-rw-r--r--.tito/packages/openshift-ansible2
-rw-r--r--openshift-ansible.spec95
-rw-r--r--playbooks/aws/provisioning_vars.yml.example18
-rw-r--r--playbooks/byo/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml2
-rw-r--r--playbooks/common/openshift-cluster/upgrades/post_control_plane.yml4
-rw-r--r--playbooks/common/openshift-cluster/upgrades/pre/config.yml2
-rw-r--r--playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml22
-rw-r--r--playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml39
-rw-r--r--playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml15
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_9/upgrade.yml1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml35
-rw-r--r--playbooks/deploy_cluster.yml8
-rw-r--r--playbooks/init/evaluate_groups.yml6
-rw-r--r--playbooks/openshift-master/private/tasks/wire_aggregator.yml86
-rw-r--r--roles/container_runtime/defaults/main.yml4
-rw-r--r--roles/container_runtime/templates/docker_storage_setup.j24
-rw-r--r--roles/installer_checkpoint/callback_plugins/installer_checkpoint.py4
-rw-r--r--roles/lib_openshift/library/oc_group.py2
-rw-r--r--roles/lib_openshift/src/class/oc_group.py2
-rw-r--r--roles/lib_utils/filter_plugins/oo_filters.py60
-rw-r--r--roles/lib_utils/filter_plugins/openshift_aws_filters.py16
-rw-r--r--roles/lib_utils/library/swapoff.py137
-rw-r--r--roles/openshift_aws/defaults/main.yml7
-rw-r--r--roles/openshift_aws/tasks/elb.yml2
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-job.yaml28
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-pvc.yaml10
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-backup-example.yaml13
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-db-example.yaml45
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-region-example.yaml13
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-server-example.yaml45
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-restore-job.yaml35
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-scc-sysadmin.yaml38
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template-ext-db.yaml956
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template.yaml1424
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-job.yaml28
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-pvc.yaml10
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-backup-example.yaml13
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-db-example.yaml45
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-region-example.yaml13
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-server-example.yaml45
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-restore-job.yaml35
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-scc-sysadmin.yaml38
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template-ext-db.yaml956
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template.yaml1424
-rw-r--r--roles/openshift_examples/files/examples/v3.9/db-templates/mariadb-ephemeral-template.json15
-rw-r--r--roles/openshift_examples/files/examples/v3.9/db-templates/mariadb-persistent-template.json15
-rw-r--r--roles/openshift_examples/files/examples/v3.9/db-templates/mysql-ephemeral-template.json4
-rw-r--r--roles/openshift_examples/files/examples/v3.9/db-templates/mysql-persistent-template.json4
-rw-r--r--roles/openshift_examples/files/examples/v3.9/db-templates/postgresql-ephemeral-template.json16
-rw-r--r--roles/openshift_examples/files/examples/v3.9/db-templates/postgresql-persistent-template.json16
-rw-r--r--roles/openshift_examples/files/examples/v3.9/image-streams/image-streams-centos7.json273
-rw-r--r--roles/openshift_examples/files/examples/v3.9/image-streams/image-streams-rhel7.json199
-rw-r--r--roles/openshift_examples/files/examples/v3.9/quickstart-templates/README.md1
-rw-r--r--roles/openshift_examples/files/examples/v3.9/quickstart-templates/cakephp-mysql-persistent.json6
-rw-r--r--roles/openshift_examples/files/examples/v3.9/quickstart-templates/cakephp-mysql.json6
-rw-r--r--roles/openshift_examples/files/examples/v3.9/quickstart-templates/dancer-mysql-persistent.json4
-rw-r--r--roles/openshift_examples/files/examples/v3.9/quickstart-templates/dancer-mysql.json4
-rw-r--r--roles/openshift_examples/files/examples/v3.9/quickstart-templates/django-postgresql-persistent.json4
-rw-r--r--roles/openshift_examples/files/examples/v3.9/quickstart-templates/django-postgresql.json4
-rw-r--r--roles/openshift_examples/files/examples/v3.9/quickstart-templates/httpd.json4
-rw-r--r--roles/openshift_examples/files/examples/v3.9/quickstart-templates/nginx.json283
-rw-r--r--roles/openshift_examples/files/examples/v3.9/quickstart-templates/nodejs-mongodb-persistent.json3
-rw-r--r--roles/openshift_examples/files/examples/v3.9/quickstart-templates/nodejs-mongodb.json4
-rw-r--r--roles/openshift_examples/files/examples/v3.9/quickstart-templates/rails-postgresql-persistent.json4
-rw-r--r--roles/openshift_examples/files/examples/v3.9/quickstart-templates/rails-postgresql.json4
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py3
-rw-r--r--roles/openshift_health_checker/openshift_checks/docker_image_availability.py21
-rw-r--r--roles/openshift_health_checker/test/docker_image_availability_test.py39
-rw-r--r--roles/openshift_hosted/defaults/main.yml2
-rw-r--r--roles/openshift_hosted/tasks/registry.yml2
-rw-r--r--roles/openshift_loadbalancer/templates/haproxy.cfg.j23
-rw-r--r--roles/openshift_logging/tasks/install_logging.yaml2
-rw-r--r--roles/openshift_logging_elasticsearch/tasks/restart_cluster.yml160
-rw-r--r--roles/openshift_logging_elasticsearch/tasks/restart_es_node.yml4
-rw-r--r--roles/openshift_manage_node/defaults/main.yml3
-rw-r--r--roles/openshift_manage_node/tasks/config.yml27
-rw-r--r--roles/openshift_manage_node/tasks/main.yml23
-rw-r--r--roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml2
-rw-r--r--roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml2
-rw-r--r--roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml219
-rw-r--r--roles/openshift_management/files/templates/cloudforms/cfme-template.yaml221
-rw-r--r--roles/openshift_master/templates/master.yaml.v1.j23
-rw-r--r--roles/openshift_metrics/tasks/install_metrics.yaml2
-rw-r--r--roles/openshift_node/defaults/main.yml1
-rw-r--r--roles/openshift_node/tasks/main.yml32
-rw-r--r--roles/openshift_node/tasks/upgrade/config_changes.yml28
-rw-r--r--roles/openshift_node/tasks/upgrade_pre.yml13
-rw-r--r--roles/openshift_node/templates/node.service.j22
-rw-r--r--roles/openshift_node/templates/openshift.docker.node.service2
-rw-r--r--roles/openshift_prometheus/README.md2
-rw-r--r--roles/openshift_prometheus/defaults/main.yaml2
-rw-r--r--roles/openshift_sanitize_inventory/tasks/deprecations.yml9
-rw-r--r--roles/openshift_sanitize_inventory/tasks/unsupported.yml3
-rw-r--r--roles/openshift_sanitize_inventory/vars/main.yml2
-rw-r--r--roles/openshift_service_catalog/templates/api_server.j22
-rw-r--r--roles/openshift_service_catalog/templates/controller_manager.j22
-rw-r--r--roles/openshift_storage_nfs/templates/exports.j216
-rw-r--r--roles/openshift_version/defaults/main.yml1
-rw-r--r--roles/openshift_version/tasks/first_master.yml6
-rw-r--r--roles/openshift_web_console/defaults/main.yml2
-rw-r--r--roles/openshift_web_console/files/console-config.yaml (renamed from files/origin-components/console-config.yaml)0
-rw-r--r--roles/openshift_web_console/files/console-rbac-template.yaml (renamed from files/origin-components/console-rbac-template.yaml)0
-rw-r--r--roles/openshift_web_console/files/console-template.yaml (renamed from files/origin-components/console-template.yaml)6
-rw-r--r--roles/openshift_web_console/tasks/install.yml2
-rw-r--r--roles/openshift_web_console/tasks/remove_old_asset_config.yml19
-rw-r--r--roles/openshift_web_console/vars/main.yml2
-rw-r--r--roles/template_service_broker/files/apiserver-config.yaml (renamed from files/origin-components/apiserver-config.yaml)0
-rw-r--r--roles/template_service_broker/files/apiserver-template.yaml (renamed from files/origin-components/apiserver-template.yaml)0
-rw-r--r--roles/template_service_broker/files/rbac-template.yaml (renamed from files/origin-components/rbac-template.yaml)0
-rw-r--r--roles/template_service_broker/files/template-service-broker-registration.yaml (renamed from files/origin-components/template-service-broker-registration.yaml)0
-rw-r--r--roles/template_service_broker/tasks/install.yml2
-rw-r--r--roles/template_service_broker/tasks/remove.yml2
-rw-r--r--roles/template_service_broker/vars/main.yml2
119 files changed, 6210 insertions, 1354 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index d6dd5a3c8..c5214c999 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.9.0-0.23.0 ./
+3.9.0-0.31.0 ./
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index 719e54eb9..f01c923d2 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -10,7 +10,7 @@
Name: openshift-ansible
Version: 3.9.0
-Release: 0.23.0%{?dist}
+Release: 0.31.0%{?dist}
Summary: Openshift and Atomic Enterprise Ansible
License: ASL 2.0
URL: https://github.com/openshift/openshift-ansible
@@ -65,9 +65,6 @@ rm -f %{buildroot}%{python_sitelib}/openshift_ansible/gce
mkdir -p docs/example-inventories
cp inventory/hosts.* inventory/README.md docs/example-inventories/
-# openshift-ansible-files install
-cp -rp files %{buildroot}%{_datadir}/ansible/%{name}/
-
# openshift-ansible-playbooks install
cp -rp playbooks %{buildroot}%{_datadir}/ansible/%{name}/
# remove contiv plabooks
@@ -101,7 +98,6 @@ popd
%doc README*
%license LICENSE
%dir %{_datadir}/ansible/%{name}
-%{_datadir}/ansible/%{name}/files
%{_datadir}/ansible/%{name}/inventory/dynamic
%ghost %{_datadir}/ansible/%{name}/playbooks/common/openshift-master/library.rpmmoved
@@ -204,6 +200,95 @@ Atomic OpenShift Utilities includes
%changelog
+* Sat Jan 27 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.31.0
+- removed references to 'files' dir in spec file (dyocum@redhat.com)
+- files in ansible roles do not need to have the path specified to them when
+ referenced by a builtin module, i.e., copy: (dyocum@redhat.com)
+- moving files to their correct <role>/files dir for the openshift_web_console
+ and template_service_broker roles (dyocum@redhat.com)
+
+* Fri Jan 26 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.30.0
+- Removing dependency on the extra stroage device. (kwoodson@redhat.com)
+
+* Fri Jan 26 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.29.0
+- Add prometheus annotations to console service (spadgett@redhat.com)
+- Add resource requests to console template (spadgett@redhat.com)
+- ignore 'users' field in oc_group module (jdiaz@redhat.com)
+
+* Fri Jan 26 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.28.0
+- Updating deprecations to use callback plugin (ewolinet@redhat.com)
+- Run console pods on the master (spadgett@redhat.com)
+
+* Fri Jan 26 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.26.0
+- docker_image_availability: containerized overrides (lmeyer@redhat.com)
+- Remove old assetConfig from master-config.yaml (spadgett@redhat.com)
+- Don't emit assetConfig on 3.9 (sdodson@redhat.com)
+
+* Fri Jan 26 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.25.0
+- [1502838] Correct certificate alt name parsing (rteague@redhat.com)
+- sync imagestreams+templates from origin master for v3.9 (bparees@redhat.com)
+- node: specify bind option to /root/.docker (gscrivan@redhat.com)
+- [1530403] Improve etcd group error message (rteague@redhat.com)
+- Only automatically restart if cluster is in yellow or green state
+ (ewolinet@redhat.com)
+- openshift_manage_node: Label nodes in one pass (vrutkovs@redhat.com)
+- Redeploy etcd certificates during upgrade when etcd hostname not present in
+ etcd serving cert SAN. (abutcher@redhat.com)
+- Create swapoff module (mgugino@redhat.com)
+- Label masters with node-role.kubernetes.io/master. This PR also sets these
+ labels and scheduling status during upgrades (vrutkovs@redhat.com)
+- [1537946] Correct conditional check for GlusterFS IPs (rteague@redhat.com)
+- Remove unused node.lables from openshift_facts (mgugino@redhat.com)
+- Change dnsmasq Requires to Wants.
+ https://bugzilla.redhat.com/show_bug.cgi?id=1532960 (rchopra@redhat.com)
+- Set a default for openshift_hosted_registry_storage_azure_blob_realm
+ (sdodson@redhat.com)
+- openshift_prometheus: remove block duration settings (pgier@redhat.com)
+
+* Wed Jan 24 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.24.0
+- Update CF 4.6 Beta templates in openshift_management directory
+ (simaishi@redhat.com)
+- installer: increase content width for commands, which may output URLs
+ (vrutkovs@redhat.com)
+- Only rollout console if config changed (spadgett@redhat.com)
+- Protect master installed version during node upgrades (mgugino@redhat.com)
+- [1506866] Update haproxy.cfg.j2 (rteague@redhat.com)
+- Split control plane and component install in deploy_cluster
+ (ccoleman@redhat.com)
+- Add clusterResourceOverridesEnabled to console config (spadgett@redhat.com)
+- [1537105] Add openshift_facts to flannel role (rteague@redhat.com)
+- PyYAML is required by openshift_facts on nodes (ccoleman@redhat.com)
+- Move origin-gce roles and playbooks into openshift-ansible
+ (ccoleman@redhat.com)
+- Directly select the ansible version (ccoleman@redhat.com)
+- use non-deprecated REGISTRY_OPENSHIFT_SERVER_ADDR variable to set the
+ registry hostname (bparees@redhat.com)
+- update Dockerfile to add boto3 dependency (jdiaz@redhat.com)
+- Lowercase node names when creating certificates (vrutkovs@redhat.com)
+- NFS Storage: make sure openshift_hosted_*_storage_nfs_directory are quoted
+ (vrutkovs@redhat.com)
+- Fix etcd scaleup playbook (mgugino@redhat.com)
+- Bug 1524805- ServiceCatalog now works disconnected (fabian@fabianism.us)
+- [1506750] Ensure proper hostname check override (rteague@redhat.com)
+- failed_when lists are implicitely ANDs, not ORs (vrutkovs@redhat.com)
+- un-hardcode default subnet az (jdiaz@redhat.com)
+- Ensure that node names are lowerecased before matching (sdodson@redhat.com)
+- Bug 1534020 - Only set logging and metrics URLs if console config map exists
+ (spadgett@redhat.com)
+- Add templates to v3.9 (simaishi@redhat.com)
+- Use Beta repo path (simaishi@redhat.com)
+- CF 4.6 templates (simaishi@redhat.com)
+- Add ability to mount volumes into system container nodes (mgugino@redhat.com)
+- Fix to master-internal elb scheme (mazzystr@gmail.com)
+- Allow 5 etcd hosts (sdodson@redhat.com)
+- Remove unused symlink (sdodson@redhat.com)
+- docker_creds: fix python3 exception (gscrivan@redhat.com)
+- docker_creds: fix python3 exception (gscrivan@redhat.com)
+- docker: use image from CentOS and Fedora registries (gscrivan@redhat.com)
+- crio: use Docker and CentOS registries for the image (gscrivan@redhat.com)
+- The provision_install file ends in yml not yaml! Ansible requirement
+ clarification. (mbruzek@gmail.com)
+
* Tue Jan 23 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.23.0
- docker_image_availability: enable skopeo to use proxies (lmeyer@redhat.com)
- Install base_packages earlier (mgugino@redhat.com)
diff --git a/playbooks/aws/provisioning_vars.yml.example b/playbooks/aws/provisioning_vars.yml.example
index f6b1a6b5d..a1a8a5b08 100644
--- a/playbooks/aws/provisioning_vars.yml.example
+++ b/playbooks/aws/provisioning_vars.yml.example
@@ -41,11 +41,27 @@ openshift_pkg_version: # -3.7.0
# a vpc, set this to false.
#openshift_aws_create_vpc: true
+# when openshift_aws_create_vpc is true (the default), the VPC defined in
+# openshift_aws_vpc will be created
+#openshift_aws_vpc:
+# name: "{{ openshift_aws_vpc_name }}"
+# cidr: 172.31.0.0/16
+# subnets:
+# us-east-1:
+# - cidr: 172.31.48.0/20
+# az: "us-east-1c"
+# default_az: true
+# - cidr: 172.31.32.0/20
+# az: "us-east-1e"
+# - cidr: 172.31.16.0/20
+# az: "us-east-1a"
+
# Name of the vpc. Needs to be set if using a pre-existing vpc.
#openshift_aws_vpc_name: "{{ openshift_aws_clusterid }}"
# Name of the subnet in the vpc to use. Needs to be set if using a pre-existing
-# vpc + subnet.
+# vpc + subnet. Otherwise will use the subnet with 'default_az' set (see above
+# example VPC structure)
#openshift_aws_subnet_az:
# -------------- #
diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml b/playbooks/byo/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml
index 869e185af..c8f397186 100644
--- a/playbooks/byo/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml
+++ b/playbooks/byo/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml
@@ -12,3 +12,5 @@
# You can run the upgrade_nodes.yml playbook after this to upgrade these components separately.
#
- import_playbook: ../../../../common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml
+
+- import_playbook: ../../../../openshift-master/private/restart.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
index f790fd98d..de612da21 100644
--- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
@@ -6,7 +6,9 @@
hosts: oo_first_master
roles:
- role: openshift_web_console
- when: openshift_web_console_install | default(true) | bool
+ when:
+ - openshift_web_console_install | default(true) | bool
+ - openshift_upgrade_target is version_compare('3.9','>=')
- name: Upgrade default router and default registry
hosts: oo_first_master
diff --git a/playbooks/common/openshift-cluster/upgrades/pre/config.yml b/playbooks/common/openshift-cluster/upgrades/pre/config.yml
index da63450b8..2b27f8dd0 100644
--- a/playbooks/common/openshift-cluster/upgrades/pre/config.yml
+++ b/playbooks/common/openshift-cluster/upgrades/pre/config.yml
@@ -49,7 +49,7 @@
# to a more specific version, respecting openshift_image_tag and openshift_pkg_version if
# defined, and overriding the normal behavior of protecting the installed version
openshift_release: "{{ openshift_upgrade_target }}"
- openshift_protect_installed_version: False
+ # openshift_protect_installed_version is passed n via upgrade_control_plane.yml
# l_openshift_version_set_hosts is passed via upgrade_control_plane.yml
# l_openshift_version_check_hosts is passed via upgrade_control_plane.yml
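Review bot: The replacement comment on the added line reads `passed n via`, which looks like a typo for `passed in via`; suggested text: `# openshift_protect_installed_version is passed in via upgrade_control_plane.yml`. Because the hard-coded `False` is dropped from this vars block, any importer of pre/config.yml that does not pass the variable now gets whatever default applies elsewhere. The v3_6 to v3_9 upgrade playbooks in this commit do pass it, but other importers are not visible here and are worth checking. The play this vars block belongs to starts outside the hunk.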
diff --git a/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml b/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml
index 693ab2d96..5ee8a9d78 100644
--- a/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml
+++ b/playbooks/common/openshift-cluster/upgrades/pre/verify_cluster.yml
@@ -92,3 +92,25 @@
state: started
enabled: yes
with_items: "{{ master_services }}"
+
+# Until openshift-ansible is determining which host is the CA host we
+# must (unfortunately) ensure that the first host in the etcd group is
+# the etcd CA host.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1469358
+- name: Verify we can proceed on first etcd
+ hosts: oo_first_etcd
+ gather_facts: no
+ tasks:
+ - name: Ensure CA exists on first etcd
+ stat:
+ path: /etc/etcd/generated_certs
+ register: __etcd_ca_stat
+
+ - fail:
+ msg: >
+ In order to correct an etcd certificate signing problem
+ upgrading may require re-generating etcd certificates. Please
+ ensure that the /etc/etcd/generated_certs directory exists on
+ the first host defined in your [etcd] group.
+ when:
+ - not __etcd_ca_stat.stat.exists | bool
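Review bot: The guard on the new `fail` task tests only `stat.exists`, so a regular file at /etc/etcd/generated_certs passes even though the message asks for a directory. `- not (__etcd_ca_stat.stat.isdir | default(false))` matches the wording (with `follow: yes` on the `stat` if a symlinked directory should count). The `fail` task also has no `name`; `- name: Fail when the etcd CA directory is missing on the first etcd host` would make an aborted upgrade self-explanatory in the log. Existence of the directory says nothing about the CA material inside it, so a comment marking this as a coarse pre-check would help the next reader.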
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
index e89f06f17..a10fd4bee 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml
@@ -2,6 +2,30 @@
###############################################################################
# Upgrade Masters
###############################################################################
+
+# Prior to 3.6, openshift-ansible created etcd serving certificates
+# without a SubjectAlternativeName entry for the system hostname. The
+# SAN list in Go 1.8 is now (correctly) authoritative and since
+# openshift-ansible configures masters to talk to etcd hostnames
+# rather than IP addresses, we must correct etcd certificates.
+#
+# This play examines the etcd serving certificate SANs on each etcd
+# host and records whether or not the system hostname is missing.
+- name: Examine etcd serving certificate SAN
+ hosts: oo_etcd_to_config
+ tasks:
+ - slurp:
+ src: /etc/etcd/server.crt
+ register: etcd_serving_cert
+ - set_fact:
+ __etcd_cert_lacks_hostname: "{{ (openshift.common.hostname not in (etcd_serving_cert.content | b64decode | lib_utils_oo_parse_certificate_san)) | bool }}"
+
+# Redeploy etcd certificates when hostnames were missing from etcd
+# serving certificate SANs.
+- import_playbook: ../../../openshift-etcd/redeploy-certificates.yml
+ when:
+ - true in hostvars | lib_utils_oo_select_keys(groups['oo_etcd_to_config']) | lib_utils_oo_collect('__etcd_cert_lacks_hostname') | default([false])
+
- name: Backup and upgrade etcd
import_playbook: ../../../openshift-etcd/private/upgrade_main.yml
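Review bot: The `set_fact` expression tests `openshift.common.hostname not in (...)` verbatim, while DNS names in a SAN are compared case-insensitively. A hostname that differs from the certificate only in case would therefore be recorded as missing and would trigger the etcd certificate redeploy that follows. If `lib_utils_oo_parse_certificate_san` returns a list of names (its definition is outside this hunk), comparing `openshift.common.hostname | lower` against `... | map('lower') | list` avoids that. Both tasks in the new play are unnamed; `- name: Read etcd serving certificate` and `- name: Record whether the serving certificate SAN lacks the system hostname` would show in the run log why a redeploy happened. `slurp` also fails outright when /etc/etcd/server.crt is absent, which deserves a comment if that is the intended behaviour.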
@@ -310,13 +334,8 @@
- import_role:
name: openshift_node
tasks_from: upgrade.yml
- - name: Set node schedulability
- oc_adm_manage_node:
- node: "{{ openshift.node.nodename | lower }}"
- schedulable: True
- delegate_to: "{{ groups.oo_first_master.0 }}"
- retries: 10
- delay: 5
- register: node_schedulable
- until: node_schedulable is succeeded
- when: node_unschedulable is changed
+ - import_role:
+ name: openshift_manage_node
+ tasks_from: config.yml
+ vars:
+ openshift_master_host: "{{ groups.oo_first_master.0 }}"
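Review bot: The removed task re-enabled scheduling only `when: node_unschedulable is changed` and retried up to 10 times, while the replacement `import_role` of `openshift_manage_node` with `tasks_from: config.yml` carries no condition in this hunk. Unless config.yml keeps an equivalent guard (the file is outside this hunk), a master that an administrator had cordoned before the upgrade could come back schedulable. A short comment above the import naming the variable config.yml uses to decide schedulability would settle this. The same replacement is made in playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml, where the point applies equally. The task list this belongs to starts outside the hunk.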
diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
index 850442b3b..915fae9fd 100644
--- a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
+++ b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml
@@ -50,16 +50,11 @@
- import_role:
name: openshift_node
tasks_from: upgrade.yml
- - name: Set node schedulability
- oc_adm_manage_node:
- node: "{{ openshift.node.nodename | lower }}"
- schedulable: True
- delegate_to: "{{ groups.oo_first_master.0 }}"
- retries: 10
- delay: 5
- register: node_schedulable
- until: node_schedulable is succeeded
- when: node_unschedulable is changed
+ - import_role:
+ name: openshift_manage_node
+ tasks_from: config.yml
+ vars:
+ openshift_master_host: "{{ groups.oo_first_master.0 }}"
- name: Re-enable excluders
hosts: oo_nodes_to_upgrade:!oo_masters_to_config
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml
index d520c6aee..a2d21b69f 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml
@@ -23,6 +23,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config:oo_nodes_to_upgrade"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_nodes_to_config:oo_masters_to_config"
+ openshift_protect_installed_version: False
- import_playbook: validator.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml
index d88880140..9aa5a3b64 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml
@@ -35,6 +35,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_masters_to_config"
+ openshift_protect_installed_version: False
- import_playbook: validator.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml
index 4daa9e490..cc2ec2709 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml
@@ -23,6 +23,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config:oo_nodes_to_upgrade"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_nodes_to_config:oo_masters_to_config"
+ openshift_protect_installed_version: False
- import_playbook: validator.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml
index ce069e2d0..b1ecc75d3 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml
@@ -35,6 +35,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_masters_to_config"
+ openshift_protect_installed_version: False
- import_playbook: validator.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml
index a9bf354cc..a73b7d63a 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml
@@ -23,6 +23,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config:oo_nodes_to_upgrade"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_nodes_to_config:oo_masters_to_config"
+ openshift_protect_installed_version: False
- import_playbook: validator.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml
index 3f26a6297..723b2e533 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml
@@ -36,6 +36,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_masters_to_config"
+ openshift_protect_installed_version: False
- import_playbook: validator.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade.yml
index 20e0c165e..bf6e8605e 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade.yml
@@ -20,6 +20,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config:oo_nodes_to_upgrade"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_nodes_to_config:oo_masters_to_config"
+ openshift_protect_installed_version: False
- import_playbook: validator.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml
index 0f48725f6..fe1fdefff 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml
@@ -25,10 +25,18 @@
openshift_upgrade_target: '3.8'
openshift_upgrade_min: '3.7'
openshift_release: '3.8'
- _requested_pkg_version: "{{openshift_pkg_version if openshift_pkg_version is defined else omit }}"
- _requested_image_tag: "{{openshift_image_tag if openshift_image_tag is defined else omit }}"
+ _requested_pkg_version: "{{ openshift_pkg_version if openshift_pkg_version is defined else omit }}"
+ _requested_image_tag: "{{ openshift_image_tag if openshift_image_tag is defined else omit }}"
+ l_double_upgrade_cp: True
when: hostvars[groups.oo_first_master.0].openshift_currently_installed_version | version_compare('3.8','<')
+ - name: set l_force_image_tag_to_version = True
+ set_fact:
+ # Need to set this during 3.8 upgrade to ensure image_tag is set correctly
+ # to match 3.8 version
+ l_force_image_tag_to_version: True
+ when: _requested_image_tag is defined
+
- import_playbook: ../pre/config.yml
# These vars a meant to exclude oo_nodes from plays that would otherwise include
# them by default.
@@ -41,6 +49,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_masters_to_config"
+ openshift_protect_installed_version: False
when: hostvars[groups.oo_first_master.0].openshift_currently_installed_version | version_compare('3.8','<')
- name: Flag pre-upgrade checks complete for hosts without errors 3.8
@@ -68,7 +77,20 @@
openshift_upgrade_min: '3.8'
openshift_release: '3.9'
openshift_pkg_version: "{{ _requested_pkg_version | default ('-3.9*') }}"
- openshift_image_tag: "{{ _requested_image_tag | default('v3.9') }}"
+ # Set the user's specified image_tag for 3.9 upgrade if it was provided.
+ - set_fact:
+ openshift_image_tag: "{{ _requested_image_tag }}"
+ l_force_image_tag_to_version: False
+ when: _requested_image_tag is defined
+ # If the user didn't specify an image_tag, we need to force update image_tag
+ # because it will have already been set during 3.8. If we aren't running
+ # a double upgrade, then we can preserve image_tag because it will still
+ # be the user provided value.
+ - set_fact:
+ l_force_image_tag_to_version: True
+ when:
+ - l_double_upgrade_cp is defined and l_double_upgrade_cp
+ - _requested_image_tag is not defined
- import_playbook: ../pre/config.yml
# These vars a meant to exclude oo_nodes from plays that would otherwise include
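Review bot: The two added `set_fact` tasks have no `name`, unlike the `set l_force_image_tag_to_version = True` task added earlier in this file, so the run log cannot show which branch of the image-tag logic ran. Suggested names are `- name: Use the user-specified image tag for the 3.9 upgrade` and `- name: Force image tag to the 3.9 version after a double upgrade`. The condition `l_double_upgrade_cp is defined and l_double_upgrade_cp` could be written `l_double_upgrade_cp | default(false) | bool`, which also copes with the value arriving as a string. The play these tasks belong to starts outside the hunk.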
@@ -82,6 +104,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_masters_to_config"
+ openshift_protect_installed_version: False
- name: Flag pre-upgrade checks complete for hosts without errors
hosts: oo_masters_to_config:oo_etcd_to_config
@@ -110,3 +133,9 @@
state: started
- import_playbook: ../post_control_plane.yml
+
+- hosts: oo_masters
+ tasks:
+ - import_role:
+ name: openshift_web_console
+ tasks_from: remove_old_asset_config
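Review bot: The added play targets `oo_masters`, whereas the other plays visible in this file's hunks use `oo_masters_to_config`. If `oo_masters` is not populated for a given inventory (group evaluation is outside this hunk), the play matches no hosts and the old assetConfig cleanup is skipped without an error. `- hosts: oo_masters_to_config` would keep the file consistent. The play is also unnamed; `- name: Remove old assetConfig from master-config.yaml` (wording taken from the changelog entry) would label it in the output.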
diff --git a/playbooks/deploy_cluster.yml b/playbooks/deploy_cluster.yml
index 361553ee4..c8e30ddbc 100644
--- a/playbooks/deploy_cluster.yml
+++ b/playbooks/deploy_cluster.yml
@@ -6,11 +6,3 @@
- import_playbook: openshift-node/private/config.yml
- import_playbook: common/private/components.yml
-
-- name: Print deprecated variable warning message if necessary
- hosts: oo_first_master
- gather_facts: no
- tasks:
- - debug: msg="{{__deprecation_message}}"
- when:
- - __deprecation_message | default ('') | length > 0
diff --git a/playbooks/init/evaluate_groups.yml b/playbooks/init/evaluate_groups.yml
index 924ae481a..e8bf1892c 100644
--- a/playbooks/init/evaluate_groups.yml
+++ b/playbooks/init/evaluate_groups.yml
@@ -45,7 +45,11 @@
- name: Evaluate groups - Fail if no etcd hosts group is defined
fail:
msg: >
- Running etcd as an embedded service is no longer supported.
+ Running etcd as an embedded service is no longer supported. If this is a
+ new install please define an 'etcd' group with either one, three or five
+ hosts. These hosts may be the same hosts as your masters. If this is an
+ upgrade please see https://docs.openshift.com/container-platform/latest/install_config/upgrading/migrating_embedded_etcd.html
+ for documentation on how to migrate from embedded to external etcd.
when:
- g_etcd_hosts | default([]) | length not in [5,3,1]
- not (openshift_node_bootstrap | default(False))
diff --git a/playbooks/openshift-master/private/tasks/wire_aggregator.yml b/playbooks/openshift-master/private/tasks/wire_aggregator.yml
index 59e2b515c..cc812c300 100644
--- a/playbooks/openshift-master/private/tasks/wire_aggregator.yml
+++ b/playbooks/openshift-master/private/tasks/wire_aggregator.yml
@@ -142,11 +142,6 @@
state: absent
changed_when: False
-- name: Setup extension file for service console UI
- template:
- src: ../templates/openshift-ansible-catalog-console.js
- dest: /etc/origin/master/openshift-ansible-catalog-console.js
-
- name: Update master config
yedit:
state: present
@@ -166,8 +161,6 @@
value: [X-Remote-Group]
- key: authConfig.requestHeader.extraHeaderPrefixes
value: [X-Remote-Extra-]
- - key: assetConfig.extensionScripts
- value: [/etc/origin/master/openshift-ansible-catalog-console.js]
- key: kubernetesMasterConfig.apiServerArguments.runtime-config
value: [apis/settings.k8s.io/v1alpha1=true]
- key: admissionConfig.pluginConfig.PodPreset.configuration.kind
@@ -178,37 +171,50 @@
value: false
register: yedit_output
-#restart master serially here
-- name: restart master api
- systemd: name={{ openshift_service_type }}-master-api state=restarted
- when:
- - yedit_output.changed
-
-# We retry the controllers because the API may not be 100% initialized yet.
-- name: restart master controllers
- command: "systemctl restart {{ openshift_service_type }}-master-controllers"
- retries: 3
- delay: 5
- register: result
- until: result.rc == 0
- when:
- - yedit_output.changed
+# Only add the catalog extension script if not 3.9. From 3.9 on, the console
+# can discover if template service broker is running.
+- when: not openshift.common.version_gte_3_9
+ block:
+ - name: Setup extension file for service console UI
+ template:
+ src: ../templates/openshift-ansible-catalog-console.js
+ dest: /etc/origin/master/openshift-ansible-catalog-console.js
+
+ - name: Update master config
+ yedit:
+ state: present
+ src: /etc/origin/master/master-config.yaml
+ key: assetConfig.extensionScripts
+ value: [/etc/origin/master/openshift-ansible-catalog-console.js]
+ register: yedit_asset_config_output
-- name: Verify API Server
- # Using curl here since the uri module requires python-httplib2 and
- # wait_for port doesn't provide health information.
- command: >
- curl --silent --tlsv1.2
- --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
- {{ openshift.master.api_url }}/healthz/ready
- args:
- # Disables the following warning:
- # Consider using get_url or uri module rather than running curl
- warn: no
- register: api_available_output
- until: api_available_output.stdout == 'ok'
- retries: 120
- delay: 1
- changed_when: false
- when:
- - yedit_output.changed
+#restart master serially here
+- when: yedit_output.changed or (yedit_asset_config_output is defined and yedit_asset_config_output.changed)
+ block:
+ - name: restart master api
+ systemd: name={{ openshift_service_type }}-master-api state=restarted
+
+ # We retry the controllers because the API may not be 100% initialized yet.
+ - name: restart master controllers
+ command: "systemctl restart {{ openshift_service_type }}-master-controllers"
+ retries: 3
+ delay: 5
+ register: result
+ until: result.rc == 0
+
+ - name: Verify API Server
+ # Using curl here since the uri module requires python-httplib2 and
+ # wait_for port doesn't provide health information.
+ command: >
+ curl --silent --tlsv1.2
+ --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
+ {{ openshift.master.api_url }}/healthz/ready
+ args:
+ # Disables the following warning:
+ # Consider using get_url or uri module rather than running curl
+ warn: no
+ register: api_available_output
+ until: api_available_output.stdout == 'ok'
+ retries: 120
+ delay: 1
+ changed_when: false
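Review bot: The `template` task in the new pre-3.9 block writes `/etc/origin/master/openshift-ansible-catalog-console.js` without stating ownership or mode, so the result depends on the connecting user and its umask. The file is registered under `assetConfig.extensionScripts`, which presumably means the web console serves it to users, so nobody but root should be able to write it; adding `owner: root`, `group: root` and `mode: "0644"` to that task makes this explicit. Separately, the new `yedit` task reuses the name `Update master config` from the task above it, which makes the two indistinguishable in run output; a name such as `Add catalog console extension script to master config` would help.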
diff --git a/roles/container_runtime/defaults/main.yml b/roles/container_runtime/defaults/main.yml
index 8203d15f5..7397e2bec 100644
--- a/roles/container_runtime/defaults/main.yml
+++ b/roles/container_runtime/defaults/main.yml
@@ -64,7 +64,7 @@ docker_storage_setup_options:
root_lv_mount_path: "{{ docker_storage_path }}"
docker_storage_extra_options:
- "--storage-opt overlay2.override_kernel_check=true"
-- "--storage-opt overlay2.size={{ docker_storage_size }}"
+- "{{ '--storage-opt overlay2.size=' ~ docker_storage_size if container_runtime_docker_storage_setup_device is defined and container_runtime_docker_storage_setup_device != '' else '' }}"
- "--graph={{ docker_storage_path}}"
@@ -117,7 +117,7 @@ l_crio_image: "{{ openshift_crio_systemcontainer_image_override | default(l_crio
# ----------------------- #
l_crt_docker_image_dict:
Fedora: "registry.fedoraproject.org/latest/docker"
- Centos: "registry.centos.org/projectatomic/docker"
+ CentOS: "registry.centos.org/projectatomic/docker"
RedHat: "registry.access.redhat.com/openshift3/container-engine"
openshift_docker_image_tag_default: "latest"
diff --git a/roles/container_runtime/templates/docker_storage_setup.j2 b/roles/container_runtime/templates/docker_storage_setup.j2
index b056087e0..ec540ea44 100644
--- a/roles/container_runtime/templates/docker_storage_setup.j2
+++ b/roles/container_runtime/templates/docker_storage_setup.j2
@@ -2,6 +2,7 @@
# /usr/lib/docker-storage-setup/docker-storage-setup.
#
# For more details refer to "man docker-storage-setup"
+{% if container_runtime_docker_storage_setup_device is defined and container_runtime_docker_storage_setup_device != '' %}
DEVS={{ container_runtime_docker_storage_setup_device }}
VG={{ docker_storage_setup_options.vg }}
DATA_SIZE={{ docker_storage_setup_options.data_size }}
@@ -9,4 +10,7 @@ STORAGE_DRIVER="{{ docker_storage_setup_options.storage_driver }}"
CONTAINER_ROOT_LV_NAME="{{ docker_storage_setup_options.root_lv_name }}"
CONTAINER_ROOT_LV_SIZE="{{ docker_storage_setup_options.root_lv_size }}"
CONTAINER_ROOT_LV_MOUNT_PATH="{{ docker_storage_setup_options.root_lv_mount_path }}"
+{% else %}
+STORAGE_DRIVER="{{ docker_storage_setup_options.storage_driver }}"
+{% endif %}
EXTRA_STORAGE_OPTIONS="{{ docker_storage_extra_options | join(' ') }}"
diff --git a/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py b/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py
index da7e7b1da..a38b95c1d 100644
--- a/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py
+++ b/roles/installer_checkpoint/callback_plugins/installer_checkpoint.py
@@ -127,6 +127,10 @@ class CallbackModule(CallbackBase):
self._display.display(
'\tThis phase can be restarted by running: {}'.format(
phase_attributes[phase]['playbook']))
+ if 'message' in stats.custom['_run'][phase]:
+ self._display.display(
+ '\t{}'.format(
+ stats.custom['_run'][phase]['message']))
self._display.display("", screen_only=True)
diff --git a/roles/lib_openshift/library/oc_group.py b/roles/lib_openshift/library/oc_group.py
index 1b63a6c13..72023eaf7 100644
--- a/roles/lib_openshift/library/oc_group.py
+++ b/roles/lib_openshift/library/oc_group.py
@@ -1485,7 +1485,7 @@ class OCGroup(OpenShiftCLI):
def needs_update(self):
''' verify an update is needed '''
- return not Utils.check_def_equal(self.config.data, self.group.yaml_dict, skip_keys=[], debug=True)
+ return not Utils.check_def_equal(self.config.data, self.group.yaml_dict, skip_keys=['users'], debug=True)
# pylint: disable=too-many-return-statements,too-many-branches
@staticmethod
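Review bot: With `skip_keys=['users']`, `needs_update()` no longer reports a difference when the group's member list on the cluster differs from the requested one, so membership drift is not reconciled through this path. If that is intended, a comment above the return should say so, e.g. `# 'users' is skipped on purpose: membership is managed outside this comparison`; otherwise the key should stay in the comparison, since group membership usually decides what its members are authorised to do. The same change is made in `roles/lib_openshift/src/class/oc_group.py`. The rest of the class is outside the hunk, so how `users` is applied elsewhere cannot be checked from here.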
diff --git a/roles/lib_openshift/src/class/oc_group.py b/roles/lib_openshift/src/class/oc_group.py
index 89fb09ea4..53e6b6766 100644
--- a/roles/lib_openshift/src/class/oc_group.py
+++ b/roles/lib_openshift/src/class/oc_group.py
@@ -59,7 +59,7 @@ class OCGroup(OpenShiftCLI):
def needs_update(self):
''' verify an update is needed '''
- return not Utils.check_def_equal(self.config.data, self.group.yaml_dict, skip_keys=[], debug=True)
+ return not Utils.check_def_equal(self.config.data, self.group.yaml_dict, skip_keys=['users'], debug=True)
# pylint: disable=too-many-return-statements,too-many-branches
@staticmethod
diff --git a/roles/lib_utils/filter_plugins/oo_filters.py b/roles/lib_utils/filter_plugins/oo_filters.py
index ef996fefe..574743ff1 100644
--- a/roles/lib_utils/filter_plugins/oo_filters.py
+++ b/roles/lib_utils/filter_plugins/oo_filters.py
@@ -272,7 +272,7 @@ def haproxy_backend_masters(hosts, port):
return servers
-# pylint: disable=too-many-branches
+# pylint: disable=too-many-branches, too-many-nested-blocks
def lib_utils_oo_parse_named_certificates(certificates, named_certs_dir, internal_hostnames):
""" Parses names from list of certificate hashes.
@@ -318,8 +318,9 @@ def lib_utils_oo_parse_named_certificates(certificates, named_certs_dir, interna
certificate['names'].append(str(cert.get_subject().commonName.decode()))
for i in range(cert.get_extension_count()):
if cert.get_extension(i).get_short_name() == 'subjectAltName':
- for name in str(cert.get_extension(i)).replace('DNS:', '').split(', '):
- certificate['names'].append(name)
+ for name in str(cert.get_extension(i)).split(', '):
+ if 'DNS:' in name:
+ certificate['names'].append(name.replace('DNS:', ''))
except Exception:
raise errors.AnsibleFilterError(("|failed to parse certificate '%s', " % certificate['certfile'] +
"please specify certificate names in host inventory"))
@@ -341,6 +342,58 @@ def lib_utils_oo_parse_named_certificates(certificates, named_certs_dir, interna
return certificates
+def lib_utils_oo_parse_certificate_san(certificate):
+ """ Parses SubjectAlternativeNames from a PEM certificate.
+
+ Ex: certificate = '''-----BEGIN CERTIFICATE-----
+ MIIEcjCCAlqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZldGNk
+ LXNpZ25lckAxNTE2ODIwNTg1MB4XDTE4MDEyNDE5MDMzM1oXDTIzMDEyMzE5MDMz
+ M1owHzEdMBsGA1UEAwwUbWFzdGVyMS5hYnV0Y2hlci5jb20wggEiMA0GCSqGSIb3
+ DQEBAQUAA4IBDwAwggEKAoIBAQD4wBdWXNI3TF1M0b0bEIGyJPvdqKeGwF5XlxWg
+ NoA1Ain/Xz0N1SW5pXW2CDo9HX+ay8DyhzR532yrBa+RO3ivNCmfnexTQinfSLWG
+ mBEdiu7HO3puR/GNm74JNyXoEKlMAIRiTGq9HPoTo7tNV5MLodgYirpHrkSutOww
+ DfFSrNjH/ehqxwQtrIOnTAHigdTOrKVdoYxqXblDEMONTPLI5LMvm4/BqnAVaOyb
+ 9RUzND6lxU/ei3FbUS5IoeASOHx0l1ifxae3OeSNAimm/RIRo9rieFNUFh45TzID
+ elsdGrLB75LH/gnRVV1xxVbwPN6xW1mEwOceRMuhIArJQ2G5AgMBAAGjgbYwgbMw
+ UQYDVR0jBEowSIAUXTqN88vCI6E7wONls3QJ4/63unOhJaQjMCExHzAdBgNVBAMM
+ FmV0Y2Qtc2lnbmVyQDE1MTY4MjA1ODWCCQDMaopfom6OljAMBgNVHRMBAf8EAjAA
+ MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDAdBgNVHQ4EFgQU7l05
+ OYeY3HppL6/0VJSirudj8t0wDwYDVR0RBAgwBocEwKh6ujANBgkqhkiG9w0BAQsF
+ AAOCAgEAFU8sicE5EeQsUPnFEqDvoJd1cVE+8aCBqkW0++4GsVw2A/JOJ3OBJL6r
+ BV3b1u8/e8xBNi8hPi42Q+LWBITZZ/COFyhwEAK94hcr7eZLCV2xfUdMJziP4Qkh
+ /WRN7vXHTtJ6NP/d6A22SPbtnMSt9Y6G8y9qa5HBrqIqmkYbLzDw/SdZbDbuGhRk
+ xUwg2ahXNblVoE5P6rxPONgXliA94telZ1/61iyrVaiGQb1/GUP/DRfvvR4dOCrA
+ lMosW6fm37Wdi/8iYW+aDPWGS+yVK/sjSnHNjxqvrzkfGk+COa5riT9hJ7wZY0Hb
+ YiJS74SZgZt/nnr5PI2zFRUiZLECqCkZnC/sz29i+irLabnq7Cif9Mv+TUcXWvry
+ TdJuaaYdTSMRSUkDd/c9Ife8tOr1i1xhFzDNKNkZjTVRk1MBquSXndVCDKucdfGi
+ YoWm+NDFrayw8yxK/KTHo3Db3lu1eIXTHxriodFx898b//hysHr4hs4/tsEFUTZi
+ 705L2ScIFLfnyaPby5GK/3sBIXtuhOFM3QV3JoYKlJB5T6wJioVoUmSLc+UxZMeE
+ t9gGVQbVxtLvNHUdW7uKQ5pd76nIJqApQf8wg2Pja8oo56fRZX2XLt8nm9cswcC4
+ Y1mDMvtfxglQATwMTuoKGdREuu1mbdb8QqdyQmZuMa72q+ax2kQ=
+ -----END CERTIFICATE-----'''
+
+ returns ['192.168.122.186']
+ """
+
+ if not HAS_OPENSSL:
+ raise errors.AnsibleFilterError("|missing OpenSSL python bindings")
+
+ names = []
+
+ try:
+ lcert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, certificate)
+ for i in range(lcert.get_extension_count()):
+ if lcert.get_extension(i).get_short_name() == 'subjectAltName':
+ sanstr = str(lcert.get_extension(i))
+ sanstr = sanstr.replace('DNS:', '')
+ sanstr = sanstr.replace('IP Address:', '')
+ names = sanstr.split(', ')
+ except Exception:
+ raise errors.AnsibleFilterError("|failed to parse certificate")
+
+ return names
+
+
def lib_utils_oo_generate_secret(num_bytes):
""" generate a session secret """
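Review bot: `lib_utils_oo_parse_certificate_san` strips `DNS:` and `IP Address:` wherever they occur in the extension string and returns every other SAN entry (`email:`, `URI:` and so on) with its type prefix still attached, so callers that treat the result as host names or addresses can receive values that are neither. It also assigns `names` instead of appending, so only the last matching extension is kept. The loop should split first and accept only entries that start with a known prefix, as sketched below; this drops other SAN types, which should be stated in the docstring. The SAN loop changed in the previous hunk of `lib_utils_oo_parse_named_certificates` uses the substring test `'DNS:' in name` and would be tighter with `name.startswith('DNS:')`.

```python
            # … unchanged: load_certificate call and extension loop …
            if lcert.get_extension(i).get_short_name() == 'subjectAltName':
                # Keep only DNS and IP entries, matched on their type prefix.
                for entry in str(lcert.get_extension(i)).split(', '):
                    for prefix in ('DNS:', 'IP Address:'):
                        if entry.startswith(prefix):
                            names.append(entry[len(prefix):])
```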
@@ -625,6 +678,7 @@ class FilterModule(object):
"lib_utils_oo_dict_to_keqv_list": lib_utils_oo_dict_to_keqv_list,
"lib_utils_oo_list_to_dict": lib_utils_oo_list_to_dict,
"lib_utils_oo_parse_named_certificates": lib_utils_oo_parse_named_certificates,
+ "lib_utils_oo_parse_certificate_san": lib_utils_oo_parse_certificate_san,
"lib_utils_oo_generate_secret": lib_utils_oo_generate_secret,
"lib_utils_oo_pods_match_component": lib_utils_oo_pods_match_component,
"lib_utils_oo_image_tag_to_rpm_version": lib_utils_oo_image_tag_to_rpm_version,
diff --git a/roles/lib_utils/filter_plugins/openshift_aws_filters.py b/roles/lib_utils/filter_plugins/openshift_aws_filters.py
index dfcb11da3..f16048056 100644
--- a/roles/lib_utils/filter_plugins/openshift_aws_filters.py
+++ b/roles/lib_utils/filter_plugins/openshift_aws_filters.py
@@ -67,8 +67,24 @@ class FilterModule(object):
return tags
+ @staticmethod
+ def get_default_az(subnets):
+ ''' From a list of subnets/AZs in a specific region (from the VPC
+ structure), return the AZ that has the key/value
+ 'default_az=True.' '''
+
+ for subnet in subnets:
+ if subnet.get('default_az'):
+ return subnet['az']
+
+ # if there was none marked with default_az=True, just return the first
+ # one. (this does mean we could possible return an item that has
+ # default_az=False set
+ return subnets[0]['az']
+
def filters(self):
''' returns a mapping of filters to methods '''
return {'build_instance_tags': self.build_instance_tags,
+ 'get_default_az': self.get_default_az,
'scale_groups_match_capacity': self.scale_groups_match_capacity,
'scale_groups_serial': self.scale_groups_serial}
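Review bot: `get_default_az` ends with `subnets[0]['az']`, which raises a bare IndexError when the region's subnet list is empty and a KeyError when an entry has no `az`; either one surfaces as an opaque template failure where `openshift_aws_subnet_az` is evaluated. A guard before the loop, such as `if not subnets: raise ValueError('no subnets defined for this region')`, gives the operator a usable message. The fallback comment is also missing its closing parenthesis and has a typo; it could read `# default_az=False set)` on its last line, with `possibly` in place of `possible`.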
diff --git a/roles/lib_utils/library/swapoff.py b/roles/lib_utils/library/swapoff.py
new file mode 100644
index 000000000..925eeb17d
--- /dev/null
+++ b/roles/lib_utils/library/swapoff.py
@@ -0,0 +1,137 @@
+#!/usr/bin/env python
+# pylint: disable=missing-docstring
+#
+# Copyright 2017 Red Hat, Inc. and/or its affiliates
+# and other contributors as indicated by the @author tags.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import subprocess
+
+from ansible.module_utils.basic import AnsibleModule
+
+
+DOCUMENTATION = '''
+---
+module: swapoff
+
+short_description: Disable swap and comment from /etc/fstab
+
+version_added: "2.4"
+
+description:
+ - This module disables swap and comments entries from /etc/fstab
+
+author:
+ - "Michael Gugino <mgugino@redhat.com>"
+'''
+
+EXAMPLES = '''
+# Pass in a message
+- name: Disable Swap
+ swapoff: {}
+'''
+
+
+def check_swap_in_fstab(module):
+ '''Check for uncommented swap entries in fstab'''
+ res = subprocess.call(['grep', '^[^#].*swap', '/etc/fstab'])
+
+ if res == 2:
+ # rc 2 == cannot open file.
+ result = {'failed': True,
+ 'changed': False,
+ 'msg': 'unable to read /etc/fstab',
+ 'state': 'unknown'}
+ module.fail_json(**result)
+ elif res == 1:
+ # No grep match, fstab looks good.
+ return False
+ elif res == 0:
+ # There is an uncommented entry for fstab.
+ return True
+ else:
+ # Some other grep error code, we shouldn't get here.
+ result = {'failed': True,
+ 'changed': False,
+ 'msg': 'unknow problem with grep "^[^#].*swap" /etc/fstab ',
+ 'state': 'unknown'}
+ module.fail_json(**result)
+
+
+def check_swapon_status(module):
+ '''Check if swap is actually in use.'''
+ try:
+ res = subprocess.check_output(['swapon', '--show'])
+ except subprocess.CalledProcessError:
+ # Some other grep error code, we shouldn't get here.
+ result = {'failed': True,
+ 'changed': False,
+ 'msg': 'unable to execute swapon --show',
+ 'state': 'unknown'}
+ module.fail_json(**result)
+ return 'NAME' in str(res)
+
+
+def comment_swap_fstab(module):
+ '''Comment out swap lines in /etc/fstab'''
+ res = subprocess.call(['sed', '-i.bak', 's/^[^#].*swap.*/#&/', '/etc/fstab'])
+ if res:
+ result = {'failed': True,
+ 'changed': False,
+ 'msg': 'sed failed to comment swap in /etc/fstab',
+ 'state': 'unknown'}
+ module.fail_json(**result)
+
+
+def run_swapoff(module, changed):
+ '''Run swapoff command'''
+ res = subprocess.call(['swapoff', '--all'])
+ if res:
+ result = {'failed': True,
+ 'changed': changed,
+ 'msg': 'swapoff --all returned {}'.format(str(res)),
+ 'state': 'unknown'}
+ module.fail_json(**result)
+
+
+def run_module():
+ '''Run this module'''
+ module = AnsibleModule(
+ supports_check_mode=False,
+ argument_spec={}
+ )
+ changed = False
+
+ swap_fstab_res = check_swap_in_fstab(module)
+ swap_is_inuse_res = check_swapon_status(module)
+
+ if swap_fstab_res:
+ comment_swap_fstab(module)
+ changed = True
+
+ if swap_is_inuse_res:
+ run_swapoff(module, changed)
+ changed = True
+
+ result = {'changed': changed}
+
+ module.exit_json(**result)
+
+
+def main():
+ run_module()
+
+
+if __name__ == '__main__':
+ main()
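Review bot: The pattern `^[^#].*swap` used by `check_swap_in_fstab` and `comment_swap_fstab` matches any line that does not start with `#` and contains the text swap anywhere, so an unrelated mount whose device, label or mount point includes that string is commented out of /etc/fstab together with the real swap entries. Both commands should match on the filesystem-type column (third field equal to `swap`) instead. The `grep` call also inherits the module's stdout, so matched fstab lines are printed ahead of the JSON result; `grep -q`, or `module.run_command([...])` in place of `subprocess.call`, avoids that. In `check_swapon_status` the comment `# Some other grep error code, we shouldn't get here.` is copied from the function above and should read `# swapon exited non-zero.`, and the message `unknow problem` is missing an n.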
diff --git a/roles/openshift_aws/defaults/main.yml b/roles/openshift_aws/defaults/main.yml
index a729e8dbd..e14d57702 100644
--- a/roles/openshift_aws/defaults/main.yml
+++ b/roles/openshift_aws/defaults/main.yml
@@ -59,7 +59,7 @@ openshift_aws_elb_name_dict:
external: "{{ openshift_aws_elb_basename }}-infra"
openshift_aws_elb_idle_timout: 400
-openshift_aws_elb_scheme: internet-facing
+
openshift_aws_elb_cert_arn: ''
openshift_aws_elb_dict:
@@ -282,8 +282,6 @@ openshift_aws_node_security_groups:
openshift_aws_vpc_tags:
Name: "{{ openshift_aws_vpc_name }}"
-openshift_aws_subnet_az: us-east-1c
-
openshift_aws_vpc:
name: "{{ openshift_aws_vpc_name }}"
cidr: 172.31.0.0/16
@@ -291,11 +289,14 @@ openshift_aws_vpc:
us-east-1:
- cidr: 172.31.48.0/20
az: "us-east-1c"
+ default_az: true
- cidr: 172.31.32.0/20
az: "us-east-1e"
- cidr: 172.31.16.0/20
az: "us-east-1a"
+openshift_aws_subnet_az: "{{ openshift_aws_vpc.subnets[openshift_aws_region] | get_default_az }}"
+
openshift_aws_node_run_bootstrap_startup: True
openshift_aws_node_user_data: ''
openshift_aws_node_config_namespace: openshift-node
diff --git a/roles/openshift_aws/tasks/elb.yml b/roles/openshift_aws/tasks/elb.yml
index 5d371ec7a..6f0028a3d 100644
--- a/roles/openshift_aws/tasks/elb.yml
+++ b/roles/openshift_aws/tasks/elb.yml
@@ -15,7 +15,7 @@
- "{{ subnetout.subnets[0].id }}"
health_check: "{{ openshift_aws_elb_health_check }}"
listeners: "{{ item.value }}"
- scheme: "{{ openshift_aws_elb_scheme }}"
+ scheme: "{{ (item.key == 'internal') | ternary('internal','internet-facing') }}"
tags: "{{ openshift_aws_elb_tags }}"
wait: True
register: new_elb
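Review bot: The new `scheme` expression makes every ELB whose key is anything other than the exact string `internal` internet-facing, so a misspelt or newly added key in `openshift_aws_elb_dict` yields a publicly reachable load balancer by default. Inverting the test keeps the exposed case explicit: `scheme: "{{ (item.key == 'external') | ternary('internet-facing','internal') }}"`. The key `external` appears in `openshift_aws_elb_name_dict` in the defaults file; whether the ELB dict uses the same two keys should be confirmed, since the task itself starts outside the hunk.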
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-job.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-job.yaml
new file mode 100644
index 000000000..48d1d4e26
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-job.yaml
@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cloudforms-backup
+spec:
+ template:
+ metadata:
+ name: cloudforms-backup
+ spec:
+ containers:
+ - name: postgresql
+ image: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql:latest
+ command:
+ - "/opt/rh/cfme-container-scripts/backup_db"
+ env:
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: cloudforms-secrets
+ key: database-url
+ volumeMounts:
+ - name: cfme-backup-vol
+ mountPath: "/backups"
+ volumes:
+ - name: cfme-backup-vol
+ persistentVolumeClaim:
+ claimName: cloudforms-backup
+ restartPolicy: Never
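Review bot: The container image is referenced as `cloudforms46-beta/cfme-openshift-postgresql:latest`, a floating tag on a beta repository, so the job that reads `DATABASE_URL` from `cloudforms-secrets` and writes the backups runs whatever image is current at pull time. Pinning to a released tag or a digest, e.g. `image: <registry>/<repo>@sha256:<digest>` (placeholder), makes the backup reproducible and reviewable. The same image line is in `cfme-restore-job.yaml`, where it matters more because that job also mounts the `cloudforms-postgresql` claim at `/restore`.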
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-pvc.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-pvc.yaml
new file mode 100644
index 000000000..92598ce82
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-pvc.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: cloudforms-backup
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 15Gi
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-backup-example.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-backup-example.yaml
new file mode 100644
index 000000000..4fe349897
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-backup-example.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: cfme-pv03
+spec:
+ capacity:
+ storage: 15Gi
+ accessModes:
+ - ReadWriteOnce
+ nfs:
+ path: "/exports/cfme-pv03"
+ server: "<your-nfs-host-here>"
+ persistentVolumeReclaimPolicy: Retain
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-db-example.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-db-example.yaml
index 250a99b8d..0cdd821b5 100644
--- a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-db-example.yaml
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-db-example.yaml
@@ -1,13 +1,38 @@
apiVersion: v1
-kind: PersistentVolume
+kind: Template
+labels:
+ template: cloudforms-db-pv
metadata:
- name: cfme-pv01
-spec:
- capacity:
- storage: 15Gi
- accessModes:
+ name: cloudforms-db-pv
+ annotations:
+ description: PV Template for CFME PostgreSQL DB
+ tags: PVS, CFME
+objects:
+- apiVersion: v1
+ kind: PersistentVolume
+ metadata:
+ name: cfme-db
+ spec:
+ capacity:
+ storage: "${PV_SIZE}"
+ accessModes:
- ReadWriteOnce
- nfs:
- path: /exports/cfme-pv01
- server: <your-nfs-host-here>
- persistentVolumeReclaimPolicy: Retain
+ nfs:
+ path: "${BASE_PATH}/cfme-db"
+ server: "${NFS_HOST}"
+ persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+ displayName: PV Size for DB
+ required: true
+ description: The size of the CFME DB PV given in Gi
+ value: 15Gi
+- name: BASE_PATH
+ displayName: Exports Directory Base Path
+ required: true
+ description: The parent directory of your NFS exports
+ value: "/exports"
+- name: NFS_HOST
+ displayName: NFS Server Hostname
+ required: true
+ description: The hostname or IP address of the NFS server
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-region-example.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-region-example.yaml
deleted file mode 100644
index cba9bbe35..000000000
--- a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-region-example.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: cfme-pv02
-spec:
- capacity:
- storage: 5Gi
- accessModes:
- - ReadWriteOnce
- nfs:
- path: /exports/cfme-pv02
- server: <your-nfs-host-here>
- persistentVolumeReclaimPolicy: Retain
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-server-example.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-server-example.yaml
index c08c21265..527090ae8 100644
--- a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-server-example.yaml
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-server-example.yaml
@@ -1,13 +1,38 @@
apiVersion: v1
-kind: PersistentVolume
+kind: Template
+labels:
+ template: cloudforms-app-pv
metadata:
- name: cfme-pv03
-spec:
- capacity:
- storage: 5Gi
- accessModes:
+ name: cloudforms-app-pv
+ annotations:
+ description: PV Template for CFME Server
+ tags: PVS, CFME
+objects:
+- apiVersion: v1
+ kind: PersistentVolume
+ metadata:
+ name: cfme-app
+ spec:
+ capacity:
+ storage: "${PV_SIZE}"
+ accessModes:
- ReadWriteOnce
- nfs:
- path: /exports/cfme-pv03
- server: <your-nfs-host-here>
- persistentVolumeReclaimPolicy: Retain
+ nfs:
+ path: "${BASE_PATH}/cfme-app"
+ server: "${NFS_HOST}"
+ persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+ displayName: PV Size for App
+ required: true
+ description: The size of the CFME APP PV given in Gi
+ value: 5Gi
+- name: BASE_PATH
+ displayName: Exports Directory Base Path
+ required: true
+ description: The parent directory of your NFS exports
+ value: "/exports"
+- name: NFS_HOST
+ displayName: NFS Server Hostname
+ required: true
+ description: The hostname or IP address of the NFS server
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-restore-job.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-restore-job.yaml
new file mode 100644
index 000000000..7fd4fc2e1
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-restore-job.yaml
@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cloudforms-restore
+spec:
+ template:
+ metadata:
+ name: cloudforms-restore
+ spec:
+ containers:
+ - name: postgresql
+ image: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql:latest
+ command:
+ - "/opt/rh/cfme-container-scripts/restore_db"
+ env:
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: cloudforms-secrets
+ key: database-url
+ - name: BACKUP_VERSION
+ value: latest
+ volumeMounts:
+ - name: cfme-backup-vol
+ mountPath: "/backups"
+ - name: cfme-prod-vol
+ mountPath: "/restore"
+ volumes:
+ - name: cfme-backup-vol
+ persistentVolumeClaim:
+ claimName: cloudforms-backup
+ - name: cfme-prod-vol
+ persistentVolumeClaim:
+ claimName: cloudforms-postgresql
+ restartPolicy: Never
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-scc-sysadmin.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-scc-sysadmin.yaml
new file mode 100644
index 000000000..d2ece9298
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-scc-sysadmin.yaml
@@ -0,0 +1,38 @@
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+apiVersion: v1
+defaultAddCapabilities:
+- SYS_ADMIN
+fsGroup:
+ type: RunAsAny
+groups:
+- system:cluster-admins
+kind: SecurityContextConstraints
+metadata:
+ annotations:
+ kubernetes.io/description: cfme-sysadmin provides all features of the anyuid SCC but allows users to have SYS_ADMIN capabilities. This is the required scc for Pods requiring to run with systemd and the message bus.
+ creationTimestamp:
+ name: cfme-sysadmin
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- MKNOD
+- SYS_CHROOT
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+users:
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- secret
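Review bot: `defaultAddCapabilities` with `SYS_ADMIN`, combined with `groups: system:cluster-admins` and `priority: 10`, means pods created by cluster administrators can be admitted under this SCC and receive SYS_ADMIN without asking for it, not only the CloudForms pods the description refers to. Listing the capability under `allowedCapabilities` instead (provided the pod spec then requests it), and replacing the group binding with `groups: []` plus an explicit grant to the one service account that needs it, limits the capability to the workloads that require it. The bare `allowedCapabilities:`, `users:` and `creationTimestamp:` keys parse as null; `[]` for the two lists, and omitting `creationTimestamp`, states the intent.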
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template-ext-db.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template-ext-db.yaml
new file mode 100644
index 000000000..9866c29c3
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template-ext-db.yaml
@@ -0,0 +1,956 @@
+apiVersion: v1
+kind: Template
+labels:
+ template: cloudforms-ext-db
+metadata:
+ name: cloudforms-ext-db
+ annotations:
+ description: CloudForms appliance with persistent storage using a external DB host
+ tags: instant-app,cloudforms,cfme
+ iconClass: icon-rails
+objects:
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-orchestrator
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-anyuid
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-privileged
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-httpd
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${NAME}-secrets"
+ stringData:
+ pg-password: "${DATABASE_PASSWORD}"
+ admin-password: "${APPLICATION_ADMIN_PASSWORD}"
+ database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+ v2-key: "${V2_KEY}"
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ stringData:
+ rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+ secret-key: "${ANSIBLE_SECRET_KEY}"
+ admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances CloudForms pods
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+ name: "${NAME}"
+ spec:
+ clusterIP: None
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ selector:
+ name: "${NAME}"
+- apiVersion: v1
+ kind: Route
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ spec:
+ host: "${APPLICATION_DOMAIN}"
+ port:
+ targetPort: http
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ to:
+ kind: Service
+ name: "${HTTPD_SERVICE_NAME}"
+- apiVersion: apps/v1beta1
+ kind: StatefulSet
+ metadata:
+ name: "${NAME}"
+ annotations:
+ description: Defines how to deploy the CloudForms appliance
+ spec:
+ serviceName: "${NAME}"
+ replicas: "${APPLICATION_REPLICA_COUNT}"
+ template:
+ metadata:
+ labels:
+ name: "${NAME}"
+ name: "${NAME}"
+ spec:
+ containers:
+ - name: cloudforms
+ image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - MIQ Server
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ readinessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 200
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ volumeMounts:
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
+ env:
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_REGION
+ value: "${DATABASE_REGION}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: APPLICATION_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: admin-password
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ resources:
+ requests:
+ memory: "${APPLICATION_MEM_REQ}"
+ cpu: "${APPLICATION_CPU_REQ}"
+ limits:
+ memory: "${APPLICATION_MEM_LIMIT}"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
+ volumeClaimTemplates:
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Headless service for CloudForms backend pods
+ name: "${NAME}-backend"
+ spec:
+ clusterIP: None
+ selector:
+ name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+ kind: StatefulSet
+ metadata:
+ name: "${NAME}-backend"
+ annotations:
+ description: Defines how to deploy the CloudForms appliance
+ spec:
+ serviceName: "${NAME}-backend"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${NAME}-backend"
+ name: "${NAME}-backend"
+ spec:
+ containers:
+ - name: cloudforms
+ image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - MIQ Server
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
+ env:
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: MIQ_SERVER_DEFAULT_ROLES
+ value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+ - name: FRONTEND_SERVICE_NAME
+ value: "${NAME}"
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ resources:
+ requests:
+ memory: "${APPLICATION_MEM_REQ}"
+ cpu: "${APPLICATION_CPU_REQ}"
+ limits:
+ memory: "${APPLICATION_MEM_LIMIT}"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
+ volumeClaimTemplates:
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ annotations:
+ description: Exposes the memcached server
+ spec:
+ ports:
+ - name: memcached
+ port: 11211
+ targetPort: 11211
+ selector:
+ name: "${MEMCACHED_SERVICE_NAME}"
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy memcached
+ spec:
+ strategy:
+ type: Recreate
+ triggers:
+ - type: ConfigChange
+ replicas: 1
+ selector:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ template:
+ metadata:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ labels:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ spec:
+ volumes: []
+ containers:
+ - name: memcached
+ image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+ ports:
+ - containerPort: 11211
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 5
+ tcpSocket:
+ port: 11211
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 30
+ tcpSocket:
+ port: 11211
+ volumeMounts: []
+ env:
+ - name: MEMCACHED_MAX_MEMORY
+ value: "${MEMCACHED_MAX_MEMORY}"
+ - name: MEMCACHED_MAX_CONNECTIONS
+ value: "${MEMCACHED_MAX_CONNECTIONS}"
+ - name: MEMCACHED_SLAB_PAGE_SIZE
+ value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+ resources:
+ requests:
+ memory: "${MEMCACHED_MEM_REQ}"
+ cpu: "${MEMCACHED_CPU_REQ}"
+ limits:
+ memory: "${MEMCACHED_MEM_LIMIT}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${DATABASE_SERVICE_NAME}"
+ annotations:
+ description: Remote database service
+ spec:
+ ports:
+ - name: postgresql
+ port: 5432
+ targetPort: "${{DATABASE_PORT}}"
+ selector: {}
+- apiVersion: v1
+ kind: Endpoints
+ metadata:
+ name: "${DATABASE_SERVICE_NAME}"
+ subsets:
+ - addresses:
+ - ip: "${DATABASE_IP}"
+ ports:
+ - port: "${{DATABASE_PORT}}"
+ name: postgresql
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances Ansible pods
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy the Ansible appliance
+ spec:
+ strategy:
+ type: Recreate
+ serviceName: "${ANSIBLE_SERVICE_NAME}"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ containers:
+ - name: ansible
+ image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+ livenessProbe:
+ tcpSocket:
+ port: 443
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 200
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 443
+ protocol: TCP
+ securityContext:
+ privileged: true
+ env:
+ - name: ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ - name: RABBITMQ_USER_NAME
+ value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+ - name: RABBITMQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: rabbit-password
+ - name: ANSIBLE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: secret-key
+ - name: DATABASE_SERVICE_NAME
+ value: "${DATABASE_SERVICE_NAME}"
+ - name: POSTGRESQL_USER
+ value: "${DATABASE_USER}"
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: pg-password
+ - name: POSTGRESQL_DATABASE
+ value: "${ANSIBLE_DATABASE_NAME}"
+ resources:
+ requests:
+ memory: "${ANSIBLE_MEM_REQ}"
+ cpu: "${ANSIBLE_CPU_REQ}"
+ limits:
+ memory: "${ANSIBLE_MEM_LIMIT}"
+ serviceAccount: cfme-privileged
+ serviceAccountName: cfme-privileged
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ data:
+ application.conf: |
+ # Timeout: The number of seconds before receives and sends time out.
+ Timeout 120
+
+ RewriteEngine On
+ Options SymLinksIfOwnerMatch
+
+ <VirtualHost *:80>
+ KeepAlive on
+ # Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
+ ServerName https://%{REQUEST_HOST}
+
+ ProxyPreserveHost on
+
+ RewriteCond %{REQUEST_URI} ^/ws [NC]
+ RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
+ RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
+
+ # For httpd, some ErrorDocuments must by served by the httpd pod
+ RewriteCond %{REQUEST_URI} !^/proxy_pages
+
+ # For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
+ RewriteCond %{REQUEST_URI} !^/saml2
+ RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
+ ProxyPassReverse / http://${NAME}/
+
+ # Ensures httpd stdout/stderr are seen by docker logs.
+ ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
+ CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
+ </VirtualHost>
+ authentication.conf: |
+ # Load appropriate authentication configuration files
+ #
+ Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
+ configuration-internal-auth: |
+ # Internal authentication
+ #
+ configuration-external-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/http.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-active-directory-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/krb5.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-saml-auth: |
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+ <Location />
+ MellonEnable "info"
+
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
+ MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
+ MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
+
+ MellonVariable "sp-cookie"
+ MellonSecureCookie On
+ MellonCookiePath "/"
+
+ MellonIdP "IDP"
+
+ MellonEndpointPath "/saml2"
+
+ MellonUser username
+ MellonMergeEnvVars On
+
+ MellonSetEnvNoPrefix "REMOTE_USER" username
+ MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
+ MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
+ MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
+ MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
+ MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
+ </Location>
+
+ <Location /saml_login>
+ AuthType "Mellon"
+ MellonEnable "auth"
+ Require valid-user
+ </Location>
+
+ Include "conf.d/external-auth-remote-user-conf"
+ external-auth-load-modules-conf: |
+ LoadModule authnz_pam_module modules/mod_authnz_pam.so
+ LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
+ LoadModule auth_kerb_module modules/mod_auth_kerb.so
+ external-auth-login-form-conf: |
+ <Location /dashboard/external_authenticate>
+ InterceptFormPAMService httpd-auth
+ InterceptFormLogin user_name
+ InterceptFormPassword user_password
+ InterceptFormLoginSkip admin
+ InterceptFormClearRemoteUserForSkipped on
+ </Location>
+ external-auth-application-api-conf: |
+ <LocationMatch ^/api>
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
+
+ AuthType Basic
+ AuthName "External Authentication (httpd) for API"
+ AuthBasicProvider PAM
+
+ AuthPAMService httpd-auth
+ Require valid-user
+ Order Allow,Deny
+ Allow from env=let_admin_in
+ Allow from env=let_api_token_in
+ Allow from env=let_sys_token_in
+ Satisfy Any
+ </LocationMatch>
+ external-auth-lookup-user-details-conf: |
+ <LocationMatch ^/dashboard/external_authenticate$|^/dashboard/kerberos_authenticate$|^/api>
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ LookupUserAttr displayname REMOTE_USER_FULLNAME
+ LookupUserAttr domainname REMOTE_USER_DOMAIN
+
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ LookupDbusTimeout 5000
+ </LocationMatch>
+ external-auth-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ data:
+ auth-type: internal
+ auth-kerberos-realms: undefined
+ auth-configuration.conf: |
+ # External Authentication Configuration File
+ #
+ # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_DBUS_API_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server dbus api
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http-dbus-api
+ port: 8080
+ targetPort: 8080
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy httpd
+ spec:
+ strategy:
+ type: Recreate
+ recreateParams:
+ timeoutSeconds: 1200
+ triggers:
+ - type: ConfigChange
+ replicas: 1
+ selector:
+ name: "${HTTPD_SERVICE_NAME}"
+ template:
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ labels:
+ name: "${HTTPD_SERVICE_NAME}"
+ spec:
+ volumes:
+ - name: httpd-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ - name: httpd-auth-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ containers:
+ - name: httpd
+ image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - httpd
+ initialDelaySeconds: 15
+ timeoutSeconds: 3
+ readinessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 10
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: httpd-config
+ mountPath: "${HTTPD_CONFIG_DIR}"
+ - name: httpd-auth-config
+ mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+ resources:
+ requests:
+ memory: "${HTTPD_MEM_REQ}"
+ cpu: "${HTTPD_CPU_REQ}"
+ limits:
+ memory: "${HTTPD_MEM_LIMIT}"
+ env:
+ - name: HTTPD_AUTH_TYPE
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-type
+ - name: HTTPD_AUTH_KERBEROS_REALMS
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-kerberos-realms
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - "/usr/bin/save-container-environment"
+ serviceAccount: cfme-httpd
+ serviceAccountName: cfme-httpd
+parameters:
+- name: NAME
+ displayName: Name
+ required: true
+ description: The name assigned to all of the frontend objects defined in this template.
+ value: cloudforms
+- name: V2_KEY
+ displayName: CloudForms Encryption Key
+ required: true
+ description: Encryption Key for CloudForms Passwords
+ from: "[a-zA-Z0-9]{43}"
+ generate: expression
+- name: DATABASE_SERVICE_NAME
+ displayName: PostgreSQL Service Name
+ required: true
+ description: The name of the OpenShift Service exposed for the PostgreSQL container.
+ value: postgresql
+- name: DATABASE_USER
+ displayName: PostgreSQL User
+ required: true
+ description: PostgreSQL user that will access the database.
+ value: root
+- name: DATABASE_PASSWORD
+ displayName: PostgreSQL Password
+ required: true
+ description: Password for the PostgreSQL user.
+ from: "[a-zA-Z0-9]{8}"
+ generate: expression
+- name: DATABASE_IP
+ displayName: PostgreSQL Server IP
+ required: true
+ description: PostgreSQL external server IP used to configure service.
+ value: ''
+- name: DATABASE_PORT
+ displayName: PostgreSQL Server Port
+ required: true
+ description: PostgreSQL external server port used to configure service.
+ value: '5432'
+- name: DATABASE_NAME
+ required: true
+ displayName: PostgreSQL Database Name
+ description: Name of the PostgreSQL database accessed.
+ value: vmdb_production
+- name: DATABASE_REGION
+ required: true
+ displayName: Application Database Region
+ description: Database region that will be used for application.
+ value: '0'
+- name: APPLICATION_ADMIN_PASSWORD
+ displayName: Application Admin Password
+ required: true
+ description: Admin password that will be set on the application.
+ value: smartvm
+- name: ANSIBLE_DATABASE_NAME
+ displayName: Ansible PostgreSQL database name
+ required: true
+ description: The database to be used by the Ansible continer
+ value: awx
+- name: MEMCACHED_SERVICE_NAME
+ required: true
+ displayName: Memcached Service Name
+ description: The name of the OpenShift Service exposed for the Memcached container.
+ value: memcached
+- name: MEMCACHED_MAX_MEMORY
+ displayName: Memcached Max Memory
+ description: Memcached maximum memory for memcached object storage in MB.
+ value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+ displayName: Memcached Max Connections
+ description: Memcached maximum number of connections allowed.
+ value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+ displayName: Memcached Slab Page Size
+ description: Memcached size of each slab page.
+ value: 1m
+- name: ANSIBLE_SERVICE_NAME
+ displayName: Ansible Service Name
+ description: The name of the OpenShift Service exposed for the Ansible container.
+ value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+ displayName: Ansible admin User password
+ required: true
+ description: The password for the Ansible container admin user
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: ANSIBLE_SECRET_KEY
+ displayName: Ansible Secret Key
+ required: true
+ description: Encryption key for the Ansible container
+ from: "[a-f0-9]{32}"
+ generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+ displayName: RabbitMQ Username
+ required: true
+ description: Username for the Ansible RabbitMQ Server
+ value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+ displayName: RabbitMQ Server Password
+ required: true
+ description: Password for the Ansible RabbitMQ Server
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: APPLICATION_CPU_REQ
+ displayName: Application Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+ value: 1000m
+- name: MEMCACHED_CPU_REQ
+ displayName: Memcached Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+ value: 200m
+- name: ANSIBLE_CPU_REQ
+ displayName: Ansible Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+ value: 1000m
+- name: APPLICATION_MEM_REQ
+ displayName: Application Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Application container will need.
+ value: 6144Mi
+- name: MEMCACHED_MEM_REQ
+ displayName: Memcached Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Memcached container will need.
+ value: 64Mi
+- name: ANSIBLE_MEM_REQ
+ displayName: Ansible Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Ansible container will need.
+ value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+ displayName: Application Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Application container can consume.
+ value: 16384Mi
+- name: MEMCACHED_MEM_LIMIT
+ displayName: Memcached Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Memcached container can consume.
+ value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+ displayName: Ansible Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Ansible container can consume.
+ value: 8096Mi
+- name: MEMCACHED_IMG_NAME
+ displayName: Memcached Image Name
+ description: This is the Memcached image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-memcached
+- name: MEMCACHED_IMG_TAG
+ displayName: Memcached Image Tag
+ description: This is the Memcached image tag/version requested to deploy.
+ value: latest
+- name: FRONTEND_APPLICATION_IMG_NAME
+ displayName: Frontend Application Image Name
+ description: This is the Frontend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app-ui
+- name: BACKEND_APPLICATION_IMG_NAME
+ displayName: Backend Application Image Name
+ description: This is the Backend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app
+- name: FRONTEND_APPLICATION_IMG_TAG
+ displayName: Front end Application Image Tag
+ description: This is the CloudForms Frontend Application image tag/version requested to deploy.
+ value: latest
+- name: BACKEND_APPLICATION_IMG_TAG
+ displayName: Back end Application Image Tag
+ description: This is the CloudForms Backend Application image tag/version requested to deploy.
+ value: latest
+- name: ANSIBLE_IMG_NAME
+ displayName: Ansible Image Name
+ description: This is the Ansible image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-embedded-ansible
+- name: ANSIBLE_IMG_TAG
+ displayName: Ansible Image Tag
+ description: This is the Ansible image tag/version requested to deploy.
+ value: latest
+- name: APPLICATION_DOMAIN
+ displayName: Application Hostname
+ description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+ value: ''
+- name: APPLICATION_REPLICA_COUNT
+ displayName: Application Replica Count
+ description: This is the number of Application replicas requested to deploy.
+ value: '1'
+- name: APPLICATION_INIT_DELAY
+ displayName: Application Init Delay
+ required: true
+ description: Delay in seconds before we attempt to initialize the application.
+ value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+ displayName: Application Volume Capacity
+ required: true
+ description: Volume space available for application data.
+ value: 5Gi
+- name: HTTPD_SERVICE_NAME
+ required: true
+ displayName: Apache httpd Service Name
+ description: The name of the OpenShift Service exposed for the httpd container.
+ value: httpd
+- name: HTTPD_DBUS_API_SERVICE_NAME
+ required: true
+ displayName: Apache httpd DBus API Service Name
+ description: The name of httpd dbus api service.
+ value: httpd-dbus-api
+- name: HTTPD_IMG_NAME
+ displayName: Apache httpd Image Name
+ description: This is the httpd image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd
+- name: HTTPD_IMG_TAG
+ displayName: Apache httpd Image Tag
+ description: This is the httpd image tag/version requested to deploy.
+ value: latest
+- name: HTTPD_CONFIG_DIR
+ displayName: Apache httpd Configuration Directory
+ description: Directory used to store the Apache configuration files.
+ value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+ displayName: External Authentication Configuration Directory
+ description: Directory used to store the external authentication configuration files.
+ value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+ displayName: Apache httpd Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+ value: 500m
+- name: HTTPD_MEM_REQ
+ displayName: Apache httpd Min RAM Requested
+ required: true
+ description: Minimum amount of memory the httpd container will need.
+ value: 512Mi
+- name: HTTPD_MEM_LIMIT
+ displayName: Apache httpd Max RAM Limit
+ required: true
+ description: Maximum amount of memory the httpd container can consume.
+ value: 8192Mi
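Review bot: `APPLICATION_ADMIN_PASSWORD` is declared with the fixed default `value: smartvm`, so every instantiation that does not override it gets the same admin password, and that password is readable in this repository. The other credentials in the parameter list (`V2_KEY`, `ANSIBLE_ADMIN_PASSWORD`, `ANSIBLE_RABBITMQ_PASSWORD`) are generated. I would replace the default with `from: "[a-zA-Z0-9]{32}"` and `generate: expression`, as `ANSIBLE_ADMIN_PASSWORD` already does; operators can still read the value from the `${NAME}-secrets` Secret. This matters more because `external-auth-application-api-conf` sets `let_admin_in` under `Satisfy Any`, which appears to leave the application's own password check as the only gate for the admin account on `/api` even when external authentication is configured. If a fixed default has to stay for compatibility, the parameter's `description` should at least say it must be changed before the route is exposed.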
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template.yaml
index 3bc6c5813..5c757b6c2 100644
--- a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template.yaml
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template.yaml
@@ -5,17 +5,308 @@ labels:
metadata:
name: cloudforms
annotations:
- description: "CloudForms appliance with persistent storage"
- tags: "instant-app,cloudforms,cfme"
- iconClass: "icon-rails"
+ description: CloudForms appliance with persistent storage
+ tags: instant-app,cloudforms,cfme
+ iconClass: icon-rails
objects:
- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-orchestrator
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-anyuid
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-privileged
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-httpd
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${NAME}-secrets"
+ stringData:
+ pg-password: "${DATABASE_PASSWORD}"
+ admin-password: "${APPLICATION_ADMIN_PASSWORD}"
+ database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+ v2-key: "${V2_KEY}"
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ stringData:
+ rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+ secret-key: "${ANSIBLE_SECRET_KEY}"
+ admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${DATABASE_SERVICE_NAME}-configs"
+ data:
+ 01_miq_overrides.conf: |
+ #------------------------------------------------------------------------------
+ # CONNECTIONS AND AUTHENTICATION
+ #------------------------------------------------------------------------------
+
+ tcp_keepalives_count = 9
+ tcp_keepalives_idle = 3
+ tcp_keepalives_interval = 75
+
+ #------------------------------------------------------------------------------
+ # RESOURCE USAGE (except WAL)
+ #------------------------------------------------------------------------------
+
+ shared_preload_libraries = 'pglogical,repmgr_funcs'
+ max_worker_processes = 10
+
+ #------------------------------------------------------------------------------
+ # WRITE AHEAD LOG
+ #------------------------------------------------------------------------------
+
+ wal_level = 'logical'
+ wal_log_hints = on
+ wal_buffers = 16MB
+ checkpoint_completion_target = 0.9
+
+ #------------------------------------------------------------------------------
+ # REPLICATION
+ #------------------------------------------------------------------------------
+
+ max_wal_senders = 10
+ wal_sender_timeout = 0
+ max_replication_slots = 10
+ hot_standby = on
+
+ #------------------------------------------------------------------------------
+ # ERROR REPORTING AND LOGGING
+ #------------------------------------------------------------------------------
+
+ log_filename = 'postgresql.log'
+ log_rotation_age = 0
+ log_min_duration_statement = 5000
+ log_connections = on
+ log_disconnections = on
+ log_line_prefix = '%t:%r:%c:%u@%d:[%p]:'
+ log_lock_waits = on
+
+ #------------------------------------------------------------------------------
+ # AUTOVACUUM PARAMETERS
+ #------------------------------------------------------------------------------
+
+ log_autovacuum_min_duration = 0
+ autovacuum_naptime = 5min
+ autovacuum_vacuum_threshold = 500
+ autovacuum_analyze_threshold = 500
+ autovacuum_vacuum_scale_factor = 0.05
+
+ #------------------------------------------------------------------------------
+ # LOCK MANAGEMENT
+ #------------------------------------------------------------------------------
+
+ deadlock_timeout = 5s
+
+ #------------------------------------------------------------------------------
+ # VERSION/PLATFORM COMPATIBILITY
+ #------------------------------------------------------------------------------
+
+ escape_string_warning = off
+ standard_conforming_strings = off
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ data:
+ application.conf: |
+ # Timeout: The number of seconds before receives and sends time out.
+ Timeout 120
+
+ RewriteEngine On
+ Options SymLinksIfOwnerMatch
+
+ <VirtualHost *:80>
+ KeepAlive on
+ # Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
+ ServerName https://%{REQUEST_HOST}
+
+ ProxyPreserveHost on
+
+ RewriteCond %{REQUEST_URI} ^/ws [NC]
+ RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
+ RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
+
+ # For httpd, some ErrorDocuments must by served by the httpd pod
+ RewriteCond %{REQUEST_URI} !^/proxy_pages
+
+ # For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
+ RewriteCond %{REQUEST_URI} !^/saml2
+ RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
+ ProxyPassReverse / http://${NAME}/
+
+ # Ensures httpd stdout/stderr are seen by docker logs.
+ ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
+ CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
+ </VirtualHost>
+ authentication.conf: |
+ # Load appropriate authentication configuration files
+ #
+ Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
+ configuration-internal-auth: |
+ # Internal authentication
+ #
+ configuration-external-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/http.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-active-directory-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/krb5.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-saml-auth: |
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+ <Location />
+ MellonEnable "info"
+
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
+ MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
+ MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
+
+ MellonVariable "sp-cookie"
+ MellonSecureCookie On
+ MellonCookiePath "/"
+
+ MellonIdP "IDP"
+
+ MellonEndpointPath "/saml2"
+
+ MellonUser username
+ MellonMergeEnvVars On
+
+ MellonSetEnvNoPrefix "REMOTE_USER" username
+ MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
+ MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
+ MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
+ MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
+ MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
+ </Location>
+
+ <Location /saml_login>
+ AuthType "Mellon"
+ MellonEnable "auth"
+ Require valid-user
+ </Location>
+
+ Include "conf.d/external-auth-remote-user-conf"
+ external-auth-load-modules-conf: |
+ LoadModule authnz_pam_module modules/mod_authnz_pam.so
+ LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
+ LoadModule auth_kerb_module modules/mod_auth_kerb.so
+ external-auth-login-form-conf: |
+ <Location /dashboard/external_authenticate>
+ InterceptFormPAMService httpd-auth
+ InterceptFormLogin user_name
+ InterceptFormPassword user_password
+ InterceptFormLoginSkip admin
+ InterceptFormClearRemoteUserForSkipped on
+ </Location>
+ external-auth-application-api-conf: |
+ <LocationMatch ^/api>
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
+
+ AuthType Basic
+ AuthName "External Authentication (httpd) for API"
+ AuthBasicProvider PAM
+
+ AuthPAMService httpd-auth
+ Require valid-user
+ Order Allow,Deny
+ Allow from env=let_admin_in
+ Allow from env=let_api_token_in
+ Allow from env=let_sys_token_in
+ Satisfy Any
+ </LocationMatch>
+ external-auth-lookup-user-details-conf: |
+ <LocationMatch ^/dashboard/external_authenticate$|^/dashboard/kerberos_authenticate$|^/api>
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ LookupUserAttr displayname REMOTE_USER_FULLNAME
+ LookupUserAttr domainname REMOTE_USER_DOMAIN
+
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ LookupDbusTimeout 5000
+ </LocationMatch>
+ external-auth-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ data:
+ auth-type: internal
+ auth-kerberos-realms: undefined
+ auth-configuration.conf: |
+ # External Authentication Configuration File
+ #
+ # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
kind: Service
metadata:
annotations:
- description: "Exposes and load balances CloudForms pods"
+ description: Exposes and load balances CloudForms pods
service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
- name: ${NAME}
+ name: "${NAME}"
spec:
clusterIP: None
ports:
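Review bot: In `external-auth-remote-user-conf` only `X_REMOTE_USER` is unset before the identity headers are populated. The other `X_REMOTE_USER_*` headers and `X_EXTERNAL_AUTH_ERROR` are each set only when the matching environment variable exists (`env=...`), so a client-supplied value passes through to the application whenever the lookup yields nothing. The application side is not visible here, but if it reads group or e-mail attributes from these headers, they should all be cleared unconditionally first, as in the fence below. Also, `configuration-internal-auth` includes nothing, so with the default `auth-type: internal` none of these headers is stripped. The Service object that closes this hunk continues in the next one.

```yaml
external-auth-remote-user-conf: |
  RequestHeader unset X_REMOTE_USER
  RequestHeader unset X_EXTERNAL_AUTH_ERROR
  RequestHeader unset X_REMOTE_USER_EMAIL
  RequestHeader unset X_REMOTE_USER_FIRSTNAME
  RequestHeader unset X_REMOTE_USER_LASTNAME
  RequestHeader unset X_REMOTE_USER_FULLNAME
  RequestHeader unset X_REMOTE_USER_GROUPS
  RequestHeader unset X_REMOTE_USER_DOMAIN

  # … unchanged: the RequestHeader set lines …
```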
@@ -23,141 +314,97 @@ objects:
port: 80
protocol: TCP
targetPort: 80
- - name: https
- port: 443
- protocol: TCP
- targetPort: 443
selector:
- name: ${NAME}
+ name: "${NAME}"
- apiVersion: v1
kind: Route
metadata:
- name: ${NAME}
+ name: "${HTTPD_SERVICE_NAME}"
spec:
- host: ${APPLICATION_DOMAIN}
+ host: "${APPLICATION_DOMAIN}"
port:
- targetPort: https
+ targetPort: http
tls:
- termination: passthrough
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
to:
kind: Service
- name: ${NAME}
-- apiVersion: v1
- kind: ImageStream
- metadata:
- name: cfme-openshift-app
- annotations:
- description: "Keeps track of changes in the CloudForms app image"
- spec:
- dockerImageRepository: "${APPLICATION_IMG_NAME}"
-- apiVersion: v1
- kind: ImageStream
- metadata:
- name: cfme-openshift-postgresql
- annotations:
- description: "Keeps track of changes in the CloudForms postgresql image"
- spec:
- dockerImageRepository: "${POSTGRESQL_IMG_NAME}"
-- apiVersion: v1
- kind: ImageStream
- metadata:
- name: cfme-openshift-memcached
- annotations:
- description: "Keeps track of changes in the CloudForms memcached image"
- spec:
- dockerImageRepository: "${MEMCACHED_IMG_NAME}"
+ name: "${HTTPD_SERVICE_NAME}"
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: "${NAME}-${DATABASE_SERVICE_NAME}"
spec:
accessModes:
- - ReadWriteOnce
+ - ReadWriteOnce
resources:
requests:
- storage: ${DATABASE_VOLUME_CAPACITY}
-- apiVersion: v1
- kind: PersistentVolumeClaim
- metadata:
- name: "${NAME}-region"
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: ${APPLICATION_REGION_VOLUME_CAPACITY}
+ storage: "${DATABASE_VOLUME_CAPACITY}"
- apiVersion: apps/v1beta1
- kind: "StatefulSet"
+ kind: StatefulSet
metadata:
- name: ${NAME}
+ name: "${NAME}"
annotations:
- description: "Defines how to deploy the CloudForms appliance"
+ description: Defines how to deploy the CloudForms appliance
spec:
serviceName: "${NAME}"
- replicas: 1
+ replicas: "${APPLICATION_REPLICA_COUNT}"
template:
metadata:
labels:
- name: ${NAME}
- name: ${NAME}
+ name: "${NAME}"
+ name: "${NAME}"
spec:
containers:
- name: cloudforms
- image: "${APPLICATION_IMG_NAME}:${APPLICATION_IMG_TAG}"
+ image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
livenessProbe:
- tcpSocket:
- port: 443
+ exec:
+ command:
+ - pidof
+ - MIQ Server
initialDelaySeconds: 480
timeoutSeconds: 3
readinessProbe:
- httpGet:
- path: /
- port: 443
- scheme: HTTPS
+ tcpSocket:
+ port: 80
initialDelaySeconds: 200
timeoutSeconds: 3
ports:
- containerPort: 80
protocol: TCP
- - containerPort: 443
- protocol: TCP
- securityContext:
- privileged: true
volumeMounts:
- -
- name: "${NAME}-server"
- mountPath: "/persistent"
- -
- name: "${NAME}-region"
- mountPath: "/persistent-region"
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
env:
- -
- name: "APPLICATION_INIT_DELAY"
- value: "${APPLICATION_INIT_DELAY}"
- -
- name: "DATABASE_SERVICE_NAME"
- value: "${DATABASE_SERVICE_NAME}"
- -
- name: "DATABASE_REGION"
- value: "${DATABASE_REGION}"
- -
- name: "MEMCACHED_SERVICE_NAME"
- value: "${MEMCACHED_SERVICE_NAME}"
- -
- name: "POSTGRESQL_USER"
- value: "${DATABASE_USER}"
- -
- name: "POSTGRESQL_PASSWORD"
- value: "${DATABASE_PASSWORD}"
- -
- name: "POSTGRESQL_DATABASE"
- value: "${DATABASE_NAME}"
- -
- name: "POSTGRESQL_MAX_CONNECTIONS"
- value: "${POSTGRESQL_MAX_CONNECTIONS}"
- -
- name: "POSTGRESQL_SHARED_BUFFERS"
- value: "${POSTGRESQL_SHARED_BUFFERS}"
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_REGION
+ value: "${DATABASE_REGION}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: APPLICATION_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: admin-password
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
resources:
requests:
memory: "${APPLICATION_MEM_REQ}"
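Review bot: Switching the Route to `termination: edge` with `targetPort: http` leaves both in-cluster hops unencrypted (router to httpd, and httpd to the `${NAME}` service on port 80), and the same change removes port 443 from the service and the pod. Login form posts, Basic credentials for `/api` and the `X_REMOTE_USER*` identity headers set by httpd therefore cross the pod network in clear text. Nothing in the template limits which workloads can reach port 80 of the application pods without passing through httpd. If that is intended, the template should say so and ship a network policy that admits only the httpd pods; otherwise `termination: reencrypt` with a TLS listener on httpd keeps the router hop protected. The StatefulSet body continues outside this hunk.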
@@ -168,59 +415,128 @@ objects:
preStop:
exec:
command:
- - /opt/rh/cfme-container-scripts/sync-pv-data
- volumes:
- -
- name: "${NAME}-region"
- persistentVolumeClaim:
- claimName: ${NAME}-region
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
volumeClaimTemplates:
- - metadata:
- name: "${NAME}-server"
- annotations:
- # Uncomment this if using dynamic volume provisioning.
- # https://docs.openshift.org/latest/install_config/persistent_storage/dynamically_provisioning_pvs.html
- # volume.alpha.kubernetes.io/storage-class: anything
- spec:
- accessModes: [ ReadWriteOnce ]
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Headless service for CloudForms backend pods
+ name: "${NAME}-backend"
+ spec:
+ clusterIP: None
+ selector:
+ name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+ kind: StatefulSet
+ metadata:
+ name: "${NAME}-backend"
+ annotations:
+ description: Defines how to deploy the CloudForms appliance
+ spec:
+ serviceName: "${NAME}-backend"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${NAME}-backend"
+ name: "${NAME}-backend"
+ spec:
+ containers:
+ - name: cloudforms
+ image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - MIQ Server
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
+ env:
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: MIQ_SERVER_DEFAULT_ROLES
+ value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+ - name: FRONTEND_SERVICE_NAME
+ value: "${NAME}"
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
resources:
requests:
- storage: "${APPLICATION_VOLUME_CAPACITY}"
+ memory: "${APPLICATION_MEM_REQ}"
+ cpu: "${APPLICATION_CPU_REQ}"
+ limits:
+ memory: "${APPLICATION_MEM_LIMIT}"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
+ volumeClaimTemplates:
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
- apiVersion: v1
- kind: "Service"
+ kind: Service
metadata:
name: "${MEMCACHED_SERVICE_NAME}"
annotations:
- description: "Exposes the memcached server"
+ description: Exposes the memcached server
spec:
ports:
- -
- name: "memcached"
- port: 11211
- targetPort: 11211
+ - name: memcached
+ port: 11211
+ targetPort: 11211
selector:
name: "${MEMCACHED_SERVICE_NAME}"
- apiVersion: v1
- kind: "DeploymentConfig"
+ kind: DeploymentConfig
metadata:
name: "${MEMCACHED_SERVICE_NAME}"
annotations:
- description: "Defines how to deploy memcached"
+ description: Defines how to deploy memcached
spec:
strategy:
- type: "Recreate"
+ type: Recreate
triggers:
- -
- type: "ImageChange"
- imageChangeParams:
- automatic: true
- containerNames:
- - "memcached"
- from:
- kind: "ImageStreamTag"
- name: "cfme-openshift-memcached:${MEMCACHED_IMG_TAG}"
- -
- type: "ConfigChange"
+ - type: ConfigChange
replicas: 1
selector:
name: "${MEMCACHED_SERVICE_NAME}"
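Review bot: Dropping the `ImageChange` trigger from the memcached DeploymentConfig here, and from the postgresql one in the next hunk, means both run whatever their `${..._IMG_NAME}:${..._IMG_TAG}` reference resolves to at pull time, with no ImageStream recording which image was deployed. The removed parameter block defaulted these tags to `latest`; the new defaults are outside this view, but on a moving tag a changed upstream image is rolled in on the next pod restart without review. I would have each tag parameter description state the expectation, for example `description: Image tag to deploy; set a fixed version rather than a moving tag such as latest.` Separately, the two `annotations:` keys under `volumeClaimTemplates` are now empty and parse as null; drop them or write `annotations: {}`. The hunk starts inside the frontend StatefulSet and ends inside the memcached DeploymentConfig.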
@@ -232,74 +548,58 @@ objects:
spec:
volumes: []
containers:
- -
- name: "memcached"
- image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
- ports:
- -
- containerPort: 11211
- readinessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 5
- tcpSocket:
- port: 11211
- livenessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 30
- tcpSocket:
- port: 11211
- volumeMounts: []
- env:
- -
- name: "MEMCACHED_MAX_MEMORY"
- value: "${MEMCACHED_MAX_MEMORY}"
- -
- name: "MEMCACHED_MAX_CONNECTIONS"
- value: "${MEMCACHED_MAX_CONNECTIONS}"
- -
- name: "MEMCACHED_SLAB_PAGE_SIZE"
- value: "${MEMCACHED_SLAB_PAGE_SIZE}"
- resources:
- requests:
- memory: "${MEMCACHED_MEM_REQ}"
- cpu: "${MEMCACHED_CPU_REQ}"
- limits:
- memory: "${MEMCACHED_MEM_LIMIT}"
+ - name: memcached
+ image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+ ports:
+ - containerPort: 11211
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 5
+ tcpSocket:
+ port: 11211
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 30
+ tcpSocket:
+ port: 11211
+ volumeMounts: []
+ env:
+ - name: MEMCACHED_MAX_MEMORY
+ value: "${MEMCACHED_MAX_MEMORY}"
+ - name: MEMCACHED_MAX_CONNECTIONS
+ value: "${MEMCACHED_MAX_CONNECTIONS}"
+ - name: MEMCACHED_SLAB_PAGE_SIZE
+ value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+ resources:
+ requests:
+ memory: "${MEMCACHED_MEM_REQ}"
+ cpu: "${MEMCACHED_CPU_REQ}"
+ limits:
+ memory: "${MEMCACHED_MEM_LIMIT}"
- apiVersion: v1
- kind: "Service"
+ kind: Service
metadata:
name: "${DATABASE_SERVICE_NAME}"
annotations:
- description: "Exposes the database server"
+ description: Exposes the database server
spec:
ports:
- -
- name: "postgresql"
- port: 5432
- targetPort: 5432
+ - name: postgresql
+ port: 5432
+ targetPort: 5432
selector:
name: "${DATABASE_SERVICE_NAME}"
- apiVersion: v1
- kind: "DeploymentConfig"
+ kind: DeploymentConfig
metadata:
name: "${DATABASE_SERVICE_NAME}"
annotations:
- description: "Defines how to deploy the database"
+ description: Defines how to deploy the database
spec:
strategy:
- type: "Recreate"
+ type: Recreate
triggers:
- -
- type: "ImageChange"
- imageChangeParams:
- automatic: true
- containerNames:
- - "postgresql"
- from:
- kind: "ImageStreamTag"
- name: "cfme-openshift-postgresql:${POSTGRESQL_IMG_TAG}"
- -
- type: "ConfigChange"
+ - type: ConfigChange
replicas: 1
selector:
name: "${DATABASE_SERVICE_NAME}"
@@ -310,236 +610,524 @@ objects:
name: "${DATABASE_SERVICE_NAME}"
spec:
volumes:
- -
- name: "cfme-pgdb-volume"
- persistentVolumeClaim:
- claimName: "${NAME}-${DATABASE_SERVICE_NAME}"
+ - name: cfme-pgdb-volume
+ persistentVolumeClaim:
+ claimName: "${NAME}-${DATABASE_SERVICE_NAME}"
+ - name: cfme-pg-configs
+ configMap:
+ name: "${DATABASE_SERVICE_NAME}-configs"
containers:
- -
- name: "postgresql"
- image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"
- ports:
- -
- containerPort: 5432
- readinessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 15
+ - name: postgresql
+ image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"
+ ports:
+ - containerPort: 5432
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 15
+ exec:
+ command:
+ - "/bin/sh"
+ - "-i"
+ - "-c"
+ - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 60
+ tcpSocket:
+ port: 5432
+ volumeMounts:
+ - name: cfme-pgdb-volume
+ mountPath: "/var/lib/pgsql/data"
+ - name: cfme-pg-configs
+ mountPath: "${POSTGRESQL_CONFIG_DIR}"
+ env:
+ - name: POSTGRESQL_USER
+ value: "${DATABASE_USER}"
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: pg-password
+ - name: POSTGRESQL_DATABASE
+ value: "${DATABASE_NAME}"
+ - name: POSTGRESQL_MAX_CONNECTIONS
+ value: "${POSTGRESQL_MAX_CONNECTIONS}"
+ - name: POSTGRESQL_SHARED_BUFFERS
+ value: "${POSTGRESQL_SHARED_BUFFERS}"
+ - name: POSTGRESQL_CONFIG_DIR
+ value: "${POSTGRESQL_CONFIG_DIR}"
+ resources:
+ requests:
+ memory: "${POSTGRESQL_MEM_REQ}"
+ cpu: "${POSTGRESQL_CPU_REQ}"
+ limits:
+ memory: "${POSTGRESQL_MEM_LIMIT}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances Ansible pods
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy the Ansible appliance
+ spec:
+ strategy:
+ type: Recreate
+ serviceName: "${ANSIBLE_SERVICE_NAME}"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ containers:
+ - name: ansible
+ image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+ livenessProbe:
+ tcpSocket:
+ port: 443
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 200
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 443
+ protocol: TCP
+ securityContext:
+ privileged: true
+ env:
+ - name: ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ - name: RABBITMQ_USER_NAME
+ value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+ - name: RABBITMQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: rabbit-password
+ - name: ANSIBLE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: secret-key
+ - name: DATABASE_SERVICE_NAME
+ value: "${DATABASE_SERVICE_NAME}"
+ - name: POSTGRESQL_USER
+ value: "${DATABASE_USER}"
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: pg-password
+ - name: POSTGRESQL_DATABASE
+ value: "${ANSIBLE_DATABASE_NAME}"
+ resources:
+ requests:
+ memory: "${ANSIBLE_MEM_REQ}"
+ cpu: "${ANSIBLE_CPU_REQ}"
+ limits:
+ memory: "${ANSIBLE_MEM_LIMIT}"
+ serviceAccount: cfme-privileged
+ serviceAccountName: cfme-privileged
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_DBUS_API_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server dbus api
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http-dbus-api
+ port: 8080
+ targetPort: 8080
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy httpd
+ spec:
+ strategy:
+ type: Recreate
+ recreateParams:
+ timeoutSeconds: 1200
+ triggers:
+ - type: ConfigChange
+ replicas: 1
+ selector:
+ name: "${HTTPD_SERVICE_NAME}"
+ template:
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ labels:
+ name: "${HTTPD_SERVICE_NAME}"
+ spec:
+ volumes:
+ - name: httpd-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ - name: httpd-auth-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ containers:
+ - name: httpd
+ image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - httpd
+ initialDelaySeconds: 15
+ timeoutSeconds: 3
+ readinessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 10
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: httpd-config
+ mountPath: "${HTTPD_CONFIG_DIR}"
+ - name: httpd-auth-config
+ mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+ resources:
+ requests:
+ memory: "${HTTPD_MEM_REQ}"
+ cpu: "${HTTPD_CPU_REQ}"
+ limits:
+ memory: "${HTTPD_MEM_LIMIT}"
+ env:
+ - name: HTTPD_AUTH_TYPE
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-type
+ - name: HTTPD_AUTH_KERBEROS_REALMS
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-kerberos-realms
+ lifecycle:
+ postStart:
exec:
command:
- - "/bin/sh"
- - "-i"
- - "-c"
- - "psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'"
- livenessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 60
- tcpSocket:
- port: 5432
- volumeMounts:
- -
- name: "cfme-pgdb-volume"
- mountPath: "/var/lib/pgsql/data"
- env:
- -
- name: "POSTGRESQL_USER"
- value: "${DATABASE_USER}"
- -
- name: "POSTGRESQL_PASSWORD"
- value: "${DATABASE_PASSWORD}"
- -
- name: "POSTGRESQL_DATABASE"
- value: "${DATABASE_NAME}"
- -
- name: "POSTGRESQL_MAX_CONNECTIONS"
- value: "${POSTGRESQL_MAX_CONNECTIONS}"
- -
- name: "POSTGRESQL_SHARED_BUFFERS"
- value: "${POSTGRESQL_SHARED_BUFFERS}"
- resources:
- requests:
- memory: "${POSTGRESQL_MEM_REQ}"
- cpu: "${POSTGRESQL_CPU_REQ}"
- limits:
- memory: "${POSTGRESQL_MEM_LIMIT}"
-
+ - "/usr/bin/save-container-environment"
+ serviceAccount: cfme-httpd
+ serviceAccountName: cfme-httpd
parameters:
- -
- name: "NAME"
- displayName: Name
- required: true
- description: "The name assigned to all of the frontend objects defined in this template."
- value: cloudforms
- -
- name: "DATABASE_SERVICE_NAME"
- displayName: "PostgreSQL Service Name"
- required: true
- description: "The name of the OpenShift Service exposed for the PostgreSQL container."
- value: "postgresql"
- -
- name: "DATABASE_USER"
- displayName: "PostgreSQL User"
- required: true
- description: "PostgreSQL user that will access the database."
- value: "root"
- -
- name: "DATABASE_PASSWORD"
- displayName: "PostgreSQL Password"
- required: true
- description: "Password for the PostgreSQL user."
- value: "smartvm"
- -
- name: "DATABASE_NAME"
- required: true
- displayName: "PostgreSQL Database Name"
- description: "Name of the PostgreSQL database accessed."
- value: "vmdb_production"
- -
- name: "DATABASE_REGION"
- required: true
- displayName: "Application Database Region"
- description: "Database region that will be used for application."
- value: "0"
- -
- name: "MEMCACHED_SERVICE_NAME"
- required: true
- displayName: "Memcached Service Name"
- description: "The name of the OpenShift Service exposed for the Memcached container."
- value: "memcached"
- -
- name: "MEMCACHED_MAX_MEMORY"
- displayName: "Memcached Max Memory"
- description: "Memcached maximum memory for memcached object storage in MB."
- value: "64"
- -
- name: "MEMCACHED_MAX_CONNECTIONS"
- displayName: "Memcached Max Connections"
- description: "Memcached maximum number of connections allowed."
- value: "1024"
- -
- name: "MEMCACHED_SLAB_PAGE_SIZE"
- displayName: "Memcached Slab Page Size"
- description: "Memcached size of each slab page."
- value: "1m"
- -
- name: "POSTGRESQL_MAX_CONNECTIONS"
- displayName: "PostgreSQL Max Connections"
- description: "PostgreSQL maximum number of database connections allowed."
- value: "100"
- -
- name: "POSTGRESQL_SHARED_BUFFERS"
- displayName: "PostgreSQL Shared Buffer Amount"
- description: "Amount of memory dedicated for PostgreSQL shared memory buffers."
- value: "256MB"
- -
- name: "APPLICATION_CPU_REQ"
- displayName: "Application Min CPU Requested"
- required: true
- description: "Minimum amount of CPU time the Application container will need (expressed in millicores)."
- value: "1000m"
- -
- name: "POSTGRESQL_CPU_REQ"
- displayName: "PostgreSQL Min CPU Requested"
- required: true
- description: "Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores)."
- value: "500m"
- -
- name: "MEMCACHED_CPU_REQ"
- displayName: "Memcached Min CPU Requested"
- required: true
- description: "Minimum amount of CPU time the Memcached container will need (expressed in millicores)."
- value: "200m"
- -
- name: "APPLICATION_MEM_REQ"
- displayName: "Application Min RAM Requested"
- required: true
- description: "Minimum amount of memory the Application container will need."
- value: "6144Mi"
- -
- name: "POSTGRESQL_MEM_REQ"
- displayName: "PostgreSQL Min RAM Requested"
- required: true
- description: "Minimum amount of memory the PostgreSQL container will need."
- value: "1024Mi"
- -
- name: "MEMCACHED_MEM_REQ"
- displayName: "Memcached Min RAM Requested"
- required: true
- description: "Minimum amount of memory the Memcached container will need."
- value: "64Mi"
- -
- name: "APPLICATION_MEM_LIMIT"
- displayName: "Application Max RAM Limit"
- required: true
- description: "Maximum amount of memory the Application container can consume."
- value: "16384Mi"
- -
- name: "POSTGRESQL_MEM_LIMIT"
- displayName: "PostgreSQL Max RAM Limit"
- required: true
- description: "Maximum amount of memory the PostgreSQL container can consume."
- value: "8192Mi"
- -
- name: "MEMCACHED_MEM_LIMIT"
- displayName: "Memcached Max RAM Limit"
- required: true
- description: "Maximum amount of memory the Memcached container can consume."
- value: "256Mi"
- -
- name: "POSTGRESQL_IMG_NAME"
- displayName: "PostgreSQL Image Name"
- description: "This is the PostgreSQL image name requested to deploy."
- value: "registry.access.redhat.com/cloudforms45/cfme-openshift-postgresql"
- -
- name: "POSTGRESQL_IMG_TAG"
- displayName: "PostgreSQL Image Tag"
- description: "This is the PostgreSQL image tag/version requested to deploy."
- value: "latest"
- -
- name: "MEMCACHED_IMG_NAME"
- displayName: "Memcached Image Name"
- description: "This is the Memcached image name requested to deploy."
- value: "registry.access.redhat.com/cloudforms45/cfme-openshift-memcached"
- -
- name: "MEMCACHED_IMG_TAG"
- displayName: "Memcached Image Tag"
- description: "This is the Memcached image tag/version requested to deploy."
- value: "latest"
- -
- name: "APPLICATION_IMG_NAME"
- displayName: "Application Image Name"
- description: "This is the Application image name requested to deploy."
- value: "registry.access.redhat.com/cloudforms45/cfme-openshift-app"
- -
- name: "APPLICATION_IMG_TAG"
- displayName: "Application Image Tag"
- description: "This is the Application image tag/version requested to deploy."
- value: "latest"
- -
- name: "APPLICATION_DOMAIN"
- displayName: "Application Hostname"
- description: "The exposed hostname that will route to the application service, if left blank a value will be defaulted."
- value: ""
- -
- name: "APPLICATION_INIT_DELAY"
- displayName: "Application Init Delay"
- required: true
- description: "Delay in seconds before we attempt to initialize the application."
- value: "15"
- -
- name: "APPLICATION_VOLUME_CAPACITY"
- displayName: "Application Volume Capacity"
- required: true
- description: "Volume space available for application data."
- value: "5Gi"
- -
- name: "APPLICATION_REGION_VOLUME_CAPACITY"
- displayName: "Application Region Volume Capacity"
- required: true
- description: "Volume space available for region application data."
- value: "5Gi"
- -
- name: "DATABASE_VOLUME_CAPACITY"
- displayName: "Database Volume Capacity"
- required: true
- description: "Volume space available for database."
- value: "15Gi"
+- name: NAME
+ displayName: Name
+ required: true
+ description: The name assigned to all of the frontend objects defined in this template.
+ value: cloudforms
+- name: V2_KEY
+ displayName: CloudForms Encryption Key
+ required: true
+ description: Encryption Key for CloudForms Passwords
+ from: "[a-zA-Z0-9]{43}"
+ generate: expression
+- name: DATABASE_SERVICE_NAME
+ displayName: PostgreSQL Service Name
+ required: true
+ description: The name of the OpenShift Service exposed for the PostgreSQL container.
+ value: postgresql
+- name: DATABASE_USER
+ displayName: PostgreSQL User
+ required: true
+ description: PostgreSQL user that will access the database.
+ value: root
+- name: DATABASE_PASSWORD
+ displayName: PostgreSQL Password
+ required: true
+ description: Password for the PostgreSQL user.
+ from: "[a-zA-Z0-9]{8}"
+ generate: expression
+- name: DATABASE_NAME
+ required: true
+ displayName: PostgreSQL Database Name
+ description: Name of the PostgreSQL database accessed.
+ value: vmdb_production
+- name: DATABASE_REGION
+ required: true
+ displayName: Application Database Region
+ description: Database region that will be used for application.
+ value: '0'
+- name: APPLICATION_ADMIN_PASSWORD
+ displayName: Application Admin Password
+ required: true
+ description: Admin password that will be set on the application.
+ value: smartvm
+- name: ANSIBLE_DATABASE_NAME
+ displayName: Ansible PostgreSQL database name
+ required: true
+ description: The database to be used by the Ansible continer
+ value: awx
+- name: MEMCACHED_SERVICE_NAME
+ required: true
+ displayName: Memcached Service Name
+ description: The name of the OpenShift Service exposed for the Memcached container.
+ value: memcached
+- name: MEMCACHED_MAX_MEMORY
+ displayName: Memcached Max Memory
+ description: Memcached maximum memory for memcached object storage in MB.
+ value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+ displayName: Memcached Max Connections
+ description: Memcached maximum number of connections allowed.
+ value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+ displayName: Memcached Slab Page Size
+ description: Memcached size of each slab page.
+ value: 1m
+- name: POSTGRESQL_CONFIG_DIR
+ displayName: PostgreSQL Configuration Overrides
+ description: Directory used to store PostgreSQL configuration overrides.
+ value: "/var/lib/pgsql/conf.d"
+- name: POSTGRESQL_MAX_CONNECTIONS
+ displayName: PostgreSQL Max Connections
+ description: PostgreSQL maximum number of database connections allowed.
+ value: '1000'
+- name: POSTGRESQL_SHARED_BUFFERS
+ displayName: PostgreSQL Shared Buffer Amount
+ description: Amount of memory dedicated for PostgreSQL shared memory buffers.
+ value: 1GB
+- name: ANSIBLE_SERVICE_NAME
+ displayName: Ansible Service Name
+ description: The name of the OpenShift Service exposed for the Ansible container.
+ value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+ displayName: Ansible admin User password
+ required: true
+ description: The password for the Ansible container admin user
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: ANSIBLE_SECRET_KEY
+ displayName: Ansible Secret Key
+ required: true
+ description: Encryption key for the Ansible container
+ from: "[a-f0-9]{32}"
+ generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+ displayName: RabbitMQ Username
+ required: true
+ description: Username for the Ansible RabbitMQ Server
+ value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+ displayName: RabbitMQ Server Password
+ required: true
+ description: Password for the Ansible RabbitMQ Server
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: APPLICATION_CPU_REQ
+ displayName: Application Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+ value: 1000m
+- name: POSTGRESQL_CPU_REQ
+ displayName: PostgreSQL Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores).
+ value: 500m
+- name: MEMCACHED_CPU_REQ
+ displayName: Memcached Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+ value: 200m
+- name: ANSIBLE_CPU_REQ
+ displayName: Ansible Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+ value: 1000m
+- name: APPLICATION_MEM_REQ
+ displayName: Application Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Application container will need.
+ value: 6144Mi
+- name: POSTGRESQL_MEM_REQ
+ displayName: PostgreSQL Min RAM Requested
+ required: true
+ description: Minimum amount of memory the PostgreSQL container will need.
+ value: 4Gi
+- name: MEMCACHED_MEM_REQ
+ displayName: Memcached Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Memcached container will need.
+ value: 64Mi
+- name: ANSIBLE_MEM_REQ
+ displayName: Ansible Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Ansible container will need.
+ value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+ displayName: Application Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Application container can consume.
+ value: 16384Mi
+- name: POSTGRESQL_MEM_LIMIT
+ displayName: PostgreSQL Max RAM Limit
+ required: true
+ description: Maximum amount of memory the PostgreSQL container can consume.
+ value: 8Gi
+- name: MEMCACHED_MEM_LIMIT
+ displayName: Memcached Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Memcached container can consume.
+ value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+ displayName: Ansible Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Ansible container can consume.
+ value: 8096Mi
+- name: POSTGRESQL_IMG_NAME
+ displayName: PostgreSQL Image Name
+ description: This is the PostgreSQL image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql
+- name: POSTGRESQL_IMG_TAG
+ displayName: PostgreSQL Image Tag
+ description: This is the PostgreSQL image tag/version requested to deploy.
+ value: latest
+- name: MEMCACHED_IMG_NAME
+ displayName: Memcached Image Name
+ description: This is the Memcached image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-memcached
+- name: MEMCACHED_IMG_TAG
+ displayName: Memcached Image Tag
+ description: This is the Memcached image tag/version requested to deploy.
+ value: latest
+- name: FRONTEND_APPLICATION_IMG_NAME
+ displayName: Frontend Application Image Name
+ description: This is the Frontend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app-ui
+- name: BACKEND_APPLICATION_IMG_NAME
+ displayName: Backend Application Image Name
+ description: This is the Backend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app
+- name: FRONTEND_APPLICATION_IMG_TAG
+ displayName: Front end Application Image Tag
+ description: This is the CloudForms Frontend Application image tag/version requested to deploy.
+ value: latest
+- name: BACKEND_APPLICATION_IMG_TAG
+ displayName: Back end Application Image Tag
+ description: This is the CloudForms Backend Application image tag/version requested to deploy.
+ value: latest
+- name: ANSIBLE_IMG_NAME
+ displayName: Ansible Image Name
+ description: This is the Ansible image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-embedded-ansible
+- name: ANSIBLE_IMG_TAG
+ displayName: Ansible Image Tag
+ description: This is the Ansible image tag/version requested to deploy.
+ value: latest
+- name: APPLICATION_DOMAIN
+ displayName: Application Hostname
+ description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+ value: ''
+- name: APPLICATION_REPLICA_COUNT
+ displayName: Application Replica Count
+ description: This is the number of Application replicas requested to deploy.
+ value: '1'
+- name: APPLICATION_INIT_DELAY
+ displayName: Application Init Delay
+ required: true
+ description: Delay in seconds before we attempt to initialize the application.
+ value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+ displayName: Application Volume Capacity
+ required: true
+ description: Volume space available for application data.
+ value: 5Gi
+- name: DATABASE_VOLUME_CAPACITY
+ displayName: Database Volume Capacity
+ required: true
+ description: Volume space available for database.
+ value: 15Gi
+- name: HTTPD_SERVICE_NAME
+ required: true
+ displayName: Apache httpd Service Name
+ description: The name of the OpenShift Service exposed for the httpd container.
+ value: httpd
+- name: HTTPD_DBUS_API_SERVICE_NAME
+ required: true
+ displayName: Apache httpd DBus API Service Name
+ description: The name of httpd dbus api service.
+ value: httpd-dbus-api
+- name: HTTPD_IMG_NAME
+ displayName: Apache httpd Image Name
+ description: This is the httpd image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd
+- name: HTTPD_IMG_TAG
+ displayName: Apache httpd Image Tag
+ description: This is the httpd image tag/version requested to deploy.
+ value: latest
+- name: HTTPD_CONFIG_DIR
+ displayName: Apache Configuration Directory
+ description: Directory used to store the Apache configuration files.
+ value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+ displayName: External Authentication Configuration Directory
+ description: Directory used to store the external authentication configuration files.
+ value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+ displayName: Apache httpd Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+ value: 500m
+- name: HTTPD_MEM_REQ
+ displayName: Apache httpd Min RAM Requested
+ required: true
+ description: Minimum amount of memory the httpd container will need.
+ value: 512Mi
+- name: HTTPD_MEM_LIMIT
+ displayName: Apache httpd Max RAM Limit
+ required: true
+ description: Maximum amount of memory the httpd container can consume.
+ value: 8192Mi
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-job.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-job.yaml
new file mode 100644
index 000000000..48d1d4e26
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-job.yaml
@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cloudforms-backup
+spec:
+ template:
+ metadata:
+ name: cloudforms-backup
+ spec:
+ containers:
+ - name: postgresql
+ image: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql:latest
+ command:
+ - "/opt/rh/cfme-container-scripts/backup_db"
+ env:
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: cloudforms-secrets
+ key: database-url
+ volumeMounts:
+ - name: cfme-backup-vol
+ mountPath: "/backups"
+ volumes:
+ - name: cfme-backup-vol
+ persistentVolumeClaim:
+ claimName: cloudforms-backup
+ restartPolicy: Never
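Review bot: The `image:` line runs the backup container from `cloudforms46-beta/cfme-openshift-postgresql:latest`, a mutable tag, so the code that receives `DATABASE_URL` can change between runs without any change to this manifest. In the template, the `database-url` secret embeds the database user and password. Pin a released tag or a digest, for example `image: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql@sha256:<digest-placeholder>`, and keep it aligned with the PostgreSQL image the template deploys. The `image:` line in cfme-restore-job.yaml has the same issue. The container also declares no `resources` requests or limits, unlike the containers in the template.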
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-pvc.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-pvc.yaml
new file mode 100644
index 000000000..92598ce82
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-pvc.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: cloudforms-backup
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 15Gi
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-backup-example.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-backup-example.yaml
new file mode 100644
index 000000000..4fe349897
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-backup-example.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: cfme-pv03
+spec:
+ capacity:
+ storage: 15Gi
+ accessModes:
+ - ReadWriteOnce
+ nfs:
+ path: "/exports/cfme-pv03"
+ server: "<your-nfs-host-here>"
+ persistentVolumeReclaimPolicy: Retain
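Review bot: This PersistentVolume has no `claimRef`, so any PersistentVolumeClaim in any project that asks for a matching size and access mode can bind it. With `persistentVolumeReclaimPolicy: Retain`, the database backups stay on the export after release. Reserving the volume for the backup claim closes that gap: add `claimRef:` with `namespace: <your-cfme-project>` and `name: cloudforms-backup`, the claim name used in cfme-backup-pvc.yaml. The PV objects in cfme-pv-db-example.yaml and cfme-pv-server-example.yaml are also created without a `claimRef`; there it would need namespace and claim-name parameters. Separately, `cfme-pv03` and `/exports/cfme-pv03` are the name and path the server PV example used before this commit, so a cluster that created the old example may already have this PV backing application data.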
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-db-example.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-db-example.yaml
index 250a99b8d..0cdd821b5 100644
--- a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-db-example.yaml
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-db-example.yaml
@@ -1,13 +1,38 @@
apiVersion: v1
-kind: PersistentVolume
+kind: Template
+labels:
+ template: cloudforms-db-pv
metadata:
- name: cfme-pv01
-spec:
- capacity:
- storage: 15Gi
- accessModes:
+ name: cloudforms-db-pv
+ annotations:
+ description: PV Template for CFME PostgreSQL DB
+ tags: PVS, CFME
+objects:
+- apiVersion: v1
+ kind: PersistentVolume
+ metadata:
+ name: cfme-db
+ spec:
+ capacity:
+ storage: "${PV_SIZE}"
+ accessModes:
- ReadWriteOnce
- nfs:
- path: /exports/cfme-pv01
- server: <your-nfs-host-here>
- persistentVolumeReclaimPolicy: Retain
+ nfs:
+ path: "${BASE_PATH}/cfme-db"
+ server: "${NFS_HOST}"
+ persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+ displayName: PV Size for DB
+ required: true
+ description: The size of the CFME DB PV given in Gi
+ value: 15Gi
+- name: BASE_PATH
+ displayName: Exports Directory Base Path
+ required: true
+ description: The parent directory of your NFS exports
+ value: "/exports"
+- name: NFS_HOST
+ displayName: NFS Server Hostname
+ required: true
+ description: The hostname or IP address of the NFS server
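Review bot: `name: cfme-db` is a literal inside a Template, and PersistentVolumes are cluster-scoped, so processing this template for a second CloudForms deployment on the same cluster fails with a name conflict even though size, base path and host are parameters. Consider deriving the name from a parameter, for example `name: "${PV_NAME}"` with a `PV_NAME` parameter whose default is `cfme-db`, and reusing it for the `cfme-db` suffix in `nfs.path`. cfme-pv-server-example.yaml follows the same pattern with `cfme-app`.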
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-region-example.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-region-example.yaml
deleted file mode 100644
index cba9bbe35..000000000
--- a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-region-example.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: cfme-pv02
-spec:
- capacity:
- storage: 5Gi
- accessModes:
- - ReadWriteOnce
- nfs:
- path: /exports/cfme-pv02
- server: <your-nfs-host-here>
- persistentVolumeReclaimPolicy: Retain
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-server-example.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-server-example.yaml
index c08c21265..527090ae8 100644
--- a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-server-example.yaml
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-server-example.yaml
@@ -1,13 +1,38 @@
apiVersion: v1
-kind: PersistentVolume
+kind: Template
+labels:
+ template: cloudforms-app-pv
metadata:
- name: cfme-pv03
-spec:
- capacity:
- storage: 5Gi
- accessModes:
+ name: cloudforms-app-pv
+ annotations:
+ description: PV Template for CFME Server
+ tags: PVS, CFME
+objects:
+- apiVersion: v1
+ kind: PersistentVolume
+ metadata:
+ name: cfme-app
+ spec:
+ capacity:
+ storage: "${PV_SIZE}"
+ accessModes:
- ReadWriteOnce
- nfs:
- path: /exports/cfme-pv03
- server: <your-nfs-host-here>
- persistentVolumeReclaimPolicy: Retain
+ nfs:
+ path: "${BASE_PATH}/cfme-app"
+ server: "${NFS_HOST}"
+ persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+ displayName: PV Size for App
+ required: true
+ description: The size of the CFME APP PV given in Gi
+ value: 5Gi
+- name: BASE_PATH
+ displayName: Exports Directory Base Path
+ required: true
+ description: The parent directory of your NFS exports
+ value: "/exports"
+- name: NFS_HOST
+ displayName: NFS Server Hostname
+ required: true
+ description: The hostname or IP address of the NFS server
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-restore-job.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-restore-job.yaml
new file mode 100644
index 000000000..7fd4fc2e1
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-restore-job.yaml
@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cloudforms-restore
+spec:
+ template:
+ metadata:
+ name: cloudforms-restore
+ spec:
+ containers:
+ - name: postgresql
+ image: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql:latest
+ command:
+ - "/opt/rh/cfme-container-scripts/restore_db"
+ env:
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: cloudforms-secrets
+ key: database-url
+ - name: BACKUP_VERSION
+ value: latest
+ volumeMounts:
+ - name: cfme-backup-vol
+ mountPath: "/backups"
+ - name: cfme-prod-vol
+ mountPath: "/restore"
+ volumes:
+ - name: cfme-backup-vol
+ persistentVolumeClaim:
+ claimName: cloudforms-backup
+ - name: cfme-prod-vol
+ persistentVolumeClaim:
+ claimName: cloudforms-postgresql
+ restartPolicy: Never
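Review bot: The Job mounts the production database claim `cloudforms-postgresql` at `/restore` and runs `restore_db`, but nothing in the manifest tells the operator that the database must be stopped first. Whether the script checks this itself is not visible here. A header comment would help, for example `# Stop the PostgreSQL pod before creating this Job; it mounts the live database volume at /restore.` The claim and secret names are literals (`cloudforms-postgresql`, `cloudforms-backup`, `cloudforms-secrets`) and appear to assume the template was instantiated with its default `NAME` and `DATABASE_SERVICE_NAME`; the same comment should say so.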
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-scc-sysadmin.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-scc-sysadmin.yaml
new file mode 100644
index 000000000..d2ece9298
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-scc-sysadmin.yaml
@@ -0,0 +1,38 @@
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+apiVersion: v1
+defaultAddCapabilities:
+- SYS_ADMIN
+fsGroup:
+ type: RunAsAny
+groups:
+- system:cluster-admins
+kind: SecurityContextConstraints
+metadata:
+ annotations:
+ kubernetes.io/description: cfme-sysadmin provides all features of the anyuid SCC but allows users to have SYS_ADMIN capabilities. This is the required scc for Pods requiring to run with systemd and the message bus.
+ creationTimestamp:
+ name: cfme-sysadmin
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- MKNOD
+- SYS_CHROOT
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+users:
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- secret
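Review bot: `SYS_ADMIN` is listed under `defaultAddCapabilities` while `allowedCapabilities` is empty, so every pod admitted under this SCC receives the capability whether or not it asks for it. With `runAsUser: RunAsAny` that includes containers running as root. Because the SCC is granted to `system:cluster-admins` at `priority: 10`, pods created by cluster admins may be admitted under it in preference to a more restrictive SCC; how it ranks against the cluster's other SCCs should be checked. Prefer `allowedCapabilities: [SYS_ADMIN]` with `defaultAddCapabilities: []`, have the pod that runs systemd request the capability in its own `securityContext`, and grant the SCC only to that pod's service account through `users:` instead of a group. The bare `allowedCapabilities:`, `creationTimestamp:` and `users:` keys parse as null; `[]` states the intent explicitly, and `creationTimestamp` can be dropped.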
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template-ext-db.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template-ext-db.yaml
new file mode 100644
index 000000000..9866c29c3
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template-ext-db.yaml
@@ -0,0 +1,956 @@
+apiVersion: v1
+kind: Template
+labels:
+ template: cloudforms-ext-db
+metadata:
+ name: cloudforms-ext-db
+ annotations:
+ description: CloudForms appliance with persistent storage using a external DB host
+ tags: instant-app,cloudforms,cfme
+ iconClass: icon-rails
+objects:
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-orchestrator
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-anyuid
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-privileged
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-httpd
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${NAME}-secrets"
+ stringData:
+ pg-password: "${DATABASE_PASSWORD}"
+ admin-password: "${APPLICATION_ADMIN_PASSWORD}"
+ database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+ v2-key: "${V2_KEY}"
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ stringData:
+ rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+ secret-key: "${ANSIBLE_SECRET_KEY}"
+ admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances CloudForms pods
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+ name: "${NAME}"
+ spec:
+ clusterIP: None
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ selector:
+ name: "${NAME}"
+- apiVersion: v1
+ kind: Route
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ spec:
+ host: "${APPLICATION_DOMAIN}"
+ port:
+ targetPort: http
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ to:
+ kind: Service
+ name: "${HTTPD_SERVICE_NAME}"
+- apiVersion: apps/v1beta1
+ kind: StatefulSet
+ metadata:
+ name: "${NAME}"
+ annotations:
+ description: Defines how to deploy the CloudForms appliance
+ spec:
+ serviceName: "${NAME}"
+ replicas: "${APPLICATION_REPLICA_COUNT}"
+ template:
+ metadata:
+ labels:
+ name: "${NAME}"
+ name: "${NAME}"
+ spec:
+ containers:
+ - name: cloudforms
+ image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - MIQ Server
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ readinessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 200
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ volumeMounts:
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
+ env:
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_REGION
+ value: "${DATABASE_REGION}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: APPLICATION_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: admin-password
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ resources:
+ requests:
+ memory: "${APPLICATION_MEM_REQ}"
+ cpu: "${APPLICATION_CPU_REQ}"
+ limits:
+ memory: "${APPLICATION_MEM_LIMIT}"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
+ volumeClaimTemplates:
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Headless service for CloudForms backend pods
+ name: "${NAME}-backend"
+ spec:
+ clusterIP: None
+ selector:
+ name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+ kind: StatefulSet
+ metadata:
+ name: "${NAME}-backend"
+ annotations:
+ description: Defines how to deploy the CloudForms appliance
+ spec:
+ serviceName: "${NAME}-backend"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${NAME}-backend"
+ name: "${NAME}-backend"
+ spec:
+ containers:
+ - name: cloudforms
+ image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - MIQ Server
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
+ env:
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: MIQ_SERVER_DEFAULT_ROLES
+ value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+ - name: FRONTEND_SERVICE_NAME
+ value: "${NAME}"
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ resources:
+ requests:
+ memory: "${APPLICATION_MEM_REQ}"
+ cpu: "${APPLICATION_CPU_REQ}"
+ limits:
+ memory: "${APPLICATION_MEM_LIMIT}"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
+ volumeClaimTemplates:
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ annotations:
+ description: Exposes the memcached server
+ spec:
+ ports:
+ - name: memcached
+ port: 11211
+ targetPort: 11211
+ selector:
+ name: "${MEMCACHED_SERVICE_NAME}"
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy memcached
+ spec:
+ strategy:
+ type: Recreate
+ triggers:
+ - type: ConfigChange
+ replicas: 1
+ selector:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ template:
+ metadata:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ labels:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ spec:
+ volumes: []
+ containers:
+ - name: memcached
+ image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+ ports:
+ - containerPort: 11211
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 5
+ tcpSocket:
+ port: 11211
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 30
+ tcpSocket:
+ port: 11211
+ volumeMounts: []
+ env:
+ - name: MEMCACHED_MAX_MEMORY
+ value: "${MEMCACHED_MAX_MEMORY}"
+ - name: MEMCACHED_MAX_CONNECTIONS
+ value: "${MEMCACHED_MAX_CONNECTIONS}"
+ - name: MEMCACHED_SLAB_PAGE_SIZE
+ value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+ resources:
+ requests:
+ memory: "${MEMCACHED_MEM_REQ}"
+ cpu: "${MEMCACHED_CPU_REQ}"
+ limits:
+ memory: "${MEMCACHED_MEM_LIMIT}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${DATABASE_SERVICE_NAME}"
+ annotations:
+ description: Remote database service
+ spec:
+ ports:
+ - name: postgresql
+ port: 5432
+ targetPort: "${{DATABASE_PORT}}"
+ selector: {}
+- apiVersion: v1
+ kind: Endpoints
+ metadata:
+ name: "${DATABASE_SERVICE_NAME}"
+ subsets:
+ - addresses:
+ - ip: "${DATABASE_IP}"
+ ports:
+ - port: "${{DATABASE_PORT}}"
+ name: postgresql
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances Ansible pods
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy the Ansible appliance
+ spec:
+ strategy:
+ type: Recreate
+ serviceName: "${ANSIBLE_SERVICE_NAME}"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ containers:
+ - name: ansible
+ image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+ livenessProbe:
+ tcpSocket:
+ port: 443
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 200
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 443
+ protocol: TCP
+ securityContext:
+ privileged: true
+ env:
+ - name: ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ - name: RABBITMQ_USER_NAME
+ value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+ - name: RABBITMQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: rabbit-password
+ - name: ANSIBLE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: secret-key
+ - name: DATABASE_SERVICE_NAME
+ value: "${DATABASE_SERVICE_NAME}"
+ - name: POSTGRESQL_USER
+ value: "${DATABASE_USER}"
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: pg-password
+ - name: POSTGRESQL_DATABASE
+ value: "${ANSIBLE_DATABASE_NAME}"
+ resources:
+ requests:
+ memory: "${ANSIBLE_MEM_REQ}"
+ cpu: "${ANSIBLE_CPU_REQ}"
+ limits:
+ memory: "${ANSIBLE_MEM_LIMIT}"
+ serviceAccount: cfme-privileged
+ serviceAccountName: cfme-privileged
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ data:
+ application.conf: |
+ # Timeout: The number of seconds before receives and sends time out.
+ Timeout 120
+
+ RewriteEngine On
+ Options SymLinksIfOwnerMatch
+
+ <VirtualHost *:80>
+ KeepAlive on
+ # Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
+ ServerName https://%{REQUEST_HOST}
+
+ ProxyPreserveHost on
+
+ RewriteCond %{REQUEST_URI} ^/ws [NC]
+ RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
+ RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
+
+ # For httpd, some ErrorDocuments must by served by the httpd pod
+ RewriteCond %{REQUEST_URI} !^/proxy_pages
+
+ # For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
+ RewriteCond %{REQUEST_URI} !^/saml2
+ RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
+ ProxyPassReverse / http://${NAME}/
+
+ # Ensures httpd stdout/stderr are seen by docker logs.
+ ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
+ CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
+ </VirtualHost>
+ authentication.conf: |
+ # Load appropriate authentication configuration files
+ #
+ Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
+ configuration-internal-auth: |
+ # Internal authentication
+ #
+ configuration-external-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/http.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-active-directory-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/krb5.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-saml-auth: |
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+ <Location />
+ MellonEnable "info"
+
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
+ MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
+ MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
+
+ MellonVariable "sp-cookie"
+ MellonSecureCookie On
+ MellonCookiePath "/"
+
+ MellonIdP "IDP"
+
+ MellonEndpointPath "/saml2"
+
+ MellonUser username
+ MellonMergeEnvVars On
+
+ MellonSetEnvNoPrefix "REMOTE_USER" username
+ MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
+ MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
+ MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
+ MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
+ MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
+ </Location>
+
+ <Location /saml_login>
+ AuthType "Mellon"
+ MellonEnable "auth"
+ Require valid-user
+ </Location>
+
+ Include "conf.d/external-auth-remote-user-conf"
+ external-auth-load-modules-conf: |
+ LoadModule authnz_pam_module modules/mod_authnz_pam.so
+ LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
+ LoadModule auth_kerb_module modules/mod_auth_kerb.so
+ external-auth-login-form-conf: |
+ <Location /dashboard/external_authenticate>
+ InterceptFormPAMService httpd-auth
+ InterceptFormLogin user_name
+ InterceptFormPassword user_password
+ InterceptFormLoginSkip admin
+ InterceptFormClearRemoteUserForSkipped on
+ </Location>
+ external-auth-application-api-conf: |
+ <LocationMatch ^/api>
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
+
+ AuthType Basic
+ AuthName "External Authentication (httpd) for API"
+ AuthBasicProvider PAM
+
+ AuthPAMService httpd-auth
+ Require valid-user
+ Order Allow,Deny
+ Allow from env=let_admin_in
+ Allow from env=let_api_token_in
+ Allow from env=let_sys_token_in
+ Satisfy Any
+ </LocationMatch>
+ external-auth-lookup-user-details-conf: |
+ <LocationMatch ^/dashboard/external_authenticate$|^/dashboard/kerberos_authenticate$|^/api>
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ LookupUserAttr displayname REMOTE_USER_FULLNAME
+ LookupUserAttr domainname REMOTE_USER_DOMAIN
+
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ LookupDbusTimeout 5000
+ </LocationMatch>
+ external-auth-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ data:
+ auth-type: internal
+ auth-kerberos-realms: undefined
+ auth-configuration.conf: |
+ # External Authentication Configuration File
+ #
+ # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_DBUS_API_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server dbus api
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http-dbus-api
+ port: 8080
+ targetPort: 8080
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy httpd
+ spec:
+ strategy:
+ type: Recreate
+ recreateParams:
+ timeoutSeconds: 1200
+ triggers:
+ - type: ConfigChange
+ replicas: 1
+ selector:
+ name: "${HTTPD_SERVICE_NAME}"
+ template:
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ labels:
+ name: "${HTTPD_SERVICE_NAME}"
+ spec:
+ volumes:
+ - name: httpd-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ - name: httpd-auth-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ containers:
+ - name: httpd
+ image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - httpd
+ initialDelaySeconds: 15
+ timeoutSeconds: 3
+ readinessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 10
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: httpd-config
+ mountPath: "${HTTPD_CONFIG_DIR}"
+ - name: httpd-auth-config
+ mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+ resources:
+ requests:
+ memory: "${HTTPD_MEM_REQ}"
+ cpu: "${HTTPD_CPU_REQ}"
+ limits:
+ memory: "${HTTPD_MEM_LIMIT}"
+ env:
+ - name: HTTPD_AUTH_TYPE
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-type
+ - name: HTTPD_AUTH_KERBEROS_REALMS
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-kerberos-realms
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - "/usr/bin/save-container-environment"
+ serviceAccount: cfme-httpd
+ serviceAccountName: cfme-httpd
+parameters:
+- name: NAME
+ displayName: Name
+ required: true
+ description: The name assigned to all of the frontend objects defined in this template.
+ value: cloudforms
+- name: V2_KEY
+ displayName: CloudForms Encryption Key
+ required: true
+ description: Encryption Key for CloudForms Passwords
+ from: "[a-zA-Z0-9]{43}"
+ generate: expression
+- name: DATABASE_SERVICE_NAME
+ displayName: PostgreSQL Service Name
+ required: true
+ description: The name of the OpenShift Service exposed for the PostgreSQL container.
+ value: postgresql
+- name: DATABASE_USER
+ displayName: PostgreSQL User
+ required: true
+ description: PostgreSQL user that will access the database.
+ value: root
+- name: DATABASE_PASSWORD
+ displayName: PostgreSQL Password
+ required: true
+ description: Password for the PostgreSQL user.
+ from: "[a-zA-Z0-9]{8}"
+ generate: expression
+- name: DATABASE_IP
+ displayName: PostgreSQL Server IP
+ required: true
+ description: PostgreSQL external server IP used to configure service.
+ value: ''
+- name: DATABASE_PORT
+ displayName: PostgreSQL Server Port
+ required: true
+ description: PostgreSQL external server port used to configure service.
+ value: '5432'
+- name: DATABASE_NAME
+ required: true
+ displayName: PostgreSQL Database Name
+ description: Name of the PostgreSQL database accessed.
+ value: vmdb_production
+- name: DATABASE_REGION
+ required: true
+ displayName: Application Database Region
+ description: Database region that will be used for application.
+ value: '0'
+- name: APPLICATION_ADMIN_PASSWORD
+ displayName: Application Admin Password
+ required: true
+ description: Admin password that will be set on the application.
+ value: smartvm
+- name: ANSIBLE_DATABASE_NAME
+ displayName: Ansible PostgreSQL database name
+ required: true
+ description: The database to be used by the Ansible continer
+ value: awx
+- name: MEMCACHED_SERVICE_NAME
+ required: true
+ displayName: Memcached Service Name
+ description: The name of the OpenShift Service exposed for the Memcached container.
+ value: memcached
+- name: MEMCACHED_MAX_MEMORY
+ displayName: Memcached Max Memory
+ description: Memcached maximum memory for memcached object storage in MB.
+ value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+ displayName: Memcached Max Connections
+ description: Memcached maximum number of connections allowed.
+ value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+ displayName: Memcached Slab Page Size
+ description: Memcached size of each slab page.
+ value: 1m
+- name: ANSIBLE_SERVICE_NAME
+ displayName: Ansible Service Name
+ description: The name of the OpenShift Service exposed for the Ansible container.
+ value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+ displayName: Ansible admin User password
+ required: true
+ description: The password for the Ansible container admin user
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: ANSIBLE_SECRET_KEY
+ displayName: Ansible Secret Key
+ required: true
+ description: Encryption key for the Ansible container
+ from: "[a-f0-9]{32}"
+ generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+ displayName: RabbitMQ Username
+ required: true
+ description: Username for the Ansible RabbitMQ Server
+ value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+ displayName: RabbitMQ Server Password
+ required: true
+ description: Password for the Ansible RabbitMQ Server
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: APPLICATION_CPU_REQ
+ displayName: Application Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+ value: 1000m
+- name: MEMCACHED_CPU_REQ
+ displayName: Memcached Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+ value: 200m
+- name: ANSIBLE_CPU_REQ
+ displayName: Ansible Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+ value: 1000m
+- name: APPLICATION_MEM_REQ
+ displayName: Application Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Application container will need.
+ value: 6144Mi
+- name: MEMCACHED_MEM_REQ
+ displayName: Memcached Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Memcached container will need.
+ value: 64Mi
+- name: ANSIBLE_MEM_REQ
+ displayName: Ansible Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Ansible container will need.
+ value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+ displayName: Application Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Application container can consume.
+ value: 16384Mi
+- name: MEMCACHED_MEM_LIMIT
+ displayName: Memcached Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Memcached container can consume.
+ value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+ displayName: Ansible Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Ansible container can consume.
+ value: 8096Mi
+- name: MEMCACHED_IMG_NAME
+ displayName: Memcached Image Name
+ description: This is the Memcached image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-memcached
+- name: MEMCACHED_IMG_TAG
+ displayName: Memcached Image Tag
+ description: This is the Memcached image tag/version requested to deploy.
+ value: latest
+- name: FRONTEND_APPLICATION_IMG_NAME
+ displayName: Frontend Application Image Name
+ description: This is the Frontend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app-ui
+- name: BACKEND_APPLICATION_IMG_NAME
+ displayName: Backend Application Image Name
+ description: This is the Backend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app
+- name: FRONTEND_APPLICATION_IMG_TAG
+ displayName: Front end Application Image Tag
+ description: This is the CloudForms Frontend Application image tag/version requested to deploy.
+ value: latest
+- name: BACKEND_APPLICATION_IMG_TAG
+ displayName: Back end Application Image Tag
+ description: This is the CloudForms Backend Application image tag/version requested to deploy.
+ value: latest
+- name: ANSIBLE_IMG_NAME
+ displayName: Ansible Image Name
+ description: This is the Ansible image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-embedded-ansible
+- name: ANSIBLE_IMG_TAG
+ displayName: Ansible Image Tag
+ description: This is the Ansible image tag/version requested to deploy.
+ value: latest
+- name: APPLICATION_DOMAIN
+ displayName: Application Hostname
+ description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+ value: ''
+- name: APPLICATION_REPLICA_COUNT
+ displayName: Application Replica Count
+ description: This is the number of Application replicas requested to deploy.
+ value: '1'
+- name: APPLICATION_INIT_DELAY
+ displayName: Application Init Delay
+ required: true
+ description: Delay in seconds before we attempt to initialize the application.
+ value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+ displayName: Application Volume Capacity
+ required: true
+ description: Volume space available for application data.
+ value: 5Gi
+- name: HTTPD_SERVICE_NAME
+ required: true
+ displayName: Apache httpd Service Name
+ description: The name of the OpenShift Service exposed for the httpd container.
+ value: httpd
+- name: HTTPD_DBUS_API_SERVICE_NAME
+ required: true
+ displayName: Apache httpd DBus API Service Name
+ description: The name of httpd dbus api service.
+ value: httpd-dbus-api
+- name: HTTPD_IMG_NAME
+ displayName: Apache httpd Image Name
+ description: This is the httpd image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd
+- name: HTTPD_IMG_TAG
+ displayName: Apache httpd Image Tag
+ description: This is the httpd image tag/version requested to deploy.
+ value: latest
+- name: HTTPD_CONFIG_DIR
+ displayName: Apache httpd Configuration Directory
+ description: Directory used to store the Apache configuration files.
+ value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+ displayName: External Authentication Configuration Directory
+ description: Directory used to store the external authentication configuration files.
+ value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+ displayName: Apache httpd Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+ value: 500m
+- name: HTTPD_MEM_REQ
+ displayName: Apache httpd Min RAM Requested
+ required: true
+ description: Minimum amount of memory the httpd container will need.
+ value: 512Mi
+- name: HTTPD_MEM_LIMIT
+ displayName: Apache httpd Max RAM Limit
+ required: true
+ description: Maximum amount of memory the httpd container can consume.
+ value: 8192Mi
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template.yaml
index 3bc6c5813..5c757b6c2 100644
--- a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template.yaml
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template.yaml
@@ -5,17 +5,308 @@ labels:
metadata:
name: cloudforms
annotations:
- description: "CloudForms appliance with persistent storage"
- tags: "instant-app,cloudforms,cfme"
- iconClass: "icon-rails"
+ description: CloudForms appliance with persistent storage
+ tags: instant-app,cloudforms,cfme
+ iconClass: icon-rails
objects:
- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-orchestrator
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-anyuid
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-privileged
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-httpd
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${NAME}-secrets"
+ stringData:
+ pg-password: "${DATABASE_PASSWORD}"
+ admin-password: "${APPLICATION_ADMIN_PASSWORD}"
+ database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+ v2-key: "${V2_KEY}"
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ stringData:
+ rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+ secret-key: "${ANSIBLE_SECRET_KEY}"
+ admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${DATABASE_SERVICE_NAME}-configs"
+ data:
+ 01_miq_overrides.conf: |
+ #------------------------------------------------------------------------------
+ # CONNECTIONS AND AUTHENTICATION
+ #------------------------------------------------------------------------------
+
+ tcp_keepalives_count = 9
+ tcp_keepalives_idle = 3
+ tcp_keepalives_interval = 75
+
+ #------------------------------------------------------------------------------
+ # RESOURCE USAGE (except WAL)
+ #------------------------------------------------------------------------------
+
+ shared_preload_libraries = 'pglogical,repmgr_funcs'
+ max_worker_processes = 10
+
+ #------------------------------------------------------------------------------
+ # WRITE AHEAD LOG
+ #------------------------------------------------------------------------------
+
+ wal_level = 'logical'
+ wal_log_hints = on
+ wal_buffers = 16MB
+ checkpoint_completion_target = 0.9
+
+ #------------------------------------------------------------------------------
+ # REPLICATION
+ #------------------------------------------------------------------------------
+
+ max_wal_senders = 10
+ wal_sender_timeout = 0
+ max_replication_slots = 10
+ hot_standby = on
+
+ #------------------------------------------------------------------------------
+ # ERROR REPORTING AND LOGGING
+ #------------------------------------------------------------------------------
+
+ log_filename = 'postgresql.log'
+ log_rotation_age = 0
+ log_min_duration_statement = 5000
+ log_connections = on
+ log_disconnections = on
+ log_line_prefix = '%t:%r:%c:%u@%d:[%p]:'
+ log_lock_waits = on
+
+ #------------------------------------------------------------------------------
+ # AUTOVACUUM PARAMETERS
+ #------------------------------------------------------------------------------
+
+ log_autovacuum_min_duration = 0
+ autovacuum_naptime = 5min
+ autovacuum_vacuum_threshold = 500
+ autovacuum_analyze_threshold = 500
+ autovacuum_vacuum_scale_factor = 0.05
+
+ #------------------------------------------------------------------------------
+ # LOCK MANAGEMENT
+ #------------------------------------------------------------------------------
+
+ deadlock_timeout = 5s
+
+ #------------------------------------------------------------------------------
+ # VERSION/PLATFORM COMPATIBILITY
+ #------------------------------------------------------------------------------
+
+ escape_string_warning = off
+ standard_conforming_strings = off
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ data:
+ application.conf: |
+ # Timeout: The number of seconds before receives and sends time out.
+ Timeout 120
+
+ RewriteEngine On
+ Options SymLinksIfOwnerMatch
+
+ <VirtualHost *:80>
+ KeepAlive on
+ # Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
+ ServerName https://%{REQUEST_HOST}
+
+ ProxyPreserveHost on
+
+ RewriteCond %{REQUEST_URI} ^/ws [NC]
+ RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
+ RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
+
+ # For httpd, some ErrorDocuments must by served by the httpd pod
+ RewriteCond %{REQUEST_URI} !^/proxy_pages
+
+ # For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
+ RewriteCond %{REQUEST_URI} !^/saml2
+ RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
+ ProxyPassReverse / http://${NAME}/
+
+ # Ensures httpd stdout/stderr are seen by docker logs.
+ ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
+ CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
+ </VirtualHost>
+ authentication.conf: |
+ # Load appropriate authentication configuration files
+ #
+ Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
+ configuration-internal-auth: |
+ # Internal authentication
+ #
+ configuration-external-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/http.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-active-directory-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/krb5.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-saml-auth: |
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+ <Location />
+ MellonEnable "info"
+
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
+ MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
+ MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
+
+ MellonVariable "sp-cookie"
+ MellonSecureCookie On
+ MellonCookiePath "/"
+
+ MellonIdP "IDP"
+
+ MellonEndpointPath "/saml2"
+
+ MellonUser username
+ MellonMergeEnvVars On
+
+ MellonSetEnvNoPrefix "REMOTE_USER" username
+ MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
+ MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
+ MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
+ MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
+ MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
+ </Location>
+
+ <Location /saml_login>
+ AuthType "Mellon"
+ MellonEnable "auth"
+ Require valid-user
+ </Location>
+
+ Include "conf.d/external-auth-remote-user-conf"
+ external-auth-load-modules-conf: |
+ LoadModule authnz_pam_module modules/mod_authnz_pam.so
+ LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
+ LoadModule auth_kerb_module modules/mod_auth_kerb.so
+ external-auth-login-form-conf: |
+ <Location /dashboard/external_authenticate>
+ InterceptFormPAMService httpd-auth
+ InterceptFormLogin user_name
+ InterceptFormPassword user_password
+ InterceptFormLoginSkip admin
+ InterceptFormClearRemoteUserForSkipped on
+ </Location>
+ external-auth-application-api-conf: |
+ <LocationMatch ^/api>
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
+
+ AuthType Basic
+ AuthName "External Authentication (httpd) for API"
+ AuthBasicProvider PAM
+
+ AuthPAMService httpd-auth
+ Require valid-user
+ Order Allow,Deny
+ Allow from env=let_admin_in
+ Allow from env=let_api_token_in
+ Allow from env=let_sys_token_in
+ Satisfy Any
+ </LocationMatch>
+ external-auth-lookup-user-details-conf: |
+ <LocationMatch ^/dashboard/external_authenticate$|^/dashboard/kerberos_authenticate$|^/api>
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ LookupUserAttr displayname REMOTE_USER_FULLNAME
+ LookupUserAttr domainname REMOTE_USER_DOMAIN
+
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ LookupDbusTimeout 5000
+ </LocationMatch>
+ external-auth-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ data:
+ auth-type: internal
+ auth-kerberos-realms: undefined
+ auth-configuration.conf: |
+ # External Authentication Configuration File
+ #
+ # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
kind: Service
metadata:
annotations:
- description: "Exposes and load balances CloudForms pods"
+ description: Exposes and load balances CloudForms pods
service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
- name: ${NAME}
+ name: "${NAME}"
spec:
clusterIP: None
ports:
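Review bot: In `external-auth-remote-user-conf` only `X_REMOTE_USER` is unset before the identity headers are set, and each `RequestHeader set … env=…` line fires only when its variable exists, so a client-supplied `X_REMOTE_USER_GROUPS`, `X_REMOTE_USER_EMAIL` or `X_EXTERNAL_AUTH_ERROR` is forwarded unchanged whenever httpd did not populate that variable. That case looks reachable, because `external-auth-application-api-conf` uses `Satisfy Any` to admit any `/api` request with a non-empty `X-Auth-Token` or `X-MIQ-Token` without PAM authentication. I would unset every header this block later sets, as below. Whether the application honours these headers without `X_REMOTE_USER` is not visible in this diff, and a backend that treats `-` and `_` in header names alike would also need the hyphenated spellings removed. The identical block is added in the previous file section on this page (the template whose hunk starts above this one).

```yaml
external-auth-remote-user-conf: |
  RequestHeader unset X_REMOTE_USER
  RequestHeader unset X_EXTERNAL_AUTH_ERROR
  RequestHeader unset X_REMOTE_USER_EMAIL
  RequestHeader unset X_REMOTE_USER_FIRSTNAME
  RequestHeader unset X_REMOTE_USER_LASTNAME
  RequestHeader unset X_REMOTE_USER_FULLNAME
  RequestHeader unset X_REMOTE_USER_GROUPS
  RequestHeader unset X_REMOTE_USER_DOMAIN

  # … unchanged: the RequestHeader set … env=… lines …
```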
@@ -23,141 +314,97 @@ objects:
port: 80
protocol: TCP
targetPort: 80
- - name: https
- port: 443
- protocol: TCP
- targetPort: 443
selector:
- name: ${NAME}
+ name: "${NAME}"
- apiVersion: v1
kind: Route
metadata:
- name: ${NAME}
+ name: "${HTTPD_SERVICE_NAME}"
spec:
- host: ${APPLICATION_DOMAIN}
+ host: "${APPLICATION_DOMAIN}"
port:
- targetPort: https
+ targetPort: http
tls:
- termination: passthrough
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
to:
kind: Service
- name: ${NAME}
-- apiVersion: v1
- kind: ImageStream
- metadata:
- name: cfme-openshift-app
- annotations:
- description: "Keeps track of changes in the CloudForms app image"
- spec:
- dockerImageRepository: "${APPLICATION_IMG_NAME}"
-- apiVersion: v1
- kind: ImageStream
- metadata:
- name: cfme-openshift-postgresql
- annotations:
- description: "Keeps track of changes in the CloudForms postgresql image"
- spec:
- dockerImageRepository: "${POSTGRESQL_IMG_NAME}"
-- apiVersion: v1
- kind: ImageStream
- metadata:
- name: cfme-openshift-memcached
- annotations:
- description: "Keeps track of changes in the CloudForms memcached image"
- spec:
- dockerImageRepository: "${MEMCACHED_IMG_NAME}"
+ name: "${HTTPD_SERVICE_NAME}"
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: "${NAME}-${DATABASE_SERVICE_NAME}"
spec:
accessModes:
- - ReadWriteOnce
+ - ReadWriteOnce
resources:
requests:
- storage: ${DATABASE_VOLUME_CAPACITY}
-- apiVersion: v1
- kind: PersistentVolumeClaim
- metadata:
- name: "${NAME}-region"
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: ${APPLICATION_REGION_VOLUME_CAPACITY}
+ storage: "${DATABASE_VOLUME_CAPACITY}"
- apiVersion: apps/v1beta1
- kind: "StatefulSet"
+ kind: StatefulSet
metadata:
- name: ${NAME}
+ name: "${NAME}"
annotations:
- description: "Defines how to deploy the CloudForms appliance"
+ description: Defines how to deploy the CloudForms appliance
spec:
serviceName: "${NAME}"
- replicas: 1
+ replicas: "${APPLICATION_REPLICA_COUNT}"
template:
metadata:
labels:
- name: ${NAME}
- name: ${NAME}
+ name: "${NAME}"
+ name: "${NAME}"
spec:
containers:
- name: cloudforms
- image: "${APPLICATION_IMG_NAME}:${APPLICATION_IMG_TAG}"
+ image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
livenessProbe:
- tcpSocket:
- port: 443
+ exec:
+ command:
+ - pidof
+ - MIQ Server
initialDelaySeconds: 480
timeoutSeconds: 3
readinessProbe:
- httpGet:
- path: /
- port: 443
- scheme: HTTPS
+ tcpSocket:
+ port: 80
initialDelaySeconds: 200
timeoutSeconds: 3
ports:
- containerPort: 80
protocol: TCP
- - containerPort: 443
- protocol: TCP
- securityContext:
- privileged: true
volumeMounts:
- -
- name: "${NAME}-server"
- mountPath: "/persistent"
- -
- name: "${NAME}-region"
- mountPath: "/persistent-region"
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
env:
- -
- name: "APPLICATION_INIT_DELAY"
- value: "${APPLICATION_INIT_DELAY}"
- -
- name: "DATABASE_SERVICE_NAME"
- value: "${DATABASE_SERVICE_NAME}"
- -
- name: "DATABASE_REGION"
- value: "${DATABASE_REGION}"
- -
- name: "MEMCACHED_SERVICE_NAME"
- value: "${MEMCACHED_SERVICE_NAME}"
- -
- name: "POSTGRESQL_USER"
- value: "${DATABASE_USER}"
- -
- name: "POSTGRESQL_PASSWORD"
- value: "${DATABASE_PASSWORD}"
- -
- name: "POSTGRESQL_DATABASE"
- value: "${DATABASE_NAME}"
- -
- name: "POSTGRESQL_MAX_CONNECTIONS"
- value: "${POSTGRESQL_MAX_CONNECTIONS}"
- -
- name: "POSTGRESQL_SHARED_BUFFERS"
- value: "${POSTGRESQL_SHARED_BUFFERS}"
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_REGION
+ value: "${DATABASE_REGION}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: APPLICATION_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: admin-password
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
resources:
requests:
memory: "${APPLICATION_MEM_REQ}"
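Review bot: Nothing in this hunk limits who can reach the application pods on port 80 now that TLS ends at the router (`termination: edge`) and the 443 port, HTTPS probe and passthrough route are gone. Every hop behind the router is plain HTTP, including the httpd-to-application proxy that carries the `X_REMOTE_USER*` identity headers. Depending on the cluster's network isolation, a workload that can connect to Service `${NAME}` directly does not pass through httpd at all. I would add a comment on the Route such as `# TLS ends at the router; httpd and ${NAME} speak plain HTTP, so limit ingress to these pods to the router and httpd`, and either ship a NetworkPolicy for the application pods or use `termination: reencrypt` where the cluster supports it. The container spec continues past the end of this hunk.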
@@ -168,59 +415,128 @@ objects:
preStop:
exec:
command:
- - /opt/rh/cfme-container-scripts/sync-pv-data
- volumes:
- -
- name: "${NAME}-region"
- persistentVolumeClaim:
- claimName: ${NAME}-region
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
volumeClaimTemplates:
- - metadata:
- name: "${NAME}-server"
- annotations:
- # Uncomment this if using dynamic volume provisioning.
- # https://docs.openshift.org/latest/install_config/persistent_storage/dynamically_provisioning_pvs.html
- # volume.alpha.kubernetes.io/storage-class: anything
- spec:
- accessModes: [ ReadWriteOnce ]
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Headless service for CloudForms backend pods
+ name: "${NAME}-backend"
+ spec:
+ clusterIP: None
+ selector:
+ name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+ kind: StatefulSet
+ metadata:
+ name: "${NAME}-backend"
+ annotations:
+ description: Defines how to deploy the CloudForms appliance
+ spec:
+ serviceName: "${NAME}-backend"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${NAME}-backend"
+ name: "${NAME}-backend"
+ spec:
+ containers:
+ - name: cloudforms
+ image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - MIQ Server
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
+ env:
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: MIQ_SERVER_DEFAULT_ROLES
+ value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+ - name: FRONTEND_SERVICE_NAME
+ value: "${NAME}"
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
resources:
requests:
- storage: "${APPLICATION_VOLUME_CAPACITY}"
+ memory: "${APPLICATION_MEM_REQ}"
+ cpu: "${APPLICATION_CPU_REQ}"
+ limits:
+ memory: "${APPLICATION_MEM_LIMIT}"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
+ volumeClaimTemplates:
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
- apiVersion: v1
- kind: "Service"
+ kind: Service
metadata:
name: "${MEMCACHED_SERVICE_NAME}"
annotations:
- description: "Exposes the memcached server"
+ description: Exposes the memcached server
spec:
ports:
- -
- name: "memcached"
- port: 11211
- targetPort: 11211
+ - name: memcached
+ port: 11211
+ targetPort: 11211
selector:
name: "${MEMCACHED_SERVICE_NAME}"
- apiVersion: v1
- kind: "DeploymentConfig"
+ kind: DeploymentConfig
metadata:
name: "${MEMCACHED_SERVICE_NAME}"
annotations:
- description: "Defines how to deploy memcached"
+ description: Defines how to deploy memcached
spec:
strategy:
- type: "Recreate"
+ type: Recreate
triggers:
- -
- type: "ImageChange"
- imageChangeParams:
- automatic: true
- containerNames:
- - "memcached"
- from:
- kind: "ImageStreamTag"
- name: "cfme-openshift-memcached:${MEMCACHED_IMG_TAG}"
- -
- type: "ConfigChange"
+ - type: ConfigChange
replicas: 1
selector:
name: "${MEMCACHED_SERVICE_NAME}"
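Review bot: The new `${NAME}-backend` StatefulSet runs its pods under `serviceAccount: cfme-orchestrator`, the same account the frontend pod uses, so every backend replica gets that account's API token mounted. Only the frontend container receives `MY_POD_NAMESPACE` (preceding hunk), which suggests, though this diff does not confirm it, that the frontend is the only pod that needs to talk to the cluster API. If so, give the backend its own service account with no role bindings, or add `automountServiceAccountToken: false` to the backend pod spec. The backend container also defines a `livenessProbe` but no `readinessProbe`. The frontend StatefulSet edited at the top of this hunk starts above it.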
@@ -232,74 +548,58 @@ objects:
spec:
volumes: []
containers:
- -
- name: "memcached"
- image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
- ports:
- -
- containerPort: 11211
- readinessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 5
- tcpSocket:
- port: 11211
- livenessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 30
- tcpSocket:
- port: 11211
- volumeMounts: []
- env:
- -
- name: "MEMCACHED_MAX_MEMORY"
- value: "${MEMCACHED_MAX_MEMORY}"
- -
- name: "MEMCACHED_MAX_CONNECTIONS"
- value: "${MEMCACHED_MAX_CONNECTIONS}"
- -
- name: "MEMCACHED_SLAB_PAGE_SIZE"
- value: "${MEMCACHED_SLAB_PAGE_SIZE}"
- resources:
- requests:
- memory: "${MEMCACHED_MEM_REQ}"
- cpu: "${MEMCACHED_CPU_REQ}"
- limits:
- memory: "${MEMCACHED_MEM_LIMIT}"
+ - name: memcached
+ image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+ ports:
+ - containerPort: 11211
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 5
+ tcpSocket:
+ port: 11211
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 30
+ tcpSocket:
+ port: 11211
+ volumeMounts: []
+ env:
+ - name: MEMCACHED_MAX_MEMORY
+ value: "${MEMCACHED_MAX_MEMORY}"
+ - name: MEMCACHED_MAX_CONNECTIONS
+ value: "${MEMCACHED_MAX_CONNECTIONS}"
+ - name: MEMCACHED_SLAB_PAGE_SIZE
+ value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+ resources:
+ requests:
+ memory: "${MEMCACHED_MEM_REQ}"
+ cpu: "${MEMCACHED_CPU_REQ}"
+ limits:
+ memory: "${MEMCACHED_MEM_LIMIT}"
- apiVersion: v1
- kind: "Service"
+ kind: Service
metadata:
name: "${DATABASE_SERVICE_NAME}"
annotations:
- description: "Exposes the database server"
+ description: Exposes the database server
spec:
ports:
- -
- name: "postgresql"
- port: 5432
- targetPort: 5432
+ - name: postgresql
+ port: 5432
+ targetPort: 5432
selector:
name: "${DATABASE_SERVICE_NAME}"
- apiVersion: v1
- kind: "DeploymentConfig"
+ kind: DeploymentConfig
metadata:
name: "${DATABASE_SERVICE_NAME}"
annotations:
- description: "Defines how to deploy the database"
+ description: Defines how to deploy the database
spec:
strategy:
- type: "Recreate"
+ type: Recreate
triggers:
- -
- type: "ImageChange"
- imageChangeParams:
- automatic: true
- containerNames:
- - "postgresql"
- from:
- kind: "ImageStreamTag"
- name: "cfme-openshift-postgresql:${POSTGRESQL_IMG_TAG}"
- -
- type: "ConfigChange"
+ - type: ConfigChange
replicas: 1
selector:
name: "${DATABASE_SERVICE_NAME}"
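Review bot: Removing the `ImageChange` triggers here (postgresql) and in the previous hunk (memcached) leaves floating-tag image references such as `image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"` as the only thing that selects the image, and the `*_IMG_TAG` parameters defined later in this file default to `latest`. With a floating tag, a pod restart can bring in a different image build than the one that was originally deployed and reviewed, with no change visible in the DeploymentConfig. Defaulting the tag parameters to a fixed release tag, or referencing the images by digest, keeps what runs reproducible: `value: <release-tag>` (placeholder) instead of `value: latest`. Both DeploymentConfigs touched here continue outside this hunk.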
@@ -310,236 +610,524 @@ objects:
name: "${DATABASE_SERVICE_NAME}"
spec:
volumes:
- -
- name: "cfme-pgdb-volume"
- persistentVolumeClaim:
- claimName: "${NAME}-${DATABASE_SERVICE_NAME}"
+ - name: cfme-pgdb-volume
+ persistentVolumeClaim:
+ claimName: "${NAME}-${DATABASE_SERVICE_NAME}"
+ - name: cfme-pg-configs
+ configMap:
+ name: "${DATABASE_SERVICE_NAME}-configs"
containers:
- -
- name: "postgresql"
- image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"
- ports:
- -
- containerPort: 5432
- readinessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 15
+ - name: postgresql
+ image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"
+ ports:
+ - containerPort: 5432
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 15
+ exec:
+ command:
+ - "/bin/sh"
+ - "-i"
+ - "-c"
+ - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 60
+ tcpSocket:
+ port: 5432
+ volumeMounts:
+ - name: cfme-pgdb-volume
+ mountPath: "/var/lib/pgsql/data"
+ - name: cfme-pg-configs
+ mountPath: "${POSTGRESQL_CONFIG_DIR}"
+ env:
+ - name: POSTGRESQL_USER
+ value: "${DATABASE_USER}"
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: pg-password
+ - name: POSTGRESQL_DATABASE
+ value: "${DATABASE_NAME}"
+ - name: POSTGRESQL_MAX_CONNECTIONS
+ value: "${POSTGRESQL_MAX_CONNECTIONS}"
+ - name: POSTGRESQL_SHARED_BUFFERS
+ value: "${POSTGRESQL_SHARED_BUFFERS}"
+ - name: POSTGRESQL_CONFIG_DIR
+ value: "${POSTGRESQL_CONFIG_DIR}"
+ resources:
+ requests:
+ memory: "${POSTGRESQL_MEM_REQ}"
+ cpu: "${POSTGRESQL_CPU_REQ}"
+ limits:
+ memory: "${POSTGRESQL_MEM_LIMIT}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances Ansible pods
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy the Ansible appliance
+ spec:
+ strategy:
+ type: Recreate
+ serviceName: "${ANSIBLE_SERVICE_NAME}"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ containers:
+ - name: ansible
+ image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+ livenessProbe:
+ tcpSocket:
+ port: 443
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 200
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 443
+ protocol: TCP
+ securityContext:
+ privileged: true
+ env:
+ - name: ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ - name: RABBITMQ_USER_NAME
+ value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+ - name: RABBITMQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: rabbit-password
+ - name: ANSIBLE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: secret-key
+ - name: DATABASE_SERVICE_NAME
+ value: "${DATABASE_SERVICE_NAME}"
+ - name: POSTGRESQL_USER
+ value: "${DATABASE_USER}"
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: pg-password
+ - name: POSTGRESQL_DATABASE
+ value: "${ANSIBLE_DATABASE_NAME}"
+ resources:
+ requests:
+ memory: "${ANSIBLE_MEM_REQ}"
+ cpu: "${ANSIBLE_CPU_REQ}"
+ limits:
+ memory: "${ANSIBLE_MEM_LIMIT}"
+ serviceAccount: cfme-privileged
+ serviceAccountName: cfme-privileged
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_DBUS_API_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server dbus api
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http-dbus-api
+ port: 8080
+ targetPort: 8080
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy httpd
+ spec:
+ strategy:
+ type: Recreate
+ recreateParams:
+ timeoutSeconds: 1200
+ triggers:
+ - type: ConfigChange
+ replicas: 1
+ selector:
+ name: "${HTTPD_SERVICE_NAME}"
+ template:
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ labels:
+ name: "${HTTPD_SERVICE_NAME}"
+ spec:
+ volumes:
+ - name: httpd-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ - name: httpd-auth-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ containers:
+ - name: httpd
+ image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - httpd
+ initialDelaySeconds: 15
+ timeoutSeconds: 3
+ readinessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 10
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: httpd-config
+ mountPath: "${HTTPD_CONFIG_DIR}"
+ - name: httpd-auth-config
+ mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+ resources:
+ requests:
+ memory: "${HTTPD_MEM_REQ}"
+ cpu: "${HTTPD_CPU_REQ}"
+ limits:
+ memory: "${HTTPD_MEM_LIMIT}"
+ env:
+ - name: HTTPD_AUTH_TYPE
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-type
+ - name: HTTPD_AUTH_KERBEROS_REALMS
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-kerberos-realms
+ lifecycle:
+ postStart:
exec:
command:
- - "/bin/sh"
- - "-i"
- - "-c"
- - "psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'"
- livenessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 60
- tcpSocket:
- port: 5432
- volumeMounts:
- -
- name: "cfme-pgdb-volume"
- mountPath: "/var/lib/pgsql/data"
- env:
- -
- name: "POSTGRESQL_USER"
- value: "${DATABASE_USER}"
- -
- name: "POSTGRESQL_PASSWORD"
- value: "${DATABASE_PASSWORD}"
- -
- name: "POSTGRESQL_DATABASE"
- value: "${DATABASE_NAME}"
- -
- name: "POSTGRESQL_MAX_CONNECTIONS"
- value: "${POSTGRESQL_MAX_CONNECTIONS}"
- -
- name: "POSTGRESQL_SHARED_BUFFERS"
- value: "${POSTGRESQL_SHARED_BUFFERS}"
- resources:
- requests:
- memory: "${POSTGRESQL_MEM_REQ}"
- cpu: "${POSTGRESQL_CPU_REQ}"
- limits:
- memory: "${POSTGRESQL_MEM_LIMIT}"
-
+ - "/usr/bin/save-container-environment"
+ serviceAccount: cfme-httpd
+ serviceAccountName: cfme-httpd
parameters:
- -
- name: "NAME"
- displayName: Name
- required: true
- description: "The name assigned to all of the frontend objects defined in this template."
- value: cloudforms
- -
- name: "DATABASE_SERVICE_NAME"
- displayName: "PostgreSQL Service Name"
- required: true
- description: "The name of the OpenShift Service exposed for the PostgreSQL container."
- value: "postgresql"
- -
- name: "DATABASE_USER"
- displayName: "PostgreSQL User"
- required: true
- description: "PostgreSQL user that will access the database."
- value: "root"
- -
- name: "DATABASE_PASSWORD"
- displayName: "PostgreSQL Password"
- required: true
- description: "Password for the PostgreSQL user."
- value: "smartvm"
- -
- name: "DATABASE_NAME"
- required: true
- displayName: "PostgreSQL Database Name"
- description: "Name of the PostgreSQL database accessed."
- value: "vmdb_production"
- -
- name: "DATABASE_REGION"
- required: true
- displayName: "Application Database Region"
- description: "Database region that will be used for application."
- value: "0"
- -
- name: "MEMCACHED_SERVICE_NAME"
- required: true
- displayName: "Memcached Service Name"
- description: "The name of the OpenShift Service exposed for the Memcached container."
- value: "memcached"
- -
- name: "MEMCACHED_MAX_MEMORY"
- displayName: "Memcached Max Memory"
- description: "Memcached maximum memory for memcached object storage in MB."
- value: "64"
- -
- name: "MEMCACHED_MAX_CONNECTIONS"
- displayName: "Memcached Max Connections"
- description: "Memcached maximum number of connections allowed."
- value: "1024"
- -
- name: "MEMCACHED_SLAB_PAGE_SIZE"
- displayName: "Memcached Slab Page Size"
- description: "Memcached size of each slab page."
- value: "1m"
- -
- name: "POSTGRESQL_MAX_CONNECTIONS"
- displayName: "PostgreSQL Max Connections"
- description: "PostgreSQL maximum number of database connections allowed."
- value: "100"
- -
- name: "POSTGRESQL_SHARED_BUFFERS"
- displayName: "PostgreSQL Shared Buffer Amount"
- description: "Amount of memory dedicated for PostgreSQL shared memory buffers."
- value: "256MB"
- -
- name: "APPLICATION_CPU_REQ"
- displayName: "Application Min CPU Requested"
- required: true
- description: "Minimum amount of CPU time the Application container will need (expressed in millicores)."
- value: "1000m"
- -
- name: "POSTGRESQL_CPU_REQ"
- displayName: "PostgreSQL Min CPU Requested"
- required: true
- description: "Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores)."
- value: "500m"
- -
- name: "MEMCACHED_CPU_REQ"
- displayName: "Memcached Min CPU Requested"
- required: true
- description: "Minimum amount of CPU time the Memcached container will need (expressed in millicores)."
- value: "200m"
- -
- name: "APPLICATION_MEM_REQ"
- displayName: "Application Min RAM Requested"
- required: true
- description: "Minimum amount of memory the Application container will need."
- value: "6144Mi"
- -
- name: "POSTGRESQL_MEM_REQ"
- displayName: "PostgreSQL Min RAM Requested"
- required: true
- description: "Minimum amount of memory the PostgreSQL container will need."
- value: "1024Mi"
- -
- name: "MEMCACHED_MEM_REQ"
- displayName: "Memcached Min RAM Requested"
- required: true
- description: "Minimum amount of memory the Memcached container will need."
- value: "64Mi"
- -
- name: "APPLICATION_MEM_LIMIT"
- displayName: "Application Max RAM Limit"
- required: true
- description: "Maximum amount of memory the Application container can consume."
- value: "16384Mi"
- -
- name: "POSTGRESQL_MEM_LIMIT"
- displayName: "PostgreSQL Max RAM Limit"
- required: true
- description: "Maximum amount of memory the PostgreSQL container can consume."
- value: "8192Mi"
- -
- name: "MEMCACHED_MEM_LIMIT"
- displayName: "Memcached Max RAM Limit"
- required: true
- description: "Maximum amount of memory the Memcached container can consume."
- value: "256Mi"
- -
- name: "POSTGRESQL_IMG_NAME"
- displayName: "PostgreSQL Image Name"
- description: "This is the PostgreSQL image name requested to deploy."
- value: "registry.access.redhat.com/cloudforms45/cfme-openshift-postgresql"
- -
- name: "POSTGRESQL_IMG_TAG"
- displayName: "PostgreSQL Image Tag"
- description: "This is the PostgreSQL image tag/version requested to deploy."
- value: "latest"
- -
- name: "MEMCACHED_IMG_NAME"
- displayName: "Memcached Image Name"
- description: "This is the Memcached image name requested to deploy."
- value: "registry.access.redhat.com/cloudforms45/cfme-openshift-memcached"
- -
- name: "MEMCACHED_IMG_TAG"
- displayName: "Memcached Image Tag"
- description: "This is the Memcached image tag/version requested to deploy."
- value: "latest"
- -
- name: "APPLICATION_IMG_NAME"
- displayName: "Application Image Name"
- description: "This is the Application image name requested to deploy."
- value: "registry.access.redhat.com/cloudforms45/cfme-openshift-app"
- -
- name: "APPLICATION_IMG_TAG"
- displayName: "Application Image Tag"
- description: "This is the Application image tag/version requested to deploy."
- value: "latest"
- -
- name: "APPLICATION_DOMAIN"
- displayName: "Application Hostname"
- description: "The exposed hostname that will route to the application service, if left blank a value will be defaulted."
- value: ""
- -
- name: "APPLICATION_INIT_DELAY"
- displayName: "Application Init Delay"
- required: true
- description: "Delay in seconds before we attempt to initialize the application."
- value: "15"
- -
- name: "APPLICATION_VOLUME_CAPACITY"
- displayName: "Application Volume Capacity"
- required: true
- description: "Volume space available for application data."
- value: "5Gi"
- -
- name: "APPLICATION_REGION_VOLUME_CAPACITY"
- displayName: "Application Region Volume Capacity"
- required: true
- description: "Volume space available for region application data."
- value: "5Gi"
- -
- name: "DATABASE_VOLUME_CAPACITY"
- displayName: "Database Volume Capacity"
- required: true
- description: "Volume space available for database."
- value: "15Gi"
+- name: NAME
+ displayName: Name
+ required: true
+ description: The name assigned to all of the frontend objects defined in this template.
+ value: cloudforms
+- name: V2_KEY
+ displayName: CloudForms Encryption Key
+ required: true
+ description: Encryption Key for CloudForms Passwords
+ from: "[a-zA-Z0-9]{43}"
+ generate: expression
+- name: DATABASE_SERVICE_NAME
+ displayName: PostgreSQL Service Name
+ required: true
+ description: The name of the OpenShift Service exposed for the PostgreSQL container.
+ value: postgresql
+- name: DATABASE_USER
+ displayName: PostgreSQL User
+ required: true
+ description: PostgreSQL user that will access the database.
+ value: root
+- name: DATABASE_PASSWORD
+ displayName: PostgreSQL Password
+ required: true
+ description: Password for the PostgreSQL user.
+ from: "[a-zA-Z0-9]{8}"
+ generate: expression
+- name: DATABASE_NAME
+ required: true
+ displayName: PostgreSQL Database Name
+ description: Name of the PostgreSQL database accessed.
+ value: vmdb_production
+- name: DATABASE_REGION
+ required: true
+ displayName: Application Database Region
+ description: Database region that will be used for application.
+ value: '0'
+- name: APPLICATION_ADMIN_PASSWORD
+ displayName: Application Admin Password
+ required: true
+ description: Admin password that will be set on the application.
+ value: smartvm
+- name: ANSIBLE_DATABASE_NAME
+ displayName: Ansible PostgreSQL database name
+ required: true
+ description: The database to be used by the Ansible continer
+ value: awx
+- name: MEMCACHED_SERVICE_NAME
+ required: true
+ displayName: Memcached Service Name
+ description: The name of the OpenShift Service exposed for the Memcached container.
+ value: memcached
+- name: MEMCACHED_MAX_MEMORY
+ displayName: Memcached Max Memory
+ description: Memcached maximum memory for memcached object storage in MB.
+ value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+ displayName: Memcached Max Connections
+ description: Memcached maximum number of connections allowed.
+ value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+ displayName: Memcached Slab Page Size
+ description: Memcached size of each slab page.
+ value: 1m
+- name: POSTGRESQL_CONFIG_DIR
+ displayName: PostgreSQL Configuration Overrides
+ description: Directory used to store PostgreSQL configuration overrides.
+ value: "/var/lib/pgsql/conf.d"
+- name: POSTGRESQL_MAX_CONNECTIONS
+ displayName: PostgreSQL Max Connections
+ description: PostgreSQL maximum number of database connections allowed.
+ value: '1000'
+- name: POSTGRESQL_SHARED_BUFFERS
+ displayName: PostgreSQL Shared Buffer Amount
+ description: Amount of memory dedicated for PostgreSQL shared memory buffers.
+ value: 1GB
+- name: ANSIBLE_SERVICE_NAME
+ displayName: Ansible Service Name
+ description: The name of the OpenShift Service exposed for the Ansible container.
+ value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+ displayName: Ansible admin User password
+ required: true
+ description: The password for the Ansible container admin user
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: ANSIBLE_SECRET_KEY
+ displayName: Ansible Secret Key
+ required: true
+ description: Encryption key for the Ansible container
+ from: "[a-f0-9]{32}"
+ generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+ displayName: RabbitMQ Username
+ required: true
+ description: Username for the Ansible RabbitMQ Server
+ value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+ displayName: RabbitMQ Server Password
+ required: true
+ description: Password for the Ansible RabbitMQ Server
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: APPLICATION_CPU_REQ
+ displayName: Application Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+ value: 1000m
+- name: POSTGRESQL_CPU_REQ
+ displayName: PostgreSQL Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores).
+ value: 500m
+- name: MEMCACHED_CPU_REQ
+ displayName: Memcached Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+ value: 200m
+- name: ANSIBLE_CPU_REQ
+ displayName: Ansible Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+ value: 1000m
+- name: APPLICATION_MEM_REQ
+ displayName: Application Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Application container will need.
+ value: 6144Mi
+- name: POSTGRESQL_MEM_REQ
+ displayName: PostgreSQL Min RAM Requested
+ required: true
+ description: Minimum amount of memory the PostgreSQL container will need.
+ value: 4Gi
+- name: MEMCACHED_MEM_REQ
+ displayName: Memcached Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Memcached container will need.
+ value: 64Mi
+- name: ANSIBLE_MEM_REQ
+ displayName: Ansible Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Ansible container will need.
+ value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+ displayName: Application Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Application container can consume.
+ value: 16384Mi
+- name: POSTGRESQL_MEM_LIMIT
+ displayName: PostgreSQL Max RAM Limit
+ required: true
+ description: Maximum amount of memory the PostgreSQL container can consume.
+ value: 8Gi
+- name: MEMCACHED_MEM_LIMIT
+ displayName: Memcached Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Memcached container can consume.
+ value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+ displayName: Ansible Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Ansible container can consume.
+ value: 8096Mi
+- name: POSTGRESQL_IMG_NAME
+ displayName: PostgreSQL Image Name
+ description: This is the PostgreSQL image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql
+- name: POSTGRESQL_IMG_TAG
+ displayName: PostgreSQL Image Tag
+ description: This is the PostgreSQL image tag/version requested to deploy.
+ value: latest
+- name: MEMCACHED_IMG_NAME
+ displayName: Memcached Image Name
+ description: This is the Memcached image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-memcached
+- name: MEMCACHED_IMG_TAG
+ displayName: Memcached Image Tag
+ description: This is the Memcached image tag/version requested to deploy.
+ value: latest
+- name: FRONTEND_APPLICATION_IMG_NAME
+ displayName: Frontend Application Image Name
+ description: This is the Frontend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app-ui
+- name: BACKEND_APPLICATION_IMG_NAME
+ displayName: Backend Application Image Name
+ description: This is the Backend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app
+- name: FRONTEND_APPLICATION_IMG_TAG
+ displayName: Front end Application Image Tag
+ description: This is the CloudForms Frontend Application image tag/version requested to deploy.
+ value: latest
+- name: BACKEND_APPLICATION_IMG_TAG
+ displayName: Back end Application Image Tag
+ description: This is the CloudForms Backend Application image tag/version requested to deploy.
+ value: latest
+- name: ANSIBLE_IMG_NAME
+ displayName: Ansible Image Name
+ description: This is the Ansible image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-embedded-ansible
+- name: ANSIBLE_IMG_TAG
+ displayName: Ansible Image Tag
+ description: This is the Ansible image tag/version requested to deploy.
+ value: latest
+- name: APPLICATION_DOMAIN
+ displayName: Application Hostname
+ description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+ value: ''
+- name: APPLICATION_REPLICA_COUNT
+ displayName: Application Replica Count
+ description: This is the number of Application replicas requested to deploy.
+ value: '1'
+- name: APPLICATION_INIT_DELAY
+ displayName: Application Init Delay
+ required: true
+ description: Delay in seconds before we attempt to initialize the application.
+ value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+ displayName: Application Volume Capacity
+ required: true
+ description: Volume space available for application data.
+ value: 5Gi
+- name: DATABASE_VOLUME_CAPACITY
+ displayName: Database Volume Capacity
+ required: true
+ description: Volume space available for database.
+ value: 15Gi
+- name: HTTPD_SERVICE_NAME
+ required: true
+ displayName: Apache httpd Service Name
+ description: The name of the OpenShift Service exposed for the httpd container.
+ value: httpd
+- name: HTTPD_DBUS_API_SERVICE_NAME
+ required: true
+ displayName: Apache httpd DBus API Service Name
+ description: The name of httpd dbus api service.
+ value: httpd-dbus-api
+- name: HTTPD_IMG_NAME
+ displayName: Apache httpd Image Name
+ description: This is the httpd image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd
+- name: HTTPD_IMG_TAG
+ displayName: Apache httpd Image Tag
+ description: This is the httpd image tag/version requested to deploy.
+ value: latest
+- name: HTTPD_CONFIG_DIR
+ displayName: Apache Configuration Directory
+ description: Directory used to store the Apache configuration files.
+ value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+ displayName: External Authentication Configuration Directory
+ description: Directory used to store the external authentication configuration files.
+ value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+ displayName: Apache httpd Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+ value: 500m
+- name: HTTPD_MEM_REQ
+ displayName: Apache httpd Min RAM Requested
+ required: true
+ description: Minimum amount of memory the httpd container will need.
+ value: 512Mi
+- name: HTTPD_MEM_LIMIT
+ displayName: Apache httpd Max RAM Limit
+ required: true
+ description: Maximum amount of memory the httpd container can consume.
+ value: 8192Mi
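Review bot: `APPLICATION_ADMIN_PASSWORD` is added with the fixed default `value: smartvm`, so every instantiation that accepts the defaults gets the same admin password, while the other new secrets in this parameter list use `generate: expression`. Replace the default with `from: "[a-zA-Z0-9]{32}"` and `generate: expression`, as `ANSIBLE_ADMIN_PASSWORD` does. `DATABASE_PASSWORD` is generated from `[a-zA-Z0-9]{8}`; using the same 32-character pattern would bring it in line with the other generated secrets. Separately, the new `ansible` container sets `securityContext.privileged: true` under the `cfme-privileged` service account; if the image only needs specific capabilities, listing those is a narrower grant, and otherwise a comment should state why full privilege is required.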
diff --git a/roles/openshift_examples/files/examples/v3.9/db-templates/mariadb-ephemeral-template.json b/roles/openshift_examples/files/examples/v3.9/db-templates/mariadb-ephemeral-template.json
index 5e7585eeb..1772dbbcf 100644
--- a/roles/openshift_examples/files/examples/v3.9/db-templates/mariadb-ephemeral-template.json
+++ b/roles/openshift_examples/files/examples/v3.9/db-templates/mariadb-ephemeral-template.json
@@ -5,16 +5,16 @@
"name": "mariadb-ephemeral",
"annotations": {
"openshift.io/display-name": "MariaDB (Ephemeral)",
- "description": "MariaDB database service, without persistent storage. For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/blob/master/10.1/README.md.\n\nWARNING: Any data stored will be lost upon pod destruction. Only use this template for testing",
+ "description": "MariaDB database service, without persistent storage. For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/blob/master/10.2/root/usr/share/container-scripts/mysql/README.md.\n\nWARNING: Any data stored will be lost upon pod destruction. Only use this template for testing",
"iconClass": "icon-mariadb",
"tags": "database,mariadb",
"openshift.io/long-description": "This template provides a standalone MariaDB server with a database created. The database is not stored on persistent storage, so any restart of the service will result in all data being lost. The database name, username, and password are chosen via parameters when provisioning this service.",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "openshift.io/documentation-url": "https://github.com/sclorg/mariadb-container/blob/master/10.1/README.md",
+ "openshift.io/documentation-url": "https://github.com/sclorg/mariadb-container/blob/master/10.2/root/usr/share/container-scripts/mysql/README.md",
"openshift.io/support-url": "https://access.redhat.com"
}
},
- "message": "The following service(s) have been created in your project: ${DATABASE_SERVICE_NAME}.\n\n Username: ${MYSQL_USER}\n Password: ${MYSQL_PASSWORD}\n Database Name: ${MYSQL_DATABASE}\n Connection URL: mysql://${DATABASE_SERVICE_NAME}:3306/\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/blob/master/10.1/README.md.",
+ "message": "The following service(s) have been created in your project: ${DATABASE_SERVICE_NAME}.\n\n Username: ${MYSQL_USER}\n Password: ${MYSQL_PASSWORD}\n Database Name: ${MYSQL_DATABASE}\n Connection URL: mysql://${DATABASE_SERVICE_NAME}:3306/\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/blob/master/10.2/root/usr/share/container-scripts/mysql/README.md.",
"labels": {
"template": "mariadb-persistent-template"
},
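Review bot: The `labels.template` value in the context lines at the end of this hunk is `mariadb-persistent-template`, although this file is the ephemeral template (`"name": "mariadb-ephemeral"`). Objects created from either template therefore carry the same label, and a label-based selection or cleanup of one would also match the other. The commit edits the neighbouring lines without touching it; `"template": "mariadb-ephemeral-template"` would match the file. The template object continues outside this hunk.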
@@ -82,7 +82,7 @@
],
"from": {
"kind": "ImageStreamTag",
- "name": "mariadb:10.1",
+ "name": "mariadb:${MARIADB_VERSION}",
"namespace": "${NAMESPACE}"
}
}
@@ -242,6 +242,13 @@
"description": "Name of the MariaDB database accessed.",
"value": "sampledb",
"required": true
+ },
+ {
+ "name": "MARIADB_VERSION",
+ "displayName": "Version of MariaDB Image",
+ "description": "Version of MariaDB image to be used (10.0, 10.1, 10.2 or latest).",
+ "value": "10.2",
+ "required": true
}
]
}
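Review bot: The description of the new `MARIADB_VERSION` parameter offers `10.0`, but the centos7 mariadb image stream hunks later in this commit show only the `latest`, `10.1` and `10.2` tags, and the value is substituted unchecked into `mariadb:${MARIADB_VERSION}` in the `@@ -82,7 +82,7 @@` hunk. If no `10.0` tag exists in the target namespace (the rhel7 stream is not visible here), the image trigger would presumably never resolve and the deployment would not roll out. Unless that tag is confirmed, the description should list only values that resolve, e.g. `"description": "Version of MariaDB image to be used (10.1, 10.2 or latest)."`. The same parameter is added to the persistent template in its `@@ -261,6 +261,13 @@` hunk, where choosing `latest` also ties stored data to whatever major version that tag points at.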
diff --git a/roles/openshift_examples/files/examples/v3.9/db-templates/mariadb-persistent-template.json b/roles/openshift_examples/files/examples/v3.9/db-templates/mariadb-persistent-template.json
index 92be8f42e..8424ecbc8 100644
--- a/roles/openshift_examples/files/examples/v3.9/db-templates/mariadb-persistent-template.json
+++ b/roles/openshift_examples/files/examples/v3.9/db-templates/mariadb-persistent-template.json
@@ -5,16 +5,16 @@
"name": "mariadb-persistent",
"annotations": {
"openshift.io/display-name": "MariaDB",
- "description": "MariaDB database service, with persistent storage. For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/blob/master/10.1/README.md.\n\nNOTE: Scaling to more than one replica is not supported. You must have persistent volumes available in your cluster to use this template.",
+ "description": "MariaDB database service, with persistent storage. For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/blob/master/10.2/root/usr/share/container-scripts/mysql/README.md.\n\nNOTE: Scaling to more than one replica is not supported. You must have persistent volumes available in your cluster to use this template.",
"iconClass": "icon-mariadb",
"tags": "database,mariadb",
"openshift.io/long-description": "This template provides a standalone MariaDB server with a database created. The database is stored on persistent storage. The database name, username, and password are chosen via parameters when provisioning this service.",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "openshift.io/documentation-url": "https://github.com/sclorg/mariadb-container/blob/master/10.1/README.md",
+ "openshift.io/documentation-url": "https://github.com/sclorg/mariadb-container/blob/master/10.2/root/usr/share/container-scripts/mysql/README.md",
"openshift.io/support-url": "https://access.redhat.com"
}
},
- "message": "The following service(s) have been created in your project: ${DATABASE_SERVICE_NAME}.\n\n Username: ${MYSQL_USER}\n Password: ${MYSQL_PASSWORD}\n Database Name: ${MYSQL_DATABASE}\n Connection URL: mysql://${DATABASE_SERVICE_NAME}:3306/\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/blob/master/10.1/README.md.",
+ "message": "The following service(s) have been created in your project: ${DATABASE_SERVICE_NAME}.\n\n Username: ${MYSQL_USER}\n Password: ${MYSQL_PASSWORD}\n Database Name: ${MYSQL_DATABASE}\n Connection URL: mysql://${DATABASE_SERVICE_NAME}:3306/\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/blob/master/10.2/root/usr/share/container-scripts/mysql/README.md.",
"labels": {
"template": "mariadb-persistent-template"
},
@@ -99,7 +99,7 @@
],
"from": {
"kind": "ImageStreamTag",
- "name": "mariadb:10.1",
+ "name": "mariadb:${MARIADB_VERSION}",
"namespace": "${NAMESPACE}"
}
}
@@ -261,6 +261,13 @@
"required": true
},
{
+ "name": "MARIADB_VERSION",
+ "displayName": "Version of MariaDB Image",
+ "description": "Version of MariaDB image to be used (10.0, 10.1, 10.2 or latest).",
+ "value": "10.2",
+ "required": true
+ },
+ {
"name": "VOLUME_CAPACITY",
"displayName": "Volume Capacity",
"description": "Volume space available for data, e.g. 512Mi, 2Gi.",
diff --git a/roles/openshift_examples/files/examples/v3.9/db-templates/mysql-ephemeral-template.json b/roles/openshift_examples/files/examples/v3.9/db-templates/mysql-ephemeral-template.json
index c0946416d..bed940a37 100644
--- a/roles/openshift_examples/files/examples/v3.9/db-templates/mysql-ephemeral-template.json
+++ b/roles/openshift_examples/files/examples/v3.9/db-templates/mysql-ephemeral-template.json
@@ -5,7 +5,7 @@
"name": "mysql-ephemeral",
"annotations": {
"openshift.io/display-name": "MySQL (Ephemeral)",
- "description": "MySQL database service, without persistent storage. For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mysql-container/blob/master/5.7/README.md.\n\nWARNING: Any data stored will be lost upon pod destruction. Only use this template for testing",
+ "description": "MySQL database service, without persistent storage. For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mysql-container/blob/master/5.7/root/usr/share/container-scripts/mysql/README.md.\n\nWARNING: Any data stored will be lost upon pod destruction. Only use this template for testing",
"iconClass": "icon-mysql-database",
"tags": "database,mysql",
"openshift.io/long-description": "This template provides a standalone MySQL server with a database created. The database is not stored on persistent storage, so any restart of the service will result in all data being lost. The database name, username, and password are chosen via parameters when provisioning this service.",
@@ -14,7 +14,7 @@
"openshift.io/support-url": "https://access.redhat.com"
}
},
- "message": "The following service(s) have been created in your project: ${DATABASE_SERVICE_NAME}.\n\n Username: ${MYSQL_USER}\n Password: ${MYSQL_PASSWORD}\n Database Name: ${MYSQL_DATABASE}\n Connection URL: mysql://${DATABASE_SERVICE_NAME}:3306/\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mysql-container/blob/master/5.7/README.md.",
+ "message": "The following service(s) have been created in your project: ${DATABASE_SERVICE_NAME}.\n\n Username: ${MYSQL_USER}\n Password: ${MYSQL_PASSWORD}\n Database Name: ${MYSQL_DATABASE}\n Connection URL: mysql://${DATABASE_SERVICE_NAME}:3306/\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mysql-container/blob/master/5.7/root/usr/share/container-scripts/mysql/README.md.",
"labels": {
"template": "mysql-ephemeral-template"
},
diff --git a/roles/openshift_examples/files/examples/v3.9/db-templates/mysql-persistent-template.json b/roles/openshift_examples/files/examples/v3.9/db-templates/mysql-persistent-template.json
index 6ac80f3a0..85adde65d 100644
--- a/roles/openshift_examples/files/examples/v3.9/db-templates/mysql-persistent-template.json
+++ b/roles/openshift_examples/files/examples/v3.9/db-templates/mysql-persistent-template.json
@@ -5,7 +5,7 @@
"name": "mysql-persistent",
"annotations": {
"openshift.io/display-name": "MySQL",
- "description": "MySQL database service, with persistent storage. For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mysql-container/blob/master/5.7/README.md.\n\nNOTE: Scaling to more than one replica is not supported. You must have persistent volumes available in your cluster to use this template.",
+ "description": "MySQL database service, with persistent storage. For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mysql-container/blob/master/5.7/root/usr/share/container-scripts/mysql/README.md.\n\nNOTE: Scaling to more than one replica is not supported. You must have persistent volumes available in your cluster to use this template.",
"iconClass": "icon-mysql-database",
"tags": "database,mysql",
"openshift.io/long-description": "This template provides a standalone MySQL server with a database created. The database is stored on persistent storage. The database name, username, and password are chosen via parameters when provisioning this service.",
@@ -14,7 +14,7 @@
"openshift.io/support-url": "https://access.redhat.com"
}
},
- "message": "The following service(s) have been created in your project: ${DATABASE_SERVICE_NAME}.\n\n Username: ${MYSQL_USER}\n Password: ${MYSQL_PASSWORD}\n Database Name: ${MYSQL_DATABASE}\n Connection URL: mysql://${DATABASE_SERVICE_NAME}:3306/\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mysql-container/blob/master/5.7/README.md.",
+ "message": "The following service(s) have been created in your project: ${DATABASE_SERVICE_NAME}.\n\n Username: ${MYSQL_USER}\n Password: ${MYSQL_PASSWORD}\n Database Name: ${MYSQL_DATABASE}\n Connection URL: mysql://${DATABASE_SERVICE_NAME}:3306/\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/sclorg/mysql-container/blob/master/5.7/root/usr/share/container-scripts/mysql/README.md.",
"labels": {
"template": "mysql-persistent-template"
},
diff --git a/roles/openshift_examples/files/examples/v3.9/db-templates/postgresql-ephemeral-template.json b/roles/openshift_examples/files/examples/v3.9/db-templates/postgresql-ephemeral-template.json
index 7c419f1ae..f29698d0c 100644
--- a/roles/openshift_examples/files/examples/v3.9/db-templates/postgresql-ephemeral-template.json
+++ b/roles/openshift_examples/files/examples/v3.9/db-templates/postgresql-ephemeral-template.json
@@ -5,7 +5,7 @@
"name": "postgresql-ephemeral",
"annotations": {
"openshift.io/display-name": "PostgreSQL (Ephemeral)",
- "description": "PostgreSQL database service, without persistent storage. For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/blob/master/9.5.\n\nWARNING: Any data stored will be lost upon pod destruction. Only use this template for testing",
+ "description": "PostgreSQL database service, without persistent storage. For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/.\n\nWARNING: Any data stored will be lost upon pod destruction. Only use this template for testing",
"iconClass": "icon-postgresql",
"tags": "database,postgresql",
"openshift.io/long-description": "This template provides a standalone PostgreSQL server with a database created. The database is not stored on persistent storage, so any restart of the service will result in all data being lost. The database name, username, and password are chosen via parameters when provisioning this service.",
@@ -14,7 +14,7 @@
"openshift.io/support-url": "https://access.redhat.com"
}
},
- "message": "The following service(s) have been created in your project: ${DATABASE_SERVICE_NAME}.\n\n Username: ${POSTGRESQL_USER}\n Password: ${POSTGRESQL_PASSWORD}\n Database Name: ${POSTGRESQL_DATABASE}\n Connection URL: postgresql://${DATABASE_SERVICE_NAME}:5432/\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/blob/master/9.5.",
+ "message": "The following service(s) have been created in your project: ${DATABASE_SERVICE_NAME}.\n\n Username: ${POSTGRESQL_USER}\n Password: ${POSTGRESQL_PASSWORD}\n Database Name: ${POSTGRESQL_DATABASE}\n Connection URL: postgresql://${DATABASE_SERVICE_NAME}:5432/\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/.",
"labels": {
"template": "postgresql-ephemeral-template"
},
@@ -127,11 +127,11 @@
}
},
"livenessProbe": {
+ "exec": {
+ "command": [ "/bin/sh", "-i", "-c", "pg_isready -h 127.0.0.1 -p 5432" ]
+ },
"timeoutSeconds": 1,
- "initialDelaySeconds": 30,
- "tcpSocket": {
- "port": 5432
- }
+ "initialDelaySeconds": 30
},
"env": [
{
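Review bot: The new exec liveness probe keeps `"timeoutSeconds": 1`, although each check now starts an interactive shell plus `pg_isready` instead of a plain TCP connect. On a busy node the process start alone can exceed one second, and repeated failures make the kubelet restart the database container. `pg_isready` also exits non-zero while the server is still starting up or rejecting connections, so a long crash recovery past the 30-second initial delay could be cut short by a restart. A more forgiving value such as `"timeoutSeconds": 10,` would reduce that risk. The same probe is added to the persistent template in its `@@ -144,11 +144,11 @@` hunk, where a restart during recovery matters more because the data survives the pod.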
@@ -245,8 +245,8 @@
{
"name": "POSTGRESQL_VERSION",
"displayName": "Version of PostgreSQL Image",
- "description": "Version of PostgreSQL image to be used (9.2, 9.4, 9.5 or latest).",
- "value": "9.5",
+ "description": "Version of PostgreSQL image to be used (9.4, 9.5, 9.6 or latest).",
+ "value": "9.6",
"required": true
}
]
diff --git a/roles/openshift_examples/files/examples/v3.9/db-templates/postgresql-persistent-template.json b/roles/openshift_examples/files/examples/v3.9/db-templates/postgresql-persistent-template.json
index 190509112..7feeb704a 100644
--- a/roles/openshift_examples/files/examples/v3.9/db-templates/postgresql-persistent-template.json
+++ b/roles/openshift_examples/files/examples/v3.9/db-templates/postgresql-persistent-template.json
@@ -5,7 +5,7 @@
"name": "postgresql-persistent",
"annotations": {
"openshift.io/display-name": "PostgreSQL",
- "description": "PostgreSQL database service, with persistent storage. For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/blob/master/9.5.\n\nNOTE: Scaling to more than one replica is not supported. You must have persistent volumes available in your cluster to use this template.",
+ "description": "PostgreSQL database service, with persistent storage. For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/.\n\nNOTE: Scaling to more than one replica is not supported. You must have persistent volumes available in your cluster to use this template.",
"iconClass": "icon-postgresql",
"tags": "database,postgresql",
"openshift.io/long-description": "This template provides a standalone PostgreSQL server with a database created. The database is stored on persistent storage. The database name, username, and password are chosen via parameters when provisioning this service.",
@@ -14,7 +14,7 @@
"openshift.io/support-url": "https://access.redhat.com"
}
},
- "message": "The following service(s) have been created in your project: ${DATABASE_SERVICE_NAME}.\n\n Username: ${POSTGRESQL_USER}\n Password: ${POSTGRESQL_PASSWORD}\n Database Name: ${POSTGRESQL_DATABASE}\n Connection URL: postgresql://${DATABASE_SERVICE_NAME}:5432/\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/blob/master/9.5.",
+ "message": "The following service(s) have been created in your project: ${DATABASE_SERVICE_NAME}.\n\n Username: ${POSTGRESQL_USER}\n Password: ${POSTGRESQL_PASSWORD}\n Database Name: ${POSTGRESQL_DATABASE}\n Connection URL: postgresql://${DATABASE_SERVICE_NAME}:5432/\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/.",
"labels": {
"template": "postgresql-persistent-template"
},
@@ -144,11 +144,11 @@
}
},
"livenessProbe": {
+ "exec": {
+ "command": [ "/bin/sh", "-i", "-c", "pg_isready -h 127.0.0.1 -p 5432" ]
+ },
"timeoutSeconds": 1,
- "initialDelaySeconds": 30,
- "tcpSocket": {
- "port": 5432
- }
+ "initialDelaySeconds": 30
},
"env": [
{
@@ -269,8 +269,8 @@
{
"name": "POSTGRESQL_VERSION",
"displayName": "Version of PostgreSQL Image",
- "description": "Version of PostgreSQL image to be used (9.2, 9.4, 9.5 or latest).",
- "value": "9.5",
+ "description": "Version of PostgreSQL image to be used (9.4, 9.5, 9.6 or latest).",
+ "value": "9.6",
"required": true
}
]
diff --git a/roles/openshift_examples/files/examples/v3.9/image-streams/image-streams-centos7.json b/roles/openshift_examples/files/examples/v3.9/image-streams/image-streams-centos7.json
index ad17b709e..924c2884b 100644
--- a/roles/openshift_examples/files/examples/v3.9/image-streams/image-streams-centos7.json
+++ b/roles/openshift_examples/files/examples/v3.9/image-streams/image-streams-centos7.json
@@ -44,7 +44,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/httpd-24-centos7:latest"
+ "name": "docker.io/centos/httpd-24-centos7:latest"
}
}
]
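Review bot: The qualified reference `docker.io/centos/httpd-24-centos7:latest` removes the ambiguity about which registry is searched, but it still follows a mutable upstream tag. What the stream imports is whatever the registry serves at import time, not content that was reviewed with this commit. Where reproducibility matters, a digest reference of the form `"name": "docker.io/centos/httpd-24-centos7@sha256:<digest-placeholder>"` fixes the content; whether these tags are re-imported on a schedule is not visible in the hunks. The same applies to every other `DockerImage` hunk in this file.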
@@ -91,7 +91,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "openshift/ruby-20-centos7:latest"
+ "name": "docker.io/openshift/ruby-20-centos7:latest"
}
},
{
@@ -108,7 +108,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/ruby-22-centos7:latest"
+ "name": "docker.io/centos/ruby-22-centos7:latest"
}
},
{
@@ -125,7 +125,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/ruby-23-centos7:latest"
+ "name": "docker.io/centos/ruby-23-centos7:latest"
}
},
{
@@ -142,7 +142,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/ruby-24-centos7:latest"
+ "name": "docker.io/centos/ruby-24-centos7:latest"
}
}
]
@@ -164,7 +164,7 @@
"annotations": {
"openshift.io/display-name": "Node.js (Latest)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Build and run Node.js applications on CentOS 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-nodejs-container/blob/master/4/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of Node.js available on OpenShift, including major versions updates.",
+ "description": "Build and run Node.js applications on CentOS 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-nodejs-container/blob/master/8/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of Node.js available on OpenShift, including major versions updates.",
"iconClass": "icon-nodejs",
"tags": "builder,nodejs",
"supports":"nodejs",
@@ -172,7 +172,7 @@
},
"from": {
"kind": "ImageStreamTag",
- "name": "6"
+ "name": "8"
}
},
{
@@ -189,7 +189,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "openshift/nodejs-010-centos7:latest"
+ "name": "docker.io/openshift/nodejs-010-centos7:latest"
}
},
{
@@ -206,7 +206,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/nodejs-4-centos7:latest"
+ "name": "docker.io/centos/nodejs-4-centos7:latest"
}
},
{
@@ -223,7 +223,23 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/nodejs-6-centos7:latest"
+ "name": "docker.io/centos/nodejs-6-centos7:latest"
+ }
+ },
+ {
+ "name": "8",
+ "annotations": {
+ "openshift.io/display-name": "Node.js 8",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Build and run Node.js 8 applications on CentOS 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-nodejs-container/blob/master/8/README.md.",
+ "iconClass": "icon-nodejs",
+ "tags": "builder,nodejs",
+ "version": "8",
+ "sampleRepo": "https://github.com/openshift/nodejs-ex.git"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "docker.io/centos/nodejs-8-centos7:latest"
}
}
]
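Review bot: The annotations of the new `8` tag have no `supports` entry, while the `latest` tag of this stream carries `"supports":"nodejs"` and the PHP 7.1 tag added later in this file carries `"supports":"php:7.1,php"`. If the other versioned Node.js tags follow the PHP pattern (they are outside the visible hunks), builder matching that relies on this annotation would skip the new tag. The fix would be to add `"supports":"nodejs:8,nodejs",` next to `"tags": "builder,nodejs"`.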
@@ -270,7 +286,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "openshift/perl-516-centos7:latest"
+ "name": "docker.io/openshift/perl-516-centos7:latest"
}
},
{
@@ -287,7 +303,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/perl-520-centos7:latest"
+ "name": "docker.io/centos/perl-520-centos7:latest"
}
},
{
@@ -304,7 +320,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/perl-524-centos7:latest"
+ "name": "docker.io/centos/perl-524-centos7:latest"
}
}
]
@@ -326,7 +342,7 @@
"annotations": {
"openshift.io/display-name": "PHP (Latest)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Build and run PHP applications on CentOS 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-php-container/blob/master/5.6/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of PHP available on OpenShift, including major versions updates.",
+ "description": "Build and run PHP applications on CentOS 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-php-container/blob/master/7.1/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of PHP available on OpenShift, including major versions updates.",
"iconClass": "icon-php",
"tags": "builder,php",
"supports":"php",
@@ -334,7 +350,7 @@
},
"from": {
"kind": "ImageStreamTag",
- "name": "7.0"
+ "name": "7.1"
}
},
{
@@ -351,7 +367,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "openshift/php-55-centos7:latest"
+ "name": "docker.io/openshift/php-55-centos7:latest"
}
},
{
@@ -368,7 +384,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/php-56-centos7:latest"
+ "name": "docker.io/centos/php-56-centos7:latest"
}
},
{
@@ -385,7 +401,24 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/php-70-centos7:latest"
+ "name": "docker.io/centos/php-70-centos7:latest"
+ }
+ },
+ {
+ "name": "7.1",
+ "annotations": {
+ "openshift.io/display-name": "PHP 7.1",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Build and run PHP 7.1 applications on CentOS 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-php-container/blob/master/7.1/README.md.",
+ "iconClass": "icon-php",
+ "tags": "builder,php",
+ "supports":"php:7.1,php",
+ "version": "7.1",
+ "sampleRepo": "https://github.com/openshift/cakephp-ex.git"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "docker.io/centos/php-71-centos7:latest"
}
}
]
@@ -432,7 +465,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "openshift/python-33-centos7:latest"
+ "name": "docker.io/openshift/python-33-centos7:latest"
}
},
{
@@ -449,7 +482,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/python-27-centos7:latest"
+ "name": "docker.io/centos/python-27-centos7:latest"
}
},
{
@@ -466,7 +499,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/python-34-centos7:latest"
+ "name": "docker.io/centos/python-34-centos7:latest"
}
},
{
@@ -483,7 +516,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/python-35-centos7:latest"
+ "name": "docker.io/centos/python-35-centos7:latest"
}
},
{
@@ -500,7 +533,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/python-36-centos7:latest"
+ "name": "docker.io/centos/python-36-centos7:latest"
}
}
]
@@ -547,7 +580,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "openshift/wildfly-81-centos7:latest"
+ "name": "docker.io/openshift/wildfly-81-centos7:latest"
}
},
{
@@ -564,7 +597,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "openshift/wildfly-90-centos7:latest"
+ "name": "docker.io/openshift/wildfly-90-centos7:latest"
}
},
{
@@ -581,7 +614,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "openshift/wildfly-100-centos7:latest"
+ "name": "docker.io/openshift/wildfly-100-centos7:latest"
}
},
{
@@ -598,7 +631,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "openshift/wildfly-101-centos7:latest"
+ "name": "docker.io/openshift/wildfly-101-centos7:latest"
}
}
]
@@ -641,7 +674,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "openshift/mysql-55-centos7:latest"
+ "name": "docker.io/openshift/mysql-55-centos7:latest"
}
},
{
@@ -656,7 +689,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/mysql-56-centos7:latest"
+ "name": "docker.io/centos/mysql-56-centos7:latest"
}
},
{
@@ -671,7 +704,88 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/mysql-57-centos7:latest"
+ "name": "docker.io/centos/mysql-57-centos7:latest"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "kind": "ImageStream",
+ "apiVersion": "v1",
+ "metadata": {
+ "name": "nginx",
+ "annotations": {
+ "openshift.io/display-name": "Nginx HTTP server and a reverse proxy (nginx)"
+ }
+ },
+ "spec": {
+ "tags": [
+ {
+ "name": "1.8",
+ "annotations": {
+ "openshift.io/display-name": "Nginx HTTP server and a reverse proxy 1.8",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Build and serve static content via Nginx HTTP Server and a reverse proxy (nginx) on CentOS 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/nginx-container/blob/master/1.8/README.md.",
+ "iconClass": "icon-nginx",
+ "tags": "builder,nginx",
+ "supports":"nginx",
+ "sampleRepo": "https://github.com/sclorg/nginx-ex.git",
+ "version": "1.8"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "docker.io/centos/nginx-18-centos7:latest"
+ }
+ },
+ {
+ "name": "1.10",
+ "annotations": {
+ "openshift.io/display-name": "Nginx HTTP server and a reverse proxy 1.10",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Build and serve static content via Nginx HTTP Server and a reverse proxy (nginx) on CentOS 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/nginx-container/blob/master/1.10/README.md.",
+ "iconClass": "icon-nginx",
+ "tags": "builder,nginx",
+ "supports":"nginx",
+ "sampleRepo": "https://github.com/sclorg/nginx-ex.git",
+ "version": "1.10"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "docker.io/centos/nginx-110-centos7:latest"
+ }
+ },
+ {
+ "name": "1.12",
+ "annotations": {
+ "openshift.io/display-name": "Nginx HTTP server and a reverse proxy 1.12",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Build and serve static content via Nginx HTTP Server and a reverse proxy (nginx) on CentOS 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/nginx-container/blob/master/1.12/README.md.",
+ "iconClass": "icon-nginx",
+ "tags": "builder,nginx",
+ "supports":"nginx",
+ "sampleRepo": "https://github.com/sclorg/nginx-ex.git",
+ "version": "1.12"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "docker.io/centos/nginx-112-centos7:latest"
+ }
+ },
+ {
+ "name": "latest",
+ "annotations": {
+ "openshift.io/display-name": "Nginx HTTP server and a reverse proxy (Latest)",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Build and serve static content via Nginx HTTP Server and a reverse proxy (nginx) on CentOS 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/nginx-container/blob/master/1.12/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of Nginx available on OpenShift, including major versions updates.",
+ "iconClass": "icon-nginx",
+ "tags": "builder,nginx",
+ "supports":"nginx",
+ "sampleRepo": "https://github.com/sclorg/nginx-ex.git"
+ },
+ "from": {
+ "kind": "ImageStreamTag",
+ "name": "1.12"
}
}
]
@@ -693,13 +807,13 @@
"annotations": {
"openshift.io/display-name": "MariaDB (Latest)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Provides a MariaDB database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/tree/master/10.1/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of MariaDB available on OpenShift, including major versions updates.",
+ "description": "Provides a MariaDB database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/tree/master/10.2/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of MariaDB available on OpenShift, including major versions updates.",
"iconClass": "icon-mariadb",
- "tags": "mariadb"
+ "tags": "database,mariadb"
},
"from": {
"kind": "ImageStreamTag",
- "name": "10.1"
+ "name": "10.2"
}
},
{
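Review bot: Retargeting the `latest` ImageStreamTag from `10.1` to `10.2` moves any deployment that follows `mariadb:latest` through an image-change trigger onto a new major server version as soon as this stream is applied, and it does so against that deployment's existing data directory. The description's WARNING mentions automatic major updates but not the effect on stored data. It could end with a sentence such as `Deployments with persistent storage should reference a versioned tag instead.` The PostgreSQL hunk `@@ -736,13 +865,13 @@` does the same with `9.5` to `9.6`, which is the sharper case because PostgreSQL will not start on a data directory initialised by a different major version.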
@@ -709,12 +823,27 @@
"openshift.io/provider-display-name": "Red Hat, Inc.",
"description": "Provides a MariaDB 10.1 database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/tree/master/10.1/README.md.",
"iconClass": "icon-mariadb",
- "tags": "mariadb",
+ "tags": "database,mariadb",
"version": "10.1"
},
"from": {
"kind": "DockerImage",
- "name": "centos/mariadb-101-centos7:latest"
+ "name": "docker.io/centos/mariadb-101-centos7:latest"
+ }
+ },
+ {
+ "name": "10.2",
+ "annotations": {
+ "openshift.io/display-name": "MariaDB 10.2",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Provides a MariaDB 10.2 database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/tree/master/10.2/README.md.",
+ "iconClass": "icon-mariadb",
+ "tags": "database,mariadb",
+ "version": "10.2"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "docker.io/centos/mariadb-102-centos7:latest"
}
}
]
@@ -736,13 +865,13 @@
"annotations": {
"openshift.io/display-name": "PostgreSQL (Latest)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Provides a PostgreSQL database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.5.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of PostgreSQL available on OpenShift, including major versions updates.",
+ "description": "Provides a PostgreSQL database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.6/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of PostgreSQL available on OpenShift, including major versions updates.",
"iconClass": "icon-postgresql",
- "tags": "postgresql"
+ "tags": "database,postgresql"
},
"from": {
"kind": "ImageStreamTag",
- "name": "9.5"
+ "name": "9.6"
}
},
{
@@ -750,14 +879,14 @@
"annotations": {
"openshift.io/display-name": "PostgreSQL 9.2",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Provides a PostgreSQL 9.2 database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.2.",
+ "description": "Provides a PostgreSQL 9.2 database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.2/README.md.",
"iconClass": "icon-postgresql",
"tags": "hidden,postgresql",
"version": "9.2"
},
"from": {
"kind": "DockerImage",
- "name": "openshift/postgresql-92-centos7:latest"
+ "name": "docker.io/openshift/postgresql-92-centos7:latest"
}
},
{
@@ -765,14 +894,14 @@
"annotations": {
"openshift.io/display-name": "PostgreSQL 9.4",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Provides a PostgreSQL 9.4 database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.4.",
+ "description": "Provides a PostgreSQL 9.4 database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.4/README.md.",
"iconClass": "icon-postgresql",
- "tags": "postgresql",
+ "tags": "database,postgresql",
"version": "9.4"
},
"from": {
"kind": "DockerImage",
- "name": "centos/postgresql-94-centos7:latest"
+ "name": "docker.io/centos/postgresql-94-centos7:latest"
}
},
{
@@ -780,14 +909,29 @@
"annotations": {
"openshift.io/display-name": "PostgreSQL 9.5",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Provides a PostgreSQL 9.5 database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.5.",
+ "description": "Provides a PostgreSQL 9.5 database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.5/README.md.",
"iconClass": "icon-postgresql",
- "tags": "postgresql",
+ "tags": "database,postgresql",
"version": "9.5"
},
"from": {
"kind": "DockerImage",
- "name": "centos/postgresql-95-centos7:latest"
+ "name": "docker.io/centos/postgresql-95-centos7:latest"
+ }
+ },
+ {
+ "name": "9.6",
+ "annotations": {
+ "openshift.io/display-name": "PostgreSQL 9.6",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Provides a PostgreSQL 9.6 database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.6/README.md.",
+ "iconClass": "icon-postgresql",
+ "tags": "database,postgresql",
+ "version": "9.6"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "docker.io/centos/postgresql-96-centos7:latest"
}
}
]
@@ -809,13 +953,13 @@
"annotations": {
"openshift.io/display-name": "MongoDB (Latest)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Provides a MongoDB database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mongodb-container/tree/master/3.2/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of MongoDB available on OpenShift, including major versions updates.",
+ "description": "Provides a MongoDB database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mongodb-container/tree/master/3.4/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of MongoDB available on OpenShift, including major versions updates.",
"iconClass": "icon-mongodb",
- "tags": "mongodb"
+ "tags": "database,mongodb"
},
"from": {
"kind": "ImageStreamTag",
- "name": "3.2"
+ "name": "3.4"
}
},
{
@@ -830,7 +974,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "openshift/mongodb-24-centos7:latest"
+ "name": "docker.io/openshift/mongodb-24-centos7:latest"
}
},
{
@@ -840,12 +984,12 @@
"openshift.io/provider-display-name": "Red Hat, Inc.",
"description": "Provides a MongoDB 2.6 database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mongodb-container/tree/master/2.6/README.md.",
"iconClass": "icon-mongodb",
- "tags": "mongodb",
+ "tags": "database,mongodb",
"version": "2.6"
},
"from": {
"kind": "DockerImage",
- "name": "centos/mongodb-26-centos7:latest"
+ "name": "docker.io/centos/mongodb-26-centos7:latest"
}
},
{
@@ -855,12 +999,27 @@
"openshift.io/provider-display-name": "Red Hat, Inc.",
"description": "Provides a MongoDB 3.2 database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mongodb-container/tree/master/3.2/README.md.",
"iconClass": "icon-mongodb",
- "tags": "mongodb",
+ "tags": "database,mongodb",
"version": "3.2"
},
"from": {
"kind": "DockerImage",
- "name": "centos/mongodb-32-centos7:latest"
+ "name": "docker.io/centos/mongodb-32-centos7:latest"
+ }
+ },
+ {
+ "name": "3.4",
+ "annotations": {
+ "openshift.io/display-name": "MongoDB 3.4",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Provides a MongoDB 3.4 database on CentOS 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mongodb-container/tree/master/3.4/README.md.",
+ "iconClass": "icon-mongodb",
+ "tags": "database,mongodb",
+ "version": "3.4"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "docker.io/centos/mongodb-34-centos7:latest"
}
}
]
@@ -903,7 +1062,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "centos/redis-32-centos7:latest"
+ "name": "docker.io/centos/redis-32-centos7:latest"
}
}
]
@@ -946,7 +1105,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "openshift/jenkins-1-centos7:latest"
+ "name": "docker.io/openshift/jenkins-1-centos7:latest"
}
},
{
@@ -961,7 +1120,7 @@
},
"from": {
"kind": "DockerImage",
- "name": "openshift/jenkins-2-centos7:v3.9"
+ "name": "docker.io/openshift/jenkins-2-centos7:v3.9"
}
}
]
diff --git a/roles/openshift_examples/files/examples/v3.9/image-streams/image-streams-rhel7.json b/roles/openshift_examples/files/examples/v3.9/image-streams/image-streams-rhel7.json
index efc8705f4..af319beed 100644
--- a/roles/openshift_examples/files/examples/v3.9/image-streams/image-streams-rhel7.json
+++ b/roles/openshift_examples/files/examples/v3.9/image-streams/image-streams-rhel7.json
@@ -164,7 +164,7 @@
"annotations": {
"openshift.io/display-name": "Node.js (Latest)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Build and run Node.js applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-nodejs-container/blob/master/4/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of Node.js available on OpenShift, including major versions updates.",
+ "description": "Build and run Node.js applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-nodejs-container/blob/master/8/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of Node.js available on OpenShift, including major versions updates.",
"iconClass": "icon-nodejs",
"tags": "builder,nodejs",
"supports":"nodejs",
@@ -172,7 +172,7 @@
},
"from": {
"kind": "ImageStreamTag",
- "name": "6"
+ "name": "8"
}
},
{
@@ -225,6 +225,22 @@
"kind": "DockerImage",
"name": "registry.access.redhat.com/rhscl/nodejs-6-rhel7:latest"
}
+ },
+ {
+ "name": "8",
+ "annotations": {
+ "openshift.io/display-name": "Node.js 8",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Build and run Node.js 8 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-nodejs-container.",
+ "iconClass": "icon-nodejs",
+ "tags": "builder,nodejs",
+ "version": "8",
+ "sampleRepo": "https://github.com/openshift/nodejs-ex.git"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "registry.access.redhat.com/rhscl/nodejs-8-rhel7:latest"
+ }
}
]
}
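Review bot: The description of the new `8` tag links to the repository root (`https://github.com/sclorg/s2i-nodejs-container.`), while the `latest` tag in this file, which now follows `8`, points at `.../blob/master/8/README.md`. The tag-specific link would be `https://github.com/sclorg/s2i-nodejs-container/blob/master/8/README.md`. The new tag also has no `supports` annotation, whereas the PHP 7.1 tag added in this commit carries `"supports":"php:7.1,php"`. If the older Node.js tags, which are outside the hunk, follow the same pattern, `"supports":"nodejs:8,nodejs",` is missing here.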
@@ -326,7 +342,7 @@
"annotations": {
"openshift.io/display-name": "PHP (Latest)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Build and run PHP applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-php-container/blob/master/5.6/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of PHP available on OpenShift, including major versions updates.",
+ "description": "Build and run PHP applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-php-container/blob/master/7.1/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of PHP available on OpenShift, including major versions updates.",
"iconClass": "icon-php",
"tags": "builder,php",
"supports":"php",
@@ -334,7 +350,7 @@
},
"from": {
"kind": "ImageStreamTag",
- "name": "7.0"
+ "name": "7.1"
}
},
{
@@ -387,6 +403,23 @@
"kind": "DockerImage",
"name": "registry.access.redhat.com/rhscl/php-70-rhel7:latest"
}
+ },
+ {
+ "name": "7.1",
+ "annotations": {
+ "openshift.io/display-name": "PHP 7.1",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Build and run PHP 7.1 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-php-container/blob/master/7.1/README.md.",
+ "iconClass": "icon-php",
+ "tags": "builder,php",
+ "supports":"php:7.1,php",
+ "version": "7.1",
+ "sampleRepo": "https://github.com/openshift/cakephp-ex.git"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "registry.access.redhat.com/rhscl/php-71-rhel7:latest"
+ }
}
]
}
@@ -583,6 +616,87 @@
"kind": "ImageStream",
"apiVersion": "v1",
"metadata": {
+ "name": "nginx",
+ "annotations": {
+ "openshift.io/display-name": "Nginx HTTP server and a reverse proxy (nginx)"
+ }
+ },
+ "spec": {
+ "tags": [
+ {
+ "name": "1.8",
+ "annotations": {
+ "openshift.io/display-name": "Nginx HTTP server and a reverse proxy 1.8",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Build and serve static content via Nginx HTTP server and a reverse proxy (nginx) on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/nginx-container/blob/master/1.8/README.md.",
+ "iconClass": "icon-nginx",
+ "tags": "builder,nginx",
+ "supports":"nginx",
+ "sampleRepo": "https://github.com/sclorg/nginx-ex.git",
+ "version": "1.8"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "registry.access.redhat.com/rhscl/nginx-18-rhel7:latest"
+ }
+ },
+ {
+ "name": "1.10",
+ "annotations": {
+ "openshift.io/display-name": "Nginx HTTP server and a reverse proxy 1.10",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Build and serve static content via Nginx HTTP server and a reverse proxy (nginx) on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/nginx-container/blob/master/1.10/README.md.",
+ "iconClass": "icon-nginx",
+ "tags": "builder,nginx",
+ "supports":"nginx",
+ "sampleRepo": "https://github.com/sclorg/nginx-ex.git",
+ "version": "1.10"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "registry.access.redhat.com/rhscl/nginx-110-rhel7:latest"
+ }
+ },
+ {
+ "name": "1.12",
+ "annotations": {
+ "openshift.io/display-name": "Nginx HTTP server and a reverse proxy 1.12",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Build and serve static content via Nginx HTTP server and a reverse proxy (nginx) on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/nginx-container/blob/master/1.12/README.md.",
+ "iconClass": "icon-nginx",
+ "tags": "builder,nginx",
+ "supports":"nginx",
+ "sampleRepo": "https://github.com/sclorg/nginx-ex.git",
+ "version": "1.12"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "registry.access.redhat.com/rhscl/nginx-112-rhel7:latest"
+ }
+ },
+ {
+ "name": "latest",
+ "annotations": {
+ "openshift.io/display-name": "Nginx HTTP server and a reverse proxy (Latest)",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Build and serve static content via Nginx HTTP server and a reverse proxy (nginx) on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/nginx-container/blob/master/1.12/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of Nginx available on OpenShift, including major versions updates.",
+ "iconClass": "icon-nginx",
+ "tags": "builder,nginx",
+ "supports":"nginx",
+ "sampleRepo": "https://github.com/sclorg/nginx-ex.git"
+ },
+ "from": {
+ "kind": "ImageStreamTag",
+ "name": "1.12"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "kind": "ImageStream",
+ "apiVersion": "v1",
+ "metadata": {
"name": "mariadb",
"annotations": {
"openshift.io/display-name": "MariaDB"
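Review bot: The versioned nginx tags `1.8`, `1.10` and `1.12` all declare `"supports":"nginx"` with no version, whereas the PHP 7.1 tag added to this file in the same commit uses the versioned form `"supports":"php:7.1,php"`. If consumers of this annotation match on `name:version` (not visible from here), a request for a specific nginx version cannot be resolved to a tag. The consistent form would be `"supports":"nginx:1.12,nginx"` on the `1.12` tag, and likewise `nginx:1.10` and `nginx:1.8` on the other two. The unversioned value on `latest` matches what the other `latest` tags in this file do.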
@@ -595,13 +709,13 @@
"annotations": {
"openshift.io/display-name": "MariaDB (Latest)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Provides a MariaDB database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/tree/master/10.1/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of MariaDB available on OpenShift, including major versions updates.",
+ "description": "Provides a MariaDB database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/tree/master/10.2/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of MariaDB available on OpenShift, including major versions updates.",
"iconClass": "icon-mariadb",
- "tags": "mariadb"
+ "tags": "database,mariadb"
},
"from": {
"kind": "ImageStreamTag",
- "name": "10.1"
+ "name": "10.2"
}
},
{
@@ -611,13 +725,28 @@
"openshift.io/provider-display-name": "Red Hat, Inc.",
"description": "Provides a MariaDB 10.1 database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/tree/master/10.1/README.md.",
"iconClass": "icon-mariadb",
- "tags": "mariadb",
+ "tags": "database,mariadb",
"version": "10.1"
},
"from": {
"kind": "DockerImage",
"name": "registry.access.redhat.com/rhscl/mariadb-101-rhel7:latest"
}
+ },
+ {
+ "name": "10.2",
+ "annotations": {
+ "openshift.io/display-name": "MariaDB 10.2",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Provides a MariaDB 10.2 database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mariadb-container/tree/master/10.2/README.md.",
+ "iconClass": "icon-mariadb",
+ "tags": "database,mariadb",
+ "version": "10.2"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "registry.access.redhat.com/rhscl/mariadb-102-rhel7:latest"
+ }
}
]
}
@@ -638,13 +767,13 @@
"annotations": {
"openshift.io/display-name": "PostgreSQL (Latest)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Provides a PostgreSQL database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.5.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of PostgreSQL available on OpenShift, including major versions updates.",
+ "description": "Provides a PostgreSQL database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.6/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of PostgreSQL available on OpenShift, including major versions updates.",
"iconClass": "icon-postgresql",
- "tags": "postgresql"
+ "tags": "database,postgresql"
},
"from": {
"kind": "ImageStreamTag",
- "name": "9.5"
+ "name": "9.6"
}
},
{
@@ -652,7 +781,7 @@
"annotations": {
"openshift.io/display-name": "PostgreSQL 9.2",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Provides a PostgreSQL 9.2 database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.2.",
+ "description": "Provides a PostgreSQL 9.2 database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.2/README.md.",
"iconClass": "icon-postgresql",
"tags": "hidden,postgresql",
"version": "9.2"
@@ -667,9 +796,9 @@
"annotations": {
"openshift.io/display-name": "PostgreSQL 9.4",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Provides a PostgreSQL 9.4 database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.4.",
+ "description": "Provides a PostgreSQL 9.4 database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.4/README.md.",
"iconClass": "icon-postgresql",
- "tags": "postgresql",
+ "tags": "database,postgresql",
"version": "9.4"
},
"from": {
@@ -682,15 +811,30 @@
"annotations": {
"openshift.io/display-name": "PostgreSQL 9.5",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Provides a PostgreSQL 9.5 database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.5.",
+ "description": "Provides a PostgreSQL 9.5 database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.5/README.md.",
"iconClass": "icon-postgresql",
- "tags": "postgresql",
+ "tags": "database,postgresql",
"version": "9.5"
},
"from": {
"kind": "DockerImage",
"name": "registry.access.redhat.com/rhscl/postgresql-95-rhel7:latest"
}
+ },
+ {
+ "name": "9.6",
+ "annotations": {
+ "openshift.io/display-name": "PostgreSQL (Ephemeral) 9.6",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Provides a PostgreSQL 9.6 database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/tree/master/9.6/README.md.",
+ "iconClass": "icon-postgresql",
+ "tags": "database,postgresql",
+ "version": "9.6"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "registry.access.redhat.com/rhscl/postgresql-96-rhel7:latest"
+ }
}
]
}
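Review bot: The new `9.6` tag sets `"openshift.io/display-name": "PostgreSQL (Ephemeral) 9.6"`, which does not match the sibling tags in this stream ("PostgreSQL 9.4", "PostgreSQL 9.5") or the CentOS counterpart added earlier in this diff ("PostgreSQL 9.6"). "(Ephemeral)" reads like a template display name that was copied in. An image stream tag says nothing about storage, so the label would mislead someone choosing an image in the catalog. Suggested line: `"openshift.io/display-name": "PostgreSQL 9.6",`.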
@@ -711,13 +855,13 @@
"annotations": {
"openshift.io/display-name": "MongoDB (Latest)",
"openshift.io/provider-display-name": "Red Hat, Inc.",
- "description": "Provides a MongoDB database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mongodb-container/tree/master/3.2/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of MongoDB available on OpenShift, including major versions updates.",
+ "description": "Provides a MongoDB database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mongodb-container/tree/master/3.4/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of MongoDB available on OpenShift, including major versions updates.",
"iconClass": "icon-mongodb",
"tags": "mongodb"
},
"from": {
"kind": "ImageStreamTag",
- "name": "3.2"
+ "name": "3.4"
}
},
{
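Review bot: The context line `"tags": "mongodb"` on the MongoDB (Latest) tag is left unchanged here, while this commit adds the `database` category to every other database tag it touches, including the 2.6, 3.2 and 3.4 tags of this same stream and the MongoDB (Latest) tag in the CentOS hunk earlier in the diff. Assuming the catalog groups by that tag, the RHEL `latest` entry would be the one MongoDB tag missing from the database category. Suggested line: `"tags": "database,mongodb"`.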
@@ -742,7 +886,7 @@
"openshift.io/provider-display-name": "Red Hat, Inc.",
"description": "Provides a MongoDB 2.6 database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mongodb-container/tree/master/2.6/README.md.",
"iconClass": "icon-mongodb",
- "tags": "mongodb",
+ "tags": "database,mongodb",
"version": "2.6"
},
"from": {
@@ -757,13 +901,28 @@
"openshift.io/provider-display-name": "Red Hat, Inc.",
"description": "Provides a MongoDB 3.2 database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mongodb-container/tree/master/3.2/README.md.",
"iconClass": "icon-mongodb",
- "tags": "mongodb",
+ "tags": "database,mongodb",
"version": "3.2"
},
"from": {
"kind": "DockerImage",
"name": "registry.access.redhat.com/rhscl/mongodb-32-rhel7:latest"
}
+ },
+ {
+ "name": "3.4",
+ "annotations": {
+ "openshift.io/display-name": "MongoDB 3.4",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "description": "Provides a MongoDB 3.4 database on RHEL 7. For more information about using this database image, including OpenShift considerations, see https://github.com/sclorg/mongodb-container/tree/master/3.4/README.md.",
+ "iconClass": "icon-mongodb",
+ "tags": "database,mongodb",
+ "version": "3.4"
+ },
+ "from": {
+ "kind": "DockerImage",
+ "name": "registry.access.redhat.com/rhscl/mongodb-34-rhel7:latest"
+ }
}
]
}
diff --git a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/README.md b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/README.md
index 6d2ccbf7f..710d5f58d 100644
--- a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/README.md
+++ b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/README.md
@@ -18,6 +18,7 @@ instantiating them.
* [Django](https://raw.githubusercontent.com/openshift/django-ex/master/openshift/templates/django-postgresql.json) - Provides a basic Django (Python) application with a PostgreSQL database. For more information see the [source repository](https://github.com/openshift/django-ex).
* [Django persistent](https://raw.githubusercontent.com/openshift/django-ex/master/openshift/templates/django-postgresql-persistent.json) - Provides a basic Django (Python) application with a persistent PostgreSQL database. Note: requires available persistent volumes. For more information see the [source repository](https://github.com/openshift/django-ex).
* [Httpd](https://raw.githubusercontent.com/openshift/httpd-ex/master/openshift/templates/httpd.json) - Provides a basic Httpd static content application. For more information see the [source repository](https://github.com/openshift/httpd-ex).
+* [Nginx](https://raw.githubusercontent.com/sclorg/nginx-ex/master/openshift/templates/nginx.json) - Provides a basic Nginx static content application. For more information see the [source repository](https://github.com/sclorg/nginx-ex).
* [NodeJS](https://raw.githubusercontent.com/openshift/nodejs-ex/master/openshift/templates/nodejs-mongodb.json) - Provides a basic NodeJS application with a MongoDB database. For more information see the [source repository](https://github.com/openshift/nodejs-ex).
* [NodeJS persistent](https://raw.githubusercontent.com/openshift/nodejs-ex/master/openshift/templates/nodejs-mongodb-persistent.json) - Provides a basic NodeJS application with a persistent MongoDB database. Note: requires available persistent volumes. For more information see the [source repository](https://github.com/openshift/nodejs-ex).
* [Rails](https://raw.githubusercontent.com/openshift/rails-ex/master/openshift/templates/rails-postgresql.json) - Provides a basic Rails (Ruby) application with a PostgreSQL database. For more information see the [source repository](https://github.com/openshift/rails-ex).
diff --git a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/cakephp-mysql-persistent.json b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/cakephp-mysql-persistent.json
index 40b4eaa81..8888f19d0 100644
--- a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/cakephp-mysql-persistent.json
+++ b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/cakephp-mysql-persistent.json
@@ -17,8 +17,8 @@
},
"message": "The following service(s) have been created in your project: ${NAME}, ${DATABASE_SERVICE_NAME}.\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/openshift/cake-ex/blob/master/README.md.",
"labels": {
- "template": "cakephp-mysql-persistent",
- "app": "cakephp-mysql-persistent"
+ "template": "cakephp-mysql-persistent",
+ "app": "cakephp-mysql-persistent"
},
"objects": [
{
@@ -209,6 +209,7 @@
"readinessProbe": {
"timeoutSeconds": 3,
"initialDelaySeconds": 3,
+ "periodSeconds": 60,
"httpGet": {
"path": "/health.php",
"port": 8080
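Review bot: With `"periodSeconds": 60` on the readiness probe, a pod that stops answering `/health.php` can keep receiving traffic for at least a minute, and longer if the failure threshold (not set in the visible lines) is above one. The same setting delays a recovered pod from being put back into rotation. If the 60-second period is meant to reduce load from the health endpoint, it fits the liveness probe in the next hunk better. Readiness could keep a short interval such as `"periodSeconds": 10,`. The same pair of additions appears in both hunks of cakephp-mysql.json, and the probe objects continue outside the hunks.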
@@ -217,6 +218,7 @@
"livenessProbe": {
"timeoutSeconds": 3,
"initialDelaySeconds": 30,
+ "periodSeconds": 60,
"httpGet": {
"path": "/health.php",
"port": 8080
diff --git a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/cakephp-mysql.json b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/cakephp-mysql.json
index ecd90e495..2bf7acd8c 100644
--- a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/cakephp-mysql.json
+++ b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/cakephp-mysql.json
@@ -17,8 +17,8 @@
},
"message": "The following service(s) have been created in your project: ${NAME}, ${DATABASE_SERVICE_NAME}.\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/openshift/cake-ex/blob/master/README.md.",
"labels": {
- "template": "cakephp-mysql-example",
- "app": "cakephp-mysql-example"
+ "template": "cakephp-mysql-example",
+ "app": "cakephp-mysql-example"
},
"objects": [
{
@@ -209,6 +209,7 @@
"readinessProbe": {
"timeoutSeconds": 3,
"initialDelaySeconds": 3,
+ "periodSeconds": 60,
"httpGet": {
"path": "/health.php",
"port": 8080
@@ -217,6 +218,7 @@
"livenessProbe": {
"timeoutSeconds": 3,
"initialDelaySeconds": 30,
+ "periodSeconds": 60,
"httpGet": {
"path": "/health.php",
"port": 8080
diff --git a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/dancer-mysql-persistent.json b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/dancer-mysql-persistent.json
index 17a155600..b29f8ba40 100644
--- a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/dancer-mysql-persistent.json
+++ b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/dancer-mysql-persistent.json
@@ -17,8 +17,8 @@
},
"message": "The following service(s) have been created in your project: ${NAME}, ${DATABASE_SERVICE_NAME}.\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/openshift/dancer-ex/blob/master/README.md.",
"labels": {
- "template": "dancer-mysql-persistent",
- "app": "dancer-mysql-persistent"
+ "template": "dancer-mysql-persistent",
+ "app": "dancer-mysql-persistent"
},
"objects": [
{
diff --git a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/dancer-mysql.json b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/dancer-mysql.json
index abf711535..e76353764 100644
--- a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/dancer-mysql.json
+++ b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/dancer-mysql.json
@@ -17,8 +17,8 @@
},
"message": "The following service(s) have been created in your project: ${NAME}, ${DATABASE_SERVICE_NAME}.\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/openshift/dancer-ex/blob/master/README.md.",
"labels": {
- "template": "dancer-mysql-example",
- "app": "dancer-mysql-example"
+ "template": "dancer-mysql-example",
+ "app": "dancer-mysql-example"
},
"objects": [
{
diff --git a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/django-postgresql-persistent.json b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/django-postgresql-persistent.json
index c8dab0b53..7a0ab213a 100644
--- a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/django-postgresql-persistent.json
+++ b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/django-postgresql-persistent.json
@@ -17,8 +17,8 @@
},
"message": "The following service(s) have been created in your project: ${NAME}, ${DATABASE_SERVICE_NAME}.\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/openshift/django-ex/blob/master/README.md.",
"labels": {
- "template": "django-psql-persistent",
- "app": "django-psql-persistent"
+ "template": "django-psql-persistent",
+ "app": "django-psql-persistent"
},
"objects": [
{
diff --git a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/django-postgresql.json b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/django-postgresql.json
index 6395defda..be3fc740c 100644
--- a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/django-postgresql.json
+++ b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/django-postgresql.json
@@ -17,8 +17,8 @@
},
"message": "The following service(s) have been created in your project: ${NAME}, ${DATABASE_SERVICE_NAME}.\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/openshift/django-ex/blob/master/README.md.",
"labels": {
- "template": "django-psql-example",
- "app": "django-psql-example"
+ "template": "django-psql-example",
+ "app": "django-psql-example"
},
"objects": [
{
diff --git a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/httpd.json b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/httpd.json
index e944f21a5..67ae3c751 100644
--- a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/httpd.json
+++ b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/httpd.json
@@ -17,8 +17,8 @@
},
"message": "The following service(s) have been created in your project: ${NAME}.\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/openshift/httpd-ex/blob/master/README.md.",
"labels": {
- "template": "httpd-example",
- "app": "httpd-example"
+ "template": "httpd-example",
+ "app": "httpd-example"
},
"objects": [
{
diff --git a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/nginx.json b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/nginx.json
new file mode 100644
index 000000000..84aa1f469
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/nginx.json
@@ -0,0 +1,283 @@
+{
+ "kind": "Template",
+ "apiVersion": "v1",
+ "metadata": {
+ "name": "nginx-example",
+ "annotations": {
+ "openshift.io/display-name": "Nginx HTTP server and a reverse proxy",
+ "description": "An example Nginx HTTP server and a reverse proxy (nginx) application that serves static content. For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/nginx-ex/blob/master/README.md.",
+ "tags": "quickstart,nginx",
+ "iconClass": "icon-nginx",
+ "openshift.io/long-description": "This template defines resources needed to develop a static application served by Nginx HTTP server and a reverse proxy (nginx), including a build configuration and application deployment configuration.",
+ "openshift.io/provider-display-name": "Red Hat, Inc.",
+ "openshift.io/documentation-url": "https://github.com/sclorg/nginx-ex",
+ "openshift.io/support-url": "https://access.redhat.com"
+ }
+ },
+ "message": "The following service(s) have been created in your project: ${NAME}.\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/sclorg/nginx-ex/blob/master/README.md.",
+ "labels": {
+ "template": "nginx-example"
+ },
+ "objects": [
+ {
+ "kind": "Service",
+ "apiVersion": "v1",
+ "metadata": {
+ "name": "${NAME}",
+ "annotations": {
+ "description": "Exposes and load balances the application pods"
+ }
+ },
+ "spec": {
+ "ports": [
+ {
+ "name": "web",
+ "port": 8080,
+ "targetPort": 8080
+ }
+ ],
+ "selector": {
+ "name": "${NAME}"
+ }
+ }
+ },
+ {
+ "kind": "Route",
+ "apiVersion": "v1",
+ "metadata": {
+ "name": "${NAME}",
+ "annotations": {
+ "template.openshift.io/expose-uri": "http://{.spec.host}{.spec.path}"
+ }
+ },
+ "spec": {
+ "host": "${APPLICATION_DOMAIN}",
+ "to": {
+ "kind": "Service",
+ "name": "${NAME}"
+ }
+ }
+ },
+ {
+ "kind": "ImageStream",
+ "apiVersion": "v1",
+ "metadata": {
+ "name": "${NAME}",
+ "annotations": {
+ "description": "Keeps track of changes in the application image"
+ }
+ }
+ },
+ {
+ "kind": "BuildConfig",
+ "apiVersion": "v1",
+ "metadata": {
+ "name": "${NAME}",
+ "annotations": {
+ "description": "Defines how to build the application",
+ "template.alpha.openshift.io/wait-for-ready": "true"
+ }
+ },
+ "spec": {
+ "source": {
+ "type": "Git",
+ "git": {
+ "uri": "${SOURCE_REPOSITORY_URL}",
+ "ref": "${SOURCE_REPOSITORY_REF}"
+ },
+ "contextDir": "${CONTEXT_DIR}"
+ },
+ "strategy": {
+ "type": "Source",
+ "sourceStrategy": {
+ "from": {
+ "kind": "ImageStreamTag",
+ "namespace": "${NAMESPACE}",
+ "name": "nginx:${NGINX_VERSION}"
+ }
+ }
+ },
+ "output": {
+ "to": {
+ "kind": "ImageStreamTag",
+ "name": "${NAME}:latest"
+ }
+ },
+ "triggers": [
+ {
+ "type": "ImageChange"
+ },
+ {
+ "type": "ConfigChange"
+ },
+ {
+ "type": "GitHub",
+ "github": {
+ "secret": "${GITHUB_WEBHOOK_SECRET}"
+ }
+ },
+ {
+ "type": "Generic",
+ "generic": {
+ "secret": "${GENERIC_WEBHOOK_SECRET}"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "kind": "DeploymentConfig",
+ "apiVersion": "v1",
+ "metadata": {
+ "name": "${NAME}",
+ "annotations": {
+ "description": "Defines how to deploy the application server",
+ "template.alpha.openshift.io/wait-for-ready": "true"
+ }
+ },
+ "spec": {
+ "strategy": {
+ "type": "Rolling"
+ },
+ "triggers": [
+ {
+ "type": "ImageChange",
+ "imageChangeParams": {
+ "automatic": true,
+ "containerNames": [
+ "nginx-example"
+ ],
+ "from": {
+ "kind": "ImageStreamTag",
+ "name": "${NAME}:latest"
+ }
+ }
+ },
+ {
+ "type": "ConfigChange"
+ }
+ ],
+ "replicas": 1,
+ "selector": {
+ "name": "${NAME}"
+ },
+ "template": {
+ "metadata": {
+ "name": "${NAME}",
+ "labels": {
+ "name": "${NAME}"
+ }
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx-example",
+ "image": " ",
+ "ports": [
+ {
+ "containerPort": 8080
+ }
+ ],
+ "readinessProbe": {
+ "timeoutSeconds": 3,
+ "initialDelaySeconds": 3,
+ "httpGet": {
+ "path": "/",
+ "port": 8080
+ }
+ },
+ "livenessProbe": {
+ "timeoutSeconds": 3,
+ "initialDelaySeconds": 30,
+ "httpGet": {
+ "path": "/",
+ "port": 8080
+ }
+ },
+ "resources": {
+ "limits": {
+ "memory": "${MEMORY_LIMIT}"
+ }
+ },
+ "env": [
+ ],
+ "resources": {
+ "limits": {
+ "memory": "${MEMORY_LIMIT}"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+ ],
+ "parameters": [
+ {
+ "name": "NAME",
+ "displayName": "Name",
+ "description": "The name assigned to all of the frontend objects defined in this template.",
+ "required": true,
+ "value": "nginx-example"
+ },
+ {
+ "name": "NAMESPACE",
+ "displayName": "Namespace",
+ "description": "The OpenShift Namespace where the ImageStream resides.",
+ "required": true,
+ "value": "openshift"
+ },
+ {
+ "name": "NGINX_VERSION",
+ "displayName": "NGINX Version",
+ "description": "Version of NGINX image to be used (1.12 by default).",
+ "required": true,
+ "value": "1.12"
+ },
+ {
+ "name": "MEMORY_LIMIT",
+ "displayName": "Memory Limit",
+ "description": "Maximum amount of memory the container can use.",
+ "required": true,
+ "value": "512Mi"
+ },
+ {
+ "name": "SOURCE_REPOSITORY_URL",
+ "displayName": "Git Repository URL",
+ "description": "The URL of the repository with your application source code.",
+ "required": true,
+ "value": "https://github.com/sclorg/nginx-ex.git"
+ },
+ {
+ "name": "SOURCE_REPOSITORY_REF",
+ "displayName": "Git Reference",
+ "description": "Set this to a branch name, tag or other ref of your repository if you are not using the default branch."
+ },
+ {
+ "name": "CONTEXT_DIR",
+ "displayName": "Context Directory",
+ "description": "Set this to the relative path to your project if it is not in the root of your repository."
+ },
+ {
+ "name": "APPLICATION_DOMAIN",
+ "displayName": "Application Hostname",
+ "description": "The exposed hostname that will route to the nginx service, if left blank a value will be defaulted.",
+ "value": ""
+ },
+ {
+ "name": "GITHUB_WEBHOOK_SECRET",
+ "displayName": "GitHub Webhook Secret",
+ "description": "Github trigger secret. A difficult to guess string encoded as part of the webhook URL. Not encrypted.",
+ "generate": "expression",
+ "from": "[a-zA-Z0-9]{40}"
+ },
+ {
+ "name": "GENERIC_WEBHOOK_SECRET",
+ "displayName": "Generic Webhook Secret",
+ "description": "A secret string used to configure the Generic webhook.",
+ "generate": "expression",
+ "from": "[a-zA-Z0-9]{40}"
+ }
+ ]
+}
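Review bot: The `nginx-example` container in the DeploymentConfig declares `"resources"` twice, once before `"env": []` and once after it, both with the same `limits.memory` of `${MEMORY_LIMIT}`. Duplicate keys in one JSON object are resolved differently by different parsers (most keep the last occurrence), so a later edit to only one copy could change the effective memory limit without anyone noticing. Remove one of the two `"resources"` objects. A JSON lint step that rejects duplicate keys over the example templates would catch this class of mistake.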
diff --git a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/nodejs-mongodb-persistent.json b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/nodejs-mongodb-persistent.json
index f04adaa67..787f51361 100644
--- a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/nodejs-mongodb-persistent.json
+++ b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/nodejs-mongodb-persistent.json
@@ -17,8 +17,7 @@
},
"message": "The following service(s) have been created in your project: ${NAME}, ${DATABASE_SERVICE_NAME}.\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/openshift/nodejs-ex/blob/master/README.md.",
"labels": {
- "template": "nodejs-mongo-persistent",
- "app": "nodejs-mongo-persistent"
+ "template": "nodejs-mongo-persistent"
},
"objects": [
{
diff --git a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/nodejs-mongodb.json b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/nodejs-mongodb.json
index 0ce36dba5..0fcc540ab 100644
--- a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/nodejs-mongodb.json
+++ b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/nodejs-mongodb.json
@@ -17,8 +17,8 @@
},
"message": "The following service(s) have been created in your project: ${NAME}, ${DATABASE_SERVICE_NAME}.\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/openshift/nodejs-ex/blob/master/README.md.",
"labels": {
- "template": "nodejs-mongodb-example",
- "app": "nodejs-mongodb-example"
+ "template": "nodejs-mongodb-example",
+ "app": "nodejs-mongodb-example"
},
"objects": [
{
diff --git a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/rails-postgresql-persistent.json b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/rails-postgresql-persistent.json
index 10e9382cc..9f40f250b 100644
--- a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/rails-postgresql-persistent.json
+++ b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/rails-postgresql-persistent.json
@@ -17,8 +17,8 @@
},
"message": "The following service(s) have been created in your project: ${NAME}, ${DATABASE_SERVICE_NAME}.\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/openshift/rails-ex/blob/master/README.md.",
"labels": {
- "template": "rails-pgsql-persistent",
- "app": "rails-pgsql-persistent"
+ "template": "rails-pgsql-persistent",
+ "app": "rails-pgsql-persistent"
},
"objects": [
{
diff --git a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/rails-postgresql.json b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/rails-postgresql.json
index 8ec2c8ea6..77d218aa5 100644
--- a/roles/openshift_examples/files/examples/v3.9/quickstart-templates/rails-postgresql.json
+++ b/roles/openshift_examples/files/examples/v3.9/quickstart-templates/rails-postgresql.json
@@ -17,8 +17,8 @@
},
"message": "The following service(s) have been created in your project: ${NAME}, ${DATABASE_SERVICE_NAME}.\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/openshift/rails-ex/blob/master/README.md.",
"labels": {
- "template": "rails-postgresql-example",
- "app": "rails-postgresql-example"
+ "template": "rails-postgresql-example",
+ "app": "rails-postgresql-example"
},
"objects": [
{
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 26f0525e9..d6d31effd 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1430,9 +1430,6 @@ class OpenShiftFacts(object):
dynamic_provisioning_enabled=True,
max_requests_inflight=500)
- if 'node' in roles:
- defaults['node'] = dict(labels={})
-
if 'cloudprovider' in roles:
defaults['cloudprovider'] = dict(kind=None)
diff --git a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py
index d298fbab2..145b82491 100644
--- a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py
+++ b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py
@@ -171,16 +171,21 @@ class DockerImageAvailability(DockerHostMixin, OpenShiftCheck):
required.add(self._registry_console_image(image_tag, image_info))
# images for containerized components
- if self.get_var("openshift_is_containerized"):
- components = set()
+ def add_var_or_default_img(var_name, comp_name):
+ """Returns: default image from comp_name, overridden by var_name in task_vars"""
+ default = "{}/{}:{}".format(image_info["namespace"], comp_name, image_tag)
+ required.add(self.template_var(self.get_var(var_name, default=default)))
+
+ if self.get_var("openshift_is_containerized", convert=bool):
if 'oo_nodes_to_config' in host_groups:
- components.update(["node", "openvswitch"])
+ add_var_or_default_img("osn_image", "node")
+ add_var_or_default_img("osn_ovs_image", "openvswitch")
if 'oo_masters_to_config' in host_groups: # name is "origin" or "ose"
- components.add(image_info["name"])
- for component in components:
- required.add("{}/{}:{}".format(image_info["namespace"], component, image_tag))
- if 'oo_etcd_to_config' in host_groups: # special case, note it is the same for origin/enterprise
- required.add("registry.access.redhat.com/rhel7/etcd") # and no image tag
+ add_var_or_default_img("osm_image", image_info["name"])
+ if 'oo_etcd_to_config' in host_groups:
+ # special case, note default is the same for origin/enterprise and has no image tag
+ etcd_img = self.get_var("osm_etcd_image", default="registry.access.redhat.com/rhel7/etcd")
+ required.add(self.template_var(etcd_img))
return required
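Review bot: The docstring on the nested `add_var_or_default_img` says "Returns: default image from comp_name…", but the helper returns nothing and instead adds the resolved name to the enclosing `required` set. Reword it along the lines of `"""Add the image from task var var_name, or the namespace/comp_name:tag default, to required."""`. The helper and the etcd branch also add whatever the override variable renders to, so a variable that is set but empty would presumably put an empty image name into the set. If `get_var` does not already reject that, skip or fail on an empty result before `required.add(...)`. The enclosing method starts above the hunk.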
diff --git a/roles/openshift_health_checker/test/docker_image_availability_test.py b/roles/openshift_health_checker/test/docker_image_availability_test.py
index 9fd6e049d..d31f263dd 100644
--- a/roles/openshift_health_checker/test/docker_image_availability_test.py
+++ b/roles/openshift_health_checker/test/docker_image_availability_test.py
@@ -276,11 +276,40 @@ def test_registry_console_image(task_vars, expected):
assert expected == DockerImageAvailability(task_vars=task_vars)._registry_console_image(tag, info)
-def test_containerized_etcd():
- task_vars = dict(
+@pytest.mark.parametrize("task_vars, expected", [
+ (
+ dict(
+ group_names=['oo_nodes_to_config'],
+ osn_ovs_image='spam/ovs',
+ openshift_image_tag="veggs",
+ ),
+ set([
+ 'spam/ovs', 'openshift/node:veggs', 'cockpit/kubernetes:latest',
+ 'openshift/origin-haproxy-router:veggs', 'openshift/origin-deployer:veggs',
+ 'openshift/origin-docker-registry:veggs', 'openshift/origin-pod:veggs',
+ ]),
+ ), (
+ dict(
+ group_names=['oo_masters_to_config'],
+ ),
+ set(['openshift/origin:latest']),
+ ), (
+ dict(
+ group_names=['oo_etcd_to_config'],
+ ),
+ set(['registry.access.redhat.com/rhel7/etcd']),
+ ), (
+ dict(
+ group_names=['oo_etcd_to_config'],
+ osm_etcd_image='spam/etcd',
+ ),
+ set(['spam/etcd']),
+ ),
+])
+def test_containerized(task_vars, expected):
+ task_vars.update(dict(
openshift_is_containerized=True,
openshift_deployment_type="origin",
- group_names=['oo_etcd_to_config'],
- )
- expected = set(['registry.access.redhat.com/rhel7/etcd'])
+ ))
+
assert expected == DockerImageAvailability(task_vars=task_vars).required_images()
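Review bot: The parametrized cases cover the `osn_ovs_image` and `osm_etcd_image` overrides but not `osn_image` or `osm_image`, which the checker change in this commit also reads. One more case each, for example `dict(group_names=['oo_masters_to_config'], osm_image='spam/origin')` expecting `set(['spam/origin'])`, would pin all four variables. None of the cases passes a value containing a template expression, so the new `template_var` call is exercised only with literal strings. Note also that `task_vars.update(...)` mutates the dict owned by the parametrize list, which is harmless while each case runs once, though copying first is the safer habit.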
diff --git a/roles/openshift_hosted/defaults/main.yml b/roles/openshift_hosted/defaults/main.yml
index f40085976..610de4f91 100644
--- a/roles/openshift_hosted/defaults/main.yml
+++ b/roles/openshift_hosted/defaults/main.yml
@@ -109,3 +109,5 @@ openshift_push_via_dns: False
# NOTE: settting openshift_docker_hosted_registry_insecure may affect other roles
openshift_hosted_docker_registry_insecure_default: "{{ openshift_docker_hosted_registry_insecure | default(False) }}"
openshift_hosted_docker_registry_insecure: "{{ openshift_hosted_docker_registry_insecure_default }}"
+
+openshift_hosted_registry_storage_azure_blob_realm: core.windows.net
diff --git a/roles/openshift_hosted/tasks/registry.yml b/roles/openshift_hosted/tasks/registry.yml
index 22294e3d4..bc4d81eb7 100644
--- a/roles/openshift_hosted/tasks/registry.yml
+++ b/roles/openshift_hosted/tasks/registry.yml
@@ -43,7 +43,7 @@
- name: Update registry environment variables when pushing via dns
set_fact:
- openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine({'OPENSHIFT_DEFAULT_REGISTRY':'docker-registry.default.svc:5000'}) }}"
+ openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine({'REGISTRY_OPENSHIFT_SERVER_ADDR':'docker-registry.default.svc:5000'}) }}"
when: openshift_push_via_dns | bool
- name: Update registry proxy settings for dc/docker-registry
diff --git a/roles/openshift_loadbalancer/templates/haproxy.cfg.j2 b/roles/openshift_loadbalancer/templates/haproxy.cfg.j2
index de5a8d7c2..823f012af 100644
--- a/roles/openshift_loadbalancer/templates/haproxy.cfg.j2
+++ b/roles/openshift_loadbalancer/templates/haproxy.cfg.j2
@@ -38,7 +38,8 @@ defaults
timeout check 10s
maxconn {{ openshift_loadbalancer_default_maxconn | default(20000) }}
-listen stats :9000
+listen stats
+ bind :9000
mode http
stats enable
stats uri /
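Review bot: `bind :9000` still puts the stats listener on every interface, and the lines visible here (`mode http`, `stats enable`, `stats uri /`) show no `stats auth` or ACL. Unless the rest of the `listen stats` section, which continues past the hunk, restricts it, anyone who can reach the load balancer on port 9000 can read backend names and health state. Consider binding to a management or loopback address through a variable, e.g. `bind {{ <stats_bind_address_var> }}:9000` (placeholder name), or adding `stats auth <user>:<password>` sourced from inventory. A firewall rule limiting the port to monitoring hosts is the minimum if the bind has to stay open.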
diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml
index 3afd8680f..e4883bfa0 100644
--- a/roles/openshift_logging/tasks/install_logging.yaml
+++ b/roles/openshift_logging/tasks/install_logging.yaml
@@ -314,8 +314,8 @@
openshift_logging_install_eventrouter | default(false) | bool
-# TODO: Remove when asset config is removed from master-config.yaml
- include_tasks: update_master_config.yaml
+ when: not openshift.common.version_gte_3_9
# Update asset config in openshift-web-console namespace
- name: Add Kibana route information to web console asset config
diff --git a/roles/openshift_logging_elasticsearch/tasks/restart_cluster.yml b/roles/openshift_logging_elasticsearch/tasks/restart_cluster.yml
index 6bce13d1d..879459cf6 100644
--- a/roles/openshift_logging_elasticsearch/tasks/restart_cluster.yml
+++ b/roles/openshift_logging_elasticsearch/tasks/restart_cluster.yml
@@ -1,91 +1,113 @@
---
-# Disable external communication for {{ _cluster_component }}
-- name: Disable external communication for logging-{{ _cluster_component }}
- oc_service:
- state: present
- name: "logging-{{ _cluster_component }}"
- namespace: "{{ openshift_logging_elasticsearch_namespace }}"
- selector:
- component: "{{ _cluster_component }}"
- provider: openshift
- connection: blocked
- labels:
- logging-infra: 'support'
- ports:
- - port: 9200
- targetPort: "restapi"
- when:
- - full_restart_cluster | bool
-
## get all pods for the cluster
- command: >
oc get pod -l component={{ _cluster_component }},provider=openshift -n {{ openshift_logging_elasticsearch_namespace }} -o jsonpath={.items[?(@.status.phase==\"Running\")].metadata.name}
register: _cluster_pods
-- name: "Disable shard balancing for logging-{{ _cluster_component }} cluster"
- command: >
- oc exec {{ _cluster_pods.stdout.split(' ')[0] }} -c elasticsearch -n {{ openshift_logging_elasticsearch_namespace }} -- {{ __es_local_curl }} -XPUT 'https://localhost:9200/_cluster/settings' -d '{ "transient": { "cluster.routing.allocation.enable" : "none" } }'
- register: _disable_output
- changed_when: "'\"acknowledged\":true' in _disable_output.stdout"
+### Check for cluster state before making changes -- if its red then we don't want to continue
+- name: "Checking current health for {{ _es_node }} cluster"
+ shell: >
+ oc exec "{{ _cluster_pods.stdout.split(' ')[0] }}" -c elasticsearch -n "{{ openshift_logging_elasticsearch_namespace }}" -- es_cluster_health
+ register: _pod_status
when: _cluster_pods.stdout_lines | count > 0
-# Flush ES
-- name: "Flushing for logging-{{ _cluster_component }} cluster"
- command: >
- oc exec {{ _cluster_pods.stdout.split(' ')[0] }} -c elasticsearch -n {{ openshift_logging_elasticsearch_namespace }} -- {{ __es_local_curl }} -XPUT 'https://localhost:9200/_flush/synced'
- register: _flush_output
- changed_when: "'\"acknowledged\":true' in _flush_output.stdout"
- when:
+- when:
+ - _pod_status.stdout is defined
+ - (_pod_status.stdout | from_json)['status'] in ['red']
+ block:
+ - name: Set Logging message to manually restart
+ run_once: true
+ set_stats:
+ data:
+ installer_phase_logging:
+ message: "Cluster logging-{{ _cluster_component }} was in a red state and will not be automatically restarted. Please see documentation regarding doing a {{ 'full' if full_restart_cluster | bool else 'rolling'}} cluster restart."
+
+ - debug: msg="Cluster logging-{{ _cluster_component }} was in a red state and will not be automatically restarted. Please see documentation regarding doing a {{ 'full' if full_restart_cluster | bool else 'rolling'}} cluster restart."
+
+- when: _pod_status.stdout is undefined or (_pod_status.stdout | from_json)['status'] in ['green', 'yellow']
+ block:
+ # Disable external communication for {{ _cluster_component }}
+ - name: Disable external communication for logging-{{ _cluster_component }}
+ oc_service:
+ state: present
+ name: "logging-{{ _cluster_component }}"
+ namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+ selector:
+ component: "{{ _cluster_component }}"
+ provider: openshift
+ connection: blocked
+ labels:
+ logging-infra: 'support'
+ ports:
+ - port: 9200
+ targetPort: "restapi"
+ when:
+ - full_restart_cluster | bool
+
+ - name: "Disable shard balancing for logging-{{ _cluster_component }} cluster"
+ command: >
+ oc exec {{ _cluster_pods.stdout.split(' ')[0] }} -c elasticsearch -n {{ openshift_logging_elasticsearch_namespace }} -- {{ __es_local_curl }} -XPUT 'https://localhost:9200/_cluster/settings' -d '{ "transient": { "cluster.routing.allocation.enable" : "none" } }'
+ register: _disable_output
+ changed_when: "'\"acknowledged\":true' in _disable_output.stdout"
+ when: _cluster_pods.stdout_lines | count > 0
+
+ # Flush ES
+ - name: "Flushing for logging-{{ _cluster_component }} cluster"
+ command: >
+ oc exec {{ _cluster_pods.stdout.split(' ')[0] }} -c elasticsearch -n {{ openshift_logging_elasticsearch_namespace }} -- {{ __es_local_curl }} -XPUT 'https://localhost:9200/_flush/synced'
+ register: _flush_output
+ changed_when: "'\"acknowledged\":true' in _flush_output.stdout"
+ when:
- _cluster_pods.stdout_lines | count > 0
- full_restart_cluster | bool
-- command: >
- oc get dc -l component={{ _cluster_component }},provider=openshift -n {{ openshift_logging_elasticsearch_namespace }} -o jsonpath={.items[*].metadata.name}
- register: _cluster_dcs
+ - command: >
+ oc get dc -l component={{ _cluster_component }},provider=openshift -n {{ openshift_logging_elasticsearch_namespace }} -o jsonpath={.items[*].metadata.name}
+ register: _cluster_dcs
-## restart all dcs for full restart
-- name: "Restart ES node {{ _es_node }}"
- include_tasks: restart_es_node.yml
- with_items: "{{ _cluster_dcs }}"
- loop_control:
- loop_var: _es_node
- when:
+ ## restart all dcs for full restart
+ - name: "Restart ES node {{ _es_node }}"
+ include_tasks: restart_es_node.yml
+ with_items: "{{ _cluster_dcs }}"
+ loop_control:
+ loop_var: _es_node
+ when:
- full_restart_cluster | bool
-## restart the node if it's dc is in the list of nodes to restart?
-- name: "Restart ES node {{ _es_node }}"
- include_tasks: restart_es_node.yml
- with_items: "{{ _restart_logging_nodes }}"
- loop_control:
- loop_var: _es_node
- when:
+ ## restart the node if it's dc is in the list of nodes to restart?
+ - name: "Restart ES node {{ _es_node }}"
+ include_tasks: restart_es_node.yml
+ with_items: "{{ _restart_logging_nodes }}"
+ loop_control:
+ loop_var: _es_node
+ when:
- not full_restart_cluster | bool
- _es_node in _cluster_dcs.stdout
-## we may need a new first pod to run against -- fetch them all again
-- command: >
- oc get pod -l component={{ _cluster_component }},provider=openshift -n {{ openshift_logging_elasticsearch_namespace }} -o jsonpath={.items[?(@.status.phase==\"Running\")].metadata.name}
- register: _cluster_pods
+ ## we may need a new first pod to run against -- fetch them all again
+ - command: >
+ oc get pod -l component={{ _cluster_component }},provider=openshift -n {{ openshift_logging_elasticsearch_namespace }} -o jsonpath={.items[?(@.status.phase==\"Running\")].metadata.name}
+ register: _cluster_pods
-- name: "Enable shard balancing for logging-{{ _cluster_component }} cluster"
- command: >
- oc exec {{ _cluster_pods.stdout.split(' ')[0] }} -c elasticsearch -n {{ openshift_logging_elasticsearch_namespace }} -- {{ __es_local_curl }} -XPUT 'https://localhost:9200/_cluster/settings' -d '{ "transient": { "cluster.routing.allocation.enable" : "all" } }'
- register: _enable_output
- changed_when: "'\"acknowledged\":true' in _enable_output.stdout"
+ - name: "Enable shard balancing for logging-{{ _cluster_component }} cluster"
+ command: >
+ oc exec {{ _cluster_pods.stdout.split(' ')[0] }} -c elasticsearch -n {{ openshift_logging_elasticsearch_namespace }} -- {{ __es_local_curl }} -XPUT 'https://localhost:9200/_cluster/settings' -d '{ "transient": { "cluster.routing.allocation.enable" : "all" } }'
+ register: _enable_output
+ changed_when: "'\"acknowledged\":true' in _enable_output.stdout"
-# Reenable external communication for {{ _cluster_component }}
-- name: Reenable external communication for logging-{{ _cluster_component }}
- oc_service:
- state: present
- name: "logging-{{ _cluster_component }}"
- namespace: "{{ openshift_logging_elasticsearch_namespace }}"
- selector:
- component: "{{ _cluster_component }}"
- provider: openshift
- labels:
- logging-infra: 'support'
- ports:
+ # Reenable external communication for {{ _cluster_component }}
+ - name: Reenable external communication for logging-{{ _cluster_component }}
+ oc_service:
+ state: present
+ name: "logging-{{ _cluster_component }}"
+ namespace: "{{ openshift_logging_elasticsearch_namespace }}"
+ selector:
+ component: "{{ _cluster_component }}"
+ provider: openshift
+ labels:
+ logging-infra: 'support'
+ ports:
- port: 9200
targetPort: "restapi"
- when:
+ when:
- full_restart_cluster | bool
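Review bot: The added health-check task is named with `{{ _es_node }}`, but in this file that variable is only set as a `loop_var` by the later `include_tasks` loops; the neighbouring tasks use `logging-{{ _cluster_component }}`, so the name should read `"Checking current health for logging-{{ _cluster_component }} cluster"`. The task uses `shell` with no pipes or redirects, so `command` would do and keeps the templated pod name out of a shell. The two block conditions cover only `red` and `green`/`yellow`: stdout that is not JSON would make `from_json` fail, and any other status skips both blocks silently, so an explicit `fail` for unexpected output would make that case visible. `_pod_status` is also registered by restart_es_node.yml with a loop, and a block-level `when` is evaluated for every task in the block, so the tasks after the include appear to pass only because `_pod_status.stdout` is then undefined. A dedicated name such as `_cluster_health` would remove that coupling.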
diff --git a/roles/openshift_logging_elasticsearch/tasks/restart_es_node.yml b/roles/openshift_logging_elasticsearch/tasks/restart_es_node.yml
index 6d0df40c8..fe15e40fd 100644
--- a/roles/openshift_logging_elasticsearch/tasks/restart_es_node.yml
+++ b/roles/openshift_logging_elasticsearch/tasks/restart_es_node.yml
@@ -26,12 +26,12 @@
- name: "Waiting for ES to be ready for {{ _es_node }}"
shell: >
- oc exec "{{ _pod }}" -c elasticsearch -n "{{ openshift_logging_elasticsearch_namespace }}" -- {{ __es_local_curl }} https://localhost:9200/_cat/health | cut -d' ' -f4
+ oc exec "{{ _pod }}" -c elasticsearch -n "{{ openshift_logging_elasticsearch_namespace }}" -- es_cluster_health
with_items: "{{ _pods.stdout.split(' ') }}"
loop_control:
loop_var: _pod
register: _pod_status
- until: _pod_status.stdout in ['green', 'yellow']
+ until: (_pod_status.stdout | from_json)['status'] in ['green', 'yellow']
retries: 60
delay: 5
changed_when: false
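Review bot: With the `| cut -d' ' -f4` pipe removed, this task no longer needs `shell`; switching to `command` keeps the templated `_pod` and namespace values from being interpreted by a shell. The new `until` runs `from_json` on whatever `es_cluster_health` prints, so empty or non-JSON output (for instance while the container is still starting) would likely raise a templating error instead of counting as a failed attempt and retrying. Guarding the expression, e.g. `until: _pod_status.stdout | length > 0 and (_pod_status.stdout | from_json)['status'] in ['green', 'yellow']`, covers the empty case. A comment stating the output format expected from `es_cluster_health` would help the next reader.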
diff --git a/roles/openshift_manage_node/defaults/main.yml b/roles/openshift_manage_node/defaults/main.yml
index f0e728a3f..00e04b9f2 100644
--- a/roles/openshift_manage_node/defaults/main.yml
+++ b/roles/openshift_manage_node/defaults/main.yml
@@ -4,3 +4,6 @@ openshift_manage_node_is_master: False
# Default is to be schedulable except for master nodes.
l_openshift_manage_schedulable: "{{ openshift_schedulable | default(not openshift_manage_node_is_master) }}"
+
+openshift_master_node_labels:
+ node-role.kubernetes.io/master: 'true'
diff --git a/roles/openshift_manage_node/tasks/config.yml b/roles/openshift_manage_node/tasks/config.yml
new file mode 100644
index 000000000..4f00351b5
--- /dev/null
+++ b/roles/openshift_manage_node/tasks/config.yml
@@ -0,0 +1,27 @@
+---
+- name: Set node schedulability
+ oc_adm_manage_node:
+ node: "{{ openshift.node.nodename | lower }}"
+ schedulable: "{{ 'true' if l_openshift_manage_schedulable | bool else 'false' }}"
+ retries: 10
+ delay: 5
+ register: node_schedulable
+ until: node_schedulable is succeeded
+ when: "'nodename' in openshift.node"
+ delegate_to: "{{ openshift_master_host }}"
+
+- name: Label nodes
+ oc_label:
+ name: "{{ openshift.node.nodename }}"
+ kind: node
+ state: add
+ labels: "{{ l_all_labels | lib_utils_oo_dict_to_list_of_dict }}"
+ namespace: default
+ when:
+ - "'nodename' in openshift.node"
+ - l_all_labels != {}
+ delegate_to: "{{ openshift_master_host }}"
+ vars:
+ l_node_labels: "{{ openshift_node_labels | default({}) }}"
+ l_master_labels: "{{ ('oo_masters_to_config' in group_names) | ternary(openshift_master_node_labels, {}) }}"
+ l_all_labels: "{{ l_node_labels | combine(l_master_labels) }}"
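Review bot: `Label nodes` passes `openshift.node.nodename` unchanged while `Set node schedulability` just above lower-cases it; if a nodename can contain upper-case characters the two tasks would address different names. Use `name: "{{ openshift.node.nodename | lower }}"` in both. In `l_all_labels`, `combine(l_master_labels)` lets `openshift_master_node_labels` override any key of the same name in `openshift_node_labels` on master hosts. That is probably intended for `node-role.kubernetes.io/master`, but a comment such as `# master labels take precedence over user-supplied node labels` would make the precedence explicit.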
diff --git a/roles/openshift_manage_node/tasks/main.yml b/roles/openshift_manage_node/tasks/main.yml
index 9251d380b..154e2b45f 100644
--- a/roles/openshift_manage_node/tasks/main.yml
+++ b/roles/openshift_manage_node/tasks/main.yml
@@ -34,25 +34,4 @@
when: "'nodename' in openshift.node"
delegate_to: "{{ openshift_master_host }}"
-- name: Set node schedulability
- oc_adm_manage_node:
- node: "{{ openshift.node.nodename | lower }}"
- schedulable: "{{ 'true' if l_openshift_manage_schedulable | bool else 'false' }}"
- retries: 10
- delay: 5
- register: node_schedulable
- until: node_schedulable is succeeded
- when: "'nodename' in openshift.node"
- delegate_to: "{{ openshift_master_host }}"
-
-- name: Label nodes
- oc_label:
- name: "{{ openshift.node.nodename }}"
- kind: node
- state: add
- labels: "{{ openshift_node_labels | lib_utils_oo_dict_to_list_of_dict }}"
- namespace: default
- when:
- - "'nodename' in openshift.node"
- - openshift_node_labels | default({}) != {}
- delegate_to: "{{ openshift_master_host }}"
+- include_tasks: config.yml
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml
index c3bc1d20c..48d1d4e26 100644
--- a/roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml
@@ -9,7 +9,7 @@ spec:
spec:
containers:
- name: postgresql
- image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest
+ image: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql:latest
command:
- "/opt/rh/cfme-container-scripts/backup_db"
env:
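Review bot: The new image reference `registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql:latest` uses a mutable tag on a beta repository, so the database backup job runs whatever image that tag resolves to at pull time. Pin a release tag or an `@sha256:<digest>` reference, ideally supplied through a template parameter so it can be overridden per environment. The same line is added in cfme-restore-job.yaml, where it matters at least as much because that job writes to the database. The job spec begins and ends outside this hunk.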
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml
index 8b23f8a33..7fd4fc2e1 100644
--- a/roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml
@@ -9,7 +9,7 @@ spec:
spec:
containers:
- name: postgresql
- image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest
+ image: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql:latest
command:
- "/opt/rh/cfme-container-scripts/restore_db"
env:
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml
index 4a04f3372..9866c29c3 100644
--- a/roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml
@@ -31,6 +31,7 @@ objects:
name: "${NAME}-secrets"
stringData:
pg-password: "${DATABASE_PASSWORD}"
+ admin-password: "${APPLICATION_ADMIN_PASSWORD}"
database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
v2-key: "${V2_KEY}"
- apiVersion: v1
@@ -90,15 +91,15 @@ objects:
- name: cloudforms
image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
livenessProbe:
- tcpSocket:
- port: 80
+ exec:
+ command:
+ - pidof
+ - MIQ Server
initialDelaySeconds: 480
timeoutSeconds: 3
readinessProbe:
- httpGet:
- path: "/"
+ tcpSocket:
port: 80
- scheme: HTTP
initialDelaySeconds: 200
timeoutSeconds: 3
ports:
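Review bot: The readiness probe is relaxed from `httpGet` on `/` to `tcpSocket` on port 80, which succeeds as soon as the port accepts connections, and the liveness probe now only checks that a process named `MIQ Server` exists. Neither confirms that the application can answer a request, so a hung worker stays in service and is not restarted. If the HTTP check was dropped because `/` redirects or needs a session, an `httpGet` against a lightweight unauthenticated path (`path: "<health-endpoint>"`, placeholder) would keep the stronger signal. Whichever is chosen, add a comment above each probe recording why that probe type is used. The container definition starts and ends outside the hunk.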
@@ -126,6 +127,11 @@ objects:
secretKeyRef:
name: "${NAME}-secrets"
key: v2-key
+ - name: APPLICATION_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: admin-password
- name: ANSIBLE_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
@@ -433,18 +439,173 @@ objects:
<VirtualHost *:80>
KeepAlive on
+ # Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
+ ServerName https://%{REQUEST_HOST}
+
ProxyPreserveHost on
- ProxyPass /ws/ ws://${NAME}/ws/
- ProxyPassReverse /ws/ ws://${NAME}/ws/
- ProxyPass / http://${NAME}/
+
+ RewriteCond %{REQUEST_URI} ^/ws [NC]
+ RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
+ RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
+
+ # For httpd, some ErrorDocuments must by served by the httpd pod
+ RewriteCond %{REQUEST_URI} !^/proxy_pages
+
+ # For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
+ RewriteCond %{REQUEST_URI} !^/saml2
+ RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
ProxyPassReverse / http://${NAME}/
+
+ # Ensures httpd stdout/stderr are seen by docker logs.
+ ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
+ CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
</VirtualHost>
+ authentication.conf: |
+ # Load appropriate authentication configuration files
+ #
+ Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
+ configuration-internal-auth: |
+ # Internal authentication
+ #
+ configuration-external-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/http.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-active-directory-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/krb5.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-saml-auth: |
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+ <Location />
+ MellonEnable "info"
+
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
+ MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
+ MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
+
+ MellonVariable "sp-cookie"
+ MellonSecureCookie On
+ MellonCookiePath "/"
+
+ MellonIdP "IDP"
+
+ MellonEndpointPath "/saml2"
+
+ MellonUser username
+ MellonMergeEnvVars On
+
+ MellonSetEnvNoPrefix "REMOTE_USER" username
+ MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
+ MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
+ MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
+ MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
+ MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
+ </Location>
+
+ <Location /saml_login>
+ AuthType "Mellon"
+ MellonEnable "auth"
+ Require valid-user
+ </Location>
+
+ Include "conf.d/external-auth-remote-user-conf"
+ external-auth-load-modules-conf: |
+ LoadModule authnz_pam_module modules/mod_authnz_pam.so
+ LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
+ LoadModule auth_kerb_module modules/mod_auth_kerb.so
+ external-auth-login-form-conf: |
+ <Location /dashboard/external_authenticate>
+ InterceptFormPAMService httpd-auth
+ InterceptFormLogin user_name
+ InterceptFormPassword user_password
+ InterceptFormLoginSkip admin
+ InterceptFormClearRemoteUserForSkipped on
+ </Location>
+ external-auth-application-api-conf: |
+ <LocationMatch ^/api>
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
+
+ AuthType Basic
+ AuthName "External Authentication (httpd) for API"
+ AuthBasicProvider PAM
+
+ AuthPAMService httpd-auth
+ Require valid-user
+ Order Allow,Deny
+ Allow from env=let_admin_in
+ Allow from env=let_api_token_in
+ Allow from env=let_sys_token_in
+ Satisfy Any
+ </LocationMatch>
+ external-auth-lookup-user-details-conf: |
+ <LocationMatch ^/dashboard/external_authenticate$|^/dashboard/kerberos_authenticate$|^/api>
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ LookupUserAttr displayname REMOTE_USER_FULLNAME
+ LookupUserAttr domainname REMOTE_USER_DOMAIN
+
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ LookupDbusTimeout 5000
+ </LocationMatch>
+ external-auth-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
- apiVersion: v1
kind: ConfigMap
metadata:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
data:
auth-type: internal
+ auth-kerberos-realms: undefined
auth-configuration.conf: |
# External Authentication Configuration File
#
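Review bot: In `external-auth-remote-user-conf` only `X_REMOTE_USER` is cleared before the identity headers are set, and the other seven are written only when their environment variable exists (`env=…`). A value for one of them (for instance `X_REMOTE_USER_GROUPS`) that arrives with the request is therefore forwarded to the backend unchanged whenever the lookup did not populate it. Every header the proxy asserts should be unset unconditionally first, as in the excerpt below. `configuration-internal-auth` includes none of this, so in that mode the headers are not stripped at all; whether the application ignores them there is not visible in this diff. The same block is added to cfme-template.yaml (`@@ -128,18 +129,173 @@`).

```yaml
external-auth-remote-user-conf: |
  RequestHeader unset X_REMOTE_USER
  RequestHeader unset X_EXTERNAL_AUTH_ERROR
  RequestHeader unset X_REMOTE_USER_EMAIL
  RequestHeader unset X_REMOTE_USER_FIRSTNAME
  RequestHeader unset X_REMOTE_USER_LASTNAME
  RequestHeader unset X_REMOTE_USER_FULLNAME
  RequestHeader unset X_REMOTE_USER_GROUPS
  RequestHeader unset X_REMOTE_USER_DOMAIN

  # … unchanged: the eight conditional "RequestHeader set … env=…" lines …
```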
@@ -464,6 +625,20 @@ objects:
selector:
name: httpd
- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_DBUS_API_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server dbus api
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http-dbus-api
+ port: 8080
+ targetPort: 8080
+ selector:
+ name: httpd
+- apiVersion: v1
kind: DeploymentConfig
metadata:
name: "${HTTPD_SERVICE_NAME}"
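Review bot: The new `${HTTPD_DBUS_API_SERVICE_NAME}` Service publishes port 8080 of the httpd pod to anything that can reach the Service, and nothing in this hunk or in the Apache configuration added above shows how callers of that API are authenticated. If only the application pods are meant to use it, that should be stated in the `description` annotation and enforced where the cluster allows it (a network policy, or a check in the endpoint itself). What the DBus API exposes is not visible here, so this is a question for the author, not a confirmed defect. The same Service is added in cfme-template.yaml (`@@ -611,6 +772,20 @@`).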
@@ -497,6 +672,9 @@ objects:
image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
ports:
- containerPort: 80
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
livenessProbe:
exec:
command:
@@ -526,6 +704,11 @@ objects:
configMapKeyRef:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
key: auth-type
+ - name: HTTPD_AUTH_KERBEROS_REALMS
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-kerberos-realms
lifecycle:
postStart:
exec:
@@ -581,6 +764,11 @@ parameters:
displayName: Application Database Region
description: Database region that will be used for application.
value: '0'
+- name: APPLICATION_ADMIN_PASSWORD
+ displayName: Application Admin Password
+ required: true
+ description: Admin password that will be set on the application.
+ value: smartvm
- name: ANSIBLE_DATABASE_NAME
displayName: Ansible PostgreSQL database name
required: true
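Review bot: `APPLICATION_ADMIN_PASSWORD` ships with the fixed default `value: smartvm`, and because a default is present `required: true` never makes the operator choose one, so every deployment that accepts the defaults has the same admin password. Dropping the default, or generating one per instantiation with `generate: expression` and `from: "[a-zA-Z0-9]{16}"`, avoids that. It matters more with the Apache configuration added earlier in this file, where `InterceptFormLoginSkip admin` and `let_admin_in` pass the `admin` account through to the application's own login even when external authentication is enabled. The same parameter is added in cfme-template.yaml (`@@ -718,6 +901,11 @@`).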
@@ -678,7 +866,7 @@ parameters:
- name: MEMCACHED_IMG_NAME
displayName: Memcached Image Name
description: This is the Memcached image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-memcached
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-memcached
- name: MEMCACHED_IMG_TAG
displayName: Memcached Image Tag
description: This is the Memcached image tag/version requested to deploy.
@@ -686,11 +874,11 @@ parameters:
- name: FRONTEND_APPLICATION_IMG_NAME
displayName: Frontend Application Image Name
description: This is the Frontend Application image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app-ui
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app-ui
- name: BACKEND_APPLICATION_IMG_NAME
displayName: Backend Application Image Name
description: This is the Backend Application image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app
- name: FRONTEND_APPLICATION_IMG_TAG
displayName: Front end Application Image Tag
description: This is the CloudForms Frontend Application image tag/version requested to deploy.
@@ -702,7 +890,7 @@ parameters:
- name: ANSIBLE_IMG_NAME
displayName: Ansible Image Name
description: This is the Ansible image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-embedded-ansible
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-embedded-ansible
- name: ANSIBLE_IMG_TAG
displayName: Ansible Image Tag
description: This is the Ansible image tag/version requested to deploy.
@@ -730,10 +918,15 @@ parameters:
displayName: Apache httpd Service Name
description: The name of the OpenShift Service exposed for the httpd container.
value: httpd
+- name: HTTPD_DBUS_API_SERVICE_NAME
+ required: true
+ displayName: Apache httpd DBus API Service Name
+ description: The name of httpd dbus api service.
+ value: httpd-dbus-api
- name: HTTPD_IMG_NAME
displayName: Apache httpd Image Name
description: This is the httpd image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-httpd
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd
- name: HTTPD_IMG_TAG
displayName: Apache httpd Image Tag
description: This is the httpd image tag/version requested to deploy.
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-template.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-template.yaml
index d7c9f5af7..5c757b6c2 100644
--- a/roles/openshift_management/files/templates/cloudforms/cfme-template.yaml
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-template.yaml
@@ -31,6 +31,7 @@ objects:
name: "${NAME}-secrets"
stringData:
pg-password: "${DATABASE_PASSWORD}"
+ admin-password: "${APPLICATION_ADMIN_PASSWORD}"
database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
v2-key: "${V2_KEY}"
- apiVersion: v1
@@ -128,18 +129,173 @@ objects:
<VirtualHost *:80>
KeepAlive on
+ # Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
+ ServerName https://%{REQUEST_HOST}
+
ProxyPreserveHost on
- ProxyPass /ws/ ws://${NAME}/ws/
- ProxyPassReverse /ws/ ws://${NAME}/ws/
- ProxyPass / http://${NAME}/
+
+ RewriteCond %{REQUEST_URI} ^/ws [NC]
+ RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
+ RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
+
+ # For httpd, some ErrorDocuments must by served by the httpd pod
+ RewriteCond %{REQUEST_URI} !^/proxy_pages
+
+ # For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
+ RewriteCond %{REQUEST_URI} !^/saml2
+ RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
ProxyPassReverse / http://${NAME}/
+
+ # Ensures httpd stdout/stderr are seen by docker logs.
+ ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
+ CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
</VirtualHost>
+ authentication.conf: |
+ # Load appropriate authentication configuration files
+ #
+ Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
+ configuration-internal-auth: |
+ # Internal authentication
+ #
+ configuration-external-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/http.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-active-directory-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/krb5.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-saml-auth: |
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+ <Location />
+ MellonEnable "info"
+
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
+ MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
+ MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
+
+ MellonVariable "sp-cookie"
+ MellonSecureCookie On
+ MellonCookiePath "/"
+
+ MellonIdP "IDP"
+
+ MellonEndpointPath "/saml2"
+
+ MellonUser username
+ MellonMergeEnvVars On
+
+ MellonSetEnvNoPrefix "REMOTE_USER" username
+ MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
+ MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
+ MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
+ MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
+ MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
+ </Location>
+
+ <Location /saml_login>
+ AuthType "Mellon"
+ MellonEnable "auth"
+ Require valid-user
+ </Location>
+
+ Include "conf.d/external-auth-remote-user-conf"
+ external-auth-load-modules-conf: |
+ LoadModule authnz_pam_module modules/mod_authnz_pam.so
+ LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
+ LoadModule auth_kerb_module modules/mod_auth_kerb.so
+ external-auth-login-form-conf: |
+ <Location /dashboard/external_authenticate>
+ InterceptFormPAMService httpd-auth
+ InterceptFormLogin user_name
+ InterceptFormPassword user_password
+ InterceptFormLoginSkip admin
+ InterceptFormClearRemoteUserForSkipped on
+ </Location>
+ external-auth-application-api-conf: |
+ <LocationMatch ^/api>
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
+
+ AuthType Basic
+ AuthName "External Authentication (httpd) for API"
+ AuthBasicProvider PAM
+
+ AuthPAMService httpd-auth
+ Require valid-user
+ Order Allow,Deny
+ Allow from env=let_admin_in
+ Allow from env=let_api_token_in
+ Allow from env=let_sys_token_in
+ Satisfy Any
+ </LocationMatch>
+ external-auth-lookup-user-details-conf: |
+ <LocationMatch ^/dashboard/external_authenticate$|^/dashboard/kerberos_authenticate$|^/api>
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ LookupUserAttr displayname REMOTE_USER_FULLNAME
+ LookupUserAttr domainname REMOTE_USER_DOMAIN
+
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ LookupDbusTimeout 5000
+ </LocationMatch>
+ external-auth-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
- apiVersion: v1
kind: ConfigMap
metadata:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
data:
auth-type: internal
+ auth-kerberos-realms: undefined
auth-configuration.conf: |
# External Authentication Configuration File
#
@@ -203,15 +359,15 @@ objects:
- name: cloudforms
image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
livenessProbe:
- tcpSocket:
- port: 80
+ exec:
+ command:
+ - pidof
+ - MIQ Server
initialDelaySeconds: 480
timeoutSeconds: 3
readinessProbe:
- httpGet:
- path: "/"
+ tcpSocket:
port: 80
- scheme: HTTP
initialDelaySeconds: 200
timeoutSeconds: 3
ports:
@@ -239,6 +395,11 @@ objects:
secretKeyRef:
name: "${NAME}-secrets"
key: v2-key
+ - name: APPLICATION_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: admin-password
- name: ANSIBLE_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
@@ -611,6 +772,20 @@ objects:
selector:
name: httpd
- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_DBUS_API_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server dbus api
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http-dbus-api
+ port: 8080
+ targetPort: 8080
+ selector:
+ name: httpd
+- apiVersion: v1
kind: DeploymentConfig
metadata:
name: "${HTTPD_SERVICE_NAME}"
@@ -644,6 +819,9 @@ objects:
image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
ports:
- containerPort: 80
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
livenessProbe:
exec:
command:
@@ -673,6 +851,11 @@ objects:
configMapKeyRef:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
key: auth-type
+ - name: HTTPD_AUTH_KERBEROS_REALMS
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-kerberos-realms
lifecycle:
postStart:
exec:
@@ -718,6 +901,11 @@ parameters:
displayName: Application Database Region
description: Database region that will be used for application.
value: '0'
+- name: APPLICATION_ADMIN_PASSWORD
+ displayName: Application Admin Password
+ required: true
+ description: Admin password that will be set on the application.
+ value: smartvm
- name: ANSIBLE_DATABASE_NAME
displayName: Ansible PostgreSQL database name
required: true
@@ -842,7 +1030,7 @@ parameters:
- name: POSTGRESQL_IMG_NAME
displayName: PostgreSQL Image Name
description: This is the PostgreSQL image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql
- name: POSTGRESQL_IMG_TAG
displayName: PostgreSQL Image Tag
description: This is the PostgreSQL image tag/version requested to deploy.
@@ -850,7 +1038,7 @@ parameters:
- name: MEMCACHED_IMG_NAME
displayName: Memcached Image Name
description: This is the Memcached image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-memcached
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-memcached
- name: MEMCACHED_IMG_TAG
displayName: Memcached Image Tag
description: This is the Memcached image tag/version requested to deploy.
@@ -858,11 +1046,11 @@ parameters:
- name: FRONTEND_APPLICATION_IMG_NAME
displayName: Frontend Application Image Name
description: This is the Frontend Application image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app-ui
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app-ui
- name: BACKEND_APPLICATION_IMG_NAME
displayName: Backend Application Image Name
description: This is the Backend Application image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app
- name: FRONTEND_APPLICATION_IMG_TAG
displayName: Front end Application Image Tag
description: This is the CloudForms Frontend Application image tag/version requested to deploy.
@@ -874,7 +1062,7 @@ parameters:
- name: ANSIBLE_IMG_NAME
displayName: Ansible Image Name
description: This is the Ansible image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-embedded-ansible
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-embedded-ansible
- name: ANSIBLE_IMG_TAG
displayName: Ansible Image Tag
description: This is the Ansible image tag/version requested to deploy.
@@ -907,10 +1095,15 @@ parameters:
displayName: Apache httpd Service Name
description: The name of the OpenShift Service exposed for the httpd container.
value: httpd
+- name: HTTPD_DBUS_API_SERVICE_NAME
+ required: true
+ displayName: Apache httpd DBus API Service Name
+ description: The name of httpd dbus api service.
+ value: httpd-dbus-api
- name: HTTPD_IMG_NAME
displayName: Apache httpd Image Name
description: This is the httpd image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-httpd
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd
- name: HTTPD_IMG_TAG
displayName: Apache httpd Image Tag
description: This is the httpd image tag/version requested to deploy.
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 14023ea73..4c9ab1864 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -5,6 +5,7 @@ admissionConfig:
apiLevels:
- v1
apiVersion: v1
+{% if not openshift.common.version_gte_3_9 %}
assetConfig:
logoutURL: "{{ openshift.master.logout_url | default('') }}"
masterPublicURL: {{ openshift.master.public_api_url }}
@@ -41,6 +42,8 @@ assetConfig:
- {{ cipher_suite }}
{% endfor %}
{% endif %}
+# assetconfig end
+{% endif %}
{% if openshift.master.audit_config | default(none) is not none %}
auditConfig:{{ openshift.master.audit_config | lib_utils_to_padded_yaml(level=1) }}
{% endif %}
diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml
index 0dd5d1621..6b6c21d71 100644
--- a/roles/openshift_metrics/tasks/install_metrics.yaml
+++ b/roles/openshift_metrics/tasks/install_metrics.yaml
@@ -67,8 +67,8 @@
with_items: "{{ hawkular_agent_object_defs.results }}"
when: openshift_metrics_install_hawkular_agent | bool
-# TODO: Remove when asset config is removed from master-config.yaml
- include_tasks: update_master_config.yaml
+ when: not openshift.common.version_gte_3_9
# Update asset config in openshift-web-console namespace
- name: Add metrics route information to web console asset config
diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml
index 5864d3c03..0fe4c2035 100644
--- a/roles/openshift_node/defaults/main.yml
+++ b/roles/openshift_node/defaults/main.yml
@@ -83,6 +83,7 @@ openshift_node_syscon_auth_mounts_l:
destination: "/root/.docker"
options:
- ro
+ - bind
# If we need to add new mounts in the future, or the user wants to mount data.
# This should be in the same format as auth_mounts_l above.
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index 754ecacaf..f56f24e12 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -14,33 +14,11 @@
#### Disable SWAP #####
# https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory
-- name: Check for swap usage
- command: grep "^[^#].*swap" /etc/fstab
- # grep: match any lines which don't begin with '#' and contain 'swap'
- changed_when: false
- failed_when: false
- register: swap_result
-
-- when:
- - swap_result.stdout_lines | length > 0
- - openshift_disable_swap | default(true) | bool
- block:
- - name: Disable swap
- command: swapoff --all
-
- - name: Remove swap entries from /etc/fstab
- replace:
- dest: /etc/fstab
- regexp: '(^[^#].*swap.*)'
- replace: '# \1'
- backup: yes
-
- - name: Add notice about disabling swap
- lineinfile:
- dest: /etc/fstab
- line: '# OpenShift-Ansible Installer disabled swap per overcommit guidelines'
- state: present
-#### End Disable Swap Block ####
+# swapoff is a custom module in lib_utils that comments out swap entries in
+# /etc/fstab and runs swapoff -a, if necessary.
+- name: Disable swap
+ swapoff: {}
+ when: openshift_disable_swap | default(true) | bool
- name: include node installer
include_tasks: install.yml
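Review bot: The removed `replace` task edited /etc/fstab with `backup: yes`, while the new `swapoff: {}` call passes no options and the module source is not part of this hunk, so it cannot be confirmed here that a backup copy is still written before the file is modified. If it is not, that is worth restoring in the module, since a bad edit to /etc/fstab can leave a node unable to boot. The same replacement is made in tasks/upgrade/config_changes.yml, where the earlier `openshift_node_upgrade_swap_result` guard is dropped as well, so the module's own "if necessary" check is now the only gate besides `openshift_disable_swap`.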
diff --git a/roles/openshift_node/tasks/upgrade/config_changes.yml b/roles/openshift_node/tasks/upgrade/config_changes.yml
index dd9183382..15ac76f7d 100644
--- a/roles/openshift_node/tasks/upgrade/config_changes.yml
+++ b/roles/openshift_node/tasks/upgrade/config_changes.yml
@@ -27,28 +27,12 @@
path: "/var/lib/cni/networks/openshift-sdn/"
state: absent
-# Disable Swap Block (pre)
-- block:
- - name: Remove swap entries from /etc/fstab
- replace:
- dest: /etc/fstab
- regexp: '(^[^#].*swap.*)'
- replace: '# \1'
- backup: yes
-
- - name: Add notice about disabling swap
- lineinfile:
- dest: /etc/fstab
- line: '# OpenShift-Ansible Installer disabled swap per overcommit guidelines'
- state: present
-
- - name: Disable swap
- command: swapoff --all
-
- when:
- - openshift_node_upgrade_swap_result | default(False) | bool
- - openshift_disable_swap | default(true) | bool
-# End Disable Swap Block
+# https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory
+# swapoff is a custom module in lib_utils that comments out swap entries in
+# /etc/fstab and runs swapoff -a, if necessary.
+- name: Disable swap
+ swapoff: {}
+ when: openshift_disable_swap | default(true) | bool
- name: Apply 3.6 dns config changes
yedit:
diff --git a/roles/openshift_node/tasks/upgrade_pre.yml b/roles/openshift_node/tasks/upgrade_pre.yml
index 3ae7dc6b6..aa1a75100 100644
--- a/roles/openshift_node/tasks/upgrade_pre.yml
+++ b/roles/openshift_node/tasks/upgrade_pre.yml
@@ -41,16 +41,3 @@
vars:
openshift_version: "{{ openshift_pkg_version | default('') }}"
when: not openshift_is_containerized | bool
-
-# https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory
-- name: Check for swap usage
- command: grep "^[^#].*swap" /etc/fstab
- # grep: match any lines which don't begin with '#' and contain 'swap'
- changed_when: false
- failed_when: false
- register: swap_result
-
-# Set this fact here so we can use it during the next play, which is serial.
-- name: set_fact swap_result
- set_fact:
- openshift_node_upgrade_swap_result: "{{ swap_result.stdout_lines | length > 0 | bool }}"
diff --git a/roles/openshift_node/templates/node.service.j2 b/roles/openshift_node/templates/node.service.j2
index 777f4a449..7405cfd73 100644
--- a/roles/openshift_node/templates/node.service.j2
+++ b/roles/openshift_node/templates/node.service.j2
@@ -6,7 +6,7 @@ After=ovsdb-server.service
After=ovs-vswitchd.service
Wants={{ openshift_docker_service_name }}.service
Documentation=https://github.com/openshift/origin
-Requires=dnsmasq.service
+Wants=dnsmasq.service
After=dnsmasq.service
{% if openshift_use_crio | bool %}Wants=cri-o.service{% endif %}
diff --git a/roles/openshift_node/templates/openshift.docker.node.service b/roles/openshift_node/templates/openshift.docker.node.service
index ae7b147a6..23823e3e5 100644
--- a/roles/openshift_node/templates/openshift.docker.node.service
+++ b/roles/openshift_node/templates/openshift.docker.node.service
@@ -13,7 +13,7 @@ After=ovs-vswitchd.service
Wants={{ openshift_service_type }}-master.service
Requires={{ openshift_service_type }}-node-dep.service
After={{ openshift_service_type }}-node-dep.service
-Requires=dnsmasq.service
+Wants=dnsmasq.service
After=dnsmasq.service
[Service]
diff --git a/roles/openshift_prometheus/README.md b/roles/openshift_prometheus/README.md
index 1ebeacabf..6079e6016 100644
--- a/roles/openshift_prometheus/README.md
+++ b/roles/openshift_prometheus/README.md
@@ -31,7 +31,7 @@ For default values, see [`defaults/main.yaml`](defaults/main.yaml).
e.g
```
-openshift_prometheus_args=['--storage.tsdb.retention=6h', '--storage.tsdb.min-block-duration=5s', '--storage.tsdb.max-block-duration=6m']
+openshift_prometheus_args=['--storage.tsdb.retention=6h', '--query.timeout=2m']
```
## PVC related variables
diff --git a/roles/openshift_prometheus/defaults/main.yaml b/roles/openshift_prometheus/defaults/main.yaml
index e30108d2c..1b21c4739 100644
--- a/roles/openshift_prometheus/defaults/main.yaml
+++ b/roles/openshift_prometheus/defaults/main.yaml
@@ -14,7 +14,7 @@ openshift_prometheus_node_selector: {"region":"infra"}
openshift_prometheus_additional_rules_file: null
#prometheus application arguments
-openshift_prometheus_args: ['--storage.tsdb.retention=6h', '--storage.tsdb.min-block-duration=2m']
+openshift_prometheus_args: ['--storage.tsdb.retention=6h']
# storage
# One of ['emptydir', 'pvc']
diff --git a/roles/openshift_sanitize_inventory/tasks/deprecations.yml b/roles/openshift_sanitize_inventory/tasks/deprecations.yml
index 795b8ee60..b1ddbc07a 100644
--- a/roles/openshift_sanitize_inventory/tasks/deprecations.yml
+++ b/roles/openshift_sanitize_inventory/tasks/deprecations.yml
@@ -2,15 +2,18 @@
- name: Check for usage of deprecated variables
set_fact:
- __deprecation_message: "{{ __deprecation_message | default([]) }} + ['{{ __deprecation_header }} {{ item }} is a deprecated variable and will be no longer be used in the next minor release. Please update your inventory accordingly.']"
+ __deprecation_message: "{{ __deprecation_message | default( __deprecation_header ) }} \n\t{{ item }}"
when:
- hostvars[inventory_hostname][item] is defined
with_items: "{{ __warn_deprecated_vars }}"
- block:
- debug: msg="{{__deprecation_message}}"
- - pause:
- seconds: "{{ 10 }}"
+ - run_once: true
+ set_stats:
+ data:
+ installer_phase_initialize:
+ message: "{{ __deprecation_message }}"
when:
- __deprecation_message | default ('') | length > 0
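Review bot: The added `set_stats` task runs with `run_once: true`, while `__deprecation_message` is built per host from `hostvars[inventory_hostname]`, so only the first host's message reaches `installer_phase_initialize`. If that first host has no deprecated variable set, the block's `when:` skips the task for every host. If deprecated variables can be set at host level, the names should be collected across the play's hosts before they are recorded. A one-line comment above the task, such as `# run_once: assumes deprecated variables are set at group level`, would at least document the assumption.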
diff --git a/roles/openshift_sanitize_inventory/tasks/unsupported.yml b/roles/openshift_sanitize_inventory/tasks/unsupported.yml
index 1c4984467..be0715ab5 100644
--- a/roles/openshift_sanitize_inventory/tasks/unsupported.yml
+++ b/roles/openshift_sanitize_inventory/tasks/unsupported.yml
@@ -45,7 +45,8 @@
- name: Ensure the hosted registry's GlusterFS storage is configured correctly
when:
- openshift_hosted_registry_storage_kind | default(none) in ['glusterfs']
- - openshift_hosted_registry_storage_glusterfs_ips is defined and openshift_hosted_registry_storage_glusterfs_ips != ''
+ - openshift_hosted_registry_storage_glusterfs_ips is defined
+ - openshift_hosted_registry_storage_glusterfs_ips != []
- "'glusterfs_registry' in groups | default([])"
fail:
msg: |-
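Review bot: The new condition `openshift_hosted_registry_storage_glusterfs_ips != []` recognises only an empty list, so an inventory that still sets the variable to an empty string (the case the removed line handled) now counts as configured and triggers this `fail`. A length test covers both forms: `- openshift_hosted_registry_storage_glusterfs_ips | length > 0`. The task's `msg` continues outside the hunk.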
diff --git a/roles/openshift_sanitize_inventory/vars/main.yml b/roles/openshift_sanitize_inventory/vars/main.yml
index df15948d2..51c6e0a64 100644
--- a/roles/openshift_sanitize_inventory/vars/main.yml
+++ b/roles/openshift_sanitize_inventory/vars/main.yml
@@ -1,6 +1,6 @@
---
-__deprecation_header: "[DEPRECATION WARNING]:"
+__deprecation_header: "[DEPRECATION WARNING]: The following are deprecated variables and will be no longer be used in the next minor release. Please update your inventory accordingly."
# this is a list of variables that we will be deprecating within the next minor release, this list should be expected to change from release to release
__warn_deprecated_vars:
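Review bot: The new `__deprecation_header` text reads "will be no longer be used", a doubled "be" carried over from the old per-variable message. This string is now printed once as the heading for every deprecated variable, so it should read `The following are deprecated variables and will no longer be used in the next minor release.` The value is also long enough that a folded scalar (`>-`) would keep the line within a reviewable width.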
diff --git a/roles/openshift_service_catalog/templates/api_server.j2 b/roles/openshift_service_catalog/templates/api_server.j2
index e345df32c..a18d29ef0 100644
--- a/roles/openshift_service_catalog/templates/api_server.j2
+++ b/roles/openshift_service_catalog/templates/api_server.j2
@@ -49,7 +49,7 @@ spec:
- OriginatingIdentity=true
image: {{ openshift_service_catalog_image_prefix }}service-catalog:{{ openshift_service_catalog_image_version }}
command: ["/usr/bin/service-catalog"]
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
name: apiserver
ports:
- containerPort: 6443
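Review bot: With `imagePullPolicy: IfNotPresent`, a node that already has `service-catalog:{{ openshift_service_catalog_image_version }}` cached keeps running that copy, because the image is referenced by tag rather than by digest. If the version variable can hold a floating tag, a rebuilt image carrying fixes will not roll out until the cached copy is removed. The assumption should be written next to the line, e.g. `{# IfNotPresent: assumes the image tag is immutable; rebuilds under the same tag are not re-pulled #}`. The same change and concern apply to the controller_manager.j2 hunk that follows, and the container spec starts outside both hunks.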
diff --git a/roles/openshift_service_catalog/templates/controller_manager.j2 b/roles/openshift_service_catalog/templates/controller_manager.j2
index c61e05f73..6d3ee7d01 100644
--- a/roles/openshift_service_catalog/templates/controller_manager.j2
+++ b/roles/openshift_service_catalog/templates/controller_manager.j2
@@ -44,7 +44,7 @@ spec:
{% endif %}
image: {{ openshift_service_catalog_image_prefix }}service-catalog:{{ openshift_service_catalog_image_version }}
command: ["/usr/bin/service-catalog"]
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
name: controller-manager
ports:
- containerPort: 8080
diff --git a/roles/openshift_storage_nfs/templates/exports.j2 b/roles/openshift_storage_nfs/templates/exports.j2
index 2ec8db019..13bd5370c 100644
--- a/roles/openshift_storage_nfs/templates/exports.j2
+++ b/roles/openshift_storage_nfs/templates/exports.j2
@@ -1,8 +1,8 @@
-{{ openshift_hosted_registry_storage_nfs_directory }}/{{ openshift_hosted_registry_storage_volume_name }} {{ openshift_hosted_registry_storage_nfs_options }}
-{{ openshift_metrics_storage_nfs_directory }}/{{ openshift_metrics_storage_volume_name }} {{ openshift_metrics_storage_nfs_options }}
-{{ openshift_logging_storage_nfs_directory }}/{{ openshift_logging_storage_volume_name }} {{ openshift_logging_storage_nfs_options }}
-{{ openshift_loggingops_storage_nfs_directory }}/{{ openshift_loggingops_storage_volume_name }} {{ openshift_loggingops_storage_nfs_options }}
-{{ openshift_hosted_etcd_storage_nfs_directory }}/{{ openshift_hosted_etcd_storage_volume_name }} {{ openshift_hosted_etcd_storage_nfs_options }}
-{{ openshift_prometheus_storage_nfs_directory }}/{{ openshift_prometheus_storage_volume_name }} {{ openshift_prometheus_storage_nfs_options }}
-{{ openshift_prometheus_alertmanager_storage_nfs_directory }}/{{ openshift_prometheus_alertmanager_storage_volume_name }} {{ openshift_prometheus_alertmanager_storage_nfs_options }}
-{{ openshift_prometheus_alertbuffer_storage_nfs_directory }}/{{ openshift_prometheus_alertbuffer_storage_volume_name }} {{ openshift_prometheus_alertbuffer_storage_nfs_options }}
+"{{ openshift_hosted_registry_storage_nfs_directory }}/{{ openshift_hosted_registry_storage_volume_name }}" {{ openshift_hosted_registry_storage_nfs_options }}
+"{{ openshift_metrics_storage_nfs_directory }}/{{ openshift_metrics_storage_volume_name }}" {{ openshift_metrics_storage_nfs_options }}
+"{{ openshift_logging_storage_nfs_directory }}/{{ openshift_logging_storage_volume_name }}" {{ openshift_logging_storage_nfs_options }}
+"{{ openshift_loggingops_storage_nfs_directory }}/{{ openshift_loggingops_storage_volume_name }}" {{ openshift_loggingops_storage_nfs_options }}
+"{{ openshift_hosted_etcd_storage_nfs_directory }}/{{ openshift_hosted_etcd_storage_volume_name }}" {{ openshift_hosted_etcd_storage_nfs_options }}
+"{{ openshift_prometheus_storage_nfs_directory }}/{{ openshift_prometheus_storage_volume_name }}" {{ openshift_prometheus_storage_nfs_options }}
+"{{ openshift_prometheus_alertmanager_storage_nfs_directory }}/{{ openshift_prometheus_alertmanager_storage_volume_name }}" {{ openshift_prometheus_alertmanager_storage_nfs_options }}
+"{{ openshift_prometheus_alertbuffer_storage_nfs_directory }}/{{ openshift_prometheus_alertbuffer_storage_volume_name }}" {{ openshift_prometheus_alertbuffer_storage_nfs_options }}
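Review bot: The added double quotes keep a path containing spaces in one field, but the directory and volume-name variables are still rendered verbatim. A value containing `"` or a newline would end the quoted path early and change what the line exports. This file decides what the NFS server shares, so these variables deserve a validation step before templating, for instance an `assert` in the inventory sanitizing role that rejects quotes and control characters. The options field on each line is likewise rendered unquoted and unchecked, and the inventory is presumably operator-controlled, so this is hardening rather than a fix for a demonstrated fault.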
diff --git a/roles/openshift_version/defaults/main.yml b/roles/openshift_version/defaults/main.yml
index e2e6538c9..513dff045 100644
--- a/roles/openshift_version/defaults/main.yml
+++ b/roles/openshift_version/defaults/main.yml
@@ -10,3 +10,4 @@ openshift_service_type: "{{ openshift_service_type_dict[openshift_deployment_typ
openshift_use_crio_only: False
l_first_master_version_task_file: "{{ openshift_is_containerized | ternary('first_master_containerized_version.yml', 'first_master_rpm_version.yml') }}"
+l_force_image_tag_to_version: False
diff --git a/roles/openshift_version/tasks/first_master.yml b/roles/openshift_version/tasks/first_master.yml
index 374725086..e01a56dc1 100644
--- a/roles/openshift_version/tasks/first_master.yml
+++ b/roles/openshift_version/tasks/first_master.yml
@@ -24,7 +24,9 @@
- block:
- debug:
- msg: "openshift_image_tag was not defined. Falling back to v{{ openshift_version }}"
+ msg: "openshift_image_tag set to v{{ openshift_version }}"
- set_fact:
openshift_image_tag: v{{ openshift_version }}
- when: openshift_image_tag is not defined
+ when: >
+ openshift_image_tag is not defined
+ or l_force_image_tag_to_version | bool
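Review bot: When `l_force_image_tag_to_version` is true, the new `when` lets this block overwrite an `openshift_image_tag` that the operator set explicitly, and the reworded debug message no longer says whether the value was a fallback or an override. The tag decides which images are deployed, so the message should name the case, e.g. `msg: "openshift_image_tag {{ 'overridden' if openshift_image_tag is defined else 'defaulted' }} to v{{ openshift_version }}"`. The default added in roles/openshift_version/defaults/main.yml also has no comment saying which playbooks are expected to turn the flag on.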
diff --git a/roles/openshift_web_console/defaults/main.yml b/roles/openshift_web_console/defaults/main.yml
index c747f73a8..627db393a 100644
--- a/roles/openshift_web_console/defaults/main.yml
+++ b/roles/openshift_web_console/defaults/main.yml
@@ -1,2 +1,2 @@
---
-openshift_web_console_nodeselector: "{{ openshift_hosted_infra_selector | default('region=infra') | map_from_pairs }}"
+openshift_web_console_nodeselector: {"node-role.kubernetes.io/master":"true"}
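Review bot: The new default drops the `openshift_hosted_infra_selector` fallback without a comment. Inventories that set that variable to steer the console onto infra nodes will now get it scheduled on nodes labelled `node-role.kubernetes.io/master` unless they also set `openshift_web_console_nodeselector`. A one-line comment above the key should say that the console is intentionally pinned to masters and how to override it. The value would also read better in block style than as a flow mapping with no space after the colon: `openshift_web_console_nodeselector:` followed by an indented `node-role.kubernetes.io/master: "true"`.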
diff --git a/files/origin-components/console-config.yaml b/roles/openshift_web_console/files/console-config.yaml
index 55c650fbe..55c650fbe 100644
--- a/files/origin-components/console-config.yaml
+++ b/roles/openshift_web_console/files/console-config.yaml
diff --git a/files/origin-components/console-rbac-template.yaml b/roles/openshift_web_console/files/console-rbac-template.yaml
index 9ee117199..9ee117199 100644
--- a/files/origin-components/console-rbac-template.yaml
+++ b/roles/openshift_web_console/files/console-rbac-template.yaml
diff --git a/files/origin-components/console-template.yaml b/roles/openshift_web_console/files/console-template.yaml
index 7bf2d0cf4..547e7a265 100644
--- a/files/origin-components/console-template.yaml
+++ b/roles/openshift_web_console/files/console-template.yaml
@@ -71,6 +71,10 @@ objects:
path: /
port: 8443
scheme: HTTPS
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
nodeSelector: "${{NODE_SELECTOR}}"
volumes:
- name: serving-cert
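Review bot: The added `resources` stanza sets `requests` only, so the console container has no CPU or memory ceiling. This commit's new default node selector places the pod on nodes labelled `node-role.kubernetes.io/master`, where an unbounded console process would compete with control-plane components on the same host. Consider adding a `limits:` mapping beside `requests:` with values taken from observed usage; none are proposed here because the page gives no figures. The container spec begins outside this hunk.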
@@ -112,6 +116,8 @@ objects:
app: openshift-web-console
annotations:
service.alpha.openshift.io/serving-cert-secret-name: webconsole-serving-cert
+ prometheus.io/scrape: "true"
+ prometheus.io/scheme: https
spec:
selector:
webconsole: "true"
diff --git a/roles/openshift_web_console/tasks/install.yml b/roles/openshift_web_console/tasks/install.yml
index cc5eef47d..ff33338a6 100644
--- a/roles/openshift_web_console/tasks/install.yml
+++ b/roles/openshift_web_console/tasks/install.yml
@@ -33,7 +33,7 @@
- name: Copy web console templates to temp directory
copy:
- src: "{{ __console_files_location }}/{{ item }}"
+ src: "{{ item }}"
dest: "{{ mktemp.stdout }}/{{ item }}"
with_items:
- "{{ __console_template_file }}"
diff --git a/roles/openshift_web_console/tasks/remove_old_asset_config.yml b/roles/openshift_web_console/tasks/remove_old_asset_config.yml
new file mode 100644
index 000000000..34158150c
--- /dev/null
+++ b/roles/openshift_web_console/tasks/remove_old_asset_config.yml
@@ -0,0 +1,19 @@
+---
+# Remove the obsolete assetConfig stanza from master-config.yaml. Since the
+# web console has been split out into a separate deployment, those settings
+# are no longer used.
+- name: Remove assetConfig from master-config.yaml
+ yedit:
+ state: absent
+ src: "{{ openshift.common.config_base }}/master/master-config.yaml"
+ key: assetConfig
+
+# This file was written by wire_aggregator.yml. It is no longer needed since
+# the web console now discovers if the template service broker is running on
+# startup. Remove the file if it exists.
+- name: Remove obsolete web console / service catalog extension file
+ file:
+ state: absent
+ # Hard-code the path instead of using `openshift.common.config_base` since
+ # the path is hard-coded in wire_aggregator.yml.
+ path: /etc/origin/master/openshift-ansible-catalog-console.js
diff --git a/roles/openshift_web_console/vars/main.yml b/roles/openshift_web_console/vars/main.yml
index e91048e38..72bff5d01 100644
--- a/roles/openshift_web_console/vars/main.yml
+++ b/roles/openshift_web_console/vars/main.yml
@@ -1,6 +1,4 @@
---
-__console_files_location: "../../../files/origin-components/"
-
__console_template_file: "console-template.yaml"
__console_rbac_file: "console-rbac-template.yaml"
__console_config_file: "console-config.yaml"
diff --git a/files/origin-components/apiserver-config.yaml b/roles/template_service_broker/files/apiserver-config.yaml
index e4048d1da..e4048d1da 100644
--- a/files/origin-components/apiserver-config.yaml
+++ b/roles/template_service_broker/files/apiserver-config.yaml
diff --git a/files/origin-components/apiserver-template.yaml b/roles/template_service_broker/files/apiserver-template.yaml
index 4dd9395d0..4dd9395d0 100644
--- a/files/origin-components/apiserver-template.yaml
+++ b/roles/template_service_broker/files/apiserver-template.yaml
diff --git a/files/origin-components/rbac-template.yaml b/roles/template_service_broker/files/rbac-template.yaml
index 0937a9065..0937a9065 100644
--- a/files/origin-components/rbac-template.yaml
+++ b/roles/template_service_broker/files/rbac-template.yaml
diff --git a/files/origin-components/template-service-broker-registration.yaml b/roles/template_service_broker/files/template-service-broker-registration.yaml
index 95fb72924..95fb72924 100644
--- a/files/origin-components/template-service-broker-registration.yaml
+++ b/roles/template_service_broker/files/template-service-broker-registration.yaml
diff --git a/roles/template_service_broker/tasks/install.yml b/roles/template_service_broker/tasks/install.yml
index 4e6ad2ae5..d0a07c48d 100644
--- a/roles/template_service_broker/tasks/install.yml
+++ b/roles/template_service_broker/tasks/install.yml
@@ -28,7 +28,7 @@
changed_when: false
- copy:
- src: "{{ __tsb_files_location }}/{{ item }}"
+ src: "{{ item }}"
dest: "{{ mktemp.stdout }}/{{ item }}"
with_items:
- "{{ __tsb_template_file }}"
diff --git a/roles/template_service_broker/tasks/remove.yml b/roles/template_service_broker/tasks/remove.yml
index 48dc1327e..b46dd4771 100644
--- a/roles/template_service_broker/tasks/remove.yml
+++ b/roles/template_service_broker/tasks/remove.yml
@@ -9,7 +9,7 @@
changed_when: false
- copy:
- src: "{{ __tsb_files_location }}/{{ item }}"
+ src: "{{ item }}"
dest: "{{ mktemp.stdout }}/{{ item }}"
with_items:
- "{{ __tsb_template_file }}"
diff --git a/roles/template_service_broker/vars/main.yml b/roles/template_service_broker/vars/main.yml
index a65340f16..7dec24a79 100644
--- a/roles/template_service_broker/vars/main.yml
+++ b/roles/template_service_broker/vars/main.yml
@@ -1,6 +1,4 @@
---
-__tsb_files_location: "../../../files/origin-components/"
-
__tsb_template_file: "apiserver-template.yaml"
__tsb_config_file: "apiserver-config.yaml"
__tsb_rbac_file: "rbac-template.yaml"