From 42d330a1cf2990fee39dab36250524ebfb303428 Mon Sep 17 00:00:00 2001 
From: Tim Bielawa Date: Wed, 6 Sep 2017 15:11:55 -0400 Subject: CFME 4.6 work begins. CFME 4.5 references added to the release-3.6 branch --- roles/openshift_cfme/README.md | 411 +----- roles/openshift_cfme/defaults/main.yml | 188 ++- roles/openshift_cfme/files/miq-backup-job.yaml | 28 + roles/openshift_cfme/files/miq-backup-pvc.yaml | 10 + .../files/miq-pv-backup-example.yaml | 13 + roles/openshift_cfme/files/miq-pv-db-example.yaml | 13 + .../files/miq-pv-server-example.yaml | 27 + roles/openshift_cfme/files/miq-restore-job.yaml | 35 + roles/openshift_cfme/files/miq-scc-httpd.yaml | 38 + .../openshift_cfme/files/miq-template-ext-db.yaml | 771 ++++++++++ roles/openshift_cfme/files/miq-template.yaml | 1490 ++++++++++++-------- roles/openshift_cfme/handlers/main.yml | 3 + roles/openshift_cfme/meta/main.yml | 3 +- roles/openshift_cfme/tasks/accounts.yml | 65 + roles/openshift_cfme/tasks/create_pvs.yml | 36 - roles/openshift_cfme/tasks/main.yml | 176 ++- roles/openshift_cfme/tasks/nfs.yml | 51 - roles/openshift_cfme/tasks/storage/create_pvs.yml | 36 + roles/openshift_cfme/tasks/storage/nfs.yml | 103 ++ roles/openshift_cfme/tasks/storage/storage.yml | 3 + roles/openshift_cfme/tasks/template.yml | 72 + roles/openshift_cfme/tasks/tune_masters.yml | 12 - roles/openshift_cfme/tasks/validate.yml | 34 + roles/openshift_cfme/templates/miq-pv-db.yaml.j2 | 13 - .../openshift_cfme/templates/miq-pv-region.yaml.j2 | 13 - .../openshift_cfme/templates/miq-pv-server.yaml.j2 | 13 - 26 files changed, 2441 insertions(+), 1216 deletions(-) create mode 100644 roles/openshift_cfme/files/miq-backup-job.yaml create mode 100644 roles/openshift_cfme/files/miq-backup-pvc.yaml create mode 100644 roles/openshift_cfme/files/miq-pv-backup-example.yaml create mode 100644 roles/openshift_cfme/files/miq-pv-db-example.yaml create mode 100644 roles/openshift_cfme/files/miq-pv-server-example.yaml create mode 100644 roles/openshift_cfme/files/miq-restore-job.yaml create mode 100644 
roles/openshift_cfme/files/miq-scc-httpd.yaml create mode 100644 roles/openshift_cfme/files/miq-template-ext-db.yaml create mode 100644 roles/openshift_cfme/tasks/accounts.yml delete mode 100644 roles/openshift_cfme/tasks/create_pvs.yml delete mode 100644 roles/openshift_cfme/tasks/nfs.yml create mode 100644 roles/openshift_cfme/tasks/storage/create_pvs.yml create mode 100644 roles/openshift_cfme/tasks/storage/nfs.yml create mode 100644 roles/openshift_cfme/tasks/storage/storage.yml create mode 100644 roles/openshift_cfme/tasks/template.yml delete mode 100644 roles/openshift_cfme/tasks/tune_masters.yml create mode 100644 roles/openshift_cfme/tasks/validate.yml delete mode 100644 roles/openshift_cfme/templates/miq-pv-db.yaml.j2 delete mode 100644 roles/openshift_cfme/templates/miq-pv-region.yaml.j2 delete mode 100644 roles/openshift_cfme/templates/miq-pv-server.yaml.j2 (limited to 'roles/openshift_cfme') diff --git a/roles/openshift_cfme/README.md b/roles/openshift_cfme/README.md index 8283afed6..f6b62b358 100644 --- a/roles/openshift_cfme/README.md +++ b/roles/openshift_cfme/README.md 
@@ -1,404 +1,27 @@ -# OpenShift-Ansible - CFME Role +## OpenShift-Ansible - CFME Role -# PROOF OF CONCEPT - Alpha Version +# CloudForms - 4.6 -This role is based on the work in the upstream -[manageiq/manageiq-pods](https://github.com/ManageIQ/manageiq-pods) -project. For additional literature on configuration specific to -ManageIQ (optional post-installation tasks), visit the project's -[upstream documentation page](http://manageiq.org/docs/get-started/basic-configuration). +**Important Note**: As of 2017-09-06 the `master` branch of the +[openshift-ansible](https://github.com/openshift/openshift-ansible) +repository is now tracking changes for CloudForms 4.6. -Please submit a -[new issue](https://github.com/openshift/openshift-ansible/issues/new) -if you run into bugs with this role or wish to request enhancements. +If you installed CFME **4.5** previously using this role then you +**must** use the role from the stable `release-3.6` branch. -# Important Notes +This role, `openshift_cfme`, in OpenShift Container Platform (OCP) 3.7 +**will not** be backwards compatible with the previous tech preview +released in OCP 3.6. -This is an early *proof of concept* role to install the Cloud Forms -Management Engine (ManageIQ) on OpenShift Container Platform (OCP). -* This role is still in **ALPHA STATUS** -* Many options are hard-coded still (ex: NFS setup) -* Not many configurable options yet -* **Should** be ran on a dedicated cluster -* **Will not run** on undersized infra -* The terms *CFME* and *MIQ* / *ManageIQ* are interchangeable +# CFME/MIQ 4.5 Legacy Instructions -## Requirements +* [OCP 3.6 - CFME 4.5 Installation Instruction](https://github.com/openshift/openshift-ansible/tree/release-3.6/roles/openshift_cfme) -**NOTE:** These requirements are copied from the upstream -[manageiq/manageiq-pods](https://github.com/ManageIQ/manageiq-pods) -project. 
+The instructions linked in the bulleted item above are for the **TECH +PREVIEW** CloudForms Management Engine (ManageIQ) 4.5 release. -### Prerequisites: +# CloudForms 4.5 Pull Requests -* - [OpenShift Origin 1.5](https://docs.openshift.com/container-platform/3.5/welcome/index.html) - or - [higher](https://docs.openshift.com/container-platform/latest/welcome/index.html) - provisioned -* NFS or other compatible volume provider -* A cluster-admin user (created by role if required) - -### Cluster Sizing - -In order to avoid random deployment failures due to resource -starvation, we recommend a minimum cluster size for a **test** -environment. - -| Type | Size | CPUs | Memory | -|----------------|---------|----------|----------| -| Masters | `1+` | `8` | `12GB` | -| Nodes | `2+` | `4` | `8GB` | -| PV Storage | `25GB` | `N/A` | `N/A` | - - -![Basic CFME Deployment](img/CFMEBasicDeployment.png) - -**CFME has hard-requirements for memory. CFME will NOT install if your - infrastructure does not meet or exceed the requirements given - above. Do not run this playbook if you do not have the required - memory, you will just waste your time.** - - -### Other sizing considerations - -* Recommendations assume MIQ will be the **only application running** - on this cluster. -* Alternatively, you can provision an infrastructure node to run - registry/metrics/router/logging pods. -* Each MIQ application pod will consume at least `3GB` of RAM on initial - deployment (blank deployment without providers). -* RAM consumption will ramp up higher depending on appliance use, once - providers are added expect higher resource consumption. 
- - -### Assumptions - -1) You meet/exceed the [cluster sizing](#cluster-sizing) requirements -1) Your NFS server is on your master host -1) Your PV backing NFS storage volume is mounted on `/exports/` - -Required directories that NFS will export to back the PVs: - -* `/exports/miq-pv0[123]` - -If the required directories are not present at install-time, they will -be created using the recommended permissions per the -[upstream documentation](https://github.com/ManageIQ/manageiq-pods#make-persistent-volumes-to-host-the-miq-database-and-application-data): - -* UID/GID: `root`/`root` -* Mode: `0775` - -**IMPORTANT:** If you are using a separate volume (`/dev/vdX`) for NFS - storage, **ensure** it is mounted on `/exports/` **before** running - this role. - - - -## Role Variables - -Core variables in this role: - -| Name | Default value | Description | -|-------------------------------|---------------|---------------| -| `openshift_cfme_install_app` | `False` | `True`: Install everything and create a new CFME app, `False`: Just install all of the templates and scaffolding | - - -Variables you may override have defaults defined in -[defaults/main.yml](defaults/main.yml). - - -# Important Notes - -This is a **tech preview** status role presently. Use it with the same -caution you would give any other pre-release software. - -**Most importantly** follow this one rule: don't re-run the entrypoint -playbook multiple times in a row without cleaning up after previous -runs if some of the CFME steps have ran. This is a known -flake. Cleanup instructions are provided at the bottom of this README. - - -# Usage - -This section describes the basic usage of this role. All parameters -will use their [default values](defaults/main.yml). - -## Pre-flight Checks - -**IMPORTANT:** As documented above in [the prerequisites](#prerequisites), - you **must already** have your OCP cluster up and running. 
- -**Optional:** The ManageIQ pod is fairly large (about 1.7 GB) so to -save some spin-up time post-deployment, you can begin pre-pulling the -docker image to each of your nodes now: - -``` -root@node0x # docker pull docker.io/manageiq/manageiq-pods:app-latest-fine -``` - -## Getting Started - -1) The *entry point playbook* to install CFME is located in -[the BYO playbooks](../../playbooks/byo/openshift-cfme/config.yml) -directory - -2) Update your existing `hosts` inventory file and ensure the -parameter `openshift_cfme_install_app` is set to `True` under the -`[OSEv3:vars]` block. - -2) Using your existing `hosts` inventory file, run `ansible-playbook` -with the entry point playbook: - -``` -$ ansible-playbook -v -i playbooks/byo/openshift-cfme/config.yml -``` - -## Next Steps - -Once complete, the playbook will let you know: - - -``` -TASK [openshift_cfme : Status update] ********************************************************* -ok: [ho.st.na.me] => { - "msg": "CFME has been deployed. Note that there will be a delay before it is fully initialized.\n" -} -``` - -This will take several minutes (*possibly 10 or more*, depending on -your network connection). However, you can get some insight into the -deployment process during initialization. - -### oc describe pod manageiq-0 - -*Some useful information about the output you will see if you run the -`oc describe pod manageiq-0` command* - -**Readiness probe**s - These will take a while to become -`Healthy`. The initial health probes won't even happen for at least 8 -minutes depending on how long it takes you to pull down the large -images. ManageIQ is a large application so it may take a considerable -amount of time for it to deploy and be marked as `Healthy`. 
- -If you go to the node you know the application is running on (check -for `Successfully assigned manageiq-0 to ` in the `describe` -output) you can run a `docker pull` command to monitor the progress of -the image pull: - -``` -[root@cfme-node ~]# docker pull docker.io/manageiq/manageiq-pods:app-latest-fine -Trying to pull repository docker.io/manageiq/manageiq-pods ... -sha256:6c055ca9d3c65cd694d6c0e28986b5239ba56bbdf0488cccdaa283d545258f8a: Pulling from docker.io/manageiq/manageiq-pods -Digest: sha256:6c055ca9d3c65cd694d6c0e28986b5239ba56bbdf0488cccdaa283d545258f8a -Status: Image is up to date for docker.io/manageiq/manageiq-pods:app-latest-fine -``` - -The example above demonstrates the case where the image has been -successfully pulled already. - -If the image isn't completely pulled already then you will see -multiple progress bars detailing each image layer download status. - - -### rsh - -*Useful inspection/progress monitoring techniques with the `oc rsh` -command.* - - -On your master node, switch to the `cfme` project (or whatever you -named it if you overrode the `openshift_cfme_project` variable) and -check on the pod states: - -``` -[root@cfme-master01 ~]# oc project cfme -Now using project "cfme" on server "https://10.10.0.100:8443". - -[root@cfme-master01 ~]# oc get pod -NAME READY STATUS RESTARTS AGE -manageiq-0 0/1 Running 0 14m -memcached-1-3lk7g 1/1 Running 0 14m -postgresql-1-12slb 1/1 Running 0 14m -``` - -Note how the `manageiq-0` pod says `0/1` under the **READY** -column. After some time (depending on your network connection) you'll -be able to `rsh` into the pod to find out more of what's happening in -real time. 
First, the easy-mode command, run this once `rsh` is -available and then watch until it says `Started Initialize Appliance -Database`: - -``` -[root@cfme-master01 ~]# oc rsh manageiq-0 journalctl -f -u appliance-initialize.service -``` - -For the full explanation of what this means, and more interactive -inspection techniques, keep reading on. - -To obtain a shell on our `manageiq` pod we use this command: - -``` -[root@cfme-master01 ~]# oc rsh manageiq-0 bash -l -``` - -The `rsh` command opens a shell in your pod for you. In this case it's -the pod called `manageiq-0`. `systemd` is managing the services in -this pod so we can use the `list-units` command to see what is running -currently: `# systemctl list-units | grep appliance`. - -If you see the `appliance-initialize` service running, this indicates -that basic setup is still in progress. We can monitor the process with -the `journalctl` command like so: - - -``` -[root@manageiq-0 vmdb]# journalctl -f -u appliance-initialize.service -Jun 14 14:55:52 manageiq-0 appliance-initialize.sh[58]: == Checking deployment status == -Jun 14 14:55:52 manageiq-0 appliance-initialize.sh[58]: No pre-existing EVM configuration found on region PV -Jun 14 14:55:52 manageiq-0 appliance-initialize.sh[58]: == Checking for existing data on server PV == -Jun 14 14:55:52 manageiq-0 appliance-initialize.sh[58]: == Starting New Deployment == -Jun 14 14:55:52 manageiq-0 appliance-initialize.sh[58]: == Applying memcached config == -Jun 14 14:55:53 manageiq-0 appliance-initialize.sh[58]: == Initializing Appliance == -Jun 14 14:55:57 manageiq-0 appliance-initialize.sh[58]: create encryption key -Jun 14 14:55:57 manageiq-0 appliance-initialize.sh[58]: configuring external database -Jun 14 14:55:57 manageiq-0 appliance-initialize.sh[58]: Checking for connections to the database... 
-Jun 14 14:56:09 manageiq-0 appliance-initialize.sh[58]: Create region starting -Jun 14 14:58:15 manageiq-0 appliance-initialize.sh[58]: Create region complete -Jun 14 14:58:15 manageiq-0 appliance-initialize.sh[58]: == Initializing PV data == -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: == Initializing PV data backup == -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: sending incremental file list -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: created directory /persistent/server-deploy/backup/backup_2017_06_14_145816 -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/www/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/www/miq/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/www/miq/vmdb/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/www/miq/vmdb/REGION -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/www/miq/vmdb/certs/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/www/miq/vmdb/certs/v2_key -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/www/miq/vmdb/config/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: region-data/var/www/miq/vmdb/config/database.yml -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: server-data/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: server-data/var/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: server-data/var/www/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: server-data/var/www/miq/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: server-data/var/www/miq/vmdb/ -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: server-data/var/www/miq/vmdb/GUID -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: sent 1330 bytes received 136 
bytes 2932.00 bytes/sec -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: total size is 770 speedup is 0.53 -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: == Restoring PV data symlinks == -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: /var/www/miq/vmdb/REGION symlink is already in place, skipping -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: /var/www/miq/vmdb/config/database.yml symlink is already in place, skipping -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: /var/www/miq/vmdb/certs/v2_key symlink is already in place, skipping -Jun 14 14:58:16 manageiq-0 appliance-initialize.sh[58]: /var/www/miq/vmdb/log symlink is already in place, skipping -Jun 14 14:58:28 manageiq-0 systemctl[304]: Removed symlink /etc/systemd/system/multi-user.target.wants/appliance-initialize.service. -Jun 14 14:58:29 manageiq-0 systemd[1]: Started Initialize Appliance Database. -``` - -Most of what we see here (above) is the initial database seeding -process. This process isn't very quick, so be patient. - -At the bottom of the log there is a special line from the `systemctl` -service, `Removed symlink -/etc/systemd/system/multi-user.target.wants/appliance-initialize.service`. The -`appliance-initialize` service is no longer marked as enabled. This -indicates that the base application initialization is complete now. - -We're not done yet though, there are other ancillary services which -run in this pod to support the application. *Still in the rsh shell*, -Use the `ps` command to monitor for the `httpd` processes -starting. You will see output similar to the following when that stage -has completed: - -``` -[root@manageiq-0 vmdb]# ps aux | grep http -root 1941 0.0 0.1 249820 7640 ? Ss 15:02 0:00 /usr/sbin/httpd -DFOREGROUND -apache 1942 0.0 0.0 250752 6012 ? S 15:02 0:00 /usr/sbin/httpd -DFOREGROUND -apache 1943 0.0 0.0 250472 5952 ? S 15:02 0:00 /usr/sbin/httpd -DFOREGROUND -apache 1944 0.0 0.0 250472 5916 ? 
S 15:02 0:00 /usr/sbin/httpd -DFOREGROUND -apache 1945 0.0 0.0 250360 5764 ? S 15:02 0:00 /usr/sbin/httpd -DFOREGROUND -``` - -Furthermore, you can find other related processes by just looking for -ones with `MIQ` in their name: - -``` -[root@manageiq-0 vmdb]# ps aux | grep miq -root 333 27.7 4.2 555884 315916 ? Sl 14:58 3:59 MIQ Server -root 1976 0.6 4.0 507224 303740 ? SNl 15:02 0:03 MIQ: MiqGenericWorker id: 1, queue: generic -root 1984 0.6 4.0 507224 304312 ? SNl 15:02 0:03 MIQ: MiqGenericWorker id: 2, queue: generic -root 1992 0.9 4.0 508252 304888 ? SNl 15:02 0:05 MIQ: MiqPriorityWorker id: 3, queue: generic -root 2000 0.7 4.0 510308 304696 ? SNl 15:02 0:04 MIQ: MiqPriorityWorker id: 4, queue: generic -root 2008 1.2 4.0 514000 303612 ? SNl 15:02 0:07 MIQ: MiqScheduleWorker id: 5 -root 2026 0.2 4.0 517504 303644 ? SNl 15:02 0:01 MIQ: MiqEventHandler id: 6, queue: ems -root 2036 0.2 4.0 518532 303768 ? SNl 15:02 0:01 MIQ: MiqReportingWorker id: 7, queue: reporting -root 2044 0.2 4.0 519560 303812 ? SNl 15:02 0:01 MIQ: MiqReportingWorker id: 8, queue: reporting -root 2059 0.2 4.0 528372 303956 ? SNl 15:02 0:01 puma 3.3.0 (tcp://127.0.0.1:5000) [MIQ: Web Server Worker] -root 2067 0.9 4.0 529664 305716 ? SNl 15:02 0:05 puma 3.3.0 (tcp://127.0.0.1:3000) [MIQ: Web Server Worker] -root 2075 0.2 4.0 529408 304056 ? SNl 15:02 0:01 puma 3.3.0 (tcp://127.0.0.1:4000) [MIQ: Web Server Worker] -root 2329 0.0 0.0 10640 972 ? S+ 15:13 0:00 grep --color=auto -i miq -``` - -Finally, *still in the rsh shell*, to test if the application is -running correctly, we can request the application homepage. If the -page is available the page title will be `ManageIQ: Login`: - -``` -[root@manageiq-0 vmdb]# curl -s -k https://localhost | grep -A2 '' -<title> -ManageIQ: Login - -``` - -**Note:** The `-s` flag makes `curl` operations silent and the `-k` -flag to ignore errors about untrusted certificates. 
- - - -# Additional Upstream Resources - -Below are some useful resources from the upstream project -documentation. You may find these of value. - -* [Verify Setup Was Successful](https://github.com/ManageIQ/manageiq-pods#verifying-the-setup-was-successful) -* [POD Access And Routes](https://github.com/ManageIQ/manageiq-pods#pod-access-and-routes) -* [Troubleshooting](https://github.com/ManageIQ/manageiq-pods#troubleshooting) - - -# Manual Cleanup - -At this time uninstallation/cleanup is still a manual process. You -will have to follow a few steps to fully remove CFME from your -cluster. - -Delete the project: - -* `oc delete project cfme` - -Delete the PVs: - -* `oc delete pv miq-pv01` -* `oc delete pv miq-pv02` -* `oc delete pv miq-pv03` - -Clean out the old PV data: - -* `cd /exports/` -* `find miq* -type f -delete` -* `find miq* -type d -delete` - -Remove the NFS exports: - -* `rm /etc/exports.d/openshift_cfme.exports` -* `exportfs -ar` - -Delete the user: - -* `oc delete user cfme` - -**NOTE:** The `oc delete project cfme` command will return quickly -however it will continue to operate in the background. Continue -running `oc get project` after you've completed the other steps to -monitor the pods and final project termination progress. +We are no longer accepting pull requests for the *Tech Preview* +CloudForms 4.5 release. diff --git a/roles/openshift_cfme/defaults/main.yml b/roles/openshift_cfme/defaults/main.yml index b82c2e602..9a36f902d 100644 --- a/roles/openshift_cfme/defaults/main.yml +++ b/roles/openshift_cfme/defaults/main.yml 
@@ -1,32 +1,154 @@ --- -# Namespace for the CFME project (Note: changed post-3.6 to use -# reserved 'openshift-' namespace prefix) +# Namespace for the CFME project openshift_cfme_project: openshift-cfme # Namespace/project description -openshift_cfme_project_description: ManageIQ - CloudForms Management Engine -# Basic user assigned the `admin` role for the project -openshift_cfme_user: cfme -# Project system account for enabling privileged pods -openshift_cfme_service_account: "system:serviceaccount:{{ openshift_cfme_project }}:default" -# All the required exports -openshift_cfme_pv_exports: - - miq-pv01 - - miq-pv02 - - miq-pv03 -# PV template files and their created object names -openshift_cfme_pv_data: - - pv_name: miq-pv01 - pv_template: miq-pv-db.yaml - pv_label: CFME DB PV - - pv_name: miq-pv02 - pv_template: miq-pv-region.yaml - pv_label: CFME Region PV - - pv_name: miq-pv03 - pv_template: miq-pv-server.yaml - pv_label: CFME Server PV - -# Tuning parameter to use more than 5 images at once from an ImageStream -openshift_cfme_maxImagesBulkImportedPerRepository: 100 +openshift_cfme_project_description: ManageIQ - CloudForms Management Engine 4.6 + +###################################################################### +# BASE TEMPLATE AND DATABASE OPTIONS +###################################################################### +# Which flavor of CFME would you like? You may install CFME using a +# podified PostgreSQL server, or you may choose to use an existing +# PostgreSQL server. +# +# Choose 'miq-template' for a podified database install +# Choose 'miq-template-ext-db' for an external database install +openshift_cfme_app_template: miq-template + +# If you are using the miq-template-ext-db template then you must add +# the required database parameters to the +# openshift_cfme_template_parameters variable. 
For example: +# +# openshift_cfme_template_parameters: +# DATABASE_USER: root +# DATABASE_PASSWORD: @_grrrr8Pa$$.h3r3 +# DATABASE_IP: 10.1.1.10 +# DATABASE_PORT: 5432 +# DATABASE_NAME: vmdb_production + +###################################################################### +# STORAGE OPTIONS +###################################################################### +# DEFAULT - 'nfs' +# Allowed options: nfs, external, preconfigured, cloudprovider. +openshift_cfme_storage_class: nfs +# * nfs - Best used for proof-of-concept installs. Will setup NFS on a +# cluster host (defaults to your first master in the inventory file) +# to back the required PVCs. The application requires a PVC and the +# database (which may be hosted externally) may require a +# second. PVC minimum required sizes are: 5GiB for the MIQ +# application, and 15GiB for the PostgreSQL database (20GiB minimum +# available space on an volume/partition if used specifically for +# NFS purposes) +# +# * external - You are using an external NFS server, such as a netapp +# appliance. See the STORAGE - NFS OPTIONS section below for +# required information. +# +# * preconfigured - This CFME role will do NOTHING to modify storage +# settings. This option assumes expert knowledge and that you have +# done everything required ahead of time. +# +# * cloudprovider - You are using an OCP cloudprovider integration for +# your storage class. For this to work you must have already +# configured the required inventory parameters for your cloud +# provider +# +# Ensure 'openshift_cloudprovider_kind' is defined (aws or gce) and +# that the applicable cloudprovider parameters are provided. + +###################################################################### +# STORAGE - NFS OPTIONS +###################################################################### +# [OPTIONAL] - If you are using an EXTERNAL NFS server, such as a +# netapp appliance, then you must set the hostname here. 
Leave the +# value as 'false' if you are not using external NFS +openshift_cfme_storage_external_nfs_hostname: false +# [OPTIONAL] - If you are using external NFS then you must set the base +# path to the exports location here. +# +# Or, change this value if you want to change the default path used +# for local NFS exports. +openshift_cfme_storage_external_nfs_base_dir: /exports/ + + +###################################################################### +# VARIOUS CONSTANTS - DO NOT OVERRIDE THESE UNDER ANY CIRCUMSTANCES +###################################################################### + +###################################################################### +# Misc enumerated values +# Allowed choices for the storage class parameter +openshift_cfme_storage_classes: + - nfs + - external + - preconfigured + - cloudprovider +# Name of the application templates with object/parameter definitions +openshift_cfme_app_templates: + - miq-template-ext-db + - miq-template +# PostgreSQL database connection parameters +openshift_cfme_db_parameters: + - DATABASE_USER + - DATABASE_PASSWORD + - DATABASE_IP + - DATABASE_PORT + - DATABASE_NAME + + +###################################################################### +# ACCOUNTING +###################################################################### +# Service Account SSCs +openshift_system_account_sccs: + - name: miq-anyuid + resource_name: anyuid + - name: miq-orchestrator + resource_name: anyuid + - name: miq-privileged + resource_name: privileged + - name: miq-httpd + resource_name: miq-httpd + +# Service Account Roles +openshift_cfme_system_account_roles: + - name: miq-orchestrator + resource_name: view + - name: miq-orchestrator + resource_name: edit + + +###################################################################### +# SCAFFOLDING - These are parameters we pre-seed that a user may or +# may not set later +###################################################################### +# A hash of parameters you want 
to override or set in the +# miq-template.yaml or miq-template-ext-db.yaml templates. Set this in +# your inventory file as a simple hash. Acceptable values are defined +# under the .parameters list in files/miq-template{-ext-db}.yaml +# Example: +# +# openshift_cfme_template_parameters={'APPLICATION_MEM_REQ': '512Mi'} +openshift_cfme_template_parameters: {} + +# # All the required exports +# openshift_cfme_pv_exports: +# - miq-pv01 +# - miq-pv02 +# - miq-pv03 +# # PV template files and their created object names +# openshift_cfme_pv_data: +# - pv_name: miq-pv01 +# pv_template: miq-pv-db.yaml +# pv_label: CFME DB PV +# - pv_name: miq-pv02 +# pv_template: miq-pv-region.yaml +# pv_label: CFME Region PV +# - pv_name: miq-pv03 +# pv_template: miq-pv-server.yaml +# pv_label: CFME Server PV + # TODO: Refactor '_install_app' variable. This is just for testing but # maybe in the future it should control the entire yes/no for CFME. # 
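Review bot: The service-account SCC list is introduced as `openshift_system_account_sccs`, while its sibling immediately below is `openshift_cfme_system_account_roles`; Ansible variables live in one flat namespace, so a name without the role prefix can silently collide with or be overridden by another role, and `openshift_cfme_system_account_sccs:` keeps both lists under the same prefix. The copy-paste example `DATABASE_PASSWORD: @_grrrr8Pa$$.h3r3` will not load if pasted into a YAML vars file, because a plain scalar cannot begin with the reserved `@` indicator; quoting it, `DATABASE_PASSWORD: '@_grrrr8Pa$$.h3r3'`, and noting that the real value belongs in an `ansible-vault`-encrypted file rather than the plain-text inventory makes the example safe to copy. `openshift_cfme_storage_external_nfs_hostname: false` uses a boolean as the unset sentinel for a string value, so a comment stating that consumers must test it for truthiness rather than render it would prevent a literal `False` ending up in an export or PV definition. The TODO comment at the end of this hunk continues in the next hunk.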
@@ -34,9 +156,11 @@ openshift_cfme_maxImagesBulkImportedPerRepository: 100 # --template=manageiq). If False everything UP TO 'new-app' is ran. openshift_cfme_install_app: False # Docker image to pull -openshift_cfme_application_img_name: "{{ 'registry.access.redhat.com/cloudforms45/cfme-openshift-app' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}" -openshift_cfme_postgresql_img_name: "{{ 'registry.access.redhat.com/cloudforms45/cfme-openshift-postgresql' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}" -openshift_cfme_memcached_img_name: "{{ 'registry.access.redhat.com/cloudforms45/cfme-openshift-memcached' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}" -openshift_cfme_application_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'app-latest-fine' }}" -openshift_cfme_memcached_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'memcached-latest-fine' }}" -openshift_cfme_postgresql_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'postgresql-latest-fine' }}" +# openshift_cfme_application_img_name: "{{ 'registry.access.redhat.com/cloudforms46/cfme-openshift-app' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}" +# openshift_cfme_application_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'frontend-latest' }}" + +# openshift_cfme_memcached_img_name: "{{ 'registry.access.redhat.com/cloudforms46/cfme-openshift-memcached' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}" +# openshift_cfme_memcached_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'memcached-latest-fine' }}" + +# openshift_cfme_postgresql_img_tag: "{{ 'latest' if openshift_deployment_type == 
'openshift-enterprise' else 'postgresql-latest-fine' }}"
+# openshift_cfme_postgresql_img_name: "{{ 'registry.access.redhat.com/cloudforms46/cfme-openshift-postgresql' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}"
diff --git a/roles/openshift_cfme/files/miq-backup-job.yaml b/roles/openshift_cfme/files/miq-backup-job.yaml
new file mode 100644
index 000000000..044cb73a5
--- /dev/null
+++ b/roles/openshift_cfme/files/miq-backup-job.yaml
@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: manageiq-backup
+spec:
+ template:
+ metadata:
+ name: manageiq-backup
+ spec:
+ containers:
+ - name: postgresql
+ image: docker.io/manageiq/postgresql:latest
+ command:
+ - "/opt/manageiq/container-scripts/backup_db"
+ env:
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: manageiq-secrets
+ key: database-url
+ volumeMounts:
+ - name: miq-backup-vol
+ mountPath: "/backups"
+ volumes:
+ - name: miq-backup-vol
+ persistentVolumeClaim:
+ claimName: manageiq-backup
+ restartPolicy: Never
diff --git a/roles/openshift_cfme/files/miq-backup-pvc.yaml b/roles/openshift_cfme/files/miq-backup-pvc.yaml
new file mode 100644
index 000000000..25696ef23
--- /dev/null
+++ b/roles/openshift_cfme/files/miq-backup-pvc.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: manageiq-backup
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 15Gi
diff --git a/roles/openshift_cfme/files/miq-pv-backup-example.yaml b/roles/openshift_cfme/files/miq-pv-backup-example.yaml
new file mode 100644
index 000000000..a5cf54d4e
--- /dev/null
+++ b/roles/openshift_cfme/files/miq-pv-backup-example.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: miq-pv03
+spec:
+ capacity:
+ storage: 15Gi
+ accessModes:
+ - ReadWriteOnce
+ nfs:
+ path: "/exports/miq-pv03"
+ server: ""
+ persistentVolumeReclaimPolicy: Retain
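Review bot: The six `openshift_cfme_*_img_name` / `_img_tag` definitions are commented out rather than replaced, so if any task or template in the role still references them (the tasks are outside this chunk) it fails at run time with an undefined-variable error instead of at `--syntax-check`; either keep the `cloudforms46` definitions live or delete the dead lines. If the 4.6 images are now selected somewhere else, a one-line comment here pointing at that location would save the next reader from searching the role. The `# Docker image to pull` context line above the commented block is now a heading for nothing and should go with whichever option is chosen.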
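Review bot: `image: docker.io/manageiq/postgresql:latest` gives the backup Job a floating tag from a public registry, so the process that receives the database credentials through `DATABASE_URL` from the `manageiq-secrets` secret is whatever image was last pushed and may not match the PostgreSQL major version of the database it dumps; the same line is in miq-restore-job.yaml. A pinned tag or digest, or a template parameter mirroring the role's `openshift_cfme_*_img_name` variables (which select the Red Hat registry for enterprise deployments), keeps the backup and restore tooling on the same image lineage as the database. The dump written to the `manageiq-backup` claim holds the full database, so a comment in this file or in the README should state that access to that PVC is equivalent to access to the database itself.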
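Review bot: `server: ""` leaves the NFS server empty, which Kubernetes validation rejects for an `nfs` volume source (the server is a required field), so this example (and miq-pv-db-example.yaml, which is identical apart from the name) cannot be applied without hand-editing, while miq-pv-server-example.yaml in the same commit is parametrised with `${NFS_SERVER}` and `${BASE_PATH}`. Using the same parameter form in all three files, or at least a comment at the top, `# Example only: set spec.nfs.server and spec.nfs.path before applying`, would make the intended usage consistent. The hard-coded `path: "/exports/miq-pv03"` also ignores `openshift_cfme_storage_external_nfs_base_dir` from the defaults, so an operator who changed the base dir gets a PV pointing at the wrong export.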
diff --git a/roles/openshift_cfme/files/miq-pv-db-example.yaml b/roles/openshift_cfme/files/miq-pv-db-example.yaml
new file mode 100644
index 000000000..7d66552db
--- /dev/null
+++ b/roles/openshift_cfme/files/miq-pv-db-example.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: miq-pv01
+spec:
+ capacity:
+ storage: 15Gi
+ accessModes:
+ - ReadWriteOnce
+ nfs:
+ path: "/exports/miq-pv01"
+ server: ""
+ persistentVolumeReclaimPolicy: Retain
diff --git a/roles/openshift_cfme/files/miq-pv-server-example.yaml b/roles/openshift_cfme/files/miq-pv-server-example.yaml
new file mode 100644
index 000000000..e4a23334b
--- /dev/null
+++ b/roles/openshift_cfme/files/miq-pv-server-example.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: "${PV_NAME}"
+spec:
+ capacity:
+ storage: 5Gi
+ accessModes:
+ - ReadWriteOnce
+ nfs:
+ path: "/${BASE_PATH}/${PV_NAME}"
+ server: "${NFS_SERVER}"
+ persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: BASE_PATH
+ displayName: BasePath
+ required: true
+ description: The parent directory of your NFS exports
+ value: /exports
+- name: PV_NAME
+ displayName: PVName
+ required: true
+ description: The name of this PV
+- name: NFS_SERVER
+ displayName: NFSServer
+ required: true
+ description: The hostname or IP address of the NFS server
diff --git a/roles/openshift_cfme/files/miq-restore-job.yaml b/roles/openshift_cfme/files/miq-restore-job.yaml
new file mode 100644
index 000000000..eea284dd4
--- /dev/null
+++ b/roles/openshift_cfme/files/miq-restore-job.yaml
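Review bot: miq-pv-server-example.yaml combines a `kind: PersistentVolume` object with a top-level `parameters:` list, which is the shape of an OpenShift Template rather than a PV; `oc process` only accepts `kind: Template` with the PV listed under `objects:`, and `oc create` does not substitute `${...}`, so unless the role's task that consumes it (tasks/storage/create_pvs.yml, outside this chunk) performs its own substitution the file works with neither command. The `path: "/${BASE_PATH}/${PV_NAME}"` also prepends a slash to a `BASE_PATH` whose default is already `/exports`, yielding `//exports/<name>`; `path: "${BASE_PATH}/${PV_NAME}"` matches the `/exports/miq-pv01` form used by the two sibling examples. The defaults file sets `openshift_cfme_storage_external_nfs_base_dir` to `/exports/` with a trailing slash, so whichever value feeds `BASE_PATH` needs that slash stripped as well, or the PV ends up with a doubled separator either way.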
@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: manageiq-restore
+spec:
+ template:
+ metadata:
+ name: manageiq-restore
+ spec:
+ containers:
+ - name: postgresql
+ image: docker.io/manageiq/postgresql:latest
+ command:
+ - "/opt/manageiq/container-scripts/restore_db"
+ env:
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: manageiq-secrets
+ key: database-url
+ - name: BACKUP_VERSION
+ value: latest
+ volumeMounts:
+ - name: miq-backup-vol
+ mountPath: "/backups"
+ - name: miq-prod-vol
+ mountPath: "/restore"
+ volumes:
+ - name: miq-backup-vol
+ persistentVolumeClaim:
+ claimName: manageiq-backup
+ - name: miq-prod-vol
+ persistentVolumeClaim:
+ claimName: manageiq-postgresql
+ restartPolicy: Never
diff --git a/roles/openshift_cfme/files/miq-scc-httpd.yaml b/roles/openshift_cfme/files/miq-scc-httpd.yaml
new file mode 100644
index 000000000..0817b4908
--- /dev/null
+++ b/roles/openshift_cfme/files/miq-scc-httpd.yaml
@@ -0,0 +1,38 @@
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+apiVersion: v1
+defaultAddCapabilities:
+- SYS_ADMIN
+fsGroup:
+ type: RunAsAny
+groups:
+- system:cluster-admins
+kind: SecurityContextConstraints
+metadata:
+ annotations:
+ kubernetes.io/description: miq-httpd provides all features of the anyuid SCC but allows users to have SYS_ADMIN capabilities. This is the required scc for Pods requiring to run with systemd and the message bus.
+ creationTimestamp:
+ name: miq-httpd
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- MKNOD
+- SYS_CHROOT
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+users:
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- secret
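Review bot: The restore Job mounts the production claim `manageiq-postgresql` at `/restore`, and nothing in the file prevents it from being created while the database pod is still running; the template's `${NAME}-${DATABASE_SERVICE_NAME}` claim is `ReadWriteOnce`, so the job may either fail to schedule or write into the data directory of a live PostgreSQL. A header comment stating the prerequisite would help, e.g. `# Scale the database pod to 0 before creating this Job; it writes directly into the production database volume`. It would also be worth documenting what `BACKUP_VERSION: latest` selects, since the value is consumed by `restore_db` and not explained anywhere in this file.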
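Review bot: `defaultAddCapabilities: - SYS_ADMIN` adds CAP_SYS_ADMIN to every container admitted under this SCC, which is close to full root on the node, and with `priority: 10` together with `groups: - system:cluster-admins` the SCC will be selected ahead of lower-priority ones for pods created directly by cluster admins, not only for the `miq-httpd` service account the description targets. Consider dropping the `groups` entry and binding the SCC to the service account alone (the role's account tasks presumably do that binding), and record the reason for the capability next to it, e.g. `# SYS_ADMIN is needed because the httpd image runs systemd and the message bus`. The bare `allowedCapabilities:` and `users:` values parse as null; writing `[]` states the intent explicitly and avoids tooling that treats null and empty list differently.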
diff --git a/roles/openshift_cfme/files/miq-template-ext-db.yaml b/roles/openshift_cfme/files/miq-template-ext-db.yaml
new file mode 100644
index 000000000..82cd5d49e
--- /dev/null
+++ b/roles/openshift_cfme/files/miq-template-ext-db.yaml
@@ -0,0 +1,771 @@
+apiVersion: v1
+kind: Template
+labels:
+ template: manageiq-ext-db
+metadata:
+ name: manageiq-ext-db
+ annotations:
+ description: ManageIQ appliance with persistent storage using a external DB host
+ tags: instant-app,manageiq,miq
+ iconClass: icon-rails
+objects:
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: miq-orchestrator
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: miq-anyuid
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: miq-privileged
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: miq-httpd
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${NAME}-secrets"
+ stringData:
+ pg-password: "${DATABASE_PASSWORD}"
+ database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+ v2-key: "${V2_KEY}"
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ stringData:
+ rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+ secret-key: "${ANSIBLE_SECRET_KEY}"
+ admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances ManageIQ pods
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+ name: "${NAME}"
+ spec:
+ clusterIP: None
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ selector:
+ name: "${NAME}"
+- apiVersion: v1
+ kind: Route
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ spec:
+ host: "${APPLICATION_DOMAIN}"
+ port:
+ targetPort: http
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ to:
+ kind: Service
+ name: "${HTTPD_SERVICE_NAME}"
+- apiVersion: apps/v1beta1
+ kind: StatefulSet
+ metadata:
+ name: "${NAME}"
+ annotations:
+ description: Defines how to deploy the ManageIQ appliance
+ spec:
+ serviceName: "${NAME}"
+ replicas: "${APPLICATION_REPLICA_COUNT}"
+ template:
+ metadata:
+ labels:
+ name: "${NAME}"
+ name: "${NAME}"
+ spec:
+ containers:
+ - name: manageiq
+ image: "${APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
+ livenessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: 80
+ scheme: HTTP
+ initialDelaySeconds: 200
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ volumeMounts:
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
+ env:
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_SERVICE_NAME
+ value: "${DATABASE_SERVICE_NAME}"
+ - name: DATABASE_REGION
+ value: "${DATABASE_REGION}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: MEMCACHED_SERVER
+ value: "${MEMCACHED_SERVICE_NAME}:11211"
+ - name: MEMCACHED_SERVICE_NAME
+ value: "${MEMCACHED_SERVICE_NAME}"
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: ANSIBLE_SERVICE_NAME
+ value: "${ANSIBLE_SERVICE_NAME}"
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ resources:
+ requests:
+ memory: "${APPLICATION_MEM_REQ}"
+ cpu: "${APPLICATION_CPU_REQ}"
+ limits:
+ memory: "${APPLICATION_MEM_LIMIT}"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/manageiq/container-scripts/sync-pv-data"
+ serviceAccount: miq-orchestrator
+ serviceAccountName: miq-orchestrator
+ terminationGracePeriodSeconds: 90
+ volumeClaimTemplates:
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Headless service for ManageIQ backend pods
+ name: "${NAME}-backend"
+ spec:
+ clusterIP: None
+ selector:
+ name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+ kind: StatefulSet
+ metadata:
+ name: "${NAME}-backend"
+ annotations:
+ description: Defines how to deploy the ManageIQ appliance
+ spec:
+ serviceName: "${NAME}-backend"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${NAME}-backend"
+ name: "${NAME}-backend"
+ spec:
+ containers:
+ - name: manageiq
+ image: "${APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - MIQ Server
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
+ env:
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: MIQ_SERVER_DEFAULT_ROLES
+ value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+ - name: FRONTEND_SERVICE_NAME
+ value: "${NAME}"
+ - name: MEMCACHED_SERVER
+ value: "${MEMCACHED_SERVICE_NAME}:11211"
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: ANSIBLE_SERVICE_NAME
+ value: "${ANSIBLE_SERVICE_NAME}"
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ resources:
+ requests:
+ memory: "${APPLICATION_MEM_REQ}"
+ cpu: "${APPLICATION_CPU_REQ}"
+ limits:
+ memory: "${APPLICATION_MEM_LIMIT}"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/manageiq/container-scripts/sync-pv-data"
+ serviceAccount: miq-orchestrator
+ serviceAccountName: miq-orchestrator
+ terminationGracePeriodSeconds: 90
+ volumeClaimTemplates:
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ annotations:
+ description: Exposes the memcached server
+ spec:
+ ports:
+ - name: memcached
+ port: 11211
+ targetPort: 11211
+ selector:
+ name: "${MEMCACHED_SERVICE_NAME}"
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy memcached
+ spec:
+ strategy:
+ type: Recreate
+ triggers:
+ - type: ConfigChange
+ replicas: 1
+ selector:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ template:
+ metadata:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ labels:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ spec:
+ volumes: []
+ containers:
+ - name: memcached
+ image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+ ports:
+ - containerPort: 11211
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 5
+ tcpSocket:
+ port: 11211
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 30
+ tcpSocket:
+ port: 11211
+ volumeMounts: []
+ env:
+ - name: MEMCACHED_MAX_MEMORY
+ value: "${MEMCACHED_MAX_MEMORY}"
+ - name: MEMCACHED_MAX_CONNECTIONS
+ value: "${MEMCACHED_MAX_CONNECTIONS}"
+ - name: MEMCACHED_SLAB_PAGE_SIZE
+ value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+ resources:
+ requests:
+ memory: "${MEMCACHED_MEM_REQ}"
+ cpu: "${MEMCACHED_CPU_REQ}"
+ limits:
+ memory: "${MEMCACHED_MEM_LIMIT}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${DATABASE_SERVICE_NAME}"
+ annotations:
+ description: Remote database service
+ spec:
+ ports:
+ - name: postgresql
+ port: 5432
+ targetPort: "${{DATABASE_PORT}}"
+ selector: {}
+- apiVersion: v1
+ kind: Endpoints
+ metadata:
+ name: "${DATABASE_SERVICE_NAME}"
+ subsets:
+ - addresses:
+ - ip: "${DATABASE_IP}"
+ ports:
+ - port: "${{DATABASE_PORT}}"
+ name: postgresql
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances Ansible pods
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy the Ansible appliance
+ spec:
+ strategy:
+ type: Recreate
+ serviceName: "${ANSIBLE_SERVICE_NAME}"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ containers:
+ - name: ansible
+ image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+ livenessProbe:
+ tcpSocket:
+ port: 443
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 200
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 443
+ protocol: TCP
+ securityContext:
+ privileged: true
+ env:
+ - name: ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ - name: RABBITMQ_USER_NAME
+ value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+ - name: RABBITMQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: rabbit-password
+ - name: ANSIBLE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: secret-key
+ - name: DATABASE_SERVICE_NAME
+ value: "${DATABASE_SERVICE_NAME}"
+ - name: POSTGRESQL_USER
+ value: "${DATABASE_USER}"
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: pg-password
+ - name: POSTGRESQL_DATABASE
+ value: "${ANSIBLE_DATABASE_NAME}"
+ resources:
+ requests:
+ memory: "${ANSIBLE_MEM_REQ}"
+ cpu: "${ANSIBLE_CPU_REQ}"
+ limits:
+ memory: "${ANSIBLE_MEM_LIMIT}"
+ serviceAccount: miq-privileged
+ serviceAccountName: miq-privileged
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ data:
+ application.conf: |
+ # Timeout: The number of seconds before receives and sends time out.
+ Timeout 120
+
+ RewriteEngine On
+ Options SymLinksIfOwnerMatch
+
+
+ KeepAlive on
+ ProxyPreserveHost on
+ ProxyPass /ws/ ws://${NAME}/ws/
+ ProxyPassReverse /ws/ ws://${NAME}/ws/
+ ProxyPass / http://${NAME}/
+ ProxyPassReverse / http://${NAME}/
+
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ data:
+ auth-type: internal
+ auth-configuration.conf: |
+ # External Authentication Configuration File
+ #
+ # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy httpd
+ spec:
+ strategy:
+ type: Recreate
+ recreateParams:
+ timeoutSeconds: 1200
+ triggers:
+ - type: ConfigChange
+ replicas: 1
+ selector:
+ name: "${HTTPD_SERVICE_NAME}"
+ template:
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ labels:
+ name: "${HTTPD_SERVICE_NAME}"
+ spec:
+ volumes:
+ - name: httpd-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ - name: httpd-auth-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ containers:
+ - name: httpd
+ image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+ ports:
+ - containerPort: 80
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - httpd
+ initialDelaySeconds: 15
+ timeoutSeconds: 3
+ readinessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 10
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: httpd-config
+ mountPath: "${HTTPD_CONFIG_DIR}"
+ - name: httpd-auth-config
+ mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+ resources:
+ requests:
+ memory: "${HTTPD_MEM_REQ}"
+ cpu: "${HTTPD_CPU_REQ}"
+ limits:
+ memory: "${HTTPD_MEM_LIMIT}"
+ env:
+ - name: HTTPD_AUTH_TYPE
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-type
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - "/usr/bin/save-container-environment"
+ serviceAccount: miq-anyuid
+ serviceAccountName: miq-anyuid
+parameters:
+- name: NAME
+ displayName: Name
+ required: true
+ description: The name assigned to all of the frontend objects defined in this template.
+ value: manageiq
+- name: V2_KEY
+ displayName: ManageIQ Encryption Key
+ required: true
+ description: Encryption Key for ManageIQ Passwords
+ from: "[a-zA-Z0-9]{43}"
+ generate: expression
+- name: DATABASE_SERVICE_NAME
+ displayName: PostgreSQL Service Name
+ required: true
+ description: The name of the OpenShift Service exposed for the PostgreSQL container.
+ value: postgresql
+- name: DATABASE_USER
+ displayName: PostgreSQL User
+ required: true
+ description: PostgreSQL user that will access the database.
+ value: root
+- name: DATABASE_PASSWORD
+ displayName: PostgreSQL Password
+ required: true
+ description: Password for the PostgreSQL user.
+ from: "[a-zA-Z0-9]{8}"
+ generate: expression
+- name: DATABASE_IP
+ displayName: PostgreSQL Server IP
+ required: true
+ description: PostgreSQL external server IP used to configure service.
+ value: ''
+- name: DATABASE_PORT
+ displayName: PostgreSQL Server Port
+ required: true
+ description: PostgreSQL external server port used to configure service.
+ value: '5432'
+- name: DATABASE_NAME
+ required: true
+ displayName: PostgreSQL Database Name
+ description: Name of the PostgreSQL database accessed.
+ value: vmdb_production
+- name: DATABASE_REGION
+ required: true
+ displayName: Application Database Region
+ description: Database region that will be used for application.
+ value: '0'
+- name: ANSIBLE_DATABASE_NAME
+ displayName: Ansible PostgreSQL database name
+ required: true
+ description: The database to be used by the Ansible continer
+ value: awx
+- name: MEMCACHED_SERVICE_NAME
+ required: true
+ displayName: Memcached Service Name
+ description: The name of the OpenShift Service exposed for the Memcached container.
+ value: memcached
+- name: MEMCACHED_MAX_MEMORY
+ displayName: Memcached Max Memory
+ description: Memcached maximum memory for memcached object storage in MB.
+ value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+ displayName: Memcached Max Connections
+ description: Memcached maximum number of connections allowed.
+ value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+ displayName: Memcached Slab Page Size
+ description: Memcached size of each slab page.
+ value: 1m
+- name: ANSIBLE_SERVICE_NAME
+ displayName: Ansible Service Name
+ description: The name of the OpenShift Service exposed for the Ansible container.
+ value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+ displayName: Ansible admin User password
+ required: true
+ description: The password for the Ansible container admin user
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: ANSIBLE_SECRET_KEY
+ displayName: Ansible Secret Key
+ required: true
+ description: Encryption key for the Ansible container
+ from: "[a-f0-9]{32}"
+ generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+ displayName: RabbitMQ Username
+ required: true
+ description: Username for the Ansible RabbitMQ Server
+ value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+ displayName: RabbitMQ Server Password
+ required: true
+ description: Password for the Ansible RabbitMQ Server
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: APPLICATION_CPU_REQ
+ displayName: Application Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+ value: 1000m
+- name: MEMCACHED_CPU_REQ
+ displayName: Memcached Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+ value: 200m
+- name: ANSIBLE_CPU_REQ
+ displayName: Ansible Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+ value: 1000m
+- name: APPLICATION_MEM_REQ
+ displayName: Application Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Application container will need.
+ value: 6144Mi
+- name: MEMCACHED_MEM_REQ
+ displayName: Memcached Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Memcached container will need.
+ value: 64Mi
+- name: ANSIBLE_MEM_REQ
+ displayName: Ansible Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Ansible container will need.
+ value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+ displayName: Application Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Application container can consume.
+ value: 16384Mi
+- name: MEMCACHED_MEM_LIMIT
+ displayName: Memcached Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Memcached container can consume.
+ value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+ displayName: Ansible Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Ansible container can consume.
+ value: 8096Mi
+- name: MEMCACHED_IMG_NAME
+ displayName: Memcached Image Name
+ description: This is the Memcached image name requested to deploy.
+ value: docker.io/manageiq/memcached
+- name: MEMCACHED_IMG_TAG
+ displayName: Memcached Image Tag
+ description: This is the Memcached image tag/version requested to deploy.
+ value: latest
+- name: APPLICATION_IMG_NAME
+ displayName: Application Image Name
+ description: This is the Application image name requested to deploy.
+ value: docker.io/manageiq/manageiq-pods
+- name: FRONTEND_APPLICATION_IMG_TAG
+ displayName: Front end Application Image Tag
+ description: This is the ManageIQ Frontend Application image tag/version requested to deploy.
+ value: frontend-latest
+- name: BACKEND_APPLICATION_IMG_TAG
+ displayName: Back end Application Image Tag
+ description: This is the ManageIQ Backend Application image tag/version requested to deploy.
+ value: backend-latest
+- name: ANSIBLE_IMG_NAME
+ displayName: Ansible Image Name
+ description: This is the Ansible image name requested to deploy.
+ value: docker.io/manageiq/embedded-ansible
+- name: ANSIBLE_IMG_TAG
+ displayName: Ansible Image Tag
+ description: This is the Ansible image tag/version requested to deploy.
+ value: latest
+- name: APPLICATION_DOMAIN
+ displayName: Application Hostname
+ description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+ value: ''
+- name: APPLICATION_REPLICA_COUNT
+ displayName: Application Replica Count
+ description: This is the number of Application replicas requested to deploy.
+ value: '1'
+- name: APPLICATION_INIT_DELAY
+ displayName: Application Init Delay
+ required: true
+ description: Delay in seconds before we attempt to initialize the application.
+ value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+ displayName: Application Volume Capacity
+ required: true
+ description: Volume space available for application data.
+ value: 5Gi
+- name: HTTPD_SERVICE_NAME
+ required: true
+ displayName: Apache httpd Service Name
+ description: The name of the OpenShift Service exposed for the httpd container.
+ value: httpd
+- name: HTTPD_IMG_NAME
+ displayName: Apache httpd Image Name
+ description: This is the httpd image name requested to deploy.
+ value: docker.io/manageiq/httpd
+- name: HTTPD_IMG_TAG
+ displayName: Apache httpd Image Tag
+ description: This is the httpd image tag/version requested to deploy.
+ value: latest
+- name: HTTPD_CONFIG_DIR
+ displayName: Apache httpd Configuration Directory
+ description: Directory used to store the Apache configuration files.
+ value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+ displayName: External Authentication Configuration Directory
+ description: Directory used to store the external authentication configuration files.
+ value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+ displayName: Apache httpd Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+ value: 500m
+- name: HTTPD_MEM_REQ
+ displayName: Apache httpd Min RAM Requested
+ required: true
+ description: Minimum amount of memory the httpd container will need.
+ value: 512Mi
+- name: HTTPD_MEM_LIMIT
+ displayName: Apache httpd Max RAM Limit
+ required: true
+ description: Maximum amount of memory the httpd container can consume.
+ value: 8192Mi
diff --git a/roles/openshift_cfme/files/miq-template.yaml b/roles/openshift_cfme/files/miq-template.yaml
index 8f0d2af38..3f5a12205 100644
--- a/roles/openshift_cfme/files/miq-template.yaml
+++ b/roles/openshift_cfme/files/miq-template.yaml
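Review bot: The httpd Service selects pods with a hardcoded `selector: name: httpd`, while the httpd DeploymentConfig labels its pods `name: "${HTTPD_SERVICE_NAME}"`, so any deployment that overrides HTTPD_SERVICE_NAME ends up with a Route pointing at a Service with no endpoints; the selector should read `name: "${HTTPD_SERVICE_NAME}"`. In the parameters, `DATABASE_PASSWORD` is marked `required: true` but also carries `generate: expression` with `from: "[a-zA-Z0-9]{8}"`; for an external database that generated default can never be correct, so forgetting to pass the parameter yields a random password written into `${NAME}-secrets` and a silent connection failure rather than a processing error, and dropping the `from`/`generate` lines would make `oc process` fail fast instead. The same applies to `DATABASE_IP`, whose `value: ''` default produces an Endpoints object with an empty address.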
@@ -1,566 +1,948 @@ ---- -path: /tmp/miq-template-out -data: - apiVersion: v1 - kind: Template - labels: - template: manageiq +apiVersion: v1 +kind: Template +labels: + template: manageiq +metadata: + name: manageiq + annotations: + description: ManageIQ appliance with persistent storage + tags: instant-app,manageiq,miq + iconClass: icon-rails +objects: +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: miq-orchestrator +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: miq-anyuid +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: miq-privileged +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: miq-httpd +- apiVersion: v1 + kind: Secret + metadata: + name: "${NAME}-secrets" + stringData: + pg-password: "${DATABASE_PASSWORD}" + database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5 + v2-key: "${V2_KEY}" +- apiVersion: v1 + kind: Secret + metadata: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + stringData: + rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}" + secret-key: "${ANSIBLE_SECRET_KEY}" + admin-password: "${ANSIBLE_ADMIN_PASSWORD}" +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "${DATABASE_SERVICE_NAME}-configs" + data: + 01_miq_overrides.conf: | + #------------------------------------------------------------------------------ + # CONNECTIONS AND AUTHENTICATION + #------------------------------------------------------------------------------ + + tcp_keepalives_count = 9 + tcp_keepalives_idle = 3 + tcp_keepalives_interval = 75 + + #------------------------------------------------------------------------------ + # RESOURCE USAGE (except WAL) + #------------------------------------------------------------------------------ + + shared_preload_libraries = 'pglogical,repmgr_funcs' + max_worker_processes = 10 + + #------------------------------------------------------------------------------ + # WRITE AHEAD LOG + 
#------------------------------------------------------------------------------ + + wal_level = 'logical' + wal_log_hints = on + wal_buffers = 16MB + checkpoint_completion_target = 0.9 + + #------------------------------------------------------------------------------ + # REPLICATION + #------------------------------------------------------------------------------ + + max_wal_senders = 10 + wal_sender_timeout = 0 + max_replication_slots = 10 + hot_standby = on + + #------------------------------------------------------------------------------ + # ERROR REPORTING AND LOGGING + #------------------------------------------------------------------------------ + + log_filename = 'postgresql.log' + log_rotation_age = 0 + log_min_duration_statement = 5000 + log_connections = on + log_disconnections = on + log_line_prefix = '%t:%r:%c:%u@%d:[%p]:' + log_lock_waits = on + + #------------------------------------------------------------------------------ + # AUTOVACUUM PARAMETERS + #------------------------------------------------------------------------------ + + log_autovacuum_min_duration = 0 + autovacuum_naptime = 5min + autovacuum_vacuum_threshold = 500 + autovacuum_analyze_threshold = 500 + autovacuum_vacuum_scale_factor = 0.05 + + #------------------------------------------------------------------------------ + # LOCK MANAGEMENT + #------------------------------------------------------------------------------ + + deadlock_timeout = 5s + + #------------------------------------------------------------------------------ + # VERSION/PLATFORM COMPATIBILITY + #------------------------------------------------------------------------------ + + escape_string_warning = off + standard_conforming_strings = off +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "${HTTPD_SERVICE_NAME}-configs" + data: + application.conf: | + # Timeout: The number of seconds before receives and sends time out. 
+ Timeout 120 + + RewriteEngine On + Options SymLinksIfOwnerMatch + + + KeepAlive on + ProxyPreserveHost on + ProxyPass /ws/ ws://${NAME}/ws/ + ProxyPassReverse /ws/ ws://${NAME}/ws/ + ProxyPass / http://${NAME}/ + ProxyPassReverse / http://${NAME}/ + +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + data: + auth-type: internal + auth-configuration.conf: | + # External Authentication Configuration File + # + # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication +- apiVersion: v1 + kind: Service metadata: - name: manageiq annotations: - description: "ManageIQ appliance with persistent storage" - tags: "instant-app,manageiq,miq" - iconClass: "icon-rails" - objects: - - apiVersion: v1 - kind: Secret - metadata: - name: "${NAME}-secrets" - stringData: - pg-password: "${DATABASE_PASSWORD}" - - apiVersion: v1 - kind: Service - metadata: - annotations: - description: "Exposes and load balances ManageIQ pods" - service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]' - name: ${NAME} - spec: - clusterIP: None - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - selector: - name: ${NAME} - - apiVersion: v1 - kind: Route - metadata: - name: ${NAME} - spec: - host: ${APPLICATION_DOMAIN} - port: - targetPort: https - tls: - termination: passthrough - to: - kind: Service - name: ${NAME} - - apiVersion: v1 - kind: ImageStream - metadata: - name: miq-app - annotations: - description: "Keeps track of the ManageIQ image changes" - spec: - dockerImageRepository: "${APPLICATION_IMG_NAME}" - - apiVersion: v1 - kind: ImageStream - metadata: - name: miq-postgresql - annotations: - description: "Keeps track of the PostgreSQL image changes" - spec: - 
dockerImageRepository: "${POSTGRESQL_IMG_NAME}" - - apiVersion: v1 - kind: ImageStream - metadata: - name: miq-memcached - annotations: - description: "Keeps track of the Memcached image changes" - spec: - dockerImageRepository: "${MEMCACHED_IMG_NAME}" - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: "${NAME}-${DATABASE_SERVICE_NAME}" - spec: - accessModes: + description: Exposes and load balances ManageIQ pods + service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]' + name: "${NAME}" + spec: + clusterIP: None + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + selector: + name: "${NAME}" +- apiVersion: v1 + kind: Route + metadata: + name: "${HTTPD_SERVICE_NAME}" + spec: + host: "${APPLICATION_DOMAIN}" + port: + targetPort: http + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect + to: + kind: Service + name: "${HTTPD_SERVICE_NAME}" +- apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: "${NAME}-${DATABASE_SERVICE_NAME}" + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "${DATABASE_VOLUME_CAPACITY}" +- apiVersion: apps/v1beta1 + kind: StatefulSet + metadata: + name: "${NAME}" + annotations: + description: Defines how to deploy the ManageIQ appliance + spec: + serviceName: "${NAME}" + replicas: "${APPLICATION_REPLICA_COUNT}" + template: + metadata: + labels: + name: "${NAME}" + name: "${NAME}" + spec: + containers: + - name: manageiq + image: "${APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}" + livenessProbe: + tcpSocket: + port: 80 + initialDelaySeconds: 480 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: "/" + port: 80 + scheme: HTTP + initialDelaySeconds: 200 + timeoutSeconds: 3 + ports: + - containerPort: 80 + protocol: TCP + volumeMounts: + - name: "${NAME}-server" + mountPath: "/persistent" + env: + - name: MY_POD_NAMESPACE + 
valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: APPLICATION_INIT_DELAY + value: "${APPLICATION_INIT_DELAY}" + - name: DATABASE_SERVICE_NAME + value: "${DATABASE_SERVICE_NAME}" + - name: DATABASE_REGION + value: "${DATABASE_REGION}" + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: database-url + - name: MEMCACHED_SERVER + value: "${MEMCACHED_SERVICE_NAME}:11211" + - name: MEMCACHED_SERVICE_NAME + value: "${MEMCACHED_SERVICE_NAME}" + - name: V2_KEY + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: v2-key + - name: ANSIBLE_SERVICE_NAME + value: "${ANSIBLE_SERVICE_NAME}" + - name: ANSIBLE_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: admin-password + resources: + requests: + memory: "${APPLICATION_MEM_REQ}" + cpu: "${APPLICATION_CPU_REQ}" + limits: + memory: "${APPLICATION_MEM_LIMIT}" + lifecycle: + preStop: + exec: + command: + - "/opt/manageiq/container-scripts/sync-pv-data" + serviceAccount: miq-orchestrator + serviceAccountName: miq-orchestrator + terminationGracePeriodSeconds: 90 + volumeClaimTemplates: + - metadata: + name: "${NAME}-server" + annotations: + spec: + accessModes: - ReadWriteOnce - resources: - requests: - storage: ${DATABASE_VOLUME_CAPACITY} - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: "${NAME}-region" - spec: - accessModes: + resources: + requests: + storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 + kind: Service + metadata: + annotations: + description: Headless service for ManageIQ backend pods + name: "${NAME}-backend" + spec: + clusterIP: None + selector: + name: "${NAME}-backend" +- apiVersion: apps/v1beta1 + kind: StatefulSet + metadata: + name: "${NAME}-backend" + annotations: + description: Defines how to deploy the ManageIQ appliance + spec: + serviceName: "${NAME}-backend" + replicas: 0 + template: + metadata: + labels: + name: "${NAME}-backend" + name: "${NAME}-backend" + spec: + containers: 
+ - name: manageiq + image: "${APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}" + livenessProbe: + exec: + command: + - pidof + - MIQ Server + initialDelaySeconds: 480 + timeoutSeconds: 3 + volumeMounts: + - name: "${NAME}-server" + mountPath: "/persistent" + env: + - name: APPLICATION_INIT_DELAY + value: "${APPLICATION_INIT_DELAY}" + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: database-url + - name: MIQ_SERVER_DEFAULT_ROLES + value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate + - name: FRONTEND_SERVICE_NAME + value: "${NAME}" + - name: MEMCACHED_SERVER + value: "${MEMCACHED_SERVICE_NAME}:11211" + - name: V2_KEY + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: v2-key + - name: ANSIBLE_SERVICE_NAME + value: "${ANSIBLE_SERVICE_NAME}" + - name: ANSIBLE_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: admin-password + resources: + requests: + memory: "${APPLICATION_MEM_REQ}" + cpu: "${APPLICATION_CPU_REQ}" + limits: + memory: "${APPLICATION_MEM_LIMIT}" + lifecycle: + preStop: + exec: + command: + - "/opt/manageiq/container-scripts/sync-pv-data" + serviceAccount: miq-orchestrator + serviceAccountName: miq-orchestrator + terminationGracePeriodSeconds: 90 + volumeClaimTemplates: + - metadata: + name: "${NAME}-server" + annotations: + spec: + accessModes: - ReadWriteOnce - resources: - requests: - storage: ${APPLICATION_REGION_VOLUME_CAPACITY} - - apiVersion: apps/v1beta1 - kind: "StatefulSet" - metadata: - name: ${NAME} - annotations: - description: "Defines how to deploy the ManageIQ appliance" - spec: - serviceName: "${NAME}" - replicas: "${APPLICATION_REPLICA_COUNT}" - template: - metadata: - labels: - name: ${NAME} - name: ${NAME} - spec: - containers: - - name: manageiq - image: "${APPLICATION_IMG_NAME}:${APPLICATION_IMG_TAG}" - livenessProbe: - tcpSocket: - port: 443 - initialDelaySeconds: 480 - timeoutSeconds: 3 - 
readinessProbe: - httpGet: - path: / - port: 443 - scheme: HTTPS - initialDelaySeconds: 200 - timeoutSeconds: 3 - ports: - - containerPort: 80 - protocol: TCP - - containerPort: 443 - protocol: TCP - securityContext: - privileged: true - volumeMounts: - - - name: "${NAME}-server" - mountPath: "/persistent" - - - name: "${NAME}-region" - mountPath: "/persistent-region" - env: - - - name: "APPLICATION_INIT_DELAY" - value: "${APPLICATION_INIT_DELAY}" - - - name: "DATABASE_SERVICE_NAME" - value: "${DATABASE_SERVICE_NAME}" - - - name: "DATABASE_REGION" - value: "${DATABASE_REGION}" - - - name: "MEMCACHED_SERVICE_NAME" - value: "${MEMCACHED_SERVICE_NAME}" - - - name: "POSTGRESQL_USER" - value: "${DATABASE_USER}" - - - name: "POSTGRESQL_PASSWORD" - valueFrom: - secretKeyRef: - name: "${NAME}-secrets" - key: "pg-password" - - - name: "POSTGRESQL_DATABASE" - value: "${DATABASE_NAME}" - - - name: "POSTGRESQL_MAX_CONNECTIONS" - value: "${POSTGRESQL_MAX_CONNECTIONS}" - - - name: "POSTGRESQL_SHARED_BUFFERS" - value: "${POSTGRESQL_SHARED_BUFFERS}" - resources: - requests: - memory: "${APPLICATION_MEM_REQ}" - cpu: "${APPLICATION_CPU_REQ}" - limits: - memory: "${APPLICATION_MEM_LIMIT}" - lifecycle: - preStop: - exec: - command: - - /opt/manageiq/container-scripts/sync-pv-data - volumes: - - - name: "${NAME}-region" - persistentVolumeClaim: - claimName: ${NAME}-region - volumeClaimTemplates: - - metadata: - name: "${NAME}-server" - annotations: - # Uncomment this if using dynamic volume provisioning. 
- # https://docs.openshift.org/latest/install_config/persistent_storage/dynamically_provisioning_pvs.html - # volume.alpha.kubernetes.io/storage-class: anything - spec: - accessModes: [ ReadWriteOnce ] - resources: - requests: - storage: "${APPLICATION_VOLUME_CAPACITY}" - - apiVersion: v1 - kind: "Service" - metadata: + resources: + requests: + storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 + kind: Service + metadata: + name: "${MEMCACHED_SERVICE_NAME}" + annotations: + description: Exposes the memcached server + spec: + ports: + - name: memcached + port: 11211 + targetPort: 11211 + selector: name: "${MEMCACHED_SERVICE_NAME}" - annotations: - description: "Exposes the memcached server" - spec: - ports: - - - name: "memcached" - port: 11211 - targetPort: 11211 - selector: - name: "${MEMCACHED_SERVICE_NAME}" - - apiVersion: v1 - kind: "DeploymentConfig" - metadata: +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${MEMCACHED_SERVICE_NAME}" + annotations: + description: Defines how to deploy memcached + spec: + strategy: + type: Recreate + triggers: + - type: ConfigChange + replicas: 1 + selector: name: "${MEMCACHED_SERVICE_NAME}" - annotations: - description: "Defines how to deploy memcached" - spec: - strategy: - type: "Recreate" - triggers: - - - type: "ImageChange" - imageChangeParams: - automatic: true - containerNames: - - "memcached" - from: - kind: "ImageStreamTag" - name: "miq-memcached:${MEMCACHED_IMG_TAG}" - - - type: "ConfigChange" - replicas: 1 - selector: + template: + metadata: name: "${MEMCACHED_SERVICE_NAME}" - template: - metadata: + labels: name: "${MEMCACHED_SERVICE_NAME}" - labels: - name: "${MEMCACHED_SERVICE_NAME}" - spec: - volumes: [] - containers: - - - name: "memcached" - image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}" - ports: - - - containerPort: 11211 - readinessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 5 - tcpSocket: - port: 11211 - livenessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 30 - 
tcpSocket: - port: 11211 - volumeMounts: [] - env: - - - name: "MEMCACHED_MAX_MEMORY" - value: "${MEMCACHED_MAX_MEMORY}" - - - name: "MEMCACHED_MAX_CONNECTIONS" - value: "${MEMCACHED_MAX_CONNECTIONS}" - - - name: "MEMCACHED_SLAB_PAGE_SIZE" - value: "${MEMCACHED_SLAB_PAGE_SIZE}" - resources: - requests: - memory: "${MEMCACHED_MEM_REQ}" - cpu: "${MEMCACHED_CPU_REQ}" - limits: - memory: "${MEMCACHED_MEM_LIMIT}" - - apiVersion: v1 - kind: "Service" - metadata: + spec: + volumes: [] + containers: + - name: memcached + image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}" + ports: + - containerPort: 11211 + readinessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 5 + tcpSocket: + port: 11211 + livenessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 30 + tcpSocket: + port: 11211 + volumeMounts: [] + env: + - name: MEMCACHED_MAX_MEMORY + value: "${MEMCACHED_MAX_MEMORY}" + - name: MEMCACHED_MAX_CONNECTIONS + value: "${MEMCACHED_MAX_CONNECTIONS}" + - name: MEMCACHED_SLAB_PAGE_SIZE + value: "${MEMCACHED_SLAB_PAGE_SIZE}" + resources: + requests: + memory: "${MEMCACHED_MEM_REQ}" + cpu: "${MEMCACHED_CPU_REQ}" + limits: + memory: "${MEMCACHED_MEM_LIMIT}" +- apiVersion: v1 + kind: Service + metadata: + name: "${DATABASE_SERVICE_NAME}" + annotations: + description: Exposes the database server + spec: + ports: + - name: postgresql + port: 5432 + targetPort: 5432 + selector: name: "${DATABASE_SERVICE_NAME}" - annotations: - description: "Exposes the database server" - spec: - ports: - - - name: "postgresql" - port: 5432 - targetPort: 5432 - selector: - name: "${DATABASE_SERVICE_NAME}" - - apiVersion: v1 - kind: "DeploymentConfig" - metadata: +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${DATABASE_SERVICE_NAME}" + annotations: + description: Defines how to deploy the database + spec: + strategy: + type: Recreate + triggers: + - type: ConfigChange + replicas: 1 + selector: name: "${DATABASE_SERVICE_NAME}" - annotations: - description: "Defines how to deploy the 
database" - spec: - strategy: - type: "Recreate" - triggers: - - - type: "ImageChange" - imageChangeParams: - automatic: true - containerNames: - - "postgresql" - from: - kind: "ImageStreamTag" - name: "miq-postgresql:${POSTGRESQL_IMG_TAG}" - - - type: "ConfigChange" - replicas: 1 - selector: + template: + metadata: name: "${DATABASE_SERVICE_NAME}" - template: - metadata: + labels: name: "${DATABASE_SERVICE_NAME}" - labels: - name: "${DATABASE_SERVICE_NAME}" - spec: - volumes: - - - name: "miq-pgdb-volume" - persistentVolumeClaim: - claimName: "${NAME}-${DATABASE_SERVICE_NAME}" - containers: - - - name: "postgresql" - image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}" - ports: - - - containerPort: 5432 - readinessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 15 - exec: - command: - - "/bin/sh" - - "-i" - - "-c" - - "psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'" - livenessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 60 - tcpSocket: - port: 5432 - volumeMounts: - - - name: "miq-pgdb-volume" - mountPath: "/var/lib/pgsql/data" - env: - - - name: "POSTGRESQL_USER" - value: "${DATABASE_USER}" - - - name: "POSTGRESQL_PASSWORD" - valueFrom: - secretKeyRef: - name: "${NAME}-secrets" - key: "pg-password" - - - name: "POSTGRESQL_DATABASE" - value: "${DATABASE_NAME}" - - - name: "POSTGRESQL_MAX_CONNECTIONS" - value: "${POSTGRESQL_MAX_CONNECTIONS}" - - - name: "POSTGRESQL_SHARED_BUFFERS" - value: "${POSTGRESQL_SHARED_BUFFERS}" - resources: - requests: - memory: "${POSTGRESQL_MEM_REQ}" - cpu: "${POSTGRESQL_CPU_REQ}" - limits: - memory: "${POSTGRESQL_MEM_LIMIT}" - - parameters: - - - name: "NAME" - displayName: Name - required: true - description: "The name assigned to all of the frontend objects defined in this template." - value: manageiq - - - name: "DATABASE_SERVICE_NAME" - displayName: "PostgreSQL Service Name" - required: true - description: "The name of the OpenShift Service exposed for the PostgreSQL container." 
- value: "postgresql" - - - name: "DATABASE_USER" - displayName: "PostgreSQL User" - required: true - description: "PostgreSQL user that will access the database." - value: "root" - - - name: "DATABASE_PASSWORD" - displayName: "PostgreSQL Password" - required: true - description: "Password for the PostgreSQL user." - from: "[a-zA-Z0-9]{8}" - generate: expression - - - name: "DATABASE_NAME" - required: true - displayName: "PostgreSQL Database Name" - description: "Name of the PostgreSQL database accessed." - value: "vmdb_production" - - - name: "DATABASE_REGION" - required: true - displayName: "Application Database Region" - description: "Database region that will be used for application." - value: "0" - - - name: "MEMCACHED_SERVICE_NAME" - required: true - displayName: "Memcached Service Name" - description: "The name of the OpenShift Service exposed for the Memcached container." - value: "memcached" - - - name: "MEMCACHED_MAX_MEMORY" - displayName: "Memcached Max Memory" - description: "Memcached maximum memory for memcached object storage in MB." - value: "64" - - - name: "MEMCACHED_MAX_CONNECTIONS" - displayName: "Memcached Max Connections" - description: "Memcached maximum number of connections allowed." - value: "1024" - - - name: "MEMCACHED_SLAB_PAGE_SIZE" - displayName: "Memcached Slab Page Size" - description: "Memcached size of each slab page." - value: "1m" - - - name: "POSTGRESQL_MAX_CONNECTIONS" - displayName: "PostgreSQL Max Connections" - description: "PostgreSQL maximum number of database connections allowed." - value: "100" - - - name: "POSTGRESQL_SHARED_BUFFERS" - displayName: "PostgreSQL Shared Buffer Amount" - description: "Amount of memory dedicated for PostgreSQL shared memory buffers." - value: "256MB" - - - name: "APPLICATION_CPU_REQ" - displayName: "Application Min CPU Requested" - required: true - description: "Minimum amount of CPU time the Application container will need (expressed in millicores)." 
- value: "1000m" - - - name: "POSTGRESQL_CPU_REQ" - displayName: "PostgreSQL Min CPU Requested" - required: true - description: "Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores)." - value: "500m" - - - name: "MEMCACHED_CPU_REQ" - displayName: "Memcached Min CPU Requested" - required: true - description: "Minimum amount of CPU time the Memcached container will need (expressed in millicores)." - value: "200m" - - - name: "APPLICATION_MEM_REQ" - displayName: "Application Min RAM Requested" - required: true - description: "Minimum amount of memory the Application container will need." - value: "6144Mi" - - - name: "POSTGRESQL_MEM_REQ" - displayName: "PostgreSQL Min RAM Requested" - required: true - description: "Minimum amount of memory the PostgreSQL container will need." - value: "1024Mi" - - - name: "MEMCACHED_MEM_REQ" - displayName: "Memcached Min RAM Requested" - required: true - description: "Minimum amount of memory the Memcached container will need." - value: "64Mi" - - - name: "APPLICATION_MEM_LIMIT" - displayName: "Application Max RAM Limit" - required: true - description: "Maximum amount of memory the Application container can consume." - value: "16384Mi" - - - name: "POSTGRESQL_MEM_LIMIT" - displayName: "PostgreSQL Max RAM Limit" - required: true - description: "Maximum amount of memory the PostgreSQL container can consume." - value: "8192Mi" - - - name: "MEMCACHED_MEM_LIMIT" - displayName: "Memcached Max RAM Limit" - required: true - description: "Maximum amount of memory the Memcached container can consume." - value: "256Mi" - - - name: "POSTGRESQL_IMG_NAME" - displayName: "PostgreSQL Image Name" - description: "This is the PostgreSQL image name requested to deploy." - value: "docker.io/manageiq/manageiq-pods" - - - name: "POSTGRESQL_IMG_TAG" - displayName: "PostgreSQL Image Tag" - description: "This is the PostgreSQL image tag/version requested to deploy." 
- value: "postgresql-latest-fine" - - - name: "MEMCACHED_IMG_NAME" - displayName: "Memcached Image Name" - description: "This is the Memcached image name requested to deploy." - value: "docker.io/manageiq/manageiq-pods" - - - name: "MEMCACHED_IMG_TAG" - displayName: "Memcached Image Tag" - description: "This is the Memcached image tag/version requested to deploy." - value: "memcached-latest-fine" - - - name: "APPLICATION_IMG_NAME" - displayName: "Application Image Name" - description: "This is the Application image name requested to deploy." - value: "docker.io/manageiq/manageiq-pods" - - - name: "APPLICATION_IMG_TAG" - displayName: "Application Image Tag" - description: "This is the Application image tag/version requested to deploy." - value: "app-latest-fine" - - - name: "APPLICATION_DOMAIN" - displayName: "Application Hostname" - description: "The exposed hostname that will route to the application service, if left blank a value will be defaulted." - value: "" - - - name: "APPLICATION_REPLICA_COUNT" - displayName: "Application Replica Count" - description: "This is the number of Application replicas requested to deploy." - value: "1" - - - name: "APPLICATION_INIT_DELAY" - displayName: "Application Init Delay" - required: true - description: "Delay in seconds before we attempt to initialize the application." - value: "15" - - - name: "APPLICATION_VOLUME_CAPACITY" - displayName: "Application Volume Capacity" - required: true - description: "Volume space available for application data." - value: "5Gi" - - - name: "APPLICATION_REGION_VOLUME_CAPACITY" - displayName: "Application Region Volume Capacity" - required: true - description: "Volume space available for region application data." - value: "5Gi" - - - name: "DATABASE_VOLUME_CAPACITY" - displayName: "Database Volume Capacity" - required: true - description: "Volume space available for database." 
- value: "15Gi"
+ spec:
+ volumes:
+ - name: miq-pgdb-volume
+ persistentVolumeClaim:
+ claimName: "${NAME}-${DATABASE_SERVICE_NAME}"
+ - name: miq-pg-configs
+ configMap:
+ name: "${DATABASE_SERVICE_NAME}-configs"
+ containers:
+ - name: postgresql
+ image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"
+ ports:
+ - containerPort: 5432
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 15
+ exec:
+ command:
+ - "/bin/sh"
+ - "-i"
+ - "-c"
+ - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 60
+ tcpSocket:
+ port: 5432
+ volumeMounts:
+ - name: miq-pgdb-volume
+ mountPath: "/var/lib/pgsql/data"
+ - name: miq-pg-configs
+ mountPath: "${POSTGRESQL_CONFIG_DIR}"
+ env:
+ - name: POSTGRESQL_USER
+ value: "${DATABASE_USER}"
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: pg-password
+ - name: POSTGRESQL_DATABASE
+ value: "${DATABASE_NAME}"
+ - name: POSTGRESQL_MAX_CONNECTIONS
+ value: "${POSTGRESQL_MAX_CONNECTIONS}"
+ - name: POSTGRESQL_SHARED_BUFFERS
+ value: "${POSTGRESQL_SHARED_BUFFERS}"
+ - name: POSTGRESQL_CONFIG_DIR
+ value: "${POSTGRESQL_CONFIG_DIR}"
+ resources:
+ requests:
+ memory: "${POSTGRESQL_MEM_REQ}"
+ cpu: "${POSTGRESQL_CPU_REQ}"
+ limits:
+ memory: "${POSTGRESQL_MEM_LIMIT}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances Ansible pods
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy the Ansible appliance
+ spec:
+ strategy:
+ type: 
Recreate
+ serviceName: "${ANSIBLE_SERVICE_NAME}"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ containers:
+ - name: ansible
+ image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+ livenessProbe:
+ tcpSocket:
+ port: 443
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 200
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 443
+ protocol: TCP
+ securityContext:
+ privileged: true
+ env:
+ - name: ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ - name: RABBITMQ_USER_NAME
+ value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+ - name: RABBITMQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: rabbit-password
+ - name: ANSIBLE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: secret-key
+ - name: DATABASE_SERVICE_NAME
+ value: "${DATABASE_SERVICE_NAME}"
+ - name: POSTGRESQL_USER
+ value: "${DATABASE_USER}"
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: pg-password
+ - name: POSTGRESQL_DATABASE
+ value: "${ANSIBLE_DATABASE_NAME}"
+ resources:
+ requests:
+ memory: "${ANSIBLE_MEM_REQ}"
+ cpu: "${ANSIBLE_CPU_REQ}"
+ limits:
+ memory: "${ANSIBLE_MEM_LIMIT}"
+ serviceAccount: miq-privileged
+ serviceAccountName: miq-privileged
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy httpd
+ spec:
+ strategy:
+ type: 
Recreate
+ recreateParams:
+ timeoutSeconds: 1200
+ triggers:
+ - type: ConfigChange
+ replicas: 1
+ selector:
+ name: "${HTTPD_SERVICE_NAME}"
+ template:
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ labels:
+ name: "${HTTPD_SERVICE_NAME}"
+ spec:
+ volumes:
+ - name: httpd-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ - name: httpd-auth-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ containers:
+ - name: httpd
+ image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+ ports:
+ - containerPort: 80
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - httpd
+ initialDelaySeconds: 15
+ timeoutSeconds: 3
+ readinessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 10
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: httpd-config
+ mountPath: "${HTTPD_CONFIG_DIR}"
+ - name: httpd-auth-config
+ mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+ resources:
+ requests:
+ memory: "${HTTPD_MEM_REQ}"
+ cpu: "${HTTPD_CPU_REQ}"
+ limits:
+ memory: "${HTTPD_MEM_LIMIT}"
+ env:
+ - name: HTTPD_AUTH_TYPE
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-type
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - "/usr/bin/save-container-environment"
+ serviceAccount: miq-anyuid
+ serviceAccountName: miq-anyuid
+parameters:
+- name: NAME
+ displayName: Name
+ required: true
+ description: The name assigned to all of the frontend objects defined in this template.
+ value: manageiq
+- name: V2_KEY
+ displayName: ManageIQ Encryption Key
+ required: true
+ description: Encryption Key for ManageIQ Passwords
+ from: "[a-zA-Z0-9]{43}"
+ generate: expression
+- name: DATABASE_SERVICE_NAME
+ displayName: PostgreSQL Service Name
+ required: true
+ description: The name of the OpenShift Service exposed for the PostgreSQL container.
+ value: postgresql
+- name: DATABASE_USER
+ displayName: PostgreSQL User
+ required: true
+ description: PostgreSQL user that will access the database.
+ value: root
+- name: DATABASE_PASSWORD
+ displayName: PostgreSQL Password
+ required: true
+ description: Password for the PostgreSQL user.
+ from: "[a-zA-Z0-9]{8}"
+ generate: expression
+- name: DATABASE_NAME
+ required: true
+ displayName: PostgreSQL Database Name
+ description: Name of the PostgreSQL database accessed.
+ value: vmdb_production
+- name: DATABASE_REGION
+ required: true
+ displayName: Application Database Region
+ description: Database region that will be used for application.
+ value: '0'
+- name: ANSIBLE_DATABASE_NAME
+ displayName: Ansible PostgreSQL database name
+ required: true
+ description: The database to be used by the Ansible continer
+ value: awx
+- name: MEMCACHED_SERVICE_NAME
+ required: true
+ displayName: Memcached Service Name
+ description: The name of the OpenShift Service exposed for the Memcached container.
+ value: memcached
+- name: MEMCACHED_MAX_MEMORY
+ displayName: Memcached Max Memory
+ description: Memcached maximum memory for memcached object storage in MB.
+ value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+ displayName: Memcached Max Connections
+ description: Memcached maximum number of connections allowed.
+ value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+ displayName: Memcached Slab Page Size
+ description: Memcached size of each slab page.
+ value: 1m
+- name: POSTGRESQL_CONFIG_DIR
+ displayName: PostgreSQL Configuration Overrides
+ description: Directory used to store PostgreSQL configuration overrides.
+ value: "/var/lib/pgsql/conf.d"
+- name: POSTGRESQL_MAX_CONNECTIONS
+ displayName: PostgreSQL Max Connections
+ description: PostgreSQL maximum number of database connections allowed.
+ value: '1000'
+- name: POSTGRESQL_SHARED_BUFFERS
+ displayName: PostgreSQL Shared Buffer Amount
+ description: Amount of memory dedicated for PostgreSQL shared memory buffers.
+ value: 1GB
+- name: ANSIBLE_SERVICE_NAME
+ displayName: Ansible Service Name
+ description: The name of the OpenShift Service exposed for the Ansible container.
+ value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+ displayName: Ansible admin User password
+ required: true
+ description: The password for the Ansible container admin user
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: ANSIBLE_SECRET_KEY
+ displayName: Ansible Secret Key
+ required: true
+ description: Encryption key for the Ansible container
+ from: "[a-f0-9]{32}"
+ generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+ displayName: RabbitMQ Username
+ required: true
+ description: Username for the Ansible RabbitMQ Server
+ value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+ displayName: RabbitMQ Server Password
+ required: true
+ description: Password for the Ansible RabbitMQ Server
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: APPLICATION_CPU_REQ
+ displayName: Application Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+ value: 1000m
+- name: POSTGRESQL_CPU_REQ
+ displayName: PostgreSQL Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores).
+ value: 500m
+- name: MEMCACHED_CPU_REQ
+ displayName: Memcached Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+ value: 200m
+- name: ANSIBLE_CPU_REQ
+ displayName: Ansible Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+ value: 1000m
+- name: APPLICATION_MEM_REQ
+ displayName: Application Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Application container will need.
+ value: 6144Mi
+- name: POSTGRESQL_MEM_REQ
+ displayName: PostgreSQL Min RAM Requested
+ required: true
+ description: Minimum amount of memory the PostgreSQL container will need.
+ value: 4Gi
+- name: MEMCACHED_MEM_REQ
+ displayName: Memcached Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Memcached container will need.
+ value: 64Mi
+- name: ANSIBLE_MEM_REQ
+ displayName: Ansible Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Ansible container will need.
+ value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+ displayName: Application Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Application container can consume.
+ value: 16384Mi
+- name: POSTGRESQL_MEM_LIMIT
+ displayName: PostgreSQL Max RAM Limit
+ required: true
+ description: Maximum amount of memory the PostgreSQL container can consume.
+ value: 8Gi
+- name: MEMCACHED_MEM_LIMIT
+ displayName: Memcached Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Memcached container can consume.
+ value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+ displayName: Ansible Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Ansible container can consume.
+ value: 8096Mi
+- name: POSTGRESQL_IMG_NAME
+ displayName: PostgreSQL Image Name
+ description: This is the PostgreSQL image name requested to deploy.
+ value: docker.io/manageiq/postgresql
+- name: POSTGRESQL_IMG_TAG
+ displayName: PostgreSQL Image Tag
+ description: This is the PostgreSQL image tag/version requested to deploy.
+ value: latest
+- name: MEMCACHED_IMG_NAME
+ displayName: Memcached Image Name
+ description: This is the Memcached image name requested to deploy.
+ value: docker.io/manageiq/memcached
+- name: MEMCACHED_IMG_TAG
+ displayName: Memcached Image Tag
+ description: This is the Memcached image tag/version requested to deploy.
+ value: latest
+- name: APPLICATION_IMG_NAME
+ displayName: Application Image Name
+ description: This is the Application image name requested to deploy.
+ value: docker.io/manageiq/manageiq-pods
+- name: FRONTEND_APPLICATION_IMG_TAG
+ displayName: Front end Application Image Tag
+ description: This is the ManageIQ Frontend Application image tag/version requested to deploy.
+ value: frontend-latest
+- name: BACKEND_APPLICATION_IMG_TAG
+ displayName: Back end Application Image Tag
+ description: This is the ManageIQ Backend Application image tag/version requested to deploy.
+ value: backend-latest
+- name: ANSIBLE_IMG_NAME
+ displayName: Ansible Image Name
+ description: This is the Ansible image name requested to deploy.
+ value: docker.io/manageiq/embedded-ansible
+- name: ANSIBLE_IMG_TAG
+ displayName: Ansible Image Tag
+ description: This is the Ansible image tag/version requested to deploy.
+ value: latest
+- name: APPLICATION_DOMAIN
+ displayName: Application Hostname
+ description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+ value: ''
+- name: APPLICATION_REPLICA_COUNT
+ displayName: Application Replica Count
+ description: This is the number of Application replicas requested to deploy.
+ value: '1'
+- name: APPLICATION_INIT_DELAY
+ displayName: Application Init Delay
+ required: true
+ description: Delay in seconds before we attempt to initialize the application.
+ value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+ displayName: Application Volume Capacity
+ required: true
+ description: Volume space available for application data.
+ value: 5Gi
+- name: DATABASE_VOLUME_CAPACITY
+ displayName: Database Volume Capacity
+ required: true
+ description: Volume space available for database.
+ value: 15Gi
+- name: HTTPD_SERVICE_NAME
+ required: true
+ displayName: Apache httpd Service Name
+ description: The name of the OpenShift Service exposed for the httpd container.
+ value: httpd
+- name: HTTPD_IMG_NAME
+ displayName: Apache httpd Image Name
+ description: This is the httpd image name requested to deploy.
+ value: docker.io/manageiq/httpd
+- name: HTTPD_IMG_TAG
+ displayName: Apache httpd Image Tag
+ description: This is the httpd image tag/version requested to deploy.
+ value: latest
+- name: HTTPD_CONFIG_DIR
+ displayName: Apache Configuration Directory
+ description: Directory used to store the Apache configuration files.
+ value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+ displayName: External Authentication Configuration Directory
+ description: Directory used to store the external authentication configuration files.
+ value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+ displayName: Apache httpd Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+ value: 500m
+- name: HTTPD_MEM_REQ
+ displayName: Apache httpd Min RAM Requested
+ required: true
+ description: Minimum amount of memory the httpd container will need.
+ value: 512Mi
+- name: HTTPD_MEM_LIMIT
+ displayName: Apache httpd Max RAM Limit
+ required: true
+ description: Maximum amount of memory the httpd container can consume.
+ value: 8192Mi
diff --git a/roles/openshift_cfme/handlers/main.yml b/roles/openshift_cfme/handlers/main.yml
index 7e90b09a4..8b84dfb71 100644
--- a/roles/openshift_cfme/handlers/main.yml
+++ b/roles/openshift_cfme/handlers/main.yml
@@ -35,3 +35,6 @@
 retries: 120
 delay: 1
 changed_when: false
+
+- name: OpenShift-CFME - Reload NFS Exports
+ command: exportfs -ar
diff --git a/roles/openshift_cfme/meta/main.yml b/roles/openshift_cfme/meta/main.yml
index 162d817f0..0fce4a28a 100644
--- a/roles/openshift_cfme/meta/main.yml
+++ b/roles/openshift_cfme/meta/main.yml
@@ -16,4 +16,5 @@ galaxy_info:
 dependencies:
 - role: lib_openshift
 - role: lib_utils
-- role: openshift_master_facts
+# - role: openshift_facts
+# - role: openshift_master_facts
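Review bot: Commenting out the `openshift_master_facts` dependency (and adding a commented-out `openshift_facts` line) leaves dead entries under `dependencies` while silently dropping a role this role previously depended on. The tasks that consumed those facts are not visible here, so if any of them still read values set by `openshift_master_facts`, they will now fail with an undefined variable unless the calling playbook runs that role first. Either delete the two commented lines or replace them with a comment that states the new contract, e.g. `# Facts are expected to be gathered by the calling playbook, not pulled in as a role dependency.`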
diff --git a/roles/openshift_cfme/tasks/accounts.yml b/roles/openshift_cfme/tasks/accounts.yml
new file mode 100644
index 000000000..261e7858b
--- /dev/null
+++ b/roles/openshift_cfme/tasks/accounts.yml
@@ -0,0 +1,65 @@ +--- +# This role task file is responsible for user/system account creation, +# and ensuring correct access is provided as required. + +# TODO: This is currently not idempotent, bug report will be filed +# after this. Currently this task will return 'changed' if it just +# created a user, updated a user, or doesn't modify a user at +# all. Seems to be failing some kind of 'does it need updating' test +# condition and running the replace command regardless. +- name: Check if the miq-httpd scc exists + oc_obj: + namespace: "{{ openshift_cfme_project }}" + state: list + kind: scc + name: miq-httpd + register: miq_httpd_scc_exists + +# TODO: Cleanup when conditions +- name: Copy the miq-httpd SCC to the cluster + copy: + src: miq-scc-httpd.yaml + dest: "{{ template_dir }}" + when: + - miq_httpd_scc_exists.results.results | length == 1 + - miq_httpd_scc_exists.results.results[0] == {} + +- name: Ensure the CFME miq-httpd SCC exists + oc_obj: + state: present + name: miq-httpd + namespace: "{{ openshift_cfme_project }}" + kind: scc + files: + - "{{ template_dir }}/miq-scc-httpd.yaml" + delete_after: True + run_once: True + when: + - miq_httpd_scc_exists.results.results | length == 1 + - miq_httpd_scc_exists.results.results[0] == {} + +- name: Ensure the CFME system users exist + oc_serviceaccount: + namespace: "{{ openshift_cfme_project }}" + state: present + name: "{{ item.name }}" + with_items: + - "{{ openshift_system_account_sccs }}" + +- name: Ensure the CFME system accounts have all the required SCCs + oc_adm_policy_user: + namespace: "{{ openshift_cfme_project }}" + user: "system:serviceaccount:{{ openshift_cfme_project }}:{{ item.name }}" + resource_kind: scc + resource_name: "{{ item.resource_name }}" + with_items: + - "{{ openshift_system_account_sccs }}" + +- name: Ensure the CFME system accounts have the required roles + oc_adm_policy_user: + namespace: "{{ openshift_cfme_project }}" + user: "system:serviceaccount:{{ openshift_cfme_project 
}}:{{ item.name }}" + resource_kind: role + resource_name: "{{ item.resource_name }}" + with_items: + - "{{ openshift_cfme_system_account_roles }}" diff --git a/roles/openshift_cfme/tasks/create_pvs.yml b/roles/openshift_cfme/tasks/create_pvs.yml deleted file mode 100644 index 7fa7d3997..000000000 --- a/roles/openshift_cfme/tasks/create_pvs.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -# Check for existance and then conditionally: -# - evaluate templates -# - PVs -# -# These tasks idempotently create required CFME PV objects. Do not -# call this file directly. This file is intended to be ran as an -# include that has a 'with_items' attached to it. Hence the use below -# of variables like "{{ item.pv_label }}" - -- name: "Check if the {{ item.pv_label }} template has been created already" - oc_obj: - namespace: "{{ openshift_cfme_project }}" - state: list - kind: pv - name: "{{ item.pv_name }}" - register: miq_pv_check - -# Skip all of this if the PV already exists -- block: - - name: "Ensure the {{ item.pv_label }} template is evaluated" - template: - src: "{{ item.pv_template }}.j2" - dest: "{{ template_dir }}/{{ item.pv_template }}" - - - name: "Ensure {{ item.pv_label }} is created" - oc_obj: - namespace: "{{ openshift_cfme_project }}" - kind: pv - name: "{{ item.pv_name }}" - state: present - delete_after: True - files: - - "{{ template_dir }}/{{ item.pv_template }}" - when: - - not miq_pv_check.results.results.0 diff --git a/roles/openshift_cfme/tasks/main.yml b/roles/openshift_cfme/tasks/main.yml index 74ae16d91..cf5a7fdeb 100644 --- a/roles/openshift_cfme/tasks/main.yml +++ b/roles/openshift_cfme/tasks/main.yml 
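Review bot: The `Ensure the CFME miq-httpd SCC exists` task is skipped whenever an object of that name already exists (`miq_httpd_scc_exists.results.results[0] == {}`), so a cluster-scoped, privilege-granting SCC is created once and never reconciled against `miq-scc-httpd.yaml`; a later manual widening of the SCC persists unnoticed and updates shipped in the role never land. If `oc_obj` with `state: present` and `files:` reconciles existing objects (it appears to), dropping the `when:` guards on the copy and create tasks gives drift correction for free. The SCC and role bindings in the last two tasks come from `openshift_system_account_sccs` and `openshift_cfme_system_account_roles`, which are defined outside this hunk; the new validate.yml is the natural place to assert those lists hold only the intended names before anything is bound. `run_once: True` is set on the SCC creation but not on the two `oc_adm_policy_user` tasks, so on a multi-master play the grants are re-issued from every host, which is also what the idempotency TODO at the top describes.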
@@ -1,117 +1,99 @@ --- -###################################################################### +######################################################################) # Users, projects, and privileges -- name: Ensure the CFME user exists - oc_user: - state: present - username: "{{ openshift_cfme_user }}" +- name: Run pre-install CFME validation checks + include: validate.yml -- name: Ensure the CFME namespace exists with CFME user as admin +- name: "Ensure the CFME '{{ openshift_cfme_project }}' namespace exists" oc_project: state: present name: "{{ openshift_cfme_project }}" display_name: "{{ openshift_cfme_project_description }}" - admin: "{{ openshift_cfme_user }}" - -- name: Ensure the CFME namespace service account is privileged - oc_adm_policy_user: - namespace: "{{ openshift_cfme_project }}" - user: "{{ openshift_cfme_service_account }}" - resource_kind: scc - resource_name: privileged - state: present -###################################################################### -# NFS -# In the case that we are not running on a cloud provider, volumes must be statically provisioned - -- include: nfs.yml - when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce')) +- name: Create and Authorize CFME Accounts + include: accounts.yml ###################################################################### -# CFME App Template -# -# Note, this is different from the create_pvs.yml tasks in that the -# application template does not require any jinja2 evaluation. -# -# TODO: Handle the case where the server template is updated in -# openshift-ansible and the change needs to be landed on the managed -# cluster. 
- -- name: Check if the CFME Server template has been created already - oc_obj: - namespace: "{{ openshift_cfme_project }}" - state: list - kind: template - name: manageiq - register: miq_server_check - -- name: Copy over CFME Server template - copy: - src: miq-template.yaml - dest: "{{ template_dir }}/miq-template.yaml" - -- name: Ensure the server template was read from disk +# STORAGE - Initialize basic storage classes +#--------------------------------------------------------------------- +# * nfs - set up NFS shares on the first master for a proof of concept +- name: Create required NFS exports for CFME app storage + include: storage/nfs.yml + when: openshift_cfme_storage_class == 'nfs' + +#--------------------------------------------------------------------- +# * external - NFS again, but pointing to a pre-configured NFS server +- name: Note Storage Type - External NFS debug: - var=r_openshift_cfme_miq_template_content + msg: Setting up external NFS storage, openshift_cfme_storage_class is 'external' + when: openshift_cfme_storage_class == 'external' -- name: Ensure CFME Server Template exists - oc_obj: - namespace: "{{ openshift_cfme_project }}" - kind: template - name: "manageiq" - state: present - content: "{{ r_openshift_cfme_miq_template_content }}" +#--------------------------------------------------------------------- +# * cloudprovider - use an existing cloudprovider based storage +- name: Note Storage Type - Cloud Provider + debug: + msg: Validating cloud provider storage type, openshift_cfme_storage_class is 'cloudprovider' + when: openshift_cfme_storage_class == 'cloudprovider' + +#--------------------------------------------------------------------- +# * preconfigured - don't do anything, assume it's all there ready to go +- name: Note Storage Type - Preconfigured + debug: + msg: Skipping storage configuration, openshift_cfme_storage_class is 'preconfigured' + when: openshift_cfme_storage_class == 'preconfigured' 
###################################################################### -# Let's do this - -- name: Ensure the CFME Server is created - oc_process: - namespace: "{{ openshift_cfme_project }}" - template_name: manageiq - create: True - params: - APPLICATION_IMG_NAME: "{{ openshift_cfme_application_img_name }}" - POSTGRESQL_IMG_NAME: "{{ openshift_cfme_postgresql_img_name }}" - MEMCACHED_IMG_NAME: "{{ openshift_cfme_memcached_img_name }}" - APPLICATION_IMG_TAG: "{{ openshift_cfme_application_img_tag }}" - POSTGRESQL_IMG_TAG: "{{ openshift_cfme_postgresql_img_tag }}" - MEMCACHED_IMG_TAG: "{{ openshift_cfme_memcached_img_tag }}" - register: cfme_new_app_process - run_once: True - when: - # User said to install CFME in their inventory - - openshift_cfme_install_app | bool - # # The server app doesn't exist already - # - not miq_server_check.results.results.0 - -- debug: - var: cfme_new_app_process +# APPLICATION TEMPLATE +- name: Install the correct CFME app template + include: template.yml ###################################################################### -# Various cleanup steps - -# TODO: Not sure what to do about this right now. Might be able to -# just delete it? This currently warns about "Unable to find -# '' in expected paths." -- name: Ensure the temporary PV/App templates are erased - file: - path: "{{ item }}" - state: absent - with_fileglob: - - "{{ template_dir }}/*.yaml" - -- name: Ensure the temporary PV/app template directory is erased - file: - path: "{{ template_dir }}" - state: absent +# APP & DB Storage + ###################################################################### -- name: Status update - debug: - msg: > - CFME has been deployed. Note that there will be a delay before - it is fully initialized. 
+# ###################################################################### +# # Let's do this + +# - name: Ensure the CFME Server is created +# oc_process: +# namespace: "{{ openshift_cfme_project }}" +# template_name: manageiq +# create: True +# params: +# APPLICATION_IMG_NAME: "{{ openshift_cfme_application_img_name }}" +# POSTGRESQL_IMG_NAME: "{{ openshift_cfme_postgresql_img_name }}" +# MEMCACHED_IMG_NAME: "{{ openshift_cfme_memcached_img_name }}" +# APPLICATION_IMG_TAG: "{{ openshift_cfme_application_img_tag }}" +# POSTGRESQL_IMG_TAG: "{{ openshift_cfme_postgresql_img_tag }}" +# MEMCACHED_IMG_TAG: "{{ openshift_cfme_memcached_img_tag }}" +# register: cfme_new_app_process +# run_once: True +# when: +# # User said to install CFME in their inventory +# - openshift_cfme_install_app | bool +# # # The server app doesn't exist already +# # - not miq_server_check.results.results.0 + +# - debug: +# var: cfme_new_app_process + +# ###################################################################### +# # Various cleanup steps + +# # TODO: Not sure what to do about this right now. Might be able to +# # just delete it? This currently warns about "Unable to find +# # '' in expected paths." +# - name: Ensure the temporary PV/App templates are erased +# file: +# path: "{{ item }}" +# state: absent +# with_fileglob: +# - "{{ template_dir }}/*.yaml" + +# - name: Ensure the temporary PV/app template directory is erased +# file: +# path: "{{ template_dir }}" +# state: absent diff --git a/roles/openshift_cfme/tasks/nfs.yml b/roles/openshift_cfme/tasks/nfs.yml deleted file mode 100644 index ca04628a8..000000000 --- a/roles/openshift_cfme/tasks/nfs.yml +++ /dev/null 
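Review bot: The `external`, `cloudprovider` and `preconfigured` storage branches only emit a `debug:` message, so selecting any of them configures nothing while the template install further down proceeds as if storage were in place; until those branches are implemented they should `fail:` with a clear message (e.g. `fail: msg: "storage class '{{ openshift_cfme_storage_class }}' is not implemented yet"`) rather than continue. The new separator line carries a stray `)` (`#####...#####)`), and roughly forty lines of the old `Let's do this` and cleanup tasks are kept as comments instead of being removed; git history already preserves them, and leaving them makes the disabled `template_dir` cleanup look intentional. Removing the `privileged` SCC grant to the service account on the old side is a genuine privilege reduction and deserves a line in the commit message.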
@@ -1,51 +0,0 @@ ---- -# Tasks to statically provision NFS volumes -# Include if not using dynamic volume provisioning - -- name: Set openshift_cfme_nfs_server fact - when: openshift_cfme_nfs_server is not defined - set_fact: - # Hostname/IP of the NFS server. Currently defaults to first master - openshift_cfme_nfs_server: "{{ oo_nfs_to_config.0 }}" - -- name: Ensure the /exports/ directory exists - file: - path: /exports/ - state: directory - mode: 0755 - owner: root - group: root - -- name: Ensure the miq-pv0X export directories exist - file: - path: "/exports/{{ item }}" - state: directory - mode: 0775 - owner: root - group: root - with_items: "{{ openshift_cfme_pv_exports }}" - -- name: Ensure the NFS exports for CFME PVs exist - copy: - src: openshift_cfme.exports - dest: /etc/exports.d/openshift_cfme.exports - register: nfs_exports_updated - -- name: Ensure the NFS export table is refreshed if exports were added - command: exportfs -ar - when: - - nfs_exports_updated.changed - - -###################################################################### -# Create the required CFME PVs. Check out these online docs if you -# need a refresher on includes looping with items: -# * http://docs.ansible.com/ansible/playbooks_loops.html#loops-and-includes-in-2-0 -# * http://stackoverflow.com/a/35128533 -# -# TODO: Handle the case where a PV template is updated in -# openshift-ansible and the change needs to be landed on the managed -# cluster. - -- include: create_pvs.yml - with_items: "{{ openshift_cfme_pv_data }}" diff --git a/roles/openshift_cfme/tasks/storage/create_pvs.yml b/roles/openshift_cfme/tasks/storage/create_pvs.yml new file mode 100644 index 000000000..7fa7d3997 --- /dev/null +++ b/roles/openshift_cfme/tasks/storage/create_pvs.yml 
@@ -0,0 +1,36 @@ +--- +# Check for existance and then conditionally: +# - evaluate templates +# - PVs +# +# These tasks idempotently create required CFME PV objects. Do not +# call this file directly. This file is intended to be ran as an +# include that has a 'with_items' attached to it. Hence the use below +# of variables like "{{ item.pv_label }}" + +- name: "Check if the {{ item.pv_label }} template has been created already" + oc_obj: + namespace: "{{ openshift_cfme_project }}" + state: list + kind: pv + name: "{{ item.pv_name }}" + register: miq_pv_check + +# Skip all of this if the PV already exists +- block: + - name: "Ensure the {{ item.pv_label }} template is evaluated" + template: + src: "{{ item.pv_template }}.j2" + dest: "{{ template_dir }}/{{ item.pv_template }}" + + - name: "Ensure {{ item.pv_label }} is created" + oc_obj: + namespace: "{{ openshift_cfme_project }}" + kind: pv + name: "{{ item.pv_name }}" + state: present + delete_after: True + files: + - "{{ template_dir }}/{{ item.pv_template }}" + when: + - not miq_pv_check.results.results.0 diff --git a/roles/openshift_cfme/tasks/storage/nfs.yml b/roles/openshift_cfme/tasks/storage/nfs.yml new file mode 100644 index 000000000..8151f9fbb --- /dev/null +++ b/roles/openshift_cfme/tasks/storage/nfs.yml 
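Review bot: The `template:` task's sources (`miq-pv-db.yaml.j2`, `miq-pv-region.yaml.j2`, `miq-pv-server.yaml.j2`) are deleted later in this same commit, so any future include of `storage/create_pvs.yml` fails at `src: "{{ item.pv_template }}.j2"`; either drop this file as well or repoint it at the new `miq-pv-*-example.yaml` files. `kind: pv` is cluster-scoped, so the `namespace:` argument on both `oc_obj` calls is misleading, and `when: - not miq_pv_check.results.results.0` means an existing PV (including its NFS `server:`/`path:`) is never reconciled with what the role ships. Nothing in this commit includes this file (the include in storage/nfs.yml is commented out), so it is currently dead code.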
@@ -0,0 +1,103 @@ +--- +# Tasks to statically provision NFS volumes +# Include if not using dynamic volume provisioning + +- name: Note Storage Type - NFS + debug: + msg: Setting up NFS storage, openshift_cfme_storage_class is 'nfs' + +- name: TODO + debug: + msg: TODO - replace hard-coded hostname below with oo_nfs_to_config.0 + +- name: Set openshift_cfme_nfs_server fact + when: openshift_cfme_nfs_server is not defined + set_fact: + # Hostname/IP of the NFS server. Currently defaults to first master + openshift_cfme_nfs_server: m01.example.com + +# TODO: I was going to try to apply the openshift_storage_nfs role to +# handle this, however, that role is not written to be used by +# itself. Attempting to use it to create CFME exports would just add +# more hard-coded values to the role. That said, we're doing this here +# manually for now until some one comes up with a better solution, or +# the role is made to accept parameters in a more functional way. +# +# I can't really even include the openshift_storage_nfs role in here +# to do basic setup stuff because it would just result in a lot of +# unwanted exports getting set up for the users. + +- name: Ensure the /exports/ directory exists + file: + path: /exports/ + state: directory + mode: 0755 + owner: root + group: root + +- name: Ensure exports directory exists + file: + path: /etc/exports.d/ + state: directory + +# # TODO - with_items should be passed a list of storage configs for the +# # desired CFME setup. This might mean a local or remote nfs server, as +# # well as fully qualified filesystem paths. 
+# - name: Ensure export directories exist +# file: +# path: "{{ item.storage.nfs.directory }}/{{ item.storage.volume.name }}" +# state: directory +# mode: 0777 +# owner: nfsnobody +# group: nfsnobody +# with_items: + +- name: Enable and start services + systemd: + name: nfs-server + state: started + enabled: yes + register: start_result + +- set_fact: + nfs_service_status_changed: "{{ start_result | changed }}" + +- name: restart nfs-server + systemd: + name: nfs-server + state: restarted + when: nfs_service_status_changed | default(false) + notify: + - "OpenShift-CFME - Reload NFS Exports" + +###################################################################### +# TODO: Move the export directory and PV creation into individual +# tasks under the respective server/database task files. + +# # - name: Ensure the miq-pv0X export directories exist +# # file: +# # path: "/exports/{{ item }}" +# # state: directory +# # mode: 0775 +# # owner: nfsnobody +# # group: nfsnobody +# # with_items: "{{ openshift_cfme_pv_exports }}" + +# # - name: Ensure the NFS exports for CFME PVs exist +# # copy: +# # src: openshift_cfme.exports +# # dest: /etc/exports.d/openshift_cfme.exports +# # register: nfs_exports_updated + + +# # Create the required CFME PVs. Check out these online docs if you +# # need a refresher on includes looping with items: +# # * http://docs.ansible.com/ansible/playbooks_loops.html#loops-and-includes-in-2-0 +# # * http://stackoverflow.com/a/35128533 + +# # TODO: Handle the case where a PV template is updated in +# # openshift-ansible and the change needs to be landed on the managed +# # cluster. + +# # - include: create_pvs.yml +# # with_items: "{{ openshift_cfme_pv_data }}" diff --git a/roles/openshift_cfme/tasks/storage/storage.yml b/roles/openshift_cfme/tasks/storage/storage.yml new file mode 100644 index 000000000..d8bf7aa3e --- /dev/null +++ b/roles/openshift_cfme/tasks/storage/storage.yml 
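Review bot: `openshift_cfme_nfs_server: m01.example.com` hard-codes a placeholder hostname into the fact that the PV definitions use as the NFS `server:`; if the inventory does not set `openshift_cfme_nfs_server`, every CFME volume including the database would be mounted from whatever that example.com name resolves to, which is an integrity problem rather than a cosmetic TODO. Restore the previous behaviour, `openshift_cfme_nfs_server: "{{ oo_nfs_to_config.0 }}"`, or `fail:` when the variable is undefined. The new `Ensure exports directory exists` task creates `/etc/exports.d/` with no `mode`/`owner`/`group`, unlike the `/exports/` task just above it; since this directory governs which hosts may mount the shares, add `mode: "0755"`, `owner: root`, `group: root`. The commented-out export-directory task proposes `mode: 0777`, which would make the PostgreSQL data export world-writable; if it is re-enabled, prefer `0770` with the group the pods actually run as (confirm against the SCC's `fsGroup`).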
@@ -0,0 +1,3 @@
+---
+- include: nfs.yml
+ when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'))
diff --git a/roles/openshift_cfme/tasks/template.yml b/roles/openshift_cfme/tasks/template.yml
new file mode 100644
index 000000000..11ccae3e6
--- /dev/null
+++ b/roles/openshift_cfme/tasks/template.yml
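Review bot: `storage/storage.yml` is not included anywhere in this commit (main.yml includes `storage/nfs.yml` directly), and its gate (`not (openshift_cloudprovider_kind is defined and ...)`) contradicts main.yml's gate (`openshift_cfme_storage_class == 'nfs'`), so whichever path is wired up later will use a different rule for when NFS gets provisioned. Either delete this file or have main.yml include it and drop the duplicate condition so there is a single source of truth.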
@@ -0,0 +1,72 @@ +--- +# Tasks for ensuring the correct CFME templates are landed on the remote system + +###################################################################### +# CFME App Template +# +# Note, this is different from the create_pvs.yml tasks in that the +# application template does not require any jinja2 evaluation. +# +# TODO: Handle the case where the server template is updated in +# openshift-ansible and the change needs to be landed on the managed +# cluster. + +###################################################################### +# STANDARD PODIFIED DATABASE TEMPLATE +- when: openshift_cfme_app_template == 'miq-template' + block: + - name: Check if the CFME Server template has been created already + oc_obj: + namespace: "{{ openshift_cfme_project }}" + state: list + kind: template + name: manageiq + register: miq_server_check + + - name: Copy over CFME Server template + copy: + src: miq-template.yaml + dest: "{{ template_dir }}/" + when: + - miq_server_check.results.results == [{}] + + - name: Ensure CFME Server Template is created + oc_obj: + namespace: "{{ openshift_cfme_project }}" + name: manageiq + state: present + kind: template + files: + - "{{ template_dir }}/miq-template.yaml" + when: + - miq_server_check.results.results == [{}] + +###################################################################### +# EXTERNAL DATABASE TEMPLATE +- when: openshift_cfme_app_template == 'miq-template-ext-db' + block: + - name: Check if the CFME Ext-DB Server template has been created already + oc_obj: + namespace: "{{ openshift_cfme_project }}" + state: list + kind: template + name: manageiq-ext-db + register: miq_ext_db_server_check + + - name: Copy over CFME Ext-DB Server template + copy: + src: miq-template-ext-db.yaml + dest: "{{ template_dir }}/" + when: + - miq_ext_db_server_check.results.results == [{}] + + - name: Ensure CFME Ext-DB Server Template is created + oc_obj: + namespace: "{{ openshift_cfme_project }}" + name: manageiq-ext-db + 
state: present + kind: template + files: + - "{{ template_dir }}/miq-template-ext-db.yaml" + when: + - miq_ext_db_server_check.results.results == [{}] diff --git a/roles/openshift_cfme/tasks/tune_masters.yml b/roles/openshift_cfme/tasks/tune_masters.yml deleted file mode 100644 index 02b0f10bf..000000000 --- a/roles/openshift_cfme/tasks/tune_masters.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: Ensure bulk image import limit is tuned - yedit: - src: /etc/origin/master/master-config.yaml - key: 'imagePolicyConfig.maxImagesBulkImportedPerRepository' - value: "{{ openshift_cfme_maxImagesBulkImportedPerRepository | int() }}" - state: present - backup: True - notify: - - restart master - -- meta: flush_handlers diff --git a/roles/openshift_cfme/tasks/validate.yml b/roles/openshift_cfme/tasks/validate.yml new file mode 100644 index 000000000..61448aa3b --- /dev/null +++ b/roles/openshift_cfme/tasks/validate.yml 
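Review bot: Both blocks create the OpenShift template only when it is absent (`when: - miq_server_check.results.results == [{}]` and the ext-db equivalent), so a template already on the cluster is never updated with the file shipped in the role; the header TODO acknowledges this, but the effect is that image/tag and resource-limit changes in future releases silently do not land and a tampered template is never corrected. Let `oc_obj` with `state: present` and `files:` run unconditionally so it can reconcile, and add `run_once: True` since the block otherwise runs on every host in the play. The `copy` tasks also assume `template_dir` exists; nothing visible in this commit creates it, and the cleanup that used to remove it is commented out in main.yml.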
@@ -0,0 +1,34 @@ +--- +# Validate configuration parameters passed to the openshift_cfme role + +- name: Ensure openshift_cfme_app_template is valid + assert: + that: + - openshift_cfme_app_template in openshift_cfme_app_templates + msg: "openshift_cfme_app_template must be one of {{ openshift_cfme_app_templates | join(', ') }}" + +- name: Ensure openshift_cfme_storage_class is a valid type + assert: + that: + - openshift_cfme_storage_class in openshift_cfme_storage_classes + msg: "openshift_cfme_storage_class must be one of {{ openshift_cfme_storage_classes | join(', ') }}" + +- name: Ensure external NFS storage has a valid NFS server hostname defined + assert: + that: + - openshift_cfme_storage_external_nfs_hostname is not False + msg: The selected storage class 'external' requires a valid hostname for the openshift_cfme_storage_external_nfs_hostname parameter + when: + - openshift_cfme_storage_class == 'external' + +- name: Validate Cloud Provider storage class + assert: + that: + - openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce' + msg: | + openshift_cfme_storage_class is 'cloudprovider' but you have an + invalid kind defined. See 'openshift_cloudprovider_kind' in the + example inventories for the required parameters for your + selected cloud provider. Working providers: 'aws' and 'gce'. + when: + - openshift_cloudprovider_kind is defined diff --git a/roles/openshift_cfme/templates/miq-pv-db.yaml.j2 b/roles/openshift_cfme/templates/miq-pv-db.yaml.j2 deleted file mode 100644 index 280f3e97a..000000000 --- a/roles/openshift_cfme/templates/miq-pv-db.yaml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: - name: miq-pv01 -spec: - capacity: - storage: 15Gi - accessModes: - - ReadWriteOnce - nfs: - path: {{ openshift_cfme_nfs_directory }}/miq-pv01 - server: {{ openshift_cfme_nfs_server }} - persistentVolumeReclaimPolicy: Retain 
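Review bot: `Validate Cloud Provider storage class` is gated on `openshift_cloudprovider_kind is defined` rather than on `openshift_cfme_storage_class == 'cloudprovider'`, so a user who selects `cloudprovider` without a provider kind passes validation (and later gets only a debug message), while a user with, say, an OpenStack provider and `nfs` storage is wrongly failed. Change the gate to `when: - openshift_cfme_storage_class == 'cloudprovider'` and move `openshift_cloudprovider_kind is defined` into the `that:` list. The external-NFS assertion `openshift_cfme_storage_external_nfs_hostname is not False` also accepts an empty string or `None`, which would produce a PV with an empty `server:`; `(openshift_cfme_storage_external_nfs_hostname | default('')) | length > 0` is the stronger check.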
diff --git a/roles/openshift_cfme/templates/miq-pv-region.yaml.j2 b/roles/openshift_cfme/templates/miq-pv-region.yaml.j2 deleted file mode 100644 index fe80dffa5..000000000 --- a/roles/openshift_cfme/templates/miq-pv-region.yaml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: - name: miq-pv02 -spec: - capacity: - storage: 5Gi - accessModes: - - ReadWriteOnce - nfs: - path: {{ openshift_cfme_nfs_directory }}/miq-pv02 - server: {{ openshift_cfme_nfs_server }} - persistentVolumeReclaimPolicy: Retain diff --git a/roles/openshift_cfme/templates/miq-pv-server.yaml.j2 b/roles/openshift_cfme/templates/miq-pv-server.yaml.j2 deleted file mode 100644 index f84b67ea9..000000000 --- a/roles/openshift_cfme/templates/miq-pv-server.yaml.j2 +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: - name: miq-pv03 -spec: - capacity: - storage: 5Gi - accessModes: - - ReadWriteOnce - nfs: - path: {{ openshift_cfme_nfs_directory }}/miq-pv03 - server: {{ openshift_cfme_nfs_server }} - persistentVolumeReclaimPolicy: Retain -- cgit v1.2.3 From 8e10c53974b4b87e483ed0dfec3946383aa071c7 Mon Sep 17 00:00:00 2001 
From: Tim Bielawa Date: Fri, 15 Sep 2017 17:18:22 -0400 Subject: Import upstream templates. Do the work. Validate parameters. --- roles/openshift_cfme/README.md | 373 +++++++- roles/openshift_cfme/defaults/main.yml | 133 ++- roles/openshift_cfme/files/miq-backup-job.yaml | 28 - roles/openshift_cfme/files/miq-backup-pvc.yaml | 10 - .../files/miq-pv-backup-example.yaml | 13 - roles/openshift_cfme/files/miq-pv-db-example.yaml | 13 - .../files/miq-pv-server-example.yaml | 27 - roles/openshift_cfme/files/miq-restore-job.yaml | 35 - roles/openshift_cfme/files/miq-scc-httpd.yaml | 38 - .../openshift_cfme/files/miq-template-ext-db.yaml | 771 ----------------- roles/openshift_cfme/files/miq-template.yaml | 948 --------------------- roles/openshift_cfme/files/openshift_cfme.exports | 3 - .../templates/cloudforms/cfme-backup-job.yaml | 28 + .../templates/cloudforms/cfme-backup-pvc.yaml | 10 + .../cloudforms/cfme-pv-backup-example.yaml | 13 + .../templates/cloudforms/cfme-pv-db-example.yaml | 38 + .../cloudforms/cfme-pv-server-example.yaml | 38 + .../templates/cloudforms/cfme-restore-job.yaml | 35 + .../templates/cloudforms/cfme-scc-sysadmin.yaml | 38 + .../templates/cloudforms/cfme-template-ext-db.yaml | 763 +++++++++++++++++ .../files/templates/cloudforms/cfme-template.yaml | 940 ++++++++++++++++++++ .../files/templates/manageiq/miq-backup-job.yaml | 28 + .../files/templates/manageiq/miq-backup-pvc.yaml | 10 + .../templates/manageiq/miq-pv-backup-example.yaml | 13 + .../templates/manageiq/miq-pv-db-example.yaml | 38 + .../templates/manageiq/miq-pv-server-example.yaml | 38 + .../files/templates/manageiq/miq-restore-job.yaml | 35 + .../templates/manageiq/miq-template-ext-db.yaml | 771 +++++++++++++++++ .../files/templates/manageiq/miq-template.yaml | 948 +++++++++++++++++++++ roles/openshift_cfme/handlers/main.yml | 40 - roles/openshift_cfme/meta/main.yml | 2 - roles/openshift_cfme/tasks/accounts.yml | 51 +- roles/openshift_cfme/tasks/main.yml | 76 +- 
.../tasks/storage/create_nfs_pvs.yml | 43 + roles/openshift_cfme/tasks/storage/create_pvs.yml | 36 - roles/openshift_cfme/tasks/storage/nfs.yml | 156 ++-- roles/openshift_cfme/tasks/template.yml | 124 ++- roles/openshift_cfme/tasks/uninstall.yml | 63 +- roles/openshift_cfme/tasks/validate.yml | 52 +- .../openshift_cfme-miq-template-ext-db.exports.j2 | 1 + .../openshift_cfme-miq-template.exports.j2 | 2 + roles/openshift_cfme/vars/main.yml | 69 ++ 42 files changed, 4553 insertions(+), 2338 deletions(-) delete mode 100644 roles/openshift_cfme/files/miq-backup-job.yaml delete mode 100644 roles/openshift_cfme/files/miq-backup-pvc.yaml delete mode 100644 roles/openshift_cfme/files/miq-pv-backup-example.yaml delete mode 100644 roles/openshift_cfme/files/miq-pv-db-example.yaml delete mode 100644 roles/openshift_cfme/files/miq-pv-server-example.yaml delete mode 100644 roles/openshift_cfme/files/miq-restore-job.yaml delete mode 100644 roles/openshift_cfme/files/miq-scc-httpd.yaml delete mode 100644 roles/openshift_cfme/files/miq-template-ext-db.yaml delete mode 100644 roles/openshift_cfme/files/miq-template.yaml delete mode 100644 roles/openshift_cfme/files/openshift_cfme.exports create mode 100644 roles/openshift_cfme/files/templates/cloudforms/cfme-backup-job.yaml create mode 100644 roles/openshift_cfme/files/templates/cloudforms/cfme-backup-pvc.yaml create mode 100644 roles/openshift_cfme/files/templates/cloudforms/cfme-pv-backup-example.yaml create mode 100644 roles/openshift_cfme/files/templates/cloudforms/cfme-pv-db-example.yaml create mode 100644 roles/openshift_cfme/files/templates/cloudforms/cfme-pv-server-example.yaml create mode 100644 roles/openshift_cfme/files/templates/cloudforms/cfme-restore-job.yaml create mode 100644 roles/openshift_cfme/files/templates/cloudforms/cfme-scc-sysadmin.yaml create mode 100644 roles/openshift_cfme/files/templates/cloudforms/cfme-template-ext-db.yaml create mode 100644 
roles/openshift_cfme/files/templates/cloudforms/cfme-template.yaml create mode 100644 roles/openshift_cfme/files/templates/manageiq/miq-backup-job.yaml create mode 100644 roles/openshift_cfme/files/templates/manageiq/miq-backup-pvc.yaml create mode 100644 roles/openshift_cfme/files/templates/manageiq/miq-pv-backup-example.yaml create mode 100644 roles/openshift_cfme/files/templates/manageiq/miq-pv-db-example.yaml create mode 100644 roles/openshift_cfme/files/templates/manageiq/miq-pv-server-example.yaml create mode 100644 roles/openshift_cfme/files/templates/manageiq/miq-restore-job.yaml create mode 100644 roles/openshift_cfme/files/templates/manageiq/miq-template-ext-db.yaml create mode 100644 roles/openshift_cfme/files/templates/manageiq/miq-template.yaml create mode 100644 roles/openshift_cfme/tasks/storage/create_nfs_pvs.yml delete mode 100644 roles/openshift_cfme/tasks/storage/create_pvs.yml create mode 100644 roles/openshift_cfme/templates/openshift_cfme-miq-template-ext-db.exports.j2 create mode 100644 roles/openshift_cfme/templates/openshift_cfme-miq-template.exports.j2 create mode 100644 roles/openshift_cfme/vars/main.yml (limited to 'roles/openshift_cfme') diff --git a/roles/openshift_cfme/README.md b/roles/openshift_cfme/README.md index f6b62b358..5d90e532f 100644 --- a/roles/openshift_cfme/README.md +++ b/roles/openshift_cfme/README.md 
@@ -1,27 +1,366 @@ -## OpenShift-Ansible - CFME Role +# CloudForms Availability -# CloudForms - 4.6 +As noted in [Limitations - Product Choice](#product-choice), +CloudForms 4.6 is not yet released. Until such time, this role is +limited to installing ManageIQ, the open source project that CFME is +based on. -**Important Note**: As of 2017-09-06 the `master` branch of the -[openshift-ansible](https://github.com/openshift/openshift-ansible) -repository is now tracking changes for CloudForms 4.6. +# Table of Contents -If you installed CFME **4.5** previously using this role then you -**must** use the role from the stable `release-3.6` branch. + * [Introduction](#introduction) + * [Requirements](#requirements) + * [Role Variables](#role-variables) + * [Getting Started](#getting-started) + * [All Defaults](#all-defaults) + * [External NFS Storage](#external-nfs-storage) + * [Override PV sizes](#override-pv-sizes) + * [Override Memory Requirements](#override-memory-requirements) + * [External PostgreSQL Database](#external-postgresql-database) + * [Limitations](#limitations) + * [Product Choice](#product-choice) + * [Storage](#storage) + * [Database](#database) + * [Configuration](#configuration) + * [Configuration - Storage Classes](#configuration---storage-classes) + * [NFS (Default)](#nfs-default) + * [NFS External](#nfs-external) + * [Cloud Provider](#cloud-provider) + * [Preconfigured (Expert Configuration Only)](#preconfigured-expert-configuration-only) + * [Configuration - Database](#configuration---database) + * [Podified Database](#podified-database) + * [External Database](#external-database) + * [Customization](#customization) + * [Additional Information](#additional-information) -This role, `openshift_cfme`, in OpenShift Container Platform (OCP) 3.7 -**will not** be backwards compatible with the previous tech preview -released in OCP 3.6. +# Introduction +This role will allow a user to install CFME 4.6 or ManageIQ on an OCP +3.7 cluster. 
The role provides customization options for overriding +default deployment parameters. The role includes several choices for +storage classes. -# CFME/MIQ 4.5 Legacy Instructions +This role includes the following storage class options -* [OCP 3.6 - CFME 4.5 Installation Instruction](https://github.com/openshift/openshift-ansible/tree/release-3.6/roles/openshift_cfme) +* NFS - **Default** - local, on cluster +* NFS External - NFS somewhere else, like a storage appliance +* Cloud Provider - Use automatic storage provisioning from your cloud + provider (`gce` or `aws`) +* Preconfigured - **expert only**, assumes you created everything ahead + of time -The instructions linked in the bulleted item above are for the **TECH -PREVIEW** CloudForms Management Engine (ManageIQ) 4.5 release. +This role allows you to host the required PostgreSQL database podified +(on a pod in the cluster) or externally (on an existing PostgreSQL +host). -# CloudForms 4.5 Pull Requests +You may skip ahead to the [Getting Started](#getting-started) section +now for examples of how to set up your Ansible inventory for various +deployment configurations. However, you are **strongly urged** to read +through the [Configuration](#configuration) and +[Customization](#customization) sections first. -We are no longer accepting pull requests for the *Tech Preview* -CloudForms 4.5 release. +# Requirements + +* OCP 3.7 must be installed **before** running this role. + +The **default** requirements are listed in the table below. These can +be overridden through customization parameters (See +[Customization](#customization), below). + +**Note** that the application performance will suffer, or possibly +even fail to deploy, if these requirements are not satisfied. 
+ + +| Item | Requirement | Description | Customization Parameter | +|---------------------|---------------|----------------------------------------------|-------------------------------| +| Application Memory | `≥ 4.0 Gi` | Minimum required memory for the application | `APPLICATION_MEM_REQ` | +| Application Storage | `≥ 5.0 Gi` | Minimum PV size required for the application | `APPLICATION_VOLUME_CAPACITY` | +| PostgreSQL Memory | `≥ 6.0 Gi` | Minimum required memory for the database | `POSTGRESQL_MEM_REQ` | +| PostgreSQL Storage | `≥ 15.0 Gi` | Minimum PV size required for the database | `DATABASE_VOLUME_CAPACITY` | +| Cluster Hosts | `≥ 3` | Number of hosts in your cluster | `∅` | + +The implications of this table are summarized below: + +* You need several cluster nodes +* Your cluster nodes must have lots of memory available +* You will need several GiB's of storage available + + +# Role Variables + + + +| Variable | Required | Default | Description | +|------------------------------------------------|:--------:|:------------------------------:|-------------------------------------| +| `openshift_cfme_project` | **No** | `openshift-cfme` | Namespace for the installation. | +| `openshift_cfme_project_description` | **No** | *CloudForms Management Engine* | Namespace/project description. | +| **PRODUCT CHOICE** | | | | | +| `openshift_cfme_app_template` | **No** | `miq-template` | The project flavor to install. Choices:
  • `miq-template`: ManageIQ using a podified database
  • `miq-template-ext-db`: ManageIQ using an external database
  • `cfme-template`: CloudForms using a podified database[1]
  • `cfme-template-ext-db`: CloudForms using an external database.[1]
| +| **STORAGE OPTIONS** | | | | | +| `openshift_cfme_storage_class` | **No** | `nfs` | Storage type to use, choices:
  • `nfs` - Best used for proof-of-concept installs. Will setup NFS on a cluster host (defaults to your first master in the inventory file) to back the required PVCs. The application requires a PVC and the database (which may be hosted externally) may require a second. PVC minimum required sizes are 5GiB for the MIQ application, and 15GiB for the PostgreSQL database (20GiB minimum available space on a volume/partition if used specifically for NFS purposes)
  • `nfs_external` - You are using an external NFS server, such as a netapp appliance. See the [Configuration - Storage Classes](#configuration---storage-classes) section below for required information.
  • `preconfigured` - This CFME role will do NOTHING to modify storage settings. This option assumes expert knowledge and that you have done everything required ahead of time.
  • `cloudprovider` - You are using an OCP cloudprovider integration for your storage class. For this to work you must have already configured the required inventory parameters for your cloud provider. Ensure `openshift_cloudprovider_kind` is defined (aws or gce) and that the applicable cloudprovider parameters are provided. | +| `openshift_cfme_storage_nfs_external_hostname` | **No** | `false` | If you are using an *external NFS server*, such as a netapp appliance, then you must set the hostname here. Leave the value as `false` if you are not using external NFS.
    *Additionally*: **External NFS REQUIRES** that you create the NFS exports that will back the application PV and optionally the database PV. +| `openshift_cfme_storage_nfs_base_dir` | **No** | `/exports/` | If you are using **External NFS** then you may set the base path to the exports location here.
    **Local NFS Note**: You *may* also change this value if you want to change the default path used for local NFS exports. | +| `openshift_cfme_storage_nfs_local_hostname` | **No** | `false` | If you do not have an `[nfs]` group in your inventory, or want to simply manually define the local NFS host in your cluster, set this parameter to the hostname of the preferred NFS server. The server must be a part of your OCP/Origin cluster. | +| **CUSTOMIZATION OPTIONS** | | | | | +| `openshift_cfme_app_pv_size` | **No** | `5Gi` | How large the application PV will be in Kube units (`Gi`, `Mi`, etc) [2]| +| `openshift_cfme_db_pv_size` | **No** | `15Gi` | How large the database PV will be in Kube units [2]| +| `openshift_cfme_template_parameters` | **No** | `{}` | A dictionary of any parameters you want to override in the application/pv templates. + +* [1] `cfme-template*` will be available once CFME 4.6 is released +* [2] If you override the PV sizes, read + [Override PV Sizes](#override-pv-sizes) (below) for additional + required parameters + + + +# Getting Started + +Below are some inventory snippets that can help you get started right +away. + +Once you've settled on a configuration scheme (and you have installed +OCP 3.7) you can install CFME using this `ansible-playbook` +invocation: + +``` +$ ansible-playbook -v -i playbooks/byo/openshift-cfme/config.yml +``` + +## All Defaults + +This example is the simplest. All of the default values and choices +are used. This will result in a fully podified CFME installation. All +application components, as well as the PostgreSQL database will be +created as pods in the OCP cluster. + +```ini +[OSEv3:vars] +openshift_cfme_app_template=miq-template +``` + +## External NFS Storage + +This is as the previous example, except that instead of using local +NFS services in the cluster it will use an external NFS server (such +as a storage appliance). 
Note the two new parameters: + +* `openshift_cfme_storage_class` - set to `nfs_external` +* `openshift_cfme_storage_nfs_external_hostname` - set to the hostname + of the NFS server + +```ini +[OSEv3:vars] +openshift_cfme_app_template=miq-template +openshift_cfme_storage_class=nfs_external +openshift_cfme_storage_nfs_external_hostname=nfs.example.com +``` + +If the external NFS host exports directories under a different parent +directory, such as `/exports/hosted/prod` then we would add an +additional parameter, `openshift_cfme_storage_nfs_base_dir`: + +```ini +# ... +openshift_cfme_storage_nfs_base_dir=/exports/hosted/prod +``` + +## Override PV sizes + +This example will override the PV sizes. Note that we must **also +set** template parameters in the `openshift_cfme_template_parameters` +parameter so that the application/db will be able to make claims on +created PVs without clobbering each other. + +```ini +[OSEv3:vars] +openshift_cfme_app_template=miq-template +openshift_cfme_app_pv_size=10Gi +openshift_cfme_db_pv_size=25Gi +openshift_cfme_template_parameters={'APPLICATION_VOLUME_CAPACITY': '10Gi', 'DATABASE_VOLUME_CAPACITY': '25Gi'} +``` + +## Override Memory Requirements + +In a test or proof-of-concept installation you may need to reduce the +application/database memory requirements to fit within your +capacity. Note that reducing memory limits can result in reduced +performance or a complete failure to initialize the application. + +```ini +[OSEv3:vars] +openshift_cfme_app_template=miq-template +openshift_cfme_template_parameters={'APPLICATION_MEM_REQ': '3000Mi', 'POSTGRESQL_MEM_REQ': '1Gi', 'ANSIBLE_MEM_REQ': '512Mi'} +``` + +Here we have instructed the installer to process the application +template with the parameter `APPLICATION_MEM_REQ` set to `3000Mi`, +`POSTGRESQL_MEM_REQ` set to `1Gi`, and `ANSIBLE_MEM_REQ` set to +`512Mi`. + +These parameters can be combined with the PV size override parameters +displayed in the previous example. 
+ +## External PostgreSQL Database + +To use an external database you must change the +`openshift_cfme_app_template` parameter value to `miq-template-ext-db` +or `cfme-template-ext-db`. + +Additionally, database connection information **must** be supplied in +the `openshift_cfme_template_parameters` customization parameter. See +[Customization - Database - External](#external-database) for more +information. + +```ini +[OSEv3:vars] +openshift_cfme_app_template=miq-template-ext-db +openshift_cfme_template_parameters={'DATABASE_IP': '10.9.8.7', 'DATABASE_PASSWORD': 'r1ck&M0r7y', ... } +``` + +# Limitations + +This release is the first OpenShift CFME release in the OCP 3.7 +series. It is not complete yet. + +## Product Choice + +Due to staggered release dates, **CFME support is not +integrated**. Presently this role will only deploy a ManageIQ +installation. This role will be updated once CFME 4.6 is released and +this limitation note will be removed. + +## Storage + +While all storage classes (`nfs`, `nfs_external`, `preconfigured`, and +`cloudprovider`) are presently supported, the local `nfs` storage +class has some specific limitations: + +1. Currently only verified to work if your first master is your NFS + host +1. Overriding the base exports path is not recommended as this may + cause configuration conflicts with other exports on your host + + +# Configuration + +Before you can deploy CFME you must decide *how* you want to deploy +it. There are two major decisions to make: + +1. Do you want an external, or a podified database? +1. Which storage class will back your PVs? + +## Configuration - Storage Classes + +OpenShift CFME supports several storage class options. + +### NFS (Default) + +The NFS storage class is best suited for proof-of-concept and +test/demo deployments. It is also the **default** storage class for +deployments. No additional configuration is required for this choice. 
+ +### NFS External + +External NFS leans on pre-configured NFS servers to provide exports +for the required PVs. For external NFS you must have: + +* For CFME: a `cfme-app` and optionally a `cfme-db` (for podified database) exports +* For ManageIQ: an `miq-app` and optionally an `miq-db` (for podified database) exports + +Additional configuration is required to use external NFS. The +`openshift_cfme_storage_nfs_external_hostname` parameter must be set +to the hostname or IP of your external NFS server. + +If `/exports` is not the parent directory to your CFME exports then +you must set the base directory via the +`openshift_cfme_storage_nfs_base_dir` parameter. + +For example, if your server export is `/exports/hosted/prod/miq-app` +then you must set +`openshift_cfme_storage_nfs_base_dir=/exports/hosted/prod`. + +### Cloud Provider + +CFME can also use a cloud provider storage to back required PVs. For +this functionality to work you must have also configured the +`openshift_cloudprovider_kind` variable and all associated parameters +specific to your chosen cloud provider. + +Using this storage class, when the application is created the required +PVs will automatically be provisioned using the configured cloud +provider storage integration. + +### Preconfigured (Expert Configuration Only) + +The *preconfigured* storage class implies that you know exactly what +you're doing and that all storage requirements have been taken care +ahead of time. Typically this means that you've already created the +correctly sized PVs. + +## Configuration - Database + +### Podified Database + +Any `POSTGRES_*` or `DATABASE_*` template parameters in +[miq-template.yaml](files/templates/manageiq/miq-template.yaml) or +[cfme-template.yaml](files/templates/cloudforms/cfme-template.yaml) +may be customized through the `openshift_cfme_template_parameters` +hash. + +### External Database + +External PostgreSQL databases require you to provide database +connection parameters. 
You must set the required connection keys in +the `openshift_cfme_template_parameters` parameter in your +inventory. The following keys are required: + +* `DATABASE_USER` +* `DATABASE_PASSWORD` +* `DATABASE_IP` +* `DATABASE_PORT` - *note: Most PostgreSQL servers run on port `5432`* +* `DATABASE_NAME` + +Your inventory would contain a line similar to this: + +```ini +[OSEv3:vars] +openshift_cfme_app_template=miq-template-ext-db +openshift_cfme_template_parameters={'DATABASE_IP': '10.9.8.7', 'DATABASE_PASSWORD': 'r1ck&M0r7y', ...} +``` + +**Note** the new value for the `openshift_cfme_app_template` +parameter, `miq-template-ext-db`. + +# Customization + +Application and database parameters may be customized by means of the +`openshift_cfme_template_parameters` inventory parameter. + +**For example**, if you wanted to reduce the memory requirement of the +PostgreSQL pod then you could configure the parameter like this: + +`openshift_cfme_template_parameters={'POSTGRESQL_MEM_REQ': '1Gi'}` + +When the CFME template is processed `1Gi` will be used for the value +of the `POSTGRESQL_MEM_REQ` template parameter. + +Any parameter in the `parameters` section of the +[miq-template.yaml](files/templates/manageiq/miq-template.yaml) or +[miq-template-ext-db.yaml](files/templates/manageiq/miq-template-ext-db.yaml) +may be overridden through the `openshift_cfme_template_parameters` +hash. This applies to **CloudForms** installations as well: +[cfme-template.yaml](files/templates/cloudforms/cfme-template.yaml), +[cfme-template-ext-db.yaml](files/templates/cloudforms/cfme-template-ext-db.yaml). + + +# Additional Information + +The upstream project, +[@manageiq/manageiq-pods](https://github.com/ManageIQ/manageiq-pods), +contains a wealth of additional information useful for managing and +operating your CFME installation. 
Topics include: + +* [Verifying Successful Installation](https://github.com/ManageIQ/manageiq-pods#verifying-the-setup-was-successful) +* [Disabling Image Change Triggers](https://github.com/ManageIQ/manageiq-pods#disable-image-change-triggers) +* [Scaling CFME](https://github.com/ManageIQ/manageiq-pods#scale-miq) +* [Backing up and Restoring the DB](https://github.com/ManageIQ/manageiq-pods#backup-and-restore-of-the-miq-database) +* [Troubleshooting](https://github.com/ManageIQ/manageiq-pods#troubleshooting) diff --git a/roles/openshift_cfme/defaults/main.yml b/roles/openshift_cfme/defaults/main.yml index 9a36f902d..b833bbb45 100644 --- a/roles/openshift_cfme/defaults/main.yml +++ b/roles/openshift_cfme/defaults/main.yml @@ -2,7 +2,7 @@ # Namespace for the CFME project openshift_cfme_project: openshift-cfme # Namespace/project description -openshift_cfme_project_description: ManageIQ - CloudForms Management Engine 4.6 +openshift_cfme_project_description: CloudForms Management Engine ###################################################################### # BASE TEMPLATE AND DATABASE OPTIONS 
@@ -17,20 +17,25 @@ openshift_cfme_app_template: miq-template # If you are using the miq-template-ext-db template then you must add # the required database parameters to the -# openshift_cfme_template_parameters variable. For example: +# openshift_cfme_template_parameters variable. You only need to +# provide parameters that differ from the ones in the following +# example. Any omitted parameter by the user will be default to its +# default below: # # openshift_cfme_template_parameters: -# DATABASE_USER: root -# DATABASE_PASSWORD: @_grrrr8Pa$$.h3r3 -# DATABASE_IP: 10.1.1.10 +# DATABASE_USER: 'root' +# DATABASE_PASSWORD: '' +# DATABASE_IP: '' # DATABASE_PORT: 5432 -# DATABASE_NAME: vmdb_production +# DATABASE_NAME: 'vmdb_production' +# +# See also var: __openshift_cfme_default_db_connection_info ###################################################################### # STORAGE OPTIONS ###################################################################### # DEFAULT - 'nfs' -# Allowed options: nfs, external, preconfigured, cloudprovider. +# Allowed options: nfs, nfs_external, preconfigured, cloudprovider. openshift_cfme_storage_class: nfs # * nfs - Best used for proof-of-concept installs. Will setup NFS on a # cluster host (defaults to your first master in the inventory file) @@ -41,8 +46,8 @@ openshift_cfme_storage_class: nfs # available space on an volume/partition if used specifically for # NFS purposes) # -# * external - You are using an external NFS server, such as a netapp -# appliance. See the STORAGE - NFS OPTIONS section below for +# * nfs_external - You are using an external NFS server, such as a +# netapp appliance. See the STORAGE - NFS OPTIONS section below for # required information. # # * preconfigured - This CFME role will do NOTHING to modify storage 
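Review bot: The rewritten example in this hunk presents `DATABASE_PASSWORD: ''` and `DATABASE_IP: ''` as defaults that omitted parameters "will be default to", but an empty password and empty host are not workable defaults for an external database; the comment should say these two are mandatory inputs for `miq-template-ext-db`, e.g. `# DATABASE_PASSWORD and DATABASE_IP have no usable default and MUST be supplied for miq-template-ext-db.` The sentence `Any omitted parameter by the user will be default to its default below` also reads awkwardly and could become `Any parameter you omit falls back to the default shown below`. Presumably the new validate.yml in this commit rejects empty values for these keys; if it does not, the role would silently render a template with an empty DATABASE_URL password. The hunk only covers the comment block, so the referenced `__openshift_cfme_default_db_connection_info` variable is defined outside this view.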
@@ -57,67 +62,43 @@ openshift_cfme_storage_class: nfs # Ensure 'openshift_cloudprovider_kind' is defined (aws or gce) and # that the applicable cloudprovider parameters are provided. -###################################################################### +#--------------------------------------------------------------------- # STORAGE - NFS OPTIONS -###################################################################### +#--------------------------------------------------------------------- # [OPTIONAL] - If you are using an EXTERNAL NFS server, such as a # netapp appliance, then you must set the hostname here. Leave the -# value as 'false' if you are not using external NFS -openshift_cfme_storage_external_nfs_hostname: false +# value as 'false' if you are not using external NFS. +openshift_cfme_storage_nfs_external_hostname: false # [OPTIONAL] - If you are using external NFS then you must set the base # path to the exports location here. # -# Or, change this value if you want to change the default path used -# for local NFS exports. 
-openshift_cfme_storage_external_nfs_base_dir: /exports/ - - -###################################################################### -# VARIOUS CONSTANTS - DO NOT OVERRIDE THESE UNDER ANY CIRCUMSTANCES -###################################################################### - -###################################################################### -# Misc enumerated values -# Allowed choices for the storage class parameter -openshift_cfme_storage_classes: - - nfs - - external - - preconfigured - - cloudprovider -# Name of the application templates with object/parameter definitions -openshift_cfme_app_templates: - - miq-template-ext-db - - miq-template -# PostgreSQL database connection parameters -openshift_cfme_db_parameters: - - DATABASE_USER - - DATABASE_PASSWORD - - DATABASE_IP - - DATABASE_PORT - - DATABASE_NAME - - -###################################################################### -# ACCOUNTING -###################################################################### -# Service Account SSCs -openshift_system_account_sccs: - - name: miq-anyuid - resource_name: anyuid - - name: miq-orchestrator - resource_name: anyuid - - name: miq-privileged - resource_name: privileged - - name: miq-httpd - resource_name: miq-httpd - -# Service Account Roles -openshift_cfme_system_account_roles: - - name: miq-orchestrator - resource_name: view - - name: miq-orchestrator - resource_name: edit +# Additionally: EXTERNAL NFS REQUIRES that YOU CREATE the nfs exports +# that will back the application PV and optionally the database +# pv. Export path definitions, relative to +# {{ openshift_cfme_storage_nfs_base_dir }} +# +# * REQUIRED[ALWAYS]: /miq-app - MIQ Server PV. +# +# * REQUIRED[NFS_EXTERNAL]: /miq-db - Podified DB PB +# +# LOCAL NFS NOTE: +# +# You may may also change this value if you want to change the default +# path used for local NFS exports. 
+openshift_cfme_storage_nfs_base_dir: /exports +# +# LOCAL NFS NOTE: +# +# You may override the automatically selected LOCAL NFS server by +# setting this variable. Useful for testing specific task files. +openshift_cfme_storage_nfs_local_hostname: false +#--------------------------------------------------------------------- +# DEFAULT PV SIZES +# How large to make the MIQ application PV +openshift_cfme_app_pv_size: 5Gi +# How large to make the MIQ PostgreSQL PV +openshift_cfme_db_pv_size: 15Gi ###################################################################### # SCAFFOLDING - These are parameters we pre-seed that a user may or 
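Review bot: The new export-path comment marks `/miq-db` as `REQUIRED[NFS_EXTERNAL]`, which contradicts the sentence two lines above ("optionally the database pv") and the README change in this same commit, where `miq-db` is only needed with a podified database; suggest `# * REQUIRED[PODIFIED DB ONLY]: /miq-db - Podified DB PV` (also fixing the `PB` typo). The `/miq-app` entry reads fine but the local-NFS note below has a doubled word, `You may may also change`. Separately, `openshift_cfme_storage_nfs_external_hostname` and the new `openshift_cfme_storage_nfs_local_hostname` default to the boolean `false` while holding hostnames when set, so consumers in the task files (outside this hunk) must treat both the boolean and an empty string as "unset"; a comment stating that these hold a hostname string or `false` would help the next reader.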
@@ -132,29 +113,11 @@ openshift_cfme_system_account_roles: # openshift_cfme_template_parameters={'APPLICATION_MEM_REQ': '512Mi'} openshift_cfme_template_parameters: {} -# # All the required exports -# openshift_cfme_pv_exports: -# - miq-pv01 -# - miq-pv02 -# - miq-pv03 -# # PV template files and their created object names -# openshift_cfme_pv_data: -# - pv_name: miq-pv01 -# pv_template: miq-pv-db.yaml -# pv_label: CFME DB PV -# - pv_name: miq-pv02 -# pv_template: miq-pv-region.yaml -# pv_label: CFME Region PV -# - pv_name: miq-pv03 -# pv_template: miq-pv-server.yaml -# pv_label: CFME Server PV - -# TODO: Refactor '_install_app' variable. This is just for testing but -# maybe in the future it should control the entire yes/no for CFME. -# -# Whether or not the manageiq app should be initialized ('oc new-app +###################################################################### +# Whether or not the cfme app should be initialized ('oc new-app # --template=manageiq). If False everything UP TO 'new-app' is ran. -openshift_cfme_install_app: False +openshift_cfme_install_app: false + # Docker image to pull # openshift_cfme_application_img_name: "{{ 'registry.access.redhat.com/cloudforms46/cfme-openshift-app' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}" # openshift_cfme_application_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'frontend-latest' }}" diff --git a/roles/openshift_cfme/files/miq-backup-job.yaml b/roles/openshift_cfme/files/miq-backup-job.yaml deleted file mode 100644 index 044cb73a5..000000000 --- a/roles/openshift_cfme/files/miq-backup-job.yaml +++ /dev/null 
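Review bot: The comment kept above `openshift_cfme_install_app: false` has an unbalanced quote and a grammar slip (`('oc new-app --template=manageiq). If False everything UP TO 'new-app' is ran.`); suggest `# If false, everything UP TO 'oc new-app --template=manageiq' is run.` The commented-out `openshift_cfme_application_img_name`/`_img_tag` lines survive this cleanup although every other commented-out default in the hunk was removed; if they are not meant to be re-enabled, dropping them or saying why they are kept would make the file consistent.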
@@ -1,28 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: manageiq-backup -spec: - template: - metadata: - name: manageiq-backup - spec: - containers: - - name: postgresql - image: docker.io/manageiq/postgresql:latest - command: - - "/opt/manageiq/container-scripts/backup_db" - env: - - name: DATABASE_URL - valueFrom: - secretKeyRef: - name: manageiq-secrets - key: database-url - volumeMounts: - - name: miq-backup-vol - mountPath: "/backups" - volumes: - - name: miq-backup-vol - persistentVolumeClaim: - claimName: manageiq-backup - restartPolicy: Never diff --git a/roles/openshift_cfme/files/miq-backup-pvc.yaml b/roles/openshift_cfme/files/miq-backup-pvc.yaml deleted file mode 100644 index 25696ef23..000000000 --- a/roles/openshift_cfme/files/miq-backup-pvc.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: manageiq-backup -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 15Gi diff --git a/roles/openshift_cfme/files/miq-pv-backup-example.yaml b/roles/openshift_cfme/files/miq-pv-backup-example.yaml deleted file mode 100644 index a5cf54d4e..000000000 --- a/roles/openshift_cfme/files/miq-pv-backup-example.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: - name: miq-pv03 -spec: - capacity: - storage: 15Gi - accessModes: - - ReadWriteOnce - nfs: - path: "/exports/miq-pv03" - server: "" - persistentVolumeReclaimPolicy: Retain diff --git a/roles/openshift_cfme/files/miq-pv-db-example.yaml b/roles/openshift_cfme/files/miq-pv-db-example.yaml deleted file mode 100644 index 7d66552db..000000000 --- a/roles/openshift_cfme/files/miq-pv-db-example.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: - name: miq-pv01 -spec: - capacity: - storage: 15Gi - accessModes: - - ReadWriteOnce - nfs: - path: "/exports/miq-pv01" - server: "" - persistentVolumeReclaimPolicy: Retain 
diff --git a/roles/openshift_cfme/files/miq-pv-server-example.yaml b/roles/openshift_cfme/files/miq-pv-server-example.yaml deleted file mode 100644 index e4a23334b..000000000 --- a/roles/openshift_cfme/files/miq-pv-server-example.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: - name: "${PV_NAME}" -spec: - capacity: - storage: 5Gi - accessModes: - - ReadWriteOnce - nfs: - path: "/${BASE_PATH}/${PV_NAME}" - server: "${NFS_SERVER}" - persistentVolumeReclaimPolicy: Retain -parameters: -- name: BASE_PATH - displayName: BasePath - required: true - description: The parent directory of your NFS exports - value: /exports -- name: PV_NAME - displayName: PVName - required: true - description: The name of this PV -- name: NFS_SERVER - displayName: NFSServer - required: true - description: The hostname or IP address of the NFS server diff --git a/roles/openshift_cfme/files/miq-restore-job.yaml b/roles/openshift_cfme/files/miq-restore-job.yaml deleted file mode 100644 index eea284dd4..000000000 --- a/roles/openshift_cfme/files/miq-restore-job.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: manageiq-restore -spec: - template: - metadata: - name: manageiq-restore - spec: - containers: - - name: postgresql - image: docker.io/manageiq/postgresql:latest - command: - - "/opt/manageiq/container-scripts/restore_db" - env: - - name: DATABASE_URL - valueFrom: - secretKeyRef: - name: manageiq-secrets - key: database-url - - name: BACKUP_VERSION - value: latest - volumeMounts: - - name: miq-backup-vol - mountPath: "/backups" - - name: miq-prod-vol - mountPath: "/restore" - volumes: - - name: miq-backup-vol - persistentVolumeClaim: - claimName: manageiq-backup - - name: miq-prod-vol - persistentVolumeClaim: - claimName: manageiq-postgresql - restartPolicy: Never 
diff --git a/roles/openshift_cfme/files/miq-scc-httpd.yaml b/roles/openshift_cfme/files/miq-scc-httpd.yaml deleted file mode 100644 index 0817b4908..000000000 --- a/roles/openshift_cfme/files/miq-scc-httpd.yaml +++ /dev/null @@ -1,38 +0,0 @@ -allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegedContainer: false -allowedCapabilities: -apiVersion: v1 -defaultAddCapabilities: -- SYS_ADMIN -fsGroup: - type: RunAsAny -groups: -- system:cluster-admins -kind: SecurityContextConstraints -metadata: - annotations: - kubernetes.io/description: miq-httpd provides all features of the anyuid SCC but allows users to have SYS_ADMIN capabilities. This is the required scc for Pods requiring to run with systemd and the message bus. - creationTimestamp: - name: miq-httpd -priority: 10 -readOnlyRootFilesystem: false -requiredDropCapabilities: -- MKNOD -- SYS_CHROOT -runAsUser: - type: RunAsAny -seLinuxContext: - type: MustRunAs -supplementalGroups: - type: RunAsAny -users: -volumes: -- configMap -- downwardAPI -- emptyDir -- persistentVolumeClaim -- secret diff --git a/roles/openshift_cfme/files/miq-template-ext-db.yaml b/roles/openshift_cfme/files/miq-template-ext-db.yaml deleted file mode 100644 index 82cd5d49e..000000000 --- a/roles/openshift_cfme/files/miq-template-ext-db.yaml +++ /dev/null 
@@ -1,771 +0,0 @@ -apiVersion: v1 -kind: Template -labels: - template: manageiq-ext-db -metadata: - name: manageiq-ext-db - annotations: - description: ManageIQ appliance with persistent storage using a external DB host - tags: instant-app,manageiq,miq - iconClass: icon-rails -objects: -- apiVersion: v1 - kind: ServiceAccount - metadata: - name: miq-orchestrator -- apiVersion: v1 - kind: ServiceAccount - metadata: - name: miq-anyuid -- apiVersion: v1 - kind: ServiceAccount - metadata: - name: miq-privileged -- apiVersion: v1 - kind: ServiceAccount - metadata: - name: miq-httpd -- apiVersion: v1 - kind: Secret - metadata: - name: "${NAME}-secrets" - stringData: - pg-password: "${DATABASE_PASSWORD}" - database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5 - v2-key: "${V2_KEY}" -- apiVersion: v1 - kind: Secret - metadata: - name: "${ANSIBLE_SERVICE_NAME}-secrets" - stringData: - rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}" - secret-key: "${ANSIBLE_SECRET_KEY}" - admin-password: "${ANSIBLE_ADMIN_PASSWORD}" -- apiVersion: v1 - kind: Service - metadata: - annotations: - description: Exposes and load balances ManageIQ pods - service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]' - name: "${NAME}" - spec: - clusterIP: None - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 80 - selector: - name: "${NAME}" -- apiVersion: v1 - kind: Route - metadata: - name: "${HTTPD_SERVICE_NAME}" - spec: - host: "${APPLICATION_DOMAIN}" - port: - targetPort: http - tls: - termination: edge - insecureEdgeTerminationPolicy: Redirect - to: - kind: Service - name: "${HTTPD_SERVICE_NAME}" -- apiVersion: apps/v1beta1 - kind: StatefulSet - metadata: - name: "${NAME}" - annotations: - description: Defines how to deploy the ManageIQ appliance - spec: - serviceName: 
"${NAME}" - replicas: "${APPLICATION_REPLICA_COUNT}" - template: - metadata: - labels: - name: "${NAME}" - name: "${NAME}" - spec: - containers: - - name: manageiq - image: "${APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}" - livenessProbe: - tcpSocket: - port: 80 - initialDelaySeconds: 480 - timeoutSeconds: 3 - readinessProbe: - httpGet: - path: "/" - port: 80 - scheme: HTTP - initialDelaySeconds: 200 - timeoutSeconds: 3 - ports: - - containerPort: 80 - protocol: TCP - volumeMounts: - - name: "${NAME}-server" - mountPath: "/persistent" - env: - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: APPLICATION_INIT_DELAY - value: "${APPLICATION_INIT_DELAY}" - - name: DATABASE_SERVICE_NAME - value: "${DATABASE_SERVICE_NAME}" - - name: DATABASE_REGION - value: "${DATABASE_REGION}" - - name: DATABASE_URL - valueFrom: - secretKeyRef: - name: "${NAME}-secrets" - key: database-url - - name: MEMCACHED_SERVER - value: "${MEMCACHED_SERVICE_NAME}:11211" - - name: MEMCACHED_SERVICE_NAME - value: "${MEMCACHED_SERVICE_NAME}" - - name: V2_KEY - valueFrom: - secretKeyRef: - name: "${NAME}-secrets" - key: v2-key - - name: ANSIBLE_SERVICE_NAME - value: "${ANSIBLE_SERVICE_NAME}" - - name: ANSIBLE_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: "${ANSIBLE_SERVICE_NAME}-secrets" - key: admin-password - resources: - requests: - memory: "${APPLICATION_MEM_REQ}" - cpu: "${APPLICATION_CPU_REQ}" - limits: - memory: "${APPLICATION_MEM_LIMIT}" - lifecycle: - preStop: - exec: - command: - - "/opt/manageiq/container-scripts/sync-pv-data" - serviceAccount: miq-orchestrator - serviceAccountName: miq-orchestrator - terminationGracePeriodSeconds: 90 - volumeClaimTemplates: - - metadata: - name: "${NAME}-server" - annotations: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: "${APPLICATION_VOLUME_CAPACITY}" -- apiVersion: v1 - kind: Service - metadata: - annotations: - description: Headless service for ManageIQ backend 
pods - name: "${NAME}-backend" - spec: - clusterIP: None - selector: - name: "${NAME}-backend" -- apiVersion: apps/v1beta1 - kind: StatefulSet - metadata: - name: "${NAME}-backend" - annotations: - description: Defines how to deploy the ManageIQ appliance - spec: - serviceName: "${NAME}-backend" - replicas: 0 - template: - metadata: - labels: - name: "${NAME}-backend" - name: "${NAME}-backend" - spec: - containers: - - name: manageiq - image: "${APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}" - livenessProbe: - exec: - command: - - pidof - - MIQ Server - initialDelaySeconds: 480 - timeoutSeconds: 3 - volumeMounts: - - name: "${NAME}-server" - mountPath: "/persistent" - env: - - name: APPLICATION_INIT_DELAY - value: "${APPLICATION_INIT_DELAY}" - - name: DATABASE_URL - valueFrom: - secretKeyRef: - name: "${NAME}-secrets" - key: database-url - - name: MIQ_SERVER_DEFAULT_ROLES - value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate - - name: FRONTEND_SERVICE_NAME - value: "${NAME}" - - name: MEMCACHED_SERVER - value: "${MEMCACHED_SERVICE_NAME}:11211" - - name: V2_KEY - valueFrom: - secretKeyRef: - name: "${NAME}-secrets" - key: v2-key - - name: ANSIBLE_SERVICE_NAME - value: "${ANSIBLE_SERVICE_NAME}" - - name: ANSIBLE_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: "${ANSIBLE_SERVICE_NAME}-secrets" - key: admin-password - resources: - requests: - memory: "${APPLICATION_MEM_REQ}" - cpu: "${APPLICATION_CPU_REQ}" - limits: - memory: "${APPLICATION_MEM_LIMIT}" - lifecycle: - preStop: - exec: - command: - - "/opt/manageiq/container-scripts/sync-pv-data" - serviceAccount: miq-orchestrator - serviceAccountName: miq-orchestrator - terminationGracePeriodSeconds: 90 - volumeClaimTemplates: - - metadata: - name: "${NAME}-server" - annotations: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: "${APPLICATION_VOLUME_CAPACITY}" -- apiVersion: v1 - kind: Service - metadata: - name: 
"${MEMCACHED_SERVICE_NAME}" - annotations: - description: Exposes the memcached server - spec: - ports: - - name: memcached - port: 11211 - targetPort: 11211 - selector: - name: "${MEMCACHED_SERVICE_NAME}" -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: "${MEMCACHED_SERVICE_NAME}" - annotations: - description: Defines how to deploy memcached - spec: - strategy: - type: Recreate - triggers: - - type: ConfigChange - replicas: 1 - selector: - name: "${MEMCACHED_SERVICE_NAME}" - template: - metadata: - name: "${MEMCACHED_SERVICE_NAME}" - labels: - name: "${MEMCACHED_SERVICE_NAME}" - spec: - volumes: [] - containers: - - name: memcached - image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}" - ports: - - containerPort: 11211 - readinessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 5 - tcpSocket: - port: 11211 - livenessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 30 - tcpSocket: - port: 11211 - volumeMounts: [] - env: - - name: MEMCACHED_MAX_MEMORY - value: "${MEMCACHED_MAX_MEMORY}" - - name: MEMCACHED_MAX_CONNECTIONS - value: "${MEMCACHED_MAX_CONNECTIONS}" - - name: MEMCACHED_SLAB_PAGE_SIZE - value: "${MEMCACHED_SLAB_PAGE_SIZE}" - resources: - requests: - memory: "${MEMCACHED_MEM_REQ}" - cpu: "${MEMCACHED_CPU_REQ}" - limits: - memory: "${MEMCACHED_MEM_LIMIT}" -- apiVersion: v1 - kind: Service - metadata: - name: "${DATABASE_SERVICE_NAME}" - annotations: - description: Remote database service - spec: - ports: - - name: postgresql - port: 5432 - targetPort: "${{DATABASE_PORT}}" - selector: {} -- apiVersion: v1 - kind: Endpoints - metadata: - name: "${DATABASE_SERVICE_NAME}" - subsets: - - addresses: - - ip: "${DATABASE_IP}" - ports: - - port: "${{DATABASE_PORT}}" - name: postgresql -- apiVersion: v1 - kind: Service - metadata: - annotations: - description: Exposes and load balances Ansible pods - service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]' - name: "${ANSIBLE_SERVICE_NAME}" - spec: 
- ports: - - name: http - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - selector: - name: "${ANSIBLE_SERVICE_NAME}" -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: "${ANSIBLE_SERVICE_NAME}" - annotations: - description: Defines how to deploy the Ansible appliance - spec: - strategy: - type: Recreate - serviceName: "${ANSIBLE_SERVICE_NAME}" - replicas: 0 - template: - metadata: - labels: - name: "${ANSIBLE_SERVICE_NAME}" - name: "${ANSIBLE_SERVICE_NAME}" - spec: - containers: - - name: ansible - image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}" - livenessProbe: - tcpSocket: - port: 443 - initialDelaySeconds: 480 - timeoutSeconds: 3 - readinessProbe: - httpGet: - path: "/" - port: 443 - scheme: HTTPS - initialDelaySeconds: 200 - timeoutSeconds: 3 - ports: - - containerPort: 80 - protocol: TCP - - containerPort: 443 - protocol: TCP - securityContext: - privileged: true - env: - - name: ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: "${ANSIBLE_SERVICE_NAME}-secrets" - key: admin-password - - name: RABBITMQ_USER_NAME - value: "${ANSIBLE_RABBITMQ_USER_NAME}" - - name: RABBITMQ_PASSWORD - valueFrom: - secretKeyRef: - name: "${ANSIBLE_SERVICE_NAME}-secrets" - key: rabbit-password - - name: ANSIBLE_SECRET_KEY - valueFrom: - secretKeyRef: - name: "${ANSIBLE_SERVICE_NAME}-secrets" - key: secret-key - - name: DATABASE_SERVICE_NAME - value: "${DATABASE_SERVICE_NAME}" - - name: POSTGRESQL_USER - value: "${DATABASE_USER}" - - name: POSTGRESQL_PASSWORD - valueFrom: - secretKeyRef: - name: "${NAME}-secrets" - key: pg-password - - name: POSTGRESQL_DATABASE - value: "${ANSIBLE_DATABASE_NAME}" - resources: - requests: - memory: "${ANSIBLE_MEM_REQ}" - cpu: "${ANSIBLE_CPU_REQ}" - limits: - memory: "${ANSIBLE_MEM_LIMIT}" - serviceAccount: miq-privileged - serviceAccountName: miq-privileged -- apiVersion: v1 - kind: ConfigMap - metadata: - name: "${HTTPD_SERVICE_NAME}-configs" - data: - application.conf: | - # 
Timeout: The number of seconds before receives and sends time out. - Timeout 120 - - RewriteEngine On - Options SymLinksIfOwnerMatch - - - KeepAlive on - ProxyPreserveHost on - ProxyPass /ws/ ws://${NAME}/ws/ - ProxyPassReverse /ws/ ws://${NAME}/ws/ - ProxyPass / http://${NAME}/ - ProxyPassReverse / http://${NAME}/ - -- apiVersion: v1 - kind: ConfigMap - metadata: - name: "${HTTPD_SERVICE_NAME}-auth-configs" - data: - auth-type: internal - auth-configuration.conf: | - # External Authentication Configuration File - # - # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication -- apiVersion: v1 - kind: Service - metadata: - name: "${HTTPD_SERVICE_NAME}" - annotations: - description: Exposes the httpd server - service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]' - spec: - ports: - - name: http - port: 80 - targetPort: 80 - selector: - name: httpd -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: "${HTTPD_SERVICE_NAME}" - annotations: - description: Defines how to deploy httpd - spec: - strategy: - type: Recreate - recreateParams: - timeoutSeconds: 1200 - triggers: - - type: ConfigChange - replicas: 1 - selector: - name: "${HTTPD_SERVICE_NAME}" - template: - metadata: - name: "${HTTPD_SERVICE_NAME}" - labels: - name: "${HTTPD_SERVICE_NAME}" - spec: - volumes: - - name: httpd-config - configMap: - name: "${HTTPD_SERVICE_NAME}-configs" - - name: httpd-auth-config - configMap: - name: "${HTTPD_SERVICE_NAME}-auth-configs" - containers: - - name: httpd - image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}" - ports: - - containerPort: 80 - livenessProbe: - exec: - command: - - pidof - - httpd - initialDelaySeconds: 15 - timeoutSeconds: 3 - readinessProbe: - tcpSocket: - port: 80 - initialDelaySeconds: 10 - timeoutSeconds: 3 - volumeMounts: - - name: httpd-config - mountPath: "${HTTPD_CONFIG_DIR}" - - name: httpd-auth-config - mountPath: 
"${HTTPD_AUTH_CONFIG_DIR}" - resources: - requests: - memory: "${HTTPD_MEM_REQ}" - cpu: "${HTTPD_CPU_REQ}" - limits: - memory: "${HTTPD_MEM_LIMIT}" - env: - - name: HTTPD_AUTH_TYPE - valueFrom: - configMapKeyRef: - name: "${HTTPD_SERVICE_NAME}-auth-configs" - key: auth-type - lifecycle: - postStart: - exec: - command: - - "/usr/bin/save-container-environment" - serviceAccount: miq-anyuid - serviceAccountName: miq-anyuid -parameters: -- name: NAME - displayName: Name - required: true - description: The name assigned to all of the frontend objects defined in this template. - value: manageiq -- name: V2_KEY - displayName: ManageIQ Encryption Key - required: true - description: Encryption Key for ManageIQ Passwords - from: "[a-zA-Z0-9]{43}" - generate: expression -- name: DATABASE_SERVICE_NAME - displayName: PostgreSQL Service Name - required: true - description: The name of the OpenShift Service exposed for the PostgreSQL container. - value: postgresql -- name: DATABASE_USER - displayName: PostgreSQL User - required: true - description: PostgreSQL user that will access the database. - value: root -- name: DATABASE_PASSWORD - displayName: PostgreSQL Password - required: true - description: Password for the PostgreSQL user. - from: "[a-zA-Z0-9]{8}" - generate: expression -- name: DATABASE_IP - displayName: PostgreSQL Server IP - required: true - description: PostgreSQL external server IP used to configure service. - value: '' -- name: DATABASE_PORT - displayName: PostgreSQL Server Port - required: true - description: PostgreSQL external server port used to configure service. - value: '5432' -- name: DATABASE_NAME - required: true - displayName: PostgreSQL Database Name - description: Name of the PostgreSQL database accessed. - value: vmdb_production -- name: DATABASE_REGION - required: true - displayName: Application Database Region - description: Database region that will be used for application. 
- value: '0' -- name: ANSIBLE_DATABASE_NAME - displayName: Ansible PostgreSQL database name - required: true - description: The database to be used by the Ansible continer - value: awx -- name: MEMCACHED_SERVICE_NAME - required: true - displayName: Memcached Service Name - description: The name of the OpenShift Service exposed for the Memcached container. - value: memcached -- name: MEMCACHED_MAX_MEMORY - displayName: Memcached Max Memory - description: Memcached maximum memory for memcached object storage in MB. - value: '64' -- name: MEMCACHED_MAX_CONNECTIONS - displayName: Memcached Max Connections - description: Memcached maximum number of connections allowed. - value: '1024' -- name: MEMCACHED_SLAB_PAGE_SIZE - displayName: Memcached Slab Page Size - description: Memcached size of each slab page. - value: 1m -- name: ANSIBLE_SERVICE_NAME - displayName: Ansible Service Name - description: The name of the OpenShift Service exposed for the Ansible container. - value: ansible -- name: ANSIBLE_ADMIN_PASSWORD - displayName: Ansible admin User password - required: true - description: The password for the Ansible container admin user - from: "[a-zA-Z0-9]{32}" - generate: expression -- name: ANSIBLE_SECRET_KEY - displayName: Ansible Secret Key - required: true - description: Encryption key for the Ansible container - from: "[a-f0-9]{32}" - generate: expression -- name: ANSIBLE_RABBITMQ_USER_NAME - displayName: RabbitMQ Username - required: true - description: Username for the Ansible RabbitMQ Server - value: ansible -- name: ANSIBLE_RABBITMQ_PASSWORD - displayName: RabbitMQ Server Password - required: true - description: Password for the Ansible RabbitMQ Server - from: "[a-zA-Z0-9]{32}" - generate: expression -- name: APPLICATION_CPU_REQ - displayName: Application Min CPU Requested - required: true - description: Minimum amount of CPU time the Application container will need (expressed in millicores). 
- value: 1000m -- name: MEMCACHED_CPU_REQ - displayName: Memcached Min CPU Requested - required: true - description: Minimum amount of CPU time the Memcached container will need (expressed in millicores). - value: 200m -- name: ANSIBLE_CPU_REQ - displayName: Ansible Min CPU Requested - required: true - description: Minimum amount of CPU time the Ansible container will need (expressed in millicores). - value: 1000m -- name: APPLICATION_MEM_REQ - displayName: Application Min RAM Requested - required: true - description: Minimum amount of memory the Application container will need. - value: 6144Mi -- name: MEMCACHED_MEM_REQ - displayName: Memcached Min RAM Requested - required: true - description: Minimum amount of memory the Memcached container will need. - value: 64Mi -- name: ANSIBLE_MEM_REQ - displayName: Ansible Min RAM Requested - required: true - description: Minimum amount of memory the Ansible container will need. - value: 2048Mi -- name: APPLICATION_MEM_LIMIT - displayName: Application Max RAM Limit - required: true - description: Maximum amount of memory the Application container can consume. - value: 16384Mi -- name: MEMCACHED_MEM_LIMIT - displayName: Memcached Max RAM Limit - required: true - description: Maximum amount of memory the Memcached container can consume. - value: 256Mi -- name: ANSIBLE_MEM_LIMIT - displayName: Ansible Max RAM Limit - required: true - description: Maximum amount of memory the Ansible container can consume. - value: 8096Mi -- name: MEMCACHED_IMG_NAME - displayName: Memcached Image Name - description: This is the Memcached image name requested to deploy. - value: docker.io/manageiq/memcached -- name: MEMCACHED_IMG_TAG - displayName: Memcached Image Tag - description: This is the Memcached image tag/version requested to deploy. - value: latest -- name: APPLICATION_IMG_NAME - displayName: Application Image Name - description: This is the Application image name requested to deploy. 
- value: docker.io/manageiq/manageiq-pods -- name: FRONTEND_APPLICATION_IMG_TAG - displayName: Front end Application Image Tag - description: This is the ManageIQ Frontend Application image tag/version requested to deploy. - value: frontend-latest -- name: BACKEND_APPLICATION_IMG_TAG - displayName: Back end Application Image Tag - description: This is the ManageIQ Backend Application image tag/version requested to deploy. - value: backend-latest -- name: ANSIBLE_IMG_NAME - displayName: Ansible Image Name - description: This is the Ansible image name requested to deploy. - value: docker.io/manageiq/embedded-ansible -- name: ANSIBLE_IMG_TAG - displayName: Ansible Image Tag - description: This is the Ansible image tag/version requested to deploy. - value: latest -- name: APPLICATION_DOMAIN - displayName: Application Hostname - description: The exposed hostname that will route to the application service, if left blank a value will be defaulted. - value: '' -- name: APPLICATION_REPLICA_COUNT - displayName: Application Replica Count - description: This is the number of Application replicas requested to deploy. - value: '1' -- name: APPLICATION_INIT_DELAY - displayName: Application Init Delay - required: true - description: Delay in seconds before we attempt to initialize the application. - value: '15' -- name: APPLICATION_VOLUME_CAPACITY - displayName: Application Volume Capacity - required: true - description: Volume space available for application data. - value: 5Gi -- name: HTTPD_SERVICE_NAME - required: true - displayName: Apache httpd Service Name - description: The name of the OpenShift Service exposed for the httpd container. - value: httpd -- name: HTTPD_IMG_NAME - displayName: Apache httpd Image Name - description: This is the httpd image name requested to deploy. - value: docker.io/manageiq/httpd -- name: HTTPD_IMG_TAG - displayName: Apache httpd Image Tag - description: This is the httpd image tag/version requested to deploy. 
- value: latest -- name: HTTPD_CONFIG_DIR - displayName: Apache httpd Configuration Directory - description: Directory used to store the Apache configuration files. - value: "/etc/httpd/conf.d" -- name: HTTPD_AUTH_CONFIG_DIR - displayName: External Authentication Configuration Directory - description: Directory used to store the external authentication configuration files. - value: "/etc/httpd/auth-conf.d" -- name: HTTPD_CPU_REQ - displayName: Apache httpd Min CPU Requested - required: true - description: Minimum amount of CPU time the httpd container will need (expressed in millicores). - value: 500m -- name: HTTPD_MEM_REQ - displayName: Apache httpd Min RAM Requested - required: true - description: Minimum amount of memory the httpd container will need. - value: 512Mi -- name: HTTPD_MEM_LIMIT - displayName: Apache httpd Max RAM Limit - required: true - description: Maximum amount of memory the httpd container can consume. - value: 8192Mi diff --git a/roles/openshift_cfme/files/miq-template.yaml b/roles/openshift_cfme/files/miq-template.yaml deleted file mode 100644 index 3f5a12205..000000000 --- a/roles/openshift_cfme/files/miq-template.yaml +++ /dev/null 
@@ -1,948 +0,0 @@ -apiVersion: v1 -kind: Template -labels: - template: manageiq -metadata: - name: manageiq - annotations: - description: ManageIQ appliance with persistent storage - tags: instant-app,manageiq,miq - iconClass: icon-rails -objects: -- apiVersion: v1 - kind: ServiceAccount - metadata: - name: miq-orchestrator -- apiVersion: v1 - kind: ServiceAccount - metadata: - name: miq-anyuid -- apiVersion: v1 - kind: ServiceAccount - metadata: - name: miq-privileged -- apiVersion: v1 - kind: ServiceAccount - metadata: - name: miq-httpd -- apiVersion: v1 - kind: Secret - metadata: - name: "${NAME}-secrets" - stringData: - pg-password: "${DATABASE_PASSWORD}" - database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5 - v2-key: "${V2_KEY}" -- apiVersion: v1 - kind: Secret - metadata: - name: "${ANSIBLE_SERVICE_NAME}-secrets" - stringData: - rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}" - secret-key: "${ANSIBLE_SECRET_KEY}" - admin-password: "${ANSIBLE_ADMIN_PASSWORD}" -- apiVersion: v1 - kind: ConfigMap - metadata: - name: "${DATABASE_SERVICE_NAME}-configs" - data: - 01_miq_overrides.conf: | - #------------------------------------------------------------------------------ - # CONNECTIONS AND AUTHENTICATION - #------------------------------------------------------------------------------ - - tcp_keepalives_count = 9 - tcp_keepalives_idle = 3 - tcp_keepalives_interval = 75 - - #------------------------------------------------------------------------------ - # RESOURCE USAGE (except WAL) - #------------------------------------------------------------------------------ - - shared_preload_libraries = 'pglogical,repmgr_funcs' - max_worker_processes = 10 - - #------------------------------------------------------------------------------ - # WRITE AHEAD LOG - #------------------------------------------------------------------------------ - - wal_level = 'logical' - wal_log_hints = on - 
wal_buffers = 16MB - checkpoint_completion_target = 0.9 - - #------------------------------------------------------------------------------ - # REPLICATION - #------------------------------------------------------------------------------ - - max_wal_senders = 10 - wal_sender_timeout = 0 - max_replication_slots = 10 - hot_standby = on - - #------------------------------------------------------------------------------ - # ERROR REPORTING AND LOGGING - #------------------------------------------------------------------------------ - - log_filename = 'postgresql.log' - log_rotation_age = 0 - log_min_duration_statement = 5000 - log_connections = on - log_disconnections = on - log_line_prefix = '%t:%r:%c:%u@%d:[%p]:' - log_lock_waits = on - - #------------------------------------------------------------------------------ - # AUTOVACUUM PARAMETERS - #------------------------------------------------------------------------------ - - log_autovacuum_min_duration = 0 - autovacuum_naptime = 5min - autovacuum_vacuum_threshold = 500 - autovacuum_analyze_threshold = 500 - autovacuum_vacuum_scale_factor = 0.05 - - #------------------------------------------------------------------------------ - # LOCK MANAGEMENT - #------------------------------------------------------------------------------ - - deadlock_timeout = 5s - - #------------------------------------------------------------------------------ - # VERSION/PLATFORM COMPATIBILITY - #------------------------------------------------------------------------------ - - escape_string_warning = off - standard_conforming_strings = off -- apiVersion: v1 - kind: ConfigMap - metadata: - name: "${HTTPD_SERVICE_NAME}-configs" - data: - application.conf: | - # Timeout: The number of seconds before receives and sends time out. 
- Timeout 120 - - RewriteEngine On - Options SymLinksIfOwnerMatch - - - KeepAlive on - ProxyPreserveHost on - ProxyPass /ws/ ws://${NAME}/ws/ - ProxyPassReverse /ws/ ws://${NAME}/ws/ - ProxyPass / http://${NAME}/ - ProxyPassReverse / http://${NAME}/ - -- apiVersion: v1 - kind: ConfigMap - metadata: - name: "${HTTPD_SERVICE_NAME}-auth-configs" - data: - auth-type: internal - auth-configuration.conf: | - # External Authentication Configuration File - # - # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication -- apiVersion: v1 - kind: Service - metadata: - annotations: - description: Exposes and load balances ManageIQ pods - service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]' - name: "${NAME}" - spec: - clusterIP: None - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 80 - selector: - name: "${NAME}" -- apiVersion: v1 - kind: Route - metadata: - name: "${HTTPD_SERVICE_NAME}" - spec: - host: "${APPLICATION_DOMAIN}" - port: - targetPort: http - tls: - termination: edge - insecureEdgeTerminationPolicy: Redirect - to: - kind: Service - name: "${HTTPD_SERVICE_NAME}" -- apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: "${NAME}-${DATABASE_SERVICE_NAME}" - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: "${DATABASE_VOLUME_CAPACITY}" -- apiVersion: apps/v1beta1 - kind: StatefulSet - metadata: - name: "${NAME}" - annotations: - description: Defines how to deploy the ManageIQ appliance - spec: - serviceName: "${NAME}" - replicas: "${APPLICATION_REPLICA_COUNT}" - template: - metadata: - labels: - name: "${NAME}" - name: "${NAME}" - spec: - containers: - - name: manageiq - image: "${APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}" - livenessProbe: - tcpSocket: - port: 80 - initialDelaySeconds: 480 - 
timeoutSeconds: 3 - readinessProbe: - httpGet: - path: "/" - port: 80 - scheme: HTTP - initialDelaySeconds: 200 - timeoutSeconds: 3 - ports: - - containerPort: 80 - protocol: TCP - volumeMounts: - - name: "${NAME}-server" - mountPath: "/persistent" - env: - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: APPLICATION_INIT_DELAY - value: "${APPLICATION_INIT_DELAY}" - - name: DATABASE_SERVICE_NAME - value: "${DATABASE_SERVICE_NAME}" - - name: DATABASE_REGION - value: "${DATABASE_REGION}" - - name: DATABASE_URL - valueFrom: - secretKeyRef: - name: "${NAME}-secrets" - key: database-url - - name: MEMCACHED_SERVER - value: "${MEMCACHED_SERVICE_NAME}:11211" - - name: MEMCACHED_SERVICE_NAME - value: "${MEMCACHED_SERVICE_NAME}" - - name: V2_KEY - valueFrom: - secretKeyRef: - name: "${NAME}-secrets" - key: v2-key - - name: ANSIBLE_SERVICE_NAME - value: "${ANSIBLE_SERVICE_NAME}" - - name: ANSIBLE_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: "${ANSIBLE_SERVICE_NAME}-secrets" - key: admin-password - resources: - requests: - memory: "${APPLICATION_MEM_REQ}" - cpu: "${APPLICATION_CPU_REQ}" - limits: - memory: "${APPLICATION_MEM_LIMIT}" - lifecycle: - preStop: - exec: - command: - - "/opt/manageiq/container-scripts/sync-pv-data" - serviceAccount: miq-orchestrator - serviceAccountName: miq-orchestrator - terminationGracePeriodSeconds: 90 - volumeClaimTemplates: - - metadata: - name: "${NAME}-server" - annotations: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: "${APPLICATION_VOLUME_CAPACITY}" -- apiVersion: v1 - kind: Service - metadata: - annotations: - description: Headless service for ManageIQ backend pods - name: "${NAME}-backend" - spec: - clusterIP: None - selector: - name: "${NAME}-backend" -- apiVersion: apps/v1beta1 - kind: StatefulSet - metadata: - name: "${NAME}-backend" - annotations: - description: Defines how to deploy the ManageIQ appliance - spec: - serviceName: "${NAME}-backend" - 
replicas: 0 - template: - metadata: - labels: - name: "${NAME}-backend" - name: "${NAME}-backend" - spec: - containers: - - name: manageiq - image: "${APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}" - livenessProbe: - exec: - command: - - pidof - - MIQ Server - initialDelaySeconds: 480 - timeoutSeconds: 3 - volumeMounts: - - name: "${NAME}-server" - mountPath: "/persistent" - env: - - name: APPLICATION_INIT_DELAY - value: "${APPLICATION_INIT_DELAY}" - - name: DATABASE_URL - valueFrom: - secretKeyRef: - name: "${NAME}-secrets" - key: database-url - - name: MIQ_SERVER_DEFAULT_ROLES - value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate - - name: FRONTEND_SERVICE_NAME - value: "${NAME}" - - name: MEMCACHED_SERVER - value: "${MEMCACHED_SERVICE_NAME}:11211" - - name: V2_KEY - valueFrom: - secretKeyRef: - name: "${NAME}-secrets" - key: v2-key - - name: ANSIBLE_SERVICE_NAME - value: "${ANSIBLE_SERVICE_NAME}" - - name: ANSIBLE_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: "${ANSIBLE_SERVICE_NAME}-secrets" - key: admin-password - resources: - requests: - memory: "${APPLICATION_MEM_REQ}" - cpu: "${APPLICATION_CPU_REQ}" - limits: - memory: "${APPLICATION_MEM_LIMIT}" - lifecycle: - preStop: - exec: - command: - - "/opt/manageiq/container-scripts/sync-pv-data" - serviceAccount: miq-orchestrator - serviceAccountName: miq-orchestrator - terminationGracePeriodSeconds: 90 - volumeClaimTemplates: - - metadata: - name: "${NAME}-server" - annotations: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: "${APPLICATION_VOLUME_CAPACITY}" -- apiVersion: v1 - kind: Service - metadata: - name: "${MEMCACHED_SERVICE_NAME}" - annotations: - description: Exposes the memcached server - spec: - ports: - - name: memcached - port: 11211 - targetPort: 11211 - selector: - name: "${MEMCACHED_SERVICE_NAME}" -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: "${MEMCACHED_SERVICE_NAME}" - annotations: - 
description: Defines how to deploy memcached - spec: - strategy: - type: Recreate - triggers: - - type: ConfigChange - replicas: 1 - selector: - name: "${MEMCACHED_SERVICE_NAME}" - template: - metadata: - name: "${MEMCACHED_SERVICE_NAME}" - labels: - name: "${MEMCACHED_SERVICE_NAME}" - spec: - volumes: [] - containers: - - name: memcached - image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}" - ports: - - containerPort: 11211 - readinessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 5 - tcpSocket: - port: 11211 - livenessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 30 - tcpSocket: - port: 11211 - volumeMounts: [] - env: - - name: MEMCACHED_MAX_MEMORY - value: "${MEMCACHED_MAX_MEMORY}" - - name: MEMCACHED_MAX_CONNECTIONS - value: "${MEMCACHED_MAX_CONNECTIONS}" - - name: MEMCACHED_SLAB_PAGE_SIZE - value: "${MEMCACHED_SLAB_PAGE_SIZE}" - resources: - requests: - memory: "${MEMCACHED_MEM_REQ}" - cpu: "${MEMCACHED_CPU_REQ}" - limits: - memory: "${MEMCACHED_MEM_LIMIT}" -- apiVersion: v1 - kind: Service - metadata: - name: "${DATABASE_SERVICE_NAME}" - annotations: - description: Exposes the database server - spec: - ports: - - name: postgresql - port: 5432 - targetPort: 5432 - selector: - name: "${DATABASE_SERVICE_NAME}" -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: "${DATABASE_SERVICE_NAME}" - annotations: - description: Defines how to deploy the database - spec: - strategy: - type: Recreate - triggers: - - type: ConfigChange - replicas: 1 - selector: - name: "${DATABASE_SERVICE_NAME}" - template: - metadata: - name: "${DATABASE_SERVICE_NAME}" - labels: - name: "${DATABASE_SERVICE_NAME}" - spec: - volumes: - - name: miq-pgdb-volume - persistentVolumeClaim: - claimName: "${NAME}-${DATABASE_SERVICE_NAME}" - - name: miq-pg-configs - configMap: - name: "${DATABASE_SERVICE_NAME}-configs" - containers: - - name: postgresql - image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}" - ports: - - containerPort: 5432 - readinessProbe: - timeoutSeconds: 1 - 
initialDelaySeconds: 15 - exec: - command: - - "/bin/sh" - - "-i" - - "-c" - - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1' - livenessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 60 - tcpSocket: - port: 5432 - volumeMounts: - - name: miq-pgdb-volume - mountPath: "/var/lib/pgsql/data" - - name: miq-pg-configs - mountPath: "${POSTGRESQL_CONFIG_DIR}" - env: - - name: POSTGRESQL_USER - value: "${DATABASE_USER}" - - name: POSTGRESQL_PASSWORD - valueFrom: - secretKeyRef: - name: "${NAME}-secrets" - key: pg-password - - name: POSTGRESQL_DATABASE - value: "${DATABASE_NAME}" - - name: POSTGRESQL_MAX_CONNECTIONS - value: "${POSTGRESQL_MAX_CONNECTIONS}" - - name: POSTGRESQL_SHARED_BUFFERS - value: "${POSTGRESQL_SHARED_BUFFERS}" - - name: POSTGRESQL_CONFIG_DIR - value: "${POSTGRESQL_CONFIG_DIR}" - resources: - requests: - memory: "${POSTGRESQL_MEM_REQ}" - cpu: "${POSTGRESQL_CPU_REQ}" - limits: - memory: "${POSTGRESQL_MEM_LIMIT}" -- apiVersion: v1 - kind: Service - metadata: - annotations: - description: Exposes and load balances Ansible pods - service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]' - name: "${ANSIBLE_SERVICE_NAME}" - spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - selector: - name: "${ANSIBLE_SERVICE_NAME}" -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: "${ANSIBLE_SERVICE_NAME}" - annotations: - description: Defines how to deploy the Ansible appliance - spec: - strategy: - type: Recreate - serviceName: "${ANSIBLE_SERVICE_NAME}" - replicas: 0 - template: - metadata: - labels: - name: "${ANSIBLE_SERVICE_NAME}" - name: "${ANSIBLE_SERVICE_NAME}" - spec: - containers: - - name: ansible - image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}" - livenessProbe: - tcpSocket: - port: 443 - initialDelaySeconds: 480 - timeoutSeconds: 3 - readinessProbe: - httpGet: - path: "/" 
- port: 443 - scheme: HTTPS - initialDelaySeconds: 200 - timeoutSeconds: 3 - ports: - - containerPort: 80 - protocol: TCP - - containerPort: 443 - protocol: TCP - securityContext: - privileged: true - env: - - name: ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: "${ANSIBLE_SERVICE_NAME}-secrets" - key: admin-password - - name: RABBITMQ_USER_NAME - value: "${ANSIBLE_RABBITMQ_USER_NAME}" - - name: RABBITMQ_PASSWORD - valueFrom: - secretKeyRef: - name: "${ANSIBLE_SERVICE_NAME}-secrets" - key: rabbit-password - - name: ANSIBLE_SECRET_KEY - valueFrom: - secretKeyRef: - name: "${ANSIBLE_SERVICE_NAME}-secrets" - key: secret-key - - name: DATABASE_SERVICE_NAME - value: "${DATABASE_SERVICE_NAME}" - - name: POSTGRESQL_USER - value: "${DATABASE_USER}" - - name: POSTGRESQL_PASSWORD - valueFrom: - secretKeyRef: - name: "${NAME}-secrets" - key: pg-password - - name: POSTGRESQL_DATABASE - value: "${ANSIBLE_DATABASE_NAME}" - resources: - requests: - memory: "${ANSIBLE_MEM_REQ}" - cpu: "${ANSIBLE_CPU_REQ}" - limits: - memory: "${ANSIBLE_MEM_LIMIT}" - serviceAccount: miq-privileged - serviceAccountName: miq-privileged -- apiVersion: v1 - kind: Service - metadata: - name: "${HTTPD_SERVICE_NAME}" - annotations: - description: Exposes the httpd server - service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]' - spec: - ports: - - name: http - port: 80 - targetPort: 80 - selector: - name: httpd -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: "${HTTPD_SERVICE_NAME}" - annotations: - description: Defines how to deploy httpd - spec: - strategy: - type: Recreate - recreateParams: - timeoutSeconds: 1200 - triggers: - - type: ConfigChange - replicas: 1 - selector: - name: "${HTTPD_SERVICE_NAME}" - template: - metadata: - name: "${HTTPD_SERVICE_NAME}" - labels: - name: "${HTTPD_SERVICE_NAME}" - spec: - volumes: - - name: httpd-config - configMap: - name: "${HTTPD_SERVICE_NAME}-configs" - - name: httpd-auth-config - configMap: - name: 
"${HTTPD_SERVICE_NAME}-auth-configs" - containers: - - name: httpd - image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}" - ports: - - containerPort: 80 - livenessProbe: - exec: - command: - - pidof - - httpd - initialDelaySeconds: 15 - timeoutSeconds: 3 - readinessProbe: - tcpSocket: - port: 80 - initialDelaySeconds: 10 - timeoutSeconds: 3 - volumeMounts: - - name: httpd-config - mountPath: "${HTTPD_CONFIG_DIR}" - - name: httpd-auth-config - mountPath: "${HTTPD_AUTH_CONFIG_DIR}" - resources: - requests: - memory: "${HTTPD_MEM_REQ}" - cpu: "${HTTPD_CPU_REQ}" - limits: - memory: "${HTTPD_MEM_LIMIT}" - env: - - name: HTTPD_AUTH_TYPE - valueFrom: - configMapKeyRef: - name: "${HTTPD_SERVICE_NAME}-auth-configs" - key: auth-type - lifecycle: - postStart: - exec: - command: - - "/usr/bin/save-container-environment" - serviceAccount: miq-anyuid - serviceAccountName: miq-anyuid -parameters: -- name: NAME - displayName: Name - required: true - description: The name assigned to all of the frontend objects defined in this template. - value: manageiq -- name: V2_KEY - displayName: ManageIQ Encryption Key - required: true - description: Encryption Key for ManageIQ Passwords - from: "[a-zA-Z0-9]{43}" - generate: expression -- name: DATABASE_SERVICE_NAME - displayName: PostgreSQL Service Name - required: true - description: The name of the OpenShift Service exposed for the PostgreSQL container. - value: postgresql -- name: DATABASE_USER - displayName: PostgreSQL User - required: true - description: PostgreSQL user that will access the database. - value: root -- name: DATABASE_PASSWORD - displayName: PostgreSQL Password - required: true - description: Password for the PostgreSQL user. - from: "[a-zA-Z0-9]{8}" - generate: expression -- name: DATABASE_NAME - required: true - displayName: PostgreSQL Database Name - description: Name of the PostgreSQL database accessed. 
- value: vmdb_production -- name: DATABASE_REGION - required: true - displayName: Application Database Region - description: Database region that will be used for application. - value: '0' -- name: ANSIBLE_DATABASE_NAME - displayName: Ansible PostgreSQL database name - required: true - description: The database to be used by the Ansible continer - value: awx -- name: MEMCACHED_SERVICE_NAME - required: true - displayName: Memcached Service Name - description: The name of the OpenShift Service exposed for the Memcached container. - value: memcached -- name: MEMCACHED_MAX_MEMORY - displayName: Memcached Max Memory - description: Memcached maximum memory for memcached object storage in MB. - value: '64' -- name: MEMCACHED_MAX_CONNECTIONS - displayName: Memcached Max Connections - description: Memcached maximum number of connections allowed. - value: '1024' -- name: MEMCACHED_SLAB_PAGE_SIZE - displayName: Memcached Slab Page Size - description: Memcached size of each slab page. - value: 1m -- name: POSTGRESQL_CONFIG_DIR - displayName: PostgreSQL Configuration Overrides - description: Directory used to store PostgreSQL configuration overrides. - value: "/var/lib/pgsql/conf.d" -- name: POSTGRESQL_MAX_CONNECTIONS - displayName: PostgreSQL Max Connections - description: PostgreSQL maximum number of database connections allowed. - value: '1000' -- name: POSTGRESQL_SHARED_BUFFERS - displayName: PostgreSQL Shared Buffer Amount - description: Amount of memory dedicated for PostgreSQL shared memory buffers. - value: 1GB -- name: ANSIBLE_SERVICE_NAME - displayName: Ansible Service Name - description: The name of the OpenShift Service exposed for the Ansible container. 
- value: ansible -- name: ANSIBLE_ADMIN_PASSWORD - displayName: Ansible admin User password - required: true - description: The password for the Ansible container admin user - from: "[a-zA-Z0-9]{32}" - generate: expression -- name: ANSIBLE_SECRET_KEY - displayName: Ansible Secret Key - required: true - description: Encryption key for the Ansible container - from: "[a-f0-9]{32}" - generate: expression -- name: ANSIBLE_RABBITMQ_USER_NAME - displayName: RabbitMQ Username - required: true - description: Username for the Ansible RabbitMQ Server - value: ansible -- name: ANSIBLE_RABBITMQ_PASSWORD - displayName: RabbitMQ Server Password - required: true - description: Password for the Ansible RabbitMQ Server - from: "[a-zA-Z0-9]{32}" - generate: expression -- name: APPLICATION_CPU_REQ - displayName: Application Min CPU Requested - required: true - description: Minimum amount of CPU time the Application container will need (expressed in millicores). - value: 1000m -- name: POSTGRESQL_CPU_REQ - displayName: PostgreSQL Min CPU Requested - required: true - description: Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores). - value: 500m -- name: MEMCACHED_CPU_REQ - displayName: Memcached Min CPU Requested - required: true - description: Minimum amount of CPU time the Memcached container will need (expressed in millicores). - value: 200m -- name: ANSIBLE_CPU_REQ - displayName: Ansible Min CPU Requested - required: true - description: Minimum amount of CPU time the Ansible container will need (expressed in millicores). - value: 1000m -- name: APPLICATION_MEM_REQ - displayName: Application Min RAM Requested - required: true - description: Minimum amount of memory the Application container will need. - value: 6144Mi -- name: POSTGRESQL_MEM_REQ - displayName: PostgreSQL Min RAM Requested - required: true - description: Minimum amount of memory the PostgreSQL container will need. 
- value: 4Gi -- name: MEMCACHED_MEM_REQ - displayName: Memcached Min RAM Requested - required: true - description: Minimum amount of memory the Memcached container will need. - value: 64Mi -- name: ANSIBLE_MEM_REQ - displayName: Ansible Min RAM Requested - required: true - description: Minimum amount of memory the Ansible container will need. - value: 2048Mi -- name: APPLICATION_MEM_LIMIT - displayName: Application Max RAM Limit - required: true - description: Maximum amount of memory the Application container can consume. - value: 16384Mi -- name: POSTGRESQL_MEM_LIMIT - displayName: PostgreSQL Max RAM Limit - required: true - description: Maximum amount of memory the PostgreSQL container can consume. - value: 8Gi -- name: MEMCACHED_MEM_LIMIT - displayName: Memcached Max RAM Limit - required: true - description: Maximum amount of memory the Memcached container can consume. - value: 256Mi -- name: ANSIBLE_MEM_LIMIT - displayName: Ansible Max RAM Limit - required: true - description: Maximum amount of memory the Ansible container can consume. - value: 8096Mi -- name: POSTGRESQL_IMG_NAME - displayName: PostgreSQL Image Name - description: This is the PostgreSQL image name requested to deploy. - value: docker.io/manageiq/postgresql -- name: POSTGRESQL_IMG_TAG - displayName: PostgreSQL Image Tag - description: This is the PostgreSQL image tag/version requested to deploy. - value: latest -- name: MEMCACHED_IMG_NAME - displayName: Memcached Image Name - description: This is the Memcached image name requested to deploy. - value: docker.io/manageiq/memcached -- name: MEMCACHED_IMG_TAG - displayName: Memcached Image Tag - description: This is the Memcached image tag/version requested to deploy. - value: latest -- name: APPLICATION_IMG_NAME - displayName: Application Image Name - description: This is the Application image name requested to deploy. 
- value: docker.io/manageiq/manageiq-pods -- name: FRONTEND_APPLICATION_IMG_TAG - displayName: Front end Application Image Tag - description: This is the ManageIQ Frontend Application image tag/version requested to deploy. - value: frontend-latest -- name: BACKEND_APPLICATION_IMG_TAG - displayName: Back end Application Image Tag - description: This is the ManageIQ Backend Application image tag/version requested to deploy. - value: backend-latest -- name: ANSIBLE_IMG_NAME - displayName: Ansible Image Name - description: This is the Ansible image name requested to deploy. - value: docker.io/manageiq/embedded-ansible -- name: ANSIBLE_IMG_TAG - displayName: Ansible Image Tag - description: This is the Ansible image tag/version requested to deploy. - value: latest -- name: APPLICATION_DOMAIN - displayName: Application Hostname - description: The exposed hostname that will route to the application service, if left blank a value will be defaulted. - value: '' -- name: APPLICATION_REPLICA_COUNT - displayName: Application Replica Count - description: This is the number of Application replicas requested to deploy. - value: '1' -- name: APPLICATION_INIT_DELAY - displayName: Application Init Delay - required: true - description: Delay in seconds before we attempt to initialize the application. - value: '15' -- name: APPLICATION_VOLUME_CAPACITY - displayName: Application Volume Capacity - required: true - description: Volume space available for application data. - value: 5Gi -- name: DATABASE_VOLUME_CAPACITY - displayName: Database Volume Capacity - required: true - description: Volume space available for database. - value: 15Gi -- name: HTTPD_SERVICE_NAME - required: true - displayName: Apache httpd Service Name - description: The name of the OpenShift Service exposed for the httpd container. - value: httpd -- name: HTTPD_IMG_NAME - displayName: Apache httpd Image Name - description: This is the httpd image name requested to deploy. 
- value: docker.io/manageiq/httpd -- name: HTTPD_IMG_TAG - displayName: Apache httpd Image Tag - description: This is the httpd image tag/version requested to deploy. - value: latest -- name: HTTPD_CONFIG_DIR - displayName: Apache Configuration Directory - description: Directory used to store the Apache configuration files. - value: "/etc/httpd/conf.d" -- name: HTTPD_AUTH_CONFIG_DIR - displayName: External Authentication Configuration Directory - description: Directory used to store the external authentication configuration files. - value: "/etc/httpd/auth-conf.d" -- name: HTTPD_CPU_REQ - displayName: Apache httpd Min CPU Requested - required: true - description: Minimum amount of CPU time the httpd container will need (expressed in millicores). - value: 500m -- name: HTTPD_MEM_REQ - displayName: Apache httpd Min RAM Requested - required: true - description: Minimum amount of memory the httpd container will need. - value: 512Mi -- name: HTTPD_MEM_LIMIT - displayName: Apache httpd Max RAM Limit - required: true - description: Maximum amount of memory the httpd container can consume. - value: 8192Mi diff --git a/roles/openshift_cfme/files/openshift_cfme.exports b/roles/openshift_cfme/files/openshift_cfme.exports deleted file mode 100644 index 5457d41fc..000000000 --- a/roles/openshift_cfme/files/openshift_cfme.exports +++ /dev/null @@ -1,3 +0,0 @@ -/exports/miq-pv01 *(rw,no_root_squash,no_wdelay) -/exports/miq-pv02 *(rw,no_root_squash,no_wdelay) -/exports/miq-pv03 *(rw,no_root_squash,no_wdelay) diff --git a/roles/openshift_cfme/files/templates/cloudforms/cfme-backup-job.yaml b/roles/openshift_cfme/files/templates/cloudforms/cfme-backup-job.yaml new file mode 100644 index 000000000..c3bc1d20c --- /dev/null +++ b/roles/openshift_cfme/files/templates/cloudforms/cfme-backup-job.yaml 
@@ -0,0 +1,28 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: cloudforms-backup +spec: + template: + metadata: + name: cloudforms-backup + spec: + containers: + - name: postgresql + image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest + command: + - "/opt/rh/cfme-container-scripts/backup_db" + env: + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: cloudforms-secrets + key: database-url + volumeMounts: + - name: cfme-backup-vol + mountPath: "/backups" + volumes: + - name: cfme-backup-vol + persistentVolumeClaim: + claimName: cloudforms-backup + restartPolicy: Never diff --git a/roles/openshift_cfme/files/templates/cloudforms/cfme-backup-pvc.yaml b/roles/openshift_cfme/files/templates/cloudforms/cfme-backup-pvc.yaml new file mode 100644 index 000000000..92598ce82 --- /dev/null +++ b/roles/openshift_cfme/files/templates/cloudforms/cfme-backup-pvc.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: cloudforms-backup +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 15Gi diff --git a/roles/openshift_cfme/files/templates/cloudforms/cfme-pv-backup-example.yaml b/roles/openshift_cfme/files/templates/cloudforms/cfme-pv-backup-example.yaml new file mode 100644 index 000000000..4fe349897 --- /dev/null +++ b/roles/openshift_cfme/files/templates/cloudforms/cfme-pv-backup-example.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: cfme-pv03 +spec: + capacity: + storage: 15Gi + accessModes: + - ReadWriteOnce + nfs: + path: "/exports/cfme-pv03" + server: "" + persistentVolumeReclaimPolicy: Retain diff --git a/roles/openshift_cfme/files/templates/cloudforms/cfme-pv-db-example.yaml b/roles/openshift_cfme/files/templates/cloudforms/cfme-pv-db-example.yaml new file mode 100644 index 000000000..0cdd821b5 --- /dev/null +++ b/roles/openshift_cfme/files/templates/cloudforms/cfme-pv-db-example.yaml 
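Review bot: The container image in cfme-backup-job.yaml is hard-coded to an internal build registry host and to the floating `:latest` tag (`image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest`), so the job is neither reproducible nor runnable from a cluster that cannot reach that host. The other manifests in this commit take the image from template parameters (`image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"`), and cfme-restore-job.yaml carries the same hard-coded reference. Since this file is a bare Job rather than a Template, either render it from a `.j2` template so the role can inject the released image and a pinned tag, or at minimum add a comment above `image:` such as `# Replace with the released cfme-openshift-postgresql image and a versioned tag before use`.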
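Review bot: cfme-pv-backup-example.yaml is a bare PersistentVolume with `server: ""`, whereas the sibling cfme-pv-db-example.yaml and cfme-pv-server-example.yaml are Templates that take `NFS_HOST` and `BASE_PATH` parameters; applied as-is this object is likely rejected because the NFS server is empty, and it cannot be rendered the same way as the other two. Converting it to the same Template shape, with `path: "${BASE_PATH}/cfme-pv03"` and `server: "${NFS_HOST}"`, keeps the three example PVs consistent. If it is meant to stay a literal example, a comment above `server:` saying that the value must be filled in would make that intent visible.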
@@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Template +labels: + template: cloudforms-db-pv +metadata: + name: cloudforms-db-pv + annotations: + description: PV Template for CFME PostgreSQL DB + tags: PVS, CFME +objects: +- apiVersion: v1 + kind: PersistentVolume + metadata: + name: cfme-db + spec: + capacity: + storage: "${PV_SIZE}" + accessModes: + - ReadWriteOnce + nfs: + path: "${BASE_PATH}/cfme-db" + server: "${NFS_HOST}" + persistentVolumeReclaimPolicy: Retain +parameters: +- name: PV_SIZE + displayName: PV Size for DB + required: true + description: The size of the CFME DB PV given in Gi + value: 15Gi +- name: BASE_PATH + displayName: Exports Directory Base Path + required: true + description: The parent directory of your NFS exports + value: "/exports" +- name: NFS_HOST + displayName: NFS Server Hostname + required: true + description: The hostname or IP address of the NFS server diff --git a/roles/openshift_cfme/files/templates/cloudforms/cfme-pv-server-example.yaml b/roles/openshift_cfme/files/templates/cloudforms/cfme-pv-server-example.yaml new file mode 100644 index 000000000..527090ae8 --- /dev/null +++ b/roles/openshift_cfme/files/templates/cloudforms/cfme-pv-server-example.yaml 
@@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Template +labels: + template: cloudforms-app-pv +metadata: + name: cloudforms-app-pv + annotations: + description: PV Template for CFME Server + tags: PVS, CFME +objects: +- apiVersion: v1 + kind: PersistentVolume + metadata: + name: cfme-app + spec: + capacity: + storage: "${PV_SIZE}" + accessModes: + - ReadWriteOnce + nfs: + path: "${BASE_PATH}/cfme-app" + server: "${NFS_HOST}" + persistentVolumeReclaimPolicy: Retain +parameters: +- name: PV_SIZE + displayName: PV Size for App + required: true + description: The size of the CFME APP PV given in Gi + value: 5Gi +- name: BASE_PATH + displayName: Exports Directory Base Path + required: true + description: The parent directory of your NFS exports + value: "/exports" +- name: NFS_HOST + displayName: NFS Server Hostname + required: true + description: The hostname or IP address of the NFS server diff --git a/roles/openshift_cfme/files/templates/cloudforms/cfme-restore-job.yaml b/roles/openshift_cfme/files/templates/cloudforms/cfme-restore-job.yaml new file mode 100644 index 000000000..8b23f8a33 --- /dev/null +++ b/roles/openshift_cfme/files/templates/cloudforms/cfme-restore-job.yaml 
@@ -0,0 +1,35 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: cloudforms-restore +spec: + template: + metadata: + name: cloudforms-restore + spec: + containers: + - name: postgresql + image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest + command: + - "/opt/rh/cfme-container-scripts/restore_db" + env: + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: cloudforms-secrets + key: database-url + - name: BACKUP_VERSION + value: latest + volumeMounts: + - name: cfme-backup-vol + mountPath: "/backups" + - name: cfme-prod-vol + mountPath: "/restore" + volumes: + - name: cfme-backup-vol + persistentVolumeClaim: + claimName: cloudforms-backup + - name: cfme-prod-vol + persistentVolumeClaim: + claimName: cloudforms-postgresql + restartPolicy: Never diff --git a/roles/openshift_cfme/files/templates/cloudforms/cfme-scc-sysadmin.yaml b/roles/openshift_cfme/files/templates/cloudforms/cfme-scc-sysadmin.yaml new file mode 100644 index 000000000..d2ece9298 --- /dev/null +++ b/roles/openshift_cfme/files/templates/cloudforms/cfme-scc-sysadmin.yaml 
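Review bot: cfme-restore-job.yaml mounts the live database claim (`claimName: cloudforms-postgresql` at `/restore`) while nothing in the file records that the PostgreSQL pod has to be stopped first; the claim is presumably ReadWriteOnce like the backup claim, and a restore writing into the data volume while postgresql is still running would corrupt it. A comment above `volumes:` would prevent the obvious mistake, e.g. `# Scale the postgresql DeploymentConfig to 0 before creating this Job; restore_db writes into the database volume mounted at /restore`. `BACKUP_VERSION: latest` also deserves a one-line comment on which other values it accepts, since the restore_db script is not visible here. The image reference has the same hard-coded registry and `:latest` issue already noted on cfme-backup-job.yaml.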
@@ -0,0 +1,38 @@ +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegedContainer: false +allowedCapabilities: +apiVersion: v1 +defaultAddCapabilities: +- SYS_ADMIN +fsGroup: + type: RunAsAny +groups: +- system:cluster-admins +kind: SecurityContextConstraints +metadata: + annotations: + kubernetes.io/description: cfme-sysadmin provides all features of the anyuid SCC but allows users to have SYS_ADMIN capabilities. This is the required scc for Pods requiring to run with systemd and the message bus. + creationTimestamp: + name: cfme-sysadmin +priority: 10 +readOnlyRootFilesystem: false +requiredDropCapabilities: +- MKNOD +- SYS_CHROOT +runAsUser: + type: RunAsAny +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +users: +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- secret diff --git a/roles/openshift_cfme/files/templates/cloudforms/cfme-template-ext-db.yaml b/roles/openshift_cfme/files/templates/cloudforms/cfme-template-ext-db.yaml new file mode 100644 index 000000000..4a04f3372 --- /dev/null +++ b/roles/openshift_cfme/files/templates/cloudforms/cfme-template-ext-db.yaml 
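Review bot: cfme-sysadmin adds `SYS_ADMIN` to every pod admitted under it via `defaultAddCapabilities`, and the `groups: - system:cluster-admins` entry together with `priority: 10` makes it a high-priority candidate for any pod a cluster admin creates, not only the CloudForms pods that need systemd and the message bus. SYS_ADMIN is close to full root on the node, so the SCC should be bound only to the specific service account (the `users:` list, presumably filled by the role's accounts tasks) and the group grant dropped, `groups: []`. The bare `users:`, `allowedCapabilities:` and `creationTimestamp:` values parse as null rather than empty lists; write `users: []` and `allowedCapabilities: []` and drop `creationTimestamp` so the intent is explicit. The `kubernetes.io/description` annotation would also read better as a `>-` folded scalar instead of one very long line.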
@@ -0,0 +1,763 @@ +apiVersion: v1 +kind: Template +labels: + template: cloudforms-ext-db +metadata: + name: cloudforms-ext-db + annotations: + description: CloudForms appliance with persistent storage using a external DB host + tags: instant-app,cloudforms,cfme + iconClass: icon-rails +objects: +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: cfme-orchestrator +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: cfme-anyuid +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: cfme-privileged +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: cfme-httpd +- apiVersion: v1 + kind: Secret + metadata: + name: "${NAME}-secrets" + stringData: + pg-password: "${DATABASE_PASSWORD}" + database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5 + v2-key: "${V2_KEY}" +- apiVersion: v1 + kind: Secret + metadata: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + stringData: + rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}" + secret-key: "${ANSIBLE_SECRET_KEY}" + admin-password: "${ANSIBLE_ADMIN_PASSWORD}" +- apiVersion: v1 + kind: Service + metadata: + annotations: + description: Exposes and load balances CloudForms pods + service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]' + name: "${NAME}" + spec: + clusterIP: None + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + selector: + name: "${NAME}" +- apiVersion: v1 + kind: Route + metadata: + name: "${HTTPD_SERVICE_NAME}" + spec: + host: "${APPLICATION_DOMAIN}" + port: + targetPort: http + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect + to: + kind: Service + name: "${HTTPD_SERVICE_NAME}" +- apiVersion: apps/v1beta1 + kind: StatefulSet + metadata: + name: "${NAME}" + annotations: + description: Defines how to deploy the CloudForms appliance + spec: + 
serviceName: "${NAME}" + replicas: "${APPLICATION_REPLICA_COUNT}" + template: + metadata: + labels: + name: "${NAME}" + name: "${NAME}" + spec: + containers: + - name: cloudforms + image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}" + livenessProbe: + tcpSocket: + port: 80 + initialDelaySeconds: 480 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: "/" + port: 80 + scheme: HTTP + initialDelaySeconds: 200 + timeoutSeconds: 3 + ports: + - containerPort: 80 + protocol: TCP + volumeMounts: + - name: "${NAME}-server" + mountPath: "/persistent" + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: APPLICATION_INIT_DELAY + value: "${APPLICATION_INIT_DELAY}" + - name: DATABASE_REGION + value: "${DATABASE_REGION}" + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: database-url + - name: V2_KEY + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: v2-key + - name: ANSIBLE_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: admin-password + resources: + requests: + memory: "${APPLICATION_MEM_REQ}" + cpu: "${APPLICATION_CPU_REQ}" + limits: + memory: "${APPLICATION_MEM_LIMIT}" + lifecycle: + preStop: + exec: + command: + - "/opt/rh/cfme-container-scripts/sync-pv-data" + serviceAccount: cfme-orchestrator + serviceAccountName: cfme-orchestrator + terminationGracePeriodSeconds: 90 + volumeClaimTemplates: + - metadata: + name: "${NAME}-server" + annotations: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 + kind: Service + metadata: + annotations: + description: Headless service for CloudForms backend pods + name: "${NAME}-backend" + spec: + clusterIP: None + selector: + name: "${NAME}-backend" +- apiVersion: apps/v1beta1 + kind: StatefulSet + metadata: + name: "${NAME}-backend" + annotations: + description: Defines how to deploy the CloudForms 
appliance + spec: + serviceName: "${NAME}-backend" + replicas: 0 + template: + metadata: + labels: + name: "${NAME}-backend" + name: "${NAME}-backend" + spec: + containers: + - name: cloudforms + image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}" + livenessProbe: + exec: + command: + - pidof + - MIQ Server + initialDelaySeconds: 480 + timeoutSeconds: 3 + volumeMounts: + - name: "${NAME}-server" + mountPath: "/persistent" + env: + - name: APPLICATION_INIT_DELAY + value: "${APPLICATION_INIT_DELAY}" + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: database-url + - name: MIQ_SERVER_DEFAULT_ROLES + value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate + - name: FRONTEND_SERVICE_NAME + value: "${NAME}" + - name: V2_KEY + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: v2-key + - name: ANSIBLE_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: admin-password + resources: + requests: + memory: "${APPLICATION_MEM_REQ}" + cpu: "${APPLICATION_CPU_REQ}" + limits: + memory: "${APPLICATION_MEM_LIMIT}" + lifecycle: + preStop: + exec: + command: + - "/opt/rh/cfme-container-scripts/sync-pv-data" + serviceAccount: cfme-orchestrator + serviceAccountName: cfme-orchestrator + terminationGracePeriodSeconds: 90 + volumeClaimTemplates: + - metadata: + name: "${NAME}-server" + annotations: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 + kind: Service + metadata: + name: "${MEMCACHED_SERVICE_NAME}" + annotations: + description: Exposes the memcached server + spec: + ports: + - name: memcached + port: 11211 + targetPort: 11211 + selector: + name: "${MEMCACHED_SERVICE_NAME}" +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${MEMCACHED_SERVICE_NAME}" + annotations: + description: Defines how to deploy memcached + spec: + strategy: + type: 
Recreate + triggers: + - type: ConfigChange + replicas: 1 + selector: + name: "${MEMCACHED_SERVICE_NAME}" + template: + metadata: + name: "${MEMCACHED_SERVICE_NAME}" + labels: + name: "${MEMCACHED_SERVICE_NAME}" + spec: + volumes: [] + containers: + - name: memcached + image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}" + ports: + - containerPort: 11211 + readinessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 5 + tcpSocket: + port: 11211 + livenessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 30 + tcpSocket: + port: 11211 + volumeMounts: [] + env: + - name: MEMCACHED_MAX_MEMORY + value: "${MEMCACHED_MAX_MEMORY}" + - name: MEMCACHED_MAX_CONNECTIONS + value: "${MEMCACHED_MAX_CONNECTIONS}" + - name: MEMCACHED_SLAB_PAGE_SIZE + value: "${MEMCACHED_SLAB_PAGE_SIZE}" + resources: + requests: + memory: "${MEMCACHED_MEM_REQ}" + cpu: "${MEMCACHED_CPU_REQ}" + limits: + memory: "${MEMCACHED_MEM_LIMIT}" +- apiVersion: v1 + kind: Service + metadata: + name: "${DATABASE_SERVICE_NAME}" + annotations: + description: Remote database service + spec: + ports: + - name: postgresql + port: 5432 + targetPort: "${{DATABASE_PORT}}" + selector: {} +- apiVersion: v1 + kind: Endpoints + metadata: + name: "${DATABASE_SERVICE_NAME}" + subsets: + - addresses: + - ip: "${DATABASE_IP}" + ports: + - port: "${{DATABASE_PORT}}" + name: postgresql +- apiVersion: v1 + kind: Service + metadata: + annotations: + description: Exposes and load balances Ansible pods + service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]' + name: "${ANSIBLE_SERVICE_NAME}" + spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + name: "${ANSIBLE_SERVICE_NAME}" +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${ANSIBLE_SERVICE_NAME}" + annotations: + description: Defines how to deploy the Ansible appliance + spec: + strategy: + type: Recreate + 
serviceName: "${ANSIBLE_SERVICE_NAME}" + replicas: 0 + template: + metadata: + labels: + name: "${ANSIBLE_SERVICE_NAME}" + name: "${ANSIBLE_SERVICE_NAME}" + spec: + containers: + - name: ansible + image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}" + livenessProbe: + tcpSocket: + port: 443 + initialDelaySeconds: 480 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: "/" + port: 443 + scheme: HTTPS + initialDelaySeconds: 200 + timeoutSeconds: 3 + ports: + - containerPort: 80 + protocol: TCP + - containerPort: 443 + protocol: TCP + securityContext: + privileged: true + env: + - name: ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: admin-password + - name: RABBITMQ_USER_NAME + value: "${ANSIBLE_RABBITMQ_USER_NAME}" + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: rabbit-password + - name: ANSIBLE_SECRET_KEY + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: secret-key + - name: DATABASE_SERVICE_NAME + value: "${DATABASE_SERVICE_NAME}" + - name: POSTGRESQL_USER + value: "${DATABASE_USER}" + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: pg-password + - name: POSTGRESQL_DATABASE + value: "${ANSIBLE_DATABASE_NAME}" + resources: + requests: + memory: "${ANSIBLE_MEM_REQ}" + cpu: "${ANSIBLE_CPU_REQ}" + limits: + memory: "${ANSIBLE_MEM_LIMIT}" + serviceAccount: cfme-privileged + serviceAccountName: cfme-privileged +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "${HTTPD_SERVICE_NAME}-configs" + data: + application.conf: | + # Timeout: The number of seconds before receives and sends time out. 
+ Timeout 120 + + RewriteEngine On + Options SymLinksIfOwnerMatch + + + KeepAlive on + ProxyPreserveHost on + ProxyPass /ws/ ws://${NAME}/ws/ + ProxyPassReverse /ws/ ws://${NAME}/ws/ + ProxyPass / http://${NAME}/ + ProxyPassReverse / http://${NAME}/ + +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + data: + auth-type: internal + auth-configuration.conf: | + # External Authentication Configuration File + # + # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication +- apiVersion: v1 + kind: Service + metadata: + name: "${HTTPD_SERVICE_NAME}" + annotations: + description: Exposes the httpd server + service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]' + spec: + ports: + - name: http + port: 80 + targetPort: 80 + selector: + name: httpd +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${HTTPD_SERVICE_NAME}" + annotations: + description: Defines how to deploy httpd + spec: + strategy: + type: Recreate + recreateParams: + timeoutSeconds: 1200 + triggers: + - type: ConfigChange + replicas: 1 + selector: + name: "${HTTPD_SERVICE_NAME}" + template: + metadata: + name: "${HTTPD_SERVICE_NAME}" + labels: + name: "${HTTPD_SERVICE_NAME}" + spec: + volumes: + - name: httpd-config + configMap: + name: "${HTTPD_SERVICE_NAME}-configs" + - name: httpd-auth-config + configMap: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + containers: + - name: httpd + image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}" + ports: + - containerPort: 80 + livenessProbe: + exec: + command: + - pidof + - httpd + initialDelaySeconds: 15 + timeoutSeconds: 3 + readinessProbe: + tcpSocket: + port: 80 + initialDelaySeconds: 10 + timeoutSeconds: 3 + volumeMounts: + - name: httpd-config + mountPath: "${HTTPD_CONFIG_DIR}" + - name: httpd-auth-config + mountPath: "${HTTPD_AUTH_CONFIG_DIR}" + resources: + requests: + memory: "${HTTPD_MEM_REQ}" + 
cpu: "${HTTPD_CPU_REQ}" + limits: + memory: "${HTTPD_MEM_LIMIT}" + env: + - name: HTTPD_AUTH_TYPE + valueFrom: + configMapKeyRef: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + key: auth-type + lifecycle: + postStart: + exec: + command: + - "/usr/bin/save-container-environment" + serviceAccount: cfme-httpd + serviceAccountName: cfme-httpd +parameters: +- name: NAME + displayName: Name + required: true + description: The name assigned to all of the frontend objects defined in this template. + value: cloudforms +- name: V2_KEY + displayName: CloudForms Encryption Key + required: true + description: Encryption Key for CloudForms Passwords + from: "[a-zA-Z0-9]{43}" + generate: expression +- name: DATABASE_SERVICE_NAME + displayName: PostgreSQL Service Name + required: true + description: The name of the OpenShift Service exposed for the PostgreSQL container. + value: postgresql +- name: DATABASE_USER + displayName: PostgreSQL User + required: true + description: PostgreSQL user that will access the database. + value: root +- name: DATABASE_PASSWORD + displayName: PostgreSQL Password + required: true + description: Password for the PostgreSQL user. + from: "[a-zA-Z0-9]{8}" + generate: expression +- name: DATABASE_IP + displayName: PostgreSQL Server IP + required: true + description: PostgreSQL external server IP used to configure service. + value: '' +- name: DATABASE_PORT + displayName: PostgreSQL Server Port + required: true + description: PostgreSQL external server port used to configure service. + value: '5432' +- name: DATABASE_NAME + required: true + displayName: PostgreSQL Database Name + description: Name of the PostgreSQL database accessed. + value: vmdb_production +- name: DATABASE_REGION + required: true + displayName: Application Database Region + description: Database region that will be used for application. 
+ value: '0' +- name: ANSIBLE_DATABASE_NAME + displayName: Ansible PostgreSQL database name + required: true + description: The database to be used by the Ansible continer + value: awx +- name: MEMCACHED_SERVICE_NAME + required: true + displayName: Memcached Service Name + description: The name of the OpenShift Service exposed for the Memcached container. + value: memcached +- name: MEMCACHED_MAX_MEMORY + displayName: Memcached Max Memory + description: Memcached maximum memory for memcached object storage in MB. + value: '64' +- name: MEMCACHED_MAX_CONNECTIONS + displayName: Memcached Max Connections + description: Memcached maximum number of connections allowed. + value: '1024' +- name: MEMCACHED_SLAB_PAGE_SIZE + displayName: Memcached Slab Page Size + description: Memcached size of each slab page. + value: 1m +- name: ANSIBLE_SERVICE_NAME + displayName: Ansible Service Name + description: The name of the OpenShift Service exposed for the Ansible container. + value: ansible +- name: ANSIBLE_ADMIN_PASSWORD + displayName: Ansible admin User password + required: true + description: The password for the Ansible container admin user + from: "[a-zA-Z0-9]{32}" + generate: expression +- name: ANSIBLE_SECRET_KEY + displayName: Ansible Secret Key + required: true + description: Encryption key for the Ansible container + from: "[a-f0-9]{32}" + generate: expression +- name: ANSIBLE_RABBITMQ_USER_NAME + displayName: RabbitMQ Username + required: true + description: Username for the Ansible RabbitMQ Server + value: ansible +- name: ANSIBLE_RABBITMQ_PASSWORD + displayName: RabbitMQ Server Password + required: true + description: Password for the Ansible RabbitMQ Server + from: "[a-zA-Z0-9]{32}" + generate: expression +- name: APPLICATION_CPU_REQ + displayName: Application Min CPU Requested + required: true + description: Minimum amount of CPU time the Application container will need (expressed in millicores). 
+ value: 1000m +- name: MEMCACHED_CPU_REQ + displayName: Memcached Min CPU Requested + required: true + description: Minimum amount of CPU time the Memcached container will need (expressed in millicores). + value: 200m +- name: ANSIBLE_CPU_REQ + displayName: Ansible Min CPU Requested + required: true + description: Minimum amount of CPU time the Ansible container will need (expressed in millicores). + value: 1000m +- name: APPLICATION_MEM_REQ + displayName: Application Min RAM Requested + required: true + description: Minimum amount of memory the Application container will need. + value: 6144Mi +- name: MEMCACHED_MEM_REQ + displayName: Memcached Min RAM Requested + required: true + description: Minimum amount of memory the Memcached container will need. + value: 64Mi +- name: ANSIBLE_MEM_REQ + displayName: Ansible Min RAM Requested + required: true + description: Minimum amount of memory the Ansible container will need. + value: 2048Mi +- name: APPLICATION_MEM_LIMIT + displayName: Application Max RAM Limit + required: true + description: Maximum amount of memory the Application container can consume. + value: 16384Mi +- name: MEMCACHED_MEM_LIMIT + displayName: Memcached Max RAM Limit + required: true + description: Maximum amount of memory the Memcached container can consume. + value: 256Mi +- name: ANSIBLE_MEM_LIMIT + displayName: Ansible Max RAM Limit + required: true + description: Maximum amount of memory the Ansible container can consume. + value: 8096Mi +- name: MEMCACHED_IMG_NAME + displayName: Memcached Image Name + description: This is the Memcached image name requested to deploy. + value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-memcached +- name: MEMCACHED_IMG_TAG + displayName: Memcached Image Tag + description: This is the Memcached image tag/version requested to deploy. 
+ value: latest +- name: FRONTEND_APPLICATION_IMG_NAME + displayName: Frontend Application Image Name + description: This is the Frontend Application image name requested to deploy. + value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app-ui +- name: BACKEND_APPLICATION_IMG_NAME + displayName: Backend Application Image Name + description: This is the Backend Application image name requested to deploy. + value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app +- name: FRONTEND_APPLICATION_IMG_TAG + displayName: Front end Application Image Tag + description: This is the CloudForms Frontend Application image tag/version requested to deploy. + value: latest +- name: BACKEND_APPLICATION_IMG_TAG + displayName: Back end Application Image Tag + description: This is the CloudForms Backend Application image tag/version requested to deploy. + value: latest +- name: ANSIBLE_IMG_NAME + displayName: Ansible Image Name + description: This is the Ansible image name requested to deploy. + value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-embedded-ansible +- name: ANSIBLE_IMG_TAG + displayName: Ansible Image Tag + description: This is the Ansible image tag/version requested to deploy. + value: latest +- name: APPLICATION_DOMAIN + displayName: Application Hostname + description: The exposed hostname that will route to the application service, if left blank a value will be defaulted. + value: '' +- name: APPLICATION_REPLICA_COUNT + displayName: Application Replica Count + description: This is the number of Application replicas requested to deploy. + value: '1' +- name: APPLICATION_INIT_DELAY + displayName: Application Init Delay + required: true + description: Delay in seconds before we attempt to initialize the application. 
+ value: '15' +- name: APPLICATION_VOLUME_CAPACITY + displayName: Application Volume Capacity + required: true + description: Volume space available for application data. + value: 5Gi +- name: HTTPD_SERVICE_NAME + required: true + displayName: Apache httpd Service Name + description: The name of the OpenShift Service exposed for the httpd container. + value: httpd +- name: HTTPD_IMG_NAME + displayName: Apache httpd Image Name + description: This is the httpd image name requested to deploy. + value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-httpd +- name: HTTPD_IMG_TAG + displayName: Apache httpd Image Tag + description: This is the httpd image tag/version requested to deploy. + value: latest +- name: HTTPD_CONFIG_DIR + displayName: Apache httpd Configuration Directory + description: Directory used to store the Apache configuration files. + value: "/etc/httpd/conf.d" +- name: HTTPD_AUTH_CONFIG_DIR + displayName: External Authentication Configuration Directory + description: Directory used to store the external authentication configuration files. + value: "/etc/httpd/auth-conf.d" +- name: HTTPD_CPU_REQ + displayName: Apache httpd Min CPU Requested + required: true + description: Minimum amount of CPU time the httpd container will need (expressed in millicores). + value: 500m +- name: HTTPD_MEM_REQ + displayName: Apache httpd Min RAM Requested + required: true + description: Minimum amount of memory the httpd container will need. + value: 512Mi +- name: HTTPD_MEM_LIMIT + displayName: Apache httpd Max RAM Limit + required: true + description: Maximum amount of memory the httpd container can consume. + value: 8192Mi diff --git a/roles/openshift_cfme/files/templates/cloudforms/cfme-template.yaml b/roles/openshift_cfme/files/templates/cloudforms/cfme-template.yaml new file mode 100644 index 000000000..d7c9f5af7 --- /dev/null +++ b/roles/openshift_cfme/files/templates/cloudforms/cfme-template.yaml 
@@ -0,0 +1,940 @@ +apiVersion: v1 +kind: Template +labels: + template: cloudforms +metadata: + name: cloudforms + annotations: + description: CloudForms appliance with persistent storage + tags: instant-app,cloudforms,cfme + iconClass: icon-rails +objects: +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: cfme-orchestrator +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: cfme-anyuid +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: cfme-privileged +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: cfme-httpd +- apiVersion: v1 + kind: Secret + metadata: + name: "${NAME}-secrets" + stringData: + pg-password: "${DATABASE_PASSWORD}" + database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5 + v2-key: "${V2_KEY}" +- apiVersion: v1 + kind: Secret + metadata: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + stringData: + rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}" + secret-key: "${ANSIBLE_SECRET_KEY}" + admin-password: "${ANSIBLE_ADMIN_PASSWORD}" +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "${DATABASE_SERVICE_NAME}-configs" + data: + 01_miq_overrides.conf: | + #------------------------------------------------------------------------------ + # CONNECTIONS AND AUTHENTICATION + #------------------------------------------------------------------------------ + + tcp_keepalives_count = 9 + tcp_keepalives_idle = 3 + tcp_keepalives_interval = 75 + + #------------------------------------------------------------------------------ + # RESOURCE USAGE (except WAL) + #------------------------------------------------------------------------------ + + shared_preload_libraries = 'pglogical,repmgr_funcs' + max_worker_processes = 10 + + #------------------------------------------------------------------------------ + # WRITE AHEAD LOG + #------------------------------------------------------------------------------ + + wal_level = 'logical' + 
wal_log_hints = on + wal_buffers = 16MB + checkpoint_completion_target = 0.9 + + #------------------------------------------------------------------------------ + # REPLICATION + #------------------------------------------------------------------------------ + + max_wal_senders = 10 + wal_sender_timeout = 0 + max_replication_slots = 10 + hot_standby = on + + #------------------------------------------------------------------------------ + # ERROR REPORTING AND LOGGING + #------------------------------------------------------------------------------ + + log_filename = 'postgresql.log' + log_rotation_age = 0 + log_min_duration_statement = 5000 + log_connections = on + log_disconnections = on + log_line_prefix = '%t:%r:%c:%u@%d:[%p]:' + log_lock_waits = on + + #------------------------------------------------------------------------------ + # AUTOVACUUM PARAMETERS + #------------------------------------------------------------------------------ + + log_autovacuum_min_duration = 0 + autovacuum_naptime = 5min + autovacuum_vacuum_threshold = 500 + autovacuum_analyze_threshold = 500 + autovacuum_vacuum_scale_factor = 0.05 + + #------------------------------------------------------------------------------ + # LOCK MANAGEMENT + #------------------------------------------------------------------------------ + + deadlock_timeout = 5s + + #------------------------------------------------------------------------------ + # VERSION/PLATFORM COMPATIBILITY + #------------------------------------------------------------------------------ + + escape_string_warning = off + standard_conforming_strings = off +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "${HTTPD_SERVICE_NAME}-configs" + data: + application.conf: | + # Timeout: The number of seconds before receives and sends time out. 
+ Timeout 120 + + RewriteEngine On + Options SymLinksIfOwnerMatch + + + KeepAlive on + ProxyPreserveHost on + ProxyPass /ws/ ws://${NAME}/ws/ + ProxyPassReverse /ws/ ws://${NAME}/ws/ + ProxyPass / http://${NAME}/ + ProxyPassReverse / http://${NAME}/ + +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + data: + auth-type: internal + auth-configuration.conf: | + # External Authentication Configuration File + # + # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication +- apiVersion: v1 + kind: Service + metadata: + annotations: + description: Exposes and load balances CloudForms pods + service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]' + name: "${NAME}" + spec: + clusterIP: None + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + selector: + name: "${NAME}" +- apiVersion: v1 + kind: Route + metadata: + name: "${HTTPD_SERVICE_NAME}" + spec: + host: "${APPLICATION_DOMAIN}" + port: + targetPort: http + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect + to: + kind: Service + name: "${HTTPD_SERVICE_NAME}" +- apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: "${NAME}-${DATABASE_SERVICE_NAME}" + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "${DATABASE_VOLUME_CAPACITY}" +- apiVersion: apps/v1beta1 + kind: StatefulSet + metadata: + name: "${NAME}" + annotations: + description: Defines how to deploy the CloudForms appliance + spec: + serviceName: "${NAME}" + replicas: "${APPLICATION_REPLICA_COUNT}" + template: + metadata: + labels: + name: "${NAME}" + name: "${NAME}" + spec: + containers: + - name: cloudforms + image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}" + livenessProbe: + tcpSocket: + port: 80 + initialDelaySeconds: 480 
+ timeoutSeconds: 3 + readinessProbe: + httpGet: + path: "/" + port: 80 + scheme: HTTP + initialDelaySeconds: 200 + timeoutSeconds: 3 + ports: + - containerPort: 80 + protocol: TCP + volumeMounts: + - name: "${NAME}-server" + mountPath: "/persistent" + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: APPLICATION_INIT_DELAY + value: "${APPLICATION_INIT_DELAY}" + - name: DATABASE_REGION + value: "${DATABASE_REGION}" + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: database-url + - name: V2_KEY + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: v2-key + - name: ANSIBLE_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: admin-password + resources: + requests: + memory: "${APPLICATION_MEM_REQ}" + cpu: "${APPLICATION_CPU_REQ}" + limits: + memory: "${APPLICATION_MEM_LIMIT}" + lifecycle: + preStop: + exec: + command: + - "/opt/rh/cfme-container-scripts/sync-pv-data" + serviceAccount: cfme-orchestrator + serviceAccountName: cfme-orchestrator + terminationGracePeriodSeconds: 90 + volumeClaimTemplates: + - metadata: + name: "${NAME}-server" + annotations: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 + kind: Service + metadata: + annotations: + description: Headless service for CloudForms backend pods + name: "${NAME}-backend" + spec: + clusterIP: None + selector: + name: "${NAME}-backend" +- apiVersion: apps/v1beta1 + kind: StatefulSet + metadata: + name: "${NAME}-backend" + annotations: + description: Defines how to deploy the CloudForms appliance + spec: + serviceName: "${NAME}-backend" + replicas: 0 + template: + metadata: + labels: + name: "${NAME}-backend" + name: "${NAME}-backend" + spec: + containers: + - name: cloudforms + image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}" + livenessProbe: + exec: + command: + - pidof + - MIQ 
Server + initialDelaySeconds: 480 + timeoutSeconds: 3 + volumeMounts: + - name: "${NAME}-server" + mountPath: "/persistent" + env: + - name: APPLICATION_INIT_DELAY + value: "${APPLICATION_INIT_DELAY}" + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: database-url + - name: MIQ_SERVER_DEFAULT_ROLES + value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate + - name: FRONTEND_SERVICE_NAME + value: "${NAME}" + - name: V2_KEY + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: v2-key + - name: ANSIBLE_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: admin-password + resources: + requests: + memory: "${APPLICATION_MEM_REQ}" + cpu: "${APPLICATION_CPU_REQ}" + limits: + memory: "${APPLICATION_MEM_LIMIT}" + lifecycle: + preStop: + exec: + command: + - "/opt/rh/cfme-container-scripts/sync-pv-data" + serviceAccount: cfme-orchestrator + serviceAccountName: cfme-orchestrator + terminationGracePeriodSeconds: 90 + volumeClaimTemplates: + - metadata: + name: "${NAME}-server" + annotations: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 + kind: Service + metadata: + name: "${MEMCACHED_SERVICE_NAME}" + annotations: + description: Exposes the memcached server + spec: + ports: + - name: memcached + port: 11211 + targetPort: 11211 + selector: + name: "${MEMCACHED_SERVICE_NAME}" +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${MEMCACHED_SERVICE_NAME}" + annotations: + description: Defines how to deploy memcached + spec: + strategy: + type: Recreate + triggers: + - type: ConfigChange + replicas: 1 + selector: + name: "${MEMCACHED_SERVICE_NAME}" + template: + metadata: + name: "${MEMCACHED_SERVICE_NAME}" + labels: + name: "${MEMCACHED_SERVICE_NAME}" + spec: + volumes: [] + containers: + - name: memcached + image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}" + 
ports: + - containerPort: 11211 + readinessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 5 + tcpSocket: + port: 11211 + livenessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 30 + tcpSocket: + port: 11211 + volumeMounts: [] + env: + - name: MEMCACHED_MAX_MEMORY + value: "${MEMCACHED_MAX_MEMORY}" + - name: MEMCACHED_MAX_CONNECTIONS + value: "${MEMCACHED_MAX_CONNECTIONS}" + - name: MEMCACHED_SLAB_PAGE_SIZE + value: "${MEMCACHED_SLAB_PAGE_SIZE}" + resources: + requests: + memory: "${MEMCACHED_MEM_REQ}" + cpu: "${MEMCACHED_CPU_REQ}" + limits: + memory: "${MEMCACHED_MEM_LIMIT}" +- apiVersion: v1 + kind: Service + metadata: + name: "${DATABASE_SERVICE_NAME}" + annotations: + description: Exposes the database server + spec: + ports: + - name: postgresql + port: 5432 + targetPort: 5432 + selector: + name: "${DATABASE_SERVICE_NAME}" +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${DATABASE_SERVICE_NAME}" + annotations: + description: Defines how to deploy the database + spec: + strategy: + type: Recreate + triggers: + - type: ConfigChange + replicas: 1 + selector: + name: "${DATABASE_SERVICE_NAME}" + template: + metadata: + name: "${DATABASE_SERVICE_NAME}" + labels: + name: "${DATABASE_SERVICE_NAME}" + spec: + volumes: + - name: cfme-pgdb-volume + persistentVolumeClaim: + claimName: "${NAME}-${DATABASE_SERVICE_NAME}" + - name: cfme-pg-configs + configMap: + name: "${DATABASE_SERVICE_NAME}-configs" + containers: + - name: postgresql + image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}" + ports: + - containerPort: 5432 + readinessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 15 + exec: + command: + - "/bin/sh" + - "-i" + - "-c" + - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1' + livenessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 60 + tcpSocket: + port: 5432 + volumeMounts: + - name: cfme-pgdb-volume + mountPath: "/var/lib/pgsql/data" + - name: cfme-pg-configs + mountPath: "${POSTGRESQL_CONFIG_DIR}" + 
env: + - name: POSTGRESQL_USER + value: "${DATABASE_USER}" + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: pg-password + - name: POSTGRESQL_DATABASE + value: "${DATABASE_NAME}" + - name: POSTGRESQL_MAX_CONNECTIONS + value: "${POSTGRESQL_MAX_CONNECTIONS}" + - name: POSTGRESQL_SHARED_BUFFERS + value: "${POSTGRESQL_SHARED_BUFFERS}" + - name: POSTGRESQL_CONFIG_DIR + value: "${POSTGRESQL_CONFIG_DIR}" + resources: + requests: + memory: "${POSTGRESQL_MEM_REQ}" + cpu: "${POSTGRESQL_CPU_REQ}" + limits: + memory: "${POSTGRESQL_MEM_LIMIT}" +- apiVersion: v1 + kind: Service + metadata: + annotations: + description: Exposes and load balances Ansible pods + service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]' + name: "${ANSIBLE_SERVICE_NAME}" + spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + name: "${ANSIBLE_SERVICE_NAME}" +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${ANSIBLE_SERVICE_NAME}" + annotations: + description: Defines how to deploy the Ansible appliance + spec: + strategy: + type: Recreate + serviceName: "${ANSIBLE_SERVICE_NAME}" + replicas: 0 + template: + metadata: + labels: + name: "${ANSIBLE_SERVICE_NAME}" + name: "${ANSIBLE_SERVICE_NAME}" + spec: + containers: + - name: ansible + image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}" + livenessProbe: + tcpSocket: + port: 443 + initialDelaySeconds: 480 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: "/" + port: 443 + scheme: HTTPS + initialDelaySeconds: 200 + timeoutSeconds: 3 + ports: + - containerPort: 80 + protocol: TCP + - containerPort: 443 + protocol: TCP + securityContext: + privileged: true + env: + - name: ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: admin-password + - name: RABBITMQ_USER_NAME + value: "${ANSIBLE_RABBITMQ_USER_NAME}" + 
- name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: rabbit-password + - name: ANSIBLE_SECRET_KEY + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: secret-key + - name: DATABASE_SERVICE_NAME + value: "${DATABASE_SERVICE_NAME}" + - name: POSTGRESQL_USER + value: "${DATABASE_USER}" + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: pg-password + - name: POSTGRESQL_DATABASE + value: "${ANSIBLE_DATABASE_NAME}" + resources: + requests: + memory: "${ANSIBLE_MEM_REQ}" + cpu: "${ANSIBLE_CPU_REQ}" + limits: + memory: "${ANSIBLE_MEM_LIMIT}" + serviceAccount: cfme-privileged + serviceAccountName: cfme-privileged +- apiVersion: v1 + kind: Service + metadata: + name: "${HTTPD_SERVICE_NAME}" + annotations: + description: Exposes the httpd server + service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]' + spec: + ports: + - name: http + port: 80 + targetPort: 80 + selector: + name: httpd +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${HTTPD_SERVICE_NAME}" + annotations: + description: Defines how to deploy httpd + spec: + strategy: + type: Recreate + recreateParams: + timeoutSeconds: 1200 + triggers: + - type: ConfigChange + replicas: 1 + selector: + name: "${HTTPD_SERVICE_NAME}" + template: + metadata: + name: "${HTTPD_SERVICE_NAME}" + labels: + name: "${HTTPD_SERVICE_NAME}" + spec: + volumes: + - name: httpd-config + configMap: + name: "${HTTPD_SERVICE_NAME}-configs" + - name: httpd-auth-config + configMap: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + containers: + - name: httpd + image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}" + ports: + - containerPort: 80 + livenessProbe: + exec: + command: + - pidof + - httpd + initialDelaySeconds: 15 + timeoutSeconds: 3 + readinessProbe: + tcpSocket: + port: 80 + initialDelaySeconds: 10 + timeoutSeconds: 3 + volumeMounts: + - name: httpd-config + mountPath: 
"${HTTPD_CONFIG_DIR}" + - name: httpd-auth-config + mountPath: "${HTTPD_AUTH_CONFIG_DIR}" + resources: + requests: + memory: "${HTTPD_MEM_REQ}" + cpu: "${HTTPD_CPU_REQ}" + limits: + memory: "${HTTPD_MEM_LIMIT}" + env: + - name: HTTPD_AUTH_TYPE + valueFrom: + configMapKeyRef: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + key: auth-type + lifecycle: + postStart: + exec: + command: + - "/usr/bin/save-container-environment" + serviceAccount: cfme-httpd + serviceAccountName: cfme-httpd +parameters: +- name: NAME + displayName: Name + required: true + description: The name assigned to all of the frontend objects defined in this template. + value: cloudforms +- name: V2_KEY + displayName: CloudForms Encryption Key + required: true + description: Encryption Key for CloudForms Passwords + from: "[a-zA-Z0-9]{43}" + generate: expression +- name: DATABASE_SERVICE_NAME + displayName: PostgreSQL Service Name + required: true + description: The name of the OpenShift Service exposed for the PostgreSQL container. + value: postgresql +- name: DATABASE_USER + displayName: PostgreSQL User + required: true + description: PostgreSQL user that will access the database. + value: root +- name: DATABASE_PASSWORD + displayName: PostgreSQL Password + required: true + description: Password for the PostgreSQL user. + from: "[a-zA-Z0-9]{8}" + generate: expression +- name: DATABASE_NAME + required: true + displayName: PostgreSQL Database Name + description: Name of the PostgreSQL database accessed. + value: vmdb_production +- name: DATABASE_REGION + required: true + displayName: Application Database Region + description: Database region that will be used for application. 
+ value: '0' +- name: ANSIBLE_DATABASE_NAME + displayName: Ansible PostgreSQL database name + required: true + description: The database to be used by the Ansible continer + value: awx +- name: MEMCACHED_SERVICE_NAME + required: true + displayName: Memcached Service Name + description: The name of the OpenShift Service exposed for the Memcached container. + value: memcached +- name: MEMCACHED_MAX_MEMORY + displayName: Memcached Max Memory + description: Memcached maximum memory for memcached object storage in MB. + value: '64' +- name: MEMCACHED_MAX_CONNECTIONS + displayName: Memcached Max Connections + description: Memcached maximum number of connections allowed. + value: '1024' +- name: MEMCACHED_SLAB_PAGE_SIZE + displayName: Memcached Slab Page Size + description: Memcached size of each slab page. + value: 1m +- name: POSTGRESQL_CONFIG_DIR + displayName: PostgreSQL Configuration Overrides + description: Directory used to store PostgreSQL configuration overrides. + value: "/var/lib/pgsql/conf.d" +- name: POSTGRESQL_MAX_CONNECTIONS + displayName: PostgreSQL Max Connections + description: PostgreSQL maximum number of database connections allowed. + value: '1000' +- name: POSTGRESQL_SHARED_BUFFERS + displayName: PostgreSQL Shared Buffer Amount + description: Amount of memory dedicated for PostgreSQL shared memory buffers. + value: 1GB +- name: ANSIBLE_SERVICE_NAME + displayName: Ansible Service Name + description: The name of the OpenShift Service exposed for the Ansible container. 
+ value: ansible +- name: ANSIBLE_ADMIN_PASSWORD + displayName: Ansible admin User password + required: true + description: The password for the Ansible container admin user + from: "[a-zA-Z0-9]{32}" + generate: expression +- name: ANSIBLE_SECRET_KEY + displayName: Ansible Secret Key + required: true + description: Encryption key for the Ansible container + from: "[a-f0-9]{32}" + generate: expression +- name: ANSIBLE_RABBITMQ_USER_NAME + displayName: RabbitMQ Username + required: true + description: Username for the Ansible RabbitMQ Server + value: ansible +- name: ANSIBLE_RABBITMQ_PASSWORD + displayName: RabbitMQ Server Password + required: true + description: Password for the Ansible RabbitMQ Server + from: "[a-zA-Z0-9]{32}" + generate: expression +- name: APPLICATION_CPU_REQ + displayName: Application Min CPU Requested + required: true + description: Minimum amount of CPU time the Application container will need (expressed in millicores). + value: 1000m +- name: POSTGRESQL_CPU_REQ + displayName: PostgreSQL Min CPU Requested + required: true + description: Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores). + value: 500m +- name: MEMCACHED_CPU_REQ + displayName: Memcached Min CPU Requested + required: true + description: Minimum amount of CPU time the Memcached container will need (expressed in millicores). + value: 200m +- name: ANSIBLE_CPU_REQ + displayName: Ansible Min CPU Requested + required: true + description: Minimum amount of CPU time the Ansible container will need (expressed in millicores). + value: 1000m +- name: APPLICATION_MEM_REQ + displayName: Application Min RAM Requested + required: true + description: Minimum amount of memory the Application container will need. + value: 6144Mi +- name: POSTGRESQL_MEM_REQ + displayName: PostgreSQL Min RAM Requested + required: true + description: Minimum amount of memory the PostgreSQL container will need. 
+ value: 4Gi +- name: MEMCACHED_MEM_REQ + displayName: Memcached Min RAM Requested + required: true + description: Minimum amount of memory the Memcached container will need. + value: 64Mi +- name: ANSIBLE_MEM_REQ + displayName: Ansible Min RAM Requested + required: true + description: Minimum amount of memory the Ansible container will need. + value: 2048Mi +- name: APPLICATION_MEM_LIMIT + displayName: Application Max RAM Limit + required: true + description: Maximum amount of memory the Application container can consume. + value: 16384Mi +- name: POSTGRESQL_MEM_LIMIT + displayName: PostgreSQL Max RAM Limit + required: true + description: Maximum amount of memory the PostgreSQL container can consume. + value: 8Gi +- name: MEMCACHED_MEM_LIMIT + displayName: Memcached Max RAM Limit + required: true + description: Maximum amount of memory the Memcached container can consume. + value: 256Mi +- name: ANSIBLE_MEM_LIMIT + displayName: Ansible Max RAM Limit + required: true + description: Maximum amount of memory the Ansible container can consume. + value: 8096Mi +- name: POSTGRESQL_IMG_NAME + displayName: PostgreSQL Image Name + description: This is the PostgreSQL image name requested to deploy. + value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql +- name: POSTGRESQL_IMG_TAG + displayName: PostgreSQL Image Tag + description: This is the PostgreSQL image tag/version requested to deploy. + value: latest +- name: MEMCACHED_IMG_NAME + displayName: Memcached Image Name + description: This is the Memcached image name requested to deploy. + value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-memcached +- name: MEMCACHED_IMG_TAG + displayName: Memcached Image Tag + description: This is the Memcached image tag/version requested to deploy. 
+ value: latest +- name: FRONTEND_APPLICATION_IMG_NAME + displayName: Frontend Application Image Name + description: This is the Frontend Application image name requested to deploy. + value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app-ui +- name: BACKEND_APPLICATION_IMG_NAME + displayName: Backend Application Image Name + description: This is the Backend Application image name requested to deploy. + value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app +- name: FRONTEND_APPLICATION_IMG_TAG + displayName: Front end Application Image Tag + description: This is the CloudForms Frontend Application image tag/version requested to deploy. + value: latest +- name: BACKEND_APPLICATION_IMG_TAG + displayName: Back end Application Image Tag + description: This is the CloudForms Backend Application image tag/version requested to deploy. + value: latest +- name: ANSIBLE_IMG_NAME + displayName: Ansible Image Name + description: This is the Ansible image name requested to deploy. + value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-embedded-ansible +- name: ANSIBLE_IMG_TAG + displayName: Ansible Image Tag + description: This is the Ansible image tag/version requested to deploy. + value: latest +- name: APPLICATION_DOMAIN + displayName: Application Hostname + description: The exposed hostname that will route to the application service, if left blank a value will be defaulted. + value: '' +- name: APPLICATION_REPLICA_COUNT + displayName: Application Replica Count + description: This is the number of Application replicas requested to deploy. + value: '1' +- name: APPLICATION_INIT_DELAY + displayName: Application Init Delay + required: true + description: Delay in seconds before we attempt to initialize the application. 
+ value: '15' +- name: APPLICATION_VOLUME_CAPACITY + displayName: Application Volume Capacity + required: true + description: Volume space available for application data. + value: 5Gi +- name: DATABASE_VOLUME_CAPACITY + displayName: Database Volume Capacity + required: true + description: Volume space available for database. + value: 15Gi +- name: HTTPD_SERVICE_NAME + required: true + displayName: Apache httpd Service Name + description: The name of the OpenShift Service exposed for the httpd container. + value: httpd +- name: HTTPD_IMG_NAME + displayName: Apache httpd Image Name + description: This is the httpd image name requested to deploy. + value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-httpd +- name: HTTPD_IMG_TAG + displayName: Apache httpd Image Tag + description: This is the httpd image tag/version requested to deploy. + value: latest +- name: HTTPD_CONFIG_DIR + displayName: Apache Configuration Directory + description: Directory used to store the Apache configuration files. + value: "/etc/httpd/conf.d" +- name: HTTPD_AUTH_CONFIG_DIR + displayName: External Authentication Configuration Directory + description: Directory used to store the external authentication configuration files. + value: "/etc/httpd/auth-conf.d" +- name: HTTPD_CPU_REQ + displayName: Apache httpd Min CPU Requested + required: true + description: Minimum amount of CPU time the httpd container will need (expressed in millicores). + value: 500m +- name: HTTPD_MEM_REQ + displayName: Apache httpd Min RAM Requested + required: true + description: Minimum amount of memory the httpd container will need. + value: 512Mi +- name: HTTPD_MEM_LIMIT + displayName: Apache httpd Max RAM Limit + required: true + description: Maximum amount of memory the httpd container can consume. + value: 8192Mi 
diff --git a/roles/openshift_cfme/files/templates/manageiq/miq-backup-job.yaml b/roles/openshift_cfme/files/templates/manageiq/miq-backup-job.yaml
new file mode 100644
index 000000000..044cb73a5
--- /dev/null
+++ b/roles/openshift_cfme/files/templates/manageiq/miq-backup-job.yaml
@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: manageiq-backup
+spec:
+ template:
+ metadata:
+ name: manageiq-backup
+ spec:
+ containers:
+ - name: postgresql
+ image: docker.io/manageiq/postgresql:latest
+ command:
+ - "/opt/manageiq/container-scripts/backup_db"
+ env:
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: manageiq-secrets
+ key: database-url
+ volumeMounts:
+ - name: miq-backup-vol
+ mountPath: "/backups"
+ volumes:
+ - name: miq-backup-vol
+ persistentVolumeClaim:
+ claimName: manageiq-backup
+ restartPolicy: Never
diff --git a/roles/openshift_cfme/files/templates/manageiq/miq-backup-pvc.yaml b/roles/openshift_cfme/files/templates/manageiq/miq-backup-pvc.yaml
new file mode 100644
index 000000000..25696ef23
--- /dev/null
+++ b/roles/openshift_cfme/files/templates/manageiq/miq-backup-pvc.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: manageiq-backup
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 15Gi
diff --git a/roles/openshift_cfme/files/templates/manageiq/miq-pv-backup-example.yaml b/roles/openshift_cfme/files/templates/manageiq/miq-pv-backup-example.yaml
new file mode 100644
index 000000000..a5cf54d4e
--- /dev/null
+++ b/roles/openshift_cfme/files/templates/manageiq/miq-pv-backup-example.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: miq-pv03
+spec:
+ capacity:
+ storage: 15Gi
+ accessModes:
+ - ReadWriteOnce
+ nfs:
+ path: "/exports/miq-pv03"
+ server: ""
+ persistentVolumeReclaimPolicy: Retain
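Review bot: The backup Job pulls `image: docker.io/manageiq/postgresql:latest`, a mutable tag, so two runs of the same Job can execute different `backup_db` scripts against the production database and a dump written by one may not be readable by the other; the restore Job two hunks down uses the same unpinned image. Pin both Jobs to the same versioned tag or digest, e.g. `image: docker.io/manageiq/postgresql:<pinned-tag>` (placeholder), so backup and restore always run matching tooling. The `DATABASE_URL` value injected from `manageiq-secrets` carries the database password; anyone who can read that Secret or exec into the Job pod obtains it, which is only acceptable if access to this namespace is limited to operators, and a header comment saying so would help whoever copies this file.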
diff --git a/roles/openshift_cfme/files/templates/manageiq/miq-pv-db-example.yaml b/roles/openshift_cfme/files/templates/manageiq/miq-pv-db-example.yaml
new file mode 100644
index 000000000..a803bebe2
--- /dev/null
+++ b/roles/openshift_cfme/files/templates/manageiq/miq-pv-db-example.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Template
+labels:
+ template: manageiq-db-pv
+metadata:
+ name: manageiq-db-pv
+ annotations:
+ description: PV Template for MIQ PostgreSQL DB
+ tags: PVS, MIQ
+objects:
+- apiVersion: v1
+ kind: PersistentVolume
+ metadata:
+ name: miq-db
+ spec:
+ capacity:
+ storage: "${PV_SIZE}"
+ accessModes:
+ - ReadWriteOnce
+ nfs:
+ path: "${BASE_PATH}/miq-db"
+ server: "${NFS_HOST}"
+ persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+ displayName: PV Size for DB
+ required: true
+ description: The size of the MIQ DB PV given in Gi
+ value: 15Gi
+- name: BASE_PATH
+ displayName: Exports Directory Base Path
+ required: true
+ description: The parent directory of your NFS exports
+ value: "/exports"
+- name: NFS_HOST
+ displayName: NFS Server Hostname
+ required: true
+ description: The hostname or IP address of the NFS server
diff --git a/roles/openshift_cfme/files/templates/manageiq/miq-pv-server-example.yaml b/roles/openshift_cfme/files/templates/manageiq/miq-pv-server-example.yaml
new file mode 100644
index 000000000..1288544d1
--- /dev/null
+++ b/roles/openshift_cfme/files/templates/manageiq/miq-pv-server-example.yaml
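Review bot: The PersistentVolume name is hard-coded as `name: miq-db` while size, export path and NFS host are parameters; PersistentVolumes are cluster-scoped, so processing this template a second time on the same cluster (a second ManageIQ project, or a rebuild) fails with an AlreadyExists conflict instead of creating a new volume. The app PV template in the next hunk has the same shape with `name: miq-app`. A `PV_NAME` parameter defaulting to the current name, used for both `metadata.name` and the `nfs.path` suffix, keeps today's behaviour and makes the example reusable. `tags: PVS, MIQ` also differs from the `tags: instant-app,manageiq,miq` form the application templates use; the catalog splits tags on commas, so the stray space is probably harmless but worth normalizing.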
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Template
+labels:
+ template: manageiq-app-pv
+metadata:
+ name: manageiq-app-pv
+ annotations:
+ description: PV Template for MIQ Server
+ tags: PVS, MIQ
+objects:
+- apiVersion: v1
+ kind: PersistentVolume
+ metadata:
+ name: miq-app
+ spec:
+ capacity:
+ storage: "${PV_SIZE}"
+ accessModes:
+ - ReadWriteOnce
+ nfs:
+ path: "${BASE_PATH}/miq-app"
+ server: "${NFS_HOST}"
+ persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+ displayName: PV Size for App
+ required: true
+ description: The size of the MIQ APP PV given in Gi
+ value: 5Gi
+- name: BASE_PATH
+ displayName: Exports Directory Base Path
+ required: true
+ description: The parent directory of your NFS exports
+ value: "/exports"
+- name: NFS_HOST
+ displayName: NFS Server Hostname
+ required: true
+ description: The hostname or IP address of the NFS server
diff --git a/roles/openshift_cfme/files/templates/manageiq/miq-restore-job.yaml b/roles/openshift_cfme/files/templates/manageiq/miq-restore-job.yaml
new file mode 100644
index 000000000..eea284dd4
--- /dev/null
+++ b/roles/openshift_cfme/files/templates/manageiq/miq-restore-job.yaml
@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: manageiq-restore
+spec:
+ template:
+ metadata:
+ name: manageiq-restore
+ spec:
+ containers:
+ - name: postgresql
+ image: docker.io/manageiq/postgresql:latest
+ command:
+ - "/opt/manageiq/container-scripts/restore_db"
+ env:
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: manageiq-secrets
+ key: database-url
+ - name: BACKUP_VERSION
+ value: latest
+ volumeMounts:
+ - name: miq-backup-vol
+ mountPath: "/backups"
+ - name: miq-prod-vol
+ mountPath: "/restore"
+ volumes:
+ - name: miq-backup-vol
+ persistentVolumeClaim:
+ claimName: manageiq-backup
+ - name: miq-prod-vol
+ persistentVolumeClaim:
+ claimName: manageiq-postgresql
+ restartPolicy: Never
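Review bot: The restore Job mounts the production database claim `manageiq-postgresql` at `/restore` and defaults `BACKUP_VERSION` to `latest`, so applying this file unchanged overwrites the live data directory with whichever dump happens to be newest, and nothing in the file records that the PostgreSQL pod must be scaled to zero first (if that claim is `ReadWriteOnce`, as the backup claim is, the Job would otherwise stay Pending or race the running server — inferred, confirm against `restore_db`). A header comment stating that precondition and that `BACKUP_VERSION` should be set explicitly to the intended dump would prevent an accidental restore; the unpinned `postgresql:latest` image is raised on the backup Job hunk above.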
diff --git a/roles/openshift_cfme/files/templates/manageiq/miq-template-ext-db.yaml b/roles/openshift_cfme/files/templates/manageiq/miq-template-ext-db.yaml
new file mode 100644
index 000000000..82cd5d49e
--- /dev/null
+++ b/roles/openshift_cfme/files/templates/manageiq/miq-template-ext-db.yaml
@@ -0,0 +1,771 @@ +apiVersion: v1 +kind: Template +labels: + template: manageiq-ext-db +metadata: + name: manageiq-ext-db + annotations: + description: ManageIQ appliance with persistent storage using a external DB host + tags: instant-app,manageiq,miq + iconClass: icon-rails +objects: +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: miq-orchestrator +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: miq-anyuid +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: miq-privileged +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: miq-httpd +- apiVersion: v1 + kind: Secret + metadata: + name: "${NAME}-secrets" + stringData: + pg-password: "${DATABASE_PASSWORD}" + database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5 + v2-key: "${V2_KEY}" +- apiVersion: v1 + kind: Secret + metadata: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + stringData: + rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}" + secret-key: "${ANSIBLE_SECRET_KEY}" + admin-password: "${ANSIBLE_ADMIN_PASSWORD}" +- apiVersion: v1 + kind: Service + metadata: + annotations: + description: Exposes and load balances ManageIQ pods + service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]' + name: "${NAME}" + spec: + clusterIP: None + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + selector: + name: "${NAME}" +- apiVersion: v1 + kind: Route + metadata: + name: "${HTTPD_SERVICE_NAME}" + spec: + host: "${APPLICATION_DOMAIN}" + port: + targetPort: http + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect + to: + kind: Service + name: "${HTTPD_SERVICE_NAME}" +- apiVersion: apps/v1beta1 + kind: StatefulSet + metadata: + name: "${NAME}" + annotations: + description: Defines how to deploy the ManageIQ appliance + spec: + serviceName: 
"${NAME}" + replicas: "${APPLICATION_REPLICA_COUNT}" + template: + metadata: + labels: + name: "${NAME}" + name: "${NAME}" + spec: + containers: + - name: manageiq + image: "${APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}" + livenessProbe: + tcpSocket: + port: 80 + initialDelaySeconds: 480 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: "/" + port: 80 + scheme: HTTP + initialDelaySeconds: 200 + timeoutSeconds: 3 + ports: + - containerPort: 80 + protocol: TCP + volumeMounts: + - name: "${NAME}-server" + mountPath: "/persistent" + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: APPLICATION_INIT_DELAY + value: "${APPLICATION_INIT_DELAY}" + - name: DATABASE_SERVICE_NAME + value: "${DATABASE_SERVICE_NAME}" + - name: DATABASE_REGION + value: "${DATABASE_REGION}" + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: database-url + - name: MEMCACHED_SERVER + value: "${MEMCACHED_SERVICE_NAME}:11211" + - name: MEMCACHED_SERVICE_NAME + value: "${MEMCACHED_SERVICE_NAME}" + - name: V2_KEY + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: v2-key + - name: ANSIBLE_SERVICE_NAME + value: "${ANSIBLE_SERVICE_NAME}" + - name: ANSIBLE_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: admin-password + resources: + requests: + memory: "${APPLICATION_MEM_REQ}" + cpu: "${APPLICATION_CPU_REQ}" + limits: + memory: "${APPLICATION_MEM_LIMIT}" + lifecycle: + preStop: + exec: + command: + - "/opt/manageiq/container-scripts/sync-pv-data" + serviceAccount: miq-orchestrator + serviceAccountName: miq-orchestrator + terminationGracePeriodSeconds: 90 + volumeClaimTemplates: + - metadata: + name: "${NAME}-server" + annotations: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 + kind: Service + metadata: + annotations: + description: Headless service for ManageIQ backend 
pods + name: "${NAME}-backend" + spec: + clusterIP: None + selector: + name: "${NAME}-backend" +- apiVersion: apps/v1beta1 + kind: StatefulSet + metadata: + name: "${NAME}-backend" + annotations: + description: Defines how to deploy the ManageIQ appliance + spec: + serviceName: "${NAME}-backend" + replicas: 0 + template: + metadata: + labels: + name: "${NAME}-backend" + name: "${NAME}-backend" + spec: + containers: + - name: manageiq + image: "${APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}" + livenessProbe: + exec: + command: + - pidof + - MIQ Server + initialDelaySeconds: 480 + timeoutSeconds: 3 + volumeMounts: + - name: "${NAME}-server" + mountPath: "/persistent" + env: + - name: APPLICATION_INIT_DELAY + value: "${APPLICATION_INIT_DELAY}" + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: database-url + - name: MIQ_SERVER_DEFAULT_ROLES + value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate + - name: FRONTEND_SERVICE_NAME + value: "${NAME}" + - name: MEMCACHED_SERVER + value: "${MEMCACHED_SERVICE_NAME}:11211" + - name: V2_KEY + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: v2-key + - name: ANSIBLE_SERVICE_NAME + value: "${ANSIBLE_SERVICE_NAME}" + - name: ANSIBLE_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: admin-password + resources: + requests: + memory: "${APPLICATION_MEM_REQ}" + cpu: "${APPLICATION_CPU_REQ}" + limits: + memory: "${APPLICATION_MEM_LIMIT}" + lifecycle: + preStop: + exec: + command: + - "/opt/manageiq/container-scripts/sync-pv-data" + serviceAccount: miq-orchestrator + serviceAccountName: miq-orchestrator + terminationGracePeriodSeconds: 90 + volumeClaimTemplates: + - metadata: + name: "${NAME}-server" + annotations: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 + kind: Service + metadata: + name: 
"${MEMCACHED_SERVICE_NAME}" + annotations: + description: Exposes the memcached server + spec: + ports: + - name: memcached + port: 11211 + targetPort: 11211 + selector: + name: "${MEMCACHED_SERVICE_NAME}" +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${MEMCACHED_SERVICE_NAME}" + annotations: + description: Defines how to deploy memcached + spec: + strategy: + type: Recreate + triggers: + - type: ConfigChange + replicas: 1 + selector: + name: "${MEMCACHED_SERVICE_NAME}" + template: + metadata: + name: "${MEMCACHED_SERVICE_NAME}" + labels: + name: "${MEMCACHED_SERVICE_NAME}" + spec: + volumes: [] + containers: + - name: memcached + image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}" + ports: + - containerPort: 11211 + readinessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 5 + tcpSocket: + port: 11211 + livenessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 30 + tcpSocket: + port: 11211 + volumeMounts: [] + env: + - name: MEMCACHED_MAX_MEMORY + value: "${MEMCACHED_MAX_MEMORY}" + - name: MEMCACHED_MAX_CONNECTIONS + value: "${MEMCACHED_MAX_CONNECTIONS}" + - name: MEMCACHED_SLAB_PAGE_SIZE + value: "${MEMCACHED_SLAB_PAGE_SIZE}" + resources: + requests: + memory: "${MEMCACHED_MEM_REQ}" + cpu: "${MEMCACHED_CPU_REQ}" + limits: + memory: "${MEMCACHED_MEM_LIMIT}" +- apiVersion: v1 + kind: Service + metadata: + name: "${DATABASE_SERVICE_NAME}" + annotations: + description: Remote database service + spec: + ports: + - name: postgresql + port: 5432 + targetPort: "${{DATABASE_PORT}}" + selector: {} +- apiVersion: v1 + kind: Endpoints + metadata: + name: "${DATABASE_SERVICE_NAME}" + subsets: + - addresses: + - ip: "${DATABASE_IP}" + ports: + - port: "${{DATABASE_PORT}}" + name: postgresql +- apiVersion: v1 + kind: Service + metadata: + annotations: + description: Exposes and load balances Ansible pods + service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]' + name: "${ANSIBLE_SERVICE_NAME}" + spec: 
+ ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + name: "${ANSIBLE_SERVICE_NAME}" +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${ANSIBLE_SERVICE_NAME}" + annotations: + description: Defines how to deploy the Ansible appliance + spec: + strategy: + type: Recreate + serviceName: "${ANSIBLE_SERVICE_NAME}" + replicas: 0 + template: + metadata: + labels: + name: "${ANSIBLE_SERVICE_NAME}" + name: "${ANSIBLE_SERVICE_NAME}" + spec: + containers: + - name: ansible + image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}" + livenessProbe: + tcpSocket: + port: 443 + initialDelaySeconds: 480 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: "/" + port: 443 + scheme: HTTPS + initialDelaySeconds: 200 + timeoutSeconds: 3 + ports: + - containerPort: 80 + protocol: TCP + - containerPort: 443 + protocol: TCP + securityContext: + privileged: true + env: + - name: ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: admin-password + - name: RABBITMQ_USER_NAME + value: "${ANSIBLE_RABBITMQ_USER_NAME}" + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: rabbit-password + - name: ANSIBLE_SECRET_KEY + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: secret-key + - name: DATABASE_SERVICE_NAME + value: "${DATABASE_SERVICE_NAME}" + - name: POSTGRESQL_USER + value: "${DATABASE_USER}" + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: pg-password + - name: POSTGRESQL_DATABASE + value: "${ANSIBLE_DATABASE_NAME}" + resources: + requests: + memory: "${ANSIBLE_MEM_REQ}" + cpu: "${ANSIBLE_CPU_REQ}" + limits: + memory: "${ANSIBLE_MEM_LIMIT}" + serviceAccount: miq-privileged + serviceAccountName: miq-privileged +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "${HTTPD_SERVICE_NAME}-configs" + data: + application.conf: | + # 
Timeout: The number of seconds before receives and sends time out. + Timeout 120 + + RewriteEngine On + Options SymLinksIfOwnerMatch + + + KeepAlive on + ProxyPreserveHost on + ProxyPass /ws/ ws://${NAME}/ws/ + ProxyPassReverse /ws/ ws://${NAME}/ws/ + ProxyPass / http://${NAME}/ + ProxyPassReverse / http://${NAME}/ + +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + data: + auth-type: internal + auth-configuration.conf: | + # External Authentication Configuration File + # + # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication +- apiVersion: v1 + kind: Service + metadata: + name: "${HTTPD_SERVICE_NAME}" + annotations: + description: Exposes the httpd server + service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]' + spec: + ports: + - name: http + port: 80 + targetPort: 80 + selector: + name: httpd +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${HTTPD_SERVICE_NAME}" + annotations: + description: Defines how to deploy httpd + spec: + strategy: + type: Recreate + recreateParams: + timeoutSeconds: 1200 + triggers: + - type: ConfigChange + replicas: 1 + selector: + name: "${HTTPD_SERVICE_NAME}" + template: + metadata: + name: "${HTTPD_SERVICE_NAME}" + labels: + name: "${HTTPD_SERVICE_NAME}" + spec: + volumes: + - name: httpd-config + configMap: + name: "${HTTPD_SERVICE_NAME}-configs" + - name: httpd-auth-config + configMap: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + containers: + - name: httpd + image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}" + ports: + - containerPort: 80 + livenessProbe: + exec: + command: + - pidof + - httpd + initialDelaySeconds: 15 + timeoutSeconds: 3 + readinessProbe: + tcpSocket: + port: 80 + initialDelaySeconds: 10 + timeoutSeconds: 3 + volumeMounts: + - name: httpd-config + mountPath: "${HTTPD_CONFIG_DIR}" + - name: httpd-auth-config + mountPath: 
"${HTTPD_AUTH_CONFIG_DIR}" + resources: + requests: + memory: "${HTTPD_MEM_REQ}" + cpu: "${HTTPD_CPU_REQ}" + limits: + memory: "${HTTPD_MEM_LIMIT}" + env: + - name: HTTPD_AUTH_TYPE + valueFrom: + configMapKeyRef: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + key: auth-type + lifecycle: + postStart: + exec: + command: + - "/usr/bin/save-container-environment" + serviceAccount: miq-anyuid + serviceAccountName: miq-anyuid +parameters: +- name: NAME + displayName: Name + required: true + description: The name assigned to all of the frontend objects defined in this template. + value: manageiq +- name: V2_KEY + displayName: ManageIQ Encryption Key + required: true + description: Encryption Key for ManageIQ Passwords + from: "[a-zA-Z0-9]{43}" + generate: expression +- name: DATABASE_SERVICE_NAME + displayName: PostgreSQL Service Name + required: true + description: The name of the OpenShift Service exposed for the PostgreSQL container. + value: postgresql +- name: DATABASE_USER + displayName: PostgreSQL User + required: true + description: PostgreSQL user that will access the database. + value: root +- name: DATABASE_PASSWORD + displayName: PostgreSQL Password + required: true + description: Password for the PostgreSQL user. + from: "[a-zA-Z0-9]{8}" + generate: expression +- name: DATABASE_IP + displayName: PostgreSQL Server IP + required: true + description: PostgreSQL external server IP used to configure service. + value: '' +- name: DATABASE_PORT + displayName: PostgreSQL Server Port + required: true + description: PostgreSQL external server port used to configure service. + value: '5432' +- name: DATABASE_NAME + required: true + displayName: PostgreSQL Database Name + description: Name of the PostgreSQL database accessed. + value: vmdb_production +- name: DATABASE_REGION + required: true + displayName: Application Database Region + description: Database region that will be used for application. 
+ value: '0' +- name: ANSIBLE_DATABASE_NAME + displayName: Ansible PostgreSQL database name + required: true + description: The database to be used by the Ansible continer + value: awx +- name: MEMCACHED_SERVICE_NAME + required: true + displayName: Memcached Service Name + description: The name of the OpenShift Service exposed for the Memcached container. + value: memcached +- name: MEMCACHED_MAX_MEMORY + displayName: Memcached Max Memory + description: Memcached maximum memory for memcached object storage in MB. + value: '64' +- name: MEMCACHED_MAX_CONNECTIONS + displayName: Memcached Max Connections + description: Memcached maximum number of connections allowed. + value: '1024' +- name: MEMCACHED_SLAB_PAGE_SIZE + displayName: Memcached Slab Page Size + description: Memcached size of each slab page. + value: 1m +- name: ANSIBLE_SERVICE_NAME + displayName: Ansible Service Name + description: The name of the OpenShift Service exposed for the Ansible container. + value: ansible +- name: ANSIBLE_ADMIN_PASSWORD + displayName: Ansible admin User password + required: true + description: The password for the Ansible container admin user + from: "[a-zA-Z0-9]{32}" + generate: expression +- name: ANSIBLE_SECRET_KEY + displayName: Ansible Secret Key + required: true + description: Encryption key for the Ansible container + from: "[a-f0-9]{32}" + generate: expression +- name: ANSIBLE_RABBITMQ_USER_NAME + displayName: RabbitMQ Username + required: true + description: Username for the Ansible RabbitMQ Server + value: ansible +- name: ANSIBLE_RABBITMQ_PASSWORD + displayName: RabbitMQ Server Password + required: true + description: Password for the Ansible RabbitMQ Server + from: "[a-zA-Z0-9]{32}" + generate: expression +- name: APPLICATION_CPU_REQ + displayName: Application Min CPU Requested + required: true + description: Minimum amount of CPU time the Application container will need (expressed in millicores). 
+ value: 1000m +- name: MEMCACHED_CPU_REQ + displayName: Memcached Min CPU Requested + required: true + description: Minimum amount of CPU time the Memcached container will need (expressed in millicores). + value: 200m +- name: ANSIBLE_CPU_REQ + displayName: Ansible Min CPU Requested + required: true + description: Minimum amount of CPU time the Ansible container will need (expressed in millicores). + value: 1000m +- name: APPLICATION_MEM_REQ + displayName: Application Min RAM Requested + required: true + description: Minimum amount of memory the Application container will need. + value: 6144Mi +- name: MEMCACHED_MEM_REQ + displayName: Memcached Min RAM Requested + required: true + description: Minimum amount of memory the Memcached container will need. + value: 64Mi +- name: ANSIBLE_MEM_REQ + displayName: Ansible Min RAM Requested + required: true + description: Minimum amount of memory the Ansible container will need. + value: 2048Mi +- name: APPLICATION_MEM_LIMIT + displayName: Application Max RAM Limit + required: true + description: Maximum amount of memory the Application container can consume. + value: 16384Mi +- name: MEMCACHED_MEM_LIMIT + displayName: Memcached Max RAM Limit + required: true + description: Maximum amount of memory the Memcached container can consume. + value: 256Mi +- name: ANSIBLE_MEM_LIMIT + displayName: Ansible Max RAM Limit + required: true + description: Maximum amount of memory the Ansible container can consume. + value: 8096Mi +- name: MEMCACHED_IMG_NAME + displayName: Memcached Image Name + description: This is the Memcached image name requested to deploy. + value: docker.io/manageiq/memcached +- name: MEMCACHED_IMG_TAG + displayName: Memcached Image Tag + description: This is the Memcached image tag/version requested to deploy. + value: latest +- name: APPLICATION_IMG_NAME + displayName: Application Image Name + description: This is the Application image name requested to deploy. 
+ value: docker.io/manageiq/manageiq-pods +- name: FRONTEND_APPLICATION_IMG_TAG + displayName: Front end Application Image Tag + description: This is the ManageIQ Frontend Application image tag/version requested to deploy. + value: frontend-latest +- name: BACKEND_APPLICATION_IMG_TAG + displayName: Back end Application Image Tag + description: This is the ManageIQ Backend Application image tag/version requested to deploy. + value: backend-latest +- name: ANSIBLE_IMG_NAME + displayName: Ansible Image Name + description: This is the Ansible image name requested to deploy. + value: docker.io/manageiq/embedded-ansible +- name: ANSIBLE_IMG_TAG + displayName: Ansible Image Tag + description: This is the Ansible image tag/version requested to deploy. + value: latest +- name: APPLICATION_DOMAIN + displayName: Application Hostname + description: The exposed hostname that will route to the application service, if left blank a value will be defaulted. + value: '' +- name: APPLICATION_REPLICA_COUNT + displayName: Application Replica Count + description: This is the number of Application replicas requested to deploy. + value: '1' +- name: APPLICATION_INIT_DELAY + displayName: Application Init Delay + required: true + description: Delay in seconds before we attempt to initialize the application. + value: '15' +- name: APPLICATION_VOLUME_CAPACITY + displayName: Application Volume Capacity + required: true + description: Volume space available for application data. + value: 5Gi +- name: HTTPD_SERVICE_NAME + required: true + displayName: Apache httpd Service Name + description: The name of the OpenShift Service exposed for the httpd container. + value: httpd +- name: HTTPD_IMG_NAME + displayName: Apache httpd Image Name + description: This is the httpd image name requested to deploy. + value: docker.io/manageiq/httpd +- name: HTTPD_IMG_TAG + displayName: Apache httpd Image Tag + description: This is the httpd image tag/version requested to deploy. 
+ value: latest
+- name: HTTPD_CONFIG_DIR
+ displayName: Apache httpd Configuration Directory
+ description: Directory used to store the Apache configuration files.
+ value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+ displayName: External Authentication Configuration Directory
+ description: Directory used to store the external authentication configuration files.
+ value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+ displayName: Apache httpd Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+ value: 500m
+- name: HTTPD_MEM_REQ
+ displayName: Apache httpd Min RAM Requested
+ required: true
+ description: Minimum amount of memory the httpd container will need.
+ value: 512Mi
+- name: HTTPD_MEM_LIMIT
+ displayName: Apache httpd Max RAM Limit
+ required: true
+ description: Maximum amount of memory the httpd container can consume.
+ value: 8192Mi
diff --git a/roles/openshift_cfme/files/templates/manageiq/miq-template.yaml b/roles/openshift_cfme/files/templates/manageiq/miq-template.yaml
new file mode 100644
index 000000000..3f5a12205
--- /dev/null
+++ b/roles/openshift_cfme/files/templates/manageiq/miq-template.yaml
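Review bot: The httpd Service selects `name: httpd` while the httpd DeploymentConfig labels its pods `name: "${HTTPD_SERVICE_NAME}"`, so deploying with a non-default `HTTPD_SERVICE_NAME` leaves the edge-terminated Route pointing at a Service with no endpoints; the selector should read `name: "${HTTPD_SERVICE_NAME}"` like every other selector in this template. `DATABASE_PASSWORD` is generated from `[a-zA-Z0-9]{8}` even though this template targets an external database whose credentials already exist, so the generated default can only be wrong and is discovered at first connection, and it is far shorter than the 32-character patterns used for the Ansible secrets; either drop the `from`/`generate` pair so the value must be supplied, or widen the pattern to match. The Ansible container runs with `privileged: true` under the `miq-privileged` service account, and a comment on that block naming what the embedded Ansible image needs the privilege for would let operators decide whether binding the privileged SCC to that account is acceptable. `replicas: "${APPLICATION_REPLICA_COUNT}"` on the frontend StatefulSet substitutes a string into an integer field, unlike the `${{DATABASE_PORT}}` form used for the Endpoints port; worth confirming with `oc process` that the API accepts it.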
@@ -0,0 +1,948 @@ +apiVersion: v1 +kind: Template +labels: + template: manageiq +metadata: + name: manageiq + annotations: + description: ManageIQ appliance with persistent storage + tags: instant-app,manageiq,miq + iconClass: icon-rails +objects: +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: miq-orchestrator +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: miq-anyuid +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: miq-privileged +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: miq-httpd +- apiVersion: v1 + kind: Secret + metadata: + name: "${NAME}-secrets" + stringData: + pg-password: "${DATABASE_PASSWORD}" + database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5 + v2-key: "${V2_KEY}" +- apiVersion: v1 + kind: Secret + metadata: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + stringData: + rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}" + secret-key: "${ANSIBLE_SECRET_KEY}" + admin-password: "${ANSIBLE_ADMIN_PASSWORD}" +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "${DATABASE_SERVICE_NAME}-configs" + data: + 01_miq_overrides.conf: | + #------------------------------------------------------------------------------ + # CONNECTIONS AND AUTHENTICATION + #------------------------------------------------------------------------------ + + tcp_keepalives_count = 9 + tcp_keepalives_idle = 3 + tcp_keepalives_interval = 75 + + #------------------------------------------------------------------------------ + # RESOURCE USAGE (except WAL) + #------------------------------------------------------------------------------ + + shared_preload_libraries = 'pglogical,repmgr_funcs' + max_worker_processes = 10 + + #------------------------------------------------------------------------------ + # WRITE AHEAD LOG + #------------------------------------------------------------------------------ + + wal_level = 'logical' + wal_log_hints = on + 
wal_buffers = 16MB + checkpoint_completion_target = 0.9 + + #------------------------------------------------------------------------------ + # REPLICATION + #------------------------------------------------------------------------------ + + max_wal_senders = 10 + wal_sender_timeout = 0 + max_replication_slots = 10 + hot_standby = on + + #------------------------------------------------------------------------------ + # ERROR REPORTING AND LOGGING + #------------------------------------------------------------------------------ + + log_filename = 'postgresql.log' + log_rotation_age = 0 + log_min_duration_statement = 5000 + log_connections = on + log_disconnections = on + log_line_prefix = '%t:%r:%c:%u@%d:[%p]:' + log_lock_waits = on + + #------------------------------------------------------------------------------ + # AUTOVACUUM PARAMETERS + #------------------------------------------------------------------------------ + + log_autovacuum_min_duration = 0 + autovacuum_naptime = 5min + autovacuum_vacuum_threshold = 500 + autovacuum_analyze_threshold = 500 + autovacuum_vacuum_scale_factor = 0.05 + + #------------------------------------------------------------------------------ + # LOCK MANAGEMENT + #------------------------------------------------------------------------------ + + deadlock_timeout = 5s + + #------------------------------------------------------------------------------ + # VERSION/PLATFORM COMPATIBILITY + #------------------------------------------------------------------------------ + + escape_string_warning = off + standard_conforming_strings = off +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "${HTTPD_SERVICE_NAME}-configs" + data: + application.conf: | + # Timeout: The number of seconds before receives and sends time out. 
+ Timeout 120 + + RewriteEngine On + Options SymLinksIfOwnerMatch + + + KeepAlive on + ProxyPreserveHost on + ProxyPass /ws/ ws://${NAME}/ws/ + ProxyPassReverse /ws/ ws://${NAME}/ws/ + ProxyPass / http://${NAME}/ + ProxyPassReverse / http://${NAME}/ + +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + data: + auth-type: internal + auth-configuration.conf: | + # External Authentication Configuration File + # + # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication +- apiVersion: v1 + kind: Service + metadata: + annotations: + description: Exposes and load balances ManageIQ pods + service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]' + name: "${NAME}" + spec: + clusterIP: None + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + selector: + name: "${NAME}" +- apiVersion: v1 + kind: Route + metadata: + name: "${HTTPD_SERVICE_NAME}" + spec: + host: "${APPLICATION_DOMAIN}" + port: + targetPort: http + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect + to: + kind: Service + name: "${HTTPD_SERVICE_NAME}" +- apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: "${NAME}-${DATABASE_SERVICE_NAME}" + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "${DATABASE_VOLUME_CAPACITY}" +- apiVersion: apps/v1beta1 + kind: StatefulSet + metadata: + name: "${NAME}" + annotations: + description: Defines how to deploy the ManageIQ appliance + spec: + serviceName: "${NAME}" + replicas: "${APPLICATION_REPLICA_COUNT}" + template: + metadata: + labels: + name: "${NAME}" + name: "${NAME}" + spec: + containers: + - name: manageiq + image: "${APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}" + livenessProbe: + tcpSocket: + port: 80 + initialDelaySeconds: 480 + 
timeoutSeconds: 3 + readinessProbe: + httpGet: + path: "/" + port: 80 + scheme: HTTP + initialDelaySeconds: 200 + timeoutSeconds: 3 + ports: + - containerPort: 80 + protocol: TCP + volumeMounts: + - name: "${NAME}-server" + mountPath: "/persistent" + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: APPLICATION_INIT_DELAY + value: "${APPLICATION_INIT_DELAY}" + - name: DATABASE_SERVICE_NAME + value: "${DATABASE_SERVICE_NAME}" + - name: DATABASE_REGION + value: "${DATABASE_REGION}" + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: database-url + - name: MEMCACHED_SERVER + value: "${MEMCACHED_SERVICE_NAME}:11211" + - name: MEMCACHED_SERVICE_NAME + value: "${MEMCACHED_SERVICE_NAME}" + - name: V2_KEY + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: v2-key + - name: ANSIBLE_SERVICE_NAME + value: "${ANSIBLE_SERVICE_NAME}" + - name: ANSIBLE_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: admin-password + resources: + requests: + memory: "${APPLICATION_MEM_REQ}" + cpu: "${APPLICATION_CPU_REQ}" + limits: + memory: "${APPLICATION_MEM_LIMIT}" + lifecycle: + preStop: + exec: + command: + - "/opt/manageiq/container-scripts/sync-pv-data" + serviceAccount: miq-orchestrator + serviceAccountName: miq-orchestrator + terminationGracePeriodSeconds: 90 + volumeClaimTemplates: + - metadata: + name: "${NAME}-server" + annotations: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 + kind: Service + metadata: + annotations: + description: Headless service for ManageIQ backend pods + name: "${NAME}-backend" + spec: + clusterIP: None + selector: + name: "${NAME}-backend" +- apiVersion: apps/v1beta1 + kind: StatefulSet + metadata: + name: "${NAME}-backend" + annotations: + description: Defines how to deploy the ManageIQ appliance + spec: + serviceName: "${NAME}-backend" + 
replicas: 0 + template: + metadata: + labels: + name: "${NAME}-backend" + name: "${NAME}-backend" + spec: + containers: + - name: manageiq + image: "${APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}" + livenessProbe: + exec: + command: + - pidof + - MIQ Server + initialDelaySeconds: 480 + timeoutSeconds: 3 + volumeMounts: + - name: "${NAME}-server" + mountPath: "/persistent" + env: + - name: APPLICATION_INIT_DELAY + value: "${APPLICATION_INIT_DELAY}" + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: database-url + - name: MIQ_SERVER_DEFAULT_ROLES + value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate + - name: FRONTEND_SERVICE_NAME + value: "${NAME}" + - name: MEMCACHED_SERVER + value: "${MEMCACHED_SERVICE_NAME}:11211" + - name: V2_KEY + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: v2-key + - name: ANSIBLE_SERVICE_NAME + value: "${ANSIBLE_SERVICE_NAME}" + - name: ANSIBLE_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: admin-password + resources: + requests: + memory: "${APPLICATION_MEM_REQ}" + cpu: "${APPLICATION_CPU_REQ}" + limits: + memory: "${APPLICATION_MEM_LIMIT}" + lifecycle: + preStop: + exec: + command: + - "/opt/manageiq/container-scripts/sync-pv-data" + serviceAccount: miq-orchestrator + serviceAccountName: miq-orchestrator + terminationGracePeriodSeconds: 90 + volumeClaimTemplates: + - metadata: + name: "${NAME}-server" + annotations: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "${APPLICATION_VOLUME_CAPACITY}" +- apiVersion: v1 + kind: Service + metadata: + name: "${MEMCACHED_SERVICE_NAME}" + annotations: + description: Exposes the memcached server + spec: + ports: + - name: memcached + port: 11211 + targetPort: 11211 + selector: + name: "${MEMCACHED_SERVICE_NAME}" +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${MEMCACHED_SERVICE_NAME}" + annotations: + 
description: Defines how to deploy memcached + spec: + strategy: + type: Recreate + triggers: + - type: ConfigChange + replicas: 1 + selector: + name: "${MEMCACHED_SERVICE_NAME}" + template: + metadata: + name: "${MEMCACHED_SERVICE_NAME}" + labels: + name: "${MEMCACHED_SERVICE_NAME}" + spec: + volumes: [] + containers: + - name: memcached + image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}" + ports: + - containerPort: 11211 + readinessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 5 + tcpSocket: + port: 11211 + livenessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 30 + tcpSocket: + port: 11211 + volumeMounts: [] + env: + - name: MEMCACHED_MAX_MEMORY + value: "${MEMCACHED_MAX_MEMORY}" + - name: MEMCACHED_MAX_CONNECTIONS + value: "${MEMCACHED_MAX_CONNECTIONS}" + - name: MEMCACHED_SLAB_PAGE_SIZE + value: "${MEMCACHED_SLAB_PAGE_SIZE}" + resources: + requests: + memory: "${MEMCACHED_MEM_REQ}" + cpu: "${MEMCACHED_CPU_REQ}" + limits: + memory: "${MEMCACHED_MEM_LIMIT}" +- apiVersion: v1 + kind: Service + metadata: + name: "${DATABASE_SERVICE_NAME}" + annotations: + description: Exposes the database server + spec: + ports: + - name: postgresql + port: 5432 + targetPort: 5432 + selector: + name: "${DATABASE_SERVICE_NAME}" +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${DATABASE_SERVICE_NAME}" + annotations: + description: Defines how to deploy the database + spec: + strategy: + type: Recreate + triggers: + - type: ConfigChange + replicas: 1 + selector: + name: "${DATABASE_SERVICE_NAME}" + template: + metadata: + name: "${DATABASE_SERVICE_NAME}" + labels: + name: "${DATABASE_SERVICE_NAME}" + spec: + volumes: + - name: miq-pgdb-volume + persistentVolumeClaim: + claimName: "${NAME}-${DATABASE_SERVICE_NAME}" + - name: miq-pg-configs + configMap: + name: "${DATABASE_SERVICE_NAME}-configs" + containers: + - name: postgresql + image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}" + ports: + - containerPort: 5432 + readinessProbe: + timeoutSeconds: 1 + 
initialDelaySeconds: 15 + exec: + command: + - "/bin/sh" + - "-i" + - "-c" + - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1' + livenessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 60 + tcpSocket: + port: 5432 + volumeMounts: + - name: miq-pgdb-volume + mountPath: "/var/lib/pgsql/data" + - name: miq-pg-configs + mountPath: "${POSTGRESQL_CONFIG_DIR}" + env: + - name: POSTGRESQL_USER + value: "${DATABASE_USER}" + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: pg-password + - name: POSTGRESQL_DATABASE + value: "${DATABASE_NAME}" + - name: POSTGRESQL_MAX_CONNECTIONS + value: "${POSTGRESQL_MAX_CONNECTIONS}" + - name: POSTGRESQL_SHARED_BUFFERS + value: "${POSTGRESQL_SHARED_BUFFERS}" + - name: POSTGRESQL_CONFIG_DIR + value: "${POSTGRESQL_CONFIG_DIR}" + resources: + requests: + memory: "${POSTGRESQL_MEM_REQ}" + cpu: "${POSTGRESQL_CPU_REQ}" + limits: + memory: "${POSTGRESQL_MEM_LIMIT}" +- apiVersion: v1 + kind: Service + metadata: + annotations: + description: Exposes and load balances Ansible pods + service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]' + name: "${ANSIBLE_SERVICE_NAME}" + spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + name: "${ANSIBLE_SERVICE_NAME}" +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${ANSIBLE_SERVICE_NAME}" + annotations: + description: Defines how to deploy the Ansible appliance + spec: + strategy: + type: Recreate + serviceName: "${ANSIBLE_SERVICE_NAME}" + replicas: 0 + template: + metadata: + labels: + name: "${ANSIBLE_SERVICE_NAME}" + name: "${ANSIBLE_SERVICE_NAME}" + spec: + containers: + - name: ansible + image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}" + livenessProbe: + tcpSocket: + port: 443 + initialDelaySeconds: 480 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: "/" 
+ port: 443 + scheme: HTTPS + initialDelaySeconds: 200 + timeoutSeconds: 3 + ports: + - containerPort: 80 + protocol: TCP + - containerPort: 443 + protocol: TCP + securityContext: + privileged: true + env: + - name: ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: admin-password + - name: RABBITMQ_USER_NAME + value: "${ANSIBLE_RABBITMQ_USER_NAME}" + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: rabbit-password + - name: ANSIBLE_SECRET_KEY + valueFrom: + secretKeyRef: + name: "${ANSIBLE_SERVICE_NAME}-secrets" + key: secret-key + - name: DATABASE_SERVICE_NAME + value: "${DATABASE_SERVICE_NAME}" + - name: POSTGRESQL_USER + value: "${DATABASE_USER}" + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: "${NAME}-secrets" + key: pg-password + - name: POSTGRESQL_DATABASE + value: "${ANSIBLE_DATABASE_NAME}" + resources: + requests: + memory: "${ANSIBLE_MEM_REQ}" + cpu: "${ANSIBLE_CPU_REQ}" + limits: + memory: "${ANSIBLE_MEM_LIMIT}" + serviceAccount: miq-privileged + serviceAccountName: miq-privileged +- apiVersion: v1 + kind: Service + metadata: + name: "${HTTPD_SERVICE_NAME}" + annotations: + description: Exposes the httpd server + service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]' + spec: + ports: + - name: http + port: 80 + targetPort: 80 + selector: + name: httpd +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "${HTTPD_SERVICE_NAME}" + annotations: + description: Defines how to deploy httpd + spec: + strategy: + type: Recreate + recreateParams: + timeoutSeconds: 1200 + triggers: + - type: ConfigChange + replicas: 1 + selector: + name: "${HTTPD_SERVICE_NAME}" + template: + metadata: + name: "${HTTPD_SERVICE_NAME}" + labels: + name: "${HTTPD_SERVICE_NAME}" + spec: + volumes: + - name: httpd-config + configMap: + name: "${HTTPD_SERVICE_NAME}-configs" + - name: httpd-auth-config + configMap: + name: 
"${HTTPD_SERVICE_NAME}-auth-configs" + containers: + - name: httpd + image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}" + ports: + - containerPort: 80 + livenessProbe: + exec: + command: + - pidof + - httpd + initialDelaySeconds: 15 + timeoutSeconds: 3 + readinessProbe: + tcpSocket: + port: 80 + initialDelaySeconds: 10 + timeoutSeconds: 3 + volumeMounts: + - name: httpd-config + mountPath: "${HTTPD_CONFIG_DIR}" + - name: httpd-auth-config + mountPath: "${HTTPD_AUTH_CONFIG_DIR}" + resources: + requests: + memory: "${HTTPD_MEM_REQ}" + cpu: "${HTTPD_CPU_REQ}" + limits: + memory: "${HTTPD_MEM_LIMIT}" + env: + - name: HTTPD_AUTH_TYPE + valueFrom: + configMapKeyRef: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + key: auth-type + lifecycle: + postStart: + exec: + command: + - "/usr/bin/save-container-environment" + serviceAccount: miq-anyuid + serviceAccountName: miq-anyuid +parameters: +- name: NAME + displayName: Name + required: true + description: The name assigned to all of the frontend objects defined in this template. + value: manageiq +- name: V2_KEY + displayName: ManageIQ Encryption Key + required: true + description: Encryption Key for ManageIQ Passwords + from: "[a-zA-Z0-9]{43}" + generate: expression +- name: DATABASE_SERVICE_NAME + displayName: PostgreSQL Service Name + required: true + description: The name of the OpenShift Service exposed for the PostgreSQL container. + value: postgresql +- name: DATABASE_USER + displayName: PostgreSQL User + required: true + description: PostgreSQL user that will access the database. + value: root +- name: DATABASE_PASSWORD + displayName: PostgreSQL Password + required: true + description: Password for the PostgreSQL user. + from: "[a-zA-Z0-9]{8}" + generate: expression +- name: DATABASE_NAME + required: true + displayName: PostgreSQL Database Name + description: Name of the PostgreSQL database accessed. 
+ value: vmdb_production +- name: DATABASE_REGION + required: true + displayName: Application Database Region + description: Database region that will be used for application. + value: '0' +- name: ANSIBLE_DATABASE_NAME + displayName: Ansible PostgreSQL database name + required: true + description: The database to be used by the Ansible continer + value: awx +- name: MEMCACHED_SERVICE_NAME + required: true + displayName: Memcached Service Name + description: The name of the OpenShift Service exposed for the Memcached container. + value: memcached +- name: MEMCACHED_MAX_MEMORY + displayName: Memcached Max Memory + description: Memcached maximum memory for memcached object storage in MB. + value: '64' +- name: MEMCACHED_MAX_CONNECTIONS + displayName: Memcached Max Connections + description: Memcached maximum number of connections allowed. + value: '1024' +- name: MEMCACHED_SLAB_PAGE_SIZE + displayName: Memcached Slab Page Size + description: Memcached size of each slab page. + value: 1m +- name: POSTGRESQL_CONFIG_DIR + displayName: PostgreSQL Configuration Overrides + description: Directory used to store PostgreSQL configuration overrides. + value: "/var/lib/pgsql/conf.d" +- name: POSTGRESQL_MAX_CONNECTIONS + displayName: PostgreSQL Max Connections + description: PostgreSQL maximum number of database connections allowed. + value: '1000' +- name: POSTGRESQL_SHARED_BUFFERS + displayName: PostgreSQL Shared Buffer Amount + description: Amount of memory dedicated for PostgreSQL shared memory buffers. + value: 1GB +- name: ANSIBLE_SERVICE_NAME + displayName: Ansible Service Name + description: The name of the OpenShift Service exposed for the Ansible container. 
+ value: ansible +- name: ANSIBLE_ADMIN_PASSWORD + displayName: Ansible admin User password + required: true + description: The password for the Ansible container admin user + from: "[a-zA-Z0-9]{32}" + generate: expression +- name: ANSIBLE_SECRET_KEY + displayName: Ansible Secret Key + required: true + description: Encryption key for the Ansible container + from: "[a-f0-9]{32}" + generate: expression +- name: ANSIBLE_RABBITMQ_USER_NAME + displayName: RabbitMQ Username + required: true + description: Username for the Ansible RabbitMQ Server + value: ansible +- name: ANSIBLE_RABBITMQ_PASSWORD + displayName: RabbitMQ Server Password + required: true + description: Password for the Ansible RabbitMQ Server + from: "[a-zA-Z0-9]{32}" + generate: expression +- name: APPLICATION_CPU_REQ + displayName: Application Min CPU Requested + required: true + description: Minimum amount of CPU time the Application container will need (expressed in millicores). + value: 1000m +- name: POSTGRESQL_CPU_REQ + displayName: PostgreSQL Min CPU Requested + required: true + description: Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores). + value: 500m +- name: MEMCACHED_CPU_REQ + displayName: Memcached Min CPU Requested + required: true + description: Minimum amount of CPU time the Memcached container will need (expressed in millicores). + value: 200m +- name: ANSIBLE_CPU_REQ + displayName: Ansible Min CPU Requested + required: true + description: Minimum amount of CPU time the Ansible container will need (expressed in millicores). + value: 1000m +- name: APPLICATION_MEM_REQ + displayName: Application Min RAM Requested + required: true + description: Minimum amount of memory the Application container will need. + value: 6144Mi +- name: POSTGRESQL_MEM_REQ + displayName: PostgreSQL Min RAM Requested + required: true + description: Minimum amount of memory the PostgreSQL container will need. 
+ value: 4Gi +- name: MEMCACHED_MEM_REQ + displayName: Memcached Min RAM Requested + required: true + description: Minimum amount of memory the Memcached container will need. + value: 64Mi +- name: ANSIBLE_MEM_REQ + displayName: Ansible Min RAM Requested + required: true + description: Minimum amount of memory the Ansible container will need. + value: 2048Mi +- name: APPLICATION_MEM_LIMIT + displayName: Application Max RAM Limit + required: true + description: Maximum amount of memory the Application container can consume. + value: 16384Mi +- name: POSTGRESQL_MEM_LIMIT + displayName: PostgreSQL Max RAM Limit + required: true + description: Maximum amount of memory the PostgreSQL container can consume. + value: 8Gi +- name: MEMCACHED_MEM_LIMIT + displayName: Memcached Max RAM Limit + required: true + description: Maximum amount of memory the Memcached container can consume. + value: 256Mi +- name: ANSIBLE_MEM_LIMIT + displayName: Ansible Max RAM Limit + required: true + description: Maximum amount of memory the Ansible container can consume. + value: 8096Mi +- name: POSTGRESQL_IMG_NAME + displayName: PostgreSQL Image Name + description: This is the PostgreSQL image name requested to deploy. + value: docker.io/manageiq/postgresql +- name: POSTGRESQL_IMG_TAG + displayName: PostgreSQL Image Tag + description: This is the PostgreSQL image tag/version requested to deploy. + value: latest +- name: MEMCACHED_IMG_NAME + displayName: Memcached Image Name + description: This is the Memcached image name requested to deploy. + value: docker.io/manageiq/memcached +- name: MEMCACHED_IMG_TAG + displayName: Memcached Image Tag + description: This is the Memcached image tag/version requested to deploy. + value: latest +- name: APPLICATION_IMG_NAME + displayName: Application Image Name + description: This is the Application image name requested to deploy. 
+ value: docker.io/manageiq/manageiq-pods +- name: FRONTEND_APPLICATION_IMG_TAG + displayName: Front end Application Image Tag + description: This is the ManageIQ Frontend Application image tag/version requested to deploy. + value: frontend-latest +- name: BACKEND_APPLICATION_IMG_TAG + displayName: Back end Application Image Tag + description: This is the ManageIQ Backend Application image tag/version requested to deploy. + value: backend-latest +- name: ANSIBLE_IMG_NAME + displayName: Ansible Image Name + description: This is the Ansible image name requested to deploy. + value: docker.io/manageiq/embedded-ansible +- name: ANSIBLE_IMG_TAG + displayName: Ansible Image Tag + description: This is the Ansible image tag/version requested to deploy. + value: latest +- name: APPLICATION_DOMAIN + displayName: Application Hostname + description: The exposed hostname that will route to the application service, if left blank a value will be defaulted. + value: '' +- name: APPLICATION_REPLICA_COUNT + displayName: Application Replica Count + description: This is the number of Application replicas requested to deploy. + value: '1' +- name: APPLICATION_INIT_DELAY + displayName: Application Init Delay + required: true + description: Delay in seconds before we attempt to initialize the application. + value: '15' +- name: APPLICATION_VOLUME_CAPACITY + displayName: Application Volume Capacity + required: true + description: Volume space available for application data. + value: 5Gi +- name: DATABASE_VOLUME_CAPACITY + displayName: Database Volume Capacity + required: true + description: Volume space available for database. + value: 15Gi +- name: HTTPD_SERVICE_NAME + required: true + displayName: Apache httpd Service Name + description: The name of the OpenShift Service exposed for the httpd container. + value: httpd +- name: HTTPD_IMG_NAME + displayName: Apache httpd Image Name + description: This is the httpd image name requested to deploy. 
+ value: docker.io/manageiq/httpd +- name: HTTPD_IMG_TAG + displayName: Apache httpd Image Tag + description: This is the httpd image tag/version requested to deploy. + value: latest +- name: HTTPD_CONFIG_DIR + displayName: Apache Configuration Directory + description: Directory used to store the Apache configuration files. + value: "/etc/httpd/conf.d" +- name: HTTPD_AUTH_CONFIG_DIR + displayName: External Authentication Configuration Directory + description: Directory used to store the external authentication configuration files. + value: "/etc/httpd/auth-conf.d" +- name: HTTPD_CPU_REQ + displayName: Apache httpd Min CPU Requested + required: true + description: Minimum amount of CPU time the httpd container will need (expressed in millicores). + value: 500m +- name: HTTPD_MEM_REQ + displayName: Apache httpd Min RAM Requested + required: true + description: Minimum amount of memory the httpd container will need. + value: 512Mi +- name: HTTPD_MEM_LIMIT + displayName: Apache httpd Max RAM Limit + required: true + description: Maximum amount of memory the httpd container can consume. + value: 8192Mi diff --git a/roles/openshift_cfme/handlers/main.yml b/roles/openshift_cfme/handlers/main.yml index 8b84dfb71..e69de29bb 100644 --- a/roles/openshift_cfme/handlers/main.yml +++ b/roles/openshift_cfme/handlers/main.yml 
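Review bot: The httpd Service selects pods by the literal label `name: httpd`, while the httpd DeploymentConfig in the same hunk labels its pods `name: "${HTTPD_SERVICE_NAME}"`, so overriding HTTPD_SERVICE_NAME leaves the Service without endpoints and the Route pointing at nothing; the selector should read `name: "${HTTPD_SERVICE_NAME}"` as the other Services in this template do. DATABASE_PASSWORD is generated from `[a-zA-Z0-9]{8}` for a user that defaults to `root` and is also interpolated into the `database-url` Secret key, whereas the Ansible secrets here use `{32}`; widening it to `from: "[a-zA-Z0-9]{32}"` is free since the value only ever flows through the Secret. The embedded `01_miq_overrides.conf` sets `standard_conforming_strings = off` and `escape_string_warning = off`, which makes backslash an escape character in ordinary string literals; that appears to be upstream appliance behaviour, but a one-line comment in the block saying why the appliance needs it would stop the next reviewer from re-raising it. The ansible container runs with `privileged: true` under miq-privileged, and a comment beside `securityContext` stating which image feature requires that would likewise help. `ANSIBLE_MEM_LIMIT` defaults to `8096Mi`, which looks like a typo for `8192Mi` given the sibling limits in this parameter list.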
@@ -1,40 +0,0 @@
----
-######################################################################
-# NOTE: These are duplicated from roles/openshift_master/handlers/main.yml
-#
-# TODO: Use the consolidated 'openshift_handlers' role once it's ready
-# See: https://github.com/openshift/openshift-ansible/pull/4041#discussion_r118770782
-######################################################################
-
-- name: restart master api
- systemd: name={{ openshift.common.service_type }}-master-api state=restarted
- when: (not (master_api_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native'
- notify: Verify API Server
-
-- name: restart master controllers
- systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted
- when: (not (master_controllers_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native'
-
-- name: Verify API Server
- # Using curl here since the uri module requires python-httplib2 and
- # wait_for port doesn't provide health information.
- command: >
- curl --silent --tlsv1.2
- {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
- --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
- {% else %}
- --cacert {{ openshift.common.config_base }}/master/ca.crt
- {% endif %}
- {{ openshift.master.api_url }}/healthz/ready
- args:
- # Disables the following warning:
- # Consider using get_url or uri module rather than running curl
- warn: no
- register: api_available_output
- until: api_available_output.stdout == 'ok'
- retries: 120
- delay: 1
- changed_when: false
-
-- name: OpenShift-CFME - Reload NFS Exports
- command: exportfs -ar
diff --git a/roles/openshift_cfme/meta/main.yml b/roles/openshift_cfme/meta/main.yml
index 0fce4a28a..07ad51126 100644
--- a/roles/openshift_cfme/meta/main.yml
+++ b/roles/openshift_cfme/meta/main.yml
@@ -16,5 +16,3 @@ galaxy_info: dependencies: - role: lib_openshift - role: lib_utils -# - role: openshift_facts -# - role: openshift_master_facts diff --git a/roles/openshift_cfme/tasks/accounts.yml b/roles/openshift_cfme/tasks/accounts.yml index 261e7858b..64976cd0e 100644 --- a/roles/openshift_cfme/tasks/accounts.yml +++ b/roles/openshift_cfme/tasks/accounts.yml 
@@ -1,65 +1,28 @@ --- # This role task file is responsible for user/system account creation, # and ensuring correct access is provided as required. - -# TODO: This is currently not idempotent, bug report will be filed -# after this. Currently this task will return 'changed' if it just -# created a user, updated a user, or doesn't modify a user at -# all. Seems to be failing some kind of 'does it need updating' test -# condition and running the replace command regardless. -- name: Check if the miq-httpd scc exists - oc_obj: - namespace: "{{ openshift_cfme_project }}" - state: list - kind: scc - name: miq-httpd - register: miq_httpd_scc_exists - -# TODO: Cleanup when conditions -- name: Copy the miq-httpd SCC to the cluster - copy: - src: miq-scc-httpd.yaml - dest: "{{ template_dir }}" - when: - - miq_httpd_scc_exists.results.results | length == 1 - - miq_httpd_scc_exists.results.results[0] == {} - -- name: Ensure the CFME miq-httpd SCC exists - oc_obj: - state: present - name: miq-httpd - namespace: "{{ openshift_cfme_project }}" - kind: scc - files: - - "{{ template_dir }}/miq-scc-httpd.yaml" - delete_after: True - run_once: True - when: - - miq_httpd_scc_exists.results.results | length == 1 - - miq_httpd_scc_exists.results.results[0] == {} - -- name: Ensure the CFME system users exist +- name: Ensure the CFME system accounts exist oc_serviceaccount: namespace: "{{ openshift_cfme_project }}" state: present - name: "{{ item.name }}" + name: "{{ openshift_cfme_flavor_short }}{{ item.name }}" with_items: - - "{{ openshift_system_account_sccs }}" + - "{{ __openshift_system_account_sccs }}" - name: Ensure the CFME system accounts have all the required SCCs oc_adm_policy_user: namespace: "{{ openshift_cfme_project }}" - user: "system:serviceaccount:{{ openshift_cfme_project }}:{{ item.name }}" + user: "system:serviceaccount:{{ openshift_cfme_project }}:{{ openshift_cfme_flavor_short }}{{ item.name }}" resource_kind: scc resource_name: "{{ item.resource_name }}" 
with_items: - - "{{ openshift_system_account_sccs }}" + - "{{ __openshift_system_account_sccs }}" - name: Ensure the CFME system accounts have the required roles oc_adm_policy_user: namespace: "{{ openshift_cfme_project }}" - user: "system:serviceaccount:{{ openshift_cfme_project }}:{{ item.name }}" + user: "system:serviceaccount:{{ openshift_cfme_project }}:{{ openshift_cfme_flavor_short }}{{ item.name }}" resource_kind: role resource_name: "{{ item.resource_name }}" with_items: - - "{{ openshift_cfme_system_account_roles }}" + - "{{ __openshift_cfme_system_account_roles }}" diff --git a/roles/openshift_cfme/tasks/main.yml b/roles/openshift_cfme/tasks/main.yml index cf5a7fdeb..78a6710b3 100644 --- a/roles/openshift_cfme/tasks/main.yml +++ b/roles/openshift_cfme/tasks/main.yml @@ -15,7 +15,7 @@ include: accounts.yml ###################################################################### -# STORAGE - Initialize basic storage classes +# STORAGE - Initialize basic storage class #--------------------------------------------------------------------- # * nfs - set up NFS shares on the first master for a proof of concept - name: Create required NFS exports for CFME app storage @@ -26,8 +26,8 @@ # * external - NFS again, but pointing to a pre-configured NFS server - name: Note Storage Type - External NFS debug: - msg: Setting up external NFS storage, openshift_cfme_storage_class is 'external' - when: openshift_cfme_storage_class == 'external' + msg: "Setting up external NFS storage, openshift_cfme_storage_class is {{ openshift_cfme_storage_class }}" + when: openshift_cfme_storage_class == 'nfs_external' #--------------------------------------------------------------------- # * cloudprovider - use an existing cloudprovider based storage 
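Review bot: The three tasks that listed, copied and created the `miq-httpd` SCC are removed, but nothing in this hunk replaces them, so the later `oc_adm_policy_user` grant with `resource_kind: scc` will fail for any entry of `__openshift_system_account_sccs` whose `resource_name` is that SCC unless another task file now creates it; if it moved, a comment here naming where would make that traceable. The new account names are built as `{{ openshift_cfme_flavor_short }}{{ item.name }}` in three places, so the list entries presumably carry the separator (e.g. `-orchestrator`) and must match the ServiceAccount objects the app template creates — that contract deserves a comment above the first task, along the lines of `# Account names are <flavor_short><item.name> and must match the ServiceAccounts defined in the app template`. One of the grants is an SCC assignment by `resource_name`, so keeping `__openshift_system_account_sccs` to the minimum set each account actually needs is what bounds the blast radius here.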
@@ -45,55 +45,35 @@ ###################################################################### # APPLICATION TEMPLATE -- name: Install the correct CFME app template +- name: Install the CFME app and PV templates include: template.yml ###################################################################### # APP & DB Storage +# For local/external NFS backed installations +- name: "Create the required App and DB PVs using {{ openshift_cfme_storage_class }}" + include: storage/create_nfs_pvs.yml + when: + - openshift_cfme_storage_class in ['nfs', 'nfs_external'] ###################################################################### - -# ###################################################################### -# # Let's do this - -# - name: Ensure the CFME Server is created -# oc_process: -# namespace: "{{ openshift_cfme_project }}" -# template_name: manageiq -# create: True -# params: -# APPLICATION_IMG_NAME: "{{ openshift_cfme_application_img_name }}" -# POSTGRESQL_IMG_NAME: "{{ openshift_cfme_postgresql_img_name }}" -# MEMCACHED_IMG_NAME: "{{ openshift_cfme_memcached_img_name }}" -# APPLICATION_IMG_TAG: "{{ openshift_cfme_application_img_tag }}" -# POSTGRESQL_IMG_TAG: "{{ openshift_cfme_postgresql_img_tag }}" -# MEMCACHED_IMG_TAG: "{{ openshift_cfme_memcached_img_tag }}" -# register: cfme_new_app_process -# run_once: True -# when: -# # User said to install CFME in their inventory -# - openshift_cfme_install_app | bool -# # # The server app doesn't exist already -# # - not miq_server_check.results.results.0 - -# - debug: -# var: cfme_new_app_process - -# ###################################################################### -# # Various cleanup steps - -# # TODO: Not sure what to do about this right now. Might be able to -# # just delete it? This currently warns about "Unable to find -# # '' in expected paths." 
-# - name: Ensure the temporary PV/App templates are erased -# file: -# path: "{{ item }}" -# state: absent -# with_fileglob: -# - "{{ template_dir }}/*.yaml" - -# - name: Ensure the temporary PV/app template directory is erased -# file: -# path: "{{ template_dir }}" -# state: absent +# CREATE APP +- name: Note the correct ext-db template name + set_fact: + openshift_cfme_template_name: "{{ openshift_cfme_flavor }}-ext-db" + when: + - openshift_cfme_app_template in ['miq-template-ext-db', 'cfme-template-ext-db'] + +- name: Note the correct podified db template name + set_fact: + openshift_cfme_template_name: "{{ openshift_cfme_flavor }}" + when: + - openshift_cfme_app_template in ['miq-template', 'cfme-template'] + +- name: Ensure the CFME App is created + oc_process: + namespace: "{{ openshift_cfme_project }}" + template_name: "{{ openshift_cfme_template_name }}" + create: True + params: "{{ openshift_cfme_template_parameters }}" diff --git a/roles/openshift_cfme/tasks/storage/create_nfs_pvs.yml b/roles/openshift_cfme/tasks/storage/create_nfs_pvs.yml new file mode 100644 index 000000000..0a67b2193 --- /dev/null +++ b/roles/openshift_cfme/tasks/storage/create_nfs_pvs.yml 
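Review bot: "Ensure the CFME App is created" passes `openshift_cfme_template_parameters` verbatim to `oc_process`, and for the ext-db templates validate.yml requires that dict to contain `DATABASE_PASSWORD`; without `no_log: true` the module arguments, including the password, are printed on failure and at `-v`. Add `no_log: true` to that task. The two `set_fact` tasks leave `openshift_cfme_template_name` undefined for any value outside the four listed names; that is caught earlier by the assert in validate.yml, so a short comment `# openshift_cfme_app_template is validated in validate.yml` would explain why no fallback is needed here.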
@@ -0,0 +1,43 @@ +--- +# Create the required PVs for the App and the DB +- name: Check if the CFME App PV has been created + oc_obj: + namespace: "{{ openshift_cfme_project }}" + state: list + kind: pv + name: "{{ openshift_cfme_flavor_short }}-app" + register: miq_app_pv_check + +- name: Check if the CFME DB PV has been created + oc_obj: + namespace: "{{ openshift_cfme_project }}" + state: list + kind: pv + name: "{{ openshift_cfme_flavor_short }}-db" + register: miq_db_pv_check + when: + - openshift_cfme_app_template in ['miq-template', 'cfme-template'] + +- name: Ensure the CFME App PV is created + oc_process: + namespace: "{{ openshift_cfme_project }}" + template_name: "{{ openshift_cfme_flavor }}-app-pv" + create: True + params: + PV_SIZE: "{{ openshift_cfme_app_pv_size }}" + BASE_PATH: "{{ openshift_cfme_storage_nfs_base_dir }}" + NFS_HOST: "{{ openshift_cfme_nfs_server }}" + when: miq_app_pv_check.results.results == [{}] + +- name: Ensure the CFME DB PV is created + oc_process: + namespace: "{{ openshift_cfme_project }}" + template_name: "{{ openshift_cfme_flavor }}-db-pv" + create: True + params: + PV_SIZE: "{{ openshift_cfme_db_pv_size }}" + BASE_PATH: "{{ openshift_cfme_storage_nfs_base_dir }}" + NFS_HOST: "{{ openshift_cfme_nfs_server }}" + when: + - openshift_cfme_app_template in ['miq-template', 'cfme-template'] + - miq_db_pv_check.results.results == [{}] diff --git a/roles/openshift_cfme/tasks/storage/create_pvs.yml b/roles/openshift_cfme/tasks/storage/create_pvs.yml deleted file mode 100644 index 7fa7d3997..000000000 --- a/roles/openshift_cfme/tasks/storage/create_pvs.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -# Check for existance and then conditionally: -# - evaluate templates -# - PVs -# -# These tasks idempotently create required CFME PV objects. Do not -# call this file directly. This file is intended to be ran as an -# include that has a 'with_items' attached to it. Hence the use below -# of variables like "{{ item.pv_label }}" - -- name: "Check if the {{ item.pv_label }} template has been created already" - oc_obj: - namespace: "{{ openshift_cfme_project }}" - state: list - kind: pv - name: "{{ item.pv_name }}" - register: miq_pv_check - -# Skip all of this if the PV already exists -- block: - - name: "Ensure the {{ item.pv_label }} template is evaluated" - template: - src: "{{ item.pv_template }}.j2" - dest: "{{ template_dir }}/{{ item.pv_template }}" - - - name: "Ensure {{ item.pv_label }} is created" - oc_obj: - namespace: "{{ openshift_cfme_project }}" - kind: pv - name: "{{ item.pv_name }}" - state: present - delete_after: True - files: - - "{{ template_dir }}/{{ item.pv_template }}" - when: - - not miq_pv_check.results.results.0 diff --git a/roles/openshift_cfme/tasks/storage/nfs.yml b/roles/openshift_cfme/tasks/storage/nfs.yml index 8151f9fbb..c17544480 100644 --- a/roles/openshift_cfme/tasks/storage/nfs.yml +++ b/roles/openshift_cfme/tasks/storage/nfs.yml 
@@ -2,102 +2,66 @@ # Tasks to statically provision NFS volumes # Include if not using dynamic volume provisioning -- name: Note Storage Type - NFS - debug: - msg: Setting up NFS storage, openshift_cfme_storage_class is 'nfs' - -- name: TODO - debug: - msg: TODO - replace hard-coded hostname below with oo_nfs_to_config.0 - -- name: Set openshift_cfme_nfs_server fact - when: openshift_cfme_nfs_server is not defined +- name: Ensure we save the local NFS server if one is provided set_fact: - # Hostname/IP of the NFS server. Currently defaults to first master - openshift_cfme_nfs_server: m01.example.com - -# TODO: I was going to try to apply the openshift_storage_nfs role to -# handle this, however, that role is not written to be used by -# itself. Attempting to use it to create CFME exports would just add -# more hard-coded values to the role. That said, we're doing this here -# manually for now until some one comes up with a better solution, or -# the role is made to accept parameters in a more functional way. -# -# I can't really even include the openshift_storage_nfs role in here -# to do basic setup stuff because it would just result in a lot of -# unwanted exports getting set up for the users. - -- name: Ensure the /exports/ directory exists - file: - path: /exports/ - state: directory - mode: 0755 - owner: root - group: root - -- name: Ensure exports directory exists - file: - path: /etc/exports.d/ - state: directory - -# # TODO - with_items should be passed a list of storage configs for the -# # desired CFME setup. This might mean a local or remote nfs server, as -# # well as fully qualified filesystem paths. 
-# - name: Ensure export directories exist -# file: -# path: "{{ item.storage.nfs.directory }}/{{ item.storage.volume.name }}" -# state: directory -# mode: 0777 -# owner: nfsnobody -# group: nfsnobody -# with_items: - -- name: Enable and start services - systemd: - name: nfs-server - state: started - enabled: yes - register: start_result - -- set_fact: - nfs_service_status_changed: "{{ start_result | changed }}" + openshift_cfme_nfs_server: "{{ openshift_cfme_storage_nfs_local_hostname }}" + when: + - openshift_cfme_storage_nfs_local_hostname is defined + - openshift_cfme_storage_nfs_local_hostname != False + - openshift_cfme_storage_class == "nfs" -- name: restart nfs-server - systemd: - name: nfs-server - state: restarted - when: nfs_service_status_changed | default(false) - notify: - - "OpenShift-CFME - Reload NFS Exports" - -###################################################################### -# TODO: Move the export directory and PV creation into individual -# tasks under the respective server/database task files. - -# # - name: Ensure the miq-pv0X export directories exist -# # file: -# # path: "/exports/{{ item }}" -# # state: directory -# # mode: 0775 -# # owner: nfsnobody -# # group: nfsnobody -# # with_items: "{{ openshift_cfme_pv_exports }}" - -# # - name: Ensure the NFS exports for CFME PVs exist -# # copy: -# # src: openshift_cfme.exports -# # dest: /etc/exports.d/openshift_cfme.exports -# # register: nfs_exports_updated - - -# # Create the required CFME PVs. Check out these online docs if you -# # need a refresher on includes looping with items: -# # * http://docs.ansible.com/ansible/playbooks_loops.html#loops-and-includes-in-2-0 -# # * http://stackoverflow.com/a/35128533 - -# # TODO: Handle the case where a PV template is updated in -# # openshift-ansible and the change needs to be landed on the managed -# # cluster. 
+- name: Ensure we save the local NFS server + set_fact: + openshift_cfme_nfs_server: "{{ groups['oo_nfs_to_config'].0 }}" + when: + - openshift_cfme_nfs_server is not defined + - openshift_cfme_storage_class == "nfs" -# # - include: create_pvs.yml -# # with_items: "{{ openshift_cfme_pv_data }}" +- name: Ensure we save the external NFS server + set_fact: + openshift_cfme_nfs_server: "{{ openshift_cfme_storage_nfs_external_hostname }}" + when: + - openshift_cfme_storage_class == "nfs_external" + +- name: Failed NFS server detection + assert: + that: + - openshift_cfme_nfs_server is defined + msg: | + "Unable to detect an NFS server. The 'nfs_external' + openshift_cfme_storage_class option requires that you set + openshift_cfme_storage_nfs_external_hostname. NFS hosts detected + for local nfs services: {{ groups['oo_nfs_to_config'] | join(', ') }}" + +- name: Setting up NFS storage + block: + - name: Include the NFS Setup role tasks + include_role: + role: openshift_nfs + tasks_from: setup + vars: + l_nfs_base_dir: "{{ openshift_cfme_storage_nfs_base_dir }}" + + - name: Create the App export + include_role: + role: openshift_nfs + tasks_from: create_export + vars: + l_nfs_base_dir: "{{ openshift_cfme_storage_nfs_base_dir }}" + l_nfs_export_config: "{{ openshift_cfme_flavor_short }}" + l_nfs_export_name: "{{ openshift_cfme_flavor_short }}-app" + l_nfs_options: "*(rw,no_root_squash,no_wdelay)" + + - name: Create the DB export + include_role: + role: openshift_nfs + tasks_from: create_export + vars: + l_nfs_base_dir: "{{ openshift_cfme_storage_nfs_base_dir }}" + l_nfs_export_config: "{{ openshift_cfme_flavor_short }}" + l_nfs_export_name: "{{ openshift_cfme_flavor_short }}-db" + l_nfs_options: "*(rw,no_root_squash,no_wdelay)" + when: + - openshift_cfme_app_template in ['miq-template', 'cfme-template'] + + delegate_to: "{{ openshift_cfme_nfs_server }}" 
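Review bot: Both exports are created with `l_nfs_options: "*(rw,no_root_squash,no_wdelay)"`, which exports the application and PostgreSQL data volumes read-write to every host that can reach the NFS server and lets any root client write as root; that is a wider exposure than the "proof of concept" wording in main.yml suggests. Make the options a role default (for example `openshift_cfme_nfs_export_options`, defaulting to the current string for compatibility) and document in the README that anything beyond a PoC should restrict the client list to the node subnet. The block's `delegate_to: "{{ openshift_cfme_nfs_server }}"` would also run the openshift_nfs setup against the external appliance if this file is ever included with `openshift_cfme_storage_class == 'nfs_external'`; the `when` guarding the include in main.yml is outside this hunk, so worth confirming.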
diff --git a/roles/openshift_cfme/tasks/template.yml b/roles/openshift_cfme/tasks/template.yml index 11ccae3e6..2061e2bd7 100644 --- a/roles/openshift_cfme/tasks/template.yml +++ b/roles/openshift_cfme/tasks/template.yml 
@@ -4,69 +4,125 @@ ###################################################################### # CFME App Template # -# Note, this is different from the create_pvs.yml tasks in that the -# application template does not require any jinja2 evaluation. +# Note, this is different from the create_nfs_pvs.yml tasks in that +# the application template does not require any jinja2 evaluation. # -# TODO: Handle the case where the server template is updated in -# openshift-ansible and the change needs to be landed on the managed -# cluster. +# TODO: Handle the case where the server or PV templates are updated +# in openshift-ansible and the change needs to be landed on the +# managed cluster. ###################################################################### # STANDARD PODIFIED DATABASE TEMPLATE -- when: openshift_cfme_app_template == 'miq-template' +- when: openshift_cfme_app_template in ['miq-template', 'cfme-template'] block: - name: Check if the CFME Server template has been created already oc_obj: namespace: "{{ openshift_cfme_project }}" state: list kind: template - name: manageiq + name: "{{ openshift_cfme_flavor }}" register: miq_server_check - - name: Copy over CFME Server template - copy: - src: miq-template.yaml - dest: "{{ template_dir }}/" - when: - - miq_server_check.results.results == [{}] + - when: miq_server_check.results.results == [{}] + block: + - name: Copy over CFME Server template + copy: + src: "templates/{{ openshift_cfme_flavor }}/{{ openshift_cfme_flavor_short }}-template.yaml" + dest: "{{ template_dir }}/" - - name: Ensure CFME Server Template is created - oc_obj: - namespace: "{{ openshift_cfme_project }}" - name: manageiq - state: present - kind: template - files: - - "{{ template_dir }}/miq-template.yaml" - when: - - miq_server_check.results.results == [{}] + - name: Ensure CFME Server Template is created + oc_obj: + namespace: "{{ openshift_cfme_project }}" + name: "{{ openshift_cfme_flavor }}" + state: present + kind: template + files: + - "{{ 
template_dir }}/{{ openshift_cfme_flavor_short }}-template.yaml" ###################################################################### # EXTERNAL DATABASE TEMPLATE -- when: openshift_cfme_app_template == 'miq-template-ext-db' +- when: openshift_cfme_app_template in ['miq-template-ext-db', 'cfme-template'] block: - name: Check if the CFME Ext-DB Server template has been created already oc_obj: namespace: "{{ openshift_cfme_project }}" state: list kind: template - name: manageiq-ext-db + name: "{{ openshift_cfme_flavor }}-ext-db" register: miq_ext_db_server_check - - name: Copy over CFME Ext-DB Server template + - when: miq_ext_db_server_check.results.results == [{}] + block: + - name: Copy over CFME Ext-DB Server template + copy: + src: "templates/{{ openshift_cfme_flavor }}/{{openshift_cfme_flavor_short}}-template-ext-db.yaml" + dest: "{{ template_dir }}/" + + - name: Ensure CFME Ext-DB Server Template is created + oc_obj: + namespace: "{{ openshift_cfme_project }}" + name: "{{ openshift_cfme_flavor }}-ext-db" + state: present + kind: template + files: + - "{{ template_dir }}/{{ openshift_cfme_flavor_short }}-template-ext-db.yaml" + +# End app template creation. 
+###################################################################### + +###################################################################### +# Begin conditional PV template creations + +# Required for the application server +- name: Check if the CFME App PV template has been created already + oc_obj: + namespace: "{{ openshift_cfme_project }}" + state: list + kind: template + name: "{{ openshift_cfme_flavor }}-app-pv" + register: miq_app_pv_check + +- when: miq_app_pv_check.results.results == [{}] + block: + - name: Copy over CFME App PV template copy: - src: miq-template-ext-db.yaml + src: "templates/{{ openshift_cfme_flavor }}/{{ openshift_cfme_flavor_short }}-pv-server-example.yaml" dest: "{{ template_dir }}/" - when: - - miq_ext_db_server_check.results.results == [{}] - - name: Ensure CFME Ext-DB Server Template is created + - name: Ensure CFME App PV Template is created oc_obj: namespace: "{{ openshift_cfme_project }}" - name: manageiq-ext-db + name: "{{ openshift_cfme_flavor }}-app-pv" state: present kind: template files: - - "{{ template_dir }}/miq-template-ext-db.yaml" - when: - - miq_ext_db_server_check.results.results == [{}] + - "{{ template_dir }}/{{ openshift_cfme_flavor_short }}-pv-server-example.yaml" + +#--------------------------------------------------------------------- + +# Required for database if the installation is fully podified +- when: openshift_cfme_app_template in ['miq-template', 'cfme-template'] + block: + - name: Check if the CFME DB PV template has been created already + oc_obj: + namespace: "{{ openshift_cfme_project }}" + state: list + kind: template + name: "{{ openshift_cfme_flavor }}-db-pv" + register: miq_db_pv_check + + - when: miq_db_pv_check.results.results == [{}] + block: + - name: Copy over CFME DB PV template + copy: + src: "templates/{{ openshift_cfme_flavor }}/{{ openshift_cfme_flavor_short }}-pv-db-example.yaml" + dest: "{{ template_dir }}/" + + - name: Ensure CFME DB PV Template is created + oc_obj: + 
namespace: "{{ openshift_cfme_project }}" + name: "{{ openshift_cfme_flavor }}-db-pv" + state: present + kind: template + files: + - "{{ template_dir }}/{{ openshift_cfme_flavor_short }}-pv-db-example.yaml" diff --git a/roles/openshift_cfme/tasks/uninstall.yml b/roles/openshift_cfme/tasks/uninstall.yml index 406b59364..068d065c2 100644 --- a/roles/openshift_cfme/tasks/uninstall.yml +++ b/roles/openshift_cfme/tasks/uninstall.yml 
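Review bot: The external-database block is guarded by `openshift_cfme_app_template in ['miq-template-ext-db', 'cfme-template']`, which looks like a typo for `cfme-template-ext-db`: selecting `cfme-template-ext-db` (accepted by `__openshift_cfme_app_templates`) installs no ext-db template, so the later `oc_process` of `{{ openshift_cfme_flavor }}-ext-db` in main.yml has nothing to instantiate, while `cfme-template` installs an unused ext-db template. Change the guard to `- when: openshift_cfme_app_template in ['miq-template-ext-db', 'cfme-template-ext-db']`, matching the lists used in main.yml and validate.yml. The podified guard a few lines above already uses the correct pairing.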
@@ -1,46 +1,23 @@ --- -- include_role: - name: lib_openshift +- name: Start removing all the objects + command: "oc delete -n {{ openshift_cfme_project }} {{ item }} --all" + with_items: + - rc + - dc + - po + - svc + - pv + - pvc + - statefulsets + - routes -- name: Uninstall CFME - ManageIQ - debug: - msg: Uninstalling Cloudforms Management Engine - ManageIQ +- name: Remove the project + command: "oc delete -n {{ openshift_cfme_project }} project {{ openshift_cfme_project }}" -- name: Ensure the CFME project is removed - oc_project: - state: absent - name: "{{ openshift_cfme_project }}" - -- name: Ensure the CFME template is removed - oc_obj: - namespace: "{{ openshift_cfme_project }}" - state: absent - kind: template - name: manageiq - -- name: Ensure the CFME PVs are removed - oc_obj: - state: absent - all_namespaces: True - kind: pv - name: "{{ item }}" - with_items: "{{ openshift_cfme_pv_exports }}" - when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce')) - -- name: Ensure the CFME user is removed - oc_user: - state: absent - username: "{{ openshift_cfme_user }}" - -- name: Ensure the CFME NFS Exports are removed - file: - path: /etc/exports.d/openshift_cfme.exports - state: absent - register: nfs_exports_removed - when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce')) - -- name: Ensure the NFS export table is refreshed if exports were removed - command: exportfs -ar - when: - - nfs_exports_removed.changed - - not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce')) +- name: Verify project has been destroyed + command: "oc get project {{ openshift_cfme_project }}" + ignore_errors: True + register: project_terminated + until: project_terminated.stderr.find("NotFound") != -1 + delay: 5 + retries: 30 
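Review bot: `oc delete -n {{ openshift_cfme_project }} pv --all` removes every PersistentVolume in the cluster, not only CFME's, because PVs are cluster-scoped and `-n` is ignored for them; on a shared cluster this destroys storage belonging to unrelated projects. Delete the PVs by name instead, e.g. `oc delete pv {{ openshift_cfme_flavor_short }}-app {{ openshift_cfme_flavor_short }}-db --ignore-not-found`, or by a label the PV templates set, and keep `pv` out of the `--all` loop. The previous version also removed the NFS export file and ran `exportfs -ar`; nothing in the new file cleans up the exports created by nfs.yml, so either restore that step or state in a comment that exports are intentionally left in place.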
diff --git a/roles/openshift_cfme/tasks/validate.yml b/roles/openshift_cfme/tasks/validate.yml index 61448aa3b..c7409d9ab 100644 --- a/roles/openshift_cfme/tasks/validate.yml +++ b/roles/openshift_cfme/tasks/validate.yml 
@@ -1,26 +1,35 @@ --- # Validate configuration parameters passed to the openshift_cfme role +###################################################################### +# CORE PARAMETERS - name: Ensure openshift_cfme_app_template is valid assert: that: - - openshift_cfme_app_template in openshift_cfme_app_templates - msg: "openshift_cfme_app_template must be one of {{ openshift_cfme_app_templates | join(', ') }}" + - openshift_cfme_app_template in __openshift_cfme_app_templates + msg: "openshift_cfme_app_template must be one of {{ __openshift_cfme_app_templates | join(', ') }}" - name: Ensure openshift_cfme_storage_class is a valid type assert: that: - - openshift_cfme_storage_class in openshift_cfme_storage_classes - msg: "openshift_cfme_storage_class must be one of {{ openshift_cfme_storage_classes | join(', ') }}" + - openshift_cfme_storage_class in __openshift_cfme_storage_classes + msg: "openshift_cfme_storage_class must be one of {{ __openshift_cfme_storage_classes | join(', ') }}" +###################################################################### +# STORAGE PARAMS - NFS - name: Ensure external NFS storage has a valid NFS server hostname defined assert: that: - - openshift_cfme_storage_external_nfs_hostname is not False - msg: The selected storage class 'external' requires a valid hostname for the openshift_cfme_storage_external_nfs_hostname parameter + - openshift_cfme_storage_nfs_external_hostname | default(False) + msg: The selected storage class 'nfs_external' requires a valid hostname for the openshift_cfme_storage_nfs_hostname parameter when: - - openshift_cfme_storage_class == 'external' + - openshift_cfme_storage_class == 'nfs_external' +# that 'nfs' types have one of the following set: +# + +###################################################################### +# STORAGE PARAMS -CLOUD PROVIDER - name: Validate Cloud Provider storage class assert: that: 
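Review bot: The external-NFS assertion tests `openshift_cfme_storage_nfs_external_hostname` but its message tells the user to set `openshift_cfme_storage_nfs_hostname`, a variable that does not exist in this role; change the message to `requires a valid hostname for the openshift_cfme_storage_nfs_external_hostname parameter`. The dangling `# that 'nfs' types have one of the following set:` followed by a bare `#` reads as an unfinished thought; either complete it or mark it `# TODO:` so it is not mistaken for a description of the check above.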
@@ -31,4 +40,33 @@ example inventories for the required parameters for your selected cloud provider. Working providers: 'aws' and 'gce'. when: + - openshift_cfme_storage_class == 'cloudprovider' - openshift_cloudprovider_kind is defined + +- name: Validate 'cloudprovider' Storage Class has required parameters defined + assert: + that: + - openshift_cloudprovider_kind is defined + msg: | + openshift_cfme_storage_class is 'cloudprovider' but you do not + have 'openshift_cloudprovider_kind' defined, this is + required. Search the example inventories for + 'openshift_cloudprovider_kind'. The required parameters for your + selected cloud provider must be defined in your inventory as + well. Working providers: 'aws' and 'gce'. + when: + - openshift_cfme_storage_class == 'cloudprovider' + +###################################################################### +# DATABASE CONNECTION VALIDATION +- name: Validate all required database parameters were provided for ext-db template + assert: + that: + - item in openshift_cfme_template_parameters + msg: | + "You are not using podified database services and a required + database parameter {{ item }} was not found in + 'openshift_cfme_template_parameters'" + with_items: "{{ __openshift_cfme_required_db_conn_params }}" + when: + - openshift_cfme_app_template in ['miq-template-ext-db', 'cfme-template-ext-db'] diff --git a/roles/openshift_cfme/templates/openshift_cfme-miq-template-ext-db.exports.j2 b/roles/openshift_cfme/templates/openshift_cfme-miq-template-ext-db.exports.j2 new file mode 100644 index 000000000..f43a93ba0 --- /dev/null +++ b/roles/openshift_cfme/templates/openshift_cfme-miq-template-ext-db.exports.j2 @@ -0,0 +1 @@ +{{ openshift_cfme_storage_nfs_base_dir }}/{{ openshift_cfme_flavor_short }}-app *(rw,no_root_squash,no_wdelay) 
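Review bot: The database-parameter check only asserts that each key in `__openshift_cfme_required_db_conn_params` is present in `openshift_cfme_template_parameters`, so `DATABASE_PASSWORD: ''` passes and the ext-db template is instantiated with an empty password. Tighten the assertion to also require a non-empty value, e.g. `- item in openshift_cfme_template_parameters` followed by `- openshift_cfme_template_parameters[item] | string | length > 0`. The message is safe as written since it names only the missing key, not the values.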
diff --git a/roles/openshift_cfme/templates/openshift_cfme-miq-template.exports.j2 b/roles/openshift_cfme/templates/openshift_cfme-miq-template.exports.j2 new file mode 100644 index 000000000..4a4d85a23 --- /dev/null +++ b/roles/openshift_cfme/templates/openshift_cfme-miq-template.exports.j2 @@ -0,0 +1,2 @@ +{{ openshift_cfme_storage_nfs_base_dir }}/{{ openshift_cfme_flavor_short }}-app *(rw,no_root_squash,no_wdelay) +{{ openshift_cfme_storage_nfs_base_dir }}/{{ openshift_cfme_flavor_short }}-db *(rw,no_root_squash,no_wdelay) diff --git a/roles/openshift_cfme/vars/main.yml b/roles/openshift_cfme/vars/main.yml new file mode 100644 index 000000000..f79724afa --- /dev/null +++ b/roles/openshift_cfme/vars/main.yml 
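Review bot: Nothing in this commit renders the two `openshift_cfme-*.exports.j2` files: nfs.yml hands the export options to the openshift_nfs role through `l_nfs_options`, and the old task that copied an exports file into `/etc/exports.d/` was deleted from uninstall.yml. If they are leftovers, drop them; if another role consumes them, add a first-line `{# rendered by <role/task> #}` comment naming the consumer. They also hard-code `*(rw,no_root_squash,no_wdelay)`, so if kept they should reference the same variable the nfs.yml options end up in rather than duplicating the string.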
@@ -0,0 +1,69 @@ +--- +# Misc enumerated values +#--------------------------------------------------------------------- +# Allowed choices for the storage class parameter +__openshift_cfme_storage_classes: + - nfs + - nfs_external + - preconfigured + - cloudprovider + +# Name of the application templates with object/parameter definitions +__openshift_cfme_app_templates: + - miq-template-ext-db + - miq-template + - cfme-template-ext-db + - cfme-template + +# PostgreSQL database connection parameters +__openshift_cfme_db_parameters: + - DATABASE_USER + - DATABASE_PASSWORD + - DATABASE_IP + - DATABASE_PORT + - DATABASE_NAME + +# # Commented out until we can support both CFME and MIQ +# # openshift_cfme_flavor: "{{ 'cloudforms' if openshift_deployment_type == 'openshift-enterprise' else 'manageiq' }}" +#openshift_cfme_flavor: cloudforms +openshift_cfme_flavor: manageiq +# TODO: Make this conditional as well based on the prior variable +# # openshift_cfme_flavor_short: "{{ 'cfme' if openshift_deployment_type == 'openshift-enterprise' else 'miq' }}" +# openshift_cfme_flavor_short: cfme +openshift_cfme_flavor_short: miq + +###################################################################### +# ACCOUNTING +###################################################################### +# Service Account SSCs +__openshift_system_account_sccs: + - name: -anyuid + resource_name: anyuid + - name: -orchestrator + resource_name: anyuid + - name: -privileged + resource_name: privileged + - name: -httpd + resource_name: anyuid + +# Service Account Roles +__openshift_cfme_system_account_roles: + - name: -orchestrator + resource_name: view + - name: -orchestrator + resource_name: edit + +###################################################################### +# DEFAULTS +###################################################################### +# User only has to provide parameters they need to override, we will +# do a hash update method with the provided user parameters to create +# the 
final connection structure. +# +# TODO: Update user provided configs with this if they are missing fields +__openshift_cfme_required_db_conn_params: + - DATABASE_USER + - DATABASE_PASSWORD + - DATABASE_IP + - DATABASE_PORT + - DATABASE_NAME -- cgit v1.2.3 From e98941e16d176749ace5181ae06c61bbe0cf6119 Mon Sep 17 00:00:00 2001 From: Tim Bielawa Date: Tue, 3 Oct 2017 16:17:15 -0400 Subject: Documentation * Update README * Add parameter docs to inventory examples * Remove unused graphic * Update defaults --- roles/openshift_cfme/README.md | 251 +++++++++++++++-------- roles/openshift_cfme/defaults/main.yml | 19 +- roles/openshift_cfme/img/CFMEBasicDeployment.png | Bin 38316 -> 0 bytes 3 files changed, 164 insertions(+), 106 deletions(-) delete mode 100644 roles/openshift_cfme/img/CFMEBasicDeployment.png (limited to 'roles/openshift_cfme') diff --git a/roles/openshift_cfme/README.md b/roles/openshift_cfme/README.md index 5d90e532f..98cefa6b4 100644 --- a/roles/openshift_cfme/README.md +++ b/roles/openshift_cfme/README.md @@ -1,13 +1,23 @@ # CloudForms Availability As noted in [Limitations - Product Choice](#product-choice), -CloudForms 4.6 is not yet released. Until such time, this role is -limited to installing ManageIQ, the open source project that CFME is -based on. +[CloudForms](https://www.redhat.com/en/technologies/management/cloudforms) +(CFME) 4.6 is not yet released. Until such time, this role is limited +to installing [ManageIQ](http://manageiq.org) (MIQ), the open source +project that CFME is based on. + +After CFME 4.6 is available to customers this role will enable +(optional) logic which will install CFME or MIQ based on your +deployment type (`openshift_deployment_type`): + +* `openshift-enterprise` → CloudForms +* `origin` → ManageIQ + # Table of Contents * [Introduction](#introduction) + * [Important Notes](#important-notes) * [Requirements](#requirements) * [Role Variables](#role-variables) * [Getting Started](#getting-started) 
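Review bot: `__openshift_cfme_db_parameters` and `__openshift_cfme_required_db_conn_params` are identical lists and only the second is referenced in the visible tasks (validate.yml); keep one, or define `__openshift_cfme_required_db_conn_params: "{{ __openshift_cfme_db_parameters }}"` so they cannot drift. The `privileged` entry in `__openshift_system_account_sccs` should carry a comment naming the pod that needs host-level privileges so the grant can be checked against the app template. Note also that `openshift_cfme_flavor` and `openshift_cfme_flavor_short` live in vars/main.yml, which overrides inventory variables; the commented-out deployment-type selection will need to move to defaults/ when it is enabled, otherwise users cannot choose the flavor from their inventory.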
@@ -18,49 +28,60 @@ based on. * [External PostgreSQL Database](#external-postgresql-database) * [Limitations](#limitations) * [Product Choice](#product-choice) - * [Storage](#storage) - * [Database](#database) * [Configuration](#configuration) - * [Configuration - Storage Classes](#configuration---storage-classes) + * [Database](#database) + * [Podified](#podified) + * [External](#external) + * [Storage Classes](#storage-classes) * [NFS (Default)](#nfs-default) * [NFS External](#nfs-external) * [Cloud Provider](#cloud-provider) * [Preconfigured (Expert Configuration Only)](#preconfigured-expert-configuration-only) - * [Configuration - Database](#configuration---database) - * [Podified Database](#podified-database) - * [External Database](#external-database) * [Customization](#customization) * [Additional Information](#additional-information) # Introduction -This role will allow a user to install CFME 4.6 or ManageIQ on an OCP +This role will allow a user to install CFME 4.6 or MIQ on an OCP 3.7 cluster. The role provides customization options for overriding -default deployment parameters. The role includes several choices for -storage classes. +default deployment parameters. This role allows the user to deploy +different installation flavors: + +* **Fully Podified** - In this way all application services are ran as + pods in the container platform. +* **External Database** - In this way the application utilizes an + externally hosted database server. All other services are ran in the + container platform. 
-This role includes the following storage class options +This role includes the following storage class options: * NFS - **Default** - local, on cluster * NFS External - NFS somewhere else, like a storage appliance * Cloud Provider - Use automatic storage provisioning from your cloud - provider (`gce` or `aws`) + provider (*gce* or *aws*) * Preconfigured - **expert only**, assumes you created everything ahead of time -This role allows you to host the required PostgreSQL database podified -(on a pod in the cluster) or externally (on an existing PostgreSQL -host). - You may skip ahead to the [Getting Started](#getting-started) section now for examples of how to set up your Ansible inventory for various -deployment configurations. However, you are **strongly urged** to read -through the [Configuration](#configuration) and -[Customization](#customization) sections first. +deployment configurations. However, you are **strongly urged** to +first read through the [Configuration](#configuration) and +[Customization](#customization) sections as well as the following +[Important Note](#important-notes). -# Requirements +## Important Notes + +Not all parameters are present in **both** template versions (podified +db and external db). For example, while the podified database template +has a `POSTGRESQL_MEM_REQ` parameter, no such parameter is present in +the external db template, as there is no need for this information due +to there being no databases that require pods. -* OCP 3.7 must be installed **before** running this role. +*Be extra careful* if you are overriding template +parameters. Including parameters not defined in a template **will +cause errors**. + +# Requirements The **default** requirements are listed in the table below. These can be overridden through customization parameters (See 
@@ -76,27 +97,32 @@ even fail to deploy, if these requirements are not satisfied. | Application Storage | `≥ 5.0 Gi` | Minimum PV size required for the application | `APPLICATION_VOLUME_CAPACITY` | | PostgreSQL Memory | `≥ 6.0 Gi` | Minimum required memory for the database | `POSTGRESQL_MEM_REQ` | | PostgreSQL Storage | `≥ 15.0 Gi` | Minimum PV size required for the database | `DATABASE_VOLUME_CAPACITY` | -| Cluster Hosts | `≥ 3` | Number of hosts in your cluster | `∅` | +| Cluster Hosts | `≥ 3` | Number of hosts in your cluster | | The implications of this table are summarized below: * You need several cluster nodes * Your cluster nodes must have lots of memory available -* You will need several GiB's of storage available +* You will need several GiB's of storage available, either locally or + on your cloud provider # Role Variables +The following is a table of the publicly exposed variables that may be +used in your Ansible inventory to control the behavior of this +installer. | Variable | Required | Default | Description | |------------------------------------------------|:--------:|:------------------------------:|-------------------------------------| | `openshift_cfme_project` | **No** | `openshift-cfme` | Namespace for the installation. | | `openshift_cfme_project_description` | **No** | *CloudForms Management Engine* | Namespace/project description. | +| `openshift_cfme_install_cfme` | **No** | `false` | Boolean, set to `true` to install the application | | **PRODUCT CHOICE** | | | | | | `openshift_cfme_app_template` | **No** | `miq-template` | The project flavor to install. Choices:
    • `miq-template`: ManageIQ using a podified database
    • `miq-template-ext-db`: ManageIQ using an external database
    • `cfme-template`: CloudForms using a podified database[1]
    • `cfme-template-ext-db`: CloudForms using an external database.[1]
    | -| **STORAGE OPTIONS** | | | | | -| `openshift_cfme_storage_class` | **No** | `nfs` | Storage type to use, choices:
    • `nfs` - Best used for proof-of-concept installs. Will setup NFS on a cluster host (defaults to your first master in the inventory file) to back the required PVCs. The application requires a PVC and the database (which may be hosted externally) may require a second. PVC minimum required sizes are 5GiB for the MIQ application, and 15GiB for the PostgreSQL database (20GiB minimum available space on a volume/partition if used specifically for NFS purposes)
    • `nfs_external` - You are using an external NFS server, such as a netapp appliance. See the [Configuration - Storage Classes](#configuration---storage-classes) section below for required information.
    • `preconfigured` - This CFME role will do NOTHING to modify storage settings. This option assumes expert knowledge and that you have done everything required ahead of time.
    • `cloudprovider` - You are using an OCP cloudprovider integration for your storage class. For this to work you must have already configured the required inventory parameters for your cloud provider. Ensure `openshift_cloudprovider_kind` is defined (aws or gce) and that the applicable cloudprovider parameters are provided. | +| **STORAGE CLASSES** | | | | | +| `openshift_cfme_storage_class` | **No** | `nfs` | Storage type to use, choices:
      • `nfs` - Best used for proof-of-concept installs. Will setup NFS on a cluster host (defaults to your first master in the inventory file) to back the required PVCs. The application requires a PVC and the database (which may be hosted externally) may require a second. PVC minimum required sizes are 5GiB for the MIQ application, and 15GiB for the PostgreSQL database (20GiB minimum available space on a volume/partition if used specifically for NFS purposes)
      • `nfs_external` - You are using an external NFS server, such as a netapp appliance. See the [Configuration - Storage Classes](#storage-classes) section below for required information.
      • `preconfigured` - This CFME role will do NOTHING to modify storage settings. This option assumes expert knowledge and that you have done everything required ahead of time.
      • `cloudprovider` - You are using an OCP cloudprovider integration for your storage class. For this to work you must have already configured the required inventory parameters for your cloud provider. Ensure `openshift_cloudprovider_kind` is defined (aws or gce) and that the applicable cloudprovider parameters are provided. | | `openshift_cfme_storage_nfs_external_hostname` | **No** | `false` | If you are using an *external NFS server*, such as a netapp appliance, then you must set the hostname here. Leave the value as `false` if you are not using external NFS.
        *Additionally*: **External NFS REQUIRES** that you create the NFS exports that will back the application PV and optionally the database PV. | `openshift_cfme_storage_nfs_base_dir` | **No** | `/exports/` | If you are using **External NFS** then you may set the base path to the exports location here.
        **Local NFS Note**: You *may* also change this value if you want to change the default path used for local NFS exports. | | `openshift_cfme_storage_nfs_local_hostname` | **No** | `false` | If you do not have an `[nfs]` group in your inventory, or want to simply manually define the local NFS host in your cluster, set this parameter to the hostname of the preferred NFS server. The server must be a part of your OCP/Origin cluster. | @@ -117,9 +143,8 @@ The implications of this table are summarized below: Below are some inventory snippets that can help you get started right away. -Once you've settled on a configuration scheme (and you have installed -OCP 3.7) you can install CFME using this `ansible-playbook` -invocation: +Once you've settled on a configuration scheme you can install CFME +using this `ansible-playbook` invocation: ``` $ ansible-playbook -v -i playbooks/byo/openshift-cfme/config.yml @@ -130,7 +155,7 @@ $ ansible-playbook -v -i playbooks/byo/openshift-cfme/config.ym This example is the simplest. All of the default values and choices are used. This will result in a fully podified CFME installation. All application components, as well as the PostgreSQL database will be -created as pods in the OCP cluster. +created as pods in the container platform. ```ini [OSEv3:vars] 
@@ -207,13 +232,13 @@ or `cfme-template-ext-db`. Additionally, database connection information **must** be supplied in the `openshift_cfme_template_parameters` customization parameter. See -[Customization - Database - External](#external-database) for more +[Customization - Database - External](#external) for more information. ```ini [OSEv3:vars] -openshift_cfme_app_template=miq-template-ext-db -openshift_cfme_template_parameters={'DATABASE_IP': '10.9.8.7', 'DATABASE_PASSWORD': 'r1ck&M0r7y', ... } +openshift_cfme_app_template=cfme-template-ext-db +openshift_cfme_template_parameters={'DATABASE_USER': 'root', 'DATABASE_PASSWORD': 'r1ck&M0r7y', 'DATABASE_IP': '10.10.10.10', 'DATABASE_PORT': '5432', 'DATABASE_NAME': 'cfme'} ``` # Limitations @@ -228,18 +253,6 @@ integrated**. Presently this role will only deploy a ManageIQ installation. This role will be updated once CFME 4.6 is released and this limitation note will be removed. -## Storage - -While all storage classes (`nfs`, `nfs_external`, `preconfigured`, and -`cloudprovider`) are presently supported, the local `nfs` storage -class has some specific limitations: - -1. Currently only verified to work if your first master is your NFS - host -1. Overriding the base exports path is not recommended as this may - cause configuration conflicts with other exports on your host - - # Configuration Before you can deploy CFME you must decide *how* you want to deploy 
@@ -248,15 +261,101 @@ it. There are two major decisions to make: 1. Do you want an external, or a podified database? 1. Which storage class will back your PVs? -## Configuration - Storage Classes +## Database + +### Podified + +Any `POSTGRES_*` or `DATABASE_*` template parameters in +[miq-template.yaml](files/templates/manageiq/miq-template.yaml) or +[cfme-template.yaml](files/templates/cloudforms/cfme-template.yaml) +may be customized through the `openshift_cfme_template_parameters` +hash. + +### External + +Any `POSTGRES_*` or `DATABASE_*` template parameters in +[miq-template-ext-db.yaml](files/templates/manageiq/miq-template-ext-db.yaml) +or +[cfme-template-ext-db.yaml](files/templates/cloudforms/cfme-template-ext-db.yaml) +may be customized through the `openshift_cfme_template_parameters` +hash. + +External PostgreSQL databases require you to provide database +connection parameters. You must set the required connection keys in +the `openshift_cfme_template_parameters` parameter in your +inventory. The following keys are required: + +* `DATABASE_USER` +* `DATABASE_PASSWORD` +* `DATABASE_IP` +* `DATABASE_PORT` - *note: Most PostgreSQL servers run on port `5432`* +* `DATABASE_NAME` + +Your inventory would contain a line similar to this: + +```ini +[OSEv3:vars] +openshift_cfme_app_template=cfme-template-ext-db +openshift_cfme_template_parameters={'DATABASE_USER': 'root', 'DATABASE_PASSWORD': 'r1ck&M0r7y', 'DATABASE_IP': '10.10.10.10', 'DATABASE_PORT': '5432', 'DATABASE_NAME': 'cfme'} +``` + +**Note** the new value for the `openshift_cfme_app_template` +parameter, `cfme-template-ext-db` (ManageIQ installations would use +`miq-template-ext-db` instead). 
+ +At run time you may run into errors similar to this: + +``` +TASK [openshift_cfme : Ensure the CFME App is created] *********************************** +task path: /home/tbielawa/rhat/os/openshift-ansible/roles/openshift_cfme/tasks/main.yml:74 +Tuesday 03 October 2017 15:30:44 -0400 (0:00:00.056) 0:00:12.278 ******* +{"cmd": "/usr/bin/oc create -f /tmp/postgresql-ZPEWQS -n openshift-cfme", "kind": "Endpoints", "results": {}, "returncode": 1, "stderr": "Error from server (BadRequest): error when creating \"/tmp/postgresql-ZPEWQS\": Endpoints in version \"v1\" cannot be handled as a Endpoints: [pos 218]: json: decNum: got first char 'f'\n", "stdout": ""} +``` + +Or like this: + +``` +TASK [openshift_cfme : Ensure the CFME App is created] *********************************** +task path: /home/tbielawa/rhat/os/openshift-ansible/roles/openshift_cfme/tasks/main.yml:74 +Tuesday 03 October 2017 16:05:36 -0400 (0:00:00.052) 0:00:18.948 ******* +fatal: [m01.example.com]: FAILED! => {"changed": true, "failed": true, "msg": +{"cmd": "/usr/bin/oc create -f /tmp/postgresql-igS5sx -n openshift-cfme", "kind": "Endpoints", "results": {}, "returncode": 1, "stderr": "The Endpoints \"postgresql\" is invalid: subsets[0].addresses[0].ip: Invalid value: \"doo\": must be a valid IP address, (e.g. 10.9.8.7)\n", "stdout": ""}, +``` + +While intimidating at first, there are useful bits of information in +here. Examine the error output closely and we can tell exactly what is +wrong. + +In the first example we see `Endpoints in version \"v1\" cannot be +handled as a Endpoints: [pos 218]: json: decNum: got first char +...`. This is because in my example I used the value `foo` for the +parameter `DATABASE_PORT`. + +In the second example we see `The Endpoints \"postgresql\" is invalid: +subsets[0].addresses[0].ip: Invalid value: \"doo\": must be a valid IP +address ...`. This is because in my example I used the value `doo` in +the `DATABASE_IP` field. 
+ +Luckily for us when the templates are processed behind the scenes they +are also running type checking validation. So, don't worry, just look +closely at the errors and ensure you are providing the correct values +for each parameter. + +## Storage Classes OpenShift CFME supports several storage class options. -### NFS (Default) +### NFS (Default) The NFS storage class is best suited for proof-of-concept and test/demo deployments. It is also the **default** storage class for -deployments. No additional configuration is required for this choice. +deployments. No additional configuration is required for this +choice. + +Customization is provided through the following role variables: + +* `openshift_cfme_storage_nfs_base_dir` +* `openshift_cfme_storage_nfs_local_hostname` ### NFS External 
@@ -266,15 +365,19 @@ for the required PVs. For external NFS you must have: * For CFME: a `cfme-app` and optionally a `cfme-db` (for podified database) exports * For ManageIQ: an `miq-app` and optionally an `miq-db` (for podified database) exports -Additional configuration is required to use external NFS. The -`openshift_cfme_storage_nfs_external_hostname` parameter must be set -to the hostname or IP of your external NFS server. +Configuration is provided through the following role variables: + +* `openshift_cfme_storage_nfs_external_hostname` +* `openshift_cfme_storage_nfs_base_dir` + +The `openshift_cfme_storage_nfs_external_hostname` parameter must be +set to the hostname or IP of your external NFS server. -If `/exports` is not the parent directory to your CFME exports then -you must set the base directory via the +If `/exports` is not the parent directory to your exports then you +must set the base directory via the `openshift_cfme_storage_nfs_base_dir` parameter. -For example, if your server export is `/exports/hosted/prod/miq-app` +For example, if your server export is `/exports/hosted/prod/cfme-app` then you must set `openshift_cfme_storage_nfs_base_dir=/exports/hosted/prod`. @@ -289,6 +392,9 @@ Using this storage class, when the application is created the required PVs will automatically be provisioned using the configured cloud provider storage integration. +There are no additional variables to configure the behavior of this +storage class. + ### Preconfigured (Expert Configuration Only) The *preconfigured* storage class implies that you know exactly what 
@@ -296,39 +402,8 @@ you're doing and that all storage requirements have been taken care ahead of time. Typically this means that you've already created the correctly sized PVs. -## Configuration - Database - -### Podified Database - -Any `POSTGRES_*` or `DATABASE_*` template parameters in -[miq-template.yaml](files/templates/manageiq/miq-template.yaml) or -[cfme-template.yaml](files/templates/cloudforms/cfme-template.yaml) -may be customized through the `openshift_cfme_template_parameters` -hash. - -### External Database - -External PostgreSQL databases require you to provide database -connection parameters. You must set the required connection keys in -the `openshift_cfme_template_parameters` parameter in your -inventory. The following keys are required: - -* `DATABASE_USER` -* `DATABASE_PASSWORD` -* `DATABASE_IP` -* `DATABASE_PORT` - *note: Most PostgreSQL servers run on port `5432`* -* `DATABASE_NAME` - -Your inventory would contain a line similar to this: - -```ini -[OSEv3:vars] -openshift_cfme_app_template=miq-template-ext-db -openshift_cfme_template_parameters={'DATABASE_IP': '10.9.8.7', 'DATABASE_PASSWORD': 'r1ck&M0r7y', ...} -``` - -**Note** the new value for the `openshift_cfme_app_template` -parameter, `miq-template-ext-db`. +There are no additional variables to configure the behavior of this +storage class. # Customization diff --git a/roles/openshift_cfme/defaults/main.yml b/roles/openshift_cfme/defaults/main.yml index b833bbb45..2c728b612 100644 --- a/roles/openshift_cfme/defaults/main.yml +++ b/roles/openshift_cfme/defaults/main.yml 
@@ -14,22 +14,9 @@ openshift_cfme_project_description: CloudForms Management Engine # Choose 'miq-template' for a podified database install # Choose 'miq-template-ext-db' for an external database install openshift_cfme_app_template: miq-template - # If you are using the miq-template-ext-db template then you must add # the required database parameters to the -# openshift_cfme_template_parameters variable. You only need to -# provide parameters that differ from the ones in the following -# example. Any omitted parameter by the user will be default to its -# default below: -# -# openshift_cfme_template_parameters: -# DATABASE_USER: 'root' -# DATABASE_PASSWORD: '' -# DATABASE_IP: '' -# DATABASE_PORT: 5432 -# DATABASE_NAME: 'vmdb_production' -# -# See also var: __openshift_cfme_default_db_connection_info +# openshift_cfme_template_parameters variable. ###################################################################### # STORAGE OPTIONS @@ -77,10 +64,6 @@ openshift_cfme_storage_nfs_external_hostname: false # pv. Export path definitions, relative to # {{ openshift_cfme_storage_nfs_base_dir }} # -# * REQUIRED[ALWAYS]: /miq-app - MIQ Server PV. -# -# * REQUIRED[NFS_EXTERNAL]: /miq-db - Podified DB PB -# # LOCAL NFS NOTE: # # You may may also change this value if you want to change the default diff --git a/roles/openshift_cfme/img/CFMEBasicDeployment.png b/roles/openshift_cfme/img/CFMEBasicDeployment.png deleted file mode 100644 index a89c1e325..000000000 Binary files a/roles/openshift_cfme/img/CFMEBasicDeployment.png and /dev/null differ -- cgit v1.2.3 From 534113870fc5e6c47fe8dbba1322a462c9cbef37 Mon Sep 17 00:00:00 2001 From: Tim Bielawa Date: Tue, 3 Oct 2017 17:21:49 -0400 Subject: Hooks for installing CFME during full openshift installation --- roles/openshift_cfme/defaults/main.yml | 15 --------------- 1 file changed, 15 deletions(-) (limited to 'roles/openshift_cfme') 
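Review bot: The surviving comment still says the `miq-template-ext-db` template requires database parameters in `openshift_cfme_template_parameters`, but with the example block removed it no longer says which ones, and `__openshift_cfme_default_db_connection_info` is no longer referenced anywhere in the hunk. The README in this same commit lists the keys, so a one-line pointer keeps the defaults file self-describing: `# Required keys: DATABASE_USER, DATABASE_PASSWORD, DATABASE_IP, DATABASE_PORT, DATABASE_NAME (see README.md, "Database - External")`. Since `DATABASE_PASSWORD` ends up as plain text in the inventory, the same comment is a good place to say the dict belongs in a vaulted vars file rather than inline in a committed inventory.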
diff --git a/roles/openshift_cfme/defaults/main.yml b/roles/openshift_cfme/defaults/main.yml index 2c728b612..a1a6e7190 100644 --- a/roles/openshift_cfme/defaults/main.yml +++ b/roles/openshift_cfme/defaults/main.yml @@ -95,18 +95,3 @@ openshift_cfme_db_pv_size: 15Gi # # openshift_cfme_template_parameters={'APPLICATION_MEM_REQ': '512Mi'} openshift_cfme_template_parameters: {} - -###################################################################### -# Whether or not the cfme app should be initialized ('oc new-app -# --template=manageiq). If False everything UP TO 'new-app' is ran. -openshift_cfme_install_app: false - -# Docker image to pull -# openshift_cfme_application_img_name: "{{ 'registry.access.redhat.com/cloudforms46/cfme-openshift-app' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}" -# openshift_cfme_application_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'frontend-latest' }}" - -# openshift_cfme_memcached_img_name: "{{ 'registry.access.redhat.com/cloudforms46/cfme-openshift-memcached' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}" -# openshift_cfme_memcached_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'memcached-latest-fine' }}" - -# openshift_cfme_postgresql_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'postgresql-latest-fine' }}" -# openshift_cfme_postgresql_img_name: "{{ 'registry.access.redhat.com/cloudforms46/cfme-openshift-postgresql' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}" -- cgit v1.2.3 From 99811e05a245ef23e806f5c847f72d267b142bf1 Mon Sep 17 00:00:00 2001 
From: Tim Bielawa Date: Wed, 4 Oct 2017 10:06:50 -0400 Subject: Add notes about SA token. Improve NFS validation. --- roles/openshift_cfme/README.md | 68 +++++++++++++++------- roles/openshift_cfme/defaults/main.yml | 7 --- .../tasks/storage/create_nfs_pvs.yml | 26 +++++++++ roles/openshift_cfme/tasks/validate.yml | 36 +++++++++--- roles/openshift_cfme/vars/main.yml | 7 +++ 5 files changed, 107 insertions(+), 37 deletions(-) (limited to 'roles/openshift_cfme') diff --git a/roles/openshift_cfme/README.md b/roles/openshift_cfme/README.md index 98cefa6b4..26618ffb8 100644 --- a/roles/openshift_cfme/README.md +++ b/roles/openshift_cfme/README.md @@ -67,7 +67,7 @@ now for examples of how to set up your Ansible inventory for various deployment configurations. However, you are **strongly urged** to first read through the [Configuration](#configuration) and [Customization](#customization) sections as well as the following -[Important Note](#important-notes). +[Important Notes](#important-notes). ## Important Notes 
@@ -81,6 +81,30 @@ to there being no databases that require pods. parameters. Including parameters not defined in a template **will cause errors**. +**Container Provider Integration** - If you want add your container +platform (OCP/Origin) as a *Container Provider* in CFME/MIQ then you +must ensure that the infrastructure management hooks are installed. + +* During your OCP/Origin install, ensure that you have the + `openshift_use_manageiq` parameter set to `true` in your inventory + at install time. This will create a `management-infra` project and a + service account user. +* After CFME/MIQ is installed, obtain the `management-admin` service + account token and copy it somewhere safe. + +```bash +$ oc serviceaccounts get-token -n management-infra management-admin +eyJhuGdiOiJSUzI1NiIsInR5dCI6IkpXVCJ9.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.B6sZLGD9O4vBu9MHwiG-C_4iEwjBXb7Af8BPw-LNlujDmHhOnQ-Oo4QxQKyj9edynfmDy2yutUyJ2Mm9HfDGWg4C9xhWImHoq6Nl7T5_9djkeGKkK7Ejvg4fA-IkrzEsZeQuluBvXnE6wvP0LCjUo_dx4pPyZJyp46teV9NqKQeDzeysjlMCyqp6AK6-Lj8ILG8YA6d_97HlzL_EgFBLAu0lBSn-uC_9J0gLysqBtK6TI0nExfhv9Bm1_5bdHEbKHPW7xIlYlI9AgmyTyhsQ6SoQWtL2khBjkG9TlPBq9wYJj9bzqgVZlqEfICZxgtXO7sYyuoje4y8lo0YQ0kZmig +``` + +* In the CFME/MIQ web interface, navigate to `Compute` → + `Containers` → `Providers` and select `⚙ Configuration` → `⊕ + Add a new Containers Provider` + +*See the [upstream documentation](http://manageiq.org/docs/reference/latest/doc-Managing_Providers/miq/index.html#containers-providers) for additional information.* + + + # Requirements The **default** requirements are listed in the table below. These can @@ -105,7 +129,8 @@ The implications of this table are summarized below: * Your cluster nodes must have lots of memory available * You will need several GiB's of storage available, either locally or on your cloud provider - +* PV sizes can be changed by providing override values to template + parameters (see also: [Customization](#customization)) # Role Variables 
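Review bot: The `oc serviceaccounts get-token` example embeds what looks like a complete `management-admin` service-account JWT (header and signature segments are present; part of the middle is redacted on this page) instead of a placeholder; that value is a bearer credential for the `management-infra` service account, a string of this shape in a README will trip secret scanners, and readers tend to paste sample output verbatim. Replace the output line with an obvious placeholder such as `<management-admin-token>`, and if the token in the commit was ever valid, rotate it by recreating the service account's token secret. The advice "copy it somewhere safe" would be more useful as "store it in a secrets manager or an Ansible Vault file; anyone holding this token can act as the management-admin service account".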
@@ -127,15 +152,10 @@ installer. | `openshift_cfme_storage_nfs_base_dir` | **No** | `/exports/` | If you are using **External NFS** then you may set the base path to the exports location here.
        **Local NFS Note**: You *may* also change this value if you want to change the default path used for local NFS exports. | | `openshift_cfme_storage_nfs_local_hostname` | **No** | `false` | If you do not have an `[nfs]` group in your inventory, or want to simply manually define the local NFS host in your cluster, set this parameter to the hostname of the preferred NFS server. The server must be a part of your OCP/Origin cluster. | | **CUSTOMIZATION OPTIONS** | | | | | -| `openshift_cfme_app_pv_size` | **No** | `5Gi` | How large the application PV will be in Kube units (`Gi`, `Mi`, etc) [2]| -| `openshift_cfme_db_pv_size` | **No** | `15Gi` | How large the database PV will be in Kube units [2]| | `openshift_cfme_template_parameters` | **No** | `{}` | A dictionary of any parameters you want to override in the application/pv templates. -* [1] `cfme-template*` will be available once CFME 4.6 is released -* [2] If you override the PV sizes, read - [Override PV Sizes](#override-pv-sizes) (below) for additional - required parameters - +* [1] The `cfme-template`s will be available and + automatically detected once CFME 4.6 is released # Getting Started 
@@ -143,13 +163,21 @@ installer. Below are some inventory snippets that can help you get started right away. -Once you've settled on a configuration scheme you can install CFME -using this `ansible-playbook` invocation: +If you want to install CFME/MIQ at the same time you install your +OCP/Origin cluster, ensure that `openshift_cfme_install_cfme` is set +to `true` in your inventory. Call the standard +`playbooks/byo/config.yml` playbook to begin the cluster and CFME/MIQ +installation. + +If you are installing CFME/MIQ on an *already provisioned cluster* +then you can call the CFME/MIQ playbook directly: ``` $ ansible-playbook -v -i playbooks/byo/openshift-cfme/config.yml ``` +*Note: Use `miq-template` in the following examples for ManageIQ installs* + ## All Defaults This example is the simplest. All of the default values and choices @@ -159,7 +187,7 @@ created as pods in the container platform. ```ini [OSEv3:vars] -openshift_cfme_app_template=miq-template +openshift_cfme_app_template=cfme-template ``` ## External NFS Storage @@ -174,7 +202,7 @@ as a storage appliance). Note the two new parameters: ```ini [OSEv3:vars] -openshift_cfme_app_template=miq-template +openshift_cfme_app_template=cfme-template openshift_cfme_storage_class=nfs_external openshift_cfme_storage_nfs_external_hostname=nfs.example.com ``` 
@@ -190,16 +218,14 @@ openshift_cfme_storage_nfs_base_dir=/exports/hosted/prod ## Override PV sizes -This example will override the PV sizes. Note that we must **also -set** template parameters in the `openshift_cfme_template_parameters` -parameter so that the application/db will be able to make claims on -created PVs without clobbering each other. +This example will override the PV sizes. Note that we set the PV sizes +in the template parameters, `openshift_cfme_template_parameters`. This +ensures that the application/db will be able to make claims on created +PVs without clobbering each other. ```ini [OSEv3:vars] -openshift_cfme_app_template=miq-template -openshift_cfme_app_pv_size=10Gi -openshift_cfme_db_pv_size=25Gi +openshift_cfme_app_template=cfme-template openshift_cfme_template_parameters={'APPLICATION_VOLUME_CAPACITY': '10Gi', 'DATABASE_VOLUME_CAPACITY': '25Gi'} ``` @@ -212,7 +238,7 @@ performance or a complete failure to initialize the application. ```ini [OSEv3:vars] -openshift_cfme_app_template=miq-template +openshift_cfme_app_template=cfme-template openshift_cfme_template_parameters={'APPLICATION_MEM_REQ': '3000Mi', 'POSTGRESQL_MEM_REQ': '1Gi', 'ANSIBLE_MEM_REQ': '512Mi'} ``` diff --git a/roles/openshift_cfme/defaults/main.yml b/roles/openshift_cfme/defaults/main.yml index a1a6e7190..8ba672262 100644 --- a/roles/openshift_cfme/defaults/main.yml +++ b/roles/openshift_cfme/defaults/main.yml 
@@ -76,13 +76,6 @@ openshift_cfme_storage_nfs_base_dir: /exports # setting this variable. Useful for testing specific task files. openshift_cfme_storage_nfs_local_hostname: false -#--------------------------------------------------------------------- -# DEFAULT PV SIZES -# How large to make the MIQ application PV -openshift_cfme_app_pv_size: 5Gi -# How large to make the MIQ PostgreSQL PV -openshift_cfme_db_pv_size: 15Gi - ###################################################################### # SCAFFOLDING - These are parameters we pre-seed that a user may or # may not set later diff --git a/roles/openshift_cfme/tasks/storage/create_nfs_pvs.yml b/roles/openshift_cfme/tasks/storage/create_nfs_pvs.yml index 0a67b2193..b8d4ec8c5 100644 --- a/roles/openshift_cfme/tasks/storage/create_nfs_pvs.yml +++ b/roles/openshift_cfme/tasks/storage/create_nfs_pvs.yml 
@@ -1,5 +1,31 @@ --- # Create the required PVs for the App and the DB +- name: Note the App PV Size from Template Parameters + set_fact: + openshift_cfme_app_pv_size: "{{ openshift_cfme_template_parameters.APPLICATION_VOLUME_CAPACITY }}" + when: + - openshift_cfme_template_parameters.APPLICATION_VOLUME_CAPACITY is defined + +- name: Note the App PV Size from defaults + set_fact: + openshift_cfme_app_pv_size: "{{ __openshift_cfme_app_pv_size }}" + when: + - openshift_cfme_template_parameters.APPLICATION_VOLUME_CAPACITY is not defined + +- when: openshift_cfme_app_template in ['miq-template', 'cfme-template'] + block: + - name: Note the DB PV Size from Template Parameters + set_fact: + openshift_cfme_db_pv_size: "{{ openshift_cfme_template_parameters.DATABASE_VOLUME_CAPACITY }}" + when: + - openshift_cfme_template_parameters.DATABASE_VOLUME_CAPACITY is defined + + - name: Note the DB PV Size from defaults + set_fact: + openshift_cfme_db_pv_size: "{{ __openshift_cfme_db_pv_size }}" + when: + - openshift_cfme_template_parameters.DATABASE_VOLUME_CAPACITY is not defined + - name: Check if the CFME App PV has been created oc_obj: namespace: "{{ openshift_cfme_project }}" diff --git a/roles/openshift_cfme/tasks/validate.yml b/roles/openshift_cfme/tasks/validate.yml index c7409d9ab..1ba813a43 100644 --- a/roles/openshift_cfme/tasks/validate.yml +++ b/roles/openshift_cfme/tasks/validate.yml 
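Review bot: The new `set_fact` tasks write to `openshift_cfme_app_pv_size` and `openshift_cfme_db_pv_size`, the same public names this commit removes from `defaults/main.yml`; because `set_fact` outranks inventory variables, an inventory that still carries `openshift_cfme_app_pv_size=10Gi` is silently overridden by the template parameter or the `__` default instead of being rejected. A `fail` task in `validate.yml` that fires when either legacy variable `is defined` (assuming validation runs before the storage tasks, which I cannot see from here) would surface the migration instead of hiding it. Style-wise, each defined/not-defined pair collapses to a single task, e.g. `openshift_cfme_app_pv_size: "{{ openshift_cfme_template_parameters.APPLICATION_VOLUME_CAPACITY | default(__openshift_cfme_app_pv_size) }}"`, and the literal list `['miq-template', 'cfme-template']` duplicates knowledge that `__openshift_cfme_app_templates` in vars/main.yml already holds, so the two can drift apart.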
@@ -7,13 +7,18 @@ assert: that: - openshift_cfme_app_template in __openshift_cfme_app_templates - msg: "openshift_cfme_app_template must be one of {{ __openshift_cfme_app_templates | join(', ') }}" + + msg: | + "openshift_cfme_app_template must be one of {{ + __openshift_cfme_app_templates | join(', ') }}" - name: Ensure openshift_cfme_storage_class is a valid type assert: that: - openshift_cfme_storage_class in __openshift_cfme_storage_classes - msg: "openshift_cfme_storage_class must be one of {{ __openshift_cfme_storage_classes | join(', ') }}" + msg: | + "openshift_cfme_storage_class must be one of {{ + __openshift_cfme_storage_classes | join(', ') }}" ###################################################################### # STORAGE PARAMS - NFS @@ -21,12 +26,24 @@ assert: that: - openshift_cfme_storage_nfs_external_hostname | default(False) - msg: The selected storage class 'nfs_external' requires a valid hostname for the openshift_cfme_storage_nfs_hostname parameter + msg: | + The selected storage class 'nfs_external' requires a valid + hostname for the openshift_cfme_storage_nfs_hostname parameter when: - openshift_cfme_storage_class == 'nfs_external' -# that 'nfs' types have one of the following set: -# +- name: Ensure local NFS storage has a valid NFS server to use + fail: + msg: | + No NFS hosts detected or defined but storage class is set to + 'nfs'. Add hosts to your [nfs] group or define one manually with + the 'openshift_cfme_storage_nfs_local_hostname' parameter + when: + - openshift_cfme_storage_class == 'nfs' + # You haven't created any NFS groups + - (groups.nfs is defined and groups.nfs | length == 0) or (groups.nfs is not defined) + # You did not manually specify a host to use + - (openshift_cfme_storage_nfs_local_hostname is not defined) or (openshift_cfme_storage_nfs_local_hostname == false) ###################################################################### # STORAGE PARAMS -CLOUD PROVIDER 
@@ -36,9 +53,10 @@
 - openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'
 msg: |
 openshift_cfme_storage_class is 'cloudprovider' but you have an
- invalid kind defined. See 'openshift_cloudprovider_kind' in the
- example inventories for the required parameters for your
- selected cloud provider. Working providers: 'aws' and 'gce'.
+ invalid kind defined, '{{ openshift_cloudprovider_kind }}'. See
+ 'openshift_cloudprovider_kind' in the example inventories for
+ the required parameters for your selected cloud
+ provider. Working providers: 'aws' and 'gce'.
 when:
 - openshift_cfme_storage_class == 'cloudprovider'
 - openshift_cloudprovider_kind is defined
@@ -64,7 +82,7 @@
 that:
 - item in openshift_cfme_template_parameters
 msg: |
- "You are not using podified database services and a required
+ "You are using external database services but a required
 database parameter {{ item }} was not found in 'openshift_cfme_template_parameters'"
 with_items: "{{ __openshift_cfme_required_db_conn_params }}"
diff --git a/roles/openshift_cfme/vars/main.yml b/roles/openshift_cfme/vars/main.yml
index f79724afa..9764f464c 100644
--- a/roles/openshift_cfme/vars/main.yml
+++ b/roles/openshift_cfme/vars/main.yml
@@ -8,6 +8,13 @@ __openshift_cfme_storage_classes:
 - preconfigured
 - cloudprovider
 
+#---------------------------------------------------------------------
+# DEFAULT PV SIZES
+# How large to make the MIQ application PV
+__openshift_cfme_app_pv_size: 5Gi
+# How large to make the MIQ PostgreSQL PV
+__openshift_cfme_db_pv_size: 15Gi
+
 # Name of the application templates with object/parameter definitions
 __openshift_cfme_app_templates:
 - miq-template-ext-db
-- cgit v1.2.3
From d4c1a0443e7c38343752f880d6ae3c2c2c33ab54 Mon Sep 17 00:00:00 2001
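Review bot: The new size defaults in vars/main.yml are documented, but the operator-supplied overrides that replace them (`APPLICATION_VOLUME_CAPACITY` and `DATABASE_VOLUME_CAPACITY` in `openshift_cfme_template_parameters`) become the PV size facts without any check that they are well-formed Kubernetes quantities, and none of the validate.yml hunks in this commit asserts anything about them. A short assert next to the other template-parameter checks would fail early with a readable message rather than at object creation, for example `- openshift_cfme_template_parameters.APPLICATION_VOLUME_CAPACITY | default(__openshift_cfme_app_pv_size) | string is match('^[0-9]+(Ki|Mi|Gi|Ti)$')` (an example pattern; widen it to whatever units the role intends to accept). Because these values live in vars/main.yml they behave as constants rather than inventory-tunable defaults, which the `__` prefix implies; a comment such as `# Override via openshift_cfme_template_parameters, not inventory` beside `# DEFAULT PV SIZES` would save a reader checking variable precedence.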
From: Tim Bielawa Date: Wed, 4 Oct 2017 12:54:49 -0400 Subject: Fix lint error --- .../openshift_cfme/tasks/storage/create_nfs_pvs.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'roles/openshift_cfme')
diff --git a/roles/openshift_cfme/tasks/storage/create_nfs_pvs.yml b/roles/openshift_cfme/tasks/storage/create_nfs_pvs.yml
index b8d4ec8c5..d5252464e 100644
--- a/roles/openshift_cfme/tasks/storage/create_nfs_pvs.yml
+++ b/roles/openshift_cfme/tasks/storage/create_nfs_pvs.yml
@@ -14,17 +14,17 @@
 
 - when: openshift_cfme_app_template in ['miq-template', 'cfme-template']
 block:
- - name: Note the DB PV Size from Template Parameters
- set_fact:
- openshift_cfme_db_pv_size: "{{ openshift_cfme_template_parameters.DATABASE_VOLUME_CAPACITY }}"
- when:
- - openshift_cfme_template_parameters.DATABASE_VOLUME_CAPACITY is defined
+ - name: Note the DB PV Size from Template Parameters
+ set_fact:
+ openshift_cfme_db_pv_size: "{{ openshift_cfme_template_parameters.DATABASE_VOLUME_CAPACITY }}"
+ when:
+ - openshift_cfme_template_parameters.DATABASE_VOLUME_CAPACITY is defined
 
- - name: Note the DB PV Size from defaults
- set_fact:
- openshift_cfme_db_pv_size: "{{ __openshift_cfme_db_pv_size }}"
- when:
- - openshift_cfme_template_parameters.DATABASE_VOLUME_CAPACITY is not defined
+ - name: Note the DB PV Size from defaults
+ set_fact:
+ openshift_cfme_db_pv_size: "{{ __openshift_cfme_db_pv_size }}"
+ when:
+ - openshift_cfme_template_parameters.DATABASE_VOLUME_CAPACITY is not defined
 
 - name: Check if the CFME App PV has been created
 oc_obj:
-- cgit v1.2.3
