Infrastructure/ansible
3
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

openshift-apps/sanitarium: First go at openshift role for playing with an SSH CA in stg

Browse source 
Signed-off-by: Rick Elrod <relrod@redhat.com>
This commit is contained in:
Rick Elrod 2019-11-08 16:22:31 +00:00 committed by Pierre-Yves Chibon
parent f6606cc106
commit 3bf33234a8
5 changed files with 214 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

59
playbooks/openshift-apps/sanitarium.yml Normal file
View file

@ -0,0 +1,59 @@
- name: make the app be real
#hosts: os_masters[0]:os_masters_stg[0]
hosts: os_masters_stg[0]
user: root
gather_facts: False
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: openshift/project
app: sanitarium
description: sanitarium
appowners:
- codeblock
- puiterwijk
- role: openshift/secret-file
app: sanitarium
key: intermediate
secret_name: intermediate
privatefile: "sanitarium/intermediate.{{env}}.key"
- role: openshift/secret-file
app: sanitarium
key: signer
secret_name: signer
privatefile: "sanitarium/signer.{{env}}"
- role: openshift/object
app: sanitarium
objectname: secret.yml
template: secret.yml
- role: openshift/imagestream
app: sanitarium
imagename: sanitarium
- role: openshift/object
app: sanitarium
file: buildconfig.yml
objectname: buildconfig.yml
- role: openshift/start-build
app: sanitarium
buildname: sanitarium
- role: openshift/object
app: sanitarium
file: service.yml
objectname: service.yml
- role: openshift/route
app: sanitarium
routename: sanitarium
host: sanitarium-sanitarium.app.os{{env_suffix}}.fedoraproject.org
serviceport: web
servicename: sanitarium
- role: openshift/object
app: sanitarium
file: deploymentconfig.yml
objectname: deploymentconfig.yml
- role: openshift/rollout
app: sanitarium
dcname: sanitarium

23
roles/openshift-apps/sanitarium/files/buildconfig.yml Normal file
View file

@ -0,0 +1,23 @@
---
apiVersion: v1
kind: BuildConfig
metadata:
name: sanitarium
labels:
app: sanitarium
spec:
completionDeadlineSeconds: 1800
runPolicy: Serial
strategy:
dockerStrategy:
dockerfilePath: Dockerfile.server
source:
type: Git
git:
uri: https://github.com/puiterwijk/Sanitarium.git
triggers:
- type: ConfigChange
output:
to:
kind: ImageStreamTag
name: sanitarium:latest

106
roles/openshift-apps/sanitarium/files/deploymentconfig.yml Normal file
View file

@ -0,0 +1,106 @@
apiVersion: v1
kind: DeploymentConfig
metadata:
name: sanitarium
labels:
app: sanitarium
spec:
replicas: 1
selector:
app: sanitarium
strategy:
activeDeadlineSeconds: 21600
recreateParams:
timeoutSeconds: 600
template:
metadata:
name: sanitarium
labels:
app: sanitarium
spec:
containers:
- env:
- name: SERVICE_ROOT
value: 'https://sanitarium-sanitarium.app.os.fedoraproject.org'
- name: OIDC_PROVIDER_ROOT
value: 'https://id.fedoraproject.org/openidc/'
- name: OIDC_CLIENT_ID
value: sshcerttest
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: sanitarium
key: oidc-client-secret
- name: OIDC_SUPPORTS_OOB
value: 'no'
- name: OIDC_REQUIRED_SCOPES
value: 'openid,profile'
- name: REQUIRE_TPM
value: 'no'
- name: REQUIRE_MEASUREMENT
value: 'no'
- name: OIDC_TOKEN_INFO_URL
value: 'https://id.fedoraproject.org/openidc/TokenInfo'
- name: OIDC_USERNAME_CLAIM
value: sub
- name: INTERMEDIATE_CERT_VALIDITY
value: 8h
- name: SSH_CERT_VALIDITY
value: 5m
- name: SSH_CERT_SIGNING_KEY_PATH
value: /sshkey/signer.key
- name: SSH_CERT_ADD_GITHUB
value: 'yes'
- name: INTERMEDIATE_SIGNING_KEY_PATH
value: /sshkey/intermediate.key
image: >-
docker-registry.default.svc:5000/sanitarium:latest
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /info
port: 8080
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: sanitarium
ports:
- containerPort: 8080
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /info
port: 8080
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
limits:
memory: 80Mi
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- name: signer
mountPath: /sshkey/signer.key
readyOnly: true
- name: intermediate
mountPath: /sshkey/intermediate.key
readyOnly: true
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
volumes:
- name: signer
secret:
secretName: signer
- name: intermediate
secret:
secretName: intermediate
triggers:
- type: ConfigChange

13
roles/openshift-apps/sanitarium/files/service.yml Normal file
View file

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: sanitarium
labels:
app: sanitarium
spec:
ports:
- name: web
port: 8080
targetPort: 8080
selector:
deploymentconfig: sanitarium

13
roles/openshift-apps/sanitarium/templates/secret.yml Normal file
View file

@ -0,0 +1,13 @@
apiVersion: v1
kind: Secret
metadata:
name: sanitarium
labels:
app: sanitarium
stringData:
{% if env == 'staging' %}
oidc-client-secret: "{{sanitarium_stg_oidc_secret}}"
{% endif %}
{% if env == 'production' %}
oidc-client-secret: "{{sanitarium_prod_oidc_secret}}"
{% endif %}