From f4308fb4c33c44de2be227fd46c2367dacd6b724 Mon Sep 17 00:00:00 2001 From: David Kirwan Date: Wed, 15 May 2024 06:36:07 +0100 Subject: [PATCH] firmitas: add namespace template add template for deployment add template for namespace creation add template for persistent volume claim creation add tasks to apply each template add playbook Add default values for firmitas_pagure_apikey and firmitas_pagure_host yamllint changes add buildconfig task/template
Signed-off-by: David Kirwan
---
playbooks/openshift-apps/firmitas.yml | 15 +++++
.../openshift-apps/firmitas/default/main.yml | 12 ++++
.../firmitas/tasks/create-buildconfig.yml | 15 +++++
.../firmitas/tasks/create-deployment.yml | 11 ++++
.../firmitas/tasks/create-namespace.yml | 11 ++++
.../tasks/create-pagure-apikey-secret.yml | 11 ++++
.../tasks/create-persistent-volume-claim.yml | 11 ++++
roles/openshift-apps/firmitas/tasks/main.yml | 7 +++
.../firmitas/templates/buildconfig.yml | 23 ++++++++
.../firmitas/templates/deployment.yml | 56 +++++++++++++++++++
.../firmitas/templates/namespace.yml | 9 +++
.../templates/persistent-volume-claim.yml | 15 +++++
.../templates/secret-pagure-apikey.yml | 11 ++++
13 files changed, 207 insertions(+)
create mode 100644 playbooks/openshift-apps/firmitas.yml
create mode 100644 roles/openshift-apps/firmitas/default/main.yml
create mode 100644 roles/openshift-apps/firmitas/tasks/create-buildconfig.yml
create mode 100644 roles/openshift-apps/firmitas/tasks/create-deployment.yml
create mode 100644 roles/openshift-apps/firmitas/tasks/create-namespace.yml
create mode 100644 roles/openshift-apps/firmitas/tasks/create-pagure-apikey-secret.yml
create mode 100644 roles/openshift-apps/firmitas/tasks/create-persistent-volume-claim.yml
create mode 100644 roles/openshift-apps/firmitas/tasks/main.yml
create mode 100644 roles/openshift-apps/firmitas/templates/buildconfig.yml
create mode 100644 roles/openshift-apps/firmitas/templates/deployment.yml
create mode 100644 roles/openshift-apps/firmitas/templates/namespace.yml
create mode 100644 roles/openshift-apps/firmitas/templates/persistent-volume-claim.yml
create mode 100644 roles/openshift-apps/firmitas/templates/secret-pagure-apikey.yml
diff --git a/playbooks/openshift-apps/firmitas.yml b/playbooks/openshift-apps/firmitas.yml
new file mode 100644
index 0000000000..ed92588966
--- /dev/null
+++ b/playbooks/openshift-apps/firmitas.yml
@@ -0,0 +1,15 @@
+---
+- hosts: os_control_stg #:os_control
+ user: root
+ gather_facts: false
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ tasks:
+ - name: Firmitas Role
+ include_role:
+ name: openshift-apps/firmitas
+ tasks_from: main
diff --git a/roles/openshift-apps/firmitas/default/main.yml b/roles/openshift-apps/firmitas/default/main.yml
new file mode 100644
index 0000000000..63eab83f49
--- /dev/null
+++ b/roles/openshift-apps/firmitas/default/main.yml
@@ -0,0 +1,12 @@
+firmitas_namespace: "firmitas"
+firmitas_project_description: "Firmitas is a monitoring application which alerts about the expiration of RabbitMQ certs."
+firmitas_application_name: "{{ firmitas_namespace }}"
+firmitas_pagure_secret_volume_name: "firmitas-pagure-volume"
+firmitas_pagure_secret_name: "firmitas-pagure-secret"
+firmitas_stg_pagure_apikey: "OVERRIDEME" # in the ansible-private repo
+firmitas_stg_pagure_host: "OVERRIDEME" # in the ansible-private repo
+firmitas_pagure_apikey: "OVERRIDEME" # in the ansible-private repo
+firmitas_pagure_host: "OVERRIDEME" # in the ansible-private repo
+firmitas_certs_location: "https://infrastructure.fedoraproject.org/infra/rabbitmq-certs/"
+firmitas_requester: "t0xic0der"
+firmitas_image: "image-registry.openshift-image-registry.svc:5000/{{ firmitas_namespace }}/{{ firmitas_application_name }}:latest"
diff --git a/roles/openshift-apps/firmitas/tasks/create-buildconfig.yml b/roles/openshift-apps/firmitas/tasks/create-buildconfig.yml
new file mode 100644
index 0000000000..0805e9e030
--- /dev/null
+++ b/roles/openshift-apps/firmitas/tasks/create-buildconfig.yml
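Review bot: `hosts: os_control_stg #:os_control` leaves the production target as comment text, so the play only ever runs against the staging control host and the reason for the commented-out `:os_control` is not recorded. If production is deliberately deferred, make that explicit, e.g. `hosts: os_control_stg  # TODO: add os_control once firmitas is verified in staging`. `tasks_from: main` on the include_role is the default and can be dropped.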
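Review bot: The file lives in `default/main.yml`, but Ansible only auto-loads role defaults from `defaults/main.yml`, so none of these `firmitas_*` values are defined when the role runs unless the private vars files happen to supply every one of them; renaming the directory to `defaults` fixes that. Separately, `firmitas_pagure_secret_name: "firmitas-pagure-secret"` does not match the Secret rendered by templates/secret-pagure-apikey.yml, whose name is `{{ firmitas_namespace }}-pagure-apikey-secret`, and templates/deployment.yml mounts the Secret through this variable, so the pod would reference a Secret that is never created. Either set `firmitas_pagure_secret_name: "{{ firmitas_namespace }}-pagure-apikey-secret"` here or have the Secret template use the variable for its `metadata.name`. The file also lacks the leading `---` the other new files use.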
@@ -0,0 +1,15 @@
+---
+# generate the templates for project to be created
+- name: create the buildconfig template
+ template:
+ src: "buildconfig.yml"
+ dest: "/root/ocp4/openshift-apps/firmitas/buildconfig.yml"
+ mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+ command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/buildconfig.yml"
+
+# Start a build
+- name: "oc start-build {{ firmitas_application_name }}-build"
+ command: "/root/bin/oc start-build {{ firmitas_application_name }}-build"
diff --git a/roles/openshift-apps/firmitas/tasks/create-deployment.yml b/roles/openshift-apps/firmitas/tasks/create-deployment.yml
new file mode 100644
index 0000000000..48cb4851a8
--- /dev/null
+++ b/roles/openshift-apps/firmitas/tasks/create-deployment.yml
@@ -0,0 +1,11 @@
+---
+# generate the templates for project to be created
+- name: create the deployment template
+ template:
+ src: "deployment.yml"
+ dest: "/root/ocp4/openshift-apps/firmitas/deployment.yml"
+ mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+ command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/deployment.yml"
diff --git a/roles/openshift-apps/firmitas/tasks/create-namespace.yml b/roles/openshift-apps/firmitas/tasks/create-namespace.yml
new file mode 100644
index 0000000000..c916a027a3
--- /dev/null
+++ b/roles/openshift-apps/firmitas/tasks/create-namespace.yml
@@ -0,0 +1,11 @@
+---
+# generate the templates for project to be created
+- name: create the namespace template
+ template:
+ src: "namespace.yml"
+ dest: "/root/ocp4/openshift-apps/firmitas/namespace.yml"
+ mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+ command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/namespace.yml"
diff --git a/roles/openshift-apps/firmitas/tasks/create-pagure-apikey-secret.yml b/roles/openshift-apps/firmitas/tasks/create-pagure-apikey-secret.yml
new file mode 100644
index 0000000000..df69b94061
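Review bot: The `template` task writes into `/root/ocp4/openshift-apps/firmitas/`, but nothing in this commit creates that directory and the template module does not create missing parents, so unless it already exists on the control host the first include (create-namespace.yml) fails; a `file` task with `state: directory` at the top of tasks/main.yml would cover all five task files. The same pattern repeats in create-deployment.yml, create-namespace.yml, create-pagure-apikey-secret.yml and create-persistent-volume-claim.yml. `mode: 0770` puts execute bits on a plain manifest and is an unquoted octal that ansible-lint flags; `mode: "0640"` is enough for a file only root reads. The `oc apply` and `oc start-build` commands carry no `changed_when`, so every run reports a change and, in this file, kicks off a fresh build even when the source has not moved.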
--- /dev/null
+++ b/roles/openshift-apps/firmitas/tasks/create-pagure-apikey-secret.yml
@@ -0,0 +1,11 @@
+---
+# generate the templates for project to be created
+- name: create the pagure api secret template
+ template:
+ src: "secret-pagure-apikey.yml"
+ dest: "/root/ocp4/openshift-apps/firmitas/secret-pagure-apikey.yml"
+ mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+ command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/secret-pagure-apikey.yml"
diff --git a/roles/openshift-apps/firmitas/tasks/create-persistent-volume-claim.yml b/roles/openshift-apps/firmitas/tasks/create-persistent-volume-claim.yml
new file mode 100644
index 0000000000..d609a0e780
--- /dev/null
+++ b/roles/openshift-apps/firmitas/tasks/create-persistent-volume-claim.yml
@@ -0,0 +1,11 @@
+---
+# generate the templates for project to be created
+- name: create the persistent volume template
+ template:
+ src: "persistent-volume-claim.yml"
+ dest: "/root/ocp4/openshift-apps/firmitas/persistent-volume-claim.yml"
+ mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+ command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/persistent-volume-claim.yml"
diff --git a/roles/openshift-apps/firmitas/tasks/main.yml b/roles/openshift-apps/firmitas/tasks/main.yml
new file mode 100644
index 0000000000..85cbf431ad
--- /dev/null
+++ b/roles/openshift-apps/firmitas/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+
+- include_tasks: create-namespace.yml
+- include_tasks: create-pagure-apikey-secret.yml
+- include_tasks: create-persistent-volume-claim.yml
+- include_tasks: create-buildconfig.yml
+- include_tasks: create-deployment.yml
diff --git a/roles/openshift-apps/firmitas/templates/buildconfig.yml b/roles/openshift-apps/firmitas/templates/buildconfig.yml
new file mode 100644
index 0000000000..dc187156f4
--- /dev/null
+++ b/roles/openshift-apps/firmitas/templates/buildconfig.yml
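Review bot: The rendered Secret manifest, which carries the base64-encoded Pagure API key, is left on the control host at `/root/ocp4/openshift-apps/firmitas/secret-pagure-apikey.yml` with `mode: 0770`, and neither task sets `no_log`, so the key is readable by the file's group and shows up in `--diff`/verbose output. Use `mode: "0600"` and `no_log: true` on both the template task and the apply task. Nothing checks that the `OVERRIDEME` defaults were actually overridden, so a run where the private vars are missing still produces a valid-looking Secret and the failure only surfaces when firmitas calls Pagure; an `assert` before the template task turns that into a deploy-time error.

```yaml
- name: refuse to render placeholder Pagure credentials
  assert:
    that:
      - firmitas_pagure_apikey != "OVERRIDEME"
      - firmitas_stg_pagure_apikey != "OVERRIDEME"
    fail_msg: "firmitas_pagure_apikey / firmitas_stg_pagure_apikey must come from the private vars"

- name: create the pagure api secret template
  template:
    src: "secret-pagure-apikey.yml"
    dest: "/root/ocp4/openshift-apps/firmitas/secret-pagure-apikey.yml"
    mode: "0600"
  no_log: true
# … unchanged: oc apply task (add no_log: true there as well) …
```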
@@ -0,0 +1,23 @@
+---
+apiVersion: build.openshift.io/v1
+kind: BuildConfig
+metadata:
+ name: "{{ firmitas_application_name }}-build"
+spec:
+ source:
+ git:
+{% if env == 'staging' %}
+ ref: main
+{% else %}
+ ref: main
+{% endif %}
+ uri: https://github.com/fedora-infra/firmitas.git
+ type: Git
+ strategy:
+ type: Docker
+ successfulBuildsHistoryLimit: 3
+ output:
+ to:
+ kind: ImageStreamTag
+ name: "{{ firmitas_application_name }}:latest"
+
diff --git a/roles/openshift-apps/firmitas/templates/deployment.yml b/roles/openshift-apps/firmitas/templates/deployment.yml
new file mode 100644
index 0000000000..99fa64a315
--- /dev/null
+++ b/roles/openshift-apps/firmitas/templates/deployment.yml
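Review bot: The `{% if env == 'staging' %}` block sets `ref: main` in both branches, so the conditional is dead; either collapse it to a single `ref: main` or have the production branch pin a tag or release branch, which is the usual reason for the split. `metadata` has no `namespace`, unlike deployment.yml and the PVC template, and the apply task passes no `-n`, so the BuildConfig lands in whatever project the control host's `oc` context currently points at; add `namespace: "{{ firmitas_namespace }}"`. The output targets `ImageStreamTag {{ firmitas_application_name }}:latest`, but no ImageStream is created anywhere in this commit (none appears in the diffstat) and deployment.yml pulls `firmitas_image` from that stream, so unless the stream already exists the build cannot push and the Deployment cannot pull.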
@@ -0,0 +1,56 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: "{{firmitas_application_name}}"
+ namespace: "{{firmitas_namespace}}"
+spec:
+ replicas: 1
+ template:
+ metadata:
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ # TODO(user): For common cases that do not require escalating privileges
+ # it is recommended to ensure that all your Pods/Containers are restrictive.
+ # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+ # Please uncomment the following code if your project does NOT have to work on old Kubernetes
+ # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
+ # seccompProfile:
+ # type: RuntimeDefault
+ containers:
+ - image: "{{ firmitas_image }}"
+ name: firmitas
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 6789
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 6789
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 100m
+ memory: 1024Mi
+ requests:
+ cpu: 10m
+ memory: 256Mi
+ volumeMounts:
+ - name: "{{ firmitas_pagure_secret_volume_name }}"
+ mountPath: "/etc/firmitas/"
+ volumes:
+ - name: "{{ firmitas_pagure_secret_volume_name }}"
+ secret:
+ secretName: "{{ firmitas_pagure_secret_name }}"
+ terminationGracePeriodSeconds: 10
+
diff --git a/roles/openshift-apps/firmitas/templates/namespace.yml b/roles/openshift-apps/firmitas/templates/namespace.yml
new file mode 100644
index 0000000000..bcbe6f65cc
--- /dev/null
+++ b/roles/openshift-apps/firmitas/templates/namespace.yml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ openshift.io/description: "{{ firmitas_project_description }}"
+ openshift.io/display-name: "{{firmitas_application_name}}"
+ openshift.io/requester: "{{ firmitas_requester }}"
+ name: "{{ firmitas_namespace }}"
+
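Review bot: `spec.selector` is missing and `template.metadata:` is empty, so the API server rejects this apps/v1 Deployment (selector is a required field) and even with one added there are no pod labels for it to match; the labels are also what any NetworkPolicy or monitoring selector would key on. The claim created by persistent-volume-claim.yml is not referenced under `volumes`, so either the PVC is unused or a mount is missing here. The `# TODO(user)` block is operator-sdk scaffolding; decide whether `seccompProfile: RuntimeDefault` applies on this cluster and either enable it or drop the comment rather than shipping it. The probes assume firmitas serves `/healthz` and `/readyz` on port 6789, which I cannot confirm from this diff.

```yaml
spec:
  replicas: 1
  selector:
    matchLabels:
      app: "{{ firmitas_application_name }}"
  template:
    metadata:
      labels:
        app: "{{ firmitas_application_name }}"
    spec:
      # … unchanged: securityContext, containers, volumes …
```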
diff --git a/roles/openshift-apps/firmitas/templates/persistent-volume-claim.yml b/roles/openshift-apps/firmitas/templates/persistent-volume-claim.yml
new file mode 100644
index 0000000000..ec585d5b63
--- /dev/null
+++ b/roles/openshift-apps/firmitas/templates/persistent-volume-claim.yml
@@ -0,0 +1,15 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: "{{firmitas_application_name}}-volume"
+ namespace: "{{firmitas_namespace}}"
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ volumeName:
+ storageClassName: ocs-storagecluster-ceph-rbd
+ volumeMode: Filesystem
+
diff --git a/roles/openshift-apps/firmitas/templates/secret-pagure-apikey.yml b/roles/openshift-apps/firmitas/templates/secret-pagure-apikey.yml
new file mode 100644
index 0000000000..5068c57110
--- /dev/null
+++ b/roles/openshift-apps/firmitas/templates/secret-pagure-apikey.yml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "{{ firmitas_namespace }}-pagure-apikey-secret"
+ namespace: "{{ firmitas_namespace }}"
+data:
+ firmitas-pagure-apikey:
+ "{{ (env == 'production')|ternary(firmitas_pagure_apikey, firmitas_stg_pagure_apikey) | b64encode }}"
+ firmitas-pagure-host:
+ "{{ (env == 'production')|ternary( firmitas_pagure_host, firmitas_stg_pagure_host) | b64encode }}"
+
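Review bot: `volumeName:` with no value renders as null, which yamllint's empty-values rule flags and which reads as though binding to a pre-existing PV was intended; drop the key if dynamic provisioning through `storageClassName` is the plan. This claim, `{{firmitas_application_name}}-volume`, is not mounted by deployment.yml, so as written nothing consumes it.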
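Review bot: The `data:` block base64-encodes each value inline with `| b64encode`; Kubernetes accepts `stringData:` for the same keys, which drops the filter and makes the rendered manifest reviewable, and the stray space in `ternary( firmitas_pagure_host` should go. The template selects the production or staging value from `env`, so it fails with an undefined-variable error on any host where `env` is not set; presumably that is a group var on the control hosts, but it is not visible in this diff.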