firmitas: add namespace template

add template for deployment add tempalte for namespace creation add template for persistent volume claim creation add tasks to apply each template add playbook Add default values for firmitas_pagure_apikey and firmitas_pagure_host yamllint changes add buildconfig task/template Signed-off-by: David Kirwan <davidkirwanirl@gmail.com>
2024-05-15 06:36:07 +01:00 · 2024-05-15 06:36:07 +01:00 · f4308fb4c3
commit f4308fb4c3
parent 696f49465c
13 changed files with 207 additions and 0 deletions
--- a/playbooks/openshift-apps/firmitas.yml
+++ b/playbooks/openshift-apps/firmitas.yml
@ -0,0 +1,15 @@
+---
+- hosts: os_control_stg #:os_control
+  user: root
+  gather_facts: false
+
+  vars_files:
+    - /srv/web/infra/ansible/vars/global.yml
+    - "/srv/private/ansible/vars.yml"
+    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  tasks:
+    - name: Firmitas Role
+      include_role:
+        name: openshift-apps/firmitas
+        tasks_from: main
--- a/roles/openshift-apps/firmitas/default/main.yml
+++ b/roles/openshift-apps/firmitas/default/main.yml
@ -0,0 +1,12 @@
+firmitas_namespace: "firmitas"
+firmitas_project_description: "Firmitas is a monitoring application which alerts about the expiration of RabbitMQ certs."
+firmitas_application_name: "{{ firmitas_namespace }}"
+firmitas_pagure_secret_volume_name: "firmitas-pagure-volume"
+firmitas_pagure_secret_name: "firmitas-pagure-secret"
+firmitas_stg_pagure_apikey: "OVERRIDEME" # in the ansible-private repo
+firmitas_stg_pagure_host: "OVERRIDEME" # in the ansible-private repo
+firmitas_pagure_apikey: "OVERRIDEME" # in the ansible-private repo
+firmitas_pagure_host: "OVERRIDEME" # in the ansible-private repo
+firmitas_certs_location: "https://infrastructure.fedoraproject.org/infra/rabbitmq-certs/"
+firmitas_requester: "t0xic0der"
+firmitas_image: "image-registry.openshift-image-registry.svc:5000/{{ firmitas_namespace }}/{{ firmitas_application_name }}:latest"
--- a/roles/openshift-apps/firmitas/tasks/create-buildconfig.yml
+++ b/roles/openshift-apps/firmitas/tasks/create-buildconfig.yml
@ -0,0 +1,15 @@
+---
+# generate the templates for project to be created
+- name: create the buildconfig template
+  template:
+    src: "buildconfig.yml"
+    dest: "/root/ocp4/openshift-apps/firmitas/buildconfig.yml"
+    mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+  command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/buildconfig.yml"
+
+# Start a build
+- name: "oc start-build {{ firmitas_application_name }}-build"
+  command: "/root/bin/oc start-build {{ firmitas_application_name }}-build"
--- a/roles/openshift-apps/firmitas/tasks/create-deployment.yml
+++ b/roles/openshift-apps/firmitas/tasks/create-deployment.yml
@ -0,0 +1,11 @@
+---
+# generate the templates for project to be created
+- name: create the deployment template
+  template:
+    src: "deployment.yml"
+    dest: "/root/ocp4/openshift-apps/firmitas/deployment.yml"
+    mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+  command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/deployment.yml"
--- a/roles/openshift-apps/firmitas/tasks/create-namespace.yml
+++ b/roles/openshift-apps/firmitas/tasks/create-namespace.yml
@ -0,0 +1,11 @@
+---
+# generate the templates for project to be created
+- name: create the namespace template
+  template:
+    src: "namespace.yml"
+    dest: "/root/ocp4/openshift-apps/firmitas/namespace.yml"
+    mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+  command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/namespace.yml"
--- a/roles/openshift-apps/firmitas/tasks/create-pagure-apikey-secret.yml
+++ b/roles/openshift-apps/firmitas/tasks/create-pagure-apikey-secret.yml
@ -0,0 +1,11 @@
+---
+# generate the templates for project to be created
+- name: create the pagure api secret template
+  template:
+    src: "secret-pagure-apikey.yml"
+    dest: "/root/ocp4/openshift-apps/firmitas/secret-pagure-apikey.yml"
+    mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+  command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/secret-pagure-apikey.yml"
--- a/roles/openshift-apps/firmitas/tasks/create-persistent-volume-claim.yml
+++ b/roles/openshift-apps/firmitas/tasks/create-persistent-volume-claim.yml
@ -0,0 +1,11 @@
+---
+# generate the templates for project to be created
+- name: create the persistent volume template
+  template:
+    src: "persistent-volume-claim.yml"
+    dest: "/root/ocp4/openshift-apps/firmitas/persistent-volume-claim.yml"
+    mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+  command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/persistent-volume-claim.yml"
--- a/roles/openshift-apps/firmitas/tasks/main.yml
+++ b/roles/openshift-apps/firmitas/tasks/main.yml
@ -0,0 +1,7 @@
+---
+
+- include_tasks: create-namespace.yml
+- include_tasks: create-pagure-apikey-secret.yml
+- include_tasks: create-persistent-volume-claim.yml
+- include_tasks: create-buildconfig.yml
+- include_tasks: create-deployment.yml
--- a/roles/openshift-apps/firmitas/templates/buildconfig.yml
+++ b/roles/openshift-apps/firmitas/templates/buildconfig.yml
@ -0,0 +1,23 @@
+---
+apiVersion: build.openshift.io/v1
+kind: BuildConfig
+metadata:
+  name: "{{ firmitas_application_name }}-build"
+spec:
+  source:
+    git:
+{% if env == 'staging' %}
+      ref: main
+{% else %}
+      ref: main
+{% endif %}
+      uri: https://github.com/fedora-infra/firmitas.git
+    type: Git
+  strategy:
+    type: Docker
+  successfulBuildsHistoryLimit: 3
+  output:
+    to:
+      kind: ImageStreamTag
+      name: "{{ firmitas_application_name }}:latest"
+
--- a/roles/openshift-apps/firmitas/templates/deployment.yml
+++ b/roles/openshift-apps/firmitas/templates/deployment.yml
@ -0,0 +1,56 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{firmitas_application_name}}"
+  namespace: "{{firmitas_namespace}}"
+spec:
+  replicas: 1
+  template:
+    metadata:
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        # TODO(user): For common cases that do not require escalating privileges
+        # it is recommended to ensure that all your Pods/Containers are restrictive.
+        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+        # Please uncomment the following code if your project does NOT have to work on old Kubernetes
+        # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
+        # seccompProfile:
+        #   type: RuntimeDefault
+      containers:
+      - image: "{{ firmitas_image }}"
+        name: firmitas
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - "ALL"
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 6789
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 6789
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          limits:
+            cpu: 100m
+            memory: 1024Mi
+          requests:
+            cpu: 10m
+            memory: 256Mi
+        volumeMounts:
+          - name: "{{ firmitas_pagure_secret_volume_name }}"
+            mountPath: "/etc/firmitas/"
+      volumes:
+        - name: "{{ firmitas_pagure_secret_volume_name }}"
+          secret:
+            secretName: "{{ firmitas_pagure_secret_name }}"
+      terminationGracePeriodSeconds: 10
+
--- a/roles/openshift-apps/firmitas/templates/namespace.yml
+++ b/roles/openshift-apps/firmitas/templates/namespace.yml
@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    openshift.io/description: "{{ firmitas_project_description }}"
+    openshift.io/display-name: "{{firmitas_application_name}}"
+    openshift.io/requester: "{{ firmitas_requester }}"
+  name: "{{ firmitas_namespace }}"
+
--- a/roles/openshift-apps/firmitas/templates/persistent-volume-claim.yml
+++ b/roles/openshift-apps/firmitas/templates/persistent-volume-claim.yml
@ -0,0 +1,15 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: "{{firmitas_application_name}}-volume"
+  namespace: "{{firmitas_namespace}}"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  volumeName:
+  storageClassName: ocs-storagecluster-ceph-rbd
+  volumeMode: Filesystem
+
--- a/roles/openshift-apps/firmitas/templates/secret-pagure-apikey.yml
+++ b/roles/openshift-apps/firmitas/templates/secret-pagure-apikey.yml
@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ firmitas_namespace }}-pagure-apikey-secret"
+  namespace: "{{ firmitas_namespace }}"
+data:
+  firmitas-pagure-apikey:
+    "{{ (env == 'production')|ternary(firmitas_pagure_apikey, firmitas_stg_pagure_apikey) | b64encode }}"
+  firmitas-pagure-host:
+    "{{ (env == 'production')|ternary( firmitas_pagure_host, firmitas_stg_pagure_host) | b64encode }}"
+