Gareth Healy
2020-02-19 22fc6b3780609316bf50eedfdf20f23a492d861f
Drastically improved install time for ocp4-workload-pam-fraudmanagement-workshop (#1164)

* Removed olm due to bug which increases deployment time for every project that gets created

* Moved checks to verification to improve install speed
30 files added
10 files modified
3040 ■■■■■ changed files
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/defaults/main.yml 3 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/tasks/workload_per_project_amqstreams.yml 16 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/tasks/workload_per_project_businessautomation.yml 16 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/tasks/workload_per_project_datagrid.yml 8 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/tasks/workload_per_project_fuseworkload.yml 4 ●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/tasks/workload_per_project_grafana.yml 31 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/tasks/workload_per_project_prometheus.yml 23 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/tasks/workload_project.yml 19 ●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/businessautomation/operator/crd.yml 1716 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/businessautomation/operator/role.yml 39 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/businessautomation/operator/sa.yml 4 ●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/datagrid/operator/crd.yml 22 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/datagrid/operator/role.yml 51 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/datagrid/operator/sa.yml 4 ●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/grafana/operator/crd-dashboard.yml 41 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/grafana/operator/crd-datasource.yml 44 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/grafana/operator/crd-grafana.yml 101 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/grafana/operator/role.yml 57 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/grafana/operator/sa.yml 4 ●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/namespace-limits.yml 4 ●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/namespace-quota.yml 4 ●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/prometheus/operator/k8s-sa.yml 4 ●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/prometheus/operator/role.yml 60 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/prometheus/operator/role2.yml 22 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/prometheus/operator/sa.yml 4 ●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/tasks/workload_per_project_amqstreams.yml 23 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/tasks/workload_per_project_businessautomation.yml 41 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/tasks/workload_per_project_datagrid.yml 40 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/tasks/workload_per_project_grafana.yml 62 ●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/tasks/workload_per_project_prometheus.yml 52 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/tasks/workload_project.yml 11 ●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/businessautomation/operator/deployment.j2 75 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/businessautomation/operator/rolebinding.j2 12 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/datagrid/operator/deployment.j2 123 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/datagrid/operator/rolebinding.j2 12 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/grafana/operator/deployment.j2 166 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/grafana/operator/rolebinding.j2 12 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/prometheus/operator/deployment.j2 86 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/prometheus/operator/rolebinding.j2 12 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/prometheus/operator/rolebinding2.j2 12 ●●●●●
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/defaults/main.yml
@@ -5,4 +5,7 @@
tmp_dir: /tmp/ocp4-workload-pam-fraudmanagement-workshop
_retry: 180
_delay: 10
_user_login_password: openshift
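Review bot: `_user_login_password: openshift` keeps a shared, guessable credential as a role default in version control, so every run that does not override it authenticates the workshop users with the same well-known value. Which of the lines in this hunk the commit adds is not recoverable from this view, so the line may be pre-existing, but the login check in tasks/workload_project.yml reads it. Consider dropping the default and failing early when the variable is not supplied from the deployer's vault or extra-vars, with a comment such as `# supplied per environment; do not commit a real value`.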
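--- /dev/null
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/tasks/workload_per_project_amqstreams.yml
@@ -0,0 +1,16 @@
+---
+- name: Wait until KafkaCluster has Ready condition
+  command: >
+    oc get kafka/{{ _namespace }}-cluster -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' -n "{{ _namespace }}"
+  register: kafka
+  retries: "{{ _retry }}"
+  delay: "{{ _delay }}"
+  until: kafka.stdout == "True"
+- name: Wait until KafkaTopic block-account has Ready condition
+  command: >
+    oc get KafkaTopic/block-account -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' -n "{{ _namespace }}"
+  register: blocktopic
+  retries: "{{ _retry }}"
+  delay: "{{ _delay }}"
+  until: blocktopic.stdout == "True"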
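Review bot: Both polling tasks run a read-only `oc get` through `command`, which Ansible reports as changed on every run; add `changed_when: false` next to each `register:` so a clean verification pass shows no changes. The `oc get` polls in the businessautomation, datagrid, grafana and prometheus verification files have the same shape. The first task also interpolates `{{ _namespace }}` into the resource name unquoted while quoting it for `-n`; quoting both (`"kafka/{{ _namespace }}-cluster"`) keeps the argument intact if the value ever contains whitespace.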
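--- /dev/null
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/tasks/workload_per_project_businessautomation.yml
@@ -0,0 +1,16 @@
+---
+- name: Wait until KieApp has Deployed condition
+  command: >
+    oc get kieapp/rhpam-authoring -o jsonpath='{.status.conditions[?(@.type=="Deployed")].status}' -n "{{ _namespace }}"
+  register: kieapp
+  retries: "{{ _retry }}"
+  delay: "{{ _delay }}"
+  until: kieapp.stdout == "True"
+- name: Check KieServer is running
+  command: >
+    oc rollout status DeploymentConfig/rhpam-authoring-kieserver --watch=true -n "{{ _namespace }}"
+- name: Check BusinessCentral is running
+  command: >
+    oc rollout status DeploymentConfig/rhpam-authoring-rhpamcentr --watch=true -n "{{ _namespace }}"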
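Review bot: The two `oc rollout status ... --watch=true` tasks have no bound of their own: unlike the KieApp poll above them they carry no `retries`/`delay`, and the command is given no `--timeout`, so a rollout that stalls can hold the play until the controller marks it failed. Pass an explicit limit, for example `--timeout=30m` (value constructed for illustration), so a stuck project fails verification at a known point. The rollout checks in the fuseworkload, grafana and prometheus verification files are written the same way.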
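--- /dev/null
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/tasks/workload_per_project_datagrid.yml
@@ -0,0 +1,8 @@
+---
+- name: Wait until Infinispan is Deployed
+  command: >
+    oc get infinispan/example-infinispan -o jsonpath='{.status.conditions[?(@.type=="wellFormed")].status}' -n "{{ _namespace }}"
+  register: infinispan
+  retries: "{{ _retry }}"
+  delay: "{{ _delay }}"
+  until: infinispan.stdout == "True"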
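Review bot: The task name says the Infinispan cluster is "Deployed", but the jsonpath on the `oc get` line filters on the `wellFormed` condition, so someone reading a failed run will look for a condition that is not the one being polled. Rename the task to match, e.g. `- name: Wait until Infinispan has wellFormed condition`, or add a comment above it explaining why `wellFormed` is taken as the readiness signal.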
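--- /dev/null
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/tasks/workload_per_project_fuseworkload.yml
@@ -0,0 +1,4 @@
+---
+- name: Check Fuse workload is running
+  command: >
+    oc rollout status DeploymentConfig/pam-fraudmanagement-fuse --watch=true -n {{ _namespace }}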
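Review bot: This task queries the rollout with whatever `oc` context is active, whereas the inline Fuse check shown in tasks/workload_project.yml passes `--config={{ tmp_dir }}.kube/{{ _namespace }}-config`, the kubeconfig written by the user's `oc login`. If verification is meant to prove that the workshop user can see their own workload, the moved check no longer exercises that user's permissions; this is inferred, since the page does not show which side of the diff the inline check is on. Either keep the `--config` argument here or add a comment stating that the check deliberately runs as the provisioning account. `-n {{ _namespace }}` is also left unquoted here, unlike in the other new verification files.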
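--- /dev/null
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/tasks/workload_per_project_grafana.yml
@@ -0,0 +1,31 @@
+---
+- name: Wait until Grafana is phase 3
+  command: >
+    oc get grafana/grafana -o jsonpath='{.status.phase}' -n "{{ _namespace }}"
+  register: grafana
+  retries: "{{ _retry }}"
+  delay: "{{ _delay }}"
+  until: grafana.stdout == "3"
+- name: Check Grafana is running
+  command: >
+    oc rollout status Deployment/grafana-deployment --watch=true -n "{{ _namespace }}"
+- name: Get Grafana route host
+  command: >
+    oc get route/grafana-route -o jsonpath='{.spec.host}' -n "{{ _namespace }}"
+  register: grafana_route
+  retries: "{{ _retry }}"
+  delay: "{{ _delay }}"
+  until: grafana_route.stdout != ""
+- name: Wait for Grafana route to respond with 200
+  uri:
+    url: "https://{{ grafana_route.stdout }}"
+    method: GET
+    validate_certs: false
+    follow_redirects: yes
+  register: grafanaresult
+  retries: "{{ _retry }}"
+  delay: "{{ _delay }}"
+  until: grafanaresult.status == 200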
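Review bot: `validate_certs: false` on the route probe means a 200 is accepted from any endpoint that answers for that hostname, so the task confirms reachability but not that the route presents a certificate the control host trusts. If the workshop clusters use a self-signed router CA, trust that CA on the control host or drive the setting from a role default that verifies unless a deployer turns it off, and say why in a comment. `follow_redirects: yes` is read as a YAML boolean; the string form `follow_redirects: all` states the intent explicitly. The Prometheus probe in workload_per_project_prometheus.yml has the same two settings.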
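--- /dev/null
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/tasks/workload_per_project_prometheus.yml
@@ -0,0 +1,23 @@
+---
+- name: Check Prometheus is running
+  command: >
+    oc rollout status StatefulSet/prometheus-prom --watch=true -n "{{ _namespace }}"
+- name: Get Prometheus route host
+  command: >
+    oc get route/prometheus-prom -o jsonpath='{.spec.host}' -n "{{ _namespace }}"
+  register: prom_route
+  retries: "{{ _retry }}"
+  delay: "{{ _delay }}"
+  until: prom_route.stdout != ""
+- name: Wait for Prometheus route to respond with 200
+  uri:
+    url: "https://{{ prom_route.stdout }}"
+    method: GET
+    validate_certs: false
+    follow_redirects: yes
+  register: promresult
+  retries: "{{ _retry }}"
+  delay: "{{ _delay }}"
+  until: promresult.status == 200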
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop-verification/tasks/workload_project.yml
@@ -6,5 +6,20 @@
- name: Check user{{ user_num }} can login
  command: "oc login --username=user{{ user_num }} --password={{ _user_login_password }} {{ ocwhoami.stdout }} -n {{ _namespace }} --insecure-skip-tls-verify=true --config={{ tmp_dir }}.kube/{{ _namespace }}-config"
- name: Check Fuse workload is running
  command: "oc rollout status DeploymentConfig/pam-fraudmanagement-fuse --watch=true -n {{ _namespace }} --config={{ tmp_dir }}.kube/{{ _namespace }}-config"
- name: AMQ Streams for {{ _namespace }}
  include_tasks: workload_per_project_amqstreams.yml
- name: DataGrid for {{ _namespace }}
  include_tasks: workload_per_project_datagrid.yml
- name: Business Automation for {{ _namespace }}
  include_tasks: workload_per_project_businessautomation.yml
- name: Prometheus for {{ _namespace }}
  include_tasks: workload_per_project_prometheus.yml
- name: Grafana for {{ _namespace }}
  include_tasks: workload_per_project_grafana.yml
- name: Fuse workdload for {{ _namespace }}
  include_tasks: workload_per_project_fuseworkload.yml
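Review bot: The `oc login` task passes `--password={{ _user_login_password }}` on the command line with no `no_log: true`, so the password appears in Ansible's task output and in the control host's process list while the command runs; it also sets `--insecure-skip-tls-verify=true`. Which lines of this hunk the commit adds is not recoverable from the page, so that task may be context, but adding `no_log: true` to it is the minimum. The kubeconfig it writes lands under `{{ tmp_dir }}.kube/`, which with the role default resolves to a fixed path under /tmp; creating that directory with mode `"0700"` would keep the stored token private (the directory creation is outside this hunk). The task name `Fuse workdload for {{ _namespace }}` has a typo and should read `Fuse workload`.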
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/businessautomation/operator/crd.yml
New file
@@ -0,0 +1,1716 @@
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: kieapps.app.kiegroup.org
spec:
  group: app.kiegroup.org
  version: v2
  names:
    plural: kieapps
    singular: kieapp
    kind: KieApp
    listKind: KieAppList
  scope: Namespaced
  versions:
    - name: v2
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          required:
            - spec
          properties:
            apiVersion:
              description: >-
                APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the
                latest internal value, and may reject unrecognized values. More
                info:
                https://git.k8s.io/community/contributors/devel/api-conventions.md#resources
              type: string
            kind:
              description: >-
                Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the
                client submits requests to. Cannot be updated. In CamelCase.
                More info:
                https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              type: object
              required:
                - environment
              properties:
                auth:
                  description: Authentication integration configuration
                  type: object
                  properties:
                    ldap:
                      description: LDAP integration configuration
                      type: object
                      required:
                        - url
                      properties:
                        baseCtxDN:
                          description: >-
                            LDAP Base DN of the top-level context to begin the
                            user search.
                          type: string
                        roleAttributeID:
                          description: Name of the attribute containing the user roles.
                          type: string
                        usernameBeginString:
                          description: >-
                            Defines the String which is to be removed from the
                            start of the DN to reveal the username. This option
                            is used together with usernameEndString and only
                            taken into account if parseUsername is set to true.
                          type: string
                        searchTimeLimit:
                          description: >-
                            The timeout in milliseconds for user or role
                            searches.
                          type: integer
                          format: int32
                        bindDN:
                          description: Bind DN used for authentication
                          type: string
                        parseRoleNameFromDN:
                          description: >-
                            A flag indicating if the DN returned by a query
                            contains the roleNameAttributeID. If set to true,
                            the DN is checked for the roleNameAttributeID. If
                            set to false, the DN is not checked for the
                            roleNameAttributeID. This flag can improve the
                            performance of LDAP queries.
                          type: boolean
                        parseUsername:
                          description: >-
                            A flag indicating if the DN is to be parsed for the
                            username. If set to true, the DN is parsed for the
                            username. If set to false the DN is not parsed for
                            the username. This option is used together with
                            usernameBeginString and usernameEndString.
                          type: boolean
                        baseFilter:
                          description: >-
                            DAP search filter used to locate the context of the
                            user to authenticate. The input username or userDN
                            obtained from the login module callback is
                            substituted into the filter anywhere a {0}
                            expression is used. A common example for the search
                            filter is (uid={0}).
                          type: string
                        searchScope:
                          description: The search scope to use.
                          type: string
                          enum:
                            - SUBTREE_SCOPE
                            - OBJECT_SCOPE
                            - ONELEVEL_SCOPE
                        roleRecursion:
                          description: >-
                            The number of levels of recursion the role search
                            will go below a matching context. Disable recursion
                            by setting this to 0.
                          type: integer
                          format: int16
                        jaasSecurityDomain:
                          description: >-
                            The JMX ObjectName of the JaasSecurityDomain used to
                            decrypt the password.
                          type: string
                        distinguishedNameAttribute:
                          description: >-
                            The name of the attribute in the user entry that
                            contains the DN of the user. This may be necessary
                            if the DN of the user itself contains special
                            characters, backslash for example, that prevent
                            correct user mapping. If the attribute does not
                            exist, the entry’s DN is used.
                          type: string
                        roleFilter:
                          description: >-
                            A search filter used to locate the roles associated
                            with the authenticated user. The input username or
                            userDN obtained from the login module callback is
                            substituted into the filter anywhere a {0}
                            expression is used. The authenticated userDN is
                            substituted into the filter anywhere a {1} is used.
                            An example search filter that matches on the input
                            username is (member={0}). An alternative that
                            matches on the authenticated userDN is (member={1}).
                          type: string
                        url:
                          description: LDAP Endpoint to connect for authentication
                          type: string
                        rolesCtxDN:
                          description: >-
                            The fixed DN of the context to search for user
                            roles. This is not the DN where the actual roles
                            are, but the DN where the objects containing the
                            user roles are. For example, in a Microsoft Active
                            Directory server, this is the DN where the user
                            account is.
                          type: string
                        bindCredential:
                          description: LDAP Credentials used for authentication
                          type: string
                          format: password
                        usernameEndString:
                          description: >-
                            Defines the String which is to be removed from the
                            end of the DN to reveal the username. This option is
                            used together with usernameBeginString and only
                            taken into account if parseUsername is set to true.
                          type: string
                        roleNameAttributeID:
                          description: >-
                            Name of the attribute within the roleCtxDN context
                            which contains the role name. If the
                            roleAttributeIsDN property is set to true, this
                            property is used to find the role object’s name
                            attribute.
                          type: string
                        defaultRole:
                          description: A role included for all authenticated users
                          type: string
                        roleAttributeIsDN:
                          description: >-
                            Whether or not the roleAttributeID contains the
                            fully-qualified DN of a role object. If false, the
                            role name is taken from the value of the
                            roleNameAttributeId attribute of the context name.
                            Certain directory schemas, such as Microsoft Active
                            Directory, require this attribute to be set to true.
                          type: boolean
                        referralUserAttributeIDToCheck:
                          description: >-
                            If you are not using referrals, you can ignore this
                            option. When using referrals, this option denotes
                            the attribute name which contains users defined for
                            a certain role, for example member, if the role
                            object is inside the referral. Users are checked
                            against the content of this attribute name. If this
                            option is not set, the check will always fail, so
                            role objects cannot be stored in a referral tree.
                          type: string
                    roleMapper:
                      description: >-
                        When present, the RoleMapping Login Module will be
                        configured.
                      type: object
                      required:
                        - rolesProperties
                      properties:
                        from:
                          description: >-
                            The reference to a namespaced object containing the
                            roleMapping file. The object must exist beforehand.
                          type: object
                          required:
                            - kind
                            - name
                          properties:
                            kind:
                              description: Namespaced object kind
                              type: string
                              enum:
                                - ConfigMap
                                - Secret
                            name:
                              description: Namespaced object name
                              type: string
                        replaceRole:
                          description: >-
                            Whether to add to the current roles, or replace the
                            current roles with the mapped ones. Replaces if set
                            to true.
                          type: boolean
                        rolesProperties:
                          description: >-
                            The RoleMapping Login Module will be configured to
                            use the provided file. This property defines the
                            fully-qualified file path and name of a properties
                            file or resource which maps roles to replacement
                            roles. The format is original_role=role1,role2,role3
                          type: string
                    sso:
                      description: RH-SSO integration configuration
                      type: object
                      required:
                        - url
                        - realm
                      properties:
                        adminPassword:
                          description: >-
                            RH-SSO Realm Admin Password used to create the
                            Client
                          type: string
                          format: password
                        adminUser:
                          description: >-
                            RH-SSO Realm Admin Username used to create the
                            Client if it doesn't exist
                          type: string
                        disableSSLCertValidation:
                          description: RH-SSO Disable SSL Certificate Validation
                          type: boolean
                        principalAttribute:
                          description: RH-SSO Principal Attribute to use as username
                          type: string
                        realm:
                          description: RH-SSO Realm name
                          type: string
                        url:
                          description: RH-SSO URL
                          type: string
                commonConfig:
                  description: Configuration of the RHPAM components
                  type: object
                  properties:
                    amqPassword:
                      description: The password to use for amq user.
                      type: string
                    mavenPassword:
                      description: The password to use for the mavenUser.
                      type: string
                    adminPassword:
                      description: The password to use for the adminUser.
                      type: string
                    amqClusterPassword:
                      description: The password to use for amq cluster user.
                      type: string
                    controllerPassword:
                      description: The password to use for the controllerUser.
                      type: string
                    dbPassword:
                      description: The password to use for databases.
                      type: string
                    adminUser:
                      description: The user to use for the admin.
                      type: string
                    applicationName:
                      description: The name of the application deployment.
                      type: string
                    keyStorePassword:
                      description: The password to use for keystore generation.
                      type: string
                    serverPassword:
                      description: The password to use for the executionUser.
                      type: string
                    imageTag:
                      description: The tag to use for the application images.
                      type: string
                environment:
                  description: The name of the environment used as a baseline
                  type: string
                  enum:
                    - rhdm-authoring-ha
                    - rhdm-authoring
                    - rhdm-production-immutable
                    - rhdm-trial
                    - rhpam-authoring-ha
                    - rhpam-authoring
                    - rhpam-production-immutable
                    - rhpam-production
                    - rhpam-trial
                imageRegistry:
                  description: >-
                    If required imagestreams are missing in both the 'openshift'
                    and local namespaces, the operator will create said
                    imagestreams locally using the registry specified here.
                  type: object
                  properties:
                    insecure:
                      description: >-
                        A flag used to indicate the specified registry is
                        insecure. Defaults to 'false'.
                      type: boolean
                    registry:
                      description: >-
                        Image registry's base 'url:port'. e.g.
                        registry.example.com:5000. Defaults to
                        'registry.redhat.io'.
                      type: string
                objects:
                  description: Configuration of the RHPAM components
                  type: object
                  properties:
                    console:
                      description: Configuration of the RHPAM workbench
                      type: object
                      properties:
                        env:
                          type: array
                          items:
                            type: object
                            required:
                              - name
                            oneOf:
                              - required:
                                  - value
                              - required:
                                  - valueFrom
                            properties:
                              name:
                                description: Name of an environment variable
                                type: string
                              value:
                                description: Value for that environment variable
                                type: string
                              valueFrom:
                                description: Source for the environment variable's value
                                type: object
                        gitHooks:
                          description: GitHooks configuration object
                          type: object
                          properties:
                            from:
                              description: >-
                                Object reference containing the GitHooks in case
                                they are not included in the base image.
                              type: object
                              required:
                                - kind
                                - name
                              properties:
                                kind:
                                  description: Reference Kind for the GitHooks
                                  type: string
                                  enum:
                                    - ConfigMap
                                    - Secret
                                    - PersistentVolumeClaim
                                name:
                                  description: Reference object Name for the GitHooks
                                  type: string
                            mountPath:
                              description: >-
                                Absolute path where the gitHooks folder will be
                                mounted.
                              type: string
                        image:
                          description: The image to use for console.
                          type: string
                        imageTag:
                          description: The image tag to use for console.
                          type: string
                        keystoreSecret:
                          description: Keystore secret name
                          type: string
                        replicas:
                          description: Replicas to set for the DeploymentConfig
                          type: integer
                          format: int32
                        resources:
                          type: object
                          properties:
                            limits:
                              type: object
                            requests:
                              type: object
                        ssoClient:
                          description: >-
                            Client definitions used for creating the RH-SSO
                            clients in the specified Realm
                          type: object
                          properties:
                            hostnameHTTP:
                              description: Hostname to set as redirect URL
                              type: string
                            hostnameHTTPS:
                              description: Secure hostname to set as redirect URL
                              type: string
                            name:
                              description: Client name
                              type: string
                            secret:
                              description: Client secret
                              type: string
                              format: password
                    servers:
                      description: Configuration of the each individual KIE server
                      type: array
                      minItems: 1
                      items:
                        description: KIE Server configuration
                        type: object
                        properties:
                          resources:
                            type: object
                            properties:
                              limits:
                                type: object
                              requests:
                                type: object
                          from:
                            description: Image definition to use for all the servers
                            type: object
                            required:
                              - kind
                              - name
                            properties:
                              kind:
                                description: Object kind
                                type: string
                                enum:
                                  - ImageStreamTag
                                  - DockerImage
                              name:
                                description: Object name
                                type: string
                              namespace:
                                description: Namespace where the object is located
                                type: string
                          name:
                            description: Server name
                            type: string
                          env:
                            type: array
                            items:
                              type: object
                              required:
                                - name
                              oneOf:
                                - required:
                                    - value
                                - required:
                                    - valueFrom
                              properties:
                                name:
                                  description: Name of an environment variable
                                  type: string
                                value:
                                  description: Value for that environment variable
                                  type: string
                                valueFrom:
                                  description: Source for the environment variable's value
                                  type: object
                          deployments:
                            description: Number of Server sets that will be deployed
                            type: integer
                            format: int
                          build:
                            description: >-
                              Configuration of build configs for immutable KIE
                              servers
                            type: object
                            required:
                              - kieServerContainerDeployment
                              - gitSource
                            properties:
                              artifactDir:
                                description: >-
                                  List of directories from which archives will
                                  be copied into the deployment folder. If
                                  unspecified, all archives in /target will be
                                  copied.
                                type: string
                              from:
                                description: Image definition to use for all the servers
                                type: object
                                required:
                                  - kind
                                  - name
                                properties:
                                  kind:
                                    description: Object kind. e.g. ImageStreamTag
                                    type: string
                                    enum:
                                      - ImageStreamTag
                                      - DockerImage
                                  name:
                                    description: Object name
                                    type: string
                                  namespace:
                                    description: Namespace where the object is located
                                    type: string
                              gitSource:
                                type: object
                                required:
                                  - uri
                                  - reference
                                properties:
                                  contextDir:
                                    description: >-
                                      Context/subdirectory where the code is
                                      located, relatively to repo root
                                    type: string
                                  reference:
                                    description: Branch to use in the git repository
                                    type: string
                                  uri:
                                    description: Git URI for the s2i source
                                    type: string
                              kieServerContainerDeployment:
                                description: >-
                                  The Maven GAV to deploy, e.g.,
                                  rhpam-kieserver-library=org.openshift.quickstarts:rhpam-kieserver-library:1.5.0-SNAPSHOT
                                type: string
                              mavenMirrorURL:
                                description: Maven mirror to use for S2I builds
                                type: string
                              webhooks:
                                type: array
                                minItems: 1
                                items:
                                  description: WebHook secretes for build configs
                                  type: object
                                  required:
                                    - type
                                    - secret
                                  properties:
                                    secret:
                                      description: Secret value for webhook
                                      type: string
                                    type:
                                      description: 'WebHook type, either GitHub or Generic'
                                      type: string
                                      enum:
                                        - GitHub
                                        - Generic
                          jms:
                            description: Configuration for JMS integration with KIE Server.
                            type: object
                            required:
                              - enableIntegration
                            properties:
                              amqSecretName:
                                description: >-
                                  The name of a secret containing AMQ SSL
                                  related files.
                                type: string
                              amqKeystorePassword:
                                description: >-
                                  The password for the AMQ keystore and
                                  certificate.
                                type: string
                              queueExecutor:
                                description: >-
                                  JNDI name of executor queue for JMS, example
                                  queue/CUSTOM.KIE.SERVER.EXECUTOR, default is
                                  queue/KIE.SERVER.EXECUTOR.
                                type: string
                              auditTransacted:
                                description: >-
                                  Determines if JMS session is transacted or not
                                  - default true.
                                type: boolean
                              amqEnableSSL:
                                description: >-
                                  Not intended to be set by the user, if will be
                                  set to true if all required SSL parameters are
                                  set.
                                type: boolean
                              amqQueues:
                                description: >-
                                  AMQ broker broker comma separated queues, if
                                  empty the values from default queues will be
                                  used.
                                type: string
                              amqTruststorePassword:
                                description: The password for the AMQ Trust Store.
                                type: string
                              queueAudit:
                                description: >-
                                  JNDI name of audit logging queue for JMS,
                                  example queue/CUSTOM.KIE.SERVER.AUDIT, default
                                  is queue/KIE.SERVER.AUDIT.
                                type: string
                              enableSignal:
                                description: >-
                                  Enable the Signal configuration through JMS.
                                  Default is false.
                                type: boolean
                              enableIntegration:
                                description: >-
                                  When set to true will configure the KIE Server
                                  with JMS integration, if no configuration is
                                  added, the default will be used.
                                type: boolean
                              queueResponse:
                                description: >-
                                  JNDI name of response queue for JMS, example
                                  queue/CUSTOM.KIE.SERVER.RESPONSE, default is
                                  queue/KIE.SERVER.RESPONSE.
                                type: string
                              amqKeystoreName:
                                description: The name of the AMQ keystore file.
                                type: string
                              executor:
                                description: >-
                                  Set false to disable the JMS executor, it is
                                  enabled by default.
                                type: boolean
                              username:
                                description: >-
                                  AMQ broker username to connect do the AMQ,
                                  generated if empty.
                                type: string
                              enableAudit:
                                description: >-
                                  Enable the Audit logging through JMS. Default
                                  is false.
                                type: boolean
                              amqTruststoreName:
                                description: The name of the AMQ SSL Trust Store file.
                                type: string
                              queueSignal:
                                description: >-
                                  JNDI name of signal queue for JMS, example
                                  queue/CUSTOM.KIE.SERVER.SIGNAL, default is
                                  queue/KIE.SERVER.SIGNAL.
                                type: string
                              password:
                                description: >-
                                  AMQ broker password to connect do the AMQ,
                                  generated if empty.
                                type: string
                              executorTransacted:
                                description: >-
                                  Enable transactions for JMS executor, disabled
                                  by default.
                                type: boolean
                              queueRequest:
                                description: >-
                                  JNDI name of request queue for JMS, example
                                  queue/CUSTOM.KIE.SERVER.REQUEST, default is
                                  queue/KIE.SERVER.REQUEST.
                                type: string
                          keystoreSecret:
                            description: Keystore secret name
                            type: string
                          ssoClient:
                            description: >-
                              Client definitions used for creating the RH-SSO
                              clients in the specified Realm
                            type: object
                            properties:
                              hostnameHTTP:
                                description: Hostname to set as redirect URL
                                type: string
                              hostnameHTTPS:
                                description: Secure hostname to set as redirect URL
                                type: string
                              name:
                                description: Client name
                                type: string
                              secret:
                                description: Client secret
                                type: string
                                format: password
                          id:
                            description: Server ID
                            type: string
                          image:
                            description: The image to use for server.
                            type: string
                          database:
                            type: object
                            required:
                              - type
                            properties:
                              externalConfig:
                                description: External Database configuration
                                type: object
                                required:
                                  - driver
                                  - dialect
                                  - username
                                  - password
                                oneOf:
                                  - required:
                                      - name
                                      - host
                                  - required:
                                      - jdbcURL
                                properties:
                                  port:
                                    description: 'Database Port. For example, 3306'
                                    type: string
                                  maxPoolSize:
                                    description: >-
                                      Sets xa-pool/max-pool-size for the
                                      configured datasource.
                                    type: string
                                  dialect:
                                    description: >-
                                      Hibernate dialect class to use. For
                                      example,
                                      org.hibernate.dialect.MySQL57Dialect
                                    type: string
                                  backgroundValidation:
                                    description: >-
                                      Sets the sql validation method to
                                      background-validation, if set to false the
                                      validate-on-match method will be used.
                                    type: string
                                  driver:
                                    description: 'Driver name to use. For example, mysql'
                                    type: string
                                  host:
                                    description: >-
                                      Database Host. For example,
                                      mydb.example.com
                                    type: string
                                  name:
                                    description: 'Database Name. For example, rhpam'
                                    type: string
                                  backgroundValidationMillis:
                                    description: >-
                                      Defines the interval for the
                                      background-validation check for the jdbc
                                      connections.
                                    type: string
                                  minPoolSize:
                                    description: >-
                                      Sets xa-pool/min-pool-size for the
                                      configured datasource.
                                    type: string
                                  jdbcURL:
                                    description: >-
                                      Database JDBC URL. For example,
                                      jdbc:mysql:mydb.example.com:3306/rhpam
                                    type: string
                                  username:
                                    description: External database username
                                    type: string
                                  nonXA:
                                    description: >-
                                      Sets the datasources type. It can be XA or
                                      NONXA. For non XA set it to true. Default
                                      value is false.
                                    type: string
                                  connectionChecker:
                                    description: >-
                                      An
                                      org.jboss.jca.adapters.jdbc.ValidConnectionChecker
                                      that provides a SQLException
                                      isValidConnection(Connection e) method to
                                      validate if a connection is valid.
                                    type: string
                                  exceptionSorter:
                                    description: >-
                                      An
                                      org.jboss.jca.adapters.jdbc.ExceptionSorter
                                      that provides a boolean
                                      isExceptionFatal(SQLException e) method to
                                      validate if an exception should be
                                      broadcast to all
                                      javax.resource.spi.ConnectionEventListener
                                      as a connectionErrorOccurred.
                                    type: string
                                  password:
                                    description: External database password
                                    type: string
                              size:
                                description: >-
                                  Size of the PersistentVolumeClaim to create.
                                  For example, 100Gi
                                type: string
                              type:
                                description: Database type to use
                                type: string
                                enum:
                                  - mysql
                                  - postgresql
                                  - external
                                  - h2
                          replicas:
                            description: Replicas to set for the DeploymentConfig
                            type: integer
                            format: int32
                          imageTag:
                            description: The image tag to use for server.
                            type: string
                    smartRouter:
                      description: Configuration of the RHPAM smart router
                      type: object
                      properties:
                        env:
                          type: array
                          items:
                            type: object
                            required:
                              - name
                            oneOf:
                              - required:
                                  - value
                              - required:
                                  - valueFrom
                            properties:
                              name:
                                description: Name of an environment variable
                                type: string
                              value:
                                description: Value for that environment variable
                                type: string
                              valueFrom:
                                description: Source for the environment variable's value
                                type: object
                        image:
                          description: The image to use for smart router.
                          type: string
                        imageTag:
                          description: The image tag to use for smart router.
                          type: string
                        keystoreSecret:
                          description: Keystore secret name
                          type: string
                        protocol:
                          description: >-
                            Smart Router protocol, if no value is provided, http
                            is the default protocol.
                          type: string
                          enum:
                            - http
                            - https
                        replicas:
                          description: Replicas to set for the DeploymentConfig
                          type: integer
                          format: int32
                        resources:
                          type: object
                          properties:
                            limits:
                              type: object
                            requests:
                              type: object
                        useExternalRoute:
                          description: >-
                            If enabled, Busineses Central will use the external
                            smartrouter route to communicate with it. Note that,
                            valid SSL certificates should be used.
                          type: boolean
                upgrades:
                  description: >-
                    Specify the level of upgrade that should be allowed when an
                    older product version is detected
                  type: object
                  properties:
                    enabled:
                      description: >-
                        Set true to enable automatic micro version product
                        upgrades, it is disabled by default.
                      type: boolean
                    minor:
                      description: >-
                        Set true to enable automatic minor product version
                        upgrades, it is disabled by default. Requires
                        spec.upgrades.enabled to be true.
                      type: boolean
                version:
                  description: The version of the application deployment.
                  type: string
            status:
              type: object
    - name: v1
      served: true
      storage: false
      schema:
        openAPIV3Schema:
          required:
            - spec
          properties:
            apiVersion:
              description: >-
                APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the
                latest internal value, and may reject unrecognized values. More
                info:
                https://git.k8s.io/community/contributors/devel/api-conventions.md#resources
              type: string
            kind:
              description: >-
                Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the
                client submits requests to. Cannot be updated. In CamelCase.
                More info:
                https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              type: object
              required:
                - environment
              properties:
                auth:
                  description: Authentication integration configuration
                  type: object
                  properties:
                    ldap:
                      description: LDAP integration configuration
                      type: object
                      required:
                        - url
                      properties:
                        baseCtxDN:
                          description: >-
                            LDAP Base DN of the top-level context to begin the
                            user search.
                          type: string
                        roleAttributeID:
                          description: Name of the attribute containing the user roles.
                          type: string
                        usernameBeginString:
                          description: >-
                            Defines the String which is to be removed from the
                            start of the DN to reveal the username. This option
                            is used together with usernameEndString and only
                            taken into account if parseUsername is set to true.
                          type: string
                        searchTimeLimit:
                          description: >-
                            The timeout in milliseconds for user or role
                            searches.
                          type: integer
                          format: int32
                        bindDN:
                          description: Bind DN used for authentication
                          type: string
                        parseRoleNameFromDN:
                          description: >-
                            A flag indicating if the DN returned by a query
                            contains the roleNameAttributeID. If set to true,
                            the DN is checked for the roleNameAttributeID. If
                            set to false, the DN is not checked for the
                            roleNameAttributeID. This flag can improve the
                            performance of LDAP queries.
                          type: boolean
                        parseUsername:
                          description: >-
                            A flag indicating if the DN is to be parsed for the
                            username. If set to true, the DN is parsed for the
                            username. If set to false the DN is not parsed for
                            the username. This option is used together with
                            usernameBeginString and usernameEndString.
                          type: boolean
                        baseFilter:
                          description: >-
                            DAP search filter used to locate the context of the
                            user to authenticate. The input username or userDN
                            obtained from the login module callback is
                            substituted into the filter anywhere a {0}
                            expression is used. A common example for the search
                            filter is (uid={0}).
                          type: string
                        searchScope:
                          description: The search scope to use.
                          type: string
                          enum:
                            - SUBTREE_SCOPE
                            - OBJECT_SCOPE
                            - ONELEVEL_SCOPE
                        roleRecursion:
                          description: >-
                            The number of levels of recursion the role search
                            will go below a matching context. Disable recursion
                            by setting this to 0.
                          type: integer
                          format: int16
                        jaasSecurityDomain:
                          description: >-
                            The JMX ObjectName of the JaasSecurityDomain used to
                            decrypt the password.
                          type: string
                        distinguishedNameAttribute:
                          description: >-
                            The name of the attribute in the user entry that
                            contains the DN of the user. This may be necessary
                            if the DN of the user itself contains special
                            characters, backslash for example, that prevent
                            correct user mapping. If the attribute does not
                            exist, the entry’s DN is used.
                          type: string
                        roleFilter:
                          description: >-
                            A search filter used to locate the roles associated
                            with the authenticated user. The input username or
                            userDN obtained from the login module callback is
                            substituted into the filter anywhere a {0}
                            expression is used. The authenticated userDN is
                            substituted into the filter anywhere a {1} is used.
                            An example search filter that matches on the input
                            username is (member={0}). An alternative that
                            matches on the authenticated userDN is (member={1}).
                          type: string
                        url:
                          description: LDAP Endpoint to connect for authentication
                          type: string
                        rolesCtxDN:
                          description: >-
                            The fixed DN of the context to search for user
                            roles. This is not the DN where the actual roles
                            are, but the DN where the objects containing the
                            user roles are. For example, in a Microsoft Active
                            Directory server, this is the DN where the user
                            account is.
                          type: string
                        bindCredential:
                          description: LDAP Credentials used for authentication
                          type: string
                          format: password
                        usernameEndString:
                          description: >-
                            Defines the String which is to be removed from the
                            end of the DN to reveal the username. This option is
                            used together with usernameBeginString and only
                            taken into account if parseUsername is set to true.
                          type: string
                        roleNameAttributeID:
                          description: >-
                            Name of the attribute within the roleCtxDN context
                            which contains the role name. If the
                            roleAttributeIsDN property is set to true, this
                            property is used to find the role object’s name
                            attribute.
                          type: string
                        defaultRole:
                          description: A role included for all authenticated users
                          type: string
                        roleAttributeIsDN:
                          description: >-
                            Whether or not the roleAttributeID contains the
                            fully-qualified DN of a role object. If false, the
                            role name is taken from the value of the
                            roleNameAttributeId attribute of the context name.
                            Certain directory schemas, such as Microsoft Active
                            Directory, require this attribute to be set to true.
                          type: boolean
                        referralUserAttributeIDToCheck:
                          description: >-
                            If you are not using referrals, you can ignore this
                            option. When using referrals, this option denotes
                            the attribute name which contains users defined for
                            a certain role, for example member, if the role
                            object is inside the referral. Users are checked
                            against the content of this attribute name. If this
                            option is not set, the check will always fail, so
                            role objects cannot be stored in a referral tree.
                          type: string
                    roleMapper:
                      description: RoleMapper configuration
                      type: object
                      required:
                        - rolesProperties
                      properties:
                        replaceRole:
                          description: >-
                            Whether to add to the current roles, or replace the
                            current roles with the mapped ones. Replaces if set
                            to true.
                          type: boolean
                        rolesProperties:
                          description: >-
                            When present, the RoleMapping Login Module will be
                            configured to use the provided file. This property
                            defines the fully-qualified file path and name of a
                            properties file or resource which maps roles to
                            replacement roles. The format is
                            original_role=role1,role2,role3
                          type: string
                    sso:
                      description: RH-SSO integration configuration
                      type: object
                      required:
                        - url
                        - realm
                      properties:
                        adminPassword:
                          description: >-
                            RH-SSO Realm Admin Password used to create the
                            Client
                          type: string
                          format: password
                        adminUser:
                          description: >-
                            RH-SSO Realm Admin Username used to create the
                            Client if it doesn't exist
                          type: string
                        disableSSLCertValidation:
                          description: RH-SSO Disable SSL Certificate Validation
                          type: boolean
                        principalAttribute:
                          description: RH-SSO Principal Attribute to use as username
                          type: string
                        realm:
                          description: RH-SSO Realm name
                          type: string
                        url:
                          description: RH-SSO URL
                          type: string
                commonConfig:
                  description: Configuration of the RHPAM components
                  type: object
                  properties:
                    amqPassword:
                      description: The password to use for amq user.
                      type: string
                    mavenPassword:
                      description: The password to use for the mavenUser.
                      type: string
                    adminPassword:
                      description: The password to use for the adminUser.
                      type: string
                    amqClusterPassword:
                      description: The password to use for amq cluster user.
                      type: string
                    controllerPassword:
                      description: The password to use for the controllerUser.
                      type: string
                    version:
                      description: The version of the application deployment.
                      type: string
                    dbPassword:
                      description: The password to use for databases.
                      type: string
                    adminUser:
                      description: The user to use for the admin.
                      type: string
                    applicationName:
                      description: The name of the application deployment.
                      type: string
                    keyStorePassword:
                      description: The password to use for keystore generation.
                      type: string
                    serverPassword:
                      description: The password to use for the executionUser.
                      type: string
                    imageTag:
                      description: The tag to use for the application images.
                      type: string
                environment:
                  description: The name of the environment used as a baseline
                  type: string
                  enum:
                    - rhdm-authoring-ha
                    - rhdm-authoring
                    - rhdm-production-immutable
                    - rhdm-trial
                    - rhpam-authoring-ha
                    - rhpam-authoring
                    - rhpam-production-immutable
                    - rhpam-production
                    - rhpam-trial
                imageRegistry:
                  description: >-
                    If required imagestreams are missing in both the 'openshift'
                    and local namespaces, the operator will create said
                    imagestreams locally using the registry specified here.
                  type: object
                  properties:
                    insecure:
                      description: >-
                        A flag used to indicate the specified registry is
                        insecure. Defaults to 'false'.
                      type: boolean
                    registry:
                      description: >-
                        Image registry's base 'url:port'. e.g.
                        registry.example.com:5000. Defaults to
                        'registry.redhat.io'.
                      type: string
                objects:
                  description: Configuration of the RHPAM components
                  type: object
                  properties:
                    console:
                      description: Configuration of the RHPAM workbench
                      type: object
                      properties:
                        env:
                          type: array
                          items:
                            type: object
                            required:
                              - name
                            oneOf:
                              - required:
                                  - value
                              - required:
                                  - valueFrom
                            properties:
                              name:
                                description: Name of an environment variable
                                type: string
                              value:
                                description: Value for that environment variable
                                type: string
                              valueFrom:
                                description: Source for the environment variable's value
                                type: object
                        keystoreSecret:
                          description: Keystore secret name
                          type: string
                        replicas:
                          description: Replicas to set for the DeploymentConfig
                          type: integer
                          format: int32
                        resources:
                          type: object
                          properties:
                            limits:
                              type: object
                            requests:
                              type: object
                        ssoClient:
                          description: >-
                            Client definitions used for creating the RH-SSO
                            clients in the specified Realm
                          type: object
                          properties:
                            hostnameHTTP:
                              description: Hostname to set as redirect URL
                              type: string
                            hostnameHTTPS:
                              description: Secure hostname to set as redirect URL
                              type: string
                            name:
                              description: Client name
                              type: string
                            secret:
                              description: Client secret
                              type: string
                              format: password
                    servers:
                      description: Configuration of the each individual KIE server
                      type: array
                      minItems: 1
                      items:
                        description: KIE Server configuration
                        type: object
                        properties:
                          resources:
                            type: object
                            properties:
                              limits:
                                type: object
                              requests:
                                type: object
                          from:
                            description: Image definition to use for all the servers
                            type: object
                            required:
                              - kind
                              - name
                            properties:
                              kind:
                                description: Object kind
                                type: string
                                enum:
                                  - ImageStreamTag
                                  - DockerImage
                              name:
                                description: Object name
                                type: string
                              namespace:
                                description: Namespace where the object is located
                                type: string
                          name:
                            description: Server name
                            type: string
                          env:
                            type: array
                            items:
                              type: object
                              required:
                                - name
                              oneOf:
                                - required:
                                    - value
                                - required:
                                    - valueFrom
                              properties:
                                name:
                                  description: Name of an environment variable
                                  type: string
                                value:
                                  description: Value for that environment variable
                                  type: string
                                valueFrom:
                                  description: Source for the environment variable's value
                                  type: object
                          deployments:
                            description: Number of Server sets that will be deployed
                            type: integer
                            format: int
                          build:
                            description: >-
                              Configuration of build configs for immutable KIE
                              servers
                            type: object
                            required:
                              - kieServerContainerDeployment
                              - gitSource
                            properties:
                              artifactDir:
                                description: >-
                                  List of directories from which archives will
                                  be copied into the deployment folder. If
                                  unspecified, all archives in /target will be
                                  copied.
                                type: string
                              from:
                                description: Image definition to use for all the servers
                                type: object
                                required:
                                  - kind
                                  - name
                                properties:
                                  kind:
                                    description: Object kind. e.g. ImageStreamTag
                                    type: string
                                    enum:
                                      - ImageStreamTag
                                      - DockerImage
                                  name:
                                    description: Object name
                                    type: string
                                  namespace:
                                    description: Namespace where the object is located
                                    type: string
                              gitSource:
                                type: object
                                required:
                                  - uri
                                  - reference
                                properties:
                                  contextDir:
                                    description: >-
                                      Context/subdirectory where the code is
                                      located, relatively to repo root
                                    type: string
                                  reference:
                                    description: Branch to use in the git repository
                                    type: string
                                  uri:
                                    description: Git URI for the s2i source
                                    type: string
                              kieServerContainerDeployment:
                                description: >-
                                  The Maven GAV to deploy, e.g.,
                                  rhpam-kieserver-library=org.openshift.quickstarts:rhpam-kieserver-library:1.5.0-SNAPSHOT
                                type: string
                              mavenMirrorURL:
                                description: Maven mirror to use for S2I builds
                                type: string
                              webhooks:
                                type: array
                                minItems: 1
                                items:
                                  description: WebHook secretes for build configs
                                  type: object
                                  required:
                                    - type
                                    - secret
                                  properties:
                                    secret:
                                      description: Secret value for webhook
                                      type: string
                                    type:
                                      description: 'WebHook type, either GitHub or Generic'
                                      type: string
                                      enum:
                                        - GitHub
                                        - Generic
                          jms:
                            description: Configuration for JMS integration with KIE Server.
                            type: object
                            required:
                              - enableIntegration
                            properties:
                              queueExecutor:
                                description: >-
                                  JNDI name of executor queue for JMS, example
                                  queue/CUSTOM.KIE.SERVER.EXECUTOR, default is
                                  queue/KIE.SERVER.EXECUTOR.
                                type: string
                              auditTransacted:
                                description: >-
                                  Determines if JMS session is transacted or not
                                  - default true.
                                type: boolean
                              amqQueues:
                                description: >-
                                  AMQ broker broker comma separated queues, if
                                  empty the values from default queues will be
                                  used.
                                type: string
                              queueAudit:
                                description: >-
                                  JNDI name of audit logging queue for JMS,
                                  example queue/CUSTOM.KIE.SERVER.AUDIT, default
                                  is queue/KIE.SERVER.AUDIT.
                                type: string
                              enableSignal:
                                description: >-
                                  Enable the Signal configuration through JMS.
                                  Default is false.
                                type: boolean
                              enableIntegration:
                                description: >-
                                  When set to true will configure the KIE Server
                                  with JMS integration, if no configuration is
                                  added, the default will be used.
                                type: boolean
                              queueResponse:
                                description: >-
                                  JNDI name of response queue for JMS, example
                                  queue/CUSTOM.KIE.SERVER.RESPONSE, default is
                                  queue/KIE.SERVER.RESPONSE.
                                type: string
                              executor:
                                description: >-
                                  Set false to disable the JMS executor, it is
                                  enabled by default.
                                type: boolean
                              username:
                                description: >-
                                  AMQ broker username to connect do the AMQ,
                                  generated if empty.
                                type: string
                              enableAudit:
                                description: >-
                                  Enable the Audit logging through JMS. Default
                                  is false.
                                type: boolean
                              queueSignal:
                                description: >-
                                  JNDI name of signal queue for JMS, example
                                  queue/CUSTOM.KIE.SERVER.SIGNAL, default is
                                  queue/KIE.SERVER.SIGNAL.
                                type: string
                              password:
                                description: >-
                                  AMQ broker password to connect do the AMQ,
                                  generated if empty.
                                type: string
                              executorTransacted:
                                description: >-
                                  Enable transactions for JMS executor, disabled
                                  by default.
                                type: boolean
                              queueRequest:
                                description: >-
                                  JNDI name of request queue for JMS, example
                                  queue/CUSTOM.KIE.SERVER.REQUEST, default is
                                  queue/KIE.SERVER.REQUEST.
                                type: string
                          keystoreSecret:
                            description: Keystore secret name
                            type: string
                          ssoClient:
                            description: >-
                              Client definitions used for creating the RH-SSO
                              clients in the specified Realm
                            type: object
                            properties:
                              hostnameHTTP:
                                description: Hostname to set as redirect URL
                                type: string
                              hostnameHTTPS:
                                description: Secure hostname to set as redirect URL
                                type: string
                              name:
                                description: Client name
                                type: string
                              secret:
                                description: Client secret
                                type: string
                                format: password
                          id:
                            description: Server ID
                            type: string
                          database:
                            type: object
                            required:
                              - type
                            properties:
                              externalConfig:
                                description: External Database configuration
                                type: object
                                required:
                                  - driver
                                  - dialect
                                  - username
                                  - password
                                oneOf:
                                  - required:
                                      - name
                                      - host
                                  - required:
                                      - jdbcURL
                                properties:
                                  port:
                                    description: 'Database Port. For example, 3306'
                                    type: string
                                  maxPoolSize:
                                    description: >-
                                      Sets xa-pool/max-pool-size for the
                                      configured datasource.
                                    type: string
                                  dialect:
                                    description: >-
                                      Hibernate dialect class to use. For
                                      example,
                                      org.hibernate.dialect.MySQL57Dialect
                                    type: string
                                  backgroundValidation:
                                    description: >-
                                      Sets the sql validation method to
                                      background-validation, if set to false the
                                      validate-on-match method will be used.
                                    type: string
                                  driver:
                                    description: 'Driver name to use. For example, mysql'
                                    type: string
                                  host:
                                    description: >-
                                      Database Host. For example,
                                      mydb.example.com
                                    type: string
                                  name:
                                    description: 'Database Name. For example, rhpam'
                                    type: string
                                  backgroundValidationMillis:
                                    description: >-
                                      Defines the interval for the
                                      background-validation check for the jdbc
                                      connections.
                                    type: string
                                  minPoolSize:
                                    description: >-
                                      Sets xa-pool/min-pool-size for the
                                      configured datasource.
                                    type: string
                                  jdbcURL:
                                    description: >-
                                      Database JDBC URL. For example,
                                      jdbc:mysql:mydb.example.com:3306/rhpam
                                    type: string
                                  username:
                                    description: External database username
                                    type: string
                                  nonXA:
                                    description: >-
                                      Sets the datasources type. It can be XA or
                                      NONXA. For non XA set it to true. Default
                                      value is false.
                                    type: string
                                  connectionChecker:
                                    description: >-
                                      An
                                      org.jboss.jca.adapters.jdbc.ValidConnectionChecker
                                      that provides a SQLException
                                      isValidConnection(Connection e) method to
                                      validate if a connection is valid.
                                    type: string
                                  exceptionSorter:
                                    description: >-
                                      An
                                      org.jboss.jca.adapters.jdbc.ExceptionSorter
                                      that provides a boolean
                                      isExceptionFatal(SQLException e) method to
                                      validate if an exception should be
                                      broadcast to all
                                      javax.resource.spi.ConnectionEventListener
                                      as a connectionErrorOccurred.
                                    type: string
                                  password:
                                    description: External database password
                                    type: string
                              size:
                                description: >-
                                  Size of the PersistentVolumeClaim to create.
                                  For example, 100Gi
                                type: string
                              type:
                                description: Database type to use
                                type: string
                                enum:
                                  - mysql
                                  - postgresql
                                  - external
                                  - h2
                          replicas:
                            description: Replicas to set for the DeploymentConfig
                            type: integer
                            format: int32
                    smartRouter:
                      description: Configuration of the RHPAM smart router
                      type: object
                      properties:
                        env:
                          type: array
                          items:
                            type: object
                            required:
                              - name
                            oneOf:
                              - required:
                                  - value
                              - required:
                                  - valueFrom
                            properties:
                              name:
                                description: Name of an environment variable
                                type: string
                              value:
                                description: Value for that environment variable
                                type: string
                              valueFrom:
                                description: Source for the environment variable's value
                                type: object
                        keystoreSecret:
                          description: Keystore secret name
                          type: string
                        protocol:
                          description: >-
                            Smart Router protocol, if no value is provided, http
                            is the default protocol.
                          type: string
                          enum:
                            - http
                            - https
                        replicas:
                          description: Replicas to set for the DeploymentConfig
                          type: integer
                          format: int32
                        resources:
                          type: object
                          properties:
                            limits:
                              type: object
                            requests:
                              type: object
                        useExternalRoute:
                          description: >-
                            If enabled, Busineses Central will use the external
                            smartrouter route to communicate with it. Note that,
                            valid SSL certificates should be used.
                          type: boolean
                upgrades:
                  description: >-
                    Specify the level of upgrade that should be allowed when an
                    older product version is detected
                  type: object
                  properties:
                    minor:
                      description: >-
                        Set true to enable automatic product minor version
                        upgrades, it is disabled by default.
                      type: boolean
                    patch:
                      description: >-
                        Set false to disable automatic product patch version
                        upgrades, it is enabled by default.
                      type: boolean
            status:
              type: object
  conversion:
    strategy: None
  preserveUnknownFields: true
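--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/businessautomation/operator/role.yml
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/businessautomation/operator/role.yml
@@ -0,0 +1,39 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: businessautomation-operator.1.3.0-v2fxv
+rules:
+  - verbs:
+      - '*'
+    apiGroups:
+      - ''
+      - apps
+      - apps.openshift.io
+      - rbac.authorization.k8s.io
+      - route.openshift.io
+      - build.openshift.io
+      - image.openshift.io
+      - app.kiegroup.org
+    resources:
+      - '*'
+  - verbs:
+      - get
+      - create
+    apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+  - verbs:
+      - '*'
+    apiGroups:
+      - operators.coreos.com
+    resources:
+      - clusterserviceversions
+  - verbs:
+      - update
+    apiGroups:
+      - apps
+    resources:
+      - deployments/finalizers
+    resourceNames:
+      - business-automation-operator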
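Review bot: The first rule grants every verb on every resource in eight API groups, including the core group and `rbac.authorization.k8s.io`, which is far broader than a namespaced operator usually needs. With `'*'` on the core group the `business-automation-operator` service account can read every Secret in the namespace, and `'*'` on the RBAC group includes the `bind` and `escalate` verbs, so the account can hand out permissions it does not itself hold. What the operator actually touches is not visible on this page, so the list has to come from its code, but I would enumerate resources and verbs per group and limit the RBAC group to something like `resources: [roles, rolebindings]` with `verbs: [get, list, watch, create, update, delete]`. The Role name also carries what looks like an OLM-generated suffix (`-v2fxv`); a stable name would be easier to audit.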
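--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/businessautomation/operator/sa.yml
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/businessautomation/operator/sa.yml
@@ -0,0 +1,4 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: business-automation-operator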
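--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/datagrid/operator/crd.yml
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/datagrid/operator/crd.yml
@@ -0,0 +1,22 @@
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+  name: infinispans.infinispan.org
+spec:
+  group: infinispan.org
+  version: v1
+  names:
+    plural: infinispans
+    singular: infinispan
+    kind: Infinispan
+    listKind: InfinispanList
+  scope: Namespaced
+  subresources:
+    status: {}
+  versions:
+    - name: v1
+      served: true
+      storage: true
+  conversion:
+    strategy: None
+  preserveUnknownFields: true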
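Review bot: This CRD has no `validation` block and sets `preserveUnknownFields: true`, so the API server will store any content under an Infinispan object without checking or pruning it. The three Grafana CRDs later in this commit set the same flag, and their schemas leave most nested objects untyped. A minimal structural schema (`type: object` at the root with typed `spec` and `status`) together with `preserveUnknownFields: false` would let the API server reject malformed objects before the operator sees them; whether the operator tolerates pruning is not visible here and needs checking. `apiextensions.k8s.io/v1beta1` is also deprecated in favour of `v1`.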
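--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/datagrid/operator/role.yml
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/datagrid/operator/role.yml
@@ -0,0 +1,51 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: datagrid-operator.v1.0.0-4x52z
+rules:
+  - verbs:
+      - '*'
+    apiGroups:
+      - ''
+    resources:
+      - pods
+      - services
+      - endpoints
+      - persistentvolumeclaims
+      - events
+      - configmaps
+      - secrets
+  - verbs:
+      - create
+    apiGroups:
+      - ''
+    resources:
+      - pods/exec
+  - verbs:
+      - get
+    apiGroups:
+      - ''
+    resources:
+      - namespaces
+  - verbs:
+      - '*'
+    apiGroups:
+      - apps
+    resources:
+      - deployments
+      - daemonsets
+      - replicasets
+      - statefulsets
+  - verbs:
+      - get
+      - create
+    apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+  - verbs:
+      - '*'
+    apiGroups:
+      - infinispan.org
+    resources:
+      - '*'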
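Review bot: The first rule gives the `infinispan-operator` service account every verb on `secrets`, and the second lets it create `pods/exec`, so a compromise of the operator pod exposes every Secret and a command channel into every pod of the namespace. grafana/operator/role.yml and prometheus/operator/role.yml in this commit carry the same `'*'` on `secrets` (Grafana also on `serviceaccounts`). The verbs the operators really use are not visible on this page; if they only create and read their own Secrets, `verbs: [get, list, watch, create, update]` would be tighter than `'*'`. I would also add a comment above the `pods/exec` rule stating why exec is needed, for example `# exec is used to run the Data Grid CLI inside cluster pods` if that is the reason.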
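--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/datagrid/operator/sa.yml
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/datagrid/operator/sa.yml
@@ -0,0 +1,4 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: infinispan-operator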
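--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/grafana/operator/crd-dashboard.yml
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/grafana/operator/crd-dashboard.yml
@@ -0,0 +1,41 @@
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+  name: grafanadashboards.integreatly.org
+spec:
+  group: integreatly.org
+  version: v1alpha1
+  names:
+    plural: grafanadashboards
+    singular: grafanadashboard
+    kind: GrafanaDashboard
+    listKind: GrafanaDashboardList
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        spec:
+          properties:
+            json:
+              type: string
+            name:
+              type: string
+            plugins:
+              type: array
+              items:
+                description: Grafana Plugin Object
+                type: object
+        status:
+          properties:
+            messages:
+              type: array
+              items:
+                description: Dashboard Status Message
+                type: object
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+  conversion:
+    strategy: None
+  preserveUnknownFields: true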
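--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/grafana/operator/crd-datasource.yml
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/grafana/operator/crd-datasource.yml
@@ -0,0 +1,44 @@
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+  name: grafanadatasources.integreatly.org
+spec:
+  group: integreatly.org
+  version: v1alpha1
+  names:
+    plural: grafanadatasources
+    singular: grafanadatasource
+    kind: GrafanaDataSource
+    listKind: GrafanaDataSourceList
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          type: string
+        kind:
+          type: string
+        metadata:
+          type: object
+        spec:
+          required:
+            - datasources
+            - name
+          properties:
+            datasources:
+              type: array
+              items:
+                description: Grafana Datasource Object
+                type: object
+            name:
+              type: string
+              minimum: 1
+        status:
+          type: object
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+  conversion:
+    strategy: None
+  preserveUnknownFields: true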
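Review bot: `minimum: 1` under `spec.properties.name` has no effect, because `minimum` constrains numbers and the field is `type: string`. If the intent was to reject an empty name, the keyword is `minLength: 1`. The schema is presumably copied from the upstream operator bundle, so the fix may belong upstream as well.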
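--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/grafana/operator/crd-grafana.yml
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/grafana/operator/crd-grafana.yml
@@ -0,0 +1,101 @@
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+  name: grafanas.integreatly.org
+spec:
+  group: integreatly.org
+  version: v1alpha1
+  names:
+    plural: grafanas
+    singular: grafana
+    kind: Grafana
+    listKind: GrafanaList
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      required:
+        - spec
+      properties:
+        spec:
+          properties:
+            logLevel:
+              description: 'Log level of the grafana instance, defaults to info'
+              type: string
+            config:
+              description: Grafana config
+              type: object
+            secrets:
+              type: array
+              items:
+                description: Secret to be mounted as volume into the grafana deployment
+                type: string
+            disableLoginForm:
+              description: Disable login form
+              type: boolean
+            disableSignoutMenu:
+              description: Disable signout menu
+              type: boolean
+            adminPassword:
+              description: Default admin password
+              type: string
+            anonymous:
+              description: Anonymous auth enabled
+              type: boolean
+            containers:
+              type: array
+              items:
+                description: Additional container to add to the grafana pod
+                type: object
+            dashboardLabelSelectors:
+              type: array
+              items:
+                description: Label selector or match expressions
+                type: object
+            ingress:
+              type: object
+              properties:
+                annotations:
+                  description: Additional annotations for the ingress / route
+                  type: object
+                enabled:
+                  description: Create an ingress / route
+                  type: boolean
+                hostname:
+                  description: The hostname of the ingress / route
+                  type: string
+                labels:
+                  description: Additional labels for the ingress / route
+                  type: object
+                path:
+                  description: Ingress path
+                  type: string
+            service:
+              type: object
+              properties:
+                annotations:
+                  description: Additional annotations for the service
+                  type: object
+                labels:
+                  description: Additional labels for the service
+                  type: object
+                type:
+                  description: 'Service type (NodePort, ClusterIP or LoadBalancer)'
+                  type: string
+            basicAuth:
+              description: Basic auth enabled
+              type: boolean
+            configMaps:
+              type: array
+              items:
+                description: Config map to be mounted as volume into the grafana deployment
+                type: string
+            adminUser:
+              description: Default admin user name
+              type: string
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+  conversion:
+    strategy: None
+  preserveUnknownFields: true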
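Review bot: `adminPassword` is declared as a plain `type: string` under `spec`, so whatever is set there is stored in clear text in the Grafana object and is readable by anyone with `get` on `grafanas` in the namespace. The schema most likely comes from the upstream operator, so I would not change the field here, but the description should say so: `description: Default admin password (stored in clear text in the resource; restrict read access to grafanas)`. The `anonymous` and `disableLoginForm` switches sit next to it without any note on their effect on access control, and a one-line description of that would help whoever writes the instance file.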
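--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/grafana/operator/role.yml
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/grafana/operator/role.yml
@@ -0,0 +1,57 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: grafana-operator.v2.0.0-vjr68
+rules:
+  - verbs:
+      - '*'
+    apiGroups:
+      - ''
+    resources:
+      - pods
+      - services
+      - endpoints
+      - persistentvolumeclaims
+      - events
+      - configmaps
+      - secrets
+      - serviceaccounts
+  - verbs:
+      - '*'
+    apiGroups:
+      - apps
+    resources:
+      - deployments
+      - daemonsets
+      - replicasets
+      - statefulsets
+  - verbs:
+      - '*'
+    apiGroups:
+      - route.openshift.io
+    resources:
+      - routes
+  - verbs:
+      - get
+      - create
+    apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+  - verbs:
+      - '*'
+    apiGroups:
+      - extensions
+    resources:
+      - ingresses
+  - verbs:
+      - '*'
+    apiGroups:
+      - integreatly.org
+    resources:
+      - grafanas
+      - grafanadashboards
+      - grafanadatasources
+      - grafanas/finalizers
+      - grafanadashboards/finalizers
+      - grafanadatasources/finalizers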
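--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/grafana/operator/sa.yml
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/grafana/operator/sa.yml
@@ -0,0 +1,4 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: grafana-operator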
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/namespace-limits.yml
@@ -6,8 +6,6 @@
  limits:
    - default:
        memory: 2048Mi
        cpu: 2000m
      defaultRequest:
        memory: 512Mi
        cpu: 500m
        memory: 128Mi
      type: Container
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/namespace-quota.yml
@@ -4,7 +4,5 @@
  name: quota
spec:
  hard:
    requests.cpu: '20'
    requests.memory: 20Gi
    limits.cpu: '50'
    limits.memory: 50Gi
    limits.memory: 60Gi
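--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/prometheus/operator/k8s-sa.yml
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/prometheus/operator/k8s-sa.yml
@@ -0,0 +1,4 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: prometheus-k8s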
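--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/prometheus/operator/role.yml
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/prometheus/operator/role.yml
@@ -0,0 +1,60 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: prometheusoperator.0.32.0-bhpxn
+rules:
+  - verbs:
+      - '*'
+    apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+  - verbs:
+      - '*'
+    apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - alertmanagers
+      - prometheuses
+      - prometheuses/finalizers
+      - alertmanagers/finalizers
+      - servicemonitors
+      - podmonitors
+      - prometheusrules
+  - verbs:
+      - '*'
+    apiGroups:
+      - apps
+    resources:
+      - statefulsets
+  - verbs:
+      - '*'
+    apiGroups:
+      - ''
+    resources:
+      - configmaps
+      - secrets
+  - verbs:
+      - list
+      - delete
+    apiGroups:
+      - ''
+    resources:
+      - pods
+  - verbs:
+      - get
+      - create
+      - update
+      - delete
+    apiGroups:
+      - ''
+    resources:
+      - services
+      - services/finalizers
+      - endpoints
+  - verbs:
+      - get
+    apiGroups:
+      - ''
+    resources:
+      - namespaces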
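Review bot: The first rule lists `customresourcedefinitions`, which is a cluster-scoped resource, so granting it through a namespaced `Role` has no effect; the same applies to `nodes` in role2.yml. If the operator needs those permissions they have to come from a `ClusterRole` bound with a `ClusterRoleBinding`, and if it does not, the rules should be removed so the file does not suggest access that is not there. Until then a comment such as `# cluster-scoped: not granted by this Role` above each of the two rules would spare the next reader the confusion. Whether the operator starts cleanly without CRD access is not visible on this page.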
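--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/prometheus/operator/role2.yml
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/prometheus/operator/role2.yml
@@ -0,0 +1,22 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: prometheusoperator.0.32.0-tgc4f
+rules:
+  - verbs:
+      - get
+      - list
+      - watch
+    apiGroups:
+      - ''
+    resources:
+      - nodes
+      - services
+      - endpoints
+      - pods
+  - verbs:
+      - get
+    apiGroups:
+      - ''
+    resources:
+      - configmaps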
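--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/prometheus/operator/sa.yml
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/files/prometheus/operator/sa.yml
@@ -0,0 +1,4 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: prometheus-operator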
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/tasks/workload_per_project_amqstreams.yml
@@ -5,29 +5,8 @@
    namespace: "{{ _namespace }}"
    definition: "{{ lookup('template', role_path ~ '/templates/amq-streams/cluster.j2' ) | from_yaml }}"
- name: Wait until KafkaCluster has Ready condition
  command: >
    oc get kafka/{{ _namespace }}-cluster -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' -n "{{ _namespace }}"
  register: kafka
  retries: "{{ _retry }}"
  delay: "{{ _delay }}"
  until: kafka.stdout == "True"
- name: Create Kafka Topic
  k8s:
    state: present
    namespace: "{{ _namespace }}"
    definition: "{{ lookup('template', role_path ~ '/templates/amq-streams/topic.j2' ) | from_yaml }}"
- name: Wait until KafkaTopic block-account has Ready condition
  command: >
    oc get KafkaTopic/block-account -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' -n "{{ _namespace }}"
  register: blocktopic
  retries: "{{ _retry }}"
  delay: "{{ _delay }}"
  until: blocktopic.stdout == "True"
- name: Get Kafka client service address
  command: >
    oc get svc/{{ _namespace }}-cluster-kafka-brokers -o jsonpath='{.metadata.name}{":"}{.spec.ports[?(@.name=="clients")].port}' -n "{{ _namespace }}"
  register: kafka_clients
    definition: "{{ lookup('template', role_path ~ '/templates/amq-streams/topic.j2' ) | from_yaml }}"
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/tasks/workload_per_project_businessautomation.yml
@@ -1,36 +1,29 @@
---
- name: Create operator
- name: Create operator resource files
  k8s:
    state: present
    namespace: "{{ _namespace }}"
    definition: "{{ lookup('file', role_path ~ '/files/businessautomation/operator.yml' ) | from_yaml }}"
    definition: "{{ lookup('file', role_path ~ '/files/businessautomation/operator/{{ item }}.yml' ) | from_yaml }}"
  with_items:
  - crd
  - role
  - sa
- name: Wait until csv/{{ _businessautomation_csv_version }} is Succeeded
- name: Create operator resource templates
  k8s:
    state: present
    namespace: "{{ _namespace }}"
    definition: "{{ lookup('template', role_path ~ '/templates/businessautomation/operator/{{ item }}.j2' ) | from_yaml }}"
  with_items:
  - rolebinding
  - deployment
- name: Wait until business-automation-operator is running
  command: >
    oc get csv/{{ _businessautomation_csv_version }} -o jsonpath='{.status.phase}' -n "{{ _namespace }}"
  register: bizscsv
  retries: "{{ _retry }}"
  delay: "{{ _delay }}"
  until: bizscsv.stdout == "Succeeded"
    oc rollout status Deployment/business-automation-operator --watch=true -n "{{ _namespace }}"
- name: Create Kie App
  k8s:
    state: present
    namespace: "{{ _namespace }}"
    definition: "{{ lookup('file', role_path ~ '/files/businessautomation/kie.yml' ) | from_yaml }}"
- name: Wait until KieApp has Deployed condition
  command: >
    oc get kieapp/rhpam-authoring -o jsonpath='{.status.conditions[?(@.type=="Deployed")].status}' -n "{{ _namespace }}"
  register: kieapp
  retries: "{{ _retry }}"
  delay: "{{ _delay }}"
  until: kieapp.stdout == "True"
- name: Check KieServer is running
  command: >
    oc rollout status DeploymentConfig/rhpam-authoring-kieserver --watch=true -n "{{ _namespace }}"
- name: Check BusinessCentral is running
  command: >
    oc rollout status DeploymentConfig/rhpam-authoring-rhpamcentr --watch=true -n "{{ _namespace }}"
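Review bot: The new `definition:` lines nest `{{ item }}` inside a string literal that already sits within a `{{ ... }}` expression, e.g. `role_path ~ '/files/businessautomation/operator/{{ item }}.yml'`. That only resolves if the lookup re-templates its arguments, which is behaviour Ansible discourages relying on; plain concatenation is unambiguous: `lookup('file', role_path ~ '/files/businessautomation/operator/' ~ item ~ '.yml') | from_yaml`. The same pattern appears in the datagrid, grafana and prometheus task files of this commit. The `oc rollout status` tasks are read-only, so `changed_when: false` on them would keep the play's change report accurate.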
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/tasks/workload_per_project_datagrid.yml
@@ -1,33 +1,29 @@
---
- name: Create operator
- name: Create operator resource files
  k8s:
    state: present
    namespace: "{{ _namespace }}"
    definition: "{{ lookup('file', role_path ~ '/files/datagrid/operator.yml' ) | from_yaml }}"
    definition: "{{ lookup('file', role_path ~ '/files/datagrid/operator/{{ item }}.yml' ) | from_yaml }}"
  with_items:
  - crd
  - role
  - sa
- name: Wait until csv/{{ _datagrid_csv_version }} is Succeeded
- name: Create operator resource templates
  k8s:
    state: present
    namespace: "{{ _namespace }}"
    definition: "{{ lookup('template', role_path ~ '/templates/datagrid/operator/{{ item }}.j2' ) | from_yaml }}"
  with_items:
  - rolebinding
  - deployment
- name: Wait until infinispan-operator is running
  command: >
    oc get csv/{{ _datagrid_csv_version }} -o jsonpath='{.status.phase}' -n "{{ _namespace }}"
  register: datagridcsv
  retries: "{{ _retry }}"
  delay: "{{ _delay }}"
  until: datagridcsv.stdout == "Succeeded"
    oc rollout status Deployment/infinispan-operator --watch=true -n "{{ _namespace }}"
- name: Create Infinispan
  k8s:
    state: present
    namespace: "{{ _namespace }}"
    definition: "{{ lookup('template', role_path ~ '/files/datagrid/cluster.yml' ) | from_yaml }}"
- name: Wait until Infinispan is Deployed
  command: >
    oc get infinispan/example-infinispan -o jsonpath='{.status.conditions[?(@.type=="wellFormed")].status}' -n "{{ _namespace }}"
  register: infinispan
  retries: "{{ _retry }}"
  delay: "{{ _delay }}"
  until: infinispan.stdout == "True"
- name: Get Infinispan hotrod service address
  command: >
    oc get svc/example-infinispan -o jsonpath='{.metadata.name}{":"}{.spec.ports[?(@.name=="hotrod")].port}' -n "{{ _namespace }}"
  register: hotrod_clients
    definition: "{{ lookup('template', role_path ~ '/files/datagrid/cluster.yml' ) | from_yaml }}"
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/tasks/workload_per_project_grafana.yml
@@ -1,55 +1,27 @@
---
- name: Create operator
- name: Create operator resource files
  k8s:
    state: present
    namespace: "{{ _namespace }}"
    definition: "{{ lookup('file', role_path ~ '/files/grafana/operator.yml' ) | from_yaml }}"
    definition: "{{ lookup('file', role_path ~ '/files/grafana/operator/{{ item }}.yml' ) | from_yaml }}"
  with_items:
  - crd-dashboard
  - crd-datasource
  - crd-grafana
  - role
  - sa
- name: Wait until csv/{{ _grafana_csv_version }} is Succeeded
  command: >
    oc get csv/{{ _grafana_csv_version }} -o jsonpath='{.status.phase}' -n "{{ _namespace }}"
  register: grafanacsv
  retries: "{{ _retry }}"
  delay: "{{ _delay }}"
  until: grafanacsv.stdout == "Succeeded"
- name: Create operator resource templates
  k8s:
    state: present
    namespace: "{{ _namespace }}"
    definition: "{{ lookup('template', role_path ~ '/templates/grafana/operator/{{ item }}.j2' ) | from_yaml }}"
  with_items:
  - rolebinding
  - deployment
- name: Create Grafana
  k8s:
    state: present
    namespace: "{{ _namespace }}"
    definition: "{{ lookup('file', role_path ~ '/files/grafana/instance.yml' ) | from_yaml }}"
- name: Wait until Grafana is phase 3
  command: >
    oc get grafana/grafana -o jsonpath='{.status.phase}' -n "{{ _namespace }}"
  register: grafana
  retries: "{{ _retry }}"
  delay: "{{ _delay }}"
  until: grafana.stdout == "3"
- name: Check Grafana is running
  command: >
    oc rollout status Deployment/grafana-deployment --watch=true -n "{{ _namespace }}"
- name: Get Grafana route host
  command: >
    oc get route/grafana-route -o jsonpath='{.spec.host}' -n "{{ _namespace }}"
  register: grafana_route
  retries: "{{ _retry }}"
  delay: "{{ _delay }}"
  until: grafana_route.stdout != ""
- name: Wait for Grafana route to respond with 200
  uri:
    url: "https://{{ grafana_route.stdout }}"
    method: GET
    validate_certs: false
    follow_redirects: yes
  register: grafanaresult
  retries: "{{ _retry }}"
  delay: "{{ _delay }}"
  until: grafanaresult.status == 200
- name: todo
  debug:
    msg: "TODO: Create a dashboard for whatever we need to show"
    definition: "{{ lookup('file', role_path ~ '/files/grafana/instance.yml' ) | from_yaml }}"
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/tasks/workload_per_project_prometheus.yml
@@ -1,17 +1,28 @@
---
- name: Create operator
- name: Create operator resource files
  k8s:
    state: present
    namespace: "{{ _namespace }}"
    definition: "{{ lookup('file', role_path ~ '/files/prometheus/operator.yml' ) | from_yaml }}"
    definition: "{{ lookup('file', role_path ~ '/files/prometheus/operator/{{ item }}.yml' ) | from_yaml }}"
  with_items:
  - role
  - role2
  - sa
  - k8s-sa
- name: Wait until csv/{{ _prometheus_csv_version }} is Succeeded
- name: Create operator resource templates
  k8s:
    state: present
    namespace: "{{ _namespace }}"
    definition: "{{ lookup('template', role_path ~ '/templates/prometheus/operator/{{ item }}.j2' ) | from_yaml }}"
  with_items:
  - rolebinding
  - rolebinding2
  - deployment
- name: Wait until prometheus-operator is running
  command: >
    oc get csv/{{ _prometheus_csv_version }} -o jsonpath='{.status.phase}' -n "{{ _namespace }}"
  register: promcsv
  retries: "{{ _retry }}"
  delay: "{{ _delay }}"
  until: promcsv.stdout == "Succeeded"
    oc rollout status Deployment/prometheus-operator --watch=true -n "{{ _namespace }}"
- name: Create Prometheus
  k8s:
@@ -35,27 +46,4 @@
  k8s:
    state: present
    namespace: "{{ _namespace }}"
    definition: "{{ lookup('template', role_path ~ '/files/prometheus/servicemonitor.yml' ) | from_yaml }}"
- name: Check Prometheus is running
  command: >
    oc rollout status StatefulSet/prometheus-prom --watch=true -n "{{ _namespace }}"
- name: Get Prometheus route host
  command: >
    oc get route/prometheus-prom -o jsonpath='{.spec.host}' -n "{{ _namespace }}"
  register: prom_route
  retries: "{{ _retry }}"
  delay: "{{ _delay }}"
  until: prom_route.stdout != ""
- name: Wait for Prometheus route to respond with 200
  uri:
    url: "https://{{ prom_route.stdout }}"
    method: GET
    validate_certs: false
    follow_redirects: yes
  register: promresult
  retries: "{{ _retry }}"
  delay: "{{ _delay }}"
  until: promresult.status == 200
    definition: "{{ lookup('template', role_path ~ '/files/prometheus/servicemonitor.yml' ) | from_yaml }}"
ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/tasks/workload_project.yml
@@ -46,7 +46,7 @@
- name: Gitea for {{ _namespace }}
  include_tasks: workload_per_project_gitea.yml
- name: CoreReadyWorkspaces for {{ _namespace }}
- name: CodeReadyWorkspaces for {{ _namespace }}
  include_tasks: workload_per_project_codereadyworkspaces.yml
- name: Prometheus for {{ _namespace }}
@@ -63,11 +63,6 @@
    msg: "{{ item }}"
  with_items:
    - "user.info: {{ _namespace }} ->"
    - "user.info:   Clients:"
    - "user.info:   - Kafka: {{ kafka_clients.stdout }}"
    - "user.info:   - Infinispan hotrod: {{ hotrod_clients.stdout }}"
    - "user.info:   Tools:"
    - "user.info:   DevTools:"
    - "user.info:   - Code Ready Workspaces (u: {{ _namespace }}, p: {{ _account_password }}): http://{{ che_route.stdout }}"
    - "user.info:   - Gitea (u: {{ _namespace }}, p: {{ _account_password }}): https://{{ gitea_route.stdout }}"
    - "user.info:   - Prometheus: https://{{ prom_route.stdout }}"
    - "user.info:   - Grafana: https://{{ grafana_route.stdout }}"
    - "user.info:   - Gitea (u: {{ _namespace }}, p: {{ _account_password }}): https://{{ gitea_route.stdout }}"
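Review bot: The Code Ready Workspaces line, which this commit appears to keep, publishes a username and password next to an `http://` URL, while the Gitea line uses `https://`. If the route is TLS-terminated, print `https://{{ che_route.stdout }}` so users are not steered into sending the workshop password over plain HTTP; the route definition is not visible on this page, so this needs checking against the Che route. The `with_items` task these lines belong to starts above the second hunk.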
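--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/businessautomation/operator/deployment.j2
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/businessautomation/operator/deployment.j2
@@ -0,0 +1,75 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: business-automation-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: business-automation-operator
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        name: business-automation-operator
+      annotations:
+        tectonic-visibility: ocs
+        certified: 'true'
+        olm.targetNamespaces: {{ _namespace }}
+        repository: 'https://github.com/kiegroup/kie-cloud-operator'
+        support: 'Red Hat, Inc.'
+        alm-examples: >-
+          [{"apiVersion":"app.kiegroup.org/v2","kind":"KieApp","metadata":{"name":"rhpam-trial"},"spec":{"environment":"rhpam-trial"}}]
+        capabilities: Seamless Upgrades
+        olm.operatorNamespace: {{ _namespace }}
+        containerImage: 'registry.redhat.io/rhpam-7/rhpam-rhel8-operator:7.6.0'
+        createdAt: '2019-12-04 13:33:08'
+        categories: Integration & Delivery
+        description: >-
+          Business Automation Operator for deployment and management of
+          RHPAM/RHDM environments.
+        olm.operatorGroup: {{ _namespace }}
+    spec:
+      containers:
+        - name: business-automation-operator
+          image: 'registry.redhat.io/rhpam-7/rhpam-rhel8-operator:7.6.0'
+          command:
+            - kie-cloud-operator
+          env:
+            - name: OPERATOR_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: 'metadata.labels[''name'']'
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.name
+            - name: WATCH_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: OPERATOR_UI
+              value: 'true'
+            - name: DEBUG
+              value: 'false'
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          imagePullPolicy: Always
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      dnsPolicy: ClusterFirst
+      serviceAccountName: business-automation-operator
+      serviceAccount: business-automation-operator
+      securityContext: {}
+      schedulerName: default-scheduler
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+      maxSurge: 1
+  revisionHistoryLimit: 10
+  progressDeadlineSeconds: 600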
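Review bot: The operator image is referenced by tag (`rhpam-rhel8-operator:7.6.0`) with `imagePullPolicy: Always`, so the code that runs under the very broad Role from businessautomation/operator/role.yml is whatever the registry serves under that tag at pull time. Pinning by digest keeps the deployment reproducible: `image: 'registry.redhat.io/rhpam-7/rhpam-rhel8-operator@sha256:<digest-placeholder>'`. The three `olm.*` annotations take an unquoted `{{ _namespace }}`; annotation values must be strings, so `olm.targetNamespaces: "{{ _namespace }}"` avoids an all-digit namespace name being parsed as a number after rendering. `resources: {}` leaves requests and limits to the namespace LimitRange, which this commit also changes.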
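--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/businessautomation/operator/rolebinding.j2
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/businessautomation/operator/rolebinding.j2
@@ -0,0 +1,12 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: businessautomation-operator.1.3.0-v2fxv-business-automatiovjcsz
+subjects:
+  - kind: ServiceAccount
+    name: business-automation-operator
+    namespace: {{ _namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: businessautomation-operator.1.3.0-v2fxv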
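--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/datagrid/operator/deployment.j2
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/datagrid/operator/deployment.j2
@@ -0,0 +1,123 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: infinispan-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: infinispan-operator-alm-owned
+  template:
+    metadata:
+      name: infinispan-operator-alm-owned
+      creationTimestamp: null
+      labels:
+        name: infinispan-operator-alm-owned
+      annotations:
+        tectonic-visibility: ocs
+        certified: 'false'
+        olm.targetNamespaces: {{ _namespace }}
+        repository: 'https://github.com/infinispan/infinispan-operator'
+        support: 'Red Hat, Inc.'
+        alm-examples: |
+          [
+            {
+              "apiVersion": "infinispan.org/v1",
+              "kind": "Infinispan",
+              "metadata": {
+                "name": "example-infinispan"
+              },
+              "spec": {
+                "replicas": 1
+              }
+            }
+          ]
+        capabilities: Basic Install
+        olm.operatorNamespace: {{ _namespace }}
+        containerImage: 'registry.redhat.io/jboss-datagrid-7-tech-preview/datagrid-operator:1.0'
+        createdAt: '2019-07-16 10:30:00'
+        categories: Database
+        description: Create and manage Red Hat Data Grid clusters.
+        olm.operatorGroup: {{ _namespace }}
+    spec:
+      containers:
+        - resources: {}
+          terminationMessagePath: /dev/termination-log
+          name: infinispan-operator
+          command:
+            - infinispan-operator
+          env:
+            - name: WATCH_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: 'metadata.annotations[''olm.targetNamespaces'']'
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: infinispan-operator
+            - name: DEFAULT_IMAGE
+              value: 'registry.redhat.io/jboss-datagrid-7/datagrid73-openshift:latest'
+            - name: APP_USER
+              value: USERNAME
+            - name: APP_PASS
+              value: PASSWORD
+            - name: MGMT_USER
+              value: ADMIN_USERNAME
+            - name: MGMT_PASS
+              value: ADMIN_PASSWORD
+            - name: ENTRY_POINT_ARGS
+              value: '[]'
+            - name: PROBES
+              value: >-
+                {"readiness": "/opt/datagrid/bin/readinessProbe.sh", "liveness":
+                "/opt/datagrid/bin/livenessProbe.sh"}
+            - name: ADDITIONAL_VARS
+              value: '["IMAGE","NUMBER_OF_INSTANCE", "HOTROD_AUTHENTICATION"]'
+            - name: VOLUME_MOUNTS
+              value: >-
+                [{"MountPath": "/opt/datagrid/standalone/data", "Name":
+                "srv-data"},{"MountPath": "/var/run/secrets/java.io/keystores",
+                "Name": "keystore-volume"},{"MountPath":
+                "/var/run/secrets/openshift.io/serviceaccount", "Name":
+                "services-certs"}]
+            - name: VOLUME_KEYSTORE_NAME
+              value: keystore-volume
+            - name: VOLUME_SECRET_NAME
+              value: service-certs
+            - name: VOLUME_CLAIMS
+              value: >-
+                [{"metadata": {"Name": "srv-data"}, "Spec":{"AccessModes":
+                ["ReadWriteOnce"], "Resources": {"Requests": {"storage":
+                "1Gi"}}}}]
+            - name: IMAGE
+              value: 'registry.redhat.io/jboss-datagrid-7/datagrid73-openshift:latest'
+            - name: CLI_CMD
+              value: /opt/datagrid/bin/cli.sh
+            - name: HOTROD_AUTHENTICATION
+              value: 'true'
+          ports:
+            - name: metrics
+              containerPort: 60000
+              protocol: TCP
+          imagePullPolicy: IfNotPresent
+          terminationMessagePolicy: File
+          image: >-
+            registry.redhat.io/jboss-datagrid-7-tech-preview/datagrid-operator:1.0
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      dnsPolicy: ClusterFirst
+      serviceAccountName: infinispan-operator
+      serviceAccount: infinispan-operator
+      securityContext: {}
+      schedulerName: default-scheduler
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 25%
+      maxSurge: 25%
+  revisionHistoryLimit: 10
+  progressDeadlineSeconds: 600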
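Review bot: `APP_PASS` and `MGMT_PASS` are set to the literal strings `PASSWORD` and `ADMIN_PASSWORD` (with `USERNAME` and `ADMIN_USERNAME` as the users) directly in the pod spec. They look like placeholders carried over from the operator bundle; if the operator applies them as defaults to the clusters it creates, every workshop namespace gets the same guessable credentials, and they are readable by anyone who can view the Deployment. I would source them from a Secret as sketched below, where the Secret name and keys are placeholders to be replaced. `DEFAULT_IMAGE` and `IMAGE` also use the `:latest` tag, so the Data Grid image can change between installs; a fixed tag or digest would make the workshop reproducible.

```yaml
            # … unchanged: WATCH_NAMESPACE through APP_USER …
            - name: APP_PASS
              valueFrom:
                secretKeyRef:
                  name: infinispan-operator-credentials  # placeholder Secret name
                  key: app-password                      # placeholder key
            # … unchanged: MGMT_USER …
            - name: MGMT_PASS
              valueFrom:
                secretKeyRef:
                  name: infinispan-operator-credentials  # placeholder Secret name
                  key: mgmt-password                     # placeholder key
            # … unchanged: ENTRY_POINT_ARGS onwards …
```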
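--- a/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/datagrid/operator/rolebinding.j2
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/datagrid/operator/rolebinding.j2
@@ -0,0 +1,12 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: datagrid-operator.v1.0.0-4x52z-infinispan-operator-d4rlh
+subjects:
+  - kind: ServiceAccount
+    name: infinispan-operator
+    namespace: {{ _namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: datagrid-operator.v1.0.0-4x52z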
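--- /dev/null
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/grafana/operator/deployment.j2
@@ -0,0 +1,166 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: grafana-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: grafana-operator
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        name: grafana-operator
+      annotations:
+        certified: 'False'
+        olm.targetNamespaces: {{ _namespace }}
+        repository: 'https://github.com/integr8ly/grafana-operator'
+        support: Red Hat
+        alm-examples: |-
+          [
+          {
+            "apiVersion": "integreatly.org/v1alpha1",
+            "kind": "Grafana",
+            "metadata": {
+              "name": "example-grafana"
+            },
+            "spec": {
+              "ingress": {
+                "enabled": true
+              },
+              "config": {
+                "auth": {
+                  "disable_signout_menu": true
+                },
+                "auth.anonymous": {
+                  "enabled": true
+                },
+                "log": {
+                  "level": "warn",
+                  "mode": "console"
+                },
+                "security": {
+                  "admin_password": "secret",
+                  "admin_user": "root"
+                }
+              },
+              "dashboardLabelSelector": [
+              {
+                "matchExpressions": [
+                {
+                  "key": "app",
+                  "operator": "In",
+                  "values": [
+                    "grafana"
+                  ]
+                }
+                ]
+              }
+              ]
+            }
+          },
+          {
+            "apiVersion": "integreatly.org/v1alpha1",
+            "kind": "GrafanaDashboard",
+            "metadata": {
+              "labels": {
+                "app": "grafana"
+              },
+              "name": "simple-dashboard"
+            },
+            "spec": {
+              "json": "{\n  \"id\": null,\n  \"title\": \"Simple Dashboard\",\n  \"tags\": [],\n  \"style\": \"dark\",\n  \"timezone\": \"browser\",\n  \"editable\": true,\n  \"hideControls\": false,\n  \"graphTooltip\": 1,\n  \"panels\": [],\n  \"time\": {\n    \"from\": \"now-6h\",\n    \"to\": \"now\"\n  },\n  \"timepicker\": {\n    \"time_options\": [],\n    \"refresh_intervals\": []\n  },\n  \"templating\": {\n    \"list\": []\n  },\n  \"annotations\": {\n    \"list\": []\n  },\n  \"refresh\": \"5s\",\n  \"schemaVersion\": 17,\n  \"version\": 0,\n  \"links\": []\n}\n",
+              "name": "simple-dashboard.json"
+            }
+          },
+          {
+            "apiVersion": "integreatly.org/v1alpha1",
+            "kind": "GrafanaDataSource",
+            "metadata": {
+              "name": "example-grafanadatasource"
+            },
+            "spec": {
+              "datasources": [
+              {
+                "access": "proxy",
+                "editable": true,
+                "isDefault": true,
+                "jsonData": {
+                  "timeInterval": "5s"
+                },
+                "name": "Prometheus",
+                "type": "prometheus",
+                "url": "http://prometheus-service:9090",
+                "version": 1
+              }
+              ],
+              "name": "example-datasources.yaml"
+            }
+          }
+          ]
+        capabilities: Basic Install
+        olm.operatorNamespace: {{ _namespace }}
+        containerImage: 'quay.io/integreatly/grafana-operator:v2.0.0'
+        createdAt: '2019-07-23 00:00:00'
+        categories: Monitoring
+        description: >-
+          An Operator for managing Grafana instances, dashboards and data
+          sources
+        olm.operatorGroup: {{ _namespace }}
+    spec:
+      containers:
+        - resources: {}
+          readinessProbe:
+            exec:
+              command:
+                - stat
+                - /tmp/operator-sdk-ready
+            initialDelaySeconds: 4
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 1
+          terminationMessagePath: /dev/termination-log
+          name: grafana-operator
+          command:
+            - grafana-operator
+          env:
+            - name: TEMPLATE_PATH
+              value: /usr/local/bin/templates
+            - name: WATCH_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: grafana-operator
+          ports:
+            - name: metrics
+              containerPort: 60000
+              protocol: TCP
+          imagePullPolicy: Always
+          terminationMessagePolicy: File
+          image: 'quay.io/integreatly/grafana-operator:v2.0.0'
+          args:
+            - '--grafana-image=quay.io/openshift/origin-grafana'
+            - '--grafana-image-tag=4.2'
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      dnsPolicy: ClusterFirst
+      serviceAccountName: grafana-operator
+      serviceAccount: grafana-operator
+      securityContext: {}
+      schedulerName: default-scheduler
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 25%
+      maxSurge: 25%
+  revisionHistoryLimit: 10
+  progressDeadlineSeconds: 600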
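Review bot: The operator container is pulled by mutable tag (`image: 'quay.io/integreatly/grafana-operator:v2.0.0'` with `imagePullPolicy: Always`) and has no container-level securityContext, unlike the Prometheus operator template in this commit, which pins its images by digest and sets `allowPrivilegeEscalation: false`. Pinning to `quay.io/integreatly/grafana-operator@sha256:<digest-of-v2.0.0>` and adding a container `securityContext:` with `allowPrivilegeEscalation: false` would bring it in line; `readOnlyRootFilesystem: true` probably cannot be copied as-is, because the readiness probe stats `/tmp/operator-sdk-ready`, which suggests the process writes under /tmp. The `alm-examples` annotation also carries a sample `"admin_password": "secret"` with anonymous auth enabled; with OLM removed the annotation is presumably unused and could be dropped so it is not copied into a real Grafana resource.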
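--- /dev/null
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/grafana/operator/rolebinding.j2
@@ -0,0 +1,12 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: grafana-operator.v2.0.0-vjr68-grafana-operator-pfbx4
+subjects:
+  - kind: ServiceAccount
+    name: grafana-operator
+    namespace: {{ _namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: grafana-operator.v2.0.0-vjr68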
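--- /dev/null
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/prometheus/operator/deployment.j2
@@ -0,0 +1,86 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: prometheus-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: prometheus-operator
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        k8s-app: prometheus-operator
+      annotations:
+        certified: 'false'
+        olm.targetNamespaces: {{ _namespace }}
+        repository: 'https://github.com/coreos/prometheus-operator'
+        support: Frederic Branczyk
+        alm-examples: >-
+          [{"apiVersion":"monitoring.coreos.com/v1","kind":"Prometheus","metadata":{"name":"example","labels":{"prometheus":"k8s"}},"spec":{"replicas":2,"serviceAccountName":"prometheus-k8s","securityContext":
+          {},
+          "serviceMonitorSelector":{},"ruleSelector":{},"alerting":{"alertmanagers":[{"namespace":"openshift-monitoring","name":"alertmanager-main","port":"web"}]}}},{"apiVersion":"monitoring.coreos.com/v1","kind":"ServiceMonitor","metadata":{"name":"example","labels":{"k8s-app":"prometheus"}},"spec":{"selector":{"matchLabels":{"k8s-app":"prometheus"}},"endpoints":[{"port":"web","interval":"30s"}]}},{"apiVersion":"monitoring.coreos.com/v1","kind":"PodMonitor","metadata":{"name":"example","labels":{"k8s-app":"prometheus"}},"spec":{"selector":{"matchLabels":{"k8s-app":"prometheus"}},"podMetricsEndpoints":[{"port":"web","interval":"30s"}]}},{"apiVersion":"monitoring.coreos.com/v1","kind":"Alertmanager","metadata":{"name":"alertmanager-main"},"spec":{"replicas":3,
+          "securityContext":
+          {}}},{"apiVersion":"monitoring.coreos.com/v1","kind":"PrometheusRule","metadata":{"creationTimestamp":null,"labels":{"prometheus":"example","role":"alert-rules"},"name":"prometheus-example-rules"},"spec":{"groups":[{"name":"./example.rules","rules":[{"alert":"ExampleAlert","expr":"vector(1)"}]}]}}]
+        capabilities: Deep Insights
+        olm.operatorNamespace: {{ _namespace }}
+        containerImage: 'quay.io/coreos/prometheus-operator:v0.32.0'
+        createdAt: '2019-09-04 12:00:00'
+        categories: Monitoring
+        description: >-
+          Manage the full lifecycle of configuring and managing Prometheus and
+          Alertmanager servers.
+        olm.operatorGroup: {{ _namespace }}
+    spec:
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+      restartPolicy: Always
+      serviceAccountName: prometheus-operator
+      schedulerName: default-scheduler
+      terminationGracePeriodSeconds: 30
+      securityContext: {}
+      containers:
+        - resources:
+            limits:
+              cpu: 200m
+              memory: 100Mi
+            requests:
+              cpu: 100m
+              memory: 50Mi
+          terminationMessagePath: /dev/termination-log
+          name: prometheus-operator
+          env:
+            - name: NAMESPACES
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: 'metadata.annotations[''olm.targetNamespaces'']'
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          imagePullPolicy: IfNotPresent
+          terminationMessagePolicy: File
+          image: >-
+            quay.io/coreos/prometheus-operator@sha256:ed3ec0597c2d5b7102a7f62c661a23d8e4b34d910693fc23fd40bfb1d9404dcf
+          args:
+            - '-namespaces=$(NAMESPACES)'
+            - '-manage-crds=false'
+            - '-logtostderr=true'
+            - >-
+              --config-reloader-image=quay.io/coreos/configmap-reload@sha256:e2fd60ff0ae4500a75b80ebaa30e0e7deba9ad107833e8ca53f0047c42c5a057
+            - >-
+              --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader@sha256:f1e57817dcfdb2c76e8a154b39180c6c8f3f16b990fe9cc41bee34cca0784a64
+      serviceAccount: prometheus-operator
+      dnsPolicy: ClusterFirst
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 25%
+      maxSurge: 25%
+  revisionHistoryLimit: 10
+  progressDeadlineSeconds: 600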
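Review bot: The set of namespaces this operator watches is read from the pod annotation `olm.targetNamespaces` through the `NAMESPACES` fieldRef, so its scope now depends on a hand-maintained, unquoted template value rather than on anything OLM sets. If `{{ _namespace }}` ever renders empty, `-namespaces=$(NAMESPACES)` receives an empty list, which I believe the operator treats as "all namespaces"; that is worth confirming against this operator version. Reading the pod's own namespace with `fieldPath: metadata.namespace`, as the Grafana operator template does for `WATCH_NAMESPACE`, removes the dependency on the annotation; quoting the annotation value, `olm.targetNamespaces: "{{ _namespace }}"`, is the smaller alternative.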
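--- /dev/null
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/prometheus/operator/rolebinding.j2
@@ -0,0 +1,12 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: prometheusoperator.0.32.0-bhpxn-prometheus-operator-nqj8j
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-operator
+    namespace: {{ _namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prometheusoperator.0.32.0-bhpxn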
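--- /dev/null
+++ b/ansible/roles/ocp4-workload-pam-fraudmanagement-workshop/templates/prometheus/operator/rolebinding2.j2
@@ -0,0 +1,12 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: prometheusoperator.0.32.0-tgc4f-prometheus-k8s-rgm68
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-k8s
+    namespace: {{ _namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prometheusoperator.0.32.0-tgc4f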