From f000e1cad7775e37da61b71773d60b40b9254478 Mon Sep 17 00:00:00 2001 From: "Areli, Fuss (af732p)" Date: Thu, 24 May 2018 11:24:40 +0300 Subject: Alignment of VVP devkit Alignment of VVP devkit includes replacement of uWSGI with gunicorn Change-Id: I9c42783c9965c5f6f005615e88899a301d334e22 Issue-ID: VVP-60 
Signed-off-by: Areli, Fuss (af732p) --- ansible/library/kubectl_apply_manifest.py | 2 +- ansible/requirements.yml | 8 +-- ansible/roles/ansible-vvp-bootstrap/README.md | 38 +++++++++++ ansible/roles/ansible-vvp-bootstrap/tasks/main.yml | 12 ++++ .../templates/dnsmasq.conf.j2 | 10 +-- .../templates/ignition/controller.yaml.j2 | 10 +-- .../templates/ignition/worker.yaml.j2 | 78 +++++++++++----------- .../files/configmaps/ci-configmap.yaml | 26 +++----- .../files/configmaps/cms-configmap.yaml | 20 ++---- .../files/configmaps/em-configmap.yaml | 28 ++++---- .../files/configmaps/imagescanner-configmap.yaml | 28 ++++++++ .../files/configmaps/nginx-cms-configmap.yaml | 8 ++- .../files/configmaps/nginx-em-configmap.yaml | 10 ++- .../files/configmaps/portal-nginx-configmap.yaml | 66 ------------------ .../roles/ansible-vvp-templates/tasks/render.yml | 1 - .../configmaps/haproxy-cfg-configmap.yaml.j2 | 2 +- .../configmaps/portal-nginx-configmap.yaml.j2 | 39 +++++++++++ .../configmaps/site-certificate-configmap.yaml.j2 | 30 +++++++++ .../deployments/10-gitlab-deployment.yaml.j2 | 4 +- .../deployments/10-postgresql-deployment.yaml.j2 | 4 +- .../deployments/20-ci-uwsgi-deployment.yaml.j2 | 14 +++- .../deployments/20-cms-uwsgi-deployment.yaml.j2 | 6 +- .../deployments/20-em-uwsgi-deployment.yaml.j2 | 14 +++- .../templates/deployments/20-imagescanner.yaml.j2 | 52 +++++++++++++-- .../deployments/20-jenkins-deployment.yaml.j2 | 4 +- .../deployments/30-portal-deployment.yaml.j2 | 11 ++- .../templates/secrets/email-secret.yaml.j2 | 5 +- .../templates/secrets/onap-secret.yaml.j2 | 9 +++ .../templates/secrets/site-crt-secret.yaml.j2 | 5 +- .../templates/secrets/site-pem-secret.yaml.j2 | 5 +- 30 files changed, 357 insertions(+), 192 deletions(-) create mode 100644 ansible/roles/ansible-vvp-bootstrap/README.md create mode 100644 ansible/roles/ansible-vvp-templates/files/configmaps/imagescanner-configmap.yaml delete mode 100644 
ansible/roles/ansible-vvp-templates/files/configmaps/portal-nginx-configmap.yaml create mode 100644 ansible/roles/ansible-vvp-templates/templates/configmaps/portal-nginx-configmap.yaml.j2 create mode 100644 ansible/roles/ansible-vvp-templates/templates/configmaps/site-certificate-configmap.yaml.j2 create mode 100644 ansible/roles/ansible-vvp-templates/templates/secrets/onap-secret.yaml.j2 (limited to 'ansible') diff --git a/ansible/library/kubectl_apply_manifest.py b/ansible/library/kubectl_apply_manifest.py index dce93c6..517fdbf 100644 --- a/ansible/library/kubectl_apply_manifest.py +++ b/ansible/library/kubectl_apply_manifest.py @@ -1,6 +1,6 @@ #!/usr/bin/python # -*- encoding: utf-8 -*- -# ============LICENSE_START=============================================== +# ============LICENSE_START========================================== # org.onap.vvp/engagementmgr # =================================================================== # Copyright © 2017 AT&T Intellectual Property. All rights reserved. diff --git a/ansible/requirements.yml b/ansible/requirements.yml index ea1e8d0..9797b05 100644 --- a/ansible/requirements.yml +++ b/ansible/requirements.yml @@ -37,7 +37,7 @@ # # ECOMP is a trademark and service mark of AT&T Intellectual Property. - src: https://github.com/ceph/ansible-ceph-common.git - version: v2.2.10 + version: v2.2.12 name: ceph.ceph-common - src: https://github.com/ceph/ansible-ceph-docker-common.git @@ -45,13 +45,13 @@ name: ceph.ceph-docker-common - src: https://github.com/ceph/ansible-ceph-rgw.git - version: v2.2.10 + version: v2.2.12 name: ceph.ceph-rgw - src: https://github.com/ceph/ansible-ceph-mon.git - version: v2.2.10 + version: v2.2.12 name: ceph.ceph-mon - src: https://github.com/ceph/ansible-ceph-osd.git - version: v2.2.10 + version: v2.2.12 name: ceph.ceph-osd diff --git a/ansible/roles/ansible-vvp-bootstrap/README.md b/ansible/roles/ansible-vvp-bootstrap/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null 
+++ b/ansible/roles/ansible-vvp-bootstrap/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml index 48b545e..81a3f1f 100644 --- a/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml +++ b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml 
@@ -115,6 +115,18 @@ with_items: - 443 - 80 + +# dnsmask prereq - Allow ping between all hosts +- name: Allow Ping from Outside to Inside + shell: | + iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT + iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT + +- name: Allow Ping from Inside to Outside + shell: | + iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT + iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT + - name: Drop INPUT shell: iptables -P INPUT DROP tags: diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j2 index 2908165..86fa4c5 100644 --- a/ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j2 +++ b/ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j2 @@ -53,19 +53,19 @@ dhcp-option=#{{ops_management_interface}},6 enable-tftp tftp-root=/var/lib/tftpboot {% if pxe_boot %} - {% if pxe_chainload %} +{% if pxe_chainload %} dhcp-userclass=set:iceundi,ICEPXE dhcp-boot=tag:coreos,tag:#iceundi,iceundionly.kpxe - {% else %} +{% else %} dhcp-userclass=set:iceundi,iPXE dhcp-boot=tag:coreos,tag:#iceundi,undionly.kpxe - {% endif %} +{% endif %} dhcp-boot=tag:iceundi,http://{{ops_management_ip}}:8080/boot.ipxe {% endif %} {% for host in hosts %} - {% for config in host.dnsmasq_config %} +{% for config in host.dnsmasq_config %} dhcp-host={{config}} - {% endfor %} +{% endfor %} {% endfor %} dhcp-ignore=tag:#known log-queries diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2 index ff8e0b8..bf01435 100644 --- a/ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2 +++ b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2 
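Review bot: The four iptables ACCEPT rules in the two new "Allow Ping" tasks are appended with `shell:` and are not idempotent, so every replay of the role adds another copy of each rule; the `iptables` module expresses the same rule once, e.g. `iptables: {chain: INPUT, protocol: icmp, icmp_type: echo-request, jump: ACCEPT}` with `state: present`. The echo-request rule also accepts ping from any source; if only the cluster hosts need it (the comment says this is a dnsmasq prerequisite between hosts), constrain it with `source:`. The comment `# dnsmask prereq` should read `# dnsmasq prereq`. The task list continues outside the hunk on both sides.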
@@ -182,7 +182,8 @@ systemd: --pod-manifest-path=/etc/kubernetes/manifests \ --hostname-override={{.domain_name}} \ --cluster_dns={{.k8s_dns_service_ip}} \ - --cluster_domain=cluster.local + --cluster_domain=cluster.local \ + --pod-infra-container-image="docker.io/kubernetes/pause" ExecStop=-/usr/bin/rkt stop --uuid-file=/var/run/kubelet-pod.uuid Restart=always RestartSec=10 @@ -354,13 +355,14 @@ storage: - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem - --runtime-config=extensions/v1beta1/networkpolicies=true - --anonymous-auth=false + - --storage-backend=etcd2 livenessProbe: httpGet: host: 127.0.0.1 - port: 8080 + port: 10253 path: /healthz - initialDelaySeconds: 15 - timeoutSeconds: 15 + initialDelaySeconds: 15000 + timeoutSeconds: 1500 ports: - containerPort: {{.k8s_controller_port}} hostPort: {{.k8s_controller_port}} diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2 index 701559b..e9823c7 100644 --- a/ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2 +++ b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2 
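Review bot: The liveness probe in the second hunk is effectively disabled: `initialDelaySeconds: 15000` waits over four hours before the first check and `timeoutSeconds: 1500` lets a single probe hang for 25 minutes, so a wedged container will not be restarted within the lifetime of most dev clusters. The probe port also moves from 8080 to 10253 on a container whose visible flags (`--anonymous-auth=false`, `--service-account-key-file`) look like the kube-apiserver, and nothing in this hunk shows what serves `/healthz` on 10253; if the probe was failing, the fix is to point it at the endpoint the container really serves, not to stretch the timers. If the numbers are intentional, a one-line comment such as `# probe timers deliberately relaxed for devkit hosts: <reason>` would keep the next reader from "fixing" them. In the first hunk, `--pod-infra-container-image="docker.io/kubernetes/pause"` carries no tag or digest, so it resolves to `latest`; pin it (`docker.io/kubernetes/pause:<tag>`) so the pause image is reproducible. `--storage-backend=etcd2` selects the etcd v2 API, which is deprecated in newer apiserver releases, and deserves a comment on why it is needed.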
@@ -1,43 +1,41 @@ -{# --*- encoding: utf-8 -*- -============LICENSE_START======================================================= -org.onap.vvp/engagementmgr -=================================================================== -Copyright © 2017 AT&T Intellectual Property. All rights reserved. -=================================================================== - -Unless otherwise specified, all software contained herein is licensed -under the Apache License, Version 2.0 (the “License”); -you may not use this software except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - - - -Unless otherwise specified, all documentation contained herein is licensed -under the Creative Commons License, Attribution 4.0 Intl. (the “License”); -you may not use this documentation except in compliance with the License. -You may obtain a copy of the License at - - https://creativecommons.org/licenses/by/4.0/ - -Unless required by applicable law or agreed to in writing, documentation -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - -============LICENSE_END============================================ - - ECOMP is a trademark and service mark of AT&T Intellectual Property. 
-#} +# -*- encoding: utf-8 -*- +# ============LICENSE_START======================================================= +# org.onap.vvp/engagementmgr +# =================================================================== +# Copyright © 2017 AT&T Intellectual Property. All rights reserved. +# =================================================================== +# +# Unless otherwise specified, all software contained herein is licensed +# under the Apache License, Version 2.0 (the “License”); +# you may not use this software except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# +# +# Unless otherwise specified, all documentation contained herein is licensed +# under the Creative Commons License, Attribution 4.0 Intl. (the “License”); +# you may not use this documentation except in compliance with the License. +# You may obtain a copy of the License at +# +# https://creativecommons.org/licenses/by/4.0/ +# +# Unless required by applicable law or agreed to in writing, documentation +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# ============LICENSE_END============================================ +# +# ECOMP is a trademark and service mark of AT&T Intellectual Property. --- {% raw %} systemd: 
diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml index 05c15d2..c0559a2 100644 --- a/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml +++ b/ansible/roles/ansible-vvp-templates/files/configmaps/ci-configmap.yaml @@ -43,20 +43,13 @@ metadata: name: ci-settings namespace: default data: - uwsgi.ini: | - [uwsgi] - uwsgi-socket = :80 - http = :8282 - plugin = python - chdir = /app - module = web.wsgi:application - master = True - pidfile = /tmp/project-master.pid - vacuum = True - max-requests = 5000 - enable-threads = True - stats = 0.0.0.0:9000 - stats-http = True + gunicorn.ini: | + bind = ":8282" + chdir = '/app' + pidfile = '/tmp/ice-project-master.pid' + backlog = '5000' + errorlog = '-' + loglevel = 'info' __init__.py: | import os from datetime import datetime @@ -68,6 +61,9 @@ data: ICE_ENVIRONMENT = os.environ['ICE_ENVIRONMENT'] PROGRAM_NAME_URL_PREFIX = os.environ['PROGRAM_NAME_URL_PREFIX'] + SERVICE_PROVIDER = os.environ['SERVICE_PROVIDER'] + PROGRAM_NAME = os.environ['PROGRAM_NAME'] + SERVICE_PROVIDER_DOMAIN = os.environ['SERVICE_PROVIDER_DOMAIN'] # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/ SECRET_KEY = os.environ["SECRET_KEY"] @@ -290,7 +286,7 @@ data: # ICE-CI Related Configuration ############################# ICE_CONTACT_FROM_ADDRESS = os.getenv('ICE_CONTACT_FROM_ADDRESS') - ICE_CONTACT_EMAILS = list(os.getenv('ICE_CONTACT_EMAILS') + ICE_CONTACT_EMAILS = list(os.getenv('ICE_CONTACT_EMAILS','user@example.com').split(',')) ICE_CI_ENVIRONMENT_NAME = os.getenv('ICE_CI_ENVIRONMENT_NAME', 'Dev') # Dev / Docker / Staging ICE_EM_URL = "{domain}/{prefix}".format(domain=os.environ['ICE_EM_DOMAIN_NAME'], prefix=PROGRAM_NAME_URL_PREFIX) ICE_PORTAL_URL = os.environ['ICE_DOMAIN'] 
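Review bot: The new `gunicorn.ini` block sets no `workers` or `worker_class`, so gunicorn starts with its default of one synchronous worker, and `backlog = '5000'` looks like a transliteration of uwsgi's `max-requests = 5000`, which was a per-worker recycle count rather than the listen queue length; the gunicorn equivalents are `workers = <n>` and `max_requests = 5000`. The same block appears in `cms-configmap.yaml` and `em-configmap.yaml`. The file is executed by gunicorn as Python (`-c` in the deployment templates), so the `.ini` suffix is misleading and a `.py` name would match the tool's convention. In the third hunk, `ICE_CONTACT_EMAILS` now parses but neither trims whitespace nor drops empty entries the way its `em-configmap.yaml` counterpart does; `[s.strip() for s in os.getenv('ICE_CONTACT_EMAILS', 'user@example.com').split(',') if s.strip()]` would make the two consistent.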
diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/cms-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/cms-configmap.yaml index 4aedece..00541af 100644 --- a/ansible/roles/ansible-vvp-templates/files/configmaps/cms-configmap.yaml +++ b/ansible/roles/ansible-vvp-templates/files/configmaps/cms-configmap.yaml @@ -43,19 +43,13 @@ metadata: name: cms-settings namespace: default data: - uwsgi.ini: | - [uwsgi] - uwsgi-socket = :80 - plugin = python - chdir = /srv - module = cms.wsgi:application - master = True - pidfile = /tmp/project-master.pid - vacuum = True - max-requests = 5000 - enable-threads = True - stats = 0.0.0.0:9000 - stats-http = True + gunicorn.ini: | + bind = ":80" + chdir = '/srv' + pidfile = '/tmp/ice-project-master.pid' + backlog = '5000' + errorlog = '-' + loglevel = 'info' __init__.py: | from __future__ import absolute_import, unicode_literals import os diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml index 79ad7b2..8068744 100644 --- a/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml +++ b/ansible/roles/ansible-vvp-templates/files/configmaps/em-configmap.yaml @@ -43,19 +43,14 @@ metadata: name: em-settings namespace: default data: - uwsgi.ini: | - [uwsgi] - uwsgi-socket = :80 - plugin = python - chdir = /srv - module = vvp.wsgi:application - master = True - pidfile = /tmp/project-master.pid - vacuum = True - max-requests = 5000 - enable-threads = True - stats = 0.0.0.0:9000 - stats-http = True + gunicorn.ini: | + bind = ":80" + chdir = '/srv' + pidfile = '/tmp/ice-project-master.pid' + backlog = '5000' + errorlog = '-' + loglevel = 'info' + __init__.py: | """ Django settings for VVP project. 
@@ -93,7 +88,10 @@ data: ENVIRONMENT = os.environ['ENVIRONMENT'] PROGRAM_NAME_URL_PREFIX = os.environ['PROGRAM_NAME_URL_PREFIX'] - + SERVICE_PROVIDER = os.environ['SERVICE_PROVIDER'] + PROGRAM_NAME = os.environ['PROGRAM_NAME'] + SERVICE_PROVIDER_DOMAIN = os.environ['SERVICE_PROVIDER_DOMAIN'] + # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/ SECRET_KEY = os.environ["SECRET_KEY"] @@ -305,7 +303,7 @@ data: # VVP Related Configuration ############################# CONTACT_FROM_ADDRESS = os.getenv('CONTACT_FROM_ADDRESS', 'dummy@example.com') - CONTACT_EMAILS = [s.strip() for s in os.getenv('CONTACT_EMAILS', 'dummy@example.com') + CONTACT_EMAILS = [s.strip() for s in os.getenv('CONTACT_EMAILS', 'user@example.com').split(',') if s] DOMAIN = os.getenv('EM_DOMAIN_NAME') TOKEN_EXPIRATION_IN_HOURS = 48 DAILY_SCHEDULED_JOB_HOUR = 20 diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/imagescanner-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/imagescanner-configmap.yaml new file mode 100644 index 0000000..23c2be8 --- /dev/null +++ b/ansible/roles/ansible-vvp-templates/files/configmaps/imagescanner-configmap.yaml 
@@ -0,0 +1,28 @@ +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: imagescanner-settings + namespace: default +data: + imagescannerconfig.py: | + import os + from pathlib import Path + from awsauth import S3Auth + # A mapping from host names to Requests Authentication Objects; see + # http://docs.python-requests.org/en/master/user/authentication/ + AUTHS = {} + if 'S3_HOST' in os.environ: + AUTHS[os.environ['S3_HOST']] = S3Auth( + os.environ['AWS_ACCESS_KEY_ID'], + os.environ['AWS_SECRET_ACCESS_KEY'], + service_url='https://%s/' % os.environ['S3_HOST'] + ) + LOGS_PATH = Path(os.environ['IMAGESCANNER_LOGS_PATH']) + STATUSFILE = LOGS_PATH/'status.txt' + # A dict passed as kwargs to jenkins.Jenkins constructor. + JENKINS = { + 'url': 'http://jenkins:8080', + 'username': 'admin', + 'password': os.environ['SECRET_JENKINS_PASSWORD'], + } diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-cms-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-cms-configmap.yaml index 89adf32..638d248 100644 --- a/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-cms-configmap.yaml +++ b/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-cms-configmap.yaml @@ -58,8 +58,12 @@ data: client_max_body_size 75M; # adjust to taste location / { - uwsgi_pass cms_upstream; - include /etc/nginx/uwsgi_params; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $http_host; + proxy_redirect off; + + proxy_pass http://cms-uwsgi; } } server { diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-em-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-em-configmap.yaml index 0d7b279..52e208e 100644 --- a/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-em-configmap.yaml +++ b/ansible/roles/ansible-vvp-templates/files/configmaps/nginx-em-configmap.yaml 
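Review bot: `JENKINS['password']` reads `os.environ['SECRET_JENKINS_PASSWORD']` unconditionally, so every process that imports `imagescannerconfig` must define that variable even if it never talks to Jenkins; in the deployment template this is satisfied by setting it to `''` in two of the three containers, which is a workaround rather than a contract. `os.environ.get('SECRET_JENKINS_PASSWORD')`, or guarding the dict the way the `S3_HOST` block above it is guarded, would let containers that do not need Jenkins omit the variable. `S3_PORT` is exported by the deployment but never read here, since `service_url` hard-codes `https://%s/`, so either drop the env var or use it. A short module docstring naming which settings each worker consumes would help, because one file now serves three different containers.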
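Review bot: `proxy_set_header X-Forwarded-Proto https;` is hard-coded even though this server block listens on plain 80, so it is only truthful while TLS is terminated upstream (the haproxy template in this change redirects to https); a comment such as `# TLS is terminated by haproxy; scheme is forced here` would record that dependency. If the apps rely on `wsgi.url_scheme`, note that gunicorn only honours `X-Forwarded-*` headers from addresses listed in `forwarded_allow_ips` (default 127.0.0.1), and nginx runs in a separate pod here, so the new `gunicorn.ini` would need `forwarded_allow_ips` set to the proxy's address range — prefer a specific range over `*`. The same applies to the em hunk in `nginx-em-configmap.yaml`.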
@@ -56,10 +56,14 @@ data: listen 80; charset utf-8; client_max_body_size 75M; # adjust to taste - + location / { - uwsgi_pass em_upstream; - include /etc/nginx/uwsgi_params; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $http_host; + proxy_redirect off; + + proxy_pass http://em_upstream; } } diff --git a/ansible/roles/ansible-vvp-templates/files/configmaps/portal-nginx-configmap.yaml b/ansible/roles/ansible-vvp-templates/files/configmaps/portal-nginx-configmap.yaml deleted file mode 100644 index 4d0e4e8..0000000 --- a/ansible/roles/ansible-vvp-templates/files/configmaps/portal-nginx-configmap.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -# -*- encoding: utf-8 -*- -# ============LICENSE_START======================================================= -# org.onap.vvp/engagementmgr -# =================================================================== -# Copyright © 2017 AT&T Intellectual Property. All rights reserved. -# =================================================================== -# -# Unless otherwise specified, all software contained herein is licensed -# under the Apache License, Version 2.0 (the “License”); -# you may not use this software except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# -# -# Unless otherwise specified, all documentation contained herein is licensed -# under the Creative Commons License, Attribution 4.0 Intl. (the “License”); -# you may not use this documentation except in compliance with the License. -# You may obtain a copy of the License at -# -# https://creativecommons.org/licenses/by/4.0/ -# -# Unless required by applicable law or agreed to in writing, documentation -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# ============LICENSE_END============================================ -# -# ECOMP is a trademark and service mark of AT&T Intellectual Property. 
---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: portal-nginx-config - namespace: default -data: - file: | - pid /nginx.pid; - error_log /dev/stdout warn; - - http { - access_log /dev/stdout; - server { - listen 0.0.0.0:8181; - - location / { - include /etc/nginx/mime.types; - root /usr/share/nginx/html/; - } - - } - - } - - events { - worker_connections 4096; - } diff --git a/ansible/roles/ansible-vvp-templates/tasks/render.yml b/ansible/roles/ansible-vvp-templates/tasks/render.yml index ec6900d..aed9593 100644 --- a/ansible/roles/ansible-vvp-templates/tasks/render.yml +++ b/ansible/roles/ansible-vvp-templates/tasks/render.yml @@ -55,7 +55,6 @@ dest: "{{k8_config_dir}}/{{item|dirname|basename}}/{{item|basename|splitext|first}}" with_fileglob: - ../templates/configmaps/* - - ../templates/jobs/* - ../templates/deployments/* - ../templates/secrets/* - ../templates/services/* diff --git a/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2 index 3fd9055..8b9012c 100644 --- a/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2 @@ -95,7 +95,7 @@ data: frontend portal mode http redirect scheme https if !{ ssl_fc } - acl is_api_call path_beg -i /ice + acl is_api_call path_beg -i /vvp acl is_s3 hdr_beg(host) s3. staging-s3. dev-s3. use_backend api if is_api_call use_backend s3 if is_s3 diff --git a/ansible/roles/ansible-vvp-templates/templates/configmaps/portal-nginx-configmap.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/configmaps/portal-nginx-configmap.yaml.j2 new file mode 100644 index 0000000..34cc2d3 --- /dev/null +++ b/ansible/roles/ansible-vvp-templates/templates/configmaps/portal-nginx-configmap.yaml.j2 
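Review bot: `acl is_api_call path_beg -i /vvp` hard-codes the API prefix, while the deployments in this same change now take it from `{{program_name_url_prefix}}` (`PROGRAM_NAME_URL_PREFIX` in the ci and em templates); if that variable is set to anything else, haproxy stops routing API calls to the backend. Use the same variable here: `acl is_api_call path_beg -i /{{program_name_url_prefix}}`. The surrounding frontend block continues outside the hunk.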
@@ -0,0 +1,39 @@ +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: portal-nginx-config + namespace: default +data: + file: | + pid /nginx.pid; + error_log /dev/stdout warn; + + http { + access_log /dev/stdout; + server { + listen 0.0.0.0:8181; + + location / { + include /etc/nginx/mime.types; + root /usr/share/nginx/html/; + } + + } + + } + + events { + worker_connections 4096; + } + + service_provider.json: | + { + "serviceProvider": { + "name": "{{service_provider}}" + }, + "program": { + "name": "{{program_name}}" + } + } + diff --git a/ansible/roles/ansible-vvp-templates/templates/configmaps/site-certificate-configmap.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/configmaps/site-certificate-configmap.yaml.j2 new file mode 100644 index 0000000..2d56741 --- /dev/null +++ b/ansible/roles/ansible-vvp-templates/templates/configmaps/site-certificate-configmap.yaml.j2 @@ -0,0 +1,30 @@ +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: site-certificate + namespace: default +data: + site.crt: | + {{ site_pem_cert|indent }} + wrapper.sh: | + #!/bin/sh + # This script is meant to be used as a wrapper, so that it can be easily + # used with docker or kubernetes' container command specification. + # + # Kubernetes' volumeMount creates symlinks for configMapped files at the + # target directory. + # Alpine's update-ca-certificates ignores symlinks. + # So we must contrive to copy the contents of the mounted cert (a symlink) + # into place as a normal file. + dev_cert="${0%/*}/site.crt" + echo >&2 "$0: Checking for site CA certificate at $dev_cert..." + if [ -s "$dev_cert" ]; then + echo >&2 "$0: Updating container CA certificate bundle with site certificate..." + cp -L "$dev_cert" /usr/local/share/ca-certificates/ + update-ca-certificates + else + echo >&2 "$0: No site CA certificate found." + fi + echo >&2 "$0: Launching command: $@" + exec "$@" 
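Review bot: `service_provider.json` interpolates `{{service_provider}}` and `{{program_name}}` raw inside JSON string literals, so a value containing a double quote or backslash yields invalid JSON that the portal will fail to parse. Rendering the values with Ansible's JSON filter, `"name": {{ service_provider|to_json }}` and `"name": {{ program_name|to_json }}`, escapes them correctly and keeps the quoting in one place.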
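Review bot: `wrapper.sh` runs `cp -L` and `update-ca-certificates` without checking either result, so a failed copy (for instance after a mount path change) still prints the "Updating" message and execs the command with an unchanged trust store, which then fails later with an opaque TLS error. Adding `set -eu` after the shebang, or `cp -L "$dev_cert" /usr/local/share/ca-certificates/ || exit 1`, makes a broken certificate install visible at startup. A comment in the data block that `site.crt` becomes a trust anchor for the whole container (the imagescanner deployment points `REQUESTS_CA_BUNDLE` at the resulting bundle) would also make clear that only a CA the operator controls belongs in `site_pem_cert`.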
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2 index 6771b1f..8b14661 100644 --- a/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2 @@ -48,9 +48,11 @@ spec: labels: run: gitlab spec: + imagePullSecrets: + - name: onapkey containers: - name: gitlab - image: {{container_uri}}rkt-gitlab:{{container_tag}} + image: {{container_uri}}gitlab:{{container_tag}} ports: - containerPort: 80 - containerPort: 22 diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2 index e78bfc9..bd5c10f 100644 --- a/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2 @@ -48,9 +48,11 @@ spec: labels: run: postgresql spec: + imagePullSecrets: + - name: onapkey containers: - name: postgresql - image: {{container_uri}}rkt-postgresql:{{container_tag}} + image: {{container_uri}}postgresql:{{container_tag}} ports: - containerPort: 5432 volumeMounts: diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2 index 98a04b5..44e78e1 100644 --- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2 
@@ -57,9 +57,11 @@ spec: hostPath: path: /var/devenv/ice-ci/ {% endif %} + imagePullSecrets: + - name: onapkey containers: - name: ci-uwsgi - image: {{container_uri}}rkt-ice-ci:{{container_tag}} + image: {{container_uri}}test-engine:{{container_tag}} ports: - containerPort: 80 - containerPort: 8282 @@ -77,7 +79,13 @@ spec: - name: ICE_ENVIRONMENT value: "{{ice_environment}}" - name: PROGRAM_NAME_URL_PREFIX - value: "ice" + value: "{{program_name_url_prefix}}" + - name: SERVICE_PROVIDER + value: "{{service_provider}}" + - name: PROGRAM_NAME + value: "{{program_name}}" + - name: SERVICE_PROVIDER_DOMAIN + value: "{{service_provider_domain}}" - name: SECRET_KEY valueFrom: secretKeyRef: {name: em-secret, key: key} @@ -158,7 +166,7 @@ spec: initialDelaySeconds: 90 periodSeconds: 15 {% endif %} - command: ["/app/docker-entrypoint.sh", "/usr/local/bin/uwsgi", "--ini", "/opt/configmaps/settings/uwsgi.ini", "--static-map", "/static=/app/htdocs" {% if devenv is defined %}, "--py-auto-reload" , "3"{% endif %}] + command: ["/app/docker-entrypoint.sh", "/usr/local/bin/gunicorn", "-c", "/opt/configmaps/settings/gunicorn.ini", "web.wsgi:application", {% if devenv is defined %}"--reload"{% endif %}] metadata: labels: run: ci-uwsgi diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2 index 8b601e9..01032d7 100644 --- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2 @@ -44,9 +44,11 @@ metadata: spec: template: spec: + imagePullSecrets: + - name: onapkey containers: - name: cms-uwsgi - image: {{container_uri}}rkt-ice-cms:{{container_tag}} + image: {{container_uri}}cms:{{container_tag}} ports: - containerPort: 80 - containerPort: 9000 
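Review bot: The new gunicorn command in the third hunk drops uwsgi's `--static-map /static=/app/htdocs` without a replacement, and nothing in this change teaches nginx to serve `/static` (the new `location /` blocks only proxy), so static assets previously served by the app container will 404 after the switch unless a path outside this diff handles them; the cms and em command hunks in `20-cms-uwsgi-deployment.yaml.j2` and `20-em-uwsgi-deployment.yaml.j2` have the same gap. Gunicorn does not serve static files itself, so either add an nginx `location /static/ { alias /app/htdocs/; }` backed by a shared volume or serve them from the Django app, and note the choice in a comment next to the command. Separately, the `containerPort: 9000` context lines in the cms and em hunks were uwsgi's stats port, which gunicorn does not provide, so that declaration is now dead and should go along with any Service targeting it.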
@@ -119,7 +121,7 @@ spec: periodSeconds: 15 timeoutSeconds: 10 {% endif %} - command: ["/docker-entrypoint.sh", "/usr/local/bin/uwsgi", "--ini", "/opt/configmaps/settings/uwsgi.ini", {% if devenv is defined %}"--py-auto-reload" , "3",{% endif %}"--static-map", "/static=/app/htdocs"] + command: ["/docker-entrypoint.sh", "/usr/local/bin/gunicorn", "-c", "/opt/configmaps/settings/gunicorn.ini", "cms.wsgi:application", {% if devenv is defined %}"--reload"{% endif %}] volumeMounts: - name: settings mountPath: /opt/configmaps/settings/ diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2 index 8cedd29..ceb24c4 100644 --- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2 @@ -56,9 +56,11 @@ spec: - name: em-settings configMap: name: em-settings + imagePullSecrets: + - name: onapkey containers: - name: em-uwsgi - image: {{container_uri}}rkt-engagementmgr:{{container_tag}} + image: {{container_uri}}engagementmgr:{{container_tag}} ports: - containerPort: 80 - containerPort: 9000 @@ -75,7 +77,13 @@ spec: - name: ENVIRONMENT value: "{{ice_environment}}" - name: PROGRAM_NAME_URL_PREFIX - value: "ice" + value: "{{program_name_url_prefix}}" + - name: SERVICE_PROVIDER + value: "{{service_provider}}" + - name: PROGRAM_NAME + value: "{{program_name}}" + - name: SERVICE_PROVIDER_DOMAIN + value: "{{service_provider_domain}}" - name: SECRET_KEY valueFrom: secretKeyRef: {name: em-secret, key: key} 
@@ -156,7 +164,7 @@ spec: periodSeconds: 15 timeoutSeconds: 10 {% endif %} - command: ["/docker-entrypoint.sh", "/usr/local/bin/uwsgi", "--ini", "/opt/configmaps/settings/uwsgi.ini", {% if devenv is defined %}"--py-auto-reload" , "3",{% endif %}"--static-map", "/static=/app/htdocs"] + command: ["/docker-entrypoint.sh", "/usr/local/bin/gunicorn", "-c", "/opt/configmaps/settings/gunicorn.ini", "vvp.wsgi:application", {% if devenv is defined %}"--reload"{% endif %}] metadata: labels: run: em-uwsgi diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2 index 775d341..b8f2f66 100644 --- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2 +++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2 @@ -44,11 +44,16 @@ metadata: spec: template: spec: + imagePullSecrets: + - name: onapkey containers: - name: imagescanner-worker - image: {{container_uri}}ice-image-scanner:{{container_tag}} - command: ["/usr/local/bin/imagescanner-worker"] + image: {{container_uri}}image-scanner:{{container_tag}} + command: + - "sh" + - "/opt/site-certificate/wrapper.sh" + - "/usr/local/bin/imagescanner-worker" securityContext: privileged: true volumeMounts: 
@@ -58,9 +63,30 @@ spec:
mountPath: /dev
- name: logs
mountPath: /var/log/imagescanner
+ - name: imagescanner-settings
+ mountPath: /opt/imagescanner-settings
+ - name: site-certificate
+ mountPath: /opt/site-certificate
+ env:
+ - name: PYTHONPATH
+ value: /opt/imagescanner-settings
+ - name: S3_HOST
+ value: "{{s3_dns_name}}"
+ - name: S3_PORT
+ value: "443"
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef: {name: em-secret, key: aws_access_key_id}
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef: {name: em-secret, key: aws_secret_access_key}
+ - name: SECRET_JENKINS_PASSWORD
+ value: ''
+ - name: REQUESTS_CA_BUNDLE
+ value: /etc/ssl/certs/ca-certificates.crt
- name: notifications-worker
- image: {{container_uri}}ice-image-scanner:{{container_tag}}
+ image: {{container_uri}}image-scanner:{{container_tag}}
command: ["/usr/local/bin/notifications-worker"]
securityContext:
privileged: true
@@ -70,9 +96,17 @@ spec:
secretKeyRef: {name: slack-tokens, key: notifications}
- name: DOMAIN
value: "{{em_internal_dns_name}}"
+ - name: PYTHONPATH
+ value: /opt/imagescanner-settings
+ - name: SECRET_JENKINS_PASSWORD
+ valueFrom:
+ secretKeyRef: {name: em-secret, key: jenkins_admin_password}
+ volumeMounts:
+ - name: imagescanner-settings
+ mountPath: /opt/imagescanner-settings
- name: imagescanner-frontend
- image: {{container_uri}}ice-image-scanner:{{container_tag}}
+ image: {{container_uri}}image-scanner:{{container_tag}}
command: ["/usr/local/bin/imagescanner-frontend"]
{# FIXME: No, the frontend does not require a privileged container.
@@ -87,9 +121,13 @@ spec:
volumeMounts:
- name: logs
mountPath: /var/log/imagescanner
+ - name: imagescanner-settings
+ mountPath: /opt/imagescanner-settings
env:
- name: DEFAULT_SLACK_CHANNEL
value: "#notifications"
+ - name: SECRET_JENKINS_PASSWORD
+ value: ''
volumes:
- name: imagescanner-ssh
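Review bot: The new `secretKeyRef` entries read keys `aws_access_key_id` and `aws_secret_access_key` (and `jenkins_admin_password` in the `@@ -70,9 +96,17 @@` hunk) from `em-secret`, but no change to the em-secret template is part of this commit, and without `optional: true` a missing key leaves the pod in CreateContainerConfigError; confirm those keys already exist in that Secret. `SECRET_JENKINS_PASSWORD` is set to `''` here and in the frontend (`@@ -87,9 +121,13 @@`) but to the real credential only in notifications-worker, which looks deliberate yet reads like an oversight; a comment such as `# deliberately empty: only notifications-worker needs the Jenkins credential` would remove the doubt and keeps the secret out of the containers that do not need it. `S3_PORT` is hard-coded to `"443"` while `S3_HOST` is templated; if the port can differ between environments it should come from the same variable set as `s3_dns_name`.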
@@ -101,6 +139,12 @@ spec:
path: /dev
- name: logs
emptyDir: {}
+ - name: imagescanner-settings
+ configMap:
+ name: imagescanner-settings
+ - name: site-certificate
+ configMap:
+ name: site-certificate
metadata:
labels:
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2
index 61504f1..1b4289a 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2
@@ -44,9 +44,11 @@ metadata:
spec:
template:
spec:
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: jenkins
- image: {{container_uri}}rkt-jenkins:{{container_tag}}
+ image: {{container_uri}}jenkins:{{container_tag}}
ports:
- containerPort: 8080
volumeMounts:
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2
index f3505e5..5c898d3 100644
--- a/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2
@@ -48,9 +48,11 @@ spec:
labels:
run: portal
spec:
+ imagePullSecrets:
+ - name: onapkey
containers:
- name: portal
- image: {{container_uri}}rkt-ice-portal:{{container_tag}}
+ image: {{container_uri}}portal:{{container_tag}}
ports:
- containerPort: 8181
command: ["nginx", "-g", "daemon off;", "-c", "/tmp/nginx.conf"]
@@ -68,3 +70,10 @@ spec:
items:
- key: file
path: nginx.conf
+ - key: service_provider.json
+ path: service_provider.json
+{% if devenv is defined %}
+ - name: portal-rsync
+ hostPath:
+ path: /var/devenv/rkt-ice-portal/d2ice.att.io/app
+{% endif %}
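Review bot: The devenv `hostPath` still points at `/var/devenv/rkt-ice-portal/d2ice.att.io/app` although this same file renames the image from `rkt-ice-portal` to `portal`, and the path embeds a vendor-specific hostname; it should probably be an Ansible variable (a placeholder such as `{{ devenv_portal_src_dir }}`) so developers do not have to reproduce that exact directory. Whether a matching `volumeMounts` entry for `portal-rsync` exists is outside this hunk and cannot be checked here. A `hostPath` volume bypasses the ConfigMap/Secret model entirely, which is acceptable only because the block is gated on `devenv`; a comment `# devenv only: live source tree from the developer host, never in a real deployment` would make that explicit.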
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2
index 29d1319..41597d6 100644
--- a/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2
@@ -37,10 +37,11 @@
#
# ECOMP is a trademark and service mark of AT&T Intellectual Property.
---
-apiVersion: v1
kind: Secret
+apiVersion: v1
metadata:
name: email-secret
+ namespace: default
type: Opaque
data:
- password: "{{vault_email_host_password | b64encode }}"
+ password: "{{vault_email_host_password|b64encode}}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/onap-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/onap-secret.yaml.j2
new file mode 100644
index 0000000..f253c3c
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/onap-secret.yaml.j2
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: onapkey
+ namespace: default
+data:
+ .dockercfg: {{ dockerconfig|to_json|b64encode }}
+type: kubernetes.io/dockercfg
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2
index f529dcf..1f92c42 100644
--- a/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2
@@ -37,11 +37,12 @@
#
# ECOMP is a trademark and service mark of AT&T Intellectual Property.
---
-apiVersion: v1
kind: Secret
+apiVersion: v1
metadata:
name: site-crt
+ namespace: default
type: Opaque
data:
# the public part of the certificate, not actually a secret.
- site.crt: "{{ site_pem_cert | b64encode }}"
+ site.crt: "{{site_pem_cert|b64encode}}"
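Review bot: `type: kubernetes.io/dockercfg` with a `.dockercfg` key is the legacy registry-credential format, whose JSON has registry hosts as top-level keys, whereas the current `kubernetes.io/dockerconfigjson` type expects an `auths`-keyed document under `.dockerconfigjson`; the `dockerconfig` variable is not visible in this change, so confirm its structure matches the legacy layout, or switch both the type and the key to the `dockerconfigjson` form, otherwise the kubelet cannot parse the credential. Unlike the sibling secret templates, which read `vault_`-prefixed variables (`vault_email_host_password` in the hunk above), this one reads a plain `dockerconfig`, so check that the registry credential is actually kept in Ansible Vault rather than in clear-text group_vars. The `namespace: default` pin here is what every `imagePullSecrets: - name: onapkey` reference in this change depends on; a comment such as `# referenced by imagePullSecrets in the deployment templates; must share their namespace` would record that.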
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2
index d045770..7ed5e26 100644
--- a/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2
@@ -37,10 +37,11 @@
#
# ECOMP is a trademark and service mark of AT&T Intellectual Property.
---
-apiVersion: v1
kind: Secret
+apiVersion: v1
metadata:
name: site-pem
+ namespace: default
type: Opaque
data:
- site.pem: "{{ site_pem | b64encode }}"
+ site.pem: "{{site_pem|b64encode}}"
-- cgit 1.2.3-korg