Diffstat (limited to 'ansible')
-rw-r--r--ansible/library/kubectl_apply_manifest.py2
-rw-r--r--ansible/requirements.yml8
-rw-r--r--ansible/roles/ansible-vvp-bootstrap/README.md38
-rw-r--r--ansible/roles/ansible-vvp-bootstrap/tasks/main.yml12
-rw-r--r--ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j210
-rw-r--r--ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j210
-rw-r--r--ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j278
-rw-r--r--ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml26
-rw-r--r--ansible/roles/ansible-vvp-templates/files/configmaps/cms-configmap.yaml20
-rw-r--r--ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml28
-rw-r--r--ansible/roles/ansible-vvp-templates/files/configmaps/imagescanner-configmap.yaml28
-rw-r--r--ansible/roles/ansible-vvp-templates/files/configmaps/nginx-cms-configmap.yaml8
-rw-r--r--ansible/roles/ansible-vvp-templates/files/configmaps/nginx-em-configmap.yaml10
-rw-r--r--ansible/roles/ansible-vvp-templates/files/configmaps/portal-nginx-configmap.yaml66
-rw-r--r--ansible/roles/ansible-vvp-templates/tasks/render.yml1
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j22
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/configmaps/portal-nginx-configmap.yaml.j239
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/configmaps/site-certificate-configmap.yaml.j230
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j24
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j24
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j214
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j26
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j214
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j252
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j24
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j211
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j25
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/secrets/onap-secret.yaml.j29
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j25
-rw-r--r--ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j25
30 files changed, 357 insertions, 192 deletions
diff --git a/ansible/library/kubectl_apply_manifest.py b/ansible/library/kubectl_apply_manifest.py
index dce93c6..517fdbf 100644
--- a/ansible/library/kubectl_apply_manifest.py
+++ b/ansible/library/kubectl_apply_manifest.py
@@ -1,6 +1,6 @@
#!/usr/bin/python
# -*- encoding: utf-8 -*-
-# ============LICENSE_START===============================================
+# ============LICENSE_START==========================================
# org.onap.vvp/engagementmgr
# ===================================================================
# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
index ea1e8d0..9797b05 100644
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@@ -37,7 +37,7 @@
#
# ECOMP is a trademark and service mark of AT&T Intellectual Property.
- src: https://github.com/ceph/ansible-ceph-common.git
- version: v2.2.10
+ version: v2.2.12
name: ceph.ceph-common
- src: https://github.com/ceph/ansible-ceph-docker-common.git
@@ -45,13 +45,13 @@
name: ceph.ceph-docker-common
- src: https://github.com/ceph/ansible-ceph-rgw.git
- version: v2.2.10
+ version: v2.2.12
name: ceph.ceph-rgw
- src: https://github.com/ceph/ansible-ceph-mon.git
- version: v2.2.10
+ version: v2.2.12
name: ceph.ceph-mon
- src: https://github.com/ceph/ansible-ceph-osd.git
- version: v2.2.10
+ version: v2.2.12
name: ceph.ceph-osd
diff --git a/ansible/roles/ansible-vvp-bootstrap/README.md b/ansible/roles/ansible-vvp-bootstrap/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/README.md
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
index 48b545e..81a3f1f 100644
--- a/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
@@ -115,6 +115,18 @@
with_items:
- 443
- 80
+
+# dnsmask prereq - Allow ping between all hosts
+- name: Allow Ping from Outside to Inside
+ shell: |
+ iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+ iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+- name: Allow Ping from Inside to Outside
+ shell: |
+ iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
+ iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
- name: Drop INPUT
shell: iptables -P INPUT DROP
tags:
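Review bot: Both new tasks append with `iptables -A` from a `shell:` block, so every playbook run adds another copy of the four ICMP rules. Guard each line with a check, e.g. `iptables -C INPUT -p icmp --icmp-type echo-request -j ACCEPT || iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT`, or use Ansible's `iptables` module. The rules also accept echo-request from any source on any interface, while the comment describes ping between the hosts; if that is the intent, restrict them with `-s`/`-i` to the management network. The comment should read `# dnsmasq prereq`, and the new tasks carry no `tags:` although the following `Drop INPUT` task (which continues outside the hunk) does.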
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j2
index 2908165..86fa4c5 100644
--- a/ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j2
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j2
@@ -53,19 +53,19 @@ dhcp-option=#{{ops_management_interface}},6
enable-tftp
tftp-root=/var/lib/tftpboot
{% if pxe_boot %}
- {% if pxe_chainload %}
+{% if pxe_chainload %}
dhcp-userclass=set:iceundi,ICEPXE
dhcp-boot=tag:coreos,tag:#iceundi,iceundionly.kpxe
- {% else %}
+{% else %}
dhcp-userclass=set:iceundi,iPXE
dhcp-boot=tag:coreos,tag:#iceundi,undionly.kpxe
- {% endif %}
+{% endif %}
dhcp-boot=tag:iceundi,http://{{ops_management_ip}}:8080/boot.ipxe
{% endif %}
{% for host in hosts %}
- {% for config in host.dnsmasq_config %}
+{% for config in host.dnsmasq_config %}
dhcp-host={{config}}
- {% endfor %}
+{% endfor %}
{% endfor %}
dhcp-ignore=tag:#known
log-queries
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2
index ff8e0b8..bf01435 100644
--- a/ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2
@@ -182,7 +182,8 @@ systemd:
--pod-manifest-path=/etc/kubernetes/manifests \
--hostname-override={{.domain_name}} \
--cluster_dns={{.k8s_dns_service_ip}} \
- --cluster_domain=cluster.local
+ --cluster_domain=cluster.local \
+ --pod-infra-container-image="docker.io/kubernetes/pause"
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/run/kubelet-pod.uuid
Restart=always
RestartSec=10
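Review bot: The added `--pod-infra-container-image="docker.io/kubernetes/pause"` names no tag or digest, so each node pulls whatever the registry's default tag resolves to when it boots. Nodes provisioned at different times can therefore run different, unreviewed pause images. Pin it, e.g. `--pod-infra-container-image="docker.io/kubernetes/pause:<PINNED_TAG>"` or an `@sha256:<DIGEST>` reference, and add a comment saying why the default infra image is being overridden. The unit's ExecStart begins outside the hunk.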
@@ -354,13 +355,14 @@ storage:
- --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
- --runtime-config=extensions/v1beta1/networkpolicies=true
- --anonymous-auth=false
+ - --storage-backend=etcd2
livenessProbe:
httpGet:
host: 127.0.0.1
- port: 8080
+ port: 10253
path: /healthz
- initialDelaySeconds: 15
- timeoutSeconds: 15
+ initialDelaySeconds: 15000
+ timeoutSeconds: 1500
ports:
- containerPort: {{.k8s_controller_port}}
hostPort: {{.k8s_controller_port}}
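Review bot: `initialDelaySeconds: 15000` and `timeoutSeconds: 1500` are in seconds, so the first liveness check runs more than four hours after the container starts and a hung probe is tolerated for 25 minutes, which effectively disables the probe. If the previous 15-second values were too tight, raise them modestly (for example `initialDelaySeconds: 60`, `timeoutSeconds: 15`) rather than by what looks like a milliseconds conversion. The probe port also moves from 8080 to 10253 while the surrounding flags (`--anonymous-auth=false`, `--service-account-key-file`) look like kube-apiserver's; confirm that something in this pod serves `/healthz` on 10253 and say so in a comment. The manifest starts and ends outside the hunk.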
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2
index 701559b..e9823c7 100644
--- a/ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2
@@ -1,43 +1,41 @@
-{#
--*- encoding: utf-8 -*-
-============LICENSE_START=======================================================
-org.onap.vvp/engagementmgr
-===================================================================
-Copyright © 2017 AT&T Intellectual Property. All rights reserved.
-===================================================================
-
-Unless otherwise specified, all software contained herein is licensed
-under the Apache License, Version 2.0 (the “License”);
-you may not use this software except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
-
-
-Unless otherwise specified, all documentation contained herein is licensed
-under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
-you may not use this documentation except in compliance with the License.
-You may obtain a copy of the License at
-
- https://creativecommons.org/licenses/by/4.0/
-
-Unless required by applicable law or agreed to in writing, documentation
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
-============LICENSE_END============================================
-
- ECOMP is a trademark and service mark of AT&T Intellectual Property.
-#}
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
---
{% raw %}
systemd:
diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml
index 05c15d2..c0559a2 100644
--- a/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml
+++ b/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml
@@ -43,20 +43,13 @@ metadata:
name: ci-settings
namespace: default
data:
- uwsgi.ini: |
- [uwsgi]
- uwsgi-socket = :80
- http = :8282
- plugin = python
- chdir = /app
- module = web.wsgi:application
- master = True
- pidfile = /tmp/project-master.pid
- vacuum = True
- max-requests = 5000
- enable-threads = True
- stats = 0.0.0.0:9000
- stats-http = True
+ gunicorn.ini: |
+ bind = ":8282"
+ chdir = '/app'
+ pidfile = '/tmp/ice-project-master.pid'
+ backlog = '5000'
+ errorlog = '-'
+ loglevel = 'info'
__init__.py: |
import os
from datetime import datetime
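Review bot: The uwsgi setting `max-requests = 5000` (recycle a worker after 5000 requests) has been carried over as `backlog = '5000'`, which in gunicorn is the listen-queue length, so worker recycling is lost and the accept queue becomes very deep. If recycling is still wanted use `max_requests = 5000`, written as an integer rather than a quoted string. The new file sets no `workers`, so gunicorn runs its default single worker. The same block is repeated in the cms-configmap.yaml and em-configmap.yaml hunks.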
@@ -68,6 +61,9 @@ data:
ICE_ENVIRONMENT = os.environ['ICE_ENVIRONMENT']
PROGRAM_NAME_URL_PREFIX = os.environ['PROGRAM_NAME_URL_PREFIX']
+ SERVICE_PROVIDER = os.environ['SERVICE_PROVIDER']
+ PROGRAM_NAME = os.environ['PROGRAM_NAME']
+ SERVICE_PROVIDER_DOMAIN = os.environ['SERVICE_PROVIDER_DOMAIN']
# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
SECRET_KEY = os.environ["SECRET_KEY"]
@@ -290,7 +286,7 @@ data:
# ICE-CI Related Configuration
#############################
ICE_CONTACT_FROM_ADDRESS = os.getenv('ICE_CONTACT_FROM_ADDRESS')
- ICE_CONTACT_EMAILS = list(os.getenv('ICE_CONTACT_EMAILS')
+ ICE_CONTACT_EMAILS = list(os.getenv('ICE_CONTACT_EMAILS','user@example.com').split(','))
ICE_CI_ENVIRONMENT_NAME = os.getenv('ICE_CI_ENVIRONMENT_NAME', 'Dev') # Dev / Docker / Staging
ICE_EM_URL = "{domain}/{prefix}".format(domain=os.environ['ICE_EM_DOMAIN_NAME'], prefix=PROGRAM_NAME_URL_PREFIX)
ICE_PORTAL_URL = os.environ['ICE_DOMAIN']
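Review bot: The repaired `ICE_CONTACT_EMAILS` line wraps `split(',')` in a redundant `list()` and keeps surrounding whitespace and empty entries, so a value such as `a@x, b@x,` yields `' b@x'` and `''` as recipients. Suggest `ICE_CONTACT_EMAILS = [s.strip() for s in os.getenv('ICE_CONTACT_EMAILS', 'user@example.com').split(',') if s.strip()]`. The em-configmap.yaml hunk for `CONTACT_EMAILS` filters with `if s`, which still lets a whitespace-only entry through as `''`. The `user@example.com` fallback also hides a missing variable, so a comment marking it as a placeholder would help.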
diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/cms-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/cms-configmap.yaml
index 4aedece..00541af 100644
--- a/ansible/roles/ansible-vvp-templates/files/configmaps/cms-configmap.yaml
+++ b/ansible/roles/ansible-vvp-templates/files/configmaps/cms-configmap.yaml
@@ -43,19 +43,13 @@ metadata:
name: cms-settings
namespace: default
data:
- uwsgi.ini: |
- [uwsgi]
- uwsgi-socket = :80
- plugin = python
- chdir = /srv
- module = cms.wsgi:application
- master = True
- pidfile = /tmp/project-master.pid
- vacuum = True
- max-requests = 5000
- enable-threads = True
- stats = 0.0.0.0:9000
- stats-http = True
+ gunicorn.ini: |
+ bind = ":80"
+ chdir = '/srv'
+ pidfile = '/tmp/ice-project-master.pid'
+ backlog = '5000'
+ errorlog = '-'
+ loglevel = 'info'
__init__.py: |
from __future__ import absolute_import, unicode_literals
import os
diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml
index 79ad7b2..8068744 100644
--- a/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml
+++ b/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml
@@ -43,19 +43,14 @@ metadata:
name: em-settings
namespace: default
data:
- uwsgi.ini: |
- [uwsgi]
- uwsgi-socket = :80
- plugin = python
- chdir = /srv
- module = vvp.wsgi:application
- master = True
- pidfile = /tmp/project-master.pid
- vacuum = True
- max-requests = 5000
- enable-threads = True
- stats = 0.0.0.0:9000
- stats-http = True
+ gunicorn.ini: |
+ bind = ":80"
+ chdir = '/srv'
+ pidfile = '/tmp/ice-project-master.pid'
+ backlog = '5000'
+ errorlog = '-'
+ loglevel = 'info'
+
__init__.py: |
"""
Django settings for VVP project.
@@ -93,7 +88,10 @@ data:
ENVIRONMENT = os.environ['ENVIRONMENT']
PROGRAM_NAME_URL_PREFIX = os.environ['PROGRAM_NAME_URL_PREFIX']
-
+ SERVICE_PROVIDER = os.environ['SERVICE_PROVIDER']
+ PROGRAM_NAME = os.environ['PROGRAM_NAME']
+ SERVICE_PROVIDER_DOMAIN = os.environ['SERVICE_PROVIDER_DOMAIN']
+
# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
SECRET_KEY = os.environ["SECRET_KEY"]
@@ -305,7 +303,7 @@ data:
# VVP Related Configuration
#############################
CONTACT_FROM_ADDRESS = os.getenv('CONTACT_FROM_ADDRESS', 'dummy@example.com')
- CONTACT_EMAILS = [s.strip() for s in os.getenv('CONTACT_EMAILS', 'dummy@example.com')
+ CONTACT_EMAILS = [s.strip() for s in os.getenv('CONTACT_EMAILS', 'user@example.com').split(',') if s]
DOMAIN = os.getenv('EM_DOMAIN_NAME')
TOKEN_EXPIRATION_IN_HOURS = 48
DAILY_SCHEDULED_JOB_HOUR = 20
diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/imagescanner-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/imagescanner-configmap.yaml
new file mode 100644
index 0000000..23c2be8
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/files/configmaps/imagescanner-configmap.yaml
@@ -0,0 +1,28 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: imagescanner-settings
+ namespace: default
+data:
+ imagescannerconfig.py: |
+ import os
+ from pathlib import Path
+ from awsauth import S3Auth
+ # A mapping from host names to Requests Authentication Objects; see
+ # http://docs.python-requests.org/en/master/user/authentication/
+ AUTHS = {}
+ if 'S3_HOST' in os.environ:
+ AUTHS[os.environ['S3_HOST']] = S3Auth(
+ os.environ['AWS_ACCESS_KEY_ID'],
+ os.environ['AWS_SECRET_ACCESS_KEY'],
+ service_url='https://%s/' % os.environ['S3_HOST']
+ )
+ LOGS_PATH = Path(os.environ['IMAGESCANNER_LOGS_PATH'])
+ STATUSFILE = LOGS_PATH/'status.txt'
+ # A dict passed as kwargs to jenkins.Jenkins constructor.
+ JENKINS = {
+ 'url': 'http://jenkins:8080',
+ 'username': 'admin',
+ 'password': os.environ['SECRET_JENKINS_PASSWORD'],
+ }
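Review bot: `JENKINS` authenticates as `admin` against `http://jenkins:8080`, so the administrator password from `SECRET_JENKINS_PASSWORD` crosses the cluster network in clear text and the scanner holds full Jenkins rights. Prefer a dedicated low-privilege Jenkins account with an API token, and read the user name and URL from the environment rather than hard-coding them; if TLS to the service is not available, say so in a comment. The module reads `IMAGESCANNER_LOGS_PATH` and the AWS keys with `os.environ[...]`, so a missing variable fails at import time; a short comment listing the required variables would make that contract visible. The new file has no license header, unlike the other configmaps touched by this commit.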
diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-cms-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-cms-configmap.yaml
index 89adf32..638d248 100644
--- a/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-cms-configmap.yaml
+++ b/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-cms-configmap.yaml
@@ -58,8 +58,12 @@ data:
client_max_body_size 75M; # adjust to taste
location / {
- uwsgi_pass cms_upstream;
- include /etc/nginx/uwsgi_params;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+ proxy_redirect off;
+
+ proxy_pass http://cms-uwsgi;
}
}
server {
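Review bot: `proxy_set_header Host $http_host;` forwards the client-supplied Host header unchanged and `X-Forwarded-Proto https` is asserted unconditionally, so the Django app behind it trusts a client-controlled host name and treats every request as secure however it arrived. Use `proxy_set_header Host $host;` together with a restrictive `server_name` and `ALLOWED_HOSTS`, and either derive the proto header from what the front proxy reports or add a comment stating that HAProxy always terminates TLS ahead of this server. `proxy_pass http://cms-uwsgi;` no longer goes through the `cms_upstream` name the removed `uwsgi_pass` used, whereas the nginx-em-configmap.yaml hunk keeps `http://em_upstream`; the same header lines appear there. The server block starts outside the hunk.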
diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-em-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-em-configmap.yaml
index 0d7b279..52e208e 100644
--- a/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-em-configmap.yaml
+++ b/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-em-configmap.yaml
@@ -56,10 +56,14 @@ data:
listen 80;
charset utf-8;
client_max_body_size 75M; # adjust to taste
-
+
location / {
- uwsgi_pass em_upstream;
- include /etc/nginx/uwsgi_params;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+ proxy_redirect off;
+
+ proxy_pass http://em_upstream;
}
}
diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/portal-nginx-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/portal-nginx-configmap.yaml
deleted file mode 100644
index 4d0e4e8..0000000
--- a/ansible/roles/ansible-vvp-templates/files/configmaps/portal-nginx-configmap.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-# -*- encoding: utf-8 -*-
-# ============LICENSE_START=======================================================
-# org.onap.vvp/engagementmgr
-# ===================================================================
-# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
-# ===================================================================
-#
-# Unless otherwise specified, all software contained herein is licensed
-# under the Apache License, Version 2.0 (the “License”);
-# you may not use this software except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-#
-#
-# Unless otherwise specified, all documentation contained herein is licensed
-# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
-# you may not use this documentation except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://creativecommons.org/licenses/by/4.0/
-#
-# Unless required by applicable law or agreed to in writing, documentation
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# ============LICENSE_END============================================
-#
-# ECOMP is a trademark and service mark of AT&T Intellectual Property.
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: portal-nginx-config
- namespace: default
-data:
- file: |
- pid /nginx.pid;
- error_log /dev/stdout warn;
-
- http {
- access_log /dev/stdout;
- server {
- listen 0.0.0.0:8181;
-
- location / {
- include /etc/nginx/mime.types;
- root /usr/share/nginx/html/;
- }
-
- }
-
- }
-
- events {
- worker_connections 4096;
- }
diff --git a/ansible/roles/ansible-vvp-templates/tasks/render.yml b/ansible/roles/ansible-vvp-templates/tasks/render.yml
index ec6900d..aed9593 100644
--- a/ansible/roles/ansible-vvp-templates/tasks/render.yml
+++ b/ansible/roles/ansible-vvp-templates/tasks/render.yml
@@ -55,7 +55,6 @@
dest: "{{k8_config_dir}}/{{item|dirname|basename}}/{{item|basename|splitext|first}}"
with_fileglob:
- ../templates/configmaps/*
- - ../templates/jobs/*
- ../templates/deployments/*
- ../templates/secrets/*
- ../templates/services/*
diff --git a/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2
index 3fd9055..8b9012c 100644
--- a/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2
@@ -95,7 +95,7 @@ data:
frontend portal
mode http
redirect scheme https if !{ ssl_fc }
- acl is_api_call path_beg -i /ice
+ acl is_api_call path_beg -i /vvp
acl is_s3 hdr_beg(host) s3. staging-s3. dev-s3.
use_backend api if is_api_call
use_backend s3 if is_s3
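Review bot: The ACL hard-codes `/vvp`, while the deployment templates in this commit change `PROGRAM_NAME_URL_PREFIX` from the literal `ice` to `{{program_name_url_prefix}}`; with any other prefix value API requests will no longer match `is_api_call` and will not be routed to the `api` backend. Since this file is already a Jinja template, use `acl is_api_call path_beg -i /{{program_name_url_prefix}}`. The frontend section continues outside the hunk.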
diff --git a/ansible/roles/ansible-vvp-templates/templates/configmaps/portal-nginx-configmap.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/configmaps/portal-nginx-configmap.yaml.j2
new file mode 100644
index 0000000..34cc2d3
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/configmaps/portal-nginx-configmap.yaml.j2
@@ -0,0 +1,39 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: portal-nginx-config
+ namespace: default
+data:
+ file: |
+ pid /nginx.pid;
+ error_log /dev/stdout warn;
+
+ http {
+ access_log /dev/stdout;
+ server {
+ listen 0.0.0.0:8181;
+
+ location / {
+ include /etc/nginx/mime.types;
+ root /usr/share/nginx/html/;
+ }
+
+ }
+
+ }
+
+ events {
+ worker_connections 4096;
+ }
+
+ service_provider.json: |
+ {
+ "serviceProvider": {
+ "name": "{{service_provider}}"
+ },
+ "program": {
+ "name": "{{program_name}}"
+ }
+ }
+
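Review bot: `service_provider.json` interpolates `{{service_provider}}` and `{{program_name}}` directly inside JSON string literals, so a value containing a double quote or backslash renders invalid JSON or changes the document's structure. Let the filter emit the quoted string instead: `"name": {{ service_provider | to_json }}`, and likewise for `program_name`. The license header carried by the deleted static portal-nginx-configmap.yaml was not brought over to this template.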
diff --git a/ansible/roles/ansible-vvp-templates/templates/configmaps/site-certificate-configmap.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/configmaps/site-certificate-configmap.yaml.j2
new file mode 100644
index 0000000..2d56741
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/configmaps/site-certificate-configmap.yaml.j2
@@ -0,0 +1,30 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: site-certificate
+ namespace: default
+data:
+ site.crt: |
+ {{ site_pem_cert|indent }}
+ wrapper.sh: |
+ #!/bin/sh
+ # This script is meant to be used as a wrapper, so that it can be easily
+ # used with docker or kubernetes' container command specification.
+ #
+ # Kubernetes' volumeMount creates symlinks for configMapped files at the
+ # target directory.
+ # Alpine's update-ca-certificates ignores symlinks.
+ # So we must contrive to copy the contents of the mounted cert (a symlink)
+ # into place as a normal file.
+ dev_cert="${0%/*}/site.crt"
+ echo >&2 "$0: Checking for site CA certificate at $dev_cert..."
+ if [ -s "$dev_cert" ]; then
+ echo >&2 "$0: Updating container CA certificate bundle with site certificate..."
+ cp -L "$dev_cert" /usr/local/share/ca-certificates/
+ update-ca-certificates
+ else
+ echo >&2 "$0: No site CA certificate found."
+ fi
+ echo >&2 "$0: Launching command: $@"
+ exec "$@"
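Review bot: wrapper.sh ignores the result of `cp -L` and `update-ca-certificates`, so when the site certificate cannot be installed (read-only filesystem, non-root user) the workload still starts without the trust anchor and with no error logged. Fail closed, e.g. `cp -L "$dev_cert" /usr/local/share/ca-certificates/ && update-ca-certificates || { echo >&2 "$0: CA update failed"; exit 1; }`. The launch line echoes the whole command via `$@`, which would log any secret passed as an argument; log `$1` only, or use `$*` if the full line is intended. `{{ site_pem_cert|indent }}` relies on Jinja's default indent width matching the block scalar's indentation, which deserves a comment.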
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2
index 6771b1f..8b14661 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2
@@ -48,9 +48,11 @@ spec:
labels:
run: gitlab
spec:
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: gitlab
- image: {{container_uri}}rkt-gitlab:{{container_tag}}
+ image: {{container_uri}}gitlab:{{container_tag}}
ports:
- containerPort: 80
- containerPort: 22
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2
index e78bfc9..bd5c10f 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2
@@ -48,9 +48,11 @@ spec:
labels:
run: postgresql
spec:
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: postgresql
- image: {{container_uri}}rkt-postgresql:{{container_tag}}
+ image: {{container_uri}}postgresql:{{container_tag}}
ports:
- containerPort: 5432
volumeMounts:
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2
index 98a04b5..44e78e1 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2
@@ -57,9 +57,11 @@ spec:
hostPath:
path: /var/devenv/ice-ci/
{% endif %}
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: ci-uwsgi
- image: {{container_uri}}rkt-ice-ci:{{container_tag}}
+ image: {{container_uri}}test-engine:{{container_tag}}
ports:
- containerPort: 80
- containerPort: 8282
@@ -77,7 +79,13 @@ spec:
- name: ICE_ENVIRONMENT
value: "{{ice_environment}}"
- name: PROGRAM_NAME_URL_PREFIX
- value: "ice"
+ value: "{{program_name_url_prefix}}"
+ - name: SERVICE_PROVIDER
+ value: "{{service_provider}}"
+ - name: PROGRAM_NAME
+ value: "{{program_name}}"
+ - name: SERVICE_PROVIDER_DOMAIN
+ value: "{{service_provider_domain}}"
- name: SECRET_KEY
valueFrom:
secretKeyRef: {name: em-secret, key: key}
@@ -158,7 +166,7 @@ spec:
initialDelaySeconds: 90
periodSeconds: 15
{% endif %}
- command: ["/app/docker-entrypoint.sh", "/usr/local/bin/uwsgi", "--ini", "/opt/configmaps/settings/uwsgi.ini", "--static-map", "/static=/app/htdocs" {% if devenv is defined %}, "--py-auto-reload" , "3"{% endif %}]
+ command: ["/app/docker-entrypoint.sh", "/usr/local/bin/gunicorn", "-c", "/opt/configmaps/settings/gunicorn.ini", "web.wsgi:application", {% if devenv is defined %}"--reload"{% endif %}]
metadata:
labels:
run: ci-uwsgi
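Review bot: The gunicorn command drops uwsgi's `"--static-map", "/static=/app/htdocs"`, and gunicorn does not serve static files itself, so unless nginx or the application serves `/static` (nothing in the visible hunks does) static assets will stop resolving. When `devenv` is undefined the rendered list ends in `"web.wsgi:application", ]`; YAML tolerates the trailing comma, but moving it inside the conditional, `{% if devenv is defined %}, "--reload"{% endif %}`, keeps the output unambiguous. The same command change is made in the 20-cms-uwsgi and 20-em-uwsgi deployment hunks. The container spec begins outside the hunk.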
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2
index 8b601e9..01032d7 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2
@@ -44,9 +44,11 @@ metadata:
spec:
template:
spec:
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: cms-uwsgi
- image: {{container_uri}}rkt-ice-cms:{{container_tag}}
+ image: {{container_uri}}cms:{{container_tag}}
ports:
- containerPort: 80
- containerPort: 9000
@@ -119,7 +121,7 @@ spec:
periodSeconds: 15
timeoutSeconds: 10
{% endif %}
- command: ["/docker-entrypoint.sh", "/usr/local/bin/uwsgi", "--ini", "/opt/configmaps/settings/uwsgi.ini", {% if devenv is defined %}"--py-auto-reload" , "3",{% endif %}"--static-map", "/static=/app/htdocs"]
+ command: ["/docker-entrypoint.sh", "/usr/local/bin/gunicorn", "-c", "/opt/configmaps/settings/gunicorn.ini", "cms.wsgi:application", {% if devenv is defined %}"--reload"{% endif %}]
volumeMounts:
- name: settings
mountPath: /opt/configmaps/settings/
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2
index 8cedd29..ceb24c4 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2
@@ -56,9 +56,11 @@ spec:
- name: em-settings
configMap:
name: em-settings
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: em-uwsgi
- image: {{container_uri}}rkt-engagementmgr:{{container_tag}}
+ image: {{container_uri}}engagementmgr:{{container_tag}}
ports:
- containerPort: 80
- containerPort: 9000
@@ -75,7 +77,13 @@ spec:
- name: ENVIRONMENT
value: "{{ice_environment}}"
- name: PROGRAM_NAME_URL_PREFIX
- value: "ice"
+ value: "{{program_name_url_prefix}}"
+ - name: SERVICE_PROVIDER
+ value: "{{service_provider}}"
+ - name: PROGRAM_NAME
+ value: "{{program_name}}"
+ - name: SERVICE_PROVIDER_DOMAIN
+ value: "{{service_provider_domain}}"
- name: SECRET_KEY
valueFrom:
secretKeyRef: {name: em-secret, key: key}
@@ -156,7 +164,7 @@ spec:
periodSeconds: 15
timeoutSeconds: 10
{% endif %}
- command: ["/docker-entrypoint.sh", "/usr/local/bin/uwsgi", "--ini", "/opt/configmaps/settings/uwsgi.ini", {% if devenv is defined %}"--py-auto-reload" , "3",{% endif %}"--static-map", "/static=/app/htdocs"]
+ command: ["/docker-entrypoint.sh", "/usr/local/bin/gunicorn", "-c", "/opt/configmaps/settings/gunicorn.ini", "vvp.wsgi:application", {% if devenv is defined %}"--reload"{% endif %}]
metadata:
labels:
run: em-uwsgi
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2
index 775d341..b8f2f66 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2
@@ -44,11 +44,16 @@ metadata:
spec:
template:
spec:
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: imagescanner-worker
- image: {{container_uri}}ice-image-scanner:{{container_tag}}
- command: ["/usr/local/bin/imagescanner-worker"]
+ image: {{container_uri}}image-scanner:{{container_tag}}
+ command:
+ - "sh"
+ - "/opt/site-certificate/wrapper.sh"
+ - "/usr/local/bin/imagescanner-worker"
securityContext:
privileged: true
volumeMounts:
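Review bot: The `imagescanner-worker` container keeps `privileged: true` while its entrypoint becomes `sh /opt/site-certificate/wrapper.sh`, a script delivered through the `site-certificate` ConfigMap that is mounted further down in this file. Write access to that ConfigMap therefore becomes equivalent to running code in a privileged container, so it needs the same RBAC protection as the Deployment itself. Baking the wrapper into the image would remove that dependency. Failing that, a comment such as `{# wrapper.sh comes from the site-certificate ConfigMap; restrict who may edit it #}` would make it explicit. The script's contents are not part of this hunk, so what it does before starting the worker cannot be checked here.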
@@ -58,9 +63,30 @@ spec:
mountPath: /dev
- name: logs
mountPath: /var/log/imagescanner
+ - name: imagescanner-settings
+ mountPath: /opt/imagescanner-settings
+ - name: site-certificate
+ mountPath: /opt/site-certificate
+ env:
+ - name: PYTHONPATH
+ value: /opt/imagescanner-settings
+ - name: S3_HOST
+ value: "{{s3_dns_name}}"
+ - name: S3_PORT
+ value: "443"
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef: {name: em-secret, key: aws_access_key_id}
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef: {name: em-secret, key: aws_secret_access_key}
+ - name: SECRET_JENKINS_PASSWORD
+ value: ''
+ - name: REQUESTS_CA_BUNDLE
+ value: /etc/ssl/certs/ca-certificates.crt
- name: notifications-worker
- image: {{container_uri}}ice-image-scanner:{{container_tag}}
+ image: {{container_uri}}image-scanner:{{container_tag}}
command: ["/usr/local/bin/notifications-worker"]
securityContext:
privileged: true
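Review bot: The new `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` entries read from `em-secret`, the same Secret that supplies the engagement manager's `SECRET_KEY` and, in the next hunk, `jenkins_admin_password`. Kubernetes RBAC grants access per Secret object rather than per key, so anything allowed to read `em-secret` gets all of these credentials together. A dedicated Secret for the scanner's S3 keys, e.g. `secretKeyRef: {name: scanner-s3-secret, key: aws_access_key_id}` (the Secret name is a placeholder), would keep the exposure of this privileged container narrower. The container spec continues outside the hunk.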
@@ -70,9 +96,17 @@ spec:
secretKeyRef: {name: slack-tokens, key: notifications}
- name: DOMAIN
value: "{{em_internal_dns_name}}"
+ - name: PYTHONPATH
+ value: /opt/imagescanner-settings
+ - name: SECRET_JENKINS_PASSWORD
+ valueFrom:
+ secretKeyRef: {name: em-secret, key: jenkins_admin_password}
+ volumeMounts:
+ - name: imagescanner-settings
+ mountPath: /opt/imagescanner-settings
- name: imagescanner-frontend
- image: {{container_uri}}ice-image-scanner:{{container_tag}}
+ image: {{container_uri}}image-scanner:{{container_tag}}
command: ["/usr/local/bin/imagescanner-frontend"]
{#
FIXME: No, the frontend does not require a privileged container.
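Review bot: `notifications-worker` now receives the Jenkins admin password through `SECRET_JENKINS_PASSWORD`, and the context lines of the previous hunk show it still runs with `privileged: true`. The only volume mount added for it here is `imagescanner-settings`, with no `/dev` mount in the lines shown, so the privilege looks unnecessary. If that holds, drop the `securityContext` block from this container before handing it an admin credential. A Jenkins account with fewer rights than the admin one would further limit what a compromise of this worker exposes. The hunk ends inside the Jinja comment about the frontend, so the rest of that container is not visible here.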
@@ -87,9 +121,13 @@ spec:
volumeMounts:
- name: logs
mountPath: /var/log/imagescanner
+ - name: imagescanner-settings
+ mountPath: /opt/imagescanner-settings
env:
- name: DEFAULT_SLACK_CHANNEL
value: "#notifications"
+ - name: SECRET_JENKINS_PASSWORD
+ value: ''
volumes:
- name: imagescanner-ssh
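Review bot: `SECRET_JENKINS_PASSWORD` is set to the empty string for `imagescanner-frontend` here, and for `imagescanner-worker` in the second hunk of this file, with no explanation. Presumably the settings module mounted at `/opt/imagescanner-settings` requires the variable to exist even in containers that never contact Jenkins. A comment such as `{# placeholder: settings import needs the variable; this container does not use Jenkins #}` would keep a later maintainer from "fixing" it by wiring in the real admin password.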
@@ -101,6 +139,12 @@ spec:
path: /dev
- name: logs
emptyDir: {}
+ - name: imagescanner-settings
+ configMap:
+ name: imagescanner-settings
+ - name: site-certificate
+ configMap:
+ name: site-certificate
metadata:
labels:
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2
index 61504f1..1b4289a 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2
@@ -44,9 +44,11 @@ metadata:
spec:
template:
spec:
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: jenkins
- image: {{container_uri}}rkt-jenkins:{{container_tag}}
+ image: {{container_uri}}jenkins:{{container_tag}}
ports:
- containerPort: 8080
volumeMounts:
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2
index f3505e5..5c898d3 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2
@@ -48,9 +48,11 @@ spec:
labels:
run: portal
spec:
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: portal
- image: {{container_uri}}rkt-ice-portal:{{container_tag}}
+ image: {{container_uri}}portal:{{container_tag}}
ports:
- containerPort: 8181
command: ["nginx", "-g", "daemon off;", "-c", "/tmp/nginx.conf"]
@@ -68,3 +70,10 @@ spec:
items:
- key: file
path: nginx.conf
+ - key: service_provider.json
+ path: service_provider.json
+{% if devenv is defined %}
+ - name: portal-rsync
+ hostPath:
+ path: /var/devenv/rkt-ice-portal/d2ice.att.io/app
+{% endif %}
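Review bot: The devenv-only `portal-rsync` volume hard-codes `/var/devenv/rkt-ice-portal/d2ice.att.io/app`, which keeps the old `rkt-ice-portal` name that this commit removes from the image reference and ties the template to one host layout. Taking the path from a variable, e.g. `path: "{{ devenv_portal_path }}"` (the variable name is a placeholder), would keep it in step with the inventory. Because `hostPath` exposes a node directory to the pod, a short comment stating that this block must never render outside `devenv` is worth adding. No matching `volumeMounts` entry is visible in this hunk, so confirm one exists.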
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2
index 29d1319..41597d6 100644
--- a/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2
@@ -37,10 +37,11 @@
#
# ECOMP is a trademark and service mark of AT&T Intellectual Property.
---
-apiVersion: v1
kind: Secret
+apiVersion: v1
metadata:
name: email-secret
+ namespace: default
type: Opaque
data:
- password: "{{vault_email_host_password | b64encode }}"
+ password: "{{vault_email_host_password|b64encode}}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/onap-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/onap-secret.yaml.j2
new file mode 100644
index 0000000..f253c3c
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/onap-secret.yaml.j2
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: onapkey
+ namespace: default
+data:
+ .dockercfg: {{ dockerconfig|to_json|b64encode }}
+type: kubernetes.io/dockercfg
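Review bot: The `.dockercfg` value is left unquoted, unlike the other secret templates in this diff, which write e.g. `"{{site_pem|b64encode}}"`. Use `.dockercfg: "{{ dockerconfig|to_json|b64encode }}"` so that an empty or unusual expansion is not re-typed by the YAML parser. `dockerconfig` holds registry credentials, but unlike `vault_email_host_password` its name does not show that it comes from an Ansible Vault file, so confirm it is vaulted rather than defined in plain group vars. `kubernetes.io/dockercfg` is the legacy pull-secret format; `kubernetes.io/dockerconfigjson` with a `.dockerconfigjson` key is the current one, if the target cluster supports it. The new file also lacks the licence header that the sibling secret templates carry.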
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2
index f529dcf..1f92c42 100644
--- a/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2
@@ -37,11 +37,12 @@
#
# ECOMP is a trademark and service mark of AT&T Intellectual Property.
---
-apiVersion: v1
kind: Secret
+apiVersion: v1
metadata:
name: site-crt
+ namespace: default
type: Opaque
data:
# the public part of the certificate, not actually a secret.
- site.crt: "{{ site_pem_cert | b64encode }}"
+ site.crt: "{{site_pem_cert|b64encode}}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2
index d045770..7ed5e26 100644
--- a/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2
@@ -37,10 +37,11 @@
#
# ECOMP is a trademark and service mark of AT&T Intellectual Property.
---
-apiVersion: v1
kind: Secret
+apiVersion: v1
metadata:
name: site-pem
+ namespace: default
type: Opaque
data:
- site.pem: "{{ site_pem | b64encode }}"
+ site.pem: "{{site_pem|b64encode}}"