summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--.tito/packages/openshift-ansible2
-rw-r--r--openshift-ansible.spec46
-rw-r--r--playbooks/aws/provisioning_vars.yml.example18
-rw-r--r--playbooks/common/openshift-cluster/upgrades/pre/config.yml2
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_9/upgrade.yml1
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml2
-rw-r--r--playbooks/init/evaluate_groups.yml2
-rw-r--r--roles/lib_utils/filter_plugins/openshift_aws_filters.py16
-rw-r--r--roles/lib_utils/library/swapoff.py137
-rw-r--r--roles/openshift_aws/defaults/main.yml7
-rw-r--r--roles/openshift_aws/tasks/elb.yml2
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-job.yaml28
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-pvc.yaml10
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-backup-example.yaml13
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-db-example.yaml45
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-region-example.yaml13
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-server-example.yaml45
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-restore-job.yaml35
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-scc-sysadmin.yaml38
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template-ext-db.yaml956
-rw-r--r--roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template.yaml1424
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-job.yaml28
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-pvc.yaml10
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-backup-example.yaml13
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-db-example.yaml45
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-region-example.yaml13
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-server-example.yaml45
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-restore-job.yaml35
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-scc-sysadmin.yaml38
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template-ext-db.yaml956
-rw-r--r--roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template.yaml1424
-rw-r--r--roles/openshift_hosted/tasks/registry.yml2
-rw-r--r--roles/openshift_loadbalancer/templates/haproxy.cfg.j23
-rw-r--r--roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml2
-rw-r--r--roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml2
-rw-r--r--roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml219
-rw-r--r--roles/openshift_management/files/templates/cloudforms/cfme-template.yaml221
-rw-r--r--roles/openshift_metrics/tasks/oc_apply.yaml8
-rw-r--r--roles/openshift_node/tasks/main.yml32
-rw-r--r--roles/openshift_node/tasks/upgrade/config_changes.yml28
-rw-r--r--roles/openshift_node/tasks/upgrade_pre.yml13
-rw-r--r--roles/openshift_node/templates/node.service.j22
-rw-r--r--roles/openshift_node/templates/openshift.docker.node.service2
-rw-r--r--roles/openshift_provisioners/tasks/oc_apply.yaml12
-rw-r--r--roles/openshift_service_catalog/templates/api_server.j22
-rw-r--r--roles/openshift_service_catalog/templates/controller_manager.j22
-rw-r--r--roles/openshift_storage_nfs/templates/exports.j216
53 files changed, 4990 insertions, 1031 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index d6dd5a3c8..f4ea673a5 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.9.0-0.23.0 ./
+3.9.0-0.24.0 ./
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index 719e54eb9..ed730bb7f 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -10,7 +10,7 @@
Name: openshift-ansible
Version: 3.9.0
-Release: 0.23.0%{?dist}
+Release: 0.24.0%{?dist}
Summary: Openshift and Atomic Enterprise Ansible
License: ASL 2.0
URL: https://github.com/openshift/openshift-ansible
@@ -204,6 +204,50 @@ Atomic OpenShift Utilities includes
%changelog
+* Wed Jan 24 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.24.0
+- Update CF 4.6 Beta templates in openshift_management directory
+ (simaishi@redhat.com)
+- installer: increase content width for commands, which may output URLs
+ (vrutkovs@redhat.com)
+- Only rollout console if config changed (spadgett@redhat.com)
+- Protect master installed version during node upgrades (mgugino@redhat.com)
+- [1506866] Update haproxy.cfg.j2 (rteague@redhat.com)
+- Split control plane and component install in deploy_cluster
+ (ccoleman@redhat.com)
+- Add clusterResourceOverridesEnabled to console config (spadgett@redhat.com)
+- [1537105] Add openshift_facts to flannel role (rteague@redhat.com)
+- PyYAML is required by openshift_facts on nodes (ccoleman@redhat.com)
+- Move origin-gce roles and playbooks into openshift-ansible
+ (ccoleman@redhat.com)
+- Directly select the ansible version (ccoleman@redhat.com)
+- use non-deprecated REGISTRY_OPENSHIFT_SERVER_ADDR variable to set the
+ registry hostname (bparees@redhat.com)
+- update Dockerfile to add boto3 dependency (jdiaz@redhat.com)
+- Lowercase node names when creating certificates (vrutkovs@redhat.com)
+- NFS Storage: make sure openshift_hosted_*_storage_nfs_directory are quoted
+ (vrutkovs@redhat.com)
+- Fix etcd scaleup playbook (mgugino@redhat.com)
+- Bug 1524805- ServiceCatalog now works disconnected (fabian@fabianism.us)
+- [1506750] Ensure proper hostname check override (rteague@redhat.com)
+- failed_when lists are implicitely ANDs, not ORs (vrutkovs@redhat.com)
+- un-hardcode default subnet az (jdiaz@redhat.com)
+- Ensure that node names are lowerecased before matching (sdodson@redhat.com)
+- Bug 1534020 - Only set logging and metrics URLs if console config map exists
+ (spadgett@redhat.com)
+- Add templates to v3.9 (simaishi@redhat.com)
+- Use Beta repo path (simaishi@redhat.com)
+- CF 4.6 templates (simaishi@redhat.com)
+- Add ability to mount volumes into system container nodes (mgugino@redhat.com)
+- Fix to master-internal elb scheme (mazzystr@gmail.com)
+- Allow 5 etcd hosts (sdodson@redhat.com)
+- Remove unused symlink (sdodson@redhat.com)
+- docker_creds: fix python3 exception (gscrivan@redhat.com)
+- docker_creds: fix python3 exception (gscrivan@redhat.com)
+- docker: use image from CentOS and Fedora registries (gscrivan@redhat.com)
+- crio: use Docker and CentOS registries for the image (gscrivan@redhat.com)
+- The provision_install file ends in yml not yaml! Ansible requirement
+ clarification. (mbruzek@gmail.com)
+
* Tue Jan 23 2018 Jenkins CD Merge Bot <smunilla@redhat.com> 3.9.0-0.23.0
- docker_image_availability: enable skopeo to use proxies (lmeyer@redhat.com)
- Install base_packages earlier (mgugino@redhat.com)
diff --git a/playbooks/aws/provisioning_vars.yml.example b/playbooks/aws/provisioning_vars.yml.example
index f6b1a6b5d..a1a8a5b08 100644
--- a/playbooks/aws/provisioning_vars.yml.example
+++ b/playbooks/aws/provisioning_vars.yml.example
@@ -41,11 +41,27 @@ openshift_pkg_version: # -3.7.0
# a vpc, set this to false.
#openshift_aws_create_vpc: true
+# when openshift_aws_create_vpc is true (the default), the VPC defined in
+# openshift_aws_vpc will be created
+#openshift_aws_vpc:
+# name: "{{ openshift_aws_vpc_name }}"
+# cidr: 172.31.0.0/16
+# subnets:
+# us-east-1:
+# - cidr: 172.31.48.0/20
+# az: "us-east-1c"
+# default_az: true
+# - cidr: 172.31.32.0/20
+# az: "us-east-1e"
+# - cidr: 172.31.16.0/20
+# az: "us-east-1a"
+
# Name of the vpc. Needs to be set if using a pre-existing vpc.
#openshift_aws_vpc_name: "{{ openshift_aws_clusterid }}"
# Name of the subnet in the vpc to use. Needs to be set if using a pre-existing
-# vpc + subnet.
+# vpc + subnet. Otherwise will use the subnet with 'default_az' set (see above
+# example VPC structure)
#openshift_aws_subnet_az:
# -------------- #
diff --git a/playbooks/common/openshift-cluster/upgrades/pre/config.yml b/playbooks/common/openshift-cluster/upgrades/pre/config.yml
index da63450b8..2b27f8dd0 100644
--- a/playbooks/common/openshift-cluster/upgrades/pre/config.yml
+++ b/playbooks/common/openshift-cluster/upgrades/pre/config.yml
@@ -49,7 +49,7 @@
# to a more specific version, respecting openshift_image_tag and openshift_pkg_version if
# defined, and overriding the normal behavior of protecting the installed version
openshift_release: "{{ openshift_upgrade_target }}"
- openshift_protect_installed_version: False
+ # openshift_protect_installed_version is passed n via upgrade_control_plane.yml
# l_openshift_version_set_hosts is passed via upgrade_control_plane.yml
# l_openshift_version_check_hosts is passed via upgrade_control_plane.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml
index d520c6aee..a2d21b69f 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml
@@ -23,6 +23,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config:oo_nodes_to_upgrade"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_nodes_to_config:oo_masters_to_config"
+ openshift_protect_installed_version: False
- import_playbook: validator.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml
index d88880140..9aa5a3b64 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml
@@ -35,6 +35,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_masters_to_config"
+ openshift_protect_installed_version: False
- import_playbook: validator.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml
index 4daa9e490..cc2ec2709 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml
@@ -23,6 +23,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config:oo_nodes_to_upgrade"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_nodes_to_config:oo_masters_to_config"
+ openshift_protect_installed_version: False
- import_playbook: validator.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml
index ce069e2d0..b1ecc75d3 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml
@@ -35,6 +35,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_masters_to_config"
+ openshift_protect_installed_version: False
- import_playbook: validator.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml
index a9bf354cc..a73b7d63a 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml
@@ -23,6 +23,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config:oo_nodes_to_upgrade"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_nodes_to_config:oo_masters_to_config"
+ openshift_protect_installed_version: False
- import_playbook: validator.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml
index 3f26a6297..723b2e533 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml
@@ -36,6 +36,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_masters_to_config"
+ openshift_protect_installed_version: False
- import_playbook: validator.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade.yml
index 20e0c165e..bf6e8605e 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade.yml
@@ -20,6 +20,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config:oo_nodes_to_upgrade"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_nodes_to_config:oo_masters_to_config"
+ openshift_protect_installed_version: False
- import_playbook: validator.yml
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml
index 0f48725f6..1dcc38def 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml
@@ -41,6 +41,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_masters_to_config"
+ openshift_protect_installed_version: False
when: hostvars[groups.oo_first_master.0].openshift_currently_installed_version | version_compare('3.8','<')
- name: Flag pre-upgrade checks complete for hosts without errors 3.8
@@ -82,6 +83,7 @@
l_upgrade_verify_targets_hosts: "oo_masters_to_config"
l_upgrade_docker_target_hosts: "oo_masters_to_config:oo_etcd_to_config"
l_upgrade_excluder_hosts: "oo_masters_to_config"
+ openshift_protect_installed_version: False
- name: Flag pre-upgrade checks complete for hosts without errors
hosts: oo_masters_to_config:oo_etcd_to_config
diff --git a/playbooks/init/evaluate_groups.yml b/playbooks/init/evaluate_groups.yml
index c4cd226c9..924ae481a 100644
--- a/playbooks/init/evaluate_groups.yml
+++ b/playbooks/init/evaluate_groups.yml
@@ -47,7 +47,7 @@
msg: >
Running etcd as an embedded service is no longer supported.
when:
- - g_etcd_hosts | default([]) | length not in [3,1]
+ - g_etcd_hosts | default([]) | length not in [5,3,1]
- not (openshift_node_bootstrap | default(False))
- name: Evaluate oo_all_hosts
diff --git a/roles/lib_utils/filter_plugins/openshift_aws_filters.py b/roles/lib_utils/filter_plugins/openshift_aws_filters.py
index dfcb11da3..f16048056 100644
--- a/roles/lib_utils/filter_plugins/openshift_aws_filters.py
+++ b/roles/lib_utils/filter_plugins/openshift_aws_filters.py
@@ -67,8 +67,24 @@ class FilterModule(object):
return tags
+ @staticmethod
+ def get_default_az(subnets):
+ ''' From a list of subnets/AZs in a specific region (from the VPC
+ structure), return the AZ that has the key/value
+ 'default_az=True.' '''
+
+ for subnet in subnets:
+ if subnet.get('default_az'):
+ return subnet['az']
+
+ # if there was none marked with default_az=True, just return the first
+ # one. (this does mean we could possible return an item that has
+ # default_az=False set
+ return subnets[0]['az']
+
def filters(self):
''' returns a mapping of filters to methods '''
return {'build_instance_tags': self.build_instance_tags,
+ 'get_default_az': self.get_default_az,
'scale_groups_match_capacity': self.scale_groups_match_capacity,
'scale_groups_serial': self.scale_groups_serial}
diff --git a/roles/lib_utils/library/swapoff.py b/roles/lib_utils/library/swapoff.py
new file mode 100644
index 000000000..925eeb17d
--- /dev/null
+++ b/roles/lib_utils/library/swapoff.py
@@ -0,0 +1,137 @@
+#!/usr/bin/env python
+# pylint: disable=missing-docstring
+#
+# Copyright 2017 Red Hat, Inc. and/or its affiliates
+# and other contributors as indicated by the @author tags.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import subprocess
+
+from ansible.module_utils.basic import AnsibleModule
+
+
+DOCUMENTATION = '''
+---
+module: swapoff
+
+short_description: Disable swap and comment from /etc/fstab
+
+version_added: "2.4"
+
+description:
+ - This module disables swap and comments entries from /etc/fstab
+
+author:
+ - "Michael Gugino <mgugino@redhat.com>"
+'''
+
+EXAMPLES = '''
+# Pass in a message
+- name: Disable Swap
+ swapoff: {}
+'''
+
+
+def check_swap_in_fstab(module):
+ '''Check for uncommented swap entries in fstab'''
+ res = subprocess.call(['grep', '^[^#].*swap', '/etc/fstab'])
+
+ if res == 2:
+ # rc 2 == cannot open file.
+ result = {'failed': True,
+ 'changed': False,
+ 'msg': 'unable to read /etc/fstab',
+ 'state': 'unknown'}
+ module.fail_json(**result)
+ elif res == 1:
+ # No grep match, fstab looks good.
+ return False
+ elif res == 0:
+ # There is an uncommented entry for fstab.
+ return True
+ else:
+ # Some other grep error code, we shouldn't get here.
+ result = {'failed': True,
+ 'changed': False,
+ 'msg': 'unknow problem with grep "^[^#].*swap" /etc/fstab ',
+ 'state': 'unknown'}
+ module.fail_json(**result)
+
+
+def check_swapon_status(module):
+ '''Check if swap is actually in use.'''
+ try:
+ res = subprocess.check_output(['swapon', '--show'])
+ except subprocess.CalledProcessError:
+ # Some other grep error code, we shouldn't get here.
+ result = {'failed': True,
+ 'changed': False,
+ 'msg': 'unable to execute swapon --show',
+ 'state': 'unknown'}
+ module.fail_json(**result)
+ return 'NAME' in str(res)
+
+
+def comment_swap_fstab(module):
+ '''Comment out swap lines in /etc/fstab'''
+ res = subprocess.call(['sed', '-i.bak', 's/^[^#].*swap.*/#&/', '/etc/fstab'])
+ if res:
+ result = {'failed': True,
+ 'changed': False,
+ 'msg': 'sed failed to comment swap in /etc/fstab',
+ 'state': 'unknown'}
+ module.fail_json(**result)
+
+
+def run_swapoff(module, changed):
+ '''Run swapoff command'''
+ res = subprocess.call(['swapoff', '--all'])
+ if res:
+ result = {'failed': True,
+ 'changed': changed,
+ 'msg': 'swapoff --all returned {}'.format(str(res)),
+ 'state': 'unknown'}
+ module.fail_json(**result)
+
+
+def run_module():
+ '''Run this module'''
+ module = AnsibleModule(
+ supports_check_mode=False,
+ argument_spec={}
+ )
+ changed = False
+
+ swap_fstab_res = check_swap_in_fstab(module)
+ swap_is_inuse_res = check_swapon_status(module)
+
+ if swap_fstab_res:
+ comment_swap_fstab(module)
+ changed = True
+
+ if swap_is_inuse_res:
+ run_swapoff(module, changed)
+ changed = True
+
+ result = {'changed': changed}
+
+ module.exit_json(**result)
+
+
+def main():
+ run_module()
+
+
+if __name__ == '__main__':
+ main()
diff --git a/roles/openshift_aws/defaults/main.yml b/roles/openshift_aws/defaults/main.yml
index a729e8dbd..e14d57702 100644
--- a/roles/openshift_aws/defaults/main.yml
+++ b/roles/openshift_aws/defaults/main.yml
@@ -59,7 +59,7 @@ openshift_aws_elb_name_dict:
external: "{{ openshift_aws_elb_basename }}-infra"
openshift_aws_elb_idle_timout: 400
-openshift_aws_elb_scheme: internet-facing
+
openshift_aws_elb_cert_arn: ''
openshift_aws_elb_dict:
@@ -282,8 +282,6 @@ openshift_aws_node_security_groups:
openshift_aws_vpc_tags:
Name: "{{ openshift_aws_vpc_name }}"
-openshift_aws_subnet_az: us-east-1c
-
openshift_aws_vpc:
name: "{{ openshift_aws_vpc_name }}"
cidr: 172.31.0.0/16
@@ -291,11 +289,14 @@ openshift_aws_vpc:
us-east-1:
- cidr: 172.31.48.0/20
az: "us-east-1c"
+ default_az: true
- cidr: 172.31.32.0/20
az: "us-east-1e"
- cidr: 172.31.16.0/20
az: "us-east-1a"
+openshift_aws_subnet_az: "{{ openshift_aws_vpc.subnets[openshift_aws_region] | get_default_az }}"
+
openshift_aws_node_run_bootstrap_startup: True
openshift_aws_node_user_data: ''
openshift_aws_node_config_namespace: openshift-node
diff --git a/roles/openshift_aws/tasks/elb.yml b/roles/openshift_aws/tasks/elb.yml
index 5d371ec7a..6f0028a3d 100644
--- a/roles/openshift_aws/tasks/elb.yml
+++ b/roles/openshift_aws/tasks/elb.yml
@@ -15,7 +15,7 @@
- "{{ subnetout.subnets[0].id }}"
health_check: "{{ openshift_aws_elb_health_check }}"
listeners: "{{ item.value }}"
- scheme: "{{ openshift_aws_elb_scheme }}"
+ scheme: "{{ (item.key == 'internal') | ternary('internal','internet-facing') }}"
tags: "{{ openshift_aws_elb_tags }}"
wait: True
register: new_elb
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-job.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-job.yaml
new file mode 100644
index 000000000..48d1d4e26
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-job.yaml
@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cloudforms-backup
+spec:
+ template:
+ metadata:
+ name: cloudforms-backup
+ spec:
+ containers:
+ - name: postgresql
+ image: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql:latest
+ command:
+ - "/opt/rh/cfme-container-scripts/backup_db"
+ env:
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: cloudforms-secrets
+ key: database-url
+ volumeMounts:
+ - name: cfme-backup-vol
+ mountPath: "/backups"
+ volumes:
+ - name: cfme-backup-vol
+ persistentVolumeClaim:
+ claimName: cloudforms-backup
+ restartPolicy: Never
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-pvc.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-pvc.yaml
new file mode 100644
index 000000000..92598ce82
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-backup-pvc.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: cloudforms-backup
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 15Gi
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-backup-example.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-backup-example.yaml
new file mode 100644
index 000000000..4fe349897
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-backup-example.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: cfme-pv03
+spec:
+ capacity:
+ storage: 15Gi
+ accessModes:
+ - ReadWriteOnce
+ nfs:
+ path: "/exports/cfme-pv03"
+ server: "<your-nfs-host-here>"
+ persistentVolumeReclaimPolicy: Retain
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-db-example.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-db-example.yaml
index 250a99b8d..0cdd821b5 100644
--- a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-db-example.yaml
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-db-example.yaml
@@ -1,13 +1,38 @@
apiVersion: v1
-kind: PersistentVolume
+kind: Template
+labels:
+ template: cloudforms-db-pv
metadata:
- name: cfme-pv01
-spec:
- capacity:
- storage: 15Gi
- accessModes:
+ name: cloudforms-db-pv
+ annotations:
+ description: PV Template for CFME PostgreSQL DB
+ tags: PVS, CFME
+objects:
+- apiVersion: v1
+ kind: PersistentVolume
+ metadata:
+ name: cfme-db
+ spec:
+ capacity:
+ storage: "${PV_SIZE}"
+ accessModes:
- ReadWriteOnce
- nfs:
- path: /exports/cfme-pv01
- server: <your-nfs-host-here>
- persistentVolumeReclaimPolicy: Retain
+ nfs:
+ path: "${BASE_PATH}/cfme-db"
+ server: "${NFS_HOST}"
+ persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+ displayName: PV Size for DB
+ required: true
+ description: The size of the CFME DB PV given in Gi
+ value: 15Gi
+- name: BASE_PATH
+ displayName: Exports Directory Base Path
+ required: true
+ description: The parent directory of your NFS exports
+ value: "/exports"
+- name: NFS_HOST
+ displayName: NFS Server Hostname
+ required: true
+ description: The hostname or IP address of the NFS server
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-region-example.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-region-example.yaml
deleted file mode 100644
index cba9bbe35..000000000
--- a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-region-example.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: cfme-pv02
-spec:
- capacity:
- storage: 5Gi
- accessModes:
- - ReadWriteOnce
- nfs:
- path: /exports/cfme-pv02
- server: <your-nfs-host-here>
- persistentVolumeReclaimPolicy: Retain
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-server-example.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-server-example.yaml
index c08c21265..527090ae8 100644
--- a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-server-example.yaml
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-pv-server-example.yaml
@@ -1,13 +1,38 @@
apiVersion: v1
-kind: PersistentVolume
+kind: Template
+labels:
+ template: cloudforms-app-pv
metadata:
- name: cfme-pv03
-spec:
- capacity:
- storage: 5Gi
- accessModes:
+ name: cloudforms-app-pv
+ annotations:
+ description: PV Template for CFME Server
+ tags: PVS, CFME
+objects:
+- apiVersion: v1
+ kind: PersistentVolume
+ metadata:
+ name: cfme-app
+ spec:
+ capacity:
+ storage: "${PV_SIZE}"
+ accessModes:
- ReadWriteOnce
- nfs:
- path: /exports/cfme-pv03
- server: <your-nfs-host-here>
- persistentVolumeReclaimPolicy: Retain
+ nfs:
+ path: "${BASE_PATH}/cfme-app"
+ server: "${NFS_HOST}"
+ persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+ displayName: PV Size for App
+ required: true
+ description: The size of the CFME APP PV given in Gi
+ value: 5Gi
+- name: BASE_PATH
+ displayName: Exports Directory Base Path
+ required: true
+ description: The parent directory of your NFS exports
+ value: "/exports"
+- name: NFS_HOST
+ displayName: NFS Server Hostname
+ required: true
+ description: The hostname or IP address of the NFS server
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-restore-job.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-restore-job.yaml
new file mode 100644
index 000000000..7fd4fc2e1
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-restore-job.yaml
@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cloudforms-restore
+spec:
+ template:
+ metadata:
+ name: cloudforms-restore
+ spec:
+ containers:
+ - name: postgresql
+ image: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql:latest
+ command:
+ - "/opt/rh/cfme-container-scripts/restore_db"
+ env:
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: cloudforms-secrets
+ key: database-url
+ - name: BACKUP_VERSION
+ value: latest
+ volumeMounts:
+ - name: cfme-backup-vol
+ mountPath: "/backups"
+ - name: cfme-prod-vol
+ mountPath: "/restore"
+ volumes:
+ - name: cfme-backup-vol
+ persistentVolumeClaim:
+ claimName: cloudforms-backup
+ - name: cfme-prod-vol
+ persistentVolumeClaim:
+ claimName: cloudforms-postgresql
+ restartPolicy: Never
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-scc-sysadmin.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-scc-sysadmin.yaml
new file mode 100644
index 000000000..d2ece9298
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-scc-sysadmin.yaml
@@ -0,0 +1,38 @@
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+apiVersion: v1
+defaultAddCapabilities:
+- SYS_ADMIN
+fsGroup:
+ type: RunAsAny
+groups:
+- system:cluster-admins
+kind: SecurityContextConstraints
+metadata:
+ annotations:
+ kubernetes.io/description: cfme-sysadmin provides all features of the anyuid SCC but allows users to have SYS_ADMIN capabilities. This is the required scc for Pods requiring to run with systemd and the message bus.
+ creationTimestamp:
+ name: cfme-sysadmin
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- MKNOD
+- SYS_CHROOT
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+users:
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- secret
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template-ext-db.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template-ext-db.yaml
new file mode 100644
index 000000000..9866c29c3
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template-ext-db.yaml
@@ -0,0 +1,956 @@
+apiVersion: v1
+kind: Template
+labels:
+ template: cloudforms-ext-db
+metadata:
+ name: cloudforms-ext-db
+ annotations:
+ description: CloudForms appliance with persistent storage using a external DB host
+ tags: instant-app,cloudforms,cfme
+ iconClass: icon-rails
+objects:
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-orchestrator
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-anyuid
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-privileged
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-httpd
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${NAME}-secrets"
+ stringData:
+ pg-password: "${DATABASE_PASSWORD}"
+ admin-password: "${APPLICATION_ADMIN_PASSWORD}"
+ database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+ v2-key: "${V2_KEY}"
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ stringData:
+ rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+ secret-key: "${ANSIBLE_SECRET_KEY}"
+ admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances CloudForms pods
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+ name: "${NAME}"
+ spec:
+ clusterIP: None
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ selector:
+ name: "${NAME}"
+- apiVersion: v1
+ kind: Route
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ spec:
+ host: "${APPLICATION_DOMAIN}"
+ port:
+ targetPort: http
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ to:
+ kind: Service
+ name: "${HTTPD_SERVICE_NAME}"
+- apiVersion: apps/v1beta1
+ kind: StatefulSet
+ metadata:
+ name: "${NAME}"
+ annotations:
+ description: Defines how to deploy the CloudForms appliance
+ spec:
+ serviceName: "${NAME}"
+ replicas: "${APPLICATION_REPLICA_COUNT}"
+ template:
+ metadata:
+ labels:
+ name: "${NAME}"
+ name: "${NAME}"
+ spec:
+ containers:
+ - name: cloudforms
+ image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - MIQ Server
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ readinessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 200
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ volumeMounts:
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
+ env:
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_REGION
+ value: "${DATABASE_REGION}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: APPLICATION_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: admin-password
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ resources:
+ requests:
+ memory: "${APPLICATION_MEM_REQ}"
+ cpu: "${APPLICATION_CPU_REQ}"
+ limits:
+ memory: "${APPLICATION_MEM_LIMIT}"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
+ volumeClaimTemplates:
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Headless service for CloudForms backend pods
+ name: "${NAME}-backend"
+ spec:
+ clusterIP: None
+ selector:
+ name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+ kind: StatefulSet
+ metadata:
+ name: "${NAME}-backend"
+ annotations:
+ description: Defines how to deploy the CloudForms appliance
+ spec:
+ serviceName: "${NAME}-backend"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${NAME}-backend"
+ name: "${NAME}-backend"
+ spec:
+ containers:
+ - name: cloudforms
+ image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - MIQ Server
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
+ env:
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: MIQ_SERVER_DEFAULT_ROLES
+ value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+ - name: FRONTEND_SERVICE_NAME
+ value: "${NAME}"
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ resources:
+ requests:
+ memory: "${APPLICATION_MEM_REQ}"
+ cpu: "${APPLICATION_CPU_REQ}"
+ limits:
+ memory: "${APPLICATION_MEM_LIMIT}"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
+ volumeClaimTemplates:
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ annotations:
+ description: Exposes the memcached server
+ spec:
+ ports:
+ - name: memcached
+ port: 11211
+ targetPort: 11211
+ selector:
+ name: "${MEMCACHED_SERVICE_NAME}"
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy memcached
+ spec:
+ strategy:
+ type: Recreate
+ triggers:
+ - type: ConfigChange
+ replicas: 1
+ selector:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ template:
+ metadata:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ labels:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ spec:
+ volumes: []
+ containers:
+ - name: memcached
+ image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+ ports:
+ - containerPort: 11211
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 5
+ tcpSocket:
+ port: 11211
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 30
+ tcpSocket:
+ port: 11211
+ volumeMounts: []
+ env:
+ - name: MEMCACHED_MAX_MEMORY
+ value: "${MEMCACHED_MAX_MEMORY}"
+ - name: MEMCACHED_MAX_CONNECTIONS
+ value: "${MEMCACHED_MAX_CONNECTIONS}"
+ - name: MEMCACHED_SLAB_PAGE_SIZE
+ value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+ resources:
+ requests:
+ memory: "${MEMCACHED_MEM_REQ}"
+ cpu: "${MEMCACHED_CPU_REQ}"
+ limits:
+ memory: "${MEMCACHED_MEM_LIMIT}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${DATABASE_SERVICE_NAME}"
+ annotations:
+ description: Remote database service
+ spec:
+ ports:
+ - name: postgresql
+ port: 5432
+ targetPort: "${{DATABASE_PORT}}"
+ selector: {}
+- apiVersion: v1
+ kind: Endpoints
+ metadata:
+ name: "${DATABASE_SERVICE_NAME}"
+ subsets:
+ - addresses:
+ - ip: "${DATABASE_IP}"
+ ports:
+ - port: "${{DATABASE_PORT}}"
+ name: postgresql
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances Ansible pods
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy the Ansible appliance
+ spec:
+ strategy:
+ type: Recreate
+ serviceName: "${ANSIBLE_SERVICE_NAME}"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ containers:
+ - name: ansible
+ image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+ livenessProbe:
+ tcpSocket:
+ port: 443
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 200
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 443
+ protocol: TCP
+ securityContext:
+ privileged: true
+ env:
+ - name: ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ - name: RABBITMQ_USER_NAME
+ value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+ - name: RABBITMQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: rabbit-password
+ - name: ANSIBLE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: secret-key
+ - name: DATABASE_SERVICE_NAME
+ value: "${DATABASE_SERVICE_NAME}"
+ - name: POSTGRESQL_USER
+ value: "${DATABASE_USER}"
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: pg-password
+ - name: POSTGRESQL_DATABASE
+ value: "${ANSIBLE_DATABASE_NAME}"
+ resources:
+ requests:
+ memory: "${ANSIBLE_MEM_REQ}"
+ cpu: "${ANSIBLE_CPU_REQ}"
+ limits:
+ memory: "${ANSIBLE_MEM_LIMIT}"
+ serviceAccount: cfme-privileged
+ serviceAccountName: cfme-privileged
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ data:
+ application.conf: |
+ # Timeout: The number of seconds before receives and sends time out.
+ Timeout 120
+
+ RewriteEngine On
+ Options SymLinksIfOwnerMatch
+
+ <VirtualHost *:80>
+ KeepAlive on
+ # Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
+ ServerName https://%{REQUEST_HOST}
+
+ ProxyPreserveHost on
+
+ RewriteCond %{REQUEST_URI} ^/ws [NC]
+ RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
+ RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
+
+ # For httpd, some ErrorDocuments must by served by the httpd pod
+ RewriteCond %{REQUEST_URI} !^/proxy_pages
+
+ # For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
+ RewriteCond %{REQUEST_URI} !^/saml2
+ RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
+ ProxyPassReverse / http://${NAME}/
+
+ # Ensures httpd stdout/stderr are seen by docker logs.
+ ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
+ CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
+ </VirtualHost>
+ authentication.conf: |
+ # Load appropriate authentication configuration files
+ #
+ Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
+ configuration-internal-auth: |
+ # Internal authentication
+ #
+ configuration-external-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/http.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-active-directory-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/krb5.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-saml-auth: |
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+ <Location />
+ MellonEnable "info"
+
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
+ MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
+ MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
+
+ MellonVariable "sp-cookie"
+ MellonSecureCookie On
+ MellonCookiePath "/"
+
+ MellonIdP "IDP"
+
+ MellonEndpointPath "/saml2"
+
+ MellonUser username
+ MellonMergeEnvVars On
+
+ MellonSetEnvNoPrefix "REMOTE_USER" username
+ MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
+ MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
+ MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
+ MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
+ MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
+ </Location>
+
+ <Location /saml_login>
+ AuthType "Mellon"
+ MellonEnable "auth"
+ Require valid-user
+ </Location>
+
+ Include "conf.d/external-auth-remote-user-conf"
+ external-auth-load-modules-conf: |
+ LoadModule authnz_pam_module modules/mod_authnz_pam.so
+ LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
+ LoadModule auth_kerb_module modules/mod_auth_kerb.so
+ external-auth-login-form-conf: |
+ <Location /dashboard/external_authenticate>
+ InterceptFormPAMService httpd-auth
+ InterceptFormLogin user_name
+ InterceptFormPassword user_password
+ InterceptFormLoginSkip admin
+ InterceptFormClearRemoteUserForSkipped on
+ </Location>
+ external-auth-application-api-conf: |
+ <LocationMatch ^/api>
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
+
+ AuthType Basic
+ AuthName "External Authentication (httpd) for API"
+ AuthBasicProvider PAM
+
+ AuthPAMService httpd-auth
+ Require valid-user
+ Order Allow,Deny
+ Allow from env=let_admin_in
+ Allow from env=let_api_token_in
+ Allow from env=let_sys_token_in
+ Satisfy Any
+ </LocationMatch>
+ external-auth-lookup-user-details-conf: |
+ <LocationMatch ^/dashboard/external_authenticate$|^/dashboard/kerberos_authenticate$|^/api>
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ LookupUserAttr displayname REMOTE_USER_FULLNAME
+ LookupUserAttr domainname REMOTE_USER_DOMAIN
+
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ LookupDbusTimeout 5000
+ </LocationMatch>
+ external-auth-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ data:
+ auth-type: internal
+ auth-kerberos-realms: undefined
+ auth-configuration.conf: |
+ # External Authentication Configuration File
+ #
+ # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_DBUS_API_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server dbus api
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http-dbus-api
+ port: 8080
+ targetPort: 8080
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy httpd
+ spec:
+ strategy:
+ type: Recreate
+ recreateParams:
+ timeoutSeconds: 1200
+ triggers:
+ - type: ConfigChange
+ replicas: 1
+ selector:
+ name: "${HTTPD_SERVICE_NAME}"
+ template:
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ labels:
+ name: "${HTTPD_SERVICE_NAME}"
+ spec:
+ volumes:
+ - name: httpd-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ - name: httpd-auth-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ containers:
+ - name: httpd
+ image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - httpd
+ initialDelaySeconds: 15
+ timeoutSeconds: 3
+ readinessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 10
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: httpd-config
+ mountPath: "${HTTPD_CONFIG_DIR}"
+ - name: httpd-auth-config
+ mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+ resources:
+ requests:
+ memory: "${HTTPD_MEM_REQ}"
+ cpu: "${HTTPD_CPU_REQ}"
+ limits:
+ memory: "${HTTPD_MEM_LIMIT}"
+ env:
+ - name: HTTPD_AUTH_TYPE
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-type
+ - name: HTTPD_AUTH_KERBEROS_REALMS
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-kerberos-realms
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - "/usr/bin/save-container-environment"
+ serviceAccount: cfme-httpd
+ serviceAccountName: cfme-httpd
+parameters:
+- name: NAME
+ displayName: Name
+ required: true
+ description: The name assigned to all of the frontend objects defined in this template.
+ value: cloudforms
+- name: V2_KEY
+ displayName: CloudForms Encryption Key
+ required: true
+ description: Encryption Key for CloudForms Passwords
+ from: "[a-zA-Z0-9]{43}"
+ generate: expression
+- name: DATABASE_SERVICE_NAME
+ displayName: PostgreSQL Service Name
+ required: true
+ description: The name of the OpenShift Service exposed for the PostgreSQL container.
+ value: postgresql
+- name: DATABASE_USER
+ displayName: PostgreSQL User
+ required: true
+ description: PostgreSQL user that will access the database.
+ value: root
+- name: DATABASE_PASSWORD
+ displayName: PostgreSQL Password
+ required: true
+ description: Password for the PostgreSQL user.
+ from: "[a-zA-Z0-9]{8}"
+ generate: expression
+- name: DATABASE_IP
+ displayName: PostgreSQL Server IP
+ required: true
+ description: PostgreSQL external server IP used to configure service.
+ value: ''
+- name: DATABASE_PORT
+ displayName: PostgreSQL Server Port
+ required: true
+ description: PostgreSQL external server port used to configure service.
+ value: '5432'
+- name: DATABASE_NAME
+ required: true
+ displayName: PostgreSQL Database Name
+ description: Name of the PostgreSQL database accessed.
+ value: vmdb_production
+- name: DATABASE_REGION
+ required: true
+ displayName: Application Database Region
+ description: Database region that will be used for application.
+ value: '0'
+- name: APPLICATION_ADMIN_PASSWORD
+ displayName: Application Admin Password
+ required: true
+ description: Admin password that will be set on the application.
+ value: smartvm
+- name: ANSIBLE_DATABASE_NAME
+ displayName: Ansible PostgreSQL database name
+ required: true
+ description: The database to be used by the Ansible continer
+ value: awx
+- name: MEMCACHED_SERVICE_NAME
+ required: true
+ displayName: Memcached Service Name
+ description: The name of the OpenShift Service exposed for the Memcached container.
+ value: memcached
+- name: MEMCACHED_MAX_MEMORY
+ displayName: Memcached Max Memory
+ description: Memcached maximum memory for memcached object storage in MB.
+ value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+ displayName: Memcached Max Connections
+ description: Memcached maximum number of connections allowed.
+ value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+ displayName: Memcached Slab Page Size
+ description: Memcached size of each slab page.
+ value: 1m
+- name: ANSIBLE_SERVICE_NAME
+ displayName: Ansible Service Name
+ description: The name of the OpenShift Service exposed for the Ansible container.
+ value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+ displayName: Ansible admin User password
+ required: true
+ description: The password for the Ansible container admin user
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: ANSIBLE_SECRET_KEY
+ displayName: Ansible Secret Key
+ required: true
+ description: Encryption key for the Ansible container
+ from: "[a-f0-9]{32}"
+ generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+ displayName: RabbitMQ Username
+ required: true
+ description: Username for the Ansible RabbitMQ Server
+ value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+ displayName: RabbitMQ Server Password
+ required: true
+ description: Password for the Ansible RabbitMQ Server
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: APPLICATION_CPU_REQ
+ displayName: Application Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+ value: 1000m
+- name: MEMCACHED_CPU_REQ
+ displayName: Memcached Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+ value: 200m
+- name: ANSIBLE_CPU_REQ
+ displayName: Ansible Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+ value: 1000m
+- name: APPLICATION_MEM_REQ
+ displayName: Application Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Application container will need.
+ value: 6144Mi
+- name: MEMCACHED_MEM_REQ
+ displayName: Memcached Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Memcached container will need.
+ value: 64Mi
+- name: ANSIBLE_MEM_REQ
+ displayName: Ansible Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Ansible container will need.
+ value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+ displayName: Application Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Application container can consume.
+ value: 16384Mi
+- name: MEMCACHED_MEM_LIMIT
+ displayName: Memcached Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Memcached container can consume.
+ value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+ displayName: Ansible Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Ansible container can consume.
+ value: 8096Mi
+- name: MEMCACHED_IMG_NAME
+ displayName: Memcached Image Name
+ description: This is the Memcached image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-memcached
+- name: MEMCACHED_IMG_TAG
+ displayName: Memcached Image Tag
+ description: This is the Memcached image tag/version requested to deploy.
+ value: latest
+- name: FRONTEND_APPLICATION_IMG_NAME
+ displayName: Frontend Application Image Name
+ description: This is the Frontend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app-ui
+- name: BACKEND_APPLICATION_IMG_NAME
+ displayName: Backend Application Image Name
+ description: This is the Backend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app
+- name: FRONTEND_APPLICATION_IMG_TAG
+ displayName: Front end Application Image Tag
+ description: This is the CloudForms Frontend Application image tag/version requested to deploy.
+ value: latest
+- name: BACKEND_APPLICATION_IMG_TAG
+ displayName: Back end Application Image Tag
+ description: This is the CloudForms Backend Application image tag/version requested to deploy.
+ value: latest
+- name: ANSIBLE_IMG_NAME
+ displayName: Ansible Image Name
+ description: This is the Ansible image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-embedded-ansible
+- name: ANSIBLE_IMG_TAG
+ displayName: Ansible Image Tag
+ description: This is the Ansible image tag/version requested to deploy.
+ value: latest
+- name: APPLICATION_DOMAIN
+ displayName: Application Hostname
+ description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+ value: ''
+- name: APPLICATION_REPLICA_COUNT
+ displayName: Application Replica Count
+ description: This is the number of Application replicas requested to deploy.
+ value: '1'
+- name: APPLICATION_INIT_DELAY
+ displayName: Application Init Delay
+ required: true
+ description: Delay in seconds before we attempt to initialize the application.
+ value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+ displayName: Application Volume Capacity
+ required: true
+ description: Volume space available for application data.
+ value: 5Gi
+- name: HTTPD_SERVICE_NAME
+ required: true
+ displayName: Apache httpd Service Name
+ description: The name of the OpenShift Service exposed for the httpd container.
+ value: httpd
+- name: HTTPD_DBUS_API_SERVICE_NAME
+ required: true
+ displayName: Apache httpd DBus API Service Name
+ description: The name of httpd dbus api service.
+ value: httpd-dbus-api
+- name: HTTPD_IMG_NAME
+ displayName: Apache httpd Image Name
+ description: This is the httpd image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd
+- name: HTTPD_IMG_TAG
+ displayName: Apache httpd Image Tag
+ description: This is the httpd image tag/version requested to deploy.
+ value: latest
+- name: HTTPD_CONFIG_DIR
+ displayName: Apache httpd Configuration Directory
+ description: Directory used to store the Apache configuration files.
+ value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+ displayName: External Authentication Configuration Directory
+ description: Directory used to store the external authentication configuration files.
+ value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+ displayName: Apache httpd Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+ value: 500m
+- name: HTTPD_MEM_REQ
+ displayName: Apache httpd Min RAM Requested
+ required: true
+ description: Minimum amount of memory the httpd container will need.
+ value: 512Mi
+- name: HTTPD_MEM_LIMIT
+ displayName: Apache httpd Max RAM Limit
+ required: true
+ description: Maximum amount of memory the httpd container can consume.
+ value: 8192Mi
diff --git a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template.yaml b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template.yaml
index 3bc6c5813..5c757b6c2 100644
--- a/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template.yaml
+++ b/roles/openshift_examples/files/examples/v3.7/cfme-templates/cfme-template.yaml
@@ -5,17 +5,308 @@ labels:
metadata:
name: cloudforms
annotations:
- description: "CloudForms appliance with persistent storage"
- tags: "instant-app,cloudforms,cfme"
- iconClass: "icon-rails"
+ description: CloudForms appliance with persistent storage
+ tags: instant-app,cloudforms,cfme
+ iconClass: icon-rails
objects:
- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-orchestrator
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-anyuid
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-privileged
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-httpd
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${NAME}-secrets"
+ stringData:
+ pg-password: "${DATABASE_PASSWORD}"
+ admin-password: "${APPLICATION_ADMIN_PASSWORD}"
+ database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+ v2-key: "${V2_KEY}"
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ stringData:
+ rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+ secret-key: "${ANSIBLE_SECRET_KEY}"
+ admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${DATABASE_SERVICE_NAME}-configs"
+ data:
+ 01_miq_overrides.conf: |
+ #------------------------------------------------------------------------------
+ # CONNECTIONS AND AUTHENTICATION
+ #------------------------------------------------------------------------------
+
+ tcp_keepalives_count = 9
+ tcp_keepalives_idle = 3
+ tcp_keepalives_interval = 75
+
+ #------------------------------------------------------------------------------
+ # RESOURCE USAGE (except WAL)
+ #------------------------------------------------------------------------------
+
+ shared_preload_libraries = 'pglogical,repmgr_funcs'
+ max_worker_processes = 10
+
+ #------------------------------------------------------------------------------
+ # WRITE AHEAD LOG
+ #------------------------------------------------------------------------------
+
+ wal_level = 'logical'
+ wal_log_hints = on
+ wal_buffers = 16MB
+ checkpoint_completion_target = 0.9
+
+ #------------------------------------------------------------------------------
+ # REPLICATION
+ #------------------------------------------------------------------------------
+
+ max_wal_senders = 10
+ wal_sender_timeout = 0
+ max_replication_slots = 10
+ hot_standby = on
+
+ #------------------------------------------------------------------------------
+ # ERROR REPORTING AND LOGGING
+ #------------------------------------------------------------------------------
+
+ log_filename = 'postgresql.log'
+ log_rotation_age = 0
+ log_min_duration_statement = 5000
+ log_connections = on
+ log_disconnections = on
+ log_line_prefix = '%t:%r:%c:%u@%d:[%p]:'
+ log_lock_waits = on
+
+ #------------------------------------------------------------------------------
+ # AUTOVACUUM PARAMETERS
+ #------------------------------------------------------------------------------
+
+ log_autovacuum_min_duration = 0
+ autovacuum_naptime = 5min
+ autovacuum_vacuum_threshold = 500
+ autovacuum_analyze_threshold = 500
+ autovacuum_vacuum_scale_factor = 0.05
+
+ #------------------------------------------------------------------------------
+ # LOCK MANAGEMENT
+ #------------------------------------------------------------------------------
+
+ deadlock_timeout = 5s
+
+ #------------------------------------------------------------------------------
+ # VERSION/PLATFORM COMPATIBILITY
+ #------------------------------------------------------------------------------
+
+ escape_string_warning = off
+ standard_conforming_strings = off
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ data:
+ application.conf: |
+ # Timeout: The number of seconds before receives and sends time out.
+ Timeout 120
+
+ RewriteEngine On
+ Options SymLinksIfOwnerMatch
+
+ <VirtualHost *:80>
+ KeepAlive on
+ # Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
+ ServerName https://%{REQUEST_HOST}
+
+ ProxyPreserveHost on
+
+ RewriteCond %{REQUEST_URI} ^/ws [NC]
+ RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
+ RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
+
+ # For httpd, some ErrorDocuments must by served by the httpd pod
+ RewriteCond %{REQUEST_URI} !^/proxy_pages
+
+ # For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
+ RewriteCond %{REQUEST_URI} !^/saml2
+ RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
+ ProxyPassReverse / http://${NAME}/
+
+ # Ensures httpd stdout/stderr are seen by docker logs.
+ ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
+ CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
+ </VirtualHost>
+ authentication.conf: |
+ # Load appropriate authentication configuration files
+ #
+ Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
+ configuration-internal-auth: |
+ # Internal authentication
+ #
+ configuration-external-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/http.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-active-directory-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/krb5.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-saml-auth: |
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+ <Location />
+ MellonEnable "info"
+
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
+ MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
+ MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
+
+ MellonVariable "sp-cookie"
+ MellonSecureCookie On
+ MellonCookiePath "/"
+
+ MellonIdP "IDP"
+
+ MellonEndpointPath "/saml2"
+
+ MellonUser username
+ MellonMergeEnvVars On
+
+ MellonSetEnvNoPrefix "REMOTE_USER" username
+ MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
+ MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
+ MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
+ MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
+ MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
+ </Location>
+
+ <Location /saml_login>
+ AuthType "Mellon"
+ MellonEnable "auth"
+ Require valid-user
+ </Location>
+
+ Include "conf.d/external-auth-remote-user-conf"
+ external-auth-load-modules-conf: |
+ LoadModule authnz_pam_module modules/mod_authnz_pam.so
+ LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
+ LoadModule auth_kerb_module modules/mod_auth_kerb.so
+ external-auth-login-form-conf: |
+ <Location /dashboard/external_authenticate>
+ InterceptFormPAMService httpd-auth
+ InterceptFormLogin user_name
+ InterceptFormPassword user_password
+ InterceptFormLoginSkip admin
+ InterceptFormClearRemoteUserForSkipped on
+ </Location>
+ external-auth-application-api-conf: |
+ <LocationMatch ^/api>
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
+
+ AuthType Basic
+ AuthName "External Authentication (httpd) for API"
+ AuthBasicProvider PAM
+
+ AuthPAMService httpd-auth
+ Require valid-user
+ Order Allow,Deny
+ Allow from env=let_admin_in
+ Allow from env=let_api_token_in
+ Allow from env=let_sys_token_in
+ Satisfy Any
+ </LocationMatch>
+ external-auth-lookup-user-details-conf: |
+ <LocationMatch ^/dashboard/external_authenticate$|^/dashboard/kerberos_authenticate$|^/api>
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ LookupUserAttr displayname REMOTE_USER_FULLNAME
+ LookupUserAttr domainname REMOTE_USER_DOMAIN
+
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ LookupDbusTimeout 5000
+ </LocationMatch>
+ external-auth-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ data:
+ auth-type: internal
+ auth-kerberos-realms: undefined
+ auth-configuration.conf: |
+ # External Authentication Configuration File
+ #
+ # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
kind: Service
metadata:
annotations:
- description: "Exposes and load balances CloudForms pods"
+ description: Exposes and load balances CloudForms pods
service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
- name: ${NAME}
+ name: "${NAME}"
spec:
clusterIP: None
ports:
@@ -23,141 +314,97 @@ objects:
port: 80
protocol: TCP
targetPort: 80
- - name: https
- port: 443
- protocol: TCP
- targetPort: 443
selector:
- name: ${NAME}
+ name: "${NAME}"
- apiVersion: v1
kind: Route
metadata:
- name: ${NAME}
+ name: "${HTTPD_SERVICE_NAME}"
spec:
- host: ${APPLICATION_DOMAIN}
+ host: "${APPLICATION_DOMAIN}"
port:
- targetPort: https
+ targetPort: http
tls:
- termination: passthrough
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
to:
kind: Service
- name: ${NAME}
-- apiVersion: v1
- kind: ImageStream
- metadata:
- name: cfme-openshift-app
- annotations:
- description: "Keeps track of changes in the CloudForms app image"
- spec:
- dockerImageRepository: "${APPLICATION_IMG_NAME}"
-- apiVersion: v1
- kind: ImageStream
- metadata:
- name: cfme-openshift-postgresql
- annotations:
- description: "Keeps track of changes in the CloudForms postgresql image"
- spec:
- dockerImageRepository: "${POSTGRESQL_IMG_NAME}"
-- apiVersion: v1
- kind: ImageStream
- metadata:
- name: cfme-openshift-memcached
- annotations:
- description: "Keeps track of changes in the CloudForms memcached image"
- spec:
- dockerImageRepository: "${MEMCACHED_IMG_NAME}"
+ name: "${HTTPD_SERVICE_NAME}"
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: "${NAME}-${DATABASE_SERVICE_NAME}"
spec:
accessModes:
- - ReadWriteOnce
+ - ReadWriteOnce
resources:
requests:
- storage: ${DATABASE_VOLUME_CAPACITY}
-- apiVersion: v1
- kind: PersistentVolumeClaim
- metadata:
- name: "${NAME}-region"
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: ${APPLICATION_REGION_VOLUME_CAPACITY}
+ storage: "${DATABASE_VOLUME_CAPACITY}"
- apiVersion: apps/v1beta1
- kind: "StatefulSet"
+ kind: StatefulSet
metadata:
- name: ${NAME}
+ name: "${NAME}"
annotations:
- description: "Defines how to deploy the CloudForms appliance"
+ description: Defines how to deploy the CloudForms appliance
spec:
serviceName: "${NAME}"
- replicas: 1
+ replicas: "${APPLICATION_REPLICA_COUNT}"
template:
metadata:
labels:
- name: ${NAME}
- name: ${NAME}
+ name: "${NAME}"
+ name: "${NAME}"
spec:
containers:
- name: cloudforms
- image: "${APPLICATION_IMG_NAME}:${APPLICATION_IMG_TAG}"
+ image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
livenessProbe:
- tcpSocket:
- port: 443
+ exec:
+ command:
+ - pidof
+ - MIQ Server
initialDelaySeconds: 480
timeoutSeconds: 3
readinessProbe:
- httpGet:
- path: /
- port: 443
- scheme: HTTPS
+ tcpSocket:
+ port: 80
initialDelaySeconds: 200
timeoutSeconds: 3
ports:
- containerPort: 80
protocol: TCP
- - containerPort: 443
- protocol: TCP
- securityContext:
- privileged: true
volumeMounts:
- -
- name: "${NAME}-server"
- mountPath: "/persistent"
- -
- name: "${NAME}-region"
- mountPath: "/persistent-region"
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
env:
- -
- name: "APPLICATION_INIT_DELAY"
- value: "${APPLICATION_INIT_DELAY}"
- -
- name: "DATABASE_SERVICE_NAME"
- value: "${DATABASE_SERVICE_NAME}"
- -
- name: "DATABASE_REGION"
- value: "${DATABASE_REGION}"
- -
- name: "MEMCACHED_SERVICE_NAME"
- value: "${MEMCACHED_SERVICE_NAME}"
- -
- name: "POSTGRESQL_USER"
- value: "${DATABASE_USER}"
- -
- name: "POSTGRESQL_PASSWORD"
- value: "${DATABASE_PASSWORD}"
- -
- name: "POSTGRESQL_DATABASE"
- value: "${DATABASE_NAME}"
- -
- name: "POSTGRESQL_MAX_CONNECTIONS"
- value: "${POSTGRESQL_MAX_CONNECTIONS}"
- -
- name: "POSTGRESQL_SHARED_BUFFERS"
- value: "${POSTGRESQL_SHARED_BUFFERS}"
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_REGION
+ value: "${DATABASE_REGION}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: APPLICATION_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: admin-password
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
resources:
requests:
memory: "${APPLICATION_MEM_REQ}"
@@ -168,59 +415,128 @@ objects:
preStop:
exec:
command:
- - /opt/rh/cfme-container-scripts/sync-pv-data
- volumes:
- -
- name: "${NAME}-region"
- persistentVolumeClaim:
- claimName: ${NAME}-region
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
volumeClaimTemplates:
- - metadata:
- name: "${NAME}-server"
- annotations:
- # Uncomment this if using dynamic volume provisioning.
- # https://docs.openshift.org/latest/install_config/persistent_storage/dynamically_provisioning_pvs.html
- # volume.alpha.kubernetes.io/storage-class: anything
- spec:
- accessModes: [ ReadWriteOnce ]
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Headless service for CloudForms backend pods
+ name: "${NAME}-backend"
+ spec:
+ clusterIP: None
+ selector:
+ name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+ kind: StatefulSet
+ metadata:
+ name: "${NAME}-backend"
+ annotations:
+ description: Defines how to deploy the CloudForms appliance
+ spec:
+ serviceName: "${NAME}-backend"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${NAME}-backend"
+ name: "${NAME}-backend"
+ spec:
+ containers:
+ - name: cloudforms
+ image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - MIQ Server
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
+ env:
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: MIQ_SERVER_DEFAULT_ROLES
+ value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+ - name: FRONTEND_SERVICE_NAME
+ value: "${NAME}"
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
resources:
requests:
- storage: "${APPLICATION_VOLUME_CAPACITY}"
+ memory: "${APPLICATION_MEM_REQ}"
+ cpu: "${APPLICATION_CPU_REQ}"
+ limits:
+ memory: "${APPLICATION_MEM_LIMIT}"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
+ volumeClaimTemplates:
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
- apiVersion: v1
- kind: "Service"
+ kind: Service
metadata:
name: "${MEMCACHED_SERVICE_NAME}"
annotations:
- description: "Exposes the memcached server"
+ description: Exposes the memcached server
spec:
ports:
- -
- name: "memcached"
- port: 11211
- targetPort: 11211
+ - name: memcached
+ port: 11211
+ targetPort: 11211
selector:
name: "${MEMCACHED_SERVICE_NAME}"
- apiVersion: v1
- kind: "DeploymentConfig"
+ kind: DeploymentConfig
metadata:
name: "${MEMCACHED_SERVICE_NAME}"
annotations:
- description: "Defines how to deploy memcached"
+ description: Defines how to deploy memcached
spec:
strategy:
- type: "Recreate"
+ type: Recreate
triggers:
- -
- type: "ImageChange"
- imageChangeParams:
- automatic: true
- containerNames:
- - "memcached"
- from:
- kind: "ImageStreamTag"
- name: "cfme-openshift-memcached:${MEMCACHED_IMG_TAG}"
- -
- type: "ConfigChange"
+ - type: ConfigChange
replicas: 1
selector:
name: "${MEMCACHED_SERVICE_NAME}"
@@ -232,74 +548,58 @@ objects:
spec:
volumes: []
containers:
- -
- name: "memcached"
- image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
- ports:
- -
- containerPort: 11211
- readinessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 5
- tcpSocket:
- port: 11211
- livenessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 30
- tcpSocket:
- port: 11211
- volumeMounts: []
- env:
- -
- name: "MEMCACHED_MAX_MEMORY"
- value: "${MEMCACHED_MAX_MEMORY}"
- -
- name: "MEMCACHED_MAX_CONNECTIONS"
- value: "${MEMCACHED_MAX_CONNECTIONS}"
- -
- name: "MEMCACHED_SLAB_PAGE_SIZE"
- value: "${MEMCACHED_SLAB_PAGE_SIZE}"
- resources:
- requests:
- memory: "${MEMCACHED_MEM_REQ}"
- cpu: "${MEMCACHED_CPU_REQ}"
- limits:
- memory: "${MEMCACHED_MEM_LIMIT}"
+ - name: memcached
+ image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+ ports:
+ - containerPort: 11211
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 5
+ tcpSocket:
+ port: 11211
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 30
+ tcpSocket:
+ port: 11211
+ volumeMounts: []
+ env:
+ - name: MEMCACHED_MAX_MEMORY
+ value: "${MEMCACHED_MAX_MEMORY}"
+ - name: MEMCACHED_MAX_CONNECTIONS
+ value: "${MEMCACHED_MAX_CONNECTIONS}"
+ - name: MEMCACHED_SLAB_PAGE_SIZE
+ value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+ resources:
+ requests:
+ memory: "${MEMCACHED_MEM_REQ}"
+ cpu: "${MEMCACHED_CPU_REQ}"
+ limits:
+ memory: "${MEMCACHED_MEM_LIMIT}"
- apiVersion: v1
- kind: "Service"
+ kind: Service
metadata:
name: "${DATABASE_SERVICE_NAME}"
annotations:
- description: "Exposes the database server"
+ description: Exposes the database server
spec:
ports:
- -
- name: "postgresql"
- port: 5432
- targetPort: 5432
+ - name: postgresql
+ port: 5432
+ targetPort: 5432
selector:
name: "${DATABASE_SERVICE_NAME}"
- apiVersion: v1
- kind: "DeploymentConfig"
+ kind: DeploymentConfig
metadata:
name: "${DATABASE_SERVICE_NAME}"
annotations:
- description: "Defines how to deploy the database"
+ description: Defines how to deploy the database
spec:
strategy:
- type: "Recreate"
+ type: Recreate
triggers:
- -
- type: "ImageChange"
- imageChangeParams:
- automatic: true
- containerNames:
- - "postgresql"
- from:
- kind: "ImageStreamTag"
- name: "cfme-openshift-postgresql:${POSTGRESQL_IMG_TAG}"
- -
- type: "ConfigChange"
+ - type: ConfigChange
replicas: 1
selector:
name: "${DATABASE_SERVICE_NAME}"
@@ -310,236 +610,524 @@ objects:
name: "${DATABASE_SERVICE_NAME}"
spec:
volumes:
- -
- name: "cfme-pgdb-volume"
- persistentVolumeClaim:
- claimName: "${NAME}-${DATABASE_SERVICE_NAME}"
+ - name: cfme-pgdb-volume
+ persistentVolumeClaim:
+ claimName: "${NAME}-${DATABASE_SERVICE_NAME}"
+ - name: cfme-pg-configs
+ configMap:
+ name: "${DATABASE_SERVICE_NAME}-configs"
containers:
- -
- name: "postgresql"
- image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"
- ports:
- -
- containerPort: 5432
- readinessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 15
+ - name: postgresql
+ image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"
+ ports:
+ - containerPort: 5432
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 15
+ exec:
+ command:
+ - "/bin/sh"
+ - "-i"
+ - "-c"
+ - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 60
+ tcpSocket:
+ port: 5432
+ volumeMounts:
+ - name: cfme-pgdb-volume
+ mountPath: "/var/lib/pgsql/data"
+ - name: cfme-pg-configs
+ mountPath: "${POSTGRESQL_CONFIG_DIR}"
+ env:
+ - name: POSTGRESQL_USER
+ value: "${DATABASE_USER}"
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: pg-password
+ - name: POSTGRESQL_DATABASE
+ value: "${DATABASE_NAME}"
+ - name: POSTGRESQL_MAX_CONNECTIONS
+ value: "${POSTGRESQL_MAX_CONNECTIONS}"
+ - name: POSTGRESQL_SHARED_BUFFERS
+ value: "${POSTGRESQL_SHARED_BUFFERS}"
+ - name: POSTGRESQL_CONFIG_DIR
+ value: "${POSTGRESQL_CONFIG_DIR}"
+ resources:
+ requests:
+ memory: "${POSTGRESQL_MEM_REQ}"
+ cpu: "${POSTGRESQL_CPU_REQ}"
+ limits:
+ memory: "${POSTGRESQL_MEM_LIMIT}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances Ansible pods
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy the Ansible appliance
+ spec:
+ strategy:
+ type: Recreate
+ serviceName: "${ANSIBLE_SERVICE_NAME}"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ containers:
+ - name: ansible
+ image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+ livenessProbe:
+ tcpSocket:
+ port: 443
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 200
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 443
+ protocol: TCP
+ securityContext:
+ privileged: true
+ env:
+ - name: ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ - name: RABBITMQ_USER_NAME
+ value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+ - name: RABBITMQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: rabbit-password
+ - name: ANSIBLE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: secret-key
+ - name: DATABASE_SERVICE_NAME
+ value: "${DATABASE_SERVICE_NAME}"
+ - name: POSTGRESQL_USER
+ value: "${DATABASE_USER}"
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: pg-password
+ - name: POSTGRESQL_DATABASE
+ value: "${ANSIBLE_DATABASE_NAME}"
+ resources:
+ requests:
+ memory: "${ANSIBLE_MEM_REQ}"
+ cpu: "${ANSIBLE_CPU_REQ}"
+ limits:
+ memory: "${ANSIBLE_MEM_LIMIT}"
+ serviceAccount: cfme-privileged
+ serviceAccountName: cfme-privileged
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_DBUS_API_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server dbus api
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http-dbus-api
+ port: 8080
+ targetPort: 8080
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy httpd
+ spec:
+ strategy:
+ type: Recreate
+ recreateParams:
+ timeoutSeconds: 1200
+ triggers:
+ - type: ConfigChange
+ replicas: 1
+ selector:
+ name: "${HTTPD_SERVICE_NAME}"
+ template:
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ labels:
+ name: "${HTTPD_SERVICE_NAME}"
+ spec:
+ volumes:
+ - name: httpd-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ - name: httpd-auth-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ containers:
+ - name: httpd
+ image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - httpd
+ initialDelaySeconds: 15
+ timeoutSeconds: 3
+ readinessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 10
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: httpd-config
+ mountPath: "${HTTPD_CONFIG_DIR}"
+ - name: httpd-auth-config
+ mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+ resources:
+ requests:
+ memory: "${HTTPD_MEM_REQ}"
+ cpu: "${HTTPD_CPU_REQ}"
+ limits:
+ memory: "${HTTPD_MEM_LIMIT}"
+ env:
+ - name: HTTPD_AUTH_TYPE
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-type
+ - name: HTTPD_AUTH_KERBEROS_REALMS
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-kerberos-realms
+ lifecycle:
+ postStart:
exec:
command:
- - "/bin/sh"
- - "-i"
- - "-c"
- - "psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'"
- livenessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 60
- tcpSocket:
- port: 5432
- volumeMounts:
- -
- name: "cfme-pgdb-volume"
- mountPath: "/var/lib/pgsql/data"
- env:
- -
- name: "POSTGRESQL_USER"
- value: "${DATABASE_USER}"
- -
- name: "POSTGRESQL_PASSWORD"
- value: "${DATABASE_PASSWORD}"
- -
- name: "POSTGRESQL_DATABASE"
- value: "${DATABASE_NAME}"
- -
- name: "POSTGRESQL_MAX_CONNECTIONS"
- value: "${POSTGRESQL_MAX_CONNECTIONS}"
- -
- name: "POSTGRESQL_SHARED_BUFFERS"
- value: "${POSTGRESQL_SHARED_BUFFERS}"
- resources:
- requests:
- memory: "${POSTGRESQL_MEM_REQ}"
- cpu: "${POSTGRESQL_CPU_REQ}"
- limits:
- memory: "${POSTGRESQL_MEM_LIMIT}"
-
+ - "/usr/bin/save-container-environment"
+ serviceAccount: cfme-httpd
+ serviceAccountName: cfme-httpd
parameters:
- -
- name: "NAME"
- displayName: Name
- required: true
- description: "The name assigned to all of the frontend objects defined in this template."
- value: cloudforms
- -
- name: "DATABASE_SERVICE_NAME"
- displayName: "PostgreSQL Service Name"
- required: true
- description: "The name of the OpenShift Service exposed for the PostgreSQL container."
- value: "postgresql"
- -
- name: "DATABASE_USER"
- displayName: "PostgreSQL User"
- required: true
- description: "PostgreSQL user that will access the database."
- value: "root"
- -
- name: "DATABASE_PASSWORD"
- displayName: "PostgreSQL Password"
- required: true
- description: "Password for the PostgreSQL user."
- value: "smartvm"
- -
- name: "DATABASE_NAME"
- required: true
- displayName: "PostgreSQL Database Name"
- description: "Name of the PostgreSQL database accessed."
- value: "vmdb_production"
- -
- name: "DATABASE_REGION"
- required: true
- displayName: "Application Database Region"
- description: "Database region that will be used for application."
- value: "0"
- -
- name: "MEMCACHED_SERVICE_NAME"
- required: true
- displayName: "Memcached Service Name"
- description: "The name of the OpenShift Service exposed for the Memcached container."
- value: "memcached"
- -
- name: "MEMCACHED_MAX_MEMORY"
- displayName: "Memcached Max Memory"
- description: "Memcached maximum memory for memcached object storage in MB."
- value: "64"
- -
- name: "MEMCACHED_MAX_CONNECTIONS"
- displayName: "Memcached Max Connections"
- description: "Memcached maximum number of connections allowed."
- value: "1024"
- -
- name: "MEMCACHED_SLAB_PAGE_SIZE"
- displayName: "Memcached Slab Page Size"
- description: "Memcached size of each slab page."
- value: "1m"
- -
- name: "POSTGRESQL_MAX_CONNECTIONS"
- displayName: "PostgreSQL Max Connections"
- description: "PostgreSQL maximum number of database connections allowed."
- value: "100"
- -
- name: "POSTGRESQL_SHARED_BUFFERS"
- displayName: "PostgreSQL Shared Buffer Amount"
- description: "Amount of memory dedicated for PostgreSQL shared memory buffers."
- value: "256MB"
- -
- name: "APPLICATION_CPU_REQ"
- displayName: "Application Min CPU Requested"
- required: true
- description: "Minimum amount of CPU time the Application container will need (expressed in millicores)."
- value: "1000m"
- -
- name: "POSTGRESQL_CPU_REQ"
- displayName: "PostgreSQL Min CPU Requested"
- required: true
- description: "Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores)."
- value: "500m"
- -
- name: "MEMCACHED_CPU_REQ"
- displayName: "Memcached Min CPU Requested"
- required: true
- description: "Minimum amount of CPU time the Memcached container will need (expressed in millicores)."
- value: "200m"
- -
- name: "APPLICATION_MEM_REQ"
- displayName: "Application Min RAM Requested"
- required: true
- description: "Minimum amount of memory the Application container will need."
- value: "6144Mi"
- -
- name: "POSTGRESQL_MEM_REQ"
- displayName: "PostgreSQL Min RAM Requested"
- required: true
- description: "Minimum amount of memory the PostgreSQL container will need."
- value: "1024Mi"
- -
- name: "MEMCACHED_MEM_REQ"
- displayName: "Memcached Min RAM Requested"
- required: true
- description: "Minimum amount of memory the Memcached container will need."
- value: "64Mi"
- -
- name: "APPLICATION_MEM_LIMIT"
- displayName: "Application Max RAM Limit"
- required: true
- description: "Maximum amount of memory the Application container can consume."
- value: "16384Mi"
- -
- name: "POSTGRESQL_MEM_LIMIT"
- displayName: "PostgreSQL Max RAM Limit"
- required: true
- description: "Maximum amount of memory the PostgreSQL container can consume."
- value: "8192Mi"
- -
- name: "MEMCACHED_MEM_LIMIT"
- displayName: "Memcached Max RAM Limit"
- required: true
- description: "Maximum amount of memory the Memcached container can consume."
- value: "256Mi"
- -
- name: "POSTGRESQL_IMG_NAME"
- displayName: "PostgreSQL Image Name"
- description: "This is the PostgreSQL image name requested to deploy."
- value: "registry.access.redhat.com/cloudforms45/cfme-openshift-postgresql"
- -
- name: "POSTGRESQL_IMG_TAG"
- displayName: "PostgreSQL Image Tag"
- description: "This is the PostgreSQL image tag/version requested to deploy."
- value: "latest"
- -
- name: "MEMCACHED_IMG_NAME"
- displayName: "Memcached Image Name"
- description: "This is the Memcached image name requested to deploy."
- value: "registry.access.redhat.com/cloudforms45/cfme-openshift-memcached"
- -
- name: "MEMCACHED_IMG_TAG"
- displayName: "Memcached Image Tag"
- description: "This is the Memcached image tag/version requested to deploy."
- value: "latest"
- -
- name: "APPLICATION_IMG_NAME"
- displayName: "Application Image Name"
- description: "This is the Application image name requested to deploy."
- value: "registry.access.redhat.com/cloudforms45/cfme-openshift-app"
- -
- name: "APPLICATION_IMG_TAG"
- displayName: "Application Image Tag"
- description: "This is the Application image tag/version requested to deploy."
- value: "latest"
- -
- name: "APPLICATION_DOMAIN"
- displayName: "Application Hostname"
- description: "The exposed hostname that will route to the application service, if left blank a value will be defaulted."
- value: ""
- -
- name: "APPLICATION_INIT_DELAY"
- displayName: "Application Init Delay"
- required: true
- description: "Delay in seconds before we attempt to initialize the application."
- value: "15"
- -
- name: "APPLICATION_VOLUME_CAPACITY"
- displayName: "Application Volume Capacity"
- required: true
- description: "Volume space available for application data."
- value: "5Gi"
- -
- name: "APPLICATION_REGION_VOLUME_CAPACITY"
- displayName: "Application Region Volume Capacity"
- required: true
- description: "Volume space available for region application data."
- value: "5Gi"
- -
- name: "DATABASE_VOLUME_CAPACITY"
- displayName: "Database Volume Capacity"
- required: true
- description: "Volume space available for database."
- value: "15Gi"
+- name: NAME
+ displayName: Name
+ required: true
+ description: The name assigned to all of the frontend objects defined in this template.
+ value: cloudforms
+- name: V2_KEY
+ displayName: CloudForms Encryption Key
+ required: true
+ description: Encryption Key for CloudForms Passwords
+ from: "[a-zA-Z0-9]{43}"
+ generate: expression
+- name: DATABASE_SERVICE_NAME
+ displayName: PostgreSQL Service Name
+ required: true
+ description: The name of the OpenShift Service exposed for the PostgreSQL container.
+ value: postgresql
+- name: DATABASE_USER
+ displayName: PostgreSQL User
+ required: true
+ description: PostgreSQL user that will access the database.
+ value: root
+- name: DATABASE_PASSWORD
+ displayName: PostgreSQL Password
+ required: true
+ description: Password for the PostgreSQL user.
+ from: "[a-zA-Z0-9]{8}"
+ generate: expression
+- name: DATABASE_NAME
+ required: true
+ displayName: PostgreSQL Database Name
+ description: Name of the PostgreSQL database accessed.
+ value: vmdb_production
+- name: DATABASE_REGION
+ required: true
+ displayName: Application Database Region
+ description: Database region that will be used for application.
+ value: '0'
+- name: APPLICATION_ADMIN_PASSWORD
+ displayName: Application Admin Password
+ required: true
+ description: Admin password that will be set on the application.
+ value: smartvm
+- name: ANSIBLE_DATABASE_NAME
+ displayName: Ansible PostgreSQL database name
+ required: true
+ description: The database to be used by the Ansible continer
+ value: awx
+- name: MEMCACHED_SERVICE_NAME
+ required: true
+ displayName: Memcached Service Name
+ description: The name of the OpenShift Service exposed for the Memcached container.
+ value: memcached
+- name: MEMCACHED_MAX_MEMORY
+ displayName: Memcached Max Memory
+ description: Memcached maximum memory for memcached object storage in MB.
+ value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+ displayName: Memcached Max Connections
+ description: Memcached maximum number of connections allowed.
+ value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+ displayName: Memcached Slab Page Size
+ description: Memcached size of each slab page.
+ value: 1m
+- name: POSTGRESQL_CONFIG_DIR
+ displayName: PostgreSQL Configuration Overrides
+ description: Directory used to store PostgreSQL configuration overrides.
+ value: "/var/lib/pgsql/conf.d"
+- name: POSTGRESQL_MAX_CONNECTIONS
+ displayName: PostgreSQL Max Connections
+ description: PostgreSQL maximum number of database connections allowed.
+ value: '1000'
+- name: POSTGRESQL_SHARED_BUFFERS
+ displayName: PostgreSQL Shared Buffer Amount
+ description: Amount of memory dedicated for PostgreSQL shared memory buffers.
+ value: 1GB
+- name: ANSIBLE_SERVICE_NAME
+ displayName: Ansible Service Name
+ description: The name of the OpenShift Service exposed for the Ansible container.
+ value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+ displayName: Ansible admin User password
+ required: true
+ description: The password for the Ansible container admin user
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: ANSIBLE_SECRET_KEY
+ displayName: Ansible Secret Key
+ required: true
+ description: Encryption key for the Ansible container
+ from: "[a-f0-9]{32}"
+ generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+ displayName: RabbitMQ Username
+ required: true
+ description: Username for the Ansible RabbitMQ Server
+ value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+ displayName: RabbitMQ Server Password
+ required: true
+ description: Password for the Ansible RabbitMQ Server
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: APPLICATION_CPU_REQ
+ displayName: Application Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+ value: 1000m
+- name: POSTGRESQL_CPU_REQ
+ displayName: PostgreSQL Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores).
+ value: 500m
+- name: MEMCACHED_CPU_REQ
+ displayName: Memcached Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+ value: 200m
+- name: ANSIBLE_CPU_REQ
+ displayName: Ansible Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+ value: 1000m
+- name: APPLICATION_MEM_REQ
+ displayName: Application Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Application container will need.
+ value: 6144Mi
+- name: POSTGRESQL_MEM_REQ
+ displayName: PostgreSQL Min RAM Requested
+ required: true
+ description: Minimum amount of memory the PostgreSQL container will need.
+ value: 4Gi
+- name: MEMCACHED_MEM_REQ
+ displayName: Memcached Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Memcached container will need.
+ value: 64Mi
+- name: ANSIBLE_MEM_REQ
+ displayName: Ansible Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Ansible container will need.
+ value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+ displayName: Application Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Application container can consume.
+ value: 16384Mi
+- name: POSTGRESQL_MEM_LIMIT
+ displayName: PostgreSQL Max RAM Limit
+ required: true
+ description: Maximum amount of memory the PostgreSQL container can consume.
+ value: 8Gi
+- name: MEMCACHED_MEM_LIMIT
+ displayName: Memcached Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Memcached container can consume.
+ value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+ displayName: Ansible Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Ansible container can consume.
+ value: 8096Mi
+- name: POSTGRESQL_IMG_NAME
+ displayName: PostgreSQL Image Name
+ description: This is the PostgreSQL image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql
+- name: POSTGRESQL_IMG_TAG
+ displayName: PostgreSQL Image Tag
+ description: This is the PostgreSQL image tag/version requested to deploy.
+ value: latest
+- name: MEMCACHED_IMG_NAME
+ displayName: Memcached Image Name
+ description: This is the Memcached image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-memcached
+- name: MEMCACHED_IMG_TAG
+ displayName: Memcached Image Tag
+ description: This is the Memcached image tag/version requested to deploy.
+ value: latest
+- name: FRONTEND_APPLICATION_IMG_NAME
+ displayName: Frontend Application Image Name
+ description: This is the Frontend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app-ui
+- name: BACKEND_APPLICATION_IMG_NAME
+ displayName: Backend Application Image Name
+ description: This is the Backend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app
+- name: FRONTEND_APPLICATION_IMG_TAG
+ displayName: Front end Application Image Tag
+ description: This is the CloudForms Frontend Application image tag/version requested to deploy.
+ value: latest
+- name: BACKEND_APPLICATION_IMG_TAG
+ displayName: Back end Application Image Tag
+ description: This is the CloudForms Backend Application image tag/version requested to deploy.
+ value: latest
+- name: ANSIBLE_IMG_NAME
+ displayName: Ansible Image Name
+ description: This is the Ansible image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-embedded-ansible
+- name: ANSIBLE_IMG_TAG
+ displayName: Ansible Image Tag
+ description: This is the Ansible image tag/version requested to deploy.
+ value: latest
+- name: APPLICATION_DOMAIN
+ displayName: Application Hostname
+ description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+ value: ''
+- name: APPLICATION_REPLICA_COUNT
+ displayName: Application Replica Count
+ description: This is the number of Application replicas requested to deploy.
+ value: '1'
+- name: APPLICATION_INIT_DELAY
+ displayName: Application Init Delay
+ required: true
+ description: Delay in seconds before we attempt to initialize the application.
+ value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+ displayName: Application Volume Capacity
+ required: true
+ description: Volume space available for application data.
+ value: 5Gi
+- name: DATABASE_VOLUME_CAPACITY
+ displayName: Database Volume Capacity
+ required: true
+ description: Volume space available for database.
+ value: 15Gi
+- name: HTTPD_SERVICE_NAME
+ required: true
+ displayName: Apache httpd Service Name
+ description: The name of the OpenShift Service exposed for the httpd container.
+ value: httpd
+- name: HTTPD_DBUS_API_SERVICE_NAME
+ required: true
+ displayName: Apache httpd DBus API Service Name
+ description: The name of httpd dbus api service.
+ value: httpd-dbus-api
+- name: HTTPD_IMG_NAME
+ displayName: Apache httpd Image Name
+ description: This is the httpd image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd
+- name: HTTPD_IMG_TAG
+ displayName: Apache httpd Image Tag
+ description: This is the httpd image tag/version requested to deploy.
+ value: latest
+- name: HTTPD_CONFIG_DIR
+ displayName: Apache Configuration Directory
+ description: Directory used to store the Apache configuration files.
+ value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+ displayName: External Authentication Configuration Directory
+ description: Directory used to store the external authentication configuration files.
+ value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+ displayName: Apache httpd Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+ value: 500m
+- name: HTTPD_MEM_REQ
+ displayName: Apache httpd Min RAM Requested
+ required: true
+ description: Minimum amount of memory the httpd container will need.
+ value: 512Mi
+- name: HTTPD_MEM_LIMIT
+ displayName: Apache httpd Max RAM Limit
+ required: true
+ description: Maximum amount of memory the httpd container can consume.
+ value: 8192Mi
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-job.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-job.yaml
new file mode 100644
index 000000000..48d1d4e26
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-job.yaml
@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cloudforms-backup
+spec:
+ template:
+ metadata:
+ name: cloudforms-backup
+ spec:
+ containers:
+ - name: postgresql
+ image: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql:latest
+ command:
+ - "/opt/rh/cfme-container-scripts/backup_db"
+ env:
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: cloudforms-secrets
+ key: database-url
+ volumeMounts:
+ - name: cfme-backup-vol
+ mountPath: "/backups"
+ volumes:
+ - name: cfme-backup-vol
+ persistentVolumeClaim:
+ claimName: cloudforms-backup
+ restartPolicy: Never
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-pvc.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-pvc.yaml
new file mode 100644
index 000000000..92598ce82
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-backup-pvc.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: cloudforms-backup
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 15Gi
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-backup-example.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-backup-example.yaml
new file mode 100644
index 000000000..4fe349897
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-backup-example.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: cfme-pv03
+spec:
+ capacity:
+ storage: 15Gi
+ accessModes:
+ - ReadWriteOnce
+ nfs:
+ path: "/exports/cfme-pv03"
+ server: "<your-nfs-host-here>"
+ persistentVolumeReclaimPolicy: Retain
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-db-example.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-db-example.yaml
index 250a99b8d..0cdd821b5 100644
--- a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-db-example.yaml
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-db-example.yaml
@@ -1,13 +1,38 @@
apiVersion: v1
-kind: PersistentVolume
+kind: Template
+labels:
+ template: cloudforms-db-pv
metadata:
- name: cfme-pv01
-spec:
- capacity:
- storage: 15Gi
- accessModes:
+ name: cloudforms-db-pv
+ annotations:
+ description: PV Template for CFME PostgreSQL DB
+ tags: PVS, CFME
+objects:
+- apiVersion: v1
+ kind: PersistentVolume
+ metadata:
+ name: cfme-db
+ spec:
+ capacity:
+ storage: "${PV_SIZE}"
+ accessModes:
- ReadWriteOnce
- nfs:
- path: /exports/cfme-pv01
- server: <your-nfs-host-here>
- persistentVolumeReclaimPolicy: Retain
+ nfs:
+ path: "${BASE_PATH}/cfme-db"
+ server: "${NFS_HOST}"
+ persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+ displayName: PV Size for DB
+ required: true
+ description: The size of the CFME DB PV given in Gi
+ value: 15Gi
+- name: BASE_PATH
+ displayName: Exports Directory Base Path
+ required: true
+ description: The parent directory of your NFS exports
+ value: "/exports"
+- name: NFS_HOST
+ displayName: NFS Server Hostname
+ required: true
+ description: The hostname or IP address of the NFS server
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-region-example.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-region-example.yaml
deleted file mode 100644
index cba9bbe35..000000000
--- a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-region-example.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: cfme-pv02
-spec:
- capacity:
- storage: 5Gi
- accessModes:
- - ReadWriteOnce
- nfs:
- path: /exports/cfme-pv02
- server: <your-nfs-host-here>
- persistentVolumeReclaimPolicy: Retain
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-server-example.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-server-example.yaml
index c08c21265..527090ae8 100644
--- a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-server-example.yaml
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-pv-server-example.yaml
@@ -1,13 +1,38 @@
apiVersion: v1
-kind: PersistentVolume
+kind: Template
+labels:
+ template: cloudforms-app-pv
metadata:
- name: cfme-pv03
-spec:
- capacity:
- storage: 5Gi
- accessModes:
+ name: cloudforms-app-pv
+ annotations:
+ description: PV Template for CFME Server
+ tags: PVS, CFME
+objects:
+- apiVersion: v1
+ kind: PersistentVolume
+ metadata:
+ name: cfme-app
+ spec:
+ capacity:
+ storage: "${PV_SIZE}"
+ accessModes:
- ReadWriteOnce
- nfs:
- path: /exports/cfme-pv03
- server: <your-nfs-host-here>
- persistentVolumeReclaimPolicy: Retain
+ nfs:
+ path: "${BASE_PATH}/cfme-app"
+ server: "${NFS_HOST}"
+ persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+ displayName: PV Size for App
+ required: true
+ description: The size of the CFME APP PV given in Gi
+ value: 5Gi
+- name: BASE_PATH
+ displayName: Exports Directory Base Path
+ required: true
+ description: The parent directory of your NFS exports
+ value: "/exports"
+- name: NFS_HOST
+ displayName: NFS Server Hostname
+ required: true
+ description: The hostname or IP address of the NFS server
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-restore-job.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-restore-job.yaml
new file mode 100644
index 000000000..7fd4fc2e1
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-restore-job.yaml
@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cloudforms-restore
+spec:
+ template:
+ metadata:
+ name: cloudforms-restore
+ spec:
+ containers:
+ - name: postgresql
+ image: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql:latest
+ command:
+ - "/opt/rh/cfme-container-scripts/restore_db"
+ env:
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: cloudforms-secrets
+ key: database-url
+ - name: BACKUP_VERSION
+ value: latest
+ volumeMounts:
+ - name: cfme-backup-vol
+ mountPath: "/backups"
+ - name: cfme-prod-vol
+ mountPath: "/restore"
+ volumes:
+ - name: cfme-backup-vol
+ persistentVolumeClaim:
+ claimName: cloudforms-backup
+ - name: cfme-prod-vol
+ persistentVolumeClaim:
+ claimName: cloudforms-postgresql
+ restartPolicy: Never
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-scc-sysadmin.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-scc-sysadmin.yaml
new file mode 100644
index 000000000..d2ece9298
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-scc-sysadmin.yaml
@@ -0,0 +1,38 @@
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+apiVersion: v1
+defaultAddCapabilities:
+- SYS_ADMIN
+fsGroup:
+ type: RunAsAny
+groups:
+- system:cluster-admins
+kind: SecurityContextConstraints
+metadata:
+ annotations:
+ kubernetes.io/description: cfme-sysadmin provides all features of the anyuid SCC but allows users to have SYS_ADMIN capabilities. This is the required scc for Pods requiring to run with systemd and the message bus.
+ creationTimestamp:
+ name: cfme-sysadmin
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- MKNOD
+- SYS_CHROOT
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+users:
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- secret
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template-ext-db.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template-ext-db.yaml
new file mode 100644
index 000000000..9866c29c3
--- /dev/null
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template-ext-db.yaml
@@ -0,0 +1,956 @@
+apiVersion: v1
+kind: Template
+labels:
+ template: cloudforms-ext-db
+metadata:
+ name: cloudforms-ext-db
+ annotations:
+ description: CloudForms appliance with persistent storage using a external DB host
+ tags: instant-app,cloudforms,cfme
+ iconClass: icon-rails
+objects:
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-orchestrator
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-anyuid
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-privileged
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-httpd
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${NAME}-secrets"
+ stringData:
+ pg-password: "${DATABASE_PASSWORD}"
+ admin-password: "${APPLICATION_ADMIN_PASSWORD}"
+ database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+ v2-key: "${V2_KEY}"
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ stringData:
+ rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+ secret-key: "${ANSIBLE_SECRET_KEY}"
+ admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances CloudForms pods
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+ name: "${NAME}"
+ spec:
+ clusterIP: None
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ selector:
+ name: "${NAME}"
+- apiVersion: v1
+ kind: Route
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ spec:
+ host: "${APPLICATION_DOMAIN}"
+ port:
+ targetPort: http
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ to:
+ kind: Service
+ name: "${HTTPD_SERVICE_NAME}"
+- apiVersion: apps/v1beta1
+ kind: StatefulSet
+ metadata:
+ name: "${NAME}"
+ annotations:
+ description: Defines how to deploy the CloudForms appliance
+ spec:
+ serviceName: "${NAME}"
+ replicas: "${APPLICATION_REPLICA_COUNT}"
+ template:
+ metadata:
+ labels:
+ name: "${NAME}"
+ name: "${NAME}"
+ spec:
+ containers:
+ - name: cloudforms
+ image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - MIQ Server
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ readinessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 200
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ volumeMounts:
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
+ env:
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_REGION
+ value: "${DATABASE_REGION}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: APPLICATION_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: admin-password
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ resources:
+ requests:
+ memory: "${APPLICATION_MEM_REQ}"
+ cpu: "${APPLICATION_CPU_REQ}"
+ limits:
+ memory: "${APPLICATION_MEM_LIMIT}"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
+ volumeClaimTemplates:
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Headless service for CloudForms backend pods
+ name: "${NAME}-backend"
+ spec:
+ clusterIP: None
+ selector:
+ name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+ kind: StatefulSet
+ metadata:
+ name: "${NAME}-backend"
+ annotations:
+ description: Defines how to deploy the CloudForms appliance
+ spec:
+ serviceName: "${NAME}-backend"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${NAME}-backend"
+ name: "${NAME}-backend"
+ spec:
+ containers:
+ - name: cloudforms
+ image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - MIQ Server
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
+ env:
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: MIQ_SERVER_DEFAULT_ROLES
+ value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+ - name: FRONTEND_SERVICE_NAME
+ value: "${NAME}"
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ resources:
+ requests:
+ memory: "${APPLICATION_MEM_REQ}"
+ cpu: "${APPLICATION_CPU_REQ}"
+ limits:
+ memory: "${APPLICATION_MEM_LIMIT}"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
+ volumeClaimTemplates:
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ annotations:
+ description: Exposes the memcached server
+ spec:
+ ports:
+ - name: memcached
+ port: 11211
+ targetPort: 11211
+ selector:
+ name: "${MEMCACHED_SERVICE_NAME}"
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy memcached
+ spec:
+ strategy:
+ type: Recreate
+ triggers:
+ - type: ConfigChange
+ replicas: 1
+ selector:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ template:
+ metadata:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ labels:
+ name: "${MEMCACHED_SERVICE_NAME}"
+ spec:
+ volumes: []
+ containers:
+ - name: memcached
+ image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+ ports:
+ - containerPort: 11211
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 5
+ tcpSocket:
+ port: 11211
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 30
+ tcpSocket:
+ port: 11211
+ volumeMounts: []
+ env:
+ - name: MEMCACHED_MAX_MEMORY
+ value: "${MEMCACHED_MAX_MEMORY}"
+ - name: MEMCACHED_MAX_CONNECTIONS
+ value: "${MEMCACHED_MAX_CONNECTIONS}"
+ - name: MEMCACHED_SLAB_PAGE_SIZE
+ value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+ resources:
+ requests:
+ memory: "${MEMCACHED_MEM_REQ}"
+ cpu: "${MEMCACHED_CPU_REQ}"
+ limits:
+ memory: "${MEMCACHED_MEM_LIMIT}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${DATABASE_SERVICE_NAME}"
+ annotations:
+ description: Remote database service
+ spec:
+ ports:
+ - name: postgresql
+ port: 5432
+ targetPort: "${{DATABASE_PORT}}"
+ selector: {}
+- apiVersion: v1
+ kind: Endpoints
+ metadata:
+ name: "${DATABASE_SERVICE_NAME}"
+ subsets:
+ - addresses:
+ - ip: "${DATABASE_IP}"
+ ports:
+ - port: "${{DATABASE_PORT}}"
+ name: postgresql
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances Ansible pods
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy the Ansible appliance
+ spec:
+ strategy:
+ type: Recreate
+ serviceName: "${ANSIBLE_SERVICE_NAME}"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ containers:
+ - name: ansible
+ image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+ livenessProbe:
+ tcpSocket:
+ port: 443
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 200
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 443
+ protocol: TCP
+ securityContext:
+ privileged: true
+ env:
+ - name: ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ - name: RABBITMQ_USER_NAME
+ value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+ - name: RABBITMQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: rabbit-password
+ - name: ANSIBLE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: secret-key
+ - name: DATABASE_SERVICE_NAME
+ value: "${DATABASE_SERVICE_NAME}"
+ - name: POSTGRESQL_USER
+ value: "${DATABASE_USER}"
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: pg-password
+ - name: POSTGRESQL_DATABASE
+ value: "${ANSIBLE_DATABASE_NAME}"
+ resources:
+ requests:
+ memory: "${ANSIBLE_MEM_REQ}"
+ cpu: "${ANSIBLE_CPU_REQ}"
+ limits:
+ memory: "${ANSIBLE_MEM_LIMIT}"
+ serviceAccount: cfme-privileged
+ serviceAccountName: cfme-privileged
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ data:
+ application.conf: |
+ # Timeout: The number of seconds before receives and sends time out.
+ Timeout 120
+
+ RewriteEngine On
+ Options SymLinksIfOwnerMatch
+
+ <VirtualHost *:80>
+ KeepAlive on
+ # Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
+ ServerName https://%{REQUEST_HOST}
+
+ ProxyPreserveHost on
+
+ RewriteCond %{REQUEST_URI} ^/ws [NC]
+ RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
+ RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
+
+ # For httpd, some ErrorDocuments must by served by the httpd pod
+ RewriteCond %{REQUEST_URI} !^/proxy_pages
+
+ # For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
+ RewriteCond %{REQUEST_URI} !^/saml2
+ RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
+ ProxyPassReverse / http://${NAME}/
+
+ # Ensures httpd stdout/stderr are seen by docker logs.
+ ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
+ CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
+ </VirtualHost>
+ authentication.conf: |
+ # Load appropriate authentication configuration files
+ #
+ Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
+ configuration-internal-auth: |
+ # Internal authentication
+ #
+ configuration-external-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/http.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-active-directory-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/krb5.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-saml-auth: |
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+ <Location />
+ MellonEnable "info"
+
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
+ MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
+ MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
+
+ MellonVariable "sp-cookie"
+ MellonSecureCookie On
+ MellonCookiePath "/"
+
+ MellonIdP "IDP"
+
+ MellonEndpointPath "/saml2"
+
+ MellonUser username
+ MellonMergeEnvVars On
+
+ MellonSetEnvNoPrefix "REMOTE_USER" username
+ MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
+ MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
+ MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
+ MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
+ MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
+ </Location>
+
+ <Location /saml_login>
+ AuthType "Mellon"
+ MellonEnable "auth"
+ Require valid-user
+ </Location>
+
+ Include "conf.d/external-auth-remote-user-conf"
+ external-auth-load-modules-conf: |
+ LoadModule authnz_pam_module modules/mod_authnz_pam.so
+ LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
+ LoadModule auth_kerb_module modules/mod_auth_kerb.so
+ external-auth-login-form-conf: |
+ <Location /dashboard/external_authenticate>
+ InterceptFormPAMService httpd-auth
+ InterceptFormLogin user_name
+ InterceptFormPassword user_password
+ InterceptFormLoginSkip admin
+ InterceptFormClearRemoteUserForSkipped on
+ </Location>
+ external-auth-application-api-conf: |
+ <LocationMatch ^/api>
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
+
+ AuthType Basic
+ AuthName "External Authentication (httpd) for API"
+ AuthBasicProvider PAM
+
+ AuthPAMService httpd-auth
+ Require valid-user
+ Order Allow,Deny
+ Allow from env=let_admin_in
+ Allow from env=let_api_token_in
+ Allow from env=let_sys_token_in
+ Satisfy Any
+ </LocationMatch>
+ external-auth-lookup-user-details-conf: |
+ <LocationMatch ^/dashboard/external_authenticate$|^/dashboard/kerberos_authenticate$|^/api>
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ LookupUserAttr displayname REMOTE_USER_FULLNAME
+ LookupUserAttr domainname REMOTE_USER_DOMAIN
+
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ LookupDbusTimeout 5000
+ </LocationMatch>
+ external-auth-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ data:
+ auth-type: internal
+ auth-kerberos-realms: undefined
+ auth-configuration.conf: |
+ # External Authentication Configuration File
+ #
+ # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_DBUS_API_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server dbus api
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http-dbus-api
+ port: 8080
+ targetPort: 8080
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy httpd
+ spec:
+ strategy:
+ type: Recreate
+ recreateParams:
+ timeoutSeconds: 1200
+ triggers:
+ - type: ConfigChange
+ replicas: 1
+ selector:
+ name: "${HTTPD_SERVICE_NAME}"
+ template:
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ labels:
+ name: "${HTTPD_SERVICE_NAME}"
+ spec:
+ volumes:
+ - name: httpd-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ - name: httpd-auth-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ containers:
+ - name: httpd
+ image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - httpd
+ initialDelaySeconds: 15
+ timeoutSeconds: 3
+ readinessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 10
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: httpd-config
+ mountPath: "${HTTPD_CONFIG_DIR}"
+ - name: httpd-auth-config
+ mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+ resources:
+ requests:
+ memory: "${HTTPD_MEM_REQ}"
+ cpu: "${HTTPD_CPU_REQ}"
+ limits:
+ memory: "${HTTPD_MEM_LIMIT}"
+ env:
+ - name: HTTPD_AUTH_TYPE
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-type
+ - name: HTTPD_AUTH_KERBEROS_REALMS
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-kerberos-realms
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - "/usr/bin/save-container-environment"
+ serviceAccount: cfme-httpd
+ serviceAccountName: cfme-httpd
+parameters:
+- name: NAME
+ displayName: Name
+ required: true
+ description: The name assigned to all of the frontend objects defined in this template.
+ value: cloudforms
+- name: V2_KEY
+ displayName: CloudForms Encryption Key
+ required: true
+ description: Encryption Key for CloudForms Passwords
+ from: "[a-zA-Z0-9]{43}"
+ generate: expression
+- name: DATABASE_SERVICE_NAME
+ displayName: PostgreSQL Service Name
+ required: true
+ description: The name of the OpenShift Service exposed for the PostgreSQL container.
+ value: postgresql
+- name: DATABASE_USER
+ displayName: PostgreSQL User
+ required: true
+ description: PostgreSQL user that will access the database.
+ value: root
+- name: DATABASE_PASSWORD
+ displayName: PostgreSQL Password
+ required: true
+ description: Password for the PostgreSQL user.
+ from: "[a-zA-Z0-9]{8}"
+ generate: expression
+- name: DATABASE_IP
+ displayName: PostgreSQL Server IP
+ required: true
+ description: PostgreSQL external server IP used to configure service.
+ value: ''
+- name: DATABASE_PORT
+ displayName: PostgreSQL Server Port
+ required: true
+ description: PostgreSQL external server port used to configure service.
+ value: '5432'
+- name: DATABASE_NAME
+ required: true
+ displayName: PostgreSQL Database Name
+ description: Name of the PostgreSQL database accessed.
+ value: vmdb_production
+- name: DATABASE_REGION
+ required: true
+ displayName: Application Database Region
+ description: Database region that will be used for application.
+ value: '0'
+- name: APPLICATION_ADMIN_PASSWORD
+ displayName: Application Admin Password
+ required: true
+ description: Admin password that will be set on the application.
+ value: smartvm
+- name: ANSIBLE_DATABASE_NAME
+ displayName: Ansible PostgreSQL database name
+ required: true
+ description: The database to be used by the Ansible continer
+ value: awx
+- name: MEMCACHED_SERVICE_NAME
+ required: true
+ displayName: Memcached Service Name
+ description: The name of the OpenShift Service exposed for the Memcached container.
+ value: memcached
+- name: MEMCACHED_MAX_MEMORY
+ displayName: Memcached Max Memory
+ description: Memcached maximum memory for memcached object storage in MB.
+ value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+ displayName: Memcached Max Connections
+ description: Memcached maximum number of connections allowed.
+ value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+ displayName: Memcached Slab Page Size
+ description: Memcached size of each slab page.
+ value: 1m
+- name: ANSIBLE_SERVICE_NAME
+ displayName: Ansible Service Name
+ description: The name of the OpenShift Service exposed for the Ansible container.
+ value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+ displayName: Ansible admin User password
+ required: true
+ description: The password for the Ansible container admin user
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: ANSIBLE_SECRET_KEY
+ displayName: Ansible Secret Key
+ required: true
+ description: Encryption key for the Ansible container
+ from: "[a-f0-9]{32}"
+ generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+ displayName: RabbitMQ Username
+ required: true
+ description: Username for the Ansible RabbitMQ Server
+ value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+ displayName: RabbitMQ Server Password
+ required: true
+ description: Password for the Ansible RabbitMQ Server
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: APPLICATION_CPU_REQ
+ displayName: Application Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+ value: 1000m
+- name: MEMCACHED_CPU_REQ
+ displayName: Memcached Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+ value: 200m
+- name: ANSIBLE_CPU_REQ
+ displayName: Ansible Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+ value: 1000m
+- name: APPLICATION_MEM_REQ
+ displayName: Application Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Application container will need.
+ value: 6144Mi
+- name: MEMCACHED_MEM_REQ
+ displayName: Memcached Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Memcached container will need.
+ value: 64Mi
+- name: ANSIBLE_MEM_REQ
+ displayName: Ansible Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Ansible container will need.
+ value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+ displayName: Application Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Application container can consume.
+ value: 16384Mi
+- name: MEMCACHED_MEM_LIMIT
+ displayName: Memcached Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Memcached container can consume.
+ value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+ displayName: Ansible Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Ansible container can consume.
+ value: 8096Mi
+- name: MEMCACHED_IMG_NAME
+ displayName: Memcached Image Name
+ description: This is the Memcached image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-memcached
+- name: MEMCACHED_IMG_TAG
+ displayName: Memcached Image Tag
+ description: This is the Memcached image tag/version requested to deploy.
+ value: latest
+- name: FRONTEND_APPLICATION_IMG_NAME
+ displayName: Frontend Application Image Name
+ description: This is the Frontend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app-ui
+- name: BACKEND_APPLICATION_IMG_NAME
+ displayName: Backend Application Image Name
+ description: This is the Backend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app
+- name: FRONTEND_APPLICATION_IMG_TAG
+ displayName: Front end Application Image Tag
+ description: This is the CloudForms Frontend Application image tag/version requested to deploy.
+ value: latest
+- name: BACKEND_APPLICATION_IMG_TAG
+ displayName: Back end Application Image Tag
+ description: This is the CloudForms Backend Application image tag/version requested to deploy.
+ value: latest
+- name: ANSIBLE_IMG_NAME
+ displayName: Ansible Image Name
+ description: This is the Ansible image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-embedded-ansible
+- name: ANSIBLE_IMG_TAG
+ displayName: Ansible Image Tag
+ description: This is the Ansible image tag/version requested to deploy.
+ value: latest
+- name: APPLICATION_DOMAIN
+ displayName: Application Hostname
+ description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+ value: ''
+- name: APPLICATION_REPLICA_COUNT
+ displayName: Application Replica Count
+ description: This is the number of Application replicas requested to deploy.
+ value: '1'
+- name: APPLICATION_INIT_DELAY
+ displayName: Application Init Delay
+ required: true
+ description: Delay in seconds before we attempt to initialize the application.
+ value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+ displayName: Application Volume Capacity
+ required: true
+ description: Volume space available for application data.
+ value: 5Gi
+- name: HTTPD_SERVICE_NAME
+ required: true
+ displayName: Apache httpd Service Name
+ description: The name of the OpenShift Service exposed for the httpd container.
+ value: httpd
+- name: HTTPD_DBUS_API_SERVICE_NAME
+ required: true
+ displayName: Apache httpd DBus API Service Name
+ description: The name of httpd dbus api service.
+ value: httpd-dbus-api
+- name: HTTPD_IMG_NAME
+ displayName: Apache httpd Image Name
+ description: This is the httpd image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd
+- name: HTTPD_IMG_TAG
+ displayName: Apache httpd Image Tag
+ description: This is the httpd image tag/version requested to deploy.
+ value: latest
+- name: HTTPD_CONFIG_DIR
+ displayName: Apache httpd Configuration Directory
+ description: Directory used to store the Apache configuration files.
+ value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+ displayName: External Authentication Configuration Directory
+ description: Directory used to store the external authentication configuration files.
+ value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+ displayName: Apache httpd Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+ value: 500m
+- name: HTTPD_MEM_REQ
+ displayName: Apache httpd Min RAM Requested
+ required: true
+ description: Minimum amount of memory the httpd container will need.
+ value: 512Mi
+- name: HTTPD_MEM_LIMIT
+ displayName: Apache httpd Max RAM Limit
+ required: true
+ description: Maximum amount of memory the httpd container can consume.
+ value: 8192Mi
diff --git a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template.yaml b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template.yaml
index 3bc6c5813..5c757b6c2 100644
--- a/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template.yaml
+++ b/roles/openshift_examples/files/examples/v3.9/cfme-templates/cfme-template.yaml
@@ -5,17 +5,308 @@ labels:
metadata:
name: cloudforms
annotations:
- description: "CloudForms appliance with persistent storage"
- tags: "instant-app,cloudforms,cfme"
- iconClass: "icon-rails"
+ description: CloudForms appliance with persistent storage
+ tags: instant-app,cloudforms,cfme
+ iconClass: icon-rails
objects:
- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-orchestrator
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-anyuid
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-privileged
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: cfme-httpd
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${NAME}-secrets"
+ stringData:
+ pg-password: "${DATABASE_PASSWORD}"
+ admin-password: "${APPLICATION_ADMIN_PASSWORD}"
+ database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+ v2-key: "${V2_KEY}"
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ stringData:
+ rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+ secret-key: "${ANSIBLE_SECRET_KEY}"
+ admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${DATABASE_SERVICE_NAME}-configs"
+ data:
+ 01_miq_overrides.conf: |
+ #------------------------------------------------------------------------------
+ # CONNECTIONS AND AUTHENTICATION
+ #------------------------------------------------------------------------------
+
+ tcp_keepalives_count = 9
+ tcp_keepalives_idle = 3
+ tcp_keepalives_interval = 75
+
+ #------------------------------------------------------------------------------
+ # RESOURCE USAGE (except WAL)
+ #------------------------------------------------------------------------------
+
+ shared_preload_libraries = 'pglogical,repmgr_funcs'
+ max_worker_processes = 10
+
+ #------------------------------------------------------------------------------
+ # WRITE AHEAD LOG
+ #------------------------------------------------------------------------------
+
+ wal_level = 'logical'
+ wal_log_hints = on
+ wal_buffers = 16MB
+ checkpoint_completion_target = 0.9
+
+ #------------------------------------------------------------------------------
+ # REPLICATION
+ #------------------------------------------------------------------------------
+
+ max_wal_senders = 10
+ wal_sender_timeout = 0
+ max_replication_slots = 10
+ hot_standby = on
+
+ #------------------------------------------------------------------------------
+ # ERROR REPORTING AND LOGGING
+ #------------------------------------------------------------------------------
+
+ log_filename = 'postgresql.log'
+ log_rotation_age = 0
+ log_min_duration_statement = 5000
+ log_connections = on
+ log_disconnections = on
+ log_line_prefix = '%t:%r:%c:%u@%d:[%p]:'
+ log_lock_waits = on
+
+ #------------------------------------------------------------------------------
+ # AUTOVACUUM PARAMETERS
+ #------------------------------------------------------------------------------
+
+ log_autovacuum_min_duration = 0
+ autovacuum_naptime = 5min
+ autovacuum_vacuum_threshold = 500
+ autovacuum_analyze_threshold = 500
+ autovacuum_vacuum_scale_factor = 0.05
+
+ #------------------------------------------------------------------------------
+ # LOCK MANAGEMENT
+ #------------------------------------------------------------------------------
+
+ deadlock_timeout = 5s
+
+ #------------------------------------------------------------------------------
+ # VERSION/PLATFORM COMPATIBILITY
+ #------------------------------------------------------------------------------
+
+ escape_string_warning = off
+ standard_conforming_strings = off
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ data:
+ application.conf: |
+ # Timeout: The number of seconds before receives and sends time out.
+ Timeout 120
+
+ RewriteEngine On
+ Options SymLinksIfOwnerMatch
+
+ <VirtualHost *:80>
+ KeepAlive on
+ # Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
+ ServerName https://%{REQUEST_HOST}
+
+ ProxyPreserveHost on
+
+ RewriteCond %{REQUEST_URI} ^/ws [NC]
+ RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
+ RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
+
+ # For httpd, some ErrorDocuments must by served by the httpd pod
+ RewriteCond %{REQUEST_URI} !^/proxy_pages
+
+ # For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
+ RewriteCond %{REQUEST_URI} !^/saml2
+ RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
+ ProxyPassReverse / http://${NAME}/
+
+ # Ensures httpd stdout/stderr are seen by docker logs.
+ ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
+ CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
+ </VirtualHost>
+ authentication.conf: |
+ # Load appropriate authentication configuration files
+ #
+ Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
+ configuration-internal-auth: |
+ # Internal authentication
+ #
+ configuration-external-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/http.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-active-directory-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/krb5.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-saml-auth: |
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+ <Location />
+ MellonEnable "info"
+
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
+ MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
+ MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
+
+ MellonVariable "sp-cookie"
+ MellonSecureCookie On
+ MellonCookiePath "/"
+
+ MellonIdP "IDP"
+
+ MellonEndpointPath "/saml2"
+
+ MellonUser username
+ MellonMergeEnvVars On
+
+ MellonSetEnvNoPrefix "REMOTE_USER" username
+ MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
+ MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
+ MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
+ MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
+ MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
+ </Location>
+
+ <Location /saml_login>
+ AuthType "Mellon"
+ MellonEnable "auth"
+ Require valid-user
+ </Location>
+
+ Include "conf.d/external-auth-remote-user-conf"
+ external-auth-load-modules-conf: |
+ LoadModule authnz_pam_module modules/mod_authnz_pam.so
+ LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
+ LoadModule auth_kerb_module modules/mod_auth_kerb.so
+ external-auth-login-form-conf: |
+ <Location /dashboard/external_authenticate>
+ InterceptFormPAMService httpd-auth
+ InterceptFormLogin user_name
+ InterceptFormPassword user_password
+ InterceptFormLoginSkip admin
+ InterceptFormClearRemoteUserForSkipped on
+ </Location>
+ external-auth-application-api-conf: |
+ <LocationMatch ^/api>
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
+
+ AuthType Basic
+ AuthName "External Authentication (httpd) for API"
+ AuthBasicProvider PAM
+
+ AuthPAMService httpd-auth
+ Require valid-user
+ Order Allow,Deny
+ Allow from env=let_admin_in
+ Allow from env=let_api_token_in
+ Allow from env=let_sys_token_in
+ Satisfy Any
+ </LocationMatch>
+ external-auth-lookup-user-details-conf: |
+ <LocationMatch ^/dashboard/external_authenticate$|^/dashboard/kerberos_authenticate$|^/api>
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ LookupUserAttr displayname REMOTE_USER_FULLNAME
+ LookupUserAttr domainname REMOTE_USER_DOMAIN
+
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ LookupDbusTimeout 5000
+ </LocationMatch>
+ external-auth-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ data:
+ auth-type: internal
+ auth-kerberos-realms: undefined
+ auth-configuration.conf: |
+ # External Authentication Configuration File
+ #
+ # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
kind: Service
metadata:
annotations:
- description: "Exposes and load balances CloudForms pods"
+ description: Exposes and load balances CloudForms pods
service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
- name: ${NAME}
+ name: "${NAME}"
spec:
clusterIP: None
ports:
@@ -23,141 +314,97 @@ objects:
port: 80
protocol: TCP
targetPort: 80
- - name: https
- port: 443
- protocol: TCP
- targetPort: 443
selector:
- name: ${NAME}
+ name: "${NAME}"
- apiVersion: v1
kind: Route
metadata:
- name: ${NAME}
+ name: "${HTTPD_SERVICE_NAME}"
spec:
- host: ${APPLICATION_DOMAIN}
+ host: "${APPLICATION_DOMAIN}"
port:
- targetPort: https
+ targetPort: http
tls:
- termination: passthrough
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
to:
kind: Service
- name: ${NAME}
-- apiVersion: v1
- kind: ImageStream
- metadata:
- name: cfme-openshift-app
- annotations:
- description: "Keeps track of changes in the CloudForms app image"
- spec:
- dockerImageRepository: "${APPLICATION_IMG_NAME}"
-- apiVersion: v1
- kind: ImageStream
- metadata:
- name: cfme-openshift-postgresql
- annotations:
- description: "Keeps track of changes in the CloudForms postgresql image"
- spec:
- dockerImageRepository: "${POSTGRESQL_IMG_NAME}"
-- apiVersion: v1
- kind: ImageStream
- metadata:
- name: cfme-openshift-memcached
- annotations:
- description: "Keeps track of changes in the CloudForms memcached image"
- spec:
- dockerImageRepository: "${MEMCACHED_IMG_NAME}"
+ name: "${HTTPD_SERVICE_NAME}"
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: "${NAME}-${DATABASE_SERVICE_NAME}"
spec:
accessModes:
- - ReadWriteOnce
+ - ReadWriteOnce
resources:
requests:
- storage: ${DATABASE_VOLUME_CAPACITY}
-- apiVersion: v1
- kind: PersistentVolumeClaim
- metadata:
- name: "${NAME}-region"
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: ${APPLICATION_REGION_VOLUME_CAPACITY}
+ storage: "${DATABASE_VOLUME_CAPACITY}"
- apiVersion: apps/v1beta1
- kind: "StatefulSet"
+ kind: StatefulSet
metadata:
- name: ${NAME}
+ name: "${NAME}"
annotations:
- description: "Defines how to deploy the CloudForms appliance"
+ description: Defines how to deploy the CloudForms appliance
spec:
serviceName: "${NAME}"
- replicas: 1
+ replicas: "${APPLICATION_REPLICA_COUNT}"
template:
metadata:
labels:
- name: ${NAME}
- name: ${NAME}
+ name: "${NAME}"
+ name: "${NAME}"
spec:
containers:
- name: cloudforms
- image: "${APPLICATION_IMG_NAME}:${APPLICATION_IMG_TAG}"
+ image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
livenessProbe:
- tcpSocket:
- port: 443
+ exec:
+ command:
+ - pidof
+ - MIQ Server
initialDelaySeconds: 480
timeoutSeconds: 3
readinessProbe:
- httpGet:
- path: /
- port: 443
- scheme: HTTPS
+ tcpSocket:
+ port: 80
initialDelaySeconds: 200
timeoutSeconds: 3
ports:
- containerPort: 80
protocol: TCP
- - containerPort: 443
- protocol: TCP
- securityContext:
- privileged: true
volumeMounts:
- -
- name: "${NAME}-server"
- mountPath: "/persistent"
- -
- name: "${NAME}-region"
- mountPath: "/persistent-region"
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
env:
- -
- name: "APPLICATION_INIT_DELAY"
- value: "${APPLICATION_INIT_DELAY}"
- -
- name: "DATABASE_SERVICE_NAME"
- value: "${DATABASE_SERVICE_NAME}"
- -
- name: "DATABASE_REGION"
- value: "${DATABASE_REGION}"
- -
- name: "MEMCACHED_SERVICE_NAME"
- value: "${MEMCACHED_SERVICE_NAME}"
- -
- name: "POSTGRESQL_USER"
- value: "${DATABASE_USER}"
- -
- name: "POSTGRESQL_PASSWORD"
- value: "${DATABASE_PASSWORD}"
- -
- name: "POSTGRESQL_DATABASE"
- value: "${DATABASE_NAME}"
- -
- name: "POSTGRESQL_MAX_CONNECTIONS"
- value: "${POSTGRESQL_MAX_CONNECTIONS}"
- -
- name: "POSTGRESQL_SHARED_BUFFERS"
- value: "${POSTGRESQL_SHARED_BUFFERS}"
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_REGION
+ value: "${DATABASE_REGION}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: APPLICATION_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: admin-password
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
resources:
requests:
memory: "${APPLICATION_MEM_REQ}"
@@ -168,59 +415,128 @@ objects:
preStop:
exec:
command:
- - /opt/rh/cfme-container-scripts/sync-pv-data
- volumes:
- -
- name: "${NAME}-region"
- persistentVolumeClaim:
- claimName: ${NAME}-region
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
volumeClaimTemplates:
- - metadata:
- name: "${NAME}-server"
- annotations:
- # Uncomment this if using dynamic volume provisioning.
- # https://docs.openshift.org/latest/install_config/persistent_storage/dynamically_provisioning_pvs.html
- # volume.alpha.kubernetes.io/storage-class: anything
- spec:
- accessModes: [ ReadWriteOnce ]
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Headless service for CloudForms backend pods
+ name: "${NAME}-backend"
+ spec:
+ clusterIP: None
+ selector:
+ name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+ kind: StatefulSet
+ metadata:
+ name: "${NAME}-backend"
+ annotations:
+ description: Defines how to deploy the CloudForms appliance
+ spec:
+ serviceName: "${NAME}-backend"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${NAME}-backend"
+ name: "${NAME}-backend"
+ spec:
+ containers:
+ - name: cloudforms
+ image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - MIQ Server
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: "${NAME}-server"
+ mountPath: "/persistent"
+ env:
+ - name: APPLICATION_INIT_DELAY
+ value: "${APPLICATION_INIT_DELAY}"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: database-url
+ - name: MIQ_SERVER_DEFAULT_ROLES
+ value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+ - name: FRONTEND_SERVICE_NAME
+ value: "${NAME}"
+ - name: V2_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: v2-key
+ - name: ANSIBLE_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
resources:
requests:
- storage: "${APPLICATION_VOLUME_CAPACITY}"
+ memory: "${APPLICATION_MEM_REQ}"
+ cpu: "${APPLICATION_CPU_REQ}"
+ limits:
+ memory: "${APPLICATION_MEM_LIMIT}"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
+ serviceAccount: cfme-orchestrator
+ serviceAccountName: cfme-orchestrator
+ terminationGracePeriodSeconds: 90
+ volumeClaimTemplates:
+ - metadata:
+ name: "${NAME}-server"
+ annotations:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
- apiVersion: v1
- kind: "Service"
+ kind: Service
metadata:
name: "${MEMCACHED_SERVICE_NAME}"
annotations:
- description: "Exposes the memcached server"
+ description: Exposes the memcached server
spec:
ports:
- -
- name: "memcached"
- port: 11211
- targetPort: 11211
+ - name: memcached
+ port: 11211
+ targetPort: 11211
selector:
name: "${MEMCACHED_SERVICE_NAME}"
- apiVersion: v1
- kind: "DeploymentConfig"
+ kind: DeploymentConfig
metadata:
name: "${MEMCACHED_SERVICE_NAME}"
annotations:
- description: "Defines how to deploy memcached"
+ description: Defines how to deploy memcached
spec:
strategy:
- type: "Recreate"
+ type: Recreate
triggers:
- -
- type: "ImageChange"
- imageChangeParams:
- automatic: true
- containerNames:
- - "memcached"
- from:
- kind: "ImageStreamTag"
- name: "cfme-openshift-memcached:${MEMCACHED_IMG_TAG}"
- -
- type: "ConfigChange"
+ - type: ConfigChange
replicas: 1
selector:
name: "${MEMCACHED_SERVICE_NAME}"
@@ -232,74 +548,58 @@ objects:
spec:
volumes: []
containers:
- -
- name: "memcached"
- image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
- ports:
- -
- containerPort: 11211
- readinessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 5
- tcpSocket:
- port: 11211
- livenessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 30
- tcpSocket:
- port: 11211
- volumeMounts: []
- env:
- -
- name: "MEMCACHED_MAX_MEMORY"
- value: "${MEMCACHED_MAX_MEMORY}"
- -
- name: "MEMCACHED_MAX_CONNECTIONS"
- value: "${MEMCACHED_MAX_CONNECTIONS}"
- -
- name: "MEMCACHED_SLAB_PAGE_SIZE"
- value: "${MEMCACHED_SLAB_PAGE_SIZE}"
- resources:
- requests:
- memory: "${MEMCACHED_MEM_REQ}"
- cpu: "${MEMCACHED_CPU_REQ}"
- limits:
- memory: "${MEMCACHED_MEM_LIMIT}"
+ - name: memcached
+ image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+ ports:
+ - containerPort: 11211
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 5
+ tcpSocket:
+ port: 11211
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 30
+ tcpSocket:
+ port: 11211
+ volumeMounts: []
+ env:
+ - name: MEMCACHED_MAX_MEMORY
+ value: "${MEMCACHED_MAX_MEMORY}"
+ - name: MEMCACHED_MAX_CONNECTIONS
+ value: "${MEMCACHED_MAX_CONNECTIONS}"
+ - name: MEMCACHED_SLAB_PAGE_SIZE
+ value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+ resources:
+ requests:
+ memory: "${MEMCACHED_MEM_REQ}"
+ cpu: "${MEMCACHED_CPU_REQ}"
+ limits:
+ memory: "${MEMCACHED_MEM_LIMIT}"
- apiVersion: v1
- kind: "Service"
+ kind: Service
metadata:
name: "${DATABASE_SERVICE_NAME}"
annotations:
- description: "Exposes the database server"
+ description: Exposes the database server
spec:
ports:
- -
- name: "postgresql"
- port: 5432
- targetPort: 5432
+ - name: postgresql
+ port: 5432
+ targetPort: 5432
selector:
name: "${DATABASE_SERVICE_NAME}"
- apiVersion: v1
- kind: "DeploymentConfig"
+ kind: DeploymentConfig
metadata:
name: "${DATABASE_SERVICE_NAME}"
annotations:
- description: "Defines how to deploy the database"
+ description: Defines how to deploy the database
spec:
strategy:
- type: "Recreate"
+ type: Recreate
triggers:
- -
- type: "ImageChange"
- imageChangeParams:
- automatic: true
- containerNames:
- - "postgresql"
- from:
- kind: "ImageStreamTag"
- name: "cfme-openshift-postgresql:${POSTGRESQL_IMG_TAG}"
- -
- type: "ConfigChange"
+ - type: ConfigChange
replicas: 1
selector:
name: "${DATABASE_SERVICE_NAME}"
@@ -310,236 +610,524 @@ objects:
name: "${DATABASE_SERVICE_NAME}"
spec:
volumes:
- -
- name: "cfme-pgdb-volume"
- persistentVolumeClaim:
- claimName: "${NAME}-${DATABASE_SERVICE_NAME}"
+ - name: cfme-pgdb-volume
+ persistentVolumeClaim:
+ claimName: "${NAME}-${DATABASE_SERVICE_NAME}"
+ - name: cfme-pg-configs
+ configMap:
+ name: "${DATABASE_SERVICE_NAME}-configs"
containers:
- -
- name: "postgresql"
- image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"
- ports:
- -
- containerPort: 5432
- readinessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 15
+ - name: postgresql
+ image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"
+ ports:
+ - containerPort: 5432
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 15
+ exec:
+ command:
+ - "/bin/sh"
+ - "-i"
+ - "-c"
+ - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 60
+ tcpSocket:
+ port: 5432
+ volumeMounts:
+ - name: cfme-pgdb-volume
+ mountPath: "/var/lib/pgsql/data"
+ - name: cfme-pg-configs
+ mountPath: "${POSTGRESQL_CONFIG_DIR}"
+ env:
+ - name: POSTGRESQL_USER
+ value: "${DATABASE_USER}"
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: pg-password
+ - name: POSTGRESQL_DATABASE
+ value: "${DATABASE_NAME}"
+ - name: POSTGRESQL_MAX_CONNECTIONS
+ value: "${POSTGRESQL_MAX_CONNECTIONS}"
+ - name: POSTGRESQL_SHARED_BUFFERS
+ value: "${POSTGRESQL_SHARED_BUFFERS}"
+ - name: POSTGRESQL_CONFIG_DIR
+ value: "${POSTGRESQL_CONFIG_DIR}"
+ resources:
+ requests:
+ memory: "${POSTGRESQL_MEM_REQ}"
+ cpu: "${POSTGRESQL_CPU_REQ}"
+ limits:
+ memory: "${POSTGRESQL_MEM_LIMIT}"
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances Ansible pods
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy the Ansible appliance
+ spec:
+ strategy:
+ type: Recreate
+ serviceName: "${ANSIBLE_SERVICE_NAME}"
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ name: "${ANSIBLE_SERVICE_NAME}"
+ name: "${ANSIBLE_SERVICE_NAME}"
+ spec:
+ containers:
+ - name: ansible
+ image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+ livenessProbe:
+ tcpSocket:
+ port: 443
+ initialDelaySeconds: 480
+ timeoutSeconds: 3
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 200
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 443
+ protocol: TCP
+ securityContext:
+ privileged: true
+ env:
+ - name: ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: admin-password
+ - name: RABBITMQ_USER_NAME
+ value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+ - name: RABBITMQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: rabbit-password
+ - name: ANSIBLE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
+ key: secret-key
+ - name: DATABASE_SERVICE_NAME
+ value: "${DATABASE_SERVICE_NAME}"
+ - name: POSTGRESQL_USER
+ value: "${DATABASE_USER}"
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: pg-password
+ - name: POSTGRESQL_DATABASE
+ value: "${ANSIBLE_DATABASE_NAME}"
+ resources:
+ requests:
+ memory: "${ANSIBLE_MEM_REQ}"
+ cpu: "${ANSIBLE_CPU_REQ}"
+ limits:
+ memory: "${ANSIBLE_MEM_LIMIT}"
+ serviceAccount: cfme-privileged
+ serviceAccountName: cfme-privileged
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_DBUS_API_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server dbus api
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http-dbus-api
+ port: 8080
+ targetPort: 8080
+ selector:
+ name: httpd
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ annotations:
+ description: Defines how to deploy httpd
+ spec:
+ strategy:
+ type: Recreate
+ recreateParams:
+ timeoutSeconds: 1200
+ triggers:
+ - type: ConfigChange
+ replicas: 1
+ selector:
+ name: "${HTTPD_SERVICE_NAME}"
+ template:
+ metadata:
+ name: "${HTTPD_SERVICE_NAME}"
+ labels:
+ name: "${HTTPD_SERVICE_NAME}"
+ spec:
+ volumes:
+ - name: httpd-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-configs"
+ - name: httpd-auth-config
+ configMap:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ containers:
+ - name: httpd
+ image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - pidof
+ - httpd
+ initialDelaySeconds: 15
+ timeoutSeconds: 3
+ readinessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 10
+ timeoutSeconds: 3
+ volumeMounts:
+ - name: httpd-config
+ mountPath: "${HTTPD_CONFIG_DIR}"
+ - name: httpd-auth-config
+ mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+ resources:
+ requests:
+ memory: "${HTTPD_MEM_REQ}"
+ cpu: "${HTTPD_CPU_REQ}"
+ limits:
+ memory: "${HTTPD_MEM_LIMIT}"
+ env:
+ - name: HTTPD_AUTH_TYPE
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-type
+ - name: HTTPD_AUTH_KERBEROS_REALMS
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-kerberos-realms
+ lifecycle:
+ postStart:
exec:
command:
- - "/bin/sh"
- - "-i"
- - "-c"
- - "psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'"
- livenessProbe:
- timeoutSeconds: 1
- initialDelaySeconds: 60
- tcpSocket:
- port: 5432
- volumeMounts:
- -
- name: "cfme-pgdb-volume"
- mountPath: "/var/lib/pgsql/data"
- env:
- -
- name: "POSTGRESQL_USER"
- value: "${DATABASE_USER}"
- -
- name: "POSTGRESQL_PASSWORD"
- value: "${DATABASE_PASSWORD}"
- -
- name: "POSTGRESQL_DATABASE"
- value: "${DATABASE_NAME}"
- -
- name: "POSTGRESQL_MAX_CONNECTIONS"
- value: "${POSTGRESQL_MAX_CONNECTIONS}"
- -
- name: "POSTGRESQL_SHARED_BUFFERS"
- value: "${POSTGRESQL_SHARED_BUFFERS}"
- resources:
- requests:
- memory: "${POSTGRESQL_MEM_REQ}"
- cpu: "${POSTGRESQL_CPU_REQ}"
- limits:
- memory: "${POSTGRESQL_MEM_LIMIT}"
-
+ - "/usr/bin/save-container-environment"
+ serviceAccount: cfme-httpd
+ serviceAccountName: cfme-httpd
parameters:
- -
- name: "NAME"
- displayName: Name
- required: true
- description: "The name assigned to all of the frontend objects defined in this template."
- value: cloudforms
- -
- name: "DATABASE_SERVICE_NAME"
- displayName: "PostgreSQL Service Name"
- required: true
- description: "The name of the OpenShift Service exposed for the PostgreSQL container."
- value: "postgresql"
- -
- name: "DATABASE_USER"
- displayName: "PostgreSQL User"
- required: true
- description: "PostgreSQL user that will access the database."
- value: "root"
- -
- name: "DATABASE_PASSWORD"
- displayName: "PostgreSQL Password"
- required: true
- description: "Password for the PostgreSQL user."
- value: "smartvm"
- -
- name: "DATABASE_NAME"
- required: true
- displayName: "PostgreSQL Database Name"
- description: "Name of the PostgreSQL database accessed."
- value: "vmdb_production"
- -
- name: "DATABASE_REGION"
- required: true
- displayName: "Application Database Region"
- description: "Database region that will be used for application."
- value: "0"
- -
- name: "MEMCACHED_SERVICE_NAME"
- required: true
- displayName: "Memcached Service Name"
- description: "The name of the OpenShift Service exposed for the Memcached container."
- value: "memcached"
- -
- name: "MEMCACHED_MAX_MEMORY"
- displayName: "Memcached Max Memory"
- description: "Memcached maximum memory for memcached object storage in MB."
- value: "64"
- -
- name: "MEMCACHED_MAX_CONNECTIONS"
- displayName: "Memcached Max Connections"
- description: "Memcached maximum number of connections allowed."
- value: "1024"
- -
- name: "MEMCACHED_SLAB_PAGE_SIZE"
- displayName: "Memcached Slab Page Size"
- description: "Memcached size of each slab page."
- value: "1m"
- -
- name: "POSTGRESQL_MAX_CONNECTIONS"
- displayName: "PostgreSQL Max Connections"
- description: "PostgreSQL maximum number of database connections allowed."
- value: "100"
- -
- name: "POSTGRESQL_SHARED_BUFFERS"
- displayName: "PostgreSQL Shared Buffer Amount"
- description: "Amount of memory dedicated for PostgreSQL shared memory buffers."
- value: "256MB"
- -
- name: "APPLICATION_CPU_REQ"
- displayName: "Application Min CPU Requested"
- required: true
- description: "Minimum amount of CPU time the Application container will need (expressed in millicores)."
- value: "1000m"
- -
- name: "POSTGRESQL_CPU_REQ"
- displayName: "PostgreSQL Min CPU Requested"
- required: true
- description: "Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores)."
- value: "500m"
- -
- name: "MEMCACHED_CPU_REQ"
- displayName: "Memcached Min CPU Requested"
- required: true
- description: "Minimum amount of CPU time the Memcached container will need (expressed in millicores)."
- value: "200m"
- -
- name: "APPLICATION_MEM_REQ"
- displayName: "Application Min RAM Requested"
- required: true
- description: "Minimum amount of memory the Application container will need."
- value: "6144Mi"
- -
- name: "POSTGRESQL_MEM_REQ"
- displayName: "PostgreSQL Min RAM Requested"
- required: true
- description: "Minimum amount of memory the PostgreSQL container will need."
- value: "1024Mi"
- -
- name: "MEMCACHED_MEM_REQ"
- displayName: "Memcached Min RAM Requested"
- required: true
- description: "Minimum amount of memory the Memcached container will need."
- value: "64Mi"
- -
- name: "APPLICATION_MEM_LIMIT"
- displayName: "Application Max RAM Limit"
- required: true
- description: "Maximum amount of memory the Application container can consume."
- value: "16384Mi"
- -
- name: "POSTGRESQL_MEM_LIMIT"
- displayName: "PostgreSQL Max RAM Limit"
- required: true
- description: "Maximum amount of memory the PostgreSQL container can consume."
- value: "8192Mi"
- -
- name: "MEMCACHED_MEM_LIMIT"
- displayName: "Memcached Max RAM Limit"
- required: true
- description: "Maximum amount of memory the Memcached container can consume."
- value: "256Mi"
- -
- name: "POSTGRESQL_IMG_NAME"
- displayName: "PostgreSQL Image Name"
- description: "This is the PostgreSQL image name requested to deploy."
- value: "registry.access.redhat.com/cloudforms45/cfme-openshift-postgresql"
- -
- name: "POSTGRESQL_IMG_TAG"
- displayName: "PostgreSQL Image Tag"
- description: "This is the PostgreSQL image tag/version requested to deploy."
- value: "latest"
- -
- name: "MEMCACHED_IMG_NAME"
- displayName: "Memcached Image Name"
- description: "This is the Memcached image name requested to deploy."
- value: "registry.access.redhat.com/cloudforms45/cfme-openshift-memcached"
- -
- name: "MEMCACHED_IMG_TAG"
- displayName: "Memcached Image Tag"
- description: "This is the Memcached image tag/version requested to deploy."
- value: "latest"
- -
- name: "APPLICATION_IMG_NAME"
- displayName: "Application Image Name"
- description: "This is the Application image name requested to deploy."
- value: "registry.access.redhat.com/cloudforms45/cfme-openshift-app"
- -
- name: "APPLICATION_IMG_TAG"
- displayName: "Application Image Tag"
- description: "This is the Application image tag/version requested to deploy."
- value: "latest"
- -
- name: "APPLICATION_DOMAIN"
- displayName: "Application Hostname"
- description: "The exposed hostname that will route to the application service, if left blank a value will be defaulted."
- value: ""
- -
- name: "APPLICATION_INIT_DELAY"
- displayName: "Application Init Delay"
- required: true
- description: "Delay in seconds before we attempt to initialize the application."
- value: "15"
- -
- name: "APPLICATION_VOLUME_CAPACITY"
- displayName: "Application Volume Capacity"
- required: true
- description: "Volume space available for application data."
- value: "5Gi"
- -
- name: "APPLICATION_REGION_VOLUME_CAPACITY"
- displayName: "Application Region Volume Capacity"
- required: true
- description: "Volume space available for region application data."
- value: "5Gi"
- -
- name: "DATABASE_VOLUME_CAPACITY"
- displayName: "Database Volume Capacity"
- required: true
- description: "Volume space available for database."
- value: "15Gi"
+- name: NAME
+ displayName: Name
+ required: true
+ description: The name assigned to all of the frontend objects defined in this template.
+ value: cloudforms
+- name: V2_KEY
+ displayName: CloudForms Encryption Key
+ required: true
+ description: Encryption Key for CloudForms Passwords
+ from: "[a-zA-Z0-9]{43}"
+ generate: expression
+- name: DATABASE_SERVICE_NAME
+ displayName: PostgreSQL Service Name
+ required: true
+ description: The name of the OpenShift Service exposed for the PostgreSQL container.
+ value: postgresql
+- name: DATABASE_USER
+ displayName: PostgreSQL User
+ required: true
+ description: PostgreSQL user that will access the database.
+ value: root
+- name: DATABASE_PASSWORD
+ displayName: PostgreSQL Password
+ required: true
+ description: Password for the PostgreSQL user.
+ from: "[a-zA-Z0-9]{8}"
+ generate: expression
+- name: DATABASE_NAME
+ required: true
+ displayName: PostgreSQL Database Name
+ description: Name of the PostgreSQL database accessed.
+ value: vmdb_production
+- name: DATABASE_REGION
+ required: true
+ displayName: Application Database Region
+ description: Database region that will be used for application.
+ value: '0'
+- name: APPLICATION_ADMIN_PASSWORD
+ displayName: Application Admin Password
+ required: true
+ description: Admin password that will be set on the application.
+ value: smartvm
+- name: ANSIBLE_DATABASE_NAME
+ displayName: Ansible PostgreSQL database name
+ required: true
+ description: The database to be used by the Ansible continer
+ value: awx
+- name: MEMCACHED_SERVICE_NAME
+ required: true
+ displayName: Memcached Service Name
+ description: The name of the OpenShift Service exposed for the Memcached container.
+ value: memcached
+- name: MEMCACHED_MAX_MEMORY
+ displayName: Memcached Max Memory
+ description: Memcached maximum memory for memcached object storage in MB.
+ value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+ displayName: Memcached Max Connections
+ description: Memcached maximum number of connections allowed.
+ value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+ displayName: Memcached Slab Page Size
+ description: Memcached size of each slab page.
+ value: 1m
+- name: POSTGRESQL_CONFIG_DIR
+ displayName: PostgreSQL Configuration Overrides
+ description: Directory used to store PostgreSQL configuration overrides.
+ value: "/var/lib/pgsql/conf.d"
+- name: POSTGRESQL_MAX_CONNECTIONS
+ displayName: PostgreSQL Max Connections
+ description: PostgreSQL maximum number of database connections allowed.
+ value: '1000'
+- name: POSTGRESQL_SHARED_BUFFERS
+ displayName: PostgreSQL Shared Buffer Amount
+ description: Amount of memory dedicated for PostgreSQL shared memory buffers.
+ value: 1GB
+- name: ANSIBLE_SERVICE_NAME
+ displayName: Ansible Service Name
+ description: The name of the OpenShift Service exposed for the Ansible container.
+ value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+ displayName: Ansible admin User password
+ required: true
+ description: The password for the Ansible container admin user
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: ANSIBLE_SECRET_KEY
+ displayName: Ansible Secret Key
+ required: true
+ description: Encryption key for the Ansible container
+ from: "[a-f0-9]{32}"
+ generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+ displayName: RabbitMQ Username
+ required: true
+ description: Username for the Ansible RabbitMQ Server
+ value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+ displayName: RabbitMQ Server Password
+ required: true
+ description: Password for the Ansible RabbitMQ Server
+ from: "[a-zA-Z0-9]{32}"
+ generate: expression
+- name: APPLICATION_CPU_REQ
+ displayName: Application Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+ value: 1000m
+- name: POSTGRESQL_CPU_REQ
+ displayName: PostgreSQL Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores).
+ value: 500m
+- name: MEMCACHED_CPU_REQ
+ displayName: Memcached Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+ value: 200m
+- name: ANSIBLE_CPU_REQ
+ displayName: Ansible Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+ value: 1000m
+- name: APPLICATION_MEM_REQ
+ displayName: Application Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Application container will need.
+ value: 6144Mi
+- name: POSTGRESQL_MEM_REQ
+ displayName: PostgreSQL Min RAM Requested
+ required: true
+ description: Minimum amount of memory the PostgreSQL container will need.
+ value: 4Gi
+- name: MEMCACHED_MEM_REQ
+ displayName: Memcached Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Memcached container will need.
+ value: 64Mi
+- name: ANSIBLE_MEM_REQ
+ displayName: Ansible Min RAM Requested
+ required: true
+ description: Minimum amount of memory the Ansible container will need.
+ value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+ displayName: Application Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Application container can consume.
+ value: 16384Mi
+- name: POSTGRESQL_MEM_LIMIT
+ displayName: PostgreSQL Max RAM Limit
+ required: true
+ description: Maximum amount of memory the PostgreSQL container can consume.
+ value: 8Gi
+- name: MEMCACHED_MEM_LIMIT
+ displayName: Memcached Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Memcached container can consume.
+ value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+ displayName: Ansible Max RAM Limit
+ required: true
+ description: Maximum amount of memory the Ansible container can consume.
+ value: 8096Mi
+- name: POSTGRESQL_IMG_NAME
+ displayName: PostgreSQL Image Name
+ description: This is the PostgreSQL image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql
+- name: POSTGRESQL_IMG_TAG
+ displayName: PostgreSQL Image Tag
+ description: This is the PostgreSQL image tag/version requested to deploy.
+ value: latest
+- name: MEMCACHED_IMG_NAME
+ displayName: Memcached Image Name
+ description: This is the Memcached image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-memcached
+- name: MEMCACHED_IMG_TAG
+ displayName: Memcached Image Tag
+ description: This is the Memcached image tag/version requested to deploy.
+ value: latest
+- name: FRONTEND_APPLICATION_IMG_NAME
+ displayName: Frontend Application Image Name
+ description: This is the Frontend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app-ui
+- name: BACKEND_APPLICATION_IMG_NAME
+ displayName: Backend Application Image Name
+ description: This is the Backend Application image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app
+- name: FRONTEND_APPLICATION_IMG_TAG
+ displayName: Front end Application Image Tag
+ description: This is the CloudForms Frontend Application image tag/version requested to deploy.
+ value: latest
+- name: BACKEND_APPLICATION_IMG_TAG
+ displayName: Back end Application Image Tag
+ description: This is the CloudForms Backend Application image tag/version requested to deploy.
+ value: latest
+- name: ANSIBLE_IMG_NAME
+ displayName: Ansible Image Name
+ description: This is the Ansible image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-embedded-ansible
+- name: ANSIBLE_IMG_TAG
+ displayName: Ansible Image Tag
+ description: This is the Ansible image tag/version requested to deploy.
+ value: latest
+- name: APPLICATION_DOMAIN
+ displayName: Application Hostname
+ description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+ value: ''
+- name: APPLICATION_REPLICA_COUNT
+ displayName: Application Replica Count
+ description: This is the number of Application replicas requested to deploy.
+ value: '1'
+- name: APPLICATION_INIT_DELAY
+ displayName: Application Init Delay
+ required: true
+ description: Delay in seconds before we attempt to initialize the application.
+ value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+ displayName: Application Volume Capacity
+ required: true
+ description: Volume space available for application data.
+ value: 5Gi
+- name: DATABASE_VOLUME_CAPACITY
+ displayName: Database Volume Capacity
+ required: true
+ description: Volume space available for database.
+ value: 15Gi
+- name: HTTPD_SERVICE_NAME
+ required: true
+ displayName: Apache httpd Service Name
+ description: The name of the OpenShift Service exposed for the httpd container.
+ value: httpd
+- name: HTTPD_DBUS_API_SERVICE_NAME
+ required: true
+ displayName: Apache httpd DBus API Service Name
+ description: The name of httpd dbus api service.
+ value: httpd-dbus-api
+- name: HTTPD_IMG_NAME
+ displayName: Apache httpd Image Name
+ description: This is the httpd image name requested to deploy.
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd
+- name: HTTPD_IMG_TAG
+ displayName: Apache httpd Image Tag
+ description: This is the httpd image tag/version requested to deploy.
+ value: latest
+- name: HTTPD_CONFIG_DIR
+ displayName: Apache Configuration Directory
+ description: Directory used to store the Apache configuration files.
+ value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+ displayName: External Authentication Configuration Directory
+ description: Directory used to store the external authentication configuration files.
+ value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+ displayName: Apache httpd Min CPU Requested
+ required: true
+ description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+ value: 500m
+- name: HTTPD_MEM_REQ
+ displayName: Apache httpd Min RAM Requested
+ required: true
+ description: Minimum amount of memory the httpd container will need.
+ value: 512Mi
+- name: HTTPD_MEM_LIMIT
+ displayName: Apache httpd Max RAM Limit
+ required: true
+ description: Maximum amount of memory the httpd container can consume.
+ value: 8192Mi
diff --git a/roles/openshift_hosted/tasks/registry.yml b/roles/openshift_hosted/tasks/registry.yml
index 22294e3d4..bc4d81eb7 100644
--- a/roles/openshift_hosted/tasks/registry.yml
+++ b/roles/openshift_hosted/tasks/registry.yml
@@ -43,7 +43,7 @@
- name: Update registry environment variables when pushing via dns
set_fact:
- openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine({'OPENSHIFT_DEFAULT_REGISTRY':'docker-registry.default.svc:5000'}) }}"
+ openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine({'REGISTRY_OPENSHIFT_SERVER_ADDR':'docker-registry.default.svc:5000'}) }}"
when: openshift_push_via_dns | bool
- name: Update registry proxy settings for dc/docker-registry
diff --git a/roles/openshift_loadbalancer/templates/haproxy.cfg.j2 b/roles/openshift_loadbalancer/templates/haproxy.cfg.j2
index de5a8d7c2..823f012af 100644
--- a/roles/openshift_loadbalancer/templates/haproxy.cfg.j2
+++ b/roles/openshift_loadbalancer/templates/haproxy.cfg.j2
@@ -38,7 +38,8 @@ defaults
timeout check 10s
maxconn {{ openshift_loadbalancer_default_maxconn | default(20000) }}
-listen stats :9000
+listen stats
+ bind :9000
mode http
stats enable
stats uri /
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml
index c3bc1d20c..48d1d4e26 100644
--- a/roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml
@@ -9,7 +9,7 @@ spec:
spec:
containers:
- name: postgresql
- image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest
+ image: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql:latest
command:
- "/opt/rh/cfme-container-scripts/backup_db"
env:
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml
index 8b23f8a33..7fd4fc2e1 100644
--- a/roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml
@@ -9,7 +9,7 @@ spec:
spec:
containers:
- name: postgresql
- image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest
+ image: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql:latest
command:
- "/opt/rh/cfme-container-scripts/restore_db"
env:
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml
index 4a04f3372..9866c29c3 100644
--- a/roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml
@@ -31,6 +31,7 @@ objects:
name: "${NAME}-secrets"
stringData:
pg-password: "${DATABASE_PASSWORD}"
+ admin-password: "${APPLICATION_ADMIN_PASSWORD}"
database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
v2-key: "${V2_KEY}"
- apiVersion: v1
@@ -90,15 +91,15 @@ objects:
- name: cloudforms
image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
livenessProbe:
- tcpSocket:
- port: 80
+ exec:
+ command:
+ - pidof
+ - MIQ Server
initialDelaySeconds: 480
timeoutSeconds: 3
readinessProbe:
- httpGet:
- path: "/"
+ tcpSocket:
port: 80
- scheme: HTTP
initialDelaySeconds: 200
timeoutSeconds: 3
ports:
@@ -126,6 +127,11 @@ objects:
secretKeyRef:
name: "${NAME}-secrets"
key: v2-key
+ - name: APPLICATION_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: admin-password
- name: ANSIBLE_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
@@ -433,18 +439,173 @@ objects:
<VirtualHost *:80>
KeepAlive on
+ # Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
+ ServerName https://%{REQUEST_HOST}
+
ProxyPreserveHost on
- ProxyPass /ws/ ws://${NAME}/ws/
- ProxyPassReverse /ws/ ws://${NAME}/ws/
- ProxyPass / http://${NAME}/
+
+ RewriteCond %{REQUEST_URI} ^/ws [NC]
+ RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
+ RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
+
+ # For httpd, some ErrorDocuments must by served by the httpd pod
+ RewriteCond %{REQUEST_URI} !^/proxy_pages
+
+ # For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
+ RewriteCond %{REQUEST_URI} !^/saml2
+ RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
ProxyPassReverse / http://${NAME}/
+
+ # Ensures httpd stdout/stderr are seen by docker logs.
+ ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
+ CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
</VirtualHost>
+ authentication.conf: |
+ # Load appropriate authentication configuration files
+ #
+ Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
+ configuration-internal-auth: |
+ # Internal authentication
+ #
+ configuration-external-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/http.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-active-directory-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/krb5.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-saml-auth: |
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+ <Location />
+ MellonEnable "info"
+
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
+ MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
+ MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
+
+ MellonVariable "sp-cookie"
+ MellonSecureCookie On
+ MellonCookiePath "/"
+
+ MellonIdP "IDP"
+
+ MellonEndpointPath "/saml2"
+
+ MellonUser username
+ MellonMergeEnvVars On
+
+ MellonSetEnvNoPrefix "REMOTE_USER" username
+ MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
+ MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
+ MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
+ MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
+ MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
+ </Location>
+
+ <Location /saml_login>
+ AuthType "Mellon"
+ MellonEnable "auth"
+ Require valid-user
+ </Location>
+
+ Include "conf.d/external-auth-remote-user-conf"
+ external-auth-load-modules-conf: |
+ LoadModule authnz_pam_module modules/mod_authnz_pam.so
+ LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
+ LoadModule auth_kerb_module modules/mod_auth_kerb.so
+ external-auth-login-form-conf: |
+ <Location /dashboard/external_authenticate>
+ InterceptFormPAMService httpd-auth
+ InterceptFormLogin user_name
+ InterceptFormPassword user_password
+ InterceptFormLoginSkip admin
+ InterceptFormClearRemoteUserForSkipped on
+ </Location>
+ external-auth-application-api-conf: |
+ <LocationMatch ^/api>
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
+
+ AuthType Basic
+ AuthName "External Authentication (httpd) for API"
+ AuthBasicProvider PAM
+
+ AuthPAMService httpd-auth
+ Require valid-user
+ Order Allow,Deny
+ Allow from env=let_admin_in
+ Allow from env=let_api_token_in
+ Allow from env=let_sys_token_in
+ Satisfy Any
+ </LocationMatch>
+ external-auth-lookup-user-details-conf: |
+ <LocationMatch ^/dashboard/external_authenticate$|^/dashboard/kerberos_authenticate$|^/api>
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ LookupUserAttr displayname REMOTE_USER_FULLNAME
+ LookupUserAttr domainname REMOTE_USER_DOMAIN
+
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ LookupDbusTimeout 5000
+ </LocationMatch>
+ external-auth-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
- apiVersion: v1
kind: ConfigMap
metadata:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
data:
auth-type: internal
+ auth-kerberos-realms: undefined
auth-configuration.conf: |
# External Authentication Configuration File
#
@@ -464,6 +625,20 @@ objects:
selector:
name: httpd
- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_DBUS_API_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server dbus api
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http-dbus-api
+ port: 8080
+ targetPort: 8080
+ selector:
+ name: httpd
+- apiVersion: v1
kind: DeploymentConfig
metadata:
name: "${HTTPD_SERVICE_NAME}"
@@ -497,6 +672,9 @@ objects:
image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
ports:
- containerPort: 80
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
livenessProbe:
exec:
command:
@@ -526,6 +704,11 @@ objects:
configMapKeyRef:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
key: auth-type
+ - name: HTTPD_AUTH_KERBEROS_REALMS
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-kerberos-realms
lifecycle:
postStart:
exec:
@@ -581,6 +764,11 @@ parameters:
displayName: Application Database Region
description: Database region that will be used for application.
value: '0'
+- name: APPLICATION_ADMIN_PASSWORD
+ displayName: Application Admin Password
+ required: true
+ description: Admin password that will be set on the application.
+ value: smartvm
- name: ANSIBLE_DATABASE_NAME
displayName: Ansible PostgreSQL database name
required: true
@@ -678,7 +866,7 @@ parameters:
- name: MEMCACHED_IMG_NAME
displayName: Memcached Image Name
description: This is the Memcached image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-memcached
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-memcached
- name: MEMCACHED_IMG_TAG
displayName: Memcached Image Tag
description: This is the Memcached image tag/version requested to deploy.
@@ -686,11 +874,11 @@ parameters:
- name: FRONTEND_APPLICATION_IMG_NAME
displayName: Frontend Application Image Name
description: This is the Frontend Application image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app-ui
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app-ui
- name: BACKEND_APPLICATION_IMG_NAME
displayName: Backend Application Image Name
description: This is the Backend Application image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app
- name: FRONTEND_APPLICATION_IMG_TAG
displayName: Front end Application Image Tag
description: This is the CloudForms Frontend Application image tag/version requested to deploy.
@@ -702,7 +890,7 @@ parameters:
- name: ANSIBLE_IMG_NAME
displayName: Ansible Image Name
description: This is the Ansible image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-embedded-ansible
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-embedded-ansible
- name: ANSIBLE_IMG_TAG
displayName: Ansible Image Tag
description: This is the Ansible image tag/version requested to deploy.
@@ -730,10 +918,15 @@ parameters:
displayName: Apache httpd Service Name
description: The name of the OpenShift Service exposed for the httpd container.
value: httpd
+- name: HTTPD_DBUS_API_SERVICE_NAME
+ required: true
+ displayName: Apache httpd DBus API Service Name
+ description: The name of httpd dbus api service.
+ value: httpd-dbus-api
- name: HTTPD_IMG_NAME
displayName: Apache httpd Image Name
description: This is the httpd image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-httpd
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd
- name: HTTPD_IMG_TAG
displayName: Apache httpd Image Tag
description: This is the httpd image tag/version requested to deploy.
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-template.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-template.yaml
index d7c9f5af7..5c757b6c2 100644
--- a/roles/openshift_management/files/templates/cloudforms/cfme-template.yaml
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-template.yaml
@@ -31,6 +31,7 @@ objects:
name: "${NAME}-secrets"
stringData:
pg-password: "${DATABASE_PASSWORD}"
+ admin-password: "${APPLICATION_ADMIN_PASSWORD}"
database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
v2-key: "${V2_KEY}"
- apiVersion: v1
@@ -128,18 +129,173 @@ objects:
<VirtualHost *:80>
KeepAlive on
+ # Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
+ ServerName https://%{REQUEST_HOST}
+
ProxyPreserveHost on
- ProxyPass /ws/ ws://${NAME}/ws/
- ProxyPassReverse /ws/ ws://${NAME}/ws/
- ProxyPass / http://${NAME}/
+
+ RewriteCond %{REQUEST_URI} ^/ws [NC]
+ RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
+ RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
+
+ # For httpd, some ErrorDocuments must by served by the httpd pod
+ RewriteCond %{REQUEST_URI} !^/proxy_pages
+
+ # For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
+ RewriteCond %{REQUEST_URI} !^/saml2
+ RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
ProxyPassReverse / http://${NAME}/
+
+ # Ensures httpd stdout/stderr are seen by docker logs.
+ ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
+ CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
</VirtualHost>
+ authentication.conf: |
+ # Load appropriate authentication configuration files
+ #
+ Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
+ configuration-internal-auth: |
+ # Internal authentication
+ #
+ configuration-external-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/http.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-active-directory-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/krb5.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-saml-auth: |
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+ <Location />
+ MellonEnable "info"
+
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
+ MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
+ MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
+
+ MellonVariable "sp-cookie"
+ MellonSecureCookie On
+ MellonCookiePath "/"
+
+ MellonIdP "IDP"
+
+ MellonEndpointPath "/saml2"
+
+ MellonUser username
+ MellonMergeEnvVars On
+
+ MellonSetEnvNoPrefix "REMOTE_USER" username
+ MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
+ MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
+ MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
+ MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
+ MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
+ </Location>
+
+ <Location /saml_login>
+ AuthType "Mellon"
+ MellonEnable "auth"
+ Require valid-user
+ </Location>
+
+ Include "conf.d/external-auth-remote-user-conf"
+ external-auth-load-modules-conf: |
+ LoadModule authnz_pam_module modules/mod_authnz_pam.so
+ LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
+ LoadModule auth_kerb_module modules/mod_auth_kerb.so
+ external-auth-login-form-conf: |
+ <Location /dashboard/external_authenticate>
+ InterceptFormPAMService httpd-auth
+ InterceptFormLogin user_name
+ InterceptFormPassword user_password
+ InterceptFormLoginSkip admin
+ InterceptFormClearRemoteUserForSkipped on
+ </Location>
+ external-auth-application-api-conf: |
+ <LocationMatch ^/api>
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
+
+ AuthType Basic
+ AuthName "External Authentication (httpd) for API"
+ AuthBasicProvider PAM
+
+ AuthPAMService httpd-auth
+ Require valid-user
+ Order Allow,Deny
+ Allow from env=let_admin_in
+ Allow from env=let_api_token_in
+ Allow from env=let_sys_token_in
+ Satisfy Any
+ </LocationMatch>
+ external-auth-lookup-user-details-conf: |
+ <LocationMatch ^/dashboard/external_authenticate$|^/dashboard/kerberos_authenticate$|^/api>
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ LookupUserAttr displayname REMOTE_USER_FULLNAME
+ LookupUserAttr domainname REMOTE_USER_DOMAIN
+
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ LookupDbusTimeout 5000
+ </LocationMatch>
+ external-auth-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
- apiVersion: v1
kind: ConfigMap
metadata:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
data:
auth-type: internal
+ auth-kerberos-realms: undefined
auth-configuration.conf: |
# External Authentication Configuration File
#
@@ -203,15 +359,15 @@ objects:
- name: cloudforms
image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
livenessProbe:
- tcpSocket:
- port: 80
+ exec:
+ command:
+ - pidof
+ - MIQ Server
initialDelaySeconds: 480
timeoutSeconds: 3
readinessProbe:
- httpGet:
- path: "/"
+ tcpSocket:
port: 80
- scheme: HTTP
initialDelaySeconds: 200
timeoutSeconds: 3
ports:
@@ -239,6 +395,11 @@ objects:
secretKeyRef:
name: "${NAME}-secrets"
key: v2-key
+ - name: APPLICATION_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: admin-password
- name: ANSIBLE_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
@@ -611,6 +772,20 @@ objects:
selector:
name: httpd
- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_DBUS_API_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server dbus api
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http-dbus-api
+ port: 8080
+ targetPort: 8080
+ selector:
+ name: httpd
+- apiVersion: v1
kind: DeploymentConfig
metadata:
name: "${HTTPD_SERVICE_NAME}"
@@ -644,6 +819,9 @@ objects:
image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
ports:
- containerPort: 80
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
livenessProbe:
exec:
command:
@@ -673,6 +851,11 @@ objects:
configMapKeyRef:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
key: auth-type
+ - name: HTTPD_AUTH_KERBEROS_REALMS
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-kerberos-realms
lifecycle:
postStart:
exec:
@@ -718,6 +901,11 @@ parameters:
displayName: Application Database Region
description: Database region that will be used for application.
value: '0'
+- name: APPLICATION_ADMIN_PASSWORD
+ displayName: Application Admin Password
+ required: true
+ description: Admin password that will be set on the application.
+ value: smartvm
- name: ANSIBLE_DATABASE_NAME
displayName: Ansible PostgreSQL database name
required: true
@@ -842,7 +1030,7 @@ parameters:
- name: POSTGRESQL_IMG_NAME
displayName: PostgreSQL Image Name
description: This is the PostgreSQL image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql
- name: POSTGRESQL_IMG_TAG
displayName: PostgreSQL Image Tag
description: This is the PostgreSQL image tag/version requested to deploy.
@@ -850,7 +1038,7 @@ parameters:
- name: MEMCACHED_IMG_NAME
displayName: Memcached Image Name
description: This is the Memcached image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-memcached
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-memcached
- name: MEMCACHED_IMG_TAG
displayName: Memcached Image Tag
description: This is the Memcached image tag/version requested to deploy.
@@ -858,11 +1046,11 @@ parameters:
- name: FRONTEND_APPLICATION_IMG_NAME
displayName: Frontend Application Image Name
description: This is the Frontend Application image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app-ui
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app-ui
- name: BACKEND_APPLICATION_IMG_NAME
displayName: Backend Application Image Name
description: This is the Backend Application image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app
- name: FRONTEND_APPLICATION_IMG_TAG
displayName: Front end Application Image Tag
description: This is the CloudForms Frontend Application image tag/version requested to deploy.
@@ -874,7 +1062,7 @@ parameters:
- name: ANSIBLE_IMG_NAME
displayName: Ansible Image Name
description: This is the Ansible image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-embedded-ansible
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-embedded-ansible
- name: ANSIBLE_IMG_TAG
displayName: Ansible Image Tag
description: This is the Ansible image tag/version requested to deploy.
@@ -907,10 +1095,15 @@ parameters:
displayName: Apache httpd Service Name
description: The name of the OpenShift Service exposed for the httpd container.
value: httpd
+- name: HTTPD_DBUS_API_SERVICE_NAME
+ required: true
+ displayName: Apache httpd DBus API Service Name
+ description: The name of httpd dbus api service.
+ value: httpd-dbus-api
- name: HTTPD_IMG_NAME
displayName: Apache httpd Image Name
description: This is the httpd image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-httpd
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd
- name: HTTPD_IMG_TAG
displayName: Apache httpd Image Tag
description: This is the httpd image tag/version requested to deploy.
diff --git a/roles/openshift_metrics/tasks/oc_apply.yaml b/roles/openshift_metrics/tasks/oc_apply.yaml
index 057963c1a..30fdde94c 100644
--- a/roles/openshift_metrics/tasks/oc_apply.yaml
+++ b/roles/openshift_metrics/tasks/oc_apply.yaml
@@ -16,9 +16,7 @@
apply -f {{ file_name }}
-n {{namespace}}
register: generation_apply
- failed_when:
- - "'error' in generation_apply.stderr"
- - "generation_apply.rc != 0"
+ failed_when: "'error' in generation_apply.stderr or (generation_apply.rc | int != 0)"
changed_when: no
- name: Determine change status of {{file_content.kind}} {{file_content.metadata.name}}
@@ -30,7 +28,5 @@
register: version_changed
vars:
init_version: "{{ (generation_init is defined) | ternary(generation_init.stdout, '0') }}"
- failed_when:
- - "'error' in version_changed.stderr"
- - "version_changed.rc != 0"
+ failed_when: "'error' in version_changed.stderr or version_changed.rc | int != 0"
changed_when: version_changed.stdout | int > init_version | int
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index 754ecacaf..f56f24e12 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -14,33 +14,11 @@
#### Disable SWAP #####
# https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory
-- name: Check for swap usage
- command: grep "^[^#].*swap" /etc/fstab
- # grep: match any lines which don't begin with '#' and contain 'swap'
- changed_when: false
- failed_when: false
- register: swap_result
-
-- when:
- - swap_result.stdout_lines | length > 0
- - openshift_disable_swap | default(true) | bool
- block:
- - name: Disable swap
- command: swapoff --all
-
- - name: Remove swap entries from /etc/fstab
- replace:
- dest: /etc/fstab
- regexp: '(^[^#].*swap.*)'
- replace: '# \1'
- backup: yes
-
- - name: Add notice about disabling swap
- lineinfile:
- dest: /etc/fstab
- line: '# OpenShift-Ansible Installer disabled swap per overcommit guidelines'
- state: present
-#### End Disable Swap Block ####
+# swapoff is a custom module in lib_utils that comments out swap entries in
+# /etc/fstab and runs swapoff -a, if necessary.
+- name: Disable swap
+ swapoff: {}
+ when: openshift_disable_swap | default(true) | bool
- name: include node installer
include_tasks: install.yml
diff --git a/roles/openshift_node/tasks/upgrade/config_changes.yml b/roles/openshift_node/tasks/upgrade/config_changes.yml
index dd9183382..15ac76f7d 100644
--- a/roles/openshift_node/tasks/upgrade/config_changes.yml
+++ b/roles/openshift_node/tasks/upgrade/config_changes.yml
@@ -27,28 +27,12 @@
path: "/var/lib/cni/networks/openshift-sdn/"
state: absent
-# Disable Swap Block (pre)
-- block:
- - name: Remove swap entries from /etc/fstab
- replace:
- dest: /etc/fstab
- regexp: '(^[^#].*swap.*)'
- replace: '# \1'
- backup: yes
-
- - name: Add notice about disabling swap
- lineinfile:
- dest: /etc/fstab
- line: '# OpenShift-Ansible Installer disabled swap per overcommit guidelines'
- state: present
-
- - name: Disable swap
- command: swapoff --all
-
- when:
- - openshift_node_upgrade_swap_result | default(False) | bool
- - openshift_disable_swap | default(true) | bool
-# End Disable Swap Block
+# https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory
+# swapoff is a custom module in lib_utils that comments out swap entries in
+# /etc/fstab and runs swapoff -a, if necessary.
+- name: Disable swap
+ swapoff: {}
+ when: openshift_disable_swap | default(true) | bool
- name: Apply 3.6 dns config changes
yedit:
diff --git a/roles/openshift_node/tasks/upgrade_pre.yml b/roles/openshift_node/tasks/upgrade_pre.yml
index 3ae7dc6b6..aa1a75100 100644
--- a/roles/openshift_node/tasks/upgrade_pre.yml
+++ b/roles/openshift_node/tasks/upgrade_pre.yml
@@ -41,16 +41,3 @@
vars:
openshift_version: "{{ openshift_pkg_version | default('') }}"
when: not openshift_is_containerized | bool
-
-# https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory
-- name: Check for swap usage
- command: grep "^[^#].*swap" /etc/fstab
- # grep: match any lines which don't begin with '#' and contain 'swap'
- changed_when: false
- failed_when: false
- register: swap_result
-
-# Set this fact here so we can use it during the next play, which is serial.
-- name: set_fact swap_result
- set_fact:
- openshift_node_upgrade_swap_result: "{{ swap_result.stdout_lines | length > 0 | bool }}"
diff --git a/roles/openshift_node/templates/node.service.j2 b/roles/openshift_node/templates/node.service.j2
index 777f4a449..7405cfd73 100644
--- a/roles/openshift_node/templates/node.service.j2
+++ b/roles/openshift_node/templates/node.service.j2
@@ -6,7 +6,7 @@ After=ovsdb-server.service
After=ovs-vswitchd.service
Wants={{ openshift_docker_service_name }}.service
Documentation=https://github.com/openshift/origin
-Requires=dnsmasq.service
+Wants=dnsmasq.service
After=dnsmasq.service
{% if openshift_use_crio | bool %}Wants=cri-o.service{% endif %}
diff --git a/roles/openshift_node/templates/openshift.docker.node.service b/roles/openshift_node/templates/openshift.docker.node.service
index ae7b147a6..23823e3e5 100644
--- a/roles/openshift_node/templates/openshift.docker.node.service
+++ b/roles/openshift_node/templates/openshift.docker.node.service
@@ -13,7 +13,7 @@ After=ovs-vswitchd.service
Wants={{ openshift_service_type }}-master.service
Requires={{ openshift_service_type }}-node-dep.service
After={{ openshift_service_type }}-node-dep.service
-Requires=dnsmasq.service
+Wants=dnsmasq.service
After=dnsmasq.service
[Service]
diff --git a/roles/openshift_provisioners/tasks/oc_apply.yaml b/roles/openshift_provisioners/tasks/oc_apply.yaml
index 239e1f1cc..27c8a4b81 100644
--- a/roles/openshift_provisioners/tasks/oc_apply.yaml
+++ b/roles/openshift_provisioners/tasks/oc_apply.yaml
@@ -15,9 +15,7 @@
apply -f {{ file_name }}
-n {{ namespace }}
register: generation_apply
- failed_when:
- - "'error' in generation_apply.stderr"
- - "generation_apply.rc != 0"
+ failed_when: "'error' in generation_apply.stderr or generation_apply.rc != 0"
changed_when: no
- name: Determine change status of {{file_content.kind}} {{file_content.metadata.name}}
@@ -38,9 +36,7 @@
delete -f {{ file_name }}
-n {{ namespace }}
register: generation_delete
- failed_when:
- - "'error' in generation_delete.stderr"
- - "generation_delete.rc != 0"
+ failed_when: "'error' in generation_delete.stderr or generation_delete.rc != 0"
changed_when: generation_delete.rc == 0
when: generation_apply.rc != 0
@@ -50,8 +46,6 @@
apply -f {{ file_name }}
-n {{ namespace }}
register: generation_apply
- failed_when:
- - "'error' in generation_apply.stderr"
- - "generation_apply.rc != 0"
+ failed_when: "'error' in generation_apply.stderr or generation_apply.rc | int != 0"
changed_when: generation_apply.rc == 0
when: generation_apply.rc != 0
diff --git a/roles/openshift_service_catalog/templates/api_server.j2 b/roles/openshift_service_catalog/templates/api_server.j2
index e345df32c..a18d29ef0 100644
--- a/roles/openshift_service_catalog/templates/api_server.j2
+++ b/roles/openshift_service_catalog/templates/api_server.j2
@@ -49,7 +49,7 @@ spec:
- OriginatingIdentity=true
image: {{ openshift_service_catalog_image_prefix }}service-catalog:{{ openshift_service_catalog_image_version }}
command: ["/usr/bin/service-catalog"]
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
name: apiserver
ports:
- containerPort: 6443
diff --git a/roles/openshift_service_catalog/templates/controller_manager.j2 b/roles/openshift_service_catalog/templates/controller_manager.j2
index c61e05f73..6d3ee7d01 100644
--- a/roles/openshift_service_catalog/templates/controller_manager.j2
+++ b/roles/openshift_service_catalog/templates/controller_manager.j2
@@ -44,7 +44,7 @@ spec:
{% endif %}
image: {{ openshift_service_catalog_image_prefix }}service-catalog:{{ openshift_service_catalog_image_version }}
command: ["/usr/bin/service-catalog"]
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
name: controller-manager
ports:
- containerPort: 8080
diff --git a/roles/openshift_storage_nfs/templates/exports.j2 b/roles/openshift_storage_nfs/templates/exports.j2
index 2ec8db019..13bd5370c 100644
--- a/roles/openshift_storage_nfs/templates/exports.j2
+++ b/roles/openshift_storage_nfs/templates/exports.j2
@@ -1,8 +1,8 @@
-{{ openshift_hosted_registry_storage_nfs_directory }}/{{ openshift_hosted_registry_storage_volume_name }} {{ openshift_hosted_registry_storage_nfs_options }}
-{{ openshift_metrics_storage_nfs_directory }}/{{ openshift_metrics_storage_volume_name }} {{ openshift_metrics_storage_nfs_options }}
-{{ openshift_logging_storage_nfs_directory }}/{{ openshift_logging_storage_volume_name }} {{ openshift_logging_storage_nfs_options }}
-{{ openshift_loggingops_storage_nfs_directory }}/{{ openshift_loggingops_storage_volume_name }} {{ openshift_loggingops_storage_nfs_options }}
-{{ openshift_hosted_etcd_storage_nfs_directory }}/{{ openshift_hosted_etcd_storage_volume_name }} {{ openshift_hosted_etcd_storage_nfs_options }}
-{{ openshift_prometheus_storage_nfs_directory }}/{{ openshift_prometheus_storage_volume_name }} {{ openshift_prometheus_storage_nfs_options }}
-{{ openshift_prometheus_alertmanager_storage_nfs_directory }}/{{ openshift_prometheus_alertmanager_storage_volume_name }} {{ openshift_prometheus_alertmanager_storage_nfs_options }}
-{{ openshift_prometheus_alertbuffer_storage_nfs_directory }}/{{ openshift_prometheus_alertbuffer_storage_volume_name }} {{ openshift_prometheus_alertbuffer_storage_nfs_options }}
+"{{ openshift_hosted_registry_storage_nfs_directory }}/{{ openshift_hosted_registry_storage_volume_name }}" {{ openshift_hosted_registry_storage_nfs_options }}
+"{{ openshift_metrics_storage_nfs_directory }}/{{ openshift_metrics_storage_volume_name }}" {{ openshift_metrics_storage_nfs_options }}
+"{{ openshift_logging_storage_nfs_directory }}/{{ openshift_logging_storage_volume_name }}" {{ openshift_logging_storage_nfs_options }}
+"{{ openshift_loggingops_storage_nfs_directory }}/{{ openshift_loggingops_storage_volume_name }}" {{ openshift_loggingops_storage_nfs_options }}
+"{{ openshift_hosted_etcd_storage_nfs_directory }}/{{ openshift_hosted_etcd_storage_volume_name }}" {{ openshift_hosted_etcd_storage_nfs_options }}
+"{{ openshift_prometheus_storage_nfs_directory }}/{{ openshift_prometheus_storage_volume_name }}" {{ openshift_prometheus_storage_nfs_options }}
+"{{ openshift_prometheus_alertmanager_storage_nfs_directory }}/{{ openshift_prometheus_alertmanager_storage_volume_name }}" {{ openshift_prometheus_alertmanager_storage_nfs_options }}
+"{{ openshift_prometheus_alertbuffer_storage_nfs_directory }}/{{ openshift_prometheus_alertbuffer_storage_volume_name }}" {{ openshift_prometheus_alertbuffer_storage_nfs_options }}