ansible/roles/ocp4-workload-rhsso-foundations/README.adoc
New file @@ -0,0 +1,37 @@ = ocp4-workload-rhsso-foundations Role for GPTE Application Security Foundations course == Role overview === Deploy a Workload with the `ocp-workload` playbook [Mostly for testing] ---- TARGET_HOST="bastion.opentlc.com" OCP_USERNAME="kubeadmin" WORKLOAD="ocp4-workload-rhsso-foundations" # a TARGET_HOST is specified in the command line, without using an inventory file ansible-playbook -i ${TARGET_HOST}, ./configs/ocp-workloads/ocp-workload.yml \ -e"ansible_user=replace-redhat.com" \ -e"ansible_ssh_pass=replace" \ -e"ocp_username=${OCP_USERNAME}" \ -e"ocp_workload=${WORKLOAD}" \ -e"ACTION=create" ---- === To Delete an environment ---- TARGET_HOST="bastion.opentlc.com" OCP_USERNAME="kubeadmin" WORKLOAD="ocp4-workload-summit2020-kogito-lab" # a TARGET_HOST is specified in the command line, without using an inventory file ansible-playbook -i ${TARGET_HOST}, ./configs/ocp-workloads/ocp-workload.yml \ -e"ansible_user=replace-redhat.com" \ -e"ansible_ssh_pass=replace" \ -e"ocp_username=${OCP_USERNAME}" \ -e"ocp_workload=${WORKLOAD}" \ -e"ACTION=remove" ---- ansible/roles/ocp4-workload-rhsso-foundations/defaults/main.yml
New file @@ -0,0 +1,24 @@ --- become_override: False ocp_username: system:admin silent: False ocp_user_needs_quota: True quota_requests_cpu: 8 quota_limits_cpu: 16 quota_requests_memory: '16Gi' quota_limits_memory: '48Gi' quota_configmaps: 6 quota_pods: 16 quota_persistentvolumeclaims: 8 quota_services: 15 quota_secrets: 50 quota_requests_storage: 10Gi limitrange_limit_cpu: 500m limitrange_limit_memory: 512Mi limitrange_request_cpu: 200m limitrange_request_memory: 256Mi ansible/roles/ocp4-workload-rhsso-foundations/tasks/main.yml
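Review bot: The booleans `become_override: False`, `silent: False` and `ocp_user_needs_quota: True` use capitalised YAML 1.1 literals; write them as `become_override: false`, `silent: false`, `ocp_user_needs_quota: true` so yamllint's truthy rule and YAML 1.2 parsers agree on the type. Quoting of quantities is also inconsistent: `quota_requests_storage: 10Gi` and the four `limitrange_*` values are plain while `quota_requests_memory: '16Gi'` is quoted; all of them are strings either way, so pick one form for the file. `ocp_username: system:admin` is a placeholder for a cluster-admin identity that namespace-admin-rb.j2 later binds to the `admin` ClusterRole, so a comment such as `# overridden by -e ocp_username=…; the default only makes sense for local testing` would make clear it is not meant to survive into a real run.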
New file @@ -0,0 +1,31 @@ --- # Do not modify this file - name: Running Pre Workload Tasks include_tasks: file: ./pre_workload.yml apply: become: "{{ become_override | bool }}" when: ACTION == "create" or ACTION == "provision" - name: Running Workload Tasks include_tasks: file: ./workload.yml apply: become: "{{ become_override | bool }}" when: ACTION == "create" or ACTION == "provision" - name: Running Post Workload Tasks include_tasks: file: ./post_workload.yml apply: become: "{{ become_override | bool }}" when: ACTION == "create" or ACTION == "provision" - name: Running Workload removal Tasks include_tasks: file: ./remove_workload.yml apply: become: "{{ become_override | bool }}" when: ACTION == "destroy" or ACTION == "remove" ansible/roles/ocp4-workload-rhsso-foundations/tasks/post_workload.yml
New file @@ -0,0 +1,8 @@ --- # Implement your Post Workload deployment tasks here # Leave this as the last task in the playbook. - name: post_workload tasks complete debug: msg: "Post-Workload Tasks completed successfully." when: not silent|bool ansible/roles/ocp4-workload-rhsso-foundations/tasks/pre_workload.yml
New file @@ -0,0 +1,12 @@ --- # Implement your Pre Workload deployment tasks here - name: Create user quota - clusterresourcequota k8s: state: present definition: "{{ lookup('template', role_path ~ '/templates/clusterresourcequota.j2' ) | from_yaml }}" # Leave this as the last task in the playbook. - name: pre_workload tasks complete debug: msg: "Pre-Workload tasks completed successfully." ansible/roles/ocp4-workload-rhsso-foundations/tasks/remove_workload.yml
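Review bot: The `Create user quota - clusterresourcequota` task runs unconditionally even though defaults/main.yml declares `ocp_user_needs_quota: True`; add `when: ocp_user_needs_quota | bool` to the task so the flag actually gates quota creation, and the same guard belongs on the quota removal task in remove_workload.yml. The closing `pre_workload tasks complete` debug also lacks the `when: not silent|bool` guard that post_workload.yml and remove_workload.yml carry, so `silent` suppresses only some of the completion messages (workload.yml has the same omission).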
New file @@ -0,0 +1,35 @@ --- # Implement your Workload removal tasks here - name: define ocp project for rhsso set_fact: ocp_project_sso: "rhsso-lab-{{ guid }}" - name: define ocp project for js application set_fact: ocp_project_js: "js-console-{{ guid }}" - name: delete project for user k8s: state: absent name: "{{ item }}" api_version: project.openshift.io/v1 kind: Project loop: - "{{ ocp_project_sso }}" - "{{ ocp_project_js }}" - name: remove user quota - clusterresourcequota k8s: state: absent name: "clusterquota-{{ ocp_username }}-{{ guid }}" kind: ClusterResourceQuota api_version: quota.openshift.io/v1 definition: "{{ lookup('template', role_path ~ '/templates/clusterresourcequota.j2' ) | from_yaml }}" # Leave this as the last task in the playbook. - name: remove_workload tasks complete debug: msg: "Remove Workload tasks completed successfully." when: not silent|bool ansible/roles/ocp4-workload-rhsso-foundations/tasks/workload.yml
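Review bot: The `remove user quota - clusterresourcequota` task specifies `name`, `kind` and `api_version` and also renders the whole template into `definition`; with `state: absent` only the identity is needed, and keeping both means deletion now depends on every `quota_*` variable rendering and on the two names agreeing, so drop `definition` (or drop the three identity keys) so the object's name has a single source. The two `set_fact` tasks for `ocp_project_sso` and `ocp_project_js` are duplicated verbatim in workload.yml; defining them once in defaults/main.yml (e.g. `ocp_project_sso: "rhsso-lab-{{ guid }}"`) keeps the create and remove paths from drifting. Project deletion is asynchronous, so if a re-run of the create path must succeed right after removal, `wait: true` on the `delete project for user` task is worth considering — confirm the k8s module version in use supports it.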
New file @@ -0,0 +1,56 @@ --- # Implement your Workload deployment tasks here - name: define ocp project for rhsso set_fact: ocp_project_sso: "rhsso-lab-{{ guid }}" - name: define ocp project for js application set_fact: ocp_project_js: "js-console-{{ guid }}" - name: create projects for user k8s: state: present definition: "{{ lookup('template', role_path ~ '/templates/namespace.j2' ) | from_yaml }}" vars: ocp_project: "{{ item }}" loop: - "{{ ocp_project_sso }}" - "{{ ocp_project_js }}" - name: delete existing limitrange k8s: state: absent namespace: "{{ item }}" name: "{{ item }}-core-resource-limits" api_version: v1 kind: LimitRange loop: - "{{ ocp_project_sso }}" - "{{ ocp_project_js }}" - name: create limitrange in namespace k8s: state: present namespace: "{{ item }}" definition: "{{ lookup('template', role_path ~ '/templates/limitrange.j2' ) | from_yaml }}" vars: ocp_project: "{{ item }}" loop: - "{{ ocp_project_sso }}" - "{{ ocp_project_js }}" - name: give user admin privileges in namespace k8s: state: present namespace: "{{ item }}" definition: "{{ lookup('template', role_path ~ '/templates/namespace-admin-rb.j2' ) | from_yaml }}" loop: - "{{ ocp_project_sso }}" - "{{ ocp_project_js }}" # Leave this as the last task in the playbook. - name: workload tasks complete debug: msg: "Workload Tasks completed successfully." ansible/roles/ocp4-workload-rhsso-foundations/templates/clusterresourcequota.j2
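Review bot: The `workload tasks complete` debug lacks the `when: not silent|bool` guard used by post_workload.yml and remove_workload.yml, so setting `silent` does not silence this message; add `when: not silent|bool` to it. The `delete existing limitrange` / `create limitrange in namespace` pair is a delete-then-create of the same object; `state: present` with the templated definition already updates an existing LimitRange in place as far as I can tell, so the delete task can go unless the intent is to wipe fields the template no longer sets — a short comment above it stating that intent would settle the question. The `set_fact` tasks for `ocp_project_sso` and `ocp_project_js` are repeated in remove_workload.yml; a single definition in defaults/main.yml would serve both.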
New file @@ -0,0 +1,26 @@ apiVersion: quota.openshift.io/v1 kind: ClusterResourceQuota metadata: name: clusterquota-{{ ocp_username }}-{{ guid }} labels: workload: ocp4-workload-rhsso-foundations spec: quota: hard: secrets: '{{ quota_secrets }}' persistentvolumeclaims: '{{ quota_persistentvolumeclaims }}' requests.memory: '{{ quota_requests_memory }}' pods: '{{ quota_pods }}' requests.storage: '{{ quota_requests_storage }}' limits.cpu: '{{ quota_limits_cpu }}' limits.memory: '{{ quota_limits_memory }}' configmaps: '{{ quota_configmaps }}' services: '{{ quota_services }}' requests.cpu: '{{ quota_requests_cpu }}' selector: annotations: openshift.io/requester: {{ ocp_username }} labels: matchLabels: workload: ocp4-workload-rhsso-foundations ansible/roles/ocp4-workload-rhsso-foundations/templates/limitrange.j2
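Review bot: `openshift.io/requester: {{ ocp_username }}` in the selector is an unquoted Jinja expansion, while namespace.j2 quotes the same value as `'{{ ocp_username }}'`; a username containing `: `, ` #` or a leading YAML indicator would change the parse and an empty expansion becomes `null`, so quote it here and likewise `name: {{ ocp_project }}-core-resource-limits` in limitrange.j2 and `name: {{ ocp_username }}-admin` / `name: {{ ocp_username }}` in namespace-admin-rb.j2. The selector sets both `annotations` and `labels`; as far as I recall a namespace must satisfy both when both are given, which namespace.j2 does because it writes the requester annotation and the `workload` label — a one-line comment above `selector:` recording that the quota is scoped to namespaces created by this role would make that coupling explicit for whoever next edits either template.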
New file @@ -0,0 +1,14 @@ --- apiVersion: v1 kind: LimitRange metadata: name: {{ ocp_project }}-core-resource-limits spec: limits: - default: memory: '{{ limitrange_limit_memory }}' cpu: '{{ limitrange_limit_cpu }}' defaultRequest: memory: '{{ limitrange_request_memory }}' cpu: '{{ limitrange_request_cpu }}' type: Container ansible/roles/ocp4-workload-rhsso-foundations/templates/namespace-admin-rb.j2
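Review bot: This template opens with `---` while the other three templates in the role (clusterresourcequota.j2, namespace.j2, namespace-admin-rb.j2) do not; both forms survive `from_yaml`, but the role should pick one. The LimitRange carries no `metadata.namespace` and relies on the `namespace:` argument of the `create limitrange in namespace` task in workload.yml, which is easy to miss when reading the template alone; a comment such as `# namespace is supplied by the k8s task that applies this template` above `metadata:` would document that dependency.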
New file @@ -0,0 +1,12 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ ocp_username }}-admin subjects: - kind: User apiGroup: rbac.authorization.k8s.io name: {{ ocp_username }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: admin ansible/roles/ocp4-workload-rhsso-foundations/templates/namespace.j2
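Review bot: The binding grants the `admin` ClusterRole to `{{ ocp_username }}` in each lab namespace, and `admin` also lets that user create and modify Roles and RoleBindings inside the namespace, which goes beyond what `edit` gives; if the course needs that, a comment above `roleRef:` such as `# admin (not edit) so the student can manage RoleBindings in their own project` records the decision, otherwise `edit` is the tighter choice. The metadata carries no `workload` label, unlike namespace.j2 and clusterresourcequota.j2, so the binding is not found by the same label selector the rest of the role uses; adding `labels: workload: ocp4-workload-rhsso-foundations` under `metadata:` keeps the role's objects uniform and easier to audit.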
New file @@ -0,0 +1,13 @@ apiVersion: v1 kind: Namespace metadata: annotations: openshift.io/description: '' openshift.io/display-name: '' openshift.io/requester: '{{ ocp_username }}' labels: workload: ocp4-workload-rhsso-foundations name: '{{ ocp_project }}' spec: finalizers: - kubernetes