diff --git a/playbooks/openshift-apps/firmitas.yml b/playbooks/openshift-apps/firmitas.yml
new file mode 100644
index 0000000000..ed92588966
--- /dev/null
+++ b/playbooks/openshift-apps/firmitas.yml
@@ -0,0 +1,15 @@
+---
+- hosts: os_control_stg #:os_control
+ user: root
+ gather_facts: false
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ tasks:
+ - name: Firmitas Role
+ include_role:
+ name: openshift-apps/firmitas
+ tasks_from: main
diff --git a/roles/openshift-apps/firmitas/default/main.yml b/roles/openshift-apps/firmitas/default/main.yml
new file mode 100644
index 0000000000..63eab83f49
--- /dev/null
+++ b/roles/openshift-apps/firmitas/default/main.yml
@@ -0,0 +1,12 @@
+firmitas_namespace: "firmitas"
+firmitas_project_description: "Firmitas is a monitoring application which alerts about the expiration of RabbitMQ certs."
+firmitas_application_name: "{{ firmitas_namespace }}"
+firmitas_pagure_secret_volume_name: "firmitas-pagure-volume"
+firmitas_pagure_secret_name: "firmitas-pagure-secret"
+firmitas_stg_pagure_apikey: "OVERRIDEME" # in the ansible-private repo
+firmitas_stg_pagure_host: "OVERRIDEME" # in the ansible-private repo
+firmitas_pagure_apikey: "OVERRIDEME" # in the ansible-private repo
+firmitas_pagure_host: "OVERRIDEME" # in the ansible-private repo
+firmitas_certs_location: "https://infrastructure.fedoraproject.org/infra/rabbitmq-certs/"
+firmitas_requester: "t0xic0der"
+firmitas_image: "image-registry.openshift-image-registry.svc:5000/{{ firmitas_namespace }}/{{ firmitas_application_name }}:latest"
diff --git a/roles/openshift-apps/firmitas/tasks/create-buildconfig.yml b/roles/openshift-apps/firmitas/tasks/create-buildconfig.yml
new file mode 100644
index 0000000000..0805e9e030
--- /dev/null
+++ b/roles/openshift-apps/firmitas/tasks/create-buildconfig.yml
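Review bot: The play sets `gather_facts: false` on its second line but then loads `/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml` in `vars_files`, and `ansible_distribution` is a gathered fact; unless a fact cache or an earlier play supplies it, the include fails with an undefined variable. Either set `gather_facts: true` or drop the distribution-specific vars file if the role does not use anything from it. The `#:os_control` tail on the `hosts:` line reads as a disabled production target; a comment stating when `os_control` is meant to be enabled would be clearer than the bare token.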
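Review bot: The variables file is committed under `roles/openshift-apps/firmitas/default/main.yml`, but Ansible only auto-loads role defaults from `defaults/main.yml` (plural), so as written none of the `firmitas_*` variables are defined when the templates render and the first `{{ firmitas_namespace }}` reference fails as undefined unless the private vars file happens to set every one of them. Renaming the directory to `defaults/` fixes this. The four `"OVERRIDEME"` credential placeholders are a reasonable pattern, but nothing stops a run from base64-encoding and applying the placeholder as the live secret; an `assert` task in `tasks/main.yml` checking `firmitas_pagure_apikey != "OVERRIDEME"` (and the staging counterpart) would fail fast instead. `firmitas_certs_location` is not referenced by any file in this commit; if it is consumed by the container image rather than the role, a comment saying so would save the next reader a search.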
@@ -0,0 +1,15 @@
+---
+# generate the templates for project to be created
+- name: create the buildconfig template
+ template:
+ src: "buildconfig.yml"
+ dest: "/root/ocp4/openshift-apps/firmitas/buildconfig.yml"
+ mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+ command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/buildconfig.yml"
+
+# Start a build
+- name: "oc start-build {{ firmitas_application_name }}-build"
+ command: "/root/bin/oc start-build {{ firmitas_application_name }}-build"
diff --git a/roles/openshift-apps/firmitas/tasks/create-deployment.yml b/roles/openshift-apps/firmitas/tasks/create-deployment.yml
new file mode 100644
index 0000000000..48cb4851a8
--- /dev/null
+++ b/roles/openshift-apps/firmitas/tasks/create-deployment.yml
@@ -0,0 +1,11 @@
+---
+# generate the templates for project to be created
+- name: create the deployment template
+ template:
+ src: "deployment.yml"
+ dest: "/root/ocp4/openshift-apps/firmitas/deployment.yml"
+ mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+ command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/deployment.yml"
diff --git a/roles/openshift-apps/firmitas/tasks/create-namespace.yml b/roles/openshift-apps/firmitas/tasks/create-namespace.yml
new file mode 100644
index 0000000000..c916a027a3
--- /dev/null
+++ b/roles/openshift-apps/firmitas/tasks/create-namespace.yml
@@ -0,0 +1,11 @@
+---
+# generate the templates for project to be created
+- name: create the namespace template
+ template:
+ src: "namespace.yml"
+ dest: "/root/ocp4/openshift-apps/firmitas/namespace.yml"
+ mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+ command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/namespace.yml"
diff --git a/roles/openshift-apps/firmitas/tasks/create-pagure-apikey-secret.yml b/roles/openshift-apps/firmitas/tasks/create-pagure-apikey-secret.yml
new file mode 100644
index 0000000000..df69b94061
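Review bot: `mode: 0770` on the template task is an unquoted octal that YAML 1.1 parses as the integer 504; Ansible usually still interprets it as intended but warns, and the portable form is `mode: "0770"` (the same line appears in create-deployment.yml, create-namespace.yml, create-pagure-apikey-secret.yml and create-persistent-volume-claim.yml). Group `rwx` is also wider than a rendered manifest needs; `"0640"` would do. Both `command` tasks report changed on every run since neither has `changed_when`, and `oc start-build` launches a fresh build each time the playbook runs; registering the apply result and using e.g. `changed_when: "'unchanged' not in apply_result.stdout"` plus a tag on the build task would make the role idempotent. The task name `oc apply resources` is reused verbatim across all five task files, which makes the play output hard to follow; naming the resource in each (`oc apply buildconfig`) would help.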
--- /dev/null
+++ b/roles/openshift-apps/firmitas/tasks/create-pagure-apikey-secret.yml
@@ -0,0 +1,11 @@
+---
+# generate the templates for project to be created
+- name: create the pagure api secret template
+ template:
+ src: "secret-pagure-apikey.yml"
+ dest: "/root/ocp4/openshift-apps/firmitas/secret-pagure-apikey.yml"
+ mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+ command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/secret-pagure-apikey.yml"
diff --git a/roles/openshift-apps/firmitas/tasks/create-persistent-volume-claim.yml b/roles/openshift-apps/firmitas/tasks/create-persistent-volume-claim.yml
new file mode 100644
index 0000000000..d609a0e780
--- /dev/null
+++ b/roles/openshift-apps/firmitas/tasks/create-persistent-volume-claim.yml
@@ -0,0 +1,11 @@
+---
+# generate the templates for project to be created
+- name: create the persistent volume template
+ template:
+ src: "persistent-volume-claim.yml"
+ dest: "/root/ocp4/openshift-apps/firmitas/persistent-volume-claim.yml"
+ mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+ command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/persistent-volume-claim.yml"
diff --git a/roles/openshift-apps/firmitas/tasks/main.yml b/roles/openshift-apps/firmitas/tasks/main.yml
new file mode 100644
index 0000000000..85cbf431ad
--- /dev/null
+++ b/roles/openshift-apps/firmitas/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+
+- include_tasks: create-namespace.yml
+- include_tasks: create-pagure-apikey-secret.yml
+- include_tasks: create-persistent-volume-claim.yml
+- include_tasks: create-buildconfig.yml
+- include_tasks: create-deployment.yml
diff --git a/roles/openshift-apps/firmitas/templates/buildconfig.yml b/roles/openshift-apps/firmitas/templates/buildconfig.yml
new file mode 100644
index 0000000000..dc187156f4
--- /dev/null
+++ b/roles/openshift-apps/firmitas/templates/buildconfig.yml
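Review bot: The rendered Secret manifest, which carries the Pagure API key in base64 (an encoding, not encryption), is written to `/root/ocp4/openshift-apps/firmitas/secret-pagure-apikey.yml` with `mode: 0770` and is left on the control host after `oc apply`, so the credential stays readable by anyone in the root group for as long as the file exists. Tighten the template task to `mode: "0600"` and add `no_log: true` so the key does not appear in diff output, and either remove the file after the apply or avoid the on-disk copy altogether. The `oc apply` command task also lacks `changed_when`, so it reports changed on every run.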
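Review bot: No ImageStream is created anywhere in this role, yet buildconfig.yml pushes to `ImageStreamTag` `{{ firmitas_application_name }}:latest` and deployment.yml pulls that tag from the internal registry; unless the ImageStream already exists in the namespace, the build started by create-buildconfig.yml fails at the push step and the Deployment never gets an image. Adding an `imagestream.yml` template with a matching `create-imagestream.yml` task, included before `create-buildconfig.yml`, would close the gap. The ordering here also applies the Deployment immediately after the first build is started, so the first rollout will wait on a pull until that build completes; a comment noting this expected initial `ImagePullBackOff` would save operators a false alarm.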
@@ -0,0 +1,23 @@
+---
+apiVersion: build.openshift.io/v1
+kind: BuildConfig
+metadata:
+ name: "{{ firmitas_application_name }}-build"
+spec:
+ source:
+ git:
+{% if env == 'staging' %}
+ ref: main
+{% else %}
+ ref: main
+{% endif %}
+ uri: https://github.com/fedora-infra/firmitas.git
+ type: Git
+ strategy:
+ type: Docker
+ successfulBuildsHistoryLimit: 3
+ output:
+ to:
+ kind: ImageStreamTag
+ name: "{{ firmitas_application_name }}:latest"
+
diff --git a/roles/openshift-apps/firmitas/templates/deployment.yml b/roles/openshift-apps/firmitas/templates/deployment.yml
new file mode 100644
index 0000000000..99fa64a315
--- /dev/null
+++ b/roles/openshift-apps/firmitas/templates/deployment.yml
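Review bot: Both branches of `{% if env == 'staging' %}` set `ref: main`, so the conditional is dead code; either collapse it to a single `ref: main` or drive it from a role default such as `ref: "{{ firmitas_git_ref }}"` so staging and production can diverge without editing the template. `metadata:` has no `namespace:` while deployment.yml sets one, so this BuildConfig lands in whatever project the `oc` context happens to point at on the control host; add `namespace: "{{ firmitas_namespace }}"` for consistency. The Docker strategy builds from the unpinned `main` branch of a public repository, so every `oc start-build` pulls whatever that branch currently holds; pinning a tag or commit is worth considering for production.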
@@ -0,0 +1,56 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: "{{firmitas_application_name}}"
+ namespace: "{{firmitas_namespace}}"
+spec:
+ replicas: 1
+ template:
+ metadata:
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ # TODO(user): For common cases that do not require escalating privileges
+ # it is recommended to ensure that all your Pods/Containers are restrictive.
+ # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+ # Please uncomment the following code if your project does NOT have to work on old Kubernetes
+ # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
+ # seccompProfile:
+ # type: RuntimeDefault
+ containers:
+ - image: "{{ firmitas_image }}"
+ name: firmitas
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 6789
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 6789
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 100m
+ memory: 1024Mi
+ requests:
+ cpu: 10m
+ memory: 256Mi
+ volumeMounts:
+ - name: "{{ firmitas_pagure_secret_volume_name }}"
+ mountPath: "/etc/firmitas/"
+ volumes:
+ - name: "{{ firmitas_pagure_secret_volume_name }}"
+ secret:
+ secretName: "{{ firmitas_pagure_secret_name }}"
+ terminationGracePeriodSeconds: 10
+
diff --git a/roles/openshift-apps/firmitas/templates/namespace.yml b/roles/openshift-apps/firmitas/templates/namespace.yml
new file mode 100644
index 0000000000..bcbe6f65cc
--- /dev/null
+++ b/roles/openshift-apps/firmitas/templates/namespace.yml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ openshift.io/description: "{{ firmitas_project_description }}"
+ openshift.io/display-name: "{{firmitas_application_name}}"
+ openshift.io/requester: "{{ firmitas_requester }}"
+ name: "{{ firmitas_namespace }}"
+
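Review bot: `spec.selector` is missing and `template.metadata:` is empty, and an apps/v1 Deployment requires a selector that matches the pod template labels, so the `oc apply` in create-deployment.yml rejects this manifest before anything is scheduled. The volume also references `secretName: "{{ firmitas_pagure_secret_name }}"` (default `firmitas-pagure-secret`), while secret-pagure-apikey.yml creates `{{ firmitas_namespace }}-pagure-apikey-secret`; the pod would stay stuck on the secret mount, so the Secret template should use `name: "{{ firmitas_pagure_secret_name }}"` as well. The PVC from persistent-volume-claim.yml is never mounted here, and the seven-line kubebuilder scaffold comment under `runAsNonRoot` should either be acted on (the `seccompProfile` block is safe on current OpenShift) or removed. The spacing in `{{firmitas_application_name}}` also differs from the `{{ firmitas_image }}` form used lower in the same file.
```yaml
spec:
  replicas: 1
  selector:
    matchLabels:
      app: "{{ firmitas_application_name }}"
  template:
    metadata:
      labels:
        app: "{{ firmitas_application_name }}"
    spec:
      # … unchanged: securityContext, containers, volumes …
```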
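Review bot: The document start `---` is omitted here while buildconfig.yml and deployment.yml in the same commit begin with it, and `{{firmitas_application_name}}` on the display-name line drops the spaces used by the other two expressions in this file; both are style points, but consistency across the role's templates makes them easier to lint together. A trailing blank line is the only content after `name:`, which is harmless but matches none of the task files.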
diff --git a/roles/openshift-apps/firmitas/templates/persistent-volume-claim.yml b/roles/openshift-apps/firmitas/templates/persistent-volume-claim.yml
new file mode 100644
index 0000000000..ec585d5b63
--- /dev/null
+++ b/roles/openshift-apps/firmitas/templates/persistent-volume-claim.yml
@@ -0,0 +1,15 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: "{{firmitas_application_name}}-volume"
+ namespace: "{{firmitas_namespace}}"
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ volumeName:
+ storageClassName: ocs-storagecluster-ceph-rbd
+ volumeMode: Filesystem
+
diff --git a/roles/openshift-apps/firmitas/templates/secret-pagure-apikey.yml b/roles/openshift-apps/firmitas/templates/secret-pagure-apikey.yml
new file mode 100644
index 0000000000..5068c57110
--- /dev/null
+++ b/roles/openshift-apps/firmitas/templates/secret-pagure-apikey.yml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "{{ firmitas_namespace }}-pagure-apikey-secret"
+ namespace: "{{ firmitas_namespace }}"
+data:
+ firmitas-pagure-apikey:
+ "{{ (env == 'production')|ternary(firmitas_pagure_apikey, firmitas_stg_pagure_apikey) | b64encode }}"
+ firmitas-pagure-host:
+ "{{ (env == 'production')|ternary( firmitas_pagure_host, firmitas_stg_pagure_host) | b64encode }}"
+
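Review bot: `volumeName:` with no value is parsed as `null`, which is not the same as leaving the field unset and is ambiguous to a reader; since the claim is meant to be dynamically provisioned from `ocs-storagecluster-ceph-rbd`, drop the key entirely. This PVC is not referenced by any `volumes` entry in deployment.yml, so it is provisioned and paid for but never mounted; either add the mount the application needs or remove create-persistent-volume-claim.yml from tasks/main.yml until it does. As with namespace.yml, the `---` document start and the `{{ … }}` spacing differ from the other templates in this commit.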