificate and private key files + cert_filepath: "/home/laurentn/atelier/wsl/ansible/ansible_collections/ansible_collection_ontap/test.pem" + key_filepath: "/home/laurentn/atelier/wsl/ansible/ansible_collections/ansible_collection_ontap/test.key" + # set this to false if the certificate is self-signed + validate_certs_for_ssl_auth: false + + # you can either copy/paste the certificate(s) from the pem file, respecting the identation: + ssl_certificate_inline: | + -----BEGIN CERTIFICATE----- + MXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxx + XXXXXXXXxxxxxxxxXXXXXXXXxxxxxxxxXXXXXXXXxx== + -----END CERTIFICATE----- + + # or read it directly from the pem file + ssl_certificate_from_file: "{{lookup('file', cert_filepath)}}" + + # pick one: + # ssl_certificate: "{{ ssl_certificate_inline }}" + ssl_certificate: "{{ ssl_certificate_from_file }}" + + # DONE - do not change anything else (unless you really want to) + + # this will be used to authenticate using SSL certificate + cert_login: &cert_login + hostname: "{{ ontap_admin_ip }}" + cert_filepath: "{{ cert_filepath }}" + key_filepath: "{{ key_filepath }}" + https: true + validate_certs: "{{ validate_certs_for_ssl_auth }}" + + login: &login + hostname: "{{ ontap_admin_ip }}" + username: "{{ ontap_admin_username }}" + password: "{{ ontap_admin_password }}" + https: "{{ ontap_use_https }}" + validate_certs: "{{ ontap_validate_certs }}" + + tasks: + - name: run ontap info module to check connectivity + na_ontap_info: + <<: *login + gather_subset: ontap_system_version + register: ontap + - debug: var=ontap.ontap_info.ontap_version + + - name: install certificate + na_ontap_security_certificates: + <<: *login + common_name: "{{ ontap_cert_user }}" + name: "{{ ontap_cert_name }}" + public_certificate: "{{ ssl_certificate }}" + type: client_ca + svm: "{{ svm }}" + register: result + - debug: var=result + - assert: {that: result.changed, quiet: true} + + - name: install certificate (idempotency test) + # use -t all,testpb when testing the playbook + tags: never,testpb + na_ontap_security_certificates: + <<: *login + common_name: "{{ ontap_cert_user }}" + name: "{{ ontap_cert_name }}" + public_certificate: "{{ ssl_certificate }}" + type: client_ca + svm: "{{ svm }}" + register: result + - debug: var=result + tags: never,testpb + - assert: {that: not result.changed, quiet: true} + tags: never,testpb + + - name: set up cert authentication for ontapi (ZAPI) and http (REST) + na_ontap_user: + <<: *login + applications: ontapi,http + authentication_method: cert + name: "{{ ontap_cert_user }}" + role_name: "{{ ontap_cert_role }}" + svm: "{{ svm }}" + use_rest: Always + register: result + - debug: var=result + tags: never,testpb + - assert: {that: result.changed, quiet: true} + tags: never,testpb + + - name: validate cert authentication is working for REST + na_ontap_rest_info: + <<: *cert_login + gather_subset: vserver_info + register: result + - debug: var=result + + - name: remove cert authentication for ontapi (ZAPI) and http (REST) when testing + tags: never,testpb + na_ontap_user: + <<: *login + state: absent + applications: ontapi,http + authentication_method: cert + name: "{{ ontap_cert_user }}" + role_name: "{{ ontap_cert_role }}" + svm: "{{ svm }}" + use_rest: Always + register: result + - debug: var=result + tags: never,testpb + - assert: {that: result.changed, quiet: true} + tags: never,testpb + + - name: delete certificate when testing + # use -t all,never when testing the playbook + tags: never,testpb,delete + na_ontap_security_certificates: + <<: *login + common_name: "{{ ontap_cert_user }}" + name: "{{ ontap_cert_name }}" + svm: "{{ svm }}" + state: absent + register: result + - debug: var=result + tags: never,testpb,delete + - assert: {that: result.changed, quiet: true} + tags: never,testpb,delete + + - name: delete certificate when testing (idempotemcy) + # use -t all,never when testing the playbook + tags: never,testpb,delete + na_ontap_security_certificates: + <<: *login + common_name: "{{ ontap_cert_user }}" + name: "{{ ontap_cert_name }}" + svm: "{{ svm }}" + state: absent + register: result + - debug: var=result + tags: never,testpb,delete + - assert: {that: not result.changed, quiet: true} + tags: never,testpb,delete diff --git a/ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_upgrade_firmware.yml b/ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_upgrade_firmware.yml new file mode 100644 index 000000000..c6d7ed5da --- /dev/null +++ b/ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_upgrade_firmware.yml @@ -0,0 +1,46 @@ +- + name: Ontap Upgrade Firmware + hosts: localhost + gather_facts: false + collections: + - netapp.ontap + vars: + # TODO: change these variable values + ontap_firmware_url: TBD + ontap_admin_ip: TBD + ontap_admin_username: admin + ontap_admin_password: TBD + # we recommend to use https, but it requires a valid SSL certificate + ontap_use_https: true + ontap_validate_certs: false + # DONE - do not change anything else + + login: &login + hostname: "{{ ontap_admin_ip }}" + username: "{{ ontap_admin_username }}" + password: "{{ ontap_admin_password }}" + https: "{{ ontap_use_https }}" + validate_certs: "{{ ontap_validate_certs }}" + + tasks: + - name: run ontap info module to check connectivity + na_ontap_info: + <<: *login + gather_subset: ontap_system_version + register: ontap + - debug: var=ontap + + - name: run ontap command module to validate access permissions + na_ontap_command: + <<: *login + command: version + return_dict: false + register: ontap + - debug: var=ontap + + - name: run ontap firmware download module + na_ontap_firmware_upgrade: + <<: *login + package_url: "{{ ontap_firmware_url }}" + register: ontap + - debug: var=ontap diff --git a/ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_upgrade_firmware_with_extra_vars.yml b/ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_upgrade_firmware_with_extra_vars.yml new file mode 100644 index 000000000..c5ebf0c38 --- /dev/null +++ b/ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_upgrade_firmware_with_extra_vars.yml @@ -0,0 +1,47 @@ +- + name: Ontap Upgrade Firmware + hosts: localhost + gather_facts: false + collections: + - netapp.ontap + vars: + # TODO: use --extra_vars to provide values for these variables + # ontap_firmware_url: TBD + # ontap_admin_ip: TBD + # ontap_admin_username: admin + # ontap_admin_password: TBD + # we recommend to use https, but it requires a valid SSL certificate + # if these variables are defined in --extra_vars, the following values are ignored + ontap_use_https: true + ontap_validate_certs: false + # do not change anything else + + login: &login + hostname: "{{ ontap_admin_ip }}" + username: "{{ ontap_admin_username }}" + password: "{{ ontap_admin_password }}" + https: "{{ ontap_use_https }}" + validate_certs: "{{ ontap_validate_certs }}" + + tasks: + - name: run ontap info module to check connectivity + na_ontap_info: + <<: *login + gather_subset: ontap_system_version + register: ontap + - debug: var=ontap + + - name: run ontap command module to validate access permissions + na_ontap_command: + <<: *login + command: version + return_dict: false + register: ontap + - debug: var=ontap + + - name: run ontap firmware download module + na_ontap_firmware_upgrade: + <<: *login + package_url: "{{ ontap_firmware_url }}" + register: ontap + - debug: var=ontap diff --git a/ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_upgrade_firmware_with_vars_file.yml b/ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_upgrade_firmware_with_vars_file.yml new file mode 100644 index 000000000..30a73cf12 --- /dev/null +++ b/ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_upgrade_firmware_with_vars_file.yml @@ -0,0 +1,45 @@ +- + name: Ontap Upgrade Firmware + hosts: localhost + gather_facts: false + collections: + - netapp.ontap + vars_files: + # TODO change this path as needed + - /tmp/ansible/ontap_vars_file.yml + vars: + # we recommend to use https, but it requires a valid SSL certificate + # if these variables are defined in the vars file, the following values are ignored + ontap_use_https: true + ontap_validate_certs: false + # DONE - do not change anything else + + login: &login + hostname: "{{ ontap_admin_ip }}" + username: "{{ ontap_admin_username }}" + password: "{{ ontap_admin_password }}" + https: "{{ ontap_use_https }}" + validate_certs: "{{ ontap_validate_certs }}" + + tasks: + - name: run ontap info module to check connectivity + na_ontap_info: + <<: *login + gather_subset: ontap_system_version + register: ontap + - debug: var=ontap + + - name: run ontap command module to validate access permissions + na_ontap_command: + <<: *login + command: version + return_dict: false + register: ontap + - debug: var=ontap + + - name: run ontap firmware download module + na_ontap_firmware_upgrade: + <<: *login + package_url: "{{ ontap_firmware_url }}" + register: ontap + - debug: var=ontap diff --git a/ansible_collections/netapp/ontap/playbooks/examples/ontap_vars_file.yml b/ansible_collections/netapp/ontap/playbooks/examples/ontap_vars_file.yml new file mode 100644 index 000000000..7675e295f --- /dev/null +++ b/ansible_collections/netapp/ontap/playbooks/examples/ontap_vars_file.yml @@ -0,0 +1,27 @@ +# TODO: change these variable values +ontap_admin_ip: TBD +# either username/passord credentials +ontap_admin_username: admin +ontap_admin_password: TBD +# or SSL certificate authentication +ontap_cert_filepath: "/home/TBD/test.pem" +ontap_key_filepath: "/home/TBD/test.key" +# we recommend to use https, but it requires a valid SSL certificate +ontap_use_https: true +ontap_validate_certs: false +# Optionally, SVM credentials +ontap_svm_admin_ip: TBD +ontap_svm_admin_username: vsadmin +ontap_svm_admin_password: TBD +# Optionally, to upgrade disk, shelf, acp firmware +ontap_firmware_url: TBD +# DONE - do not change anything else +# +# To use this file: +# option 1: use ansible-playbook command line argument --extra-vars=@<path to this file> +# for instance: +# ansible-playbook ansible_collections/netapp/ontap/playbooks/examples/na_ontap_pb_upgrade_firmware_with_extra_vars.yml --extra-vars=@/tmp/ansible/ontap_vars_file.yml +# option 2: include this file in your playbook using vars_files: +# for instance: +# vars_files: +# - <path to vars file> diff --git a/ansible_collections/netapp/ontap/playbooks/examples/rest_apis/clusters.yaml b/ansible_collections/netapp/ontap/playbooks/examples/rest_apis/clusters.yaml new file mode 100644 index 000000000..4048eb5c7 --- /dev/null +++ b/ansible_collections/netapp/ontap/playbooks/examples/rest_apis/clusters.yaml @@ -0,0 +1,19 @@ +admin_username: admin +admin_password: password +admin_ips: + - 10.10.10.11 + - 10.10.10.12 + - 10.10.10.21 +clusters: + cluster1: + admin_username: "{{ admin_username }}" + admin_password: "{{ admin_password }}" + admin_ip: "{{ admin_ips[0] }}" + cluster1_node1: + admin_username: "{{ admin_username }}" + admin_password: "{{ admin_password }}" + admin_ip: "{{ admin_ips[1] }}" + cluster2: + admin_username: "{{ admin_username }}" + admin_password: "{{ admin_password }}" + admin_ip: "{{ admin_ips[2] }}" diff --git a/ansible_collections/netapp/ontap/playbooks/examples/rest_apis/list_aggregates.yaml b/ansible_collections/netapp/ontap/playbooks/examples/rest_apis/list_aggregates.yaml new file mode 100644 index 000000000..a901760e3 --- /dev/null +++ b/ansible_collections/netapp/ontap/playbooks/examples/rest_apis/list_aggregates.yaml @@ -0,0 +1,42 @@ +- + name: ONTAP list aggregates + gather_facts: false + hosts: localhost + collections: + - netapp.ontap + + module_defaults: + group/netapp.ontap.netapp_ontap: + hostname: '{{ clusters.cluster1.admin_ip }}' + username: '{{ clusters.cluster1.admin_username }}' + password: '{{ clusters.cluster1.admin_password }}' + https: true + validate_certs: false + + tasks: + - name: list aggregates + netapp.ontap.na_ontap_rest_info: + gather_subset: + - storage/aggregates + fields: 'block_storage,space' + # store the results to use them in another task + register: aggregates + +# call this play as: +# +# ansible-playbook -v list_aggregates.yaml -e@clusters.yaml +# +# with clusters.yaml providing credentials and IP addresses to connect to a cluster, eg: +# +# clusters: +# cluster1: +# admin_username: "{{ admin_username }}" +# admin_password: "{{ admin_password }}" +# admin_ip: "{{ admin_ips[0] }}" +# cluster2: +# admin_username: "{{ admin_username }}" +# admin_password: "{{ admin_password }}" +# admin_ip: "{{ admin_ips[1] }}" +# +# NOTE: module_defaults requires Ansible 2.12 as a minimum. +# With earlier versions of Ansible, move the values from lines 10 to 14 under the tasks, or use an alias. diff --git a/ansible_collections/netapp/ontap/playbooks/examples/rest_apis/volumes.yml b/ansible_collections/netapp/ontap/playbooks/examples/rest_apis/volumes.yml new file mode 100644 index 000000000..89e518dff --- /dev/null +++ b/ansible_collections/netapp/ontap/playbooks/examples/rest_apis/volumes.yml @@ -0,0 +1,160 @@ +- + name: Ontap REST API + hosts: localhost + gather_facts: false + collections: + - netapp.ontap + vars: + admin_ip: XXX.XXX.XXX.XXX + admin_username: XXXXXXXX + admin_password: XXXXXXXX + svm_name: ansibleSVM + + login: &login + hostname: "{{ admin_ip }}" + username: "{{ admin_username }}" + password: "{{ admin_password }}" + https: true + validate_certs: false + feature_flags: + trace_apis: true + tasks: + - name: run ontap REST API command as cluster admin - get version + na_ontap_restit: + <<: *login + api: cluster/software + query: + fields: version + register: result + - assert: {that: result.status_code==200, quiet: true} + + - name: run ontap REST API command as cluster admin - get list of SVMs + na_ontap_restit: + <<: *login + api: svm/svms + register: result + - assert: {that: result.status_code==200, quiet: true} + + - name: run ontap REST API command as cluster admin - get list of aggregates for this SVM + na_ontap_restit: + <<: *login + api: svm/svms + query: + fields: aggregates,cifs,nfs,uuid + query_fields: name + query: "{{ svm_name }}" + hal_linking: true + register: result + + - name: run ontap REST API command as cluster admin - delete volume + tags: create + na_ontap_restit: + <<: *login + api: storage/volumes + query: # query based DELETE does not require a UUID + name: deleteme_ln1 + svm.name: "{{ svm_name }}" + method: DELETE + wait_for_completion: true + register: result + + - name: run ontap REST API command as cluster admin - create volume + tags: create + na_ontap_restit: + <<: *login + api: storage/volumes + body: + name: deleteme_ln1 + aggregates.name: + - aggr1 + svm.name: "{{ svm_name }}" + method: POST + wait_for_completion: true + register: result + - assert: {that: result.response.job_response=='success', quiet: true} + + - name: run ontap REST API command as cluster admin - create volume - already exists! + tags: create + na_ontap_restit: + <<: *login + api: storage/volumes + body: + name: deleteme_ln1 + aggregates.name: + - aggr1 + svm.name: "{{ svm_name }}" + method: POST + wait_for_completion: true + ignore_errors: true + register: result + - assert: + that: msg in result.error_message + quiet: true + vars: + msg: 'Duplicate volume name' + + - name: run ontap REST API command as cluster admin - patch volume (rename) + tags: create + na_ontap_restit: + <<: *login + api: storage/volumes + query: # query based DELETE does not require a UUID + name: deleteme_ln1 + svm.name: "{{ svm_name }}" + body: + name: deleteme_ln2 + method: PATCH + wait_for_completion: true + register: result + + - name: run ontap REST API command as cluster admin - delete volume + tags: create + na_ontap_restit: + <<: *login + api: storage/volumes + query: # query based DELETE does not require a UUID + name: deleteme_ln2 + svm.name: "{{ svm_name }}" + method: DELETE + wait_for_completion: true + register: result + + - name: run ontap REST API command as cluster admin - create volume (vserver tunneling) + tags: create + na_ontap_restit: + <<: *login + api: storage/volumes + body: + name: deleteme_ln1 + aggregates.name: + - aggr1 + vserver_name: "{{ svm_name }}" + method: POST + wait_for_completion: true + register: result + + - name: run ontap REST API command as cluster admin - patch volume (rename) (vserver tunneling) + tags: create + na_ontap_restit: + <<: *login + api: storage/volumes + query: # query based DELETE does not require a UUID + name: deleteme_* + vserver_name: "{{ svm_name }}" + body: + name: deleteme_ln2 + method: PATCH + wait_for_completion: true + register: result + + - name: run ontap REST API command as cluster admin - delete volume (vserver tunneling) + tags: create + na_ontap_restit: + <<: *login + api: storage/volumes + query: # query based DELETE does not require a UUID + name: deleteme_ln2 + vserver_name: "{{ svm_name }}" + method: DELETE + wait_for_completion: true + register: result diff --git a/ansible_collections/netapp/ontap/playbooks/examples/support/debug_connectivity.yaml b/ansible_collections/netapp/ontap/playbooks/examples/support/debug_connectivity.yaml new file mode 100644 index 000000000..3c664c058 --- /dev/null +++ b/ansible_collections/netapp/ontap/playbooks/examples/support/debug_connectivity.yaml @@ -0,0 +1,42 @@ +- + name: ONTAP connect + hosts: localhost + gather_facts: false + collections: + - netapp.ontap + + tasks: + - name: debug connectivity using admin management interface or vsadmin interface + # use this to validate ZAPI and REST connectivity + # - with admin management interface, use admin or a user with admin privileges + # - with vsadmin management interface, use vsadmin or a user with vsadmin privileges + # for better formatting, you may use: + # export ANSIBLE_STDOUT_CALLBACK=minimal + # run this as: + # ansible-playbook -v ansible_collections/netapp/ontap/playbooks/examples/support/debug_connectivity.yaml + # after updating the values for hostname, username, and password + tags: + - admin + - vsadmin + na_ontap_debug: + hostname: "ip address of management interface, or of vserver interface" + username: "xxxx" + password: "yyyy" + https: true + validate_certs: false + + - name: debug connectivity using admin interface, validate vserver configuration + # use this to validate ZAPI and REST connectivity, and check vserver is reachable + # with admin management interface, use admin or a user with admin privileges + # run this as + # ansible-playbook -v ansible_collections/netapp/ontap/playbooks/examples/support/debug_connectivity.yaml -t admin_and_vserver + tags: + - never + - admin_and_vserver + na_ontap_debug: + hostname: "ip_address_of_management_interface" + username: "xxxx" + password: "yyyy" + vserver: "svm name" + https: true + validate_certs: false |