Jim Rigsbee
2019-07-22 0d0d0e99169d9285f46b3fd5fc425843c42fff89
Apply Let's Encrypt Certificates to local IdentityManager (#507)

* Introduced ocp4-workload-projectreaper-operator

* Added GPTE defaults to Project Reaper
1) Added defaults to the role
2) Added new defaults for GPTE to the ProjectTracker template

* Made instance alternate names plural
1) Added loop in the cloudformation template to create multiple Route53 entries for multiple alternate instance names
2) Added python-boto to the list of installed packages on bastion
3) Changed default instance in default env_vars to handle alt_name as array

* Added new ocp4-workload-idm
This workload installs Identity Manager on bastion and makes necessary DNS entries for the OpenShift cluster to reach it

* Introduced the ability to remove workloads on cluster destroy in ocp4-workshop
Some workloads may create infrastructure that must be removed before the cloudformation stack is deleted
Added the remove infrastructure tasks to the ocp4-workload-idm workload

* Added new workload: ocp4-workload-mysql
This workload installs and configures MariaDB (MySQL) on the bastion.

* debugged remove workloads and fixed with some refactoring of playbooks

* WIP: refactor for PR comments

* WIP: issue 484 - make nexus deployment optional

* WIP: Change operator container image version and location

* Successfully tested mysql workload

* Successfully tested refactor of IdM workload

* WIP: issue 484 - make nexus deployment optional

* WIP: Change operator container image version and location

* Default variable to avoid "not defined"

* Moved archived ipa-server role to the correct location in the source tree

* Fix for PR review: use Ansible fact to retrieve bastion IP address

* Updates to nexus operator workload
1) Moved location of nexus-operator container to gpte-devops-automation
2) Added additional permissions needed by nexus-operator
3) Added logic to create a user.info display of the Nexus admin password

* Fixed root account setup in mysql workload

* Refactored instance.alt_name to accept an array of names or a single string for backward compatibility

* Added ocp4-workload-mysql instead of just using an infra-workload because it needs to make a DNS entry for the OpenShift cluster to be able to discover its alias name

* WIP: Refactor lets encrypt to make more reusable

* Added Lets Encrypt certs to local IdM server

* Bump version of Nexus operator to 0.9.0

* Changed Nexus operator version to 0.9

* WIP: issue 484 - make nexus deployment optional

* WIP: Change operator container image version and location

* Updates to nexus operator workload
1) Moved location of nexus-operator container to gpte-devops-automation
2) Added additional permissions needed by nexus-operator
3) Added logic to create a user.info display of the Nexus admin password

* WIP: Refactor lets encrypt to make more reusable

* Added Lets Encrypt certs to local IdM server

* Bump version of Nexus operator to 0.9.0

* Changed Nexus operator version to 0.9
1 file deleted, 5 files added, 11 files modified, 2 files renamed; 344 lines changed

Changed files (lines changed):
ansible/roles/host-lets-encrypt-certs-certbot/defaults/main.yml (4)
ansible/roles/host-lets-encrypt-certs-certbot/files/deploy_certs.yml (24)
ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml (28)
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.sh (renamed)
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.yml (47)
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/router-certs.j2 (renamed)
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml (19)
ansible/roles/ocp4-workload-idm/files/DSTRootCAX3.pem (20)
ansible/roles/ocp4-workload-idm/files/LEAuthX3.pem (27)
ansible/roles/ocp4-workload-idm/files/deploy_certs.sh (4)
ansible/roles/ocp4-workload-idm/files/deploy_certs.yml (30)
ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml (5)
ansible/roles/ocp4-workload-idm/tasks/workload.yml (58)
ansible/roles/ocp4-workload-nexus-operator/defaults/main.yml (4)
ansible/roles/ocp4-workload-nexus-operator/tasks/remove_workload.yml (3)
ansible/roles/ocp4-workload-nexus-operator/tasks/workload.yml (55)
ansible/roles/ocp4-workload-nexus-operator/templates/opentlc-nexus.j2 (2)
ansible/roles/ocp4-workload-nexus-operator/templates/operator.j2 (6)
ansible/roles/ocp4-workload-nexus-operator/templates/role.j2 (8)
ansible/roles/host-lets-encrypt-certs-certbot/defaults/main.yml
@@ -46,4 +46,6 @@
_certbot_force_issue: False
# Internal Variable. Don't change
_certbot_setup_complete: false
_certbot_setup_complete: false
_certbot_cron_job_name: LETS_ENCRYPT_RENEW
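Review bot: `_certbot_cron_job_name` is added underneath the `# Internal Variable. Don't change` comment, yet callers are expected to override it (ocp4-workload-idm sets it to `LETS_ENCRYPT_RENEW_IDM`), so it reads as a private variable. Move it above that comment with the other tunables and give it a one-line description, e.g. `# Name of the cron entry that runs certbot renew; override when several certbot instances share a host`. The repeated `_certbot_setup_complete: false` in the rendering suggests the old file lacked a trailing newline, which this change also fixes.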
ansible/roles/host-lets-encrypt-certs-certbot/files/deploy_certs.yml
File was deleted
ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml
@@ -7,7 +7,7 @@
- name: Verify if AWS Credentials exist on the host
  when: _certbot_dns_provider is match('route53')
  stat:
    path: "{{ _certbot_remote_dir }}/.aws/credentials"
    path: "/home/{{ ansible_user }}/.aws/credentials"
  register: aws_credentials_result
- name: Fail if AWS Credentials are not on the host
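Review bot: replacing `{{ _certbot_remote_dir }}/.aws/credentials` with `/home/{{ ansible_user }}/.aws/credentials` hard-codes the home directory layout, so on a host where the user's home is not under `/home` the check fails even though credentials exist. Prefer the gathered fact, `path: "{{ ansible_user_dir }}/.aws/credentials"`, which also keeps the role usable when `_certbot_remote_dir` is pointed at a subdirectory, as ocp4-workload-idm now does with `/home/{{ ansible_user }}/idm`, which is presumably what motivated the change.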
@@ -15,7 +15,7 @@
    msg: AWS Credentials are required when requesting certificates for a wildcard domain
  when:
  - _certbot_dns_provider is match('route53')
  - aws_credentials_result.stat.exists == False
  - aws_credentials_result.stat.exists == False
- name: Set _certbot_wildcard_certs fact
  set_fact:
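Review bot: the two `aws_credentials_result.stat.exists == False` lines are visibly identical, so this is a whitespace-only change; while the line is being touched, `- not aws_credentials_result.stat.exists` is the idiomatic form and avoids the `== False` comparison.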
@@ -74,22 +74,6 @@
      - "{{ _certbot_dir }}/renewal-hooks"
      - "{{ _certbot_dir }}/renewal-hooks/deploy"
    - name: Install redeploy hook scripts
      copy:
        src: ./files/deploy_certs.sh
        dest: "{{ _certbot_dir }}/renewal-hooks/deploy/deploy_certs.sh"
        mode: 0775
        owner: "{{ _certbot_remote_dir_owner }}"
    - name: Install redeploy hook playbook and cert secret template
      copy:
        src: "./files/{{ item }}"
        dest: "{{ _certbot_dir }}/renewal-hooks/deploy/{{ item }}"
        mode: 0664
        owner: "{{ _certbot_remote_dir_owner }}"
      loop:
      - deploy_certs.yml
      - router-certs.j2
    - name: Request Certificates from Let's Encrypt (force or no cache)
      when:
      - _certbot_force_issue|bool or not _certbot_setup_complete|bool
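Review bot: removing the two hook-installation tasks from the shared role means every consumer must now ship its own `renewal-hooks/deploy` content, while the role still creates `{{ _certbot_dir }}/renewal-hooks/deploy` and schedules `certbot renew`; a caller that forgets the hook will renew silently without the new certificate ever being deployed. State in the role's README that the deploy hook is the caller's responsibility, and ideally fail early with an `assert` when `_certbot_renew_automatically` is set and the deploy directory is still empty.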
@@ -104,7 +88,7 @@
        debug:
          msg: >-
            About to request certificates using the following command:
            certbot certonly -n --agree-tos --email {{ _certbot_le_email }}
            certbot certonly -n --agree-tos --email {{ _certbot_le_email }}
            -d {{ _certbot_domain }}
            {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}}
            {{ (_certbot_production|bool)|ternary('','--test-cert') }}
@@ -117,7 +101,7 @@
      - name: Request API and Wildcard Certificates
        become: False
        shell: >-
          certbot certonly -n --agree-tos --email {{ _certbot_le_email }}
          certbot certonly -n --agree-tos --email {{ _certbot_le_email }}
          -d {{ _certbot_domain }}
          {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}}
          {{ (_certbot_production|bool)|ternary('','--test-cert') }}
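Review bot: the visible line is unchanged in both this hunk and the preceding debug hunk, so the edit is whitespace-only, but the full `certbot certonly ...` command is maintained twice, once in the debug message and once in the `shell` task. Build it once with `set_fact` (for example `_certbot_command: >- certbot certonly -n --agree-tos ...`) and reference it from both places so the logged command always matches the executed one.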
@@ -177,8 +161,6 @@
  - name: Install crontab to renew certificates when they expire
    become: False
    cron:
      name: LETS_ENCRYPT_RENEW
      name: "{{ _certbot_cron_job_name }}"
      special_time: daily
      job: "certbot renew {{ _certbot_additional_args|d(_certbot_args)|d('') }} --config-dir={{ _certbot_dir }}/config --work-dir={{ _certbot_dir }}/work --logs-dir={{ _certbot_dir }}/logs --quiet > /dev/null"
# --deploy-hook /path/to/deploy-hook-script
# You can also specify hooks by placing files in subdirectories of Certbot’s configuration directory. Assuming your configuration directory is /etc/letsencrypt, any executable files found in /etc/letsencrypt/renewal-hooks/pre, /etc/letsencrypt/renewal-hooks/deploy, and /etc/letsencrypt/renewal-hooks/post will be run as pre, deploy, and post hooks respectively when any certificate is renewed with the renew subcommand. These hooks are run in alphabetical order and are not run for other subcommands. (The order the hooks are run is determined by the byte value of the characters in their filenames and is not dependent on your locale.)
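Review bot: the cron entry is now named `{{ _certbot_cron_job_name }}`, but the removal side in `ocp4-workload-idm/tasks/remove_workload.yml` uses the literal `LETS_ENCRYPT_RENEW_IDM`; if the name is changed in one place the other leaves a stale daily `certbot renew` job behind. Reference the same variable in the removal task. The trailing comment block about Certbot's `renewal-hooks` directories is the documentation that explains the hooks now installed by the workloads; moving it next to the directory-creation task would keep it from being orphaned under the cron task.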
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.sh
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.yml
New file
@@ -0,0 +1,47 @@
---
# This playbook redeploys Lets Encrypt certificates
# It does not renew the certs, which is done by the certbot cronjob.
#
# Please ensure CA and key have not changed.
- hosts: localhost
  gather_facts: no
  become: no
  vars:
  - _certbot_install_dir: "/home/{{ ansible_user }}/certificates"
  - _certbot_remote_dir: "/home/{{ ansible_user }}"
  - _certbot_dir: "{{ _certbot_remote_dir }}/certbot"
  tasks:
  - name: Determine API server hostname
    shell: "oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././'"
    register: api_hostname
  - name: Compute domain name
    set_fact:
      _certbot_domain: "{{ api_hostname.stdout }}"
  - name: Install certificates
    copy:
      src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}"
      dest: "{{ _certbot_install_dir }}/{{ item }}"
      remote_src: yes
    loop:
    - "cert.pem"
    - "fullchain.pem"
    - "chain.pem"
    - "privkey.pem"
  - name: Read Certificate
    slurp:
      src: "$HOME/certificates/fullchain.pem"
    register: server_cert
  - name: Read Key
    slurp:
      src: "$HOME/certificates/privkey.pem"
    register: server_key
  - name: Create Router Certificate
    k8s:
      state: present
      definition: "{{ lookup('template', './router-certs.j2' ) | from_yaml }}"
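Review bot: the play runs on `localhost` with `gather_facts: no` but its `vars` are built from `{{ ansible_user }}`, which is a connection variable, not a fact; when certbot's cron job invokes this hook there is no inventory, so `_certbot_install_dir` and `_certbot_remote_dir` are undefined unless the hook script passes `-e ansible_user=...`. Since the file is installed with `copy` rather than `template`, either render the paths at install time or derive them from `lookup('env', 'HOME')`. Two smaller points: `_certbot_domain` is recovered from `oc whoami --show-server` with `cut`/`sed`, which only works while the API hostname follows the `<name>-api.<domain>` convention, so a comment stating that assumption would help; and the `slurp` tasks read `$HOME/certificates/...` while the `copy` task above writes to `{{ _certbot_install_dir }}`, so the same path is expressed two ways and can drift.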
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/router-certs.j2
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml
@@ -45,10 +45,27 @@
    - _certbot_use_cache: True
    - _certbot_force_issue: False
    - _certbot_production: True
    - _certbot_cron_job_name: LETS_ENCRYPT_RENEW
    # production false results in unusable certificates
    # (not possible to login to OCP)
    # - _certbot_production: "{{ lets_encrypt_production|d(False)|bool}}"
  - name: Install redeploy hook scripts
    copy:
      src: ./files/deploy_certs.sh
      dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/deploy_certs.sh"
      mode: 0775
      owner: "{{ ansible_user }}"
  - name: Install redeploy hook playbook and cert secret template
    copy:
      src: "./files/{{ item }}"
      dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/{{ item }}"
      mode: 0664
      owner: "{{ ansible_user }}"
    loop:
    - deploy_certs.yml
    - router-certs.j2
  - name: Read Certificate
    slurp:
      src: "$HOME/certificates/fullchain.pem"
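Review bot: the hook files are copied to the hard-coded `/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/`, while the `_certbot_*` variables passed to the role in the lines above are what actually decide where certbot keeps its configuration; if `_certbot_remote_dir` or `_certbot_dir` is ever changed the hooks end up outside the directory certbot scans. Reuse the same variable in `dest:`. Also, `_certbot_cron_job_name: LETS_ENCRYPT_RENEW` repeats the role default and can be dropped unless it is meant as documentation of the name.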
@@ -73,4 +90,4 @@
- name: workload tasks complete
  debug:
    msg: "Workload Tasks completed successfully."
  when: not silent|bool
  when: not silent|bool
ansible/roles/ocp4-workload-idm/files/DSTRootCAX3.pem
New file
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
ansible/roles/ocp4-workload-idm/files/LEAuthX3.pem
New file
@@ -0,0 +1,27 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
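Review bot: `DSTRootCAX3.pem` and `LEAuthX3.pem` are static copies of the Let's Encrypt root and intermediate, and the CA rotates its intermediates; when that happens the trust store installed from these files no longer chains to the issued certificate, whereas the `chain.pem` that `deploy_certs.yml` already copies out of certbot always matches. Prefer installing the CA chain from certbot's `chain.pem`, or at least record the expected fingerprints of these two files in the role so a reviewer can verify them against the CA's published values.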
ansible/roles/ocp4-workload-idm/files/deploy_certs.sh
New file
@@ -0,0 +1,4 @@
#!/bin/bash
ansible-playbook ./deploy_certs.yml \
  -e "_certbot_domain={{ idm_dns_name }}" \
  -e "idm_dm_password={{ idm_dm_password }}"
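Review bot: `ansible-playbook ./deploy_certs.yml` relies on the current working directory being the hook directory, but certbot does not change into `renewal-hooks/deploy` before running hooks, and under cron the cwd is the user's home; run `cd "$(dirname "$0")"` first or give the playbook's absolute path. Second, because this file is rendered with `template`, `{{ idm_dm_password }}` ends up in clear text in a script that the idm workload installs with mode 0775, and it is then passed on the command line where any local account can read it from the process list; install the script as 0700 and have the playbook read the Directory Manager password from a root-only file or a vaulted variable rather than its argument list.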
ansible/roles/ocp4-workload-idm/files/deploy_certs.yml
New file
@@ -0,0 +1,30 @@
---
# This playbook redeploys Lets Encrypt certificates
# It does not renew the certs, which is done by the certbot cronjob.
#
# Please ensure CA and key have not changed.
- hosts: localhost
  gather_facts: no
  become: no
  vars:
  - _certbot_install_dir: "/home/{{ ansible_user }}/idm/certificates"
  - _certbot_dir: "/home/{{ ansible_user }}/idm/certbot"
  tasks:
  - name: Install certificates
    copy:
      src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}"
      dest: "{{ _certbot_install_dir }}/{{ item }}"
      remote_src: yes
    loop:
    - "cert.pem"
    - "fullchain.pem"
    - "chain.pem"
    - "privkey.pem"
  - name: Install IPA Certificate
    shell: |
      ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p {{ idm_dm_password }} --pin=''
      ipactl restart
    become: True
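Review bot: same `ansible_user` issue as the hook playbook in the OCP workload: with `hosts: localhost`, `gather_facts: no` and `vars` built from `{{ ansible_user }}`, `_certbot_install_dir` and `_certbot_dir` are undefined when `deploy_certs.sh` runs this under cron, since that script only passes `_certbot_domain` and `idm_dm_password`; add `-e ansible_user=...` to the script or render the playbook through `template` so the paths are fixed at install time. The `Install IPA Certificate` task also duplicates the identical task in `tasks/workload.yml`; put it in one shared task file so the two cannot drift, and add `no_log: true` to it, since `-p {{ idm_dm_password }}` otherwise appears in the Ansible output.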
ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml
@@ -55,6 +55,11 @@
    zone: "{{ cluster_name }}{{ subdomain_base_suffix }}."
    vpc_id: "{{ cluster_vpc.vpcs[0].vpc_id }}"
- name: Remove Certificate renewal cronjob
  cron:
    name: LETS_ENCRYPT_RENEW_IDM
    state: absent
# Leave this as the last task in the playbook.
- name: remove_workload tasks complete
  debug:
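Review bot: `name: LETS_ENCRYPT_RENEW_IDM` is a literal while `tasks/workload.yml` sets the same name through `_certbot_cron_job_name`; define the name once in the role's defaults and reference it in both tasks so the removal cannot silently miss the job. If the cron entry is installed for a specific user, pass the same `user:` here, otherwise `state: absent` looks in the wrong crontab.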
ansible/roles/ocp4-workload-idm/tasks/workload.yml
@@ -10,6 +10,64 @@
  vars:
    become_override: yes
# /home/{{ ansible_user }}/.aws/credentials needs to exist before calling this role
- name: Create Let's Encrypt Certificates
  include_role:
    name: host-lets-encrypt-certs-certbot
  vars:
  - _certbot_domain: "{{ idm_dns_name }}"
  - _certbot_wildcard_domain: "{{cluster_name}}{{subdomain_base_suffix}}"
  - _certbot_dns_provider: "route53"
  - _certbot_remote_dir: "/home/{{ ansible_user }}/idm"
  - _certbot_remote_dir_owner: "{{ ansible_user }}"
  - _certbot_install_dir: "/home/{{ ansible_user }}/idm/certificates"
  - _certbot_install_dir_owner: "{{ ansible_user }}"
  - _certbot_cache_archive_file: "{{ output_dir|d('/tmp') }}/{{ guid }}-idm-certs.tar.gz"
  - _certbot_renew_automatically: True
  - _certbot_use_cache: True
  - _certbot_force_issue: False
  - _certbot_production: True
  - _certbot_cron_job_name: LETS_ENCRYPT_RENEW_IDM
- name: Get Root CA
  copy:
    src: ./files/DSTRootCAX3.pem
    dest: /tmp/DSTRootCAX3.pem
- name: Get Intermediate CA
  copy:
    src: ./files/LEAuthX3.pem
    dest: /tmp/LEAuthX3.pem
- name: Install CAs
  shell: |
    echo {{ idm_admin_password }} | kinit admin
    ipa-cert-manage -p {{ idm_dm_password }} install /tmp/DSTRootCAX3.pem -n DSTRootCAX3 -t C,,
    ipa-cert-manage -p {{ idm_dm_password }} install /tmp/LEAuthX3.pem -n LEAuthX3 -t C,,
    ipa-certupdate -v
  become: True
- name: Install IPA Certificate
  shell: |
    ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p {{ idm_dm_password }} --pin=''
    ipactl restart
  become: True
- name: Install redeploy hook scripts
  template:
    src: ./files/deploy_certs.sh
    dest: "/home/{{ ansible_user }}/idm/certbot/renewal-hooks/deploy/deploy_certs.sh"
    mode: 0775
    owner: "{{ ansible_user }}"
- name: Install redeploy hook ansible components
  copy:
    src: "./files/{{ item }}"
    dest: "/home/{{ ansible_user }}/idm/certbot/renewal-hooks/deploy/{{ item }}"
    mode: 0664
    owner: "{{ ansible_user }}"
  loop:
  - deploy_certs.yml
# Find public IP of bastion
- name: Gather VPC facts
  ec2_vpc_net_facts:
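Review bot: the `Install CAs` and `Install IPA Certificate` shell tasks put `{{ idm_admin_password }}` and `{{ idm_dm_password }}` on command lines (`echo ... | kinit admin`, `ipa-cert-manage -p ...`, `ipa-server-certinstall -p ...`), so the passwords show up in Ansible's task output and in the process list; add `no_log: true` to both tasks and feed `kinit` through the `shell` module's `stdin:` option instead of `echo`. Two further points: the hook script is installed with `mode: 0775`, which makes a file containing the DM password readable by every account on the bastion, so `0700` is the right mode; and the `# /home/{{ ansible_user }}/.aws/credentials needs to exist before calling this role` comment should be enforced with a `stat`/`assert` pair rather than left as a comment, given that the included role now checks exactly that path.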
ansible/roles/ocp4-workload-nexus-operator/defaults/main.yml
@@ -12,4 +12,6 @@
_nexus_cpu_request: 1
_nexus_cpu_limit: 2
_nexus_memory_request: 2Gi
_nexus_memory_limit: 2Gi
_nexus_memory_limit: 2Gi
_nexus_deploy_nexus_instance: True
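Review bot: `_nexus_deploy_nexus_instance: True` is the switch that makes the default instance optional (issue 484 in the commit message), but nothing here explains it; add a short comment and list it in the role's README with the other `_nexus_*` variables so users know to set it to `False` when they only want the operator.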
ansible/roles/ocp4-workload-nexus-operator/tasks/remove_workload.yml
@@ -5,7 +5,8 @@
  k8s:
    state: absent
    definition: "{{ lookup('template', './templates/opentlc-nexus.j2' ) | from_yaml }}"
  when: _nexus_deploy_nexus_instance|bool
- name: Wait 15 seconds for the Nexus to disappear
  wait_for: timeout=15
  delegate_to: localhost
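Review bot: the CR deletion now carries `when: _nexus_deploy_nexus_instance|bool`, but the following `Wait 15 seconds for the Nexus to disappear` task has no condition, so runs with the instance disabled still pause for 15 seconds for nothing; apply the same `when:` to the wait task, or move both into a conditional `block` as `tasks/workload.yml` does on the deploy side.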
ansible/roles/ocp4-workload-nexus-operator/tasks/workload.yml
@@ -19,7 +19,60 @@
  - ./templates/role.j2
  - ./templates/role_binding.j2
  - ./templates/operator.j2
  - ./templates/opentlc-nexus.j2
- name: Deploy default Nexus instance
  when: _nexus_deploy_nexus_instance|bool
  block:
    - name: Create OpenShift Custom Resource for Nexus Instance
      k8s:
        state: present
        merge_type:
        - strategic-merge
        - merge
        definition: "{{ lookup('template', './templates/opentlc-nexus.j2' ) | from_yaml }}"
    - name: Wait for Nexus Pod to start creating
      pause:
        seconds: 10
    - name: Wait for Nexus Pod to start
      k8s:
        api_version: v1
        kind: Pod
        name: "{{ _nexus_name }}"
        namespace: "{{ _nexus_operator_project }}"
      register: nexus_pod
      until:
      - nexus_pod.result is defined
      - nexus_pod.result.status.phase == "Running"
      retries: 50
      delay: 10
      changed_when: false
    - name: Wait for the Nexus Pod to be ready
      k8s:
        api_version: v1
        kind: Pod
        name: "{{ _nexus_name }}"
        namespace: "{{ _nexus_operator_project }}"
      register: nexus_pod
      until:
      - nexus_pod.result.status.containerStatuses[0].ready|d(False)|bool
      retries: 50
      delay: 10
      changed_when: false
    - name: Get Admin password
      k8s:
        api_version: gpte.opentlc.com/v1alpha1
        kind: Nexus
        name: "{{ _nexus_name }}"
        namespace: "{{ _nexus_operator_project }}"
      register: nexus_cr
      until:
      - nexus_cr.result.status.admin_password is defined
      retries: 25
      delay: 5
      changed_when: false
    - name: Display Nexus password
      debug:
        msg: "user.info: Nexus password is {{ nexus_cr.result.status.admin_password }}"
# Leave this as the last task in the playbook.
- name: workload tasks complete
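Review bot: the `Wait for Nexus Pod to start` loop guards only `nexus_pod.result is defined`, but the `k8s` lookup returns an empty `result` while the pod does not exist yet, so `nexus_pod.result.status.phase` is undefined and the `until` errors instead of retrying; the 10-second `pause` before it only papers over that race. Use the same defaulting the readiness check below already uses, e.g. `- nexus_pod.result.status.phase|d('') == "Running"`, and the pause can go. Separately, `Display Nexus password` writes the admin password into the run log via `user.info:`; that is intended for the lab output, but it means anyone with access to the deployment logs has it, so document that the operator-generated value is an initial password to be changed.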
ansible/roles/ocp4-workload-nexus-operator/templates/opentlc-nexus.j2
@@ -10,4 +10,4 @@
  nexusCpuRequest: "{{ _nexus_cpu_request }}"
  nexusCpuLimit: "{{ _nexus_cpu_limit }}"
  nexusMemoryRequest: "{{ _nexus_memory_request }}"
  nexusMemoryLimit: "{{ _nexus_memory_limit }}"
  nexusMemoryLimit: "{{ _nexus_memory_limit }}"
ansible/roles/ocp4-workload-nexus-operator/templates/operator.j2
@@ -20,14 +20,14 @@
          - /usr/local/bin/ao-logs
          - /tmp/ansible-operator/runner
          - stdout
          image: quay.io/wkulhanek/nexus-operator:v0.8.1
          image: quay.io/gpte-devops-automation/nexus-operator:v0.9
          imagePullPolicy: Always
          volumeMounts:
          - mountPath: /tmp/ansible-operator/runner
            name: runner
            readOnly: true
        - name: operator
          image: quay.io/wkulhanek/nexus-operator:v0.8.1
          image: quay.io/gpte-devops-automation/nexus-operator:v0.9
          imagePullPolicy: Always
          volumeMounts:
          - mountPath: /tmp/ansible-operator/runner
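Review bot: both containers move from `quay.io/wkulhanek/nexus-operator:v0.8.1` to `quay.io/gpte-devops-automation/nexus-operator:v0.9` while keeping `imagePullPolicy: Always`. `v0.9` is a floating minor tag, so every pod restart may pull a different build, and the two containers in the same pod can even end up on different builds; pin to the patch tag the commit message names (`0.9.0`) or, better, to the image digest, and keep `Always` only while the tag is expected to move.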
@@ -43,4 +43,4 @@
              value: "nexus-operator"
      volumes:
        - name: runner
          emptyDir: {}
          emptyDir: {}
ansible/roles/ocp4-workload-nexus-operator/templates/role.j2
@@ -6,6 +6,12 @@
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods
  - services
  - endpoints
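Review bot: the new rule grants `create` on `pods/exec`, which lets the operator's service account run arbitrary commands in any pod of the namespace the Role is bound in; the commit message only says the permission is needed by nexus-operator. Add a comment in the template naming the operator task that needs exec, so the grant can be dropped when it no longer does, and confirm the binding in `role_binding.j2` is a namespaced `RoleBinding` rather than a cluster-wide one.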
@@ -26,7 +32,7 @@
  resources:
  - namespaces
  verbs:
  - get
  - get
- apiGroups:
  - apps
  resources: