Diffstat (limited to 'ansible')
-rw-r--r--ansible/library/kubectl_apply_manifest.py2
-rw-r--r--ansible/requirements.yml8
-rw-r--r--ansible/roles/ansible-vvp-bootstrap/README.md38
-rw-r--r--ansible/roles/ansible-vvp-bootstrap/tasks/main.yml12
-rw-r--r--ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j210
-rw-r--r--ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j210
-rw-r--r--ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j278
-rw-r--r--ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml5
-rw-r--r--ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml7
-rw-r--r--ansible/roles/ansible-vvp-templates/files/configmaps/imagescanner-configmap.yaml28
-rw-r--r--ansible/roles/ansible-vvp-templates/files/configmaps/portal-nginx-configmap.yaml66
-rw-r--r--ansible/roles/ansible-vvp-templates/tasks/render.yml1
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j22
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/configmaps/portal-nginx-configmap.yaml.j239
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/configmaps/site-certificate-configmap.yaml.j230
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j24
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j24
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j212
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j24
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j212
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j252
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j24
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j211
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j25
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/secrets/onap-secret.yaml.j29
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j25
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j25
27 files changed, 319 insertions, 144 deletions
diff --git a/ansible/library/kubectl_apply_manifest.py b/ansible/library/kubectl_apply_manifest.py
index dce93c6..517fdbf 100644
--- a/ansible/library/kubectl_apply_manifest.py
+++ b/ansible/library/kubectl_apply_manifest.py
@@ -1,6 +1,6 @@
#!/usr/bin/python
# -*- encoding: utf-8 -*-
-# ============LICENSE_START===============================================
+# ============LICENSE_START==========================================
# org.onap.vvp/engagementmgr
# ===================================================================
# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
index ea1e8d0..9797b05 100644
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@@ -37,7 +37,7 @@
#
# ECOMP is a trademark and service mark of AT&T Intellectual Property.
- src: https://github.com/ceph/ansible-ceph-common.git
- version: v2.2.10
+ version: v2.2.12
name: ceph.ceph-common
- src: https://github.com/ceph/ansible-ceph-docker-common.git
@@ -45,13 +45,13 @@
name: ceph.ceph-docker-common
- src: https://github.com/ceph/ansible-ceph-rgw.git
- version: v2.2.10
+ version: v2.2.12
name: ceph.ceph-rgw
- src: https://github.com/ceph/ansible-ceph-mon.git
- version: v2.2.10
+ version: v2.2.12
name: ceph.ceph-mon
- src: https://github.com/ceph/ansible-ceph-osd.git
- version: v2.2.10
+ version: v2.2.12
name: ceph.ceph-osd
diff --git a/ansible/roles/ansible-vvp-bootstrap/README.md b/ansible/roles/ansible-vvp-bootstrap/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/README.md
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
index 48b545e..81a3f1f 100644
--- a/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
@@ -115,6 +115,18 @@
with_items:
- 443
- 80
+
+# dnsmask prereq - Allow ping between all hosts
+- name: Allow Ping from Outside to Inside
+ shell: |
+ iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+ iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+- name: Allow Ping from Inside to Outside
+ shell: |
+ iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
+ iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
- name: Drop INPUT
shell: iptables -P INPUT DROP
tags:
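Review bot: Both new ping tasks call `iptables -A` through `shell`, so every run of the role appends another copy of the same four rules and Ansible always reports the tasks as changed. Guarding each rule makes the tasks idempotent, e.g. `iptables -C INPUT -p icmp --icmp-type echo-request -j ACCEPT || iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT`. The INPUT echo-request rule also has no source or interface match, although the comment describes ping "between all hosts"; if only cluster hosts need it, adding `-s <CLUSTER_SUBNET>` (placeholder) would keep the host from answering ICMP from everywhere. The comment says "dnsmask", which should read "dnsmasq". The following "Drop INPUT" task continues outside the hunk.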
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j2
index 2908165..86fa4c5 100644
--- a/ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j2
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j2
@@ -53,19 +53,19 @@ dhcp-option=#{{ops_management_interface}},6
enable-tftp
tftp-root=/var/lib/tftpboot
{% if pxe_boot %}
- {% if pxe_chainload %}
+{% if pxe_chainload %}
dhcp-userclass=set:iceundi,ICEPXE
dhcp-boot=tag:coreos,tag:#iceundi,iceundionly.kpxe
- {% else %}
+{% else %}
dhcp-userclass=set:iceundi,iPXE
dhcp-boot=tag:coreos,tag:#iceundi,undionly.kpxe
- {% endif %}
+{% endif %}
dhcp-boot=tag:iceundi,http://{{ops_management_ip}}:8080/boot.ipxe
{% endif %}
{% for host in hosts %}
- {% for config in host.dnsmasq_config %}
+{% for config in host.dnsmasq_config %}
dhcp-host={{config}}
- {% endfor %}
+{% endfor %}
{% endfor %}
dhcp-ignore=tag:#known
log-queries
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2
index ff8e0b8..bf01435 100644
--- a/ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2
@@ -182,7 +182,8 @@ systemd:
--pod-manifest-path=/etc/kubernetes/manifests \
--hostname-override={{.domain_name}} \
--cluster_dns={{.k8s_dns_service_ip}} \
- --cluster_domain=cluster.local
+ --cluster_domain=cluster.local \
+ --pod-infra-container-image="docker.io/kubernetes/pause"
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/run/kubelet-pod.uuid
Restart=always
RestartSec=10
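Review bot: The added `--pod-infra-container-image="docker.io/kubernetes/pause"` names the image without a tag or digest, so the kubelet will pull whatever the registry currently serves as the default tag. Because the pause container backs every pod on the node, an unpinned reference makes node behaviour depend on a mutable upstream tag. Pin it, e.g. `--pod-infra-container-image=docker.io/kubernetes/pause:<PINNED_TAG>` (placeholder), or reference it by digest. The unit's ExecStart begins outside the hunk.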
@@ -354,13 +355,14 @@ storage:
- --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
- --runtime-config=extensions/v1beta1/networkpolicies=true
- --anonymous-auth=false
+ - --storage-backend=etcd2
livenessProbe:
httpGet:
host: 127.0.0.1
- port: 8080
+ port: 10253
path: /healthz
- initialDelaySeconds: 15
- timeoutSeconds: 15
+ initialDelaySeconds: 15000
+ timeoutSeconds: 1500
ports:
- containerPort: {{.k8s_controller_port}}
hostPort: {{.k8s_controller_port}}
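Review bot: The new `initialDelaySeconds: 15000` and `timeoutSeconds: 1500` effectively switch the liveness probe off: the first probe is delayed by more than four hours and each probe may hang for 25 minutes, so a wedged control-plane container will not be restarted in any useful time. If the component only needs longer to start, a modest increase such as `initialDelaySeconds: 60` with `timeoutSeconds: 15` keeps the health check meaningful. The probe port also changes from 8080 to 10253, and the hunk does not show what serves `/healthz` there. A one-line comment naming the listener would let the next reader confirm the probe targets the right process. The container spec starts and ends outside the hunk.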
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2
index 701559b..e9823c7 100644
--- a/ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2
@@ -1,43 +1,41 @@
-{#
--*- encoding: utf-8 -*-
-============LICENSE_START=======================================================
-org.onap.vvp/engagementmgr
-===================================================================
-Copyright © 2017 AT&T Intellectual Property. All rights reserved.
-===================================================================
-
-Unless otherwise specified, all software contained herein is licensed
-under the Apache License, Version 2.0 (the “License”);
-you may not use this software except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
-
-
-Unless otherwise specified, all documentation contained herein is licensed
-under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
-you may not use this documentation except in compliance with the License.
-You may obtain a copy of the License at
-
- https://creativecommons.org/licenses/by/4.0/
-
-Unless required by applicable law or agreed to in writing, documentation
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
-============LICENSE_END============================================
-
- ECOMP is a trademark and service mark of AT&T Intellectual Property.
-#}
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
---
{% raw %}
systemd:
diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml
index 05c15d2..c7ea86d 100644
--- a/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml
+++ b/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml
@@ -68,6 +68,9 @@ data:
ICE_ENVIRONMENT = os.environ['ICE_ENVIRONMENT']
PROGRAM_NAME_URL_PREFIX = os.environ['PROGRAM_NAME_URL_PREFIX']
+ SERVICE_PROVIDER = os.environ['SERVICE_PROVIDER']
+ PROGRAM_NAME = os.environ['PROGRAM_NAME']
+ SERVICE_PROVIDER_DOMAIN = os.environ['SERVICE_PROVIDER_DOMAIN']
# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
SECRET_KEY = os.environ["SECRET_KEY"]
@@ -290,7 +293,7 @@ data:
# ICE-CI Related Configuration
#############################
ICE_CONTACT_FROM_ADDRESS = os.getenv('ICE_CONTACT_FROM_ADDRESS')
- ICE_CONTACT_EMAILS = list(os.getenv('ICE_CONTACT_EMAILS')
+ ICE_CONTACT_EMAILS = list(os.getenv('ICE_CONTACT_EMAILS','user@example.com').split(','))
ICE_CI_ENVIRONMENT_NAME = os.getenv('ICE_CI_ENVIRONMENT_NAME', 'Dev') # Dev / Docker / Staging
ICE_EM_URL = "{domain}/{prefix}".format(domain=os.environ['ICE_EM_DOMAIN_NAME'], prefix=PROGRAM_NAME_URL_PREFIX)
ICE_PORTAL_URL = os.environ['ICE_DOMAIN']
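Review bot: The repaired `ICE_CONTACT_EMAILS` line wraps `split(',')` in a redundant `list()` and neither trims nor filters its entries, so `a@x, b@x` yields an address with a leading space and a trailing comma yields an empty recipient. The em-configmap counterpart in this commit does strip, but it filters with `if s` before stripping, so a whitespace-only entry still becomes `''`. One form would serve both files: `ICE_CONTACT_EMAILS = [s.strip() for s in os.getenv('ICE_CONTACT_EMAILS', 'user@example.com').split(',') if s.strip()]`. The `user@example.com` default silently routes contact mail to a placeholder when the variable is unset; a comment saying that is intentional, or failing fast as `SECRET_KEY` does, would make the behaviour explicit.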
diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml
index 79ad7b2..467d219 100644
--- a/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml
+++ b/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml
@@ -93,7 +93,10 @@ data:
ENVIRONMENT = os.environ['ENVIRONMENT']
PROGRAM_NAME_URL_PREFIX = os.environ['PROGRAM_NAME_URL_PREFIX']
-
+ SERVICE_PROVIDER = os.environ['SERVICE_PROVIDER']
+ PROGRAM_NAME = os.environ['PROGRAM_NAME']
+ SERVICE_PROVIDER_DOMAIN = os.environ['SERVICE_PROVIDER_DOMAIN']
+
# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
SECRET_KEY = os.environ["SECRET_KEY"]
@@ -305,7 +308,7 @@ data:
# VVP Related Configuration
#############################
CONTACT_FROM_ADDRESS = os.getenv('CONTACT_FROM_ADDRESS', 'dummy@example.com')
- CONTACT_EMAILS = [s.strip() for s in os.getenv('CONTACT_EMAILS', 'dummy@example.com')
+ CONTACT_EMAILS = [s.strip() for s in os.getenv('CONTACT_EMAILS', 'user@example.com').split(',') if s]
DOMAIN = os.getenv('EM_DOMAIN_NAME')
TOKEN_EXPIRATION_IN_HOURS = 48
DAILY_SCHEDULED_JOB_HOUR = 20
diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/imagescanner-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/imagescanner-configmap.yaml
new file mode 100644
index 0000000..23c2be8
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/files/configmaps/imagescanner-configmap.yaml
@@ -0,0 +1,28 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: imagescanner-settings
+ namespace: default
+data:
+ imagescannerconfig.py: |
+ import os
+ from pathlib import Path
+ from awsauth import S3Auth
+ # A mapping from host names to Requests Authentication Objects; see
+ # http://docs.python-requests.org/en/master/user/authentication/
+ AUTHS = {}
+ if 'S3_HOST' in os.environ:
+ AUTHS[os.environ['S3_HOST']] = S3Auth(
+ os.environ['AWS_ACCESS_KEY_ID'],
+ os.environ['AWS_SECRET_ACCESS_KEY'],
+ service_url='https://%s/' % os.environ['S3_HOST']
+ )
+ LOGS_PATH = Path(os.environ['IMAGESCANNER_LOGS_PATH'])
+ STATUSFILE = LOGS_PATH/'status.txt'
+ # A dict passed as kwargs to jenkins.Jenkins constructor.
+ JENKINS = {
+ 'url': 'http://jenkins:8080',
+ 'username': 'admin',
+ 'password': os.environ['SECRET_JENKINS_PASSWORD'],
+ }
diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/portal-nginx-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/portal-nginx-configmap.yaml
deleted file mode 100644
index 4d0e4e8..0000000
--- a/ansible/roles/ansible-vvp-templates/files/configmaps/portal-nginx-configmap.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-# -*- encoding: utf-8 -*-
-# ============LICENSE_START=======================================================
-# org.onap.vvp/engagementmgr
-# ===================================================================
-# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
-# ===================================================================
-#
-# Unless otherwise specified, all software contained herein is licensed
-# under the Apache License, Version 2.0 (the “License”);
-# you may not use this software except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-#
-#
-# Unless otherwise specified, all documentation contained herein is licensed
-# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
-# you may not use this documentation except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://creativecommons.org/licenses/by/4.0/
-#
-# Unless required by applicable law or agreed to in writing, documentation
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# ============LICENSE_END============================================
-#
-# ECOMP is a trademark and service mark of AT&T Intellectual Property.
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: portal-nginx-config
- namespace: default
-data:
- file: |
- pid /nginx.pid;
- error_log /dev/stdout warn;
-
- http {
- access_log /dev/stdout;
- server {
- listen 0.0.0.0:8181;
-
- location / {
- include /etc/nginx/mime.types;
- root /usr/share/nginx/html/;
- }
-
- }
-
- }
-
- events {
- worker_connections 4096;
- }
diff --git a/ansible/roles/ansible-vvp-templates/tasks/render.yml b/ansible/roles/ansible-vvp-templates/tasks/render.yml
index ec6900d..aed9593 100644
--- a/ansible/roles/ansible-vvp-templates/tasks/render.yml
+++ b/ansible/roles/ansible-vvp-templates/tasks/render.yml
@@ -55,7 +55,6 @@
dest: "{{k8_config_dir}}/{{item|dirname|basename}}/{{item|basename|splitext|first}}"
with_fileglob:
- ../templates/configmaps/*
- - ../templates/jobs/*
- ../templates/deployments/*
- ../templates/secrets/*
- ../templates/services/*
diff --git a/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2
index 3fd9055..8b9012c 100644
--- a/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2
@@ -95,7 +95,7 @@ data:
frontend portal
mode http
redirect scheme https if !{ ssl_fc }
- acl is_api_call path_beg -i /ice
+ acl is_api_call path_beg -i /vvp
acl is_s3 hdr_beg(host) s3. staging-s3. dev-s3.
use_backend api if is_api_call
use_backend s3 if is_s3
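Review bot: The ACL now hard-codes `/vvp`, while the ci-uwsgi and em-uwsgi deployments in this same commit stop hard-coding the prefix and take `PROGRAM_NAME_URL_PREFIX` from `{{program_name_url_prefix}}`. If that variable is ever set to anything other than `vvp`, HAProxy will stop routing API calls to the `api` backend while the applications serve under the new prefix. As this file is already a Jinja template, the line could read `acl is_api_call path_beg -i /{{program_name_url_prefix}}`, assuming the variable is in scope for this role's templates.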
diff --git a/ansible/roles/ansible-vvp-templates/templates/configmaps/portal-nginx-configmap.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/configmaps/portal-nginx-configmap.yaml.j2
new file mode 100644
index 0000000..34cc2d3
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/configmaps/portal-nginx-configmap.yaml.j2
@@ -0,0 +1,39 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: portal-nginx-config
+ namespace: default
+data:
+ file: |
+ pid /nginx.pid;
+ error_log /dev/stdout warn;
+
+ http {
+ access_log /dev/stdout;
+ server {
+ listen 0.0.0.0:8181;
+
+ location / {
+ include /etc/nginx/mime.types;
+ root /usr/share/nginx/html/;
+ }
+
+ }
+
+ }
+
+ events {
+ worker_connections 4096;
+ }
+
+ service_provider.json: |
+ {
+ "serviceProvider": {
+ "name": "{{service_provider}}"
+ },
+ "program": {
+ "name": "{{program_name}}"
+ }
+ }
+
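Review bot: In `service_provider.json` the values are pasted between literal quotes (`"name": "{{service_provider}}"`), so a provider or program name containing a double quote or backslash renders invalid JSON, or JSON with extra keys, which the portal then serves to browsers. Letting the filter emit the quoted string avoids that: `"name": {{ service_provider|to_json }}` and `"name": {{ program_name|to_json }}`. The same commit already uses `to_json` in onap-secret.yaml.j2.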
diff --git a/ansible/roles/ansible-vvp-templates/templates/configmaps/site-certificate-configmap.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/configmaps/site-certificate-configmap.yaml.j2
new file mode 100644
index 0000000..2d56741
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/configmaps/site-certificate-configmap.yaml.j2
@@ -0,0 +1,30 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: site-certificate
+ namespace: default
+data:
+ site.crt: |
+ {{ site_pem_cert|indent }}
+ wrapper.sh: |
+ #!/bin/sh
+ # This script is meant to be used as a wrapper, so that it can be easily
+ # used with docker or kubernetes' container command specification.
+ #
+ # Kubernetes' volumeMount creates symlinks for configMapped files at the
+ # target directory.
+ # Alpine's update-ca-certificates ignores symlinks.
+ # So we must contrive to copy the contents of the mounted cert (a symlink)
+ # into place as a normal file.
+ dev_cert="${0%/*}/site.crt"
+ echo >&2 "$0: Checking for site CA certificate at $dev_cert..."
+ if [ -s "$dev_cert" ]; then
+ echo >&2 "$0: Updating container CA certificate bundle with site certificate..."
+ cp -L "$dev_cert" /usr/local/share/ca-certificates/
+ update-ca-certificates
+ else
+ echo >&2 "$0: No site CA certificate found."
+ fi
+ echo >&2 "$0: Launching command: $@"
+ exec "$@"
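Review bot: `wrapper.sh` does not check the result of `cp -L` or `update-ca-certificates`, so when either fails the script still reaches `exec "$@"` and the service starts without the site CA in its bundle, showing up later only as TLS verification errors. Either add `set -e` after the shebang or test the commands explicitly, e.g. `cp -L "$dev_cert" /usr/local/share/ca-certificates/ && update-ca-certificates || { echo >&2 "$0: CA update failed"; exit 1; }`. The header comment could also state that the script must run as a user allowed to write `/usr/local/share/ca-certificates/`.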
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2
index 6771b1f..8b14661 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2
@@ -48,9 +48,11 @@ spec:
labels:
run: gitlab
spec:
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: gitlab
- image: {{container_uri}}rkt-gitlab:{{container_tag}}
+ image: {{container_uri}}gitlab:{{container_tag}}
ports:
- containerPort: 80
- containerPort: 22
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2
index e78bfc9..bd5c10f 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2
@@ -48,9 +48,11 @@ spec:
labels:
run: postgresql
spec:
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: postgresql
- image: {{container_uri}}rkt-postgresql:{{container_tag}}
+ image: {{container_uri}}postgresql:{{container_tag}}
ports:
- containerPort: 5432
volumeMounts:
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2
index 98a04b5..1846ad5 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2
@@ -57,9 +57,11 @@ spec:
hostPath:
path: /var/devenv/ice-ci/
{% endif %}
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: ci-uwsgi
- image: {{container_uri}}rkt-ice-ci:{{container_tag}}
+ image: {{container_uri}}test-engine:{{container_tag}}
ports:
- containerPort: 80
- containerPort: 8282
@@ -77,7 +79,13 @@ spec:
- name: ICE_ENVIRONMENT
value: "{{ice_environment}}"
- name: PROGRAM_NAME_URL_PREFIX
- value: "ice"
+ value: "{{program_name_url_prefix}}"
+ - name: SERVICE_PROVIDER
+ value: "{{service_provider}}"
+ - name: PROGRAM_NAME
+ value: "{{program_name}}"
+ - name: SERVICE_PROVIDER_DOMAIN
+ value: "{{service_provider_domain}}"
- name: SECRET_KEY
valueFrom:
secretKeyRef: {name: em-secret, key: key}
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2
index 8b601e9..6217054 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2
@@ -44,9 +44,11 @@ metadata:
spec:
template:
spec:
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: cms-uwsgi
- image: {{container_uri}}rkt-ice-cms:{{container_tag}}
+ image: {{container_uri}}cms:{{container_tag}}
ports:
- containerPort: 80
- containerPort: 9000
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2
index 8cedd29..a97bcc7 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2
@@ -56,9 +56,11 @@ spec:
- name: em-settings
configMap:
name: em-settings
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: em-uwsgi
- image: {{container_uri}}rkt-engagementmgr:{{container_tag}}
+ image: {{container_uri}}engagementmgr:{{container_tag}}
ports:
- containerPort: 80
- containerPort: 9000
@@ -75,7 +77,13 @@ spec:
- name: ENVIRONMENT
value: "{{ice_environment}}"
- name: PROGRAM_NAME_URL_PREFIX
- value: "ice"
+ value: "{{program_name_url_prefix}}"
+ - name: SERVICE_PROVIDER
+ value: "{{service_provider}}"
+ - name: PROGRAM_NAME
+ value: "{{program_name}}"
+ - name: SERVICE_PROVIDER_DOMAIN
+ value: "{{service_provider_domain}}"
- name: SECRET_KEY
valueFrom:
secretKeyRef: {name: em-secret, key: key}
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2
index 775d341..b8f2f66 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2
@@ -44,11 +44,16 @@ metadata:
spec:
template:
spec:
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: imagescanner-worker
- image: {{container_uri}}ice-image-scanner:{{container_tag}}
- command: ["/usr/local/bin/imagescanner-worker"]
+ image: {{container_uri}}image-scanner:{{container_tag}}
+ command:
+ - "sh"
+ - "/opt/site-certificate/wrapper.sh"
+ - "/usr/local/bin/imagescanner-worker"
securityContext:
privileged: true
volumeMounts:
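Review bot: The new `command:` makes `/opt/site-certificate/wrapper.sh`, a file mounted from the `site-certificate` ConfigMap, the entrypoint of imagescanner-worker, which keeps `privileged: true`. Anyone able to edit that ConfigMap in the `default` namespace therefore decides what runs with host-level privileges on the node. Shipping the wrapper inside the image and mounting only `site.crt` would remove that path. If the ConfigMap approach stays, a comment above `command:` should record that write access to `site-certificate` must be restricted to cluster administrators. The container spec continues outside the hunk.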
@@ -58,9 +63,30 @@ spec:
mountPath: /dev
- name: logs
mountPath: /var/log/imagescanner
+ - name: imagescanner-settings
+ mountPath: /opt/imagescanner-settings
+ - name: site-certificate
+ mountPath: /opt/site-certificate
+ env:
+ - name: PYTHONPATH
+ value: /opt/imagescanner-settings
+ - name: S3_HOST
+ value: "{{s3_dns_name}}"
+ - name: S3_PORT
+ value: "443"
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef: {name: em-secret, key: aws_access_key_id}
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef: {name: em-secret, key: aws_secret_access_key}
+ - name: SECRET_JENKINS_PASSWORD
+ value: ''
+ - name: REQUESTS_CA_BUNDLE
+ value: /etc/ssl/certs/ca-certificates.crt
- name: notifications-worker
- image: {{container_uri}}ice-image-scanner:{{container_tag}}
+ image: {{container_uri}}image-scanner:{{container_tag}}
command: ["/usr/local/bin/notifications-worker"]
securityContext:
privileged: true
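Review bot: `SECRET_JENKINS_PASSWORD` is set to `''` for imagescanner-worker here, and again for imagescanner-frontend in the `@@ -87,9 +121,13 @@` hunk, apparently only so that the `os.environ['SECRET_JENKINS_PASSWORD']` lookup in imagescannerconfig.py does not raise at import. These containers then carry a `JENKINS` dict with an empty admin password, which hides a missing secret until the first Jenkins call fails. If they never talk to Jenkins, reading the value with `os.environ.get('SECRET_JENKINS_PASSWORD')` in the config and dropping the empty entries is cleaner. If they do, use the same `secretKeyRef: {name: em-secret, key: jenkins_admin_password}` that notifications-worker gets. This hunk also injects the S3 access key pair into a privileged container, which is worth a comment explaining why the worker needs both.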
@@ -70,9 +96,17 @@ spec:
secretKeyRef: {name: slack-tokens, key: notifications}
- name: DOMAIN
value: "{{em_internal_dns_name}}"
+ - name: PYTHONPATH
+ value: /opt/imagescanner-settings
+ - name: SECRET_JENKINS_PASSWORD
+ valueFrom:
+ secretKeyRef: {name: em-secret, key: jenkins_admin_password}
+ volumeMounts:
+ - name: imagescanner-settings
+ mountPath: /opt/imagescanner-settings
- name: imagescanner-frontend
- image: {{container_uri}}ice-image-scanner:{{container_tag}}
+ image: {{container_uri}}image-scanner:{{container_tag}}
command: ["/usr/local/bin/imagescanner-frontend"]
{#
FIXME: No, the frontend does not require a privileged container.
@@ -87,9 +121,13 @@ spec:
volumeMounts:
- name: logs
mountPath: /var/log/imagescanner
+ - name: imagescanner-settings
+ mountPath: /opt/imagescanner-settings
env:
- name: DEFAULT_SLACK_CHANNEL
value: "#notifications"
+ - name: SECRET_JENKINS_PASSWORD
+ value: ''
volumes:
- name: imagescanner-ssh
@@ -101,6 +139,12 @@ spec:
path: /dev
- name: logs
emptyDir: {}
+ - name: imagescanner-settings
+ configMap:
+ name: imagescanner-settings
+ - name: site-certificate
+ configMap:
+ name: site-certificate
metadata:
labels:
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2
index 61504f1..1b4289a 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2
@@ -44,9 +44,11 @@ metadata:
spec:
template:
spec:
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: jenkins
- image: {{container_uri}}rkt-jenkins:{{container_tag}}
+ image: {{container_uri}}jenkins:{{container_tag}}
ports:
- containerPort: 8080
volumeMounts:
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2
index f3505e5..5c898d3 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2
@@ -48,9 +48,11 @@ spec:
labels:
run: portal
spec:
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: portal
- image: {{container_uri}}rkt-ice-portal:{{container_tag}}
+ image: {{container_uri}}portal:{{container_tag}}
ports:
- containerPort: 8181
command: ["nginx", "-g", "daemon off;", "-c", "/tmp/nginx.conf"]
@@ -68,3 +70,10 @@ spec:
items:
- key: file
path: nginx.conf
+ - key: service_provider.json
+ path: service_provider.json
+{% if devenv is defined %}
+ - name: portal-rsync
+ hostPath:
+ path: /var/devenv/rkt-ice-portal/d2ice.att.io/app
+{% endif %}
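Review bot: The `portal-rsync` hostPath volume is guarded by `{% if devenv is defined %}`, which is true even when `devenv` is set to `false`, so an inventory that explicitly disables the dev environment still renders a host directory into the portal pod spec. Testing the value closes that gap: `{% if devenv | default(false) %}`. The path `/var/devenv/rkt-ice-portal/d2ice.att.io/app` keeps the old `rkt-ice-portal` name and a site-specific hostname, although the image is renamed to `portal` in this commit. The hunk shows no `volumeMounts` entry for `portal-rsync`, so the mount may be defined outside the hunk or missing.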
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2
index 29d1319..41597d6 100644
--- a/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2
@@ -37,10 +37,11 @@
#
# ECOMP is a trademark and service mark of AT&T Intellectual Property.
---
-apiVersion: v1
kind: Secret
+apiVersion: v1
metadata:
name: email-secret
+ namespace: default
type: Opaque
data:
- password: "{{vault_email_host_password | b64encode }}"
+ password: "{{vault_email_host_password|b64encode}}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/onap-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/onap-secret.yaml.j2
new file mode 100644
index 0000000..f253c3c
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/onap-secret.yaml.j2
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: onapkey
+ namespace: default
+data:
+ .dockercfg: {{ dockerconfig|to_json|b64encode }}
+type: kubernetes.io/dockercfg
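Review bot: The `.dockercfg` value is the only secret in this commit rendered without quotes; `.dockercfg: "{{dockerconfig|to_json|b64encode}}"` would match email-secret, site-crt and site-pem and keep the value a string regardless of what the template expands to. The hunk does not show where `dockerconfig` is defined. Since it carries registry credentials, a comment stating that it must come from the vault, like `vault_email_host_password`, would help keep it out of plain group vars.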
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2
index f529dcf..1f92c42 100644
--- a/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2
@@ -37,11 +37,12 @@
#
# ECOMP is a trademark and service mark of AT&T Intellectual Property.
---
-apiVersion: v1
kind: Secret
+apiVersion: v1
metadata:
name: site-crt
+ namespace: default
type: Opaque
data:
# the public part of the certificate, not actually a secret.
- site.crt: "{{ site_pem_cert | b64encode }}"
+ site.crt: "{{site_pem_cert|b64encode}}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2
index d045770..7ed5e26 100644
--- a/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2
@@ -37,10 +37,11 @@
#
# ECOMP is a trademark and service mark of AT&T Intellectual Property.
---
-apiVersion: v1
kind: Secret
+apiVersion: v1
metadata:
name: site-pem
+ namespace: default
type: Opaque
data:
- site.pem: "{{ site_pem | b64encode }}"
+ site.pem: "{{site_pem|b64encode}}"