ansible/configs/archive/ocp-demo-lab/post_software.yml | ●●●●● patch | view | raw | blame | history | |
ansible/configs/archive/ocp-storage-cns_based_on_ocp-workshop/post_software.yml | ●●●●● patch | view | raw | blame | history | |
ansible/configs/ocp-workshop/post_software.yml | ●●●●● patch | view | raw | blame | history | |
ansible/configs/rhte-ocp-workshop/post_software.yml | ●●●●● patch | view | raw | blame | history | |
ansible/roles/host-lets-encrypt-certs/README.md | ●●●●● patch | view | raw | blame | history | |
ansible/roles/ocp-infra-nexus/README.md | ●●●●● patch | view | raw | blame | history | |
ansible/roles/ocp-infra-nexus/defaults/main.yml | ●●●●● patch | view | raw | blame | history | |
ansible/roles/ocp-infra-nexus/files/nexus2-persistent-template.yaml | ●●●●● patch | view | raw | blame | history | |
ansible/roles/ocp-infra-nexus/files/nexus3-persistent-template.yaml | ●●●●● patch | view | raw | blame | history | |
ansible/roles/ocp-infra-nexus/tasks/main.yml | ●●●●● patch | view | raw | blame | history |
ansible/configs/archive/ocp-demo-lab/post_software.yml
@@ -129,7 +129,7 @@ - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" run_once: true roles: - { role: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-nexus", desired_project: "{{admin_project}}", nexus_version: "2" } - { role: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-nexus", nexus_project: "{{admin_project}}"} tags: - env-specific - install_nexus ansible/configs/archive/ocp-storage-cns_based_on_ocp-workshop/post_software.yml
@@ -378,7 +378,7 @@ vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" roles: - { role: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-nexus", desired_project: "{{admin_project}}", nexus_version: "3" } - { role: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-nexus", nexus_project: "{{admin_project}}" } tags: - env-specific - install_nexus ansible/configs/ocp-workshop/post_software.yml
@@ -511,8 +511,7 @@ - include_role: name: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-nexus" vars: desired_project: "{{admin_project}}" nexus_version: "3" nexus_project: "{{admin_project}}" when: install_nexus|d(False)|bool tags: - env-specific ansible/configs/rhte-ocp-workshop/post_software.yml
@@ -530,8 +530,7 @@ - include_role: name: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-nexus" vars: desired_project: "{{admin_project}}" nexus_version: "3" nexus_project: "{{admin_project}}" when: install_nexus|d(False)|bool tags: - env-specific ansible/roles/host-lets-encrypt-certs/README.md
@@ -16,42 +16,21 @@ Role Variables -------------- *acme_domain*: "" domain name for which to request a certificate _Limitation_: Curently only *one* domain name can be requested. *acme_wildcard_domain*: "" Wildcard domain name for which to request a certificate *acme_aws_access_key*: "" AWS Access Key for Route53 (Only for Wildcard Domains) *acme_aws_secret_access_key*: "" AWS Secret Access Key for Route53 (Only for Wildcard Domains) *acme_additional_args*: "" additional arguments for the Acme script *acme_remote_dir*: "/root" The directoroy on the remote host in which to install acme.sh *acme_cache_cert_file*: "/tmp/ssl.cert" *acme_cache_key_file*: "/tmp/ssl.key" *acme_cache_ca_file*: "/tmp/ssl_ca.cer" *acme_archive_file*: /tmp/acme.tar.gz" Local (to the host ansible is running on) cache of certificates Prevents re-requesting certificates for later runs of the playbook when the domains haven't changed. acme.tar.gz will contain the entire .acme.sh directory so that it can be restored for future runs on new machines with the same domain names. *acme_production*: False Use the Production Let's Encrypt Server. Leave to False for testing runs to prevent issues with the Let's Encrypt rate limits *acme_renew_automatically*: False Install a cron job to automatically renew Certificates. Checks once a day. *acme_force_issue*: False Force the creation of new certificates even if there are a) certificates already on the host or b) certificates in the local cache |Variable Name|Required|Default Value|Description |------------ |----------- |-----------|----------- |*acme_domain*|Yes|"" |Domain name for which to request a certificate. _Limitation_: Curently only *one* domain name can be requested. 
|*acme_wildcard_domain*|No|""|Wildcard domain name for which to request a certificate |*acme_aws_access_key*|No |"" |AWS Access Key for Route53 (Only for Wildcard Domains) |*acme_aws_secret_access_key*|No| "" |AWS Secret Access Key for Route53 (Only for Wildcard Domains) |*acme_additional_args*|No |"" |Additional arguments for the Acme script |*acme_remote_dir*|Yes| "/root"| The directoroy on the remote host in which to install acme.sh |*acme_cache_cert_file*|Yes| "/tmp/ssl.cert"| Local Cache File for Certificate |*acme_cache_key_file*|Yes| "/tmp/ssl.key"|Local Cache File for Key |*acme_cache_ca_file*|Yes| "/tmp/ssl_ca.cer"|Local Cache File for CA Certificate |*acme_archive_file*|Yes| "/tmp/acme.tar.gz"| Local (to the host ansible is running on) cache of certificates. Prevents re-requesting certificates for later runs of the playbook when the domains haven't changed. acme.tar.gz will contain the entire .acme.sh directory so that it can be restored for future runs on new machines with the same domain names. |*acme_production*|Yes|False|Use the Production Let's Encrypt Server. Leave to False for testing runs to prevent issues with the Let's Encrypt rate limits |*acme_renew_automatically*|Yes|False|Install a cron job to automatically renew Certificates. Checks once a day. |*acme_force_issue*|Yes|False|Force the creation of new certificates even if there are certificates already on the host or certificates in the local cache Dependencies @@ -64,6 +43,7 @@ Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: ``` - name: Request Let's Encrypt Static Certificates hosts: server gather_facts: False @@ -119,3 +99,4 @@ - acme_local_cache_ca_file: "/tmp/server_ca.cer" - acme_renew_automatically: False - acme_force_issue: False ``` ansible/roles/ocp-infra-nexus/README.md
@@ -1,38 +1,33 @@ Role Name ocp-infra-nexus ========= A brief description of the role goes here. This role installs a Sonatype Nexus 3 on an OpenShift Cluster. Requirements ------------ Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. Running OpenShift 3.9 or higher Cluster Role Variables -------------- A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. All variables are optional. If a variable is not passed when calling the role the defaults are being used. Dependencies ------------ A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. |Variable Name|Required|Default Value |------------ |----------- |----------- |*nexus_project*|Yes|nexus |*nexus_project_display_name*|Yes|Sonatype Nexus |*nexus_volume_capacity*|Yes|10Gi |*nexus_memory_request*|Yes|2Gi |*nexus_memory_limit*|Yes|6Gi |*nexus_cpu_request*|Yes|1 |*nexus_cpu_limit*|Yes|4 |*nexus_version*|Yes|3.12.1 Example Playbook ---------------- Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - hosts: servers - hosts: masters run_once: true roles: - { role: username.rolename, x: 42 } License ------- BSD Author Information ------------------ An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
- { role: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-nexus", nexus_project: "sonatype-nexus" } ansible/roles/ocp-infra-nexus/defaults/main.yml
New file @@ -0,0 +1,9 @@ --- nexus_project: "nexus" nexus_project_display_name: "Sonatype Nexus" nexus_volume_capacity: 10Gi nexus_memory_request: 2Gi nexus_memory_limit: 6Gi nexus_cpu_request: "1" nexus_cpu_limit: "4" nexus_version: "3.12.1" ansible/roles/ocp-infra-nexus/files/nexus2-persistent-template.yaml
File was deleted ansible/roles/ocp-infra-nexus/files/nexus3-persistent-template.yaml
@@ -31,12 +31,7 @@ selector: deploymentconfig: ${SERVICE_NAME} strategy: rollingParams: intervalSeconds: 1 maxSurge: 25% maxUnavailable: 0 timeoutSeconds: 600 updatePeriodSeconds: 1 recreateParams: post: failurePolicy: Abort execNewPod: @@ -45,7 +40,7 @@ - "/bin/bash" - "-c" - "curl -o /tmp/nexus-functions -s https://raw.githubusercontent.com/OpenShiftDemos/nexus/master/scripts/nexus-functions; source /tmp/nexus-functions; add_nexus3_redhat_repos admin admin123 http://${SERVICE_NAME}:8081" type: Rolling type: Recreate template: metadata: labels: @@ -83,9 +78,11 @@ timeoutSeconds: 1 resources: limits: memory: ${MAX_MEMORY} memory: ${MEMORY_LIMIT} cpu: ${CPU_LIMIT} requests: memory: 512Mi memory: ${MEMORY_REQUEST} cpu: ${CPU_REQUEST} terminationMessagePath: /dev/termination-log volumeMounts: - mountPath: /nexus-data @@ -164,8 +161,23 @@ name: VOLUME_CAPACITY required: true value: 2Gi - description: Max memory allocated to the Nexus pod displayName: Max Memory name: MAX_MEMORY - description: Memory Limit allocated to the Nexus pod displayName: Memory Limit name: MEMORY_LIMIT required: true value: 1Gi value: 3Gi - description: Memory Request allocated to the Nexus pod displayName: Memory Request name: MEMORY_REQUEST required: true value: 1Gi - description: CPU Limit allocated to the Nexus pod displayName: CPU Limit name: CPU_LIMIT required: true value: "2" - description: CPU Request allocated to the Nexus pod displayName: CPU Request name: CPU_REQUEST required: true value: "1" ansible/roles/ocp-infra-nexus/tasks/main.yml
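Review bot: Changing the strategy to `type: Recreate` activates the `recreateParams.post` lifecycle hook that was inert while the strategy was `type: Rolling`, so the context line `curl -o /tmp/nexus-functions -s https://raw.githubusercontent.com/OpenShiftDemos/nexus/master/scripts/nexus-functions; source /tmp/nexus-functions; add_nexus3_redhat_repos admin admin123 …` now runs on every deployment. That hook downloads an unpinned script from a moving branch at deploy time and executes it in the pod, and the template carries the default admin credentials in clear text; pinning the script to a tag or commit (or shipping it in the image) and moving the credentials into template parameters would make the hook reproducible and reviewable. Separately, `ansible/roles/ocp-infra-nexus/tasks/main.yml` in this commit passes `--param=NEXUS_VERSION={{ nexus_version }}` to this template, but no `NEXUS_VERSION` parameter is visible in the parameters hunk — if it is not defined elsewhere in the file, `oc new-app` will reject the unknown parameter. Both the DeploymentConfig and the parameters list extend outside the hunks shown.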
@@ -1,29 +1,39 @@ --- ## Sonatype Nexus Install ## - name: Check if Nexus project exists command: "oc get project {{ nexus_project }}" register: nexus_project_exists ignore_errors: true - name: Create Nexus Project if it doesn't yet exist command: "oc new-project {{ nexus_project }} --display-name='{{ nexus_project_display_name }}'" when: - nexus_project_exists is failed - name: Check if Nexus was already provisioned command: "oc get service nexus -n {{desired_project}}" command: "oc get service nexus -n {{ nexus_project}}" register: nexus_already_installed ignore_errors: true changed_when: false - name: Copy Nexus template to master copy: src: files/nexus{{nexus_version}}-persistent-template.yaml src: files/nexus3-persistent-template.yaml dest: /root/nexus-template.yaml when: nexus_already_installed is failed when: - nexus_already_installed is failed ### We should add a check if a pv is already created (nexus requests a 10Gi pv) - name: Instantiate Nexus from template command: "oc new-app -f /root/nexus-template.yaml --param=VOLUME_CAPACITY=10Gi --param=MAX_MEMORY=8Gi -n {{desired_project}}" command: "oc new-app -f /root/nexus-template.yaml --param=VOLUME_CAPACITY={{ nexus_volume_capacity }} --param=MEMORY_LIMIT={{ nexus_memory_limit }} --param=MEMORY_REQUEST={{ nexus_memory_request }} --param=CPU_LIMIT={{ nexus_cpu_limit }} --param=CPU_REQUEST={{ nexus_cpu_request}} --param=NEXUS_VERSION={{ nexus_version }} -n {{ nexus_project }}" when: nexus_already_installed is failed # looks like we need a better check - it seems we're ready up to several # seconds before the router finds out about us, so we might want another # http check to make sure nexus is responding - name: Wait for Nexus to be running command: "oc get dc/nexus -o yaml -n {{desired_project}}" command: "oc get dc/nexus -o yaml -n {{ nexus_project }}" register: result until: '"availableReplicas: 1" in result.stdout' retries: 5
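Review bot: The new `Check if Nexus project exists` task runs a read-only `oc get project` with `ignore_errors: true` but, unlike the sibling `Check if Nexus was already provisioned` task, has no `changed_when: false`, so every run reports a change; add `changed_when: false` under `register: nexus_project_exists`. The `nexus_project_exists is failed` condition also treats any failure of `oc get project` (expired login, unreachable API server) as "project absent" and proceeds to `oc new-project`, which then fails with a less useful error; a `failed_when` that distinguishes the server's not-found response from other errors would keep the check honest. The `--display-name='{{ nexus_project_display_name }}'` value relies on shell-style quoting inside a `command` string, which breaks if the display name contains an apostrophe; the `argv` form of `command` avoids that. The `Wait for Nexus to be running` task continues past the end of the hunk.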