ansible/configs/ocp4-workload-security-compliance-lab/requirements.yml
@@ -1,21 +1,21 @@ --- - src: siamaksade.openshift_common_facts name: openshift_commons_facts name: siamaksade.openshift_commons_facts - src: siamaksade.openshift_sonatype_nexus name: openshift_sonatype_nexus name: siamaksade.openshift_sonatype_nexus - src: siamaksade.openshift_gogs name: openshift_gogs name: siamaksade.openshift_gogs - src: siamaksade.openshift_jenkins name: openshift_jenkins name: siamaksade.openshift_jenkins - src: siamaksade.openshift_workshopper name: openshift_workshopper name: siamaksade.openshift_workshopper - src: siamaksade.openshift_coolstore name: openshift_coolstore name: siamaksade.openshift_coolstore - src: siamaksade.openshift_quay name: openshift_quay name: siamaksade.openshift_quay ansible/roles/ocp4-workload-security-compliance-lab/NOTES.txt
@@ -10,6 +10,7 @@ ansible-playbook install_galaxy_roles.yml -e env_type=ocp-workloads ### SCRIPT START GUID=8828 DOMAIN="cluster-${GUID}.${GUID}.openshiftworkshop.com" @@ -42,12 +43,11 @@ -e"ocp_workload=${WORKLOAD}" \ -e"guid=${GUID}" \ -e"ocp_user_needs_quota=true" \ -e"ocp_master=${MASTER_HOSTNAME}" \ -e"ocp_apps_domain=${APPS_DOMAIN}" \ -e"admin_project=${WORKSHOP_PROJECT}" \ -e"user_count=${NUM_USERS}" \ -e"num_users=${NUM_USERS}" \ -e"user_password=${USER_PASSWORD}" \ -e"gogs_password=${GOGS_PASSWORD}" \ -e"subdomain_base_suffix=${DOMAIN}" -e"ACTION=${ACTION}" ### SCRIPT END ansible/roles/ocp4-workload-security-compliance-lab/defaults/main.yml
@@ -1,12 +1,17 @@ --- # PROVIDED BY THE INFRA # Uncomment and set a value to take effect. Else, will use the defaults admin_project: ocp-security-workshop admin_project: ocp-workshop user_count_start: 1 user_count: 100 num_users: 50 #user_format: user%02d user_format: user%d user_password: "openshift" ocp_bastion: "bastion.{{ guid }}{{ subdomain_base_suffix }}" ocp_master: "master.{{ guid }}{{ subdomain_base_suffix }}" ocp_apps_domain: apps.{{ guid }}{{ subdomain_base_suffix }} ocp_user_needs_quota: "false" user_count: "{{ num_users }}" ## # VALUES SPECIFIC TO THIS WORKLOAD ansible/roles/ocp4-workload-security-compliance-lab/tasks/main.yml
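Review bot: The new side of defaults/main.yml appears to end up with a duplicate key: the hunk header `-1,12 +1,17` leaves room for only one removed line, yet both `admin_project: ocp-security-workshop` / `admin_project: ocp-workshop` and `user_count: 100` / `user_count: "{{ num_users }}"` are shown, so one of those pairs survives twice and Ansible's YAML loader will silently keep the last value; drop whichever line is stale. `user_password: "openshift"` also ships a plaintext credential as a role default, which every deployment that forgets to override it inherits — prefer leaving it undefined and failing early (for example an `assert` that `user_password is defined` in the role's tasks) with a comment such as `# user_password: must be supplied by the caller; no default on purpose`. Minor: `ocp_apps_domain: apps.{{ guid }}{{ subdomain_base_suffix }}` is the only templated value left unquoted while `ocp_bastion` and `ocp_master` are quoted; quote it for consistency.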
@@ -1,7 +1,8 @@ --- - set_fact: tmp_dir: "/tmp/{{ guid }}" user_count_end: "{{ (user_count_start | int) + (user_count | int) - 1 }}" user_count_end: "{{ (user_count_start | int) + (num_users | int) - 1 }}" - debug: msg: "Using {{tmp_dir}} as temp dir on bastion" @@ -10,6 +11,7 @@ - debug: msg: "Provisioning users from {{user_count_start}} to {{user_count_end}} with format {{user_format}}" - name: Running Pre Workload Tasks import_tasks: ./pre_workload.yml become: true ansible/roles/ocp4-workload-security-compliance-lab/tasks/per_user.yml
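Review bot: `become: true` on the new `Running Pre Workload Tasks` import escalates every task in pre_workload.yml to root, including any that only template files or call the `oc` client; that file is not part of this diff, so I cannot tell which tasks actually need it — consider moving `become: true` onto the individual tasks that require it, or at least state in the task name why the whole file runs privileged. Separately, `user_count_end` is now derived from `num_users` while defaults/main.yml still defines `user_count` (itself templated from `num_users`), so a one-line comment on the `set_fact` saying which variable is authoritative, e.g. `# num_users is the input; user_count is kept only for backward compatibility`, would help the next maintainer.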
@@ -43,7 +43,7 @@ - "{{ my_user }}-prod" - name: Create docker secret for quay command: "{{ openshift_cli }} create secret docker-registry quay --docker-server=quay-secure-quay-enterprise.apps.cluster-{{ guid }}.{{ guid }}.openshiftworkshop.com --docker-username=admin --docker-password=admin123 -n {{ my_user }}" command: "{{ openshift_cli }} create secret docker-registry quay --docker-server=quay-secure-quay-enterprise.{{ ocp_apps_domain }} --docker-username=admin --docker-password=admin123 -n {{ my_user }}" - name: Link secrets to service accounts command: "{{ openshift_cli }} secrets link {{ item }} quay -n {{ my_user }}" @@ -61,13 +61,20 @@ - name: Allow proper formatting of archived html in jenkins and install plugins command: "{{ openshift_cli }} set env dc/jenkins JENKINS_JAVA_OVERRIDES=-Dhudson.model.DirectoryBrowserSupport.CSP= -n {{ my_user }}" - name: Populate buildconfig template template: src: buildconfig.yml.j2 dest: "{{tmp_dir}}/files/buildconfig.yaml" mode: '0644' - name: Create build template command: "{{ openshift_cli }} create -f {{tmp_dir}}/files/buildconfig.yaml -n {{ my_user }}" tags: always ignore_errors: true - name: Create jenkins pipeline command: "{{ openshift_cli }} new-app ecommerce-build-template -p GUID={{ guid }} -p GOGS_USER={{ my_user }} -p SSH_PASSWORD={{ user_password }} -n {{ my_user }}" #command: "{{ openshift_cli }} new-app ecommerce-build-template -p GUID={{ guid }} -p GOGS_USER={{ my_user }} -p SSH_PASSWORD={{ user_password }} -n {{ my_user }}" command: "{{ openshift_cli }} new-app ecommerce-build-template -p BASTION={{ ocp_bastion }} -p APP_DOMAIN={{ ocp_apps_domain }} -p API_ENDPOINT={{ ocp_master }}:6443 -p GUID={{ guid }} -p GOGS_USER={{ my_user }} -p SSH_PASSWORD={{ admin_password }} -n {{ my_user }}" tags: always ignore_errors: true 
@@ -162,7 +169,7 @@ - name: create user on bastion for openscap user: name: "{{ my_user }}" password: "{{ user_password | password_hash('sha512') }}" password: "{{ admin_password | password_hash('sha512') }}" password_lock: no state: present append: yes ansible/roles/ocp4-workload-security-compliance-lab/templates/buildconfig.yml.j2
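Review bot: The rewritten `Create jenkins pipeline` command passes `{{ admin_password }}` on the `oc new-app` command line, so the value lands in Ansible's task output and any collected logs (and in the bastion's process list while the command runs); add `no_log: true` to that task, and the preceding `Create docker secret for quay` task deserves the same since it embeds `--docker-password=admin123`. Passing it as `SSH_PASSWORD` also writes it into the generated BuildConfig as a plain environment value, which anyone with read access to the user's project can retrieve — if the build strategy env supports a secret reference, prefer that over an inline value. The later hunk at line 169 reuses the same `admin_password` as the bastion login for every per-user account, so one shared credential now doubles as every user's shell password; confirm that is intended for the lab and note it in the task name. While there, `password_lock: no` and `append: yes` should be written `false` / `true`.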
File was renamed from ansible/roles/ocp4-workload-security-compliance-lab/files/buildconfig.yaml @@ -24,6 +24,12 @@ value: master - description: SSH Password name: SSH_PASSWORD - description: OCP Application domain name: APP_DOMAIN - description: bastion name: BASTION - description: OCP API Endpoint name: API_ENDPOINT objects: - apiVersion: v1 kind: BuildConfig @@ -40,7 +46,7 @@ runPolicy: Serial source: git: uri: http://gogs-ocp-workshop.apps.cluster-${GUID}.${GUID}.openshiftworkshop.com/${GOGS_USER}/SecurityDemos.git uri: http://gogs-ocp-workshop.{{ ocp_apps_domain }}/${GOGS_USER}/SecurityDemos.git ref: ${GIT_BRANCH} strategy: jenkinsPipelineStrategy: @@ -49,13 +55,19 @@ - name: JENKINS_GIT_BRANCH value: ${GIT_BRANCH} - name: JENKINS_GIT_URL value: http://gogs-ocp-workshop.apps.cluster-${GUID}.${GUID}.openshiftworkshop.com/${GOGS_USER}/SecurityDemos.git value: http://gogs-ocp-workshop.{{ ocp_apps_domain }}/${GOGS_USER}/SecurityDemos.git - name: JENKINS_GUID value: ${GUID} - name: JENKINS_GOGS_USER value: ${GOGS_USER} - name: JENKINS_SSH_PASSWORD value: ${SSH_PASSWORD} - name: JENKINS_BASTION value: ${BASTION} - name: JENKINS_APP_DOMAIN value: ${APP_DOMAIN} - name: JENKINS_OCP_API_ENDPOINT value: ${API_ENDPOINT} triggers: - generic: secret: ${GOGS_USER}-ecommerce-pipeline ansible/roles/ocp4-workload-security-compliance-lab/templates/daemon.json.j2
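Review bot: `JENKINS_SSH_PASSWORD: value: ${SSH_PASSWORD}` renders the password as a plain `value:` in the BuildConfig strategy env, so it is readable by anyone who can `oc get bc` in the project; if this strategy supports `valueFrom.secretKeyRef`, source it from a Secret, otherwise document the exposure in a Jinja comment at the top of the template. The template now declares an `APP_DOMAIN` parameter yet both git `uri:` lines use Jinja `{{ ocp_apps_domain }}` instead of `${APP_DOMAIN}`, so the two can diverge when someone overrides the parameter; pick one mechanism for the domain, and add a header such as `{# Rendered by Ansible: {{ }} is Jinja, ${ } is an OpenShift template parameter #}` so the mix is not mistaken for an error. The `uri:` also stays `http://` after the domain rewrite, so pipeline source is fetched without transport integrity — if the lab's Gogs route only exposes HTTP, a short comment saying so would pre-empt the question.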
@@ -1,3 +1,3 @@ { "insecure-registries" : ["image-registry-openshift-image-registry.apps.cluster-{{ guid }}.{{ guid }}.openshiftworkshop.com"] "insecure-registries" : ["image-registry-openshift-image-registry.{{ ocp_apps_domain }}"] }
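Review bot: The `insecure-registries` entry tells the Docker daemon to skip TLS verification (or accept plain HTTP) for the internal registry at `image-registry-openshift-image-registry.{{ ocp_apps_domain }}`, and nothing in the rendered file records why; JSON offers no comment syntax, so put the rationale (presumably a router certificate the bastion does not trust — confirm) in the `name:` of the task that deploys daemon.json or in the role README, and mention there whether trusting the router CA on the bastion would let this setting be dropped. For a security and compliance lab this is the first thing a learner will ask about, so the explanation is worth having next to the task.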