author | Areli, Fuss (af732p) <af732p@att.com> | 2018-05-24 11:24:40 +0300 |
---|---|---|
committer | Areli, Fuss (af732p) <af732p@att.com> | 2018-05-24 13:27:31 +0300 |
commit | f000e1cad7775e37da61b71773d60b40b9254478 (patch) | |
tree | 3f342cb71f58b43c47bcfb1bbbc6e919d17c5806 /ansible/roles/ansible-vvp-templates | |
parent | 61bb1d8b6a20fec9235ca5b5af0174ad1c85aa67 (diff) |
Alignment of VVP devkit
Alignment of VVP devkit,
including replacement of uWSGI
with gunicorn
Change-Id: I9c42783c9965c5f6f005615e88899a301d334e22
Issue-ID: VVP-60
Signed-off-by: Areli, Fuss (af732p) <af732p@att.com>
Diffstat (limited to 'ansible/roles/ansible-vvp-templates')
23 files changed, 253 insertions, 138 deletions
diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml index 05c15d2..c0559a2 100644 --- a/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml +++ b/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml @@ -43,20 +43,13 @@ metadata: name: ci-settings namespace: default data: - uwsgi.ini: | - [uwsgi] - uwsgi-socket = :80 - http = :8282 - plugin = python - chdir = /app - module = web.wsgi:application - master = True - pidfile = /tmp/project-master.pid - vacuum = True - max-requests = 5000 - enable-threads = True - stats = 0.0.0.0:9000 - stats-http = True + gunicorn.ini: | + bind = ":8282" + chdir = '/app' + pidfile = '/tmp/ice-project-master.pid' + backlog = '5000' + errorlog = '-' + loglevel = 'info' __init__.py: | import os from datetime import datetime @@ -68,6 +61,9 @@ data: ICE_ENVIRONMENT = os.environ['ICE_ENVIRONMENT'] PROGRAM_NAME_URL_PREFIX = os.environ['PROGRAM_NAME_URL_PREFIX'] + SERVICE_PROVIDER = os.environ['SERVICE_PROVIDER'] + PROGRAM_NAME = os.environ['PROGRAM_NAME'] + SERVICE_PROVIDER_DOMAIN = os.environ['SERVICE_PROVIDER_DOMAIN'] # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/ SECRET_KEY = os.environ["SECRET_KEY"] @@ -290,7 +286,7 @@ data: # ICE-CI Related Configuration ############################# ICE_CONTACT_FROM_ADDRESS = os.getenv('ICE_CONTACT_FROM_ADDRESS') - ICE_CONTACT_EMAILS = list(os.getenv('ICE_CONTACT_EMAILS') + ICE_CONTACT_EMAILS = list(os.getenv('ICE_CONTACT_EMAILS','user@example.com').split(',')) ICE_CI_ENVIRONMENT_NAME = os.getenv('ICE_CI_ENVIRONMENT_NAME', 'Dev') # Dev / Docker / Staging ICE_EM_URL = "{domain}/{prefix}".format(domain=os.environ['ICE_EM_DOMAIN_NAME'], prefix=PROGRAM_NAME_URL_PREFIX) ICE_PORTAL_URL = os.environ['ICE_DOMAIN'] 
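Review bot: In the new `gunicorn.ini`, `backlog = '5000'` takes the place of uWSGI's `max-requests = 5000`, but the two settings are not equivalent: `backlog` sizes the pending-connection queue, while the old value recycled a worker after 5000 requests. If worker recycling is still wanted, the gunicorn setting is `max_requests = 5000`, and `backlog` is better written as an integer. The file also sets no `workers` or `timeout`, so the service runs on gunicorn's defaults (a single worker, unless the entrypoint overrides it, which is not visible here). The same block is added in cms-configmap.yaml and em-configmap.yaml.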
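Review bot: With the new default in `ICE_CONTACT_EMAILS`, an unset variable is never reported: contact mail is addressed to the placeholder `user@example.com` and nobody sees the misconfiguration. The entries are also not stripped, so a value like `a@x, b@x` yields an address with a leading space, unlike the em-configmap.yaml version of this line. Consider `ICE_CONTACT_EMAILS = [s.strip() for s in os.getenv('ICE_CONTACT_EMAILS', '').split(',') if s.strip()]` and a startup warning when the list is empty. The em-configmap.yaml hunk introduces the same placeholder default.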
diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/cms-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/cms-configmap.yaml index 4aedece..00541af 100644 --- a/ansible/roles/ansible-vvp-templates/files/configmaps/cms-configmap.yaml +++ b/ansible/roles/ansible-vvp-templates/files/configmaps/cms-configmap.yaml @@ -43,19 +43,13 @@ metadata: name: cms-settings namespace: default data: - uwsgi.ini: | - [uwsgi] - uwsgi-socket = :80 - plugin = python - chdir = /srv - module = cms.wsgi:application - master = True - pidfile = /tmp/project-master.pid - vacuum = True - max-requests = 5000 - enable-threads = True - stats = 0.0.0.0:9000 - stats-http = True + gunicorn.ini: | + bind = ":80" + chdir = '/srv' + pidfile = '/tmp/ice-project-master.pid' + backlog = '5000' + errorlog = '-' + loglevel = 'info' __init__.py: | from __future__ import absolute_import, unicode_literals import os diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml index 79ad7b2..8068744 100644 --- a/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml +++ b/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml @@ -43,19 +43,14 @@ metadata: name: em-settings namespace: default data: - uwsgi.ini: | - [uwsgi] - uwsgi-socket = :80 - plugin = python - chdir = /srv - module = vvp.wsgi:application - master = True - pidfile = /tmp/project-master.pid - vacuum = True - max-requests = 5000 - enable-threads = True - stats = 0.0.0.0:9000 - stats-http = True + gunicorn.ini: | + bind = ":80" + chdir = '/srv' + pidfile = '/tmp/ice-project-master.pid' + backlog = '5000' + errorlog = '-' + loglevel = 'info' + __init__.py: | """ Django settings for VVP project. 
@@ -93,7 +88,10 @@ data: ENVIRONMENT = os.environ['ENVIRONMENT'] PROGRAM_NAME_URL_PREFIX = os.environ['PROGRAM_NAME_URL_PREFIX'] - + SERVICE_PROVIDER = os.environ['SERVICE_PROVIDER'] + PROGRAM_NAME = os.environ['PROGRAM_NAME'] + SERVICE_PROVIDER_DOMAIN = os.environ['SERVICE_PROVIDER_DOMAIN'] + # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/ SECRET_KEY = os.environ["SECRET_KEY"] @@ -305,7 +303,7 @@ data: # VVP Related Configuration ############################# CONTACT_FROM_ADDRESS = os.getenv('CONTACT_FROM_ADDRESS', 'dummy@example.com') - CONTACT_EMAILS = [s.strip() for s in os.getenv('CONTACT_EMAILS', 'dummy@example.com') + CONTACT_EMAILS = [s.strip() for s in os.getenv('CONTACT_EMAILS', 'user@example.com').split(',') if s] DOMAIN = os.getenv('EM_DOMAIN_NAME') TOKEN_EXPIRATION_IN_HOURS = 48 DAILY_SCHEDULED_JOB_HOUR = 20 diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/imagescanner-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/imagescanner-configmap.yaml new file mode 100644 index 0000000..23c2be8 --- /dev/null +++ b/ansible/roles/ansible-vvp-templates/files/configmaps/imagescanner-configmap.yaml 
@@ -0,0 +1,28 @@ +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: imagescanner-settings + namespace: default +data: + imagescannerconfig.py: | + import os + from pathlib import Path + from awsauth import S3Auth + # A mapping from host names to Requests Authentication Objects; see + # http://docs.python-requests.org/en/master/user/authentication/ + AUTHS = {} + if 'S3_HOST' in os.environ: + AUTHS[os.environ['S3_HOST']] = S3Auth( + os.environ['AWS_ACCESS_KEY_ID'], + os.environ['AWS_SECRET_ACCESS_KEY'], + service_url='https://%s/' % os.environ['S3_HOST'] + ) + LOGS_PATH = Path(os.environ['IMAGESCANNER_LOGS_PATH']) + STATUSFILE = LOGS_PATH/'status.txt' + # A dict passed as kwargs to jenkins.Jenkins constructor. + JENKINS = { + 'url': 'http://jenkins:8080', + 'username': 'admin', + 'password': os.environ['SECRET_JENKINS_PASSWORD'], + } diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-cms-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-cms-configmap.yaml index 89adf32..638d248 100644 --- a/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-cms-configmap.yaml +++ b/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-cms-configmap.yaml @@ -58,8 +58,12 @@ data: client_max_body_size 75M; # adjust to taste location / { - uwsgi_pass cms_upstream; - include /etc/nginx/uwsgi_params; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $http_host; + proxy_redirect off; + + proxy_pass http://cms-uwsgi; } } server { diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-em-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-em-configmap.yaml index 0d7b279..52e208e 100644 --- a/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-em-configmap.yaml +++ b/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-em-configmap.yaml 
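Review bot: The `JENKINS` dict sends the `admin` account's password to `http://jenkins:8080`, so the credential crosses the cluster network in clear text and every consumer of this module acts with Jenkins administrator rights. A dedicated low-privilege Jenkins user with an API token would limit what a compromised scanner container can do; the username could come from the environment as the password does, for example `'username': os.environ.get('JENKINS_USERNAME', 'admin'),` (variable name is a suggestion). Separately, `os.environ['SECRET_JENKINS_PASSWORD']` raises `KeyError` at import time when unset, which appears to be why the deployment defines an empty password for containers that do not use Jenkins; a comment next to the dict saying so would help.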
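Review bot: `proxy_set_header X-Forwarded-Proto https;` asserts HTTPS for every request regardless of how it reached nginx, in this `location /` block and in the matching nginx-em-configmap.yaml hunk. If the Django settings trust this header (for example through `SECURE_PROXY_SSL_HEADER`, not visible here), a plain-HTTP request that reaches port 80 without passing the TLS terminator is treated as secure. Either forward the scheme reported by the front proxy, or add a comment stating that this server is only reachable behind the HTTPS-terminating haproxy. `Host $http_host` forwards the client-supplied Host header unchanged, so `ALLOWED_HOSTS` has to stay restrictive. This file now proxies to `http://cms-uwsgi` while the em file keeps `http://em_upstream`; if a `cms_upstream` block still exists outside the hunk it is now unused.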
@@ -56,10 +56,14 @@ data: listen 80; charset utf-8; client_max_body_size 75M; # adjust to taste - + location / { - uwsgi_pass em_upstream; - include /etc/nginx/uwsgi_params; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $http_host; + proxy_redirect off; + + proxy_pass http://em_upstream; } } diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/portal-nginx-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/portal-nginx-configmap.yaml deleted file mode 100644 index 4d0e4e8..0000000 --- a/ansible/roles/ansible-vvp-templates/files/configmaps/portal-nginx-configmap.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -# -*- encoding: utf-8 -*- -# ============LICENSE_START======================================================= -# org.onap.vvp/engagementmgr -# =================================================================== -# Copyright © 2017 AT&T Intellectual Property. All rights reserved. -# =================================================================== -# -# Unless otherwise specified, all software contained herein is licensed -# under the Apache License, Version 2.0 (the “License”); -# you may not use this software except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# -# -# Unless otherwise specified, all documentation contained herein is licensed -# under the Creative Commons License, Attribution 4.0 Intl. (the “License”); -# you may not use this documentation except in compliance with the License. -# You may obtain a copy of the License at -# -# https://creativecommons.org/licenses/by/4.0/ -# -# Unless required by applicable law or agreed to in writing, documentation -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# ============LICENSE_END============================================ -# -# ECOMP is a trademark and service mark of AT&T Intellectual Property. 
---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: portal-nginx-config - namespace: default -data: - file: | - pid /nginx.pid; - error_log /dev/stdout warn; - - http { - access_log /dev/stdout; - server { - listen 0.0.0.0:8181; - - location / { - include /etc/nginx/mime.types; - root /usr/share/nginx/html/; - } - - } - - } - - events { - worker_connections 4096; - } diff --git a/ansible/roles/ansible-vvp-templates/tasks/render.yml b/ansible/roles/ansible-vvp-templates/tasks/render.yml index ec6900d..aed9593 100644 --- a/ansible/roles/ansible-vvp-templates/tasks/render.yml +++ b/ansible/roles/ansible-vvp-templates/tasks/render.yml @@ -55,7 +55,6 @@ dest: "{{k8_config_dir}}/{{item|dirname|basename}}/{{item|basename|splitext|first}}" with_fileglob: - ../templates/configmaps/* - - ../templates/jobs/* - ../templates/deployments/* - ../templates/secrets/* - ../templates/services/* diff --git a/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2 index 3fd9055..8b9012c 100644 --- a/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2 @@ -95,7 +95,7 @@ data: frontend portal mode http redirect scheme https if !{ ssl_fc } - acl is_api_call path_beg -i /ice + acl is_api_call path_beg -i /vvp acl is_s3 hdr_beg(host) s3. staging-s3. dev-s3. use_backend api if is_api_call use_backend s3 if is_s3 diff --git a/ansible/roles/ansible-vvp-templates/templates/configmaps/portal-nginx-configmap.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/configmaps/portal-nginx-configmap.yaml.j2 new file mode 100644 index 0000000..34cc2d3 --- /dev/null +++ b/ansible/roles/ansible-vvp-templates/templates/configmaps/portal-nginx-configmap.yaml.j2 
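Review bot: The ACL `acl is_api_call path_beg -i /vvp` hard-codes the prefix that the deployments in this same commit make configurable through `{{program_name_url_prefix}}`. With any other prefix value, API requests stop matching `is_api_call` and are routed by whatever rule the frontend applies next. Since this file is a Jinja template, `acl is_api_call path_beg -i /{{program_name_url_prefix}}` keeps the two in step. The rest of the `frontend portal` section is outside the hunk.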
@@ -0,0 +1,39 @@ +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: portal-nginx-config + namespace: default +data: + file: | + pid /nginx.pid; + error_log /dev/stdout warn; + + http { + access_log /dev/stdout; + server { + listen 0.0.0.0:8181; + + location / { + include /etc/nginx/mime.types; + root /usr/share/nginx/html/; + } + + } + + } + + events { + worker_connections 4096; + } + + service_provider.json: | + { + "serviceProvider": { + "name": "{{service_provider}}" + }, + "program": { + "name": "{{program_name}}" + } + } + diff --git a/ansible/roles/ansible-vvp-templates/templates/configmaps/site-certificate-configmap.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/configmaps/site-certificate-configmap.yaml.j2 new file mode 100644 index 0000000..2d56741 --- /dev/null +++ b/ansible/roles/ansible-vvp-templates/templates/configmaps/site-certificate-configmap.yaml.j2 @@ -0,0 +1,30 @@ +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: site-certificate + namespace: default +data: + site.crt: | + {{ site_pem_cert|indent }} + wrapper.sh: | + #!/bin/sh + # This script is meant to be used as a wrapper, so that it can be easily + # used with docker or kubernetes' container command specification. + # + # Kubernetes' volumeMount creates symlinks for configMapped files at the + # target directory. + # Alpine's update-ca-certificates ignores symlinks. + # So we must contrive to copy the contents of the mounted cert (a symlink) + # into place as a normal file. + dev_cert="${0%/*}/site.crt" + echo >&2 "$0: Checking for site CA certificate at $dev_cert..." + if [ -s "$dev_cert" ]; then + echo >&2 "$0: Updating container CA certificate bundle with site certificate..." + cp -L "$dev_cert" /usr/local/share/ca-certificates/ + update-ca-certificates + else + echo >&2 "$0: No site CA certificate found." + fi + echo >&2 "$0: Launching command: $@" + exec "$@" 
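Review bot: In `service_provider.json` the values are pasted between quotes as `"name": "{{service_provider}}"`, so a provider or program name containing `"` or `\` produces invalid or altered JSON for the portal. Let the filter do the quoting: `"name": {{ service_provider | to_json }}` and `"name": {{ program_name | to_json }}`. The nginx part of this ConfigMap is carried over unchanged from the deleted static file.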
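Review bot: `wrapper.sh` ignores the exit status of `cp -L` and `update-ca-certificates`, so when the trust-store update fails the wrapped command still starts and the problem only surfaces later as TLS verification errors. Failing early is clearer, for example `cp -L "$dev_cert" /usr/local/share/ca-certificates/ && update-ca-certificates || { echo >&2 "$0: CA update failed"; exit 1; }`. The line `echo >&2 "$0: Launching command: $@"` writes the full argument list to the container log; a comment such as `# do not pass secrets as arguments, they are logged here` would document that.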
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2 index 6771b1f..8b14661 100644 --- a/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2 @@ -48,9 +48,11 @@ spec: labels: run: gitlab spec: + imagePullSecrets: + - name: onapkey containers: - name: gitlab - image: {{container_uri}}rkt-gitlab:{{container_tag}} + image: {{container_uri}}gitlab:{{container_tag}} ports: - containerPort: 80 - containerPort: 22 diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2 index e78bfc9..bd5c10f 100644 --- a/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2 @@ -48,9 +48,11 @@ spec: labels: run: postgresql spec: + imagePullSecrets: + - name: onapkey containers: - name: postgresql - image: {{container_uri}}rkt-postgresql:{{container_tag}} + image: {{container_uri}}postgresql:{{container_tag}} ports: - containerPort: 5432 volumeMounts: diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2 index 98a04b5..44e78e1 100644 --- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2 
@@ -57,9 +57,11 @@ spec: hostPath: path: /var/devenv/ice-ci/ {% endif %} + imagePullSecrets: + - name: onapkey containers: - name: ci-uwsgi - image: {{container_uri}}rkt-ice-ci:{{container_tag}} + image: {{container_uri}}test-engine:{{container_tag}} ports: - containerPort: 80 - containerPort: 8282 @@ -77,7 +79,13 @@ spec: - name: ICE_ENVIRONMENT value: "{{ice_environment}}" - name: PROGRAM_NAME_URL_PREFIX - value: "ice" + value: "{{program_name_url_prefix}}" + - name: SERVICE_PROVIDER + value: "{{service_provider}}" + - name: PROGRAM_NAME + value: "{{program_name}}" + - name: SERVICE_PROVIDER_DOMAIN + value: "{{service_provider_domain}}" - name: SECRET_KEY valueFrom: secretKeyRef: {name: em-secret, key: key} @@ -158,7 +166,7 @@ spec: initialDelaySeconds: 90 periodSeconds: 15 {% endif %} - command: ["/app/docker-entrypoint.sh", "/usr/local/bin/uwsgi", "--ini", "/opt/configmaps/settings/uwsgi.ini", "--static-map", "/static=/app/htdocs" {% if devenv is defined %}, "--py-auto-reload" , "3"{% endif %}] + command: ["/app/docker-entrypoint.sh", "/usr/local/bin/gunicorn", "-c", "/opt/configmaps/settings/gunicorn.ini", "web.wsgi:application", {% if devenv is defined %}"--reload"{% endif %}] metadata: labels: run: ci-uwsgi diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2 index 8b601e9..01032d7 100644 --- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2 @@ -44,9 +44,11 @@ metadata: spec: template: spec: + imagePullSecrets: + - name: onapkey containers: - name: cms-uwsgi - image: {{container_uri}}rkt-ice-cms:{{container_tag}} + image: {{container_uri}}cms:{{container_tag}} ports: - containerPort: 80 - containerPort: 9000 
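Review bot: In the new `command:` line the comma sits outside the conditional, `"web.wsgi:application", {% if devenv is defined %}"--reload"{% endif %}]`, so a non-dev render ends in `, ]`. A trailing comma is accepted in a YAML flow sequence, but it is fragile; the old line kept the separator inside the `{% if %}`, and the same shape works here: `"web.wsgi:application"{% if devenv is defined %}, "--reload"{% endif %}]`. The uWSGI `--static-map /static=/app/htdocs` option has no counterpart in the gunicorn command, so `/static` must now be served by something this hunk does not show. The cms and em deployment hunks contain the same line.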
@@ -119,7 +121,7 @@ spec: periodSeconds: 15 timeoutSeconds: 10 {% endif %} - command: ["/docker-entrypoint.sh", "/usr/local/bin/uwsgi", "--ini", "/opt/configmaps/settings/uwsgi.ini", {% if devenv is defined %}"--py-auto-reload" , "3",{% endif %}"--static-map", "/static=/app/htdocs"] + command: ["/docker-entrypoint.sh", "/usr/local/bin/gunicorn", "-c", "/opt/configmaps/settings/gunicorn.ini", "cms.wsgi:application", {% if devenv is defined %}"--reload"{% endif %}] volumeMounts: - name: settings mountPath: /opt/configmaps/settings/ diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2 index 8cedd29..ceb24c4 100644 --- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2 @@ -56,9 +56,11 @@ spec: - name: em-settings configMap: name: em-settings + imagePullSecrets: + - name: onapkey containers: - name: em-uwsgi - image: {{container_uri}}rkt-engagementmgr:{{container_tag}} + image: {{container_uri}}engagementmgr:{{container_tag}} ports: - containerPort: 80 - containerPort: 9000 @@ -75,7 +77,13 @@ spec: - name: ENVIRONMENT value: "{{ice_environment}}" - name: PROGRAM_NAME_URL_PREFIX - value: "ice" + value: "{{program_name_url_prefix}}" + - name: SERVICE_PROVIDER + value: "{{service_provider}}" + - name: PROGRAM_NAME + value: "{{program_name}}" + - name: SERVICE_PROVIDER_DOMAIN + value: "{{service_provider_domain}}" - name: SECRET_KEY valueFrom: secretKeyRef: {name: em-secret, key: key} 
@@ -156,7 +164,7 @@ spec: periodSeconds: 15 timeoutSeconds: 10 {% endif %} - command: ["/docker-entrypoint.sh", "/usr/local/bin/uwsgi", "--ini", "/opt/configmaps/settings/uwsgi.ini", {% if devenv is defined %}"--py-auto-reload" , "3",{% endif %}"--static-map", "/static=/app/htdocs"] + command: ["/docker-entrypoint.sh", "/usr/local/bin/gunicorn", "-c", "/opt/configmaps/settings/gunicorn.ini", "vvp.wsgi:application", {% if devenv is defined %}"--reload"{% endif %}] metadata: labels: run: em-uwsgi diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2 index 775d341..b8f2f66 100644 --- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2 @@ -44,11 +44,16 @@ metadata: spec: template: spec: + imagePullSecrets: + - name: onapkey containers: - name: imagescanner-worker - image: {{container_uri}}ice-image-scanner:{{container_tag}} - command: ["/usr/local/bin/imagescanner-worker"] + image: {{container_uri}}image-scanner:{{container_tag}} + command: + - "sh" + - "/opt/site-certificate/wrapper.sh" + - "/usr/local/bin/imagescanner-worker" securityContext: privileged: true volumeMounts: 
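Review bot: `imagescanner-worker` keeps `privileged: true` and now starts through `sh /opt/site-certificate/wrapper.sh`, a script delivered by the `site-certificate` ConfigMap. Write access to ConfigMaps in the `default` namespace therefore becomes equivalent to running code in a privileged container (the pod also mounts `/dev`, per the surrounding context). Shipping the wrapper inside the image, or restricting who may edit that ConfigMap, removes that dependency; at minimum add a comment such as `# wrapper.sh comes from the site-certificate ConfigMap and runs in a privileged container`. The container spec continues outside this hunk.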
@@ -58,9 +63,30 @@ spec: mountPath: /dev - name: logs mountPath: /var/log/imagescanner + - name: imagescanner-settings + mountPath: /opt/imagescanner-settings + - name: site-certificate + mountPath: /opt/site-certificate + env: + - name: PYTHONPATH + value: /opt/imagescanner-settings + - name: S3_HOST + value: "{{s3_dns_name}}" + - name: S3_PORT + value: "443" + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: {name: em-secret, key: aws_access_key_id} + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: {name: em-secret, key: aws_secret_access_key} + - name: SECRET_JENKINS_PASSWORD + value: '' + - name: REQUESTS_CA_BUNDLE + value: /etc/ssl/certs/ca-certificates.crt - name: notifications-worker - image: {{container_uri}}ice-image-scanner:{{container_tag}} + image: {{container_uri}}image-scanner:{{container_tag}} command: ["/usr/local/bin/notifications-worker"] securityContext: privileged: true @@ -70,9 +96,17 @@ spec: secretKeyRef: {name: slack-tokens, key: notifications} - name: DOMAIN value: "{{em_internal_dns_name}}" + - name: PYTHONPATH + value: /opt/imagescanner-settings + - name: SECRET_JENKINS_PASSWORD + valueFrom: + secretKeyRef: {name: em-secret, key: jenkins_admin_password} + volumeMounts: + - name: imagescanner-settings + mountPath: /opt/imagescanner-settings - name: imagescanner-frontend - image: {{container_uri}}ice-image-scanner:{{container_tag}} + image: {{container_uri}}image-scanner:{{container_tag}} command: ["/usr/local/bin/imagescanner-frontend"] {# FIXME: No, the frontend does not require a privileged container. @@ -87,9 +121,13 @@ spec: volumeMounts: - name: logs mountPath: /var/log/imagescanner + - name: imagescanner-settings + mountPath: /opt/imagescanner-settings env: - name: DEFAULT_SLACK_CHANNEL value: "#notifications" + - name: SECRET_JENKINS_PASSWORD + value: '' volumes: - name: imagescanner-ssh 
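Review bot: `SECRET_JENKINS_PASSWORD` is set to `''` for `imagescanner-worker` here and for `imagescanner-frontend` in the third hunk, apparently only so that the shared settings module can be imported. A blank credential that looks configured is easy to misread; say why it is empty with a comment like `# placeholder: this container does not call Jenkins`, or drop it once the settings module reads the variable with `os.environ.get`. The S3 keys are taken from `em-secret`, so the privileged scanner shares a credential with the engagement manager; a scanner-specific key limited to what the scanner needs would be the least-privilege choice.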
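Review bot: `notifications-worker` runs with `privileged: true` (visible in the context just before this hunk) and now also receives `jenkins_admin_password` from `em-secret`. Nothing in the hunk indicates that a notification sender needs host-level privileges, and the template already carries a FIXME saying the frontend does not. Dropping `securityContext.privileged` from this container, or documenting why it is required, would keep the Jenkins administrator password out of a container with host-level access.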
@@ -101,6 +139,12 @@ spec: path: /dev - name: logs emptyDir: {} + - name: imagescanner-settings + configMap: + name: imagescanner-settings + - name: site-certificate + configMap: + name: site-certificate metadata: labels: diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2 index 61504f1..1b4289a 100644 --- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2 @@ -44,9 +44,11 @@ metadata: spec: template: spec: + imagePullSecrets: + - name: onapkey containers: - name: jenkins - image: {{container_uri}}rkt-jenkins:{{container_tag}} + image: {{container_uri}}jenkins:{{container_tag}} ports: - containerPort: 8080 volumeMounts: diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2 index f3505e5..5c898d3 100644 --- a/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2 @@ -48,9 +48,11 @@ spec: labels: run: portal spec: + imagePullSecrets: + - name: onapkey containers: - name: portal - image: {{container_uri}}rkt-ice-portal:{{container_tag}} + image: {{container_uri}}portal:{{container_tag}} ports: - containerPort: 8181 command: ["nginx", "-g", "daemon off;", "-c", "/tmp/nginx.conf"] @@ -68,3 +70,10 @@ spec: items: - key: file path: nginx.conf + - key: service_provider.json + path: service_provider.json +{% if devenv is defined %} + - name: portal-rsync + hostPath: + path: /var/devenv/rkt-ice-portal/d2ice.att.io/app +{% endif %} 
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2 index 29d1319..41597d6 100644 --- a/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2 @@ -37,10 +37,11 @@ # # ECOMP is a trademark and service mark of AT&T Intellectual Property. --- -apiVersion: v1 kind: Secret +apiVersion: v1 metadata: name: email-secret + namespace: default type: Opaque data: - password: "{{vault_email_host_password | b64encode }}" + password: "{{vault_email_host_password|b64encode}}" diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/onap-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/onap-secret.yaml.j2 new file mode 100644 index 0000000..f253c3c --- /dev/null +++ b/ansible/roles/ansible-vvp-templates/templates/secrets/onap-secret.yaml.j2 @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: onapkey + namespace: default +data: + .dockercfg: {{ dockerconfig|to_json|b64encode }} +type: kubernetes.io/dockercfg diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2 index f529dcf..1f92c42 100644 --- a/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2 @@ -37,11 +37,12 @@ # # ECOMP is a trademark and service mark of AT&T Intellectual Property. --- -apiVersion: v1 kind: Secret +apiVersion: v1 metadata: name: site-crt + namespace: default type: Opaque data: # the public part of the certificate, not actually a secret. - site.crt: "{{ site_pem_cert | b64encode }}" + site.crt: "{{site_pem_cert|b64encode}}" 
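Review bot: The registry credentials in `.dockercfg: {{ dockerconfig|to_json|b64encode }}` come from a variable without the `vault_` prefix that `vault_email_host_password` carries, which suggests (not confirmed from this page) that `dockerconfig` may live outside Ansible Vault. render.yml writes every rendered template under `{{k8_config_dir}}`, so the base64-encoded credentials also land on disk and that directory needs restrictive permissions. The value is unquoted, unlike the other Secret templates; `.dockercfg: "{{ dockerconfig|to_json|b64encode }}"` would match them. `kubernetes.io/dockercfg` is the legacy secret type; `kubernetes.io/dockerconfigjson` with a `.dockerconfigjson` key is the current one.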
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2 index d045770..7ed5e26 100644 --- a/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2 @@ -37,10 +37,11 @@ # # ECOMP is a trademark and service mark of AT&T Intellectual Property. --- -apiVersion: v1 kind: Secret +apiVersion: v1 metadata: name: site-pem + namespace: default type: Opaque data: - site.pem: "{{ site_pem | b64encode }}" + site.pem: "{{site_pem|b64encode}}" |