From 0d0d0e99169d9285f46b3fd5fc425843c42fff89 Mon Sep 17 00:00:00 2001 From: Jim Rigsbee <jimrigsbee@gmail.com> Date: Mon, 22 Jul 2019 20:30:22 +0200 Subject: [PATCH] Apply Let's Encrypt Certificates to local IdentityManager (#507) --- ansible/roles/ocp4-workload-idm/tasks/workload.yml | 58 +++++++++ ansible/roles/ocp4-workload-nexus-operator/defaults/main.yml | 4 ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.sh | 0 ansible/roles/ocp4-workload-nexus-operator/templates/operator.j2 | 6 ansible/roles/host-lets-encrypt-certs-certbot/defaults/main.yml | 4 ansible/roles/ocp4-workload-idm/files/LEAuthX3.pem | 27 ++++ ansible/roles/ocp4-workload-idm/files/DSTRootCAX3.pem | 20 +++ ansible/roles/ocp4-workload-nexus-operator/tasks/remove_workload.yml | 3 ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/router-certs.j2 | 0 ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml | 5 ansible/roles/ocp4-workload-idm/files/deploy_certs.sh | 4 /dev/null | 24 ---- ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.yml | 47 +++++++ ansible/roles/ocp4-workload-nexus-operator/tasks/workload.yml | 55 +++++++++ ansible/roles/ocp4-workload-nexus-operator/templates/opentlc-nexus.j2 | 2 ansible/roles/ocp4-workload-nexus-operator/templates/role.j2 | 8 + ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml | 28 --- ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml | 19 +++ ansible/roles/ocp4-workload-idm/files/deploy_certs.yml | 30 +++++ 19 files changed, 287 insertions(+), 57 deletions(-) diff --git a/ansible/roles/host-lets-encrypt-certs-certbot/defaults/main.yml b/ansible/roles/host-lets-encrypt-certs-certbot/defaults/main.yml index b715211..e0605ce 100644 --- a/ansible/roles/host-lets-encrypt-certs-certbot/defaults/main.yml +++ b/ansible/roles/host-lets-encrypt-certs-certbot/defaults/main.yml 
@@ -46,4 +46,6 @@ _certbot_force_issue: False # Internal Variable. Don't change -_certbot_setup_complete: false \ No newline at end of file +_certbot_setup_complete: false + +_certbot_cron_job_name: LETS_ENCRYPT_RENEW diff --git a/ansible/roles/host-lets-encrypt-certs-certbot/files/deploy_certs.yml b/ansible/roles/host-lets-encrypt-certs-certbot/files/deploy_certs.yml deleted file mode 100644 index 6a1a04e..0000000 --- a/ansible/roles/host-lets-encrypt-certs-certbot/files/deploy_certs.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -# This playbook redeploys Lets Encrypt certificates -# It does not renew the certs, which is done by the certbot cronjob. -# -# Please ensure CA and key have not changed. - -- hosts: localhost - gather_facts: no - become: no - tasks: - - name: Read Certificate - slurp: - src: "$HOME/certificates/fullchain.pem" - register: server_cert - - - name: Read Key - slurp: - src: "$HOME/certificates/privkey.pem" - register: server_key - - - name: Create Router Certificate - k8s: - state: present - definition: "{{ lookup('template', './router-certs.j2' ) | from_yaml }}" \ No newline at end of file diff --git a/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml b/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml index aaab94b..9596d8d 100644 --- a/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml +++ b/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml @@ -7,7 +7,7 @@ - name: Verify if AWS Credentials exist on the host when: _certbot_dns_provider is match('route53') stat: - path: "{{ _certbot_remote_dir }}/.aws/credentials" + path: "/home/{{ ansible_user }}/.aws/credentials" register: aws_credentials_result - name: Fail if AWS Credentials are not on the host 
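Review bot: The stat task in the `@@ -7,7 +7,7 @@` hunk now hard-codes `/home/{{ ansible_user }}/.aws/credentials`, so on a host whose home is not under `/home` (root, a system account) the check reports "missing" and the following fail task — whose body starts outside this hunk — aborts the run, while the route53 plugin (boto underneath) would also have accepted `AWS_SHARED_CREDENTIALS_FILE`, `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` or an instance profile, so the file's absence does not prove no credentials are available. Because the certbot tasks later in this role run with `become: False`, the home that matters is the connecting user's; prefer `ansible_user_dir` when facts are gathered, or make the location a role variable with this value as its default, e.g. `path: "{{ _certbot_aws_credentials_file | d('/home/' ~ ansible_user ~ '/.aws/credentials') }}"`. I cannot see how callers set facts for this role, so treat the variable name as a suggestion.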
@@ -15,7 +15,7 @@ msg: AWS Credentials are required when requesting certificates for a wildcard domain when: - _certbot_dns_provider is match('route53') - - aws_credentials_result.stat.exists == False + - aws_credentials_result.stat.exists == False - name: Set _certbot_wildcard_certs fact set_fact: @@ -74,22 +74,6 @@ - "{{ _certbot_dir }}/renewal-hooks" - "{{ _certbot_dir }}/renewal-hooks/deploy" - - name: Install redeploy hook scripts - copy: - src: ./files/deploy_certs.sh - dest: "{{ _certbot_dir }}/renewal-hooks/deploy/deploy_certs.sh" - mode: 0775 - owner: "{{ _certbot_remote_dir_owner }}" - - name: Install redeploy hook playbook and cert secret template - copy: - src: "./files/{{ item }}" - dest: "{{ _certbot_dir }}/renewal-hooks/deploy/{{ item }}" - mode: 0664 - owner: "{{ _certbot_remote_dir_owner }}" - loop: - - deploy_certs.yml - - router-certs.j2 - - name: Request Certificates from Let's Encrypt (force or no cache) when: - _certbot_force_issue|bool or not _certbot_setup_complete|bool @@ -104,7 +88,7 @@ debug: msg: >- About to request certificates using the following command: - certbot certonly -n --agree-tos --email {{ _certbot_le_email }} + certbot certonly -n --agree-tos --email {{ _certbot_le_email }} -d {{ _certbot_domain }} {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}} {{ (_certbot_production|bool)|ternary('','--test-cert') }} @@ -117,7 +101,7 @@ - name: Request API and Wildcard Certificates become: False shell: >- - certbot certonly -n --agree-tos --email {{ _certbot_le_email }} + certbot certonly -n --agree-tos --email {{ _certbot_le_email }} -d {{ _certbot_domain }} {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}} {{ (_certbot_production|bool)|ternary('','--test-cert') }} 
@@ -177,8 +161,6 @@ - name: Install crontab to renew certificates when they expire become: False cron: - name: LETS_ENCRYPT_RENEW + name: "{{ _certbot_cron_job_name }}" special_time: daily job: "certbot renew {{ _certbot_additional_args|d(_certbot_args)|d('') }} --config-dir={{ _certbot_dir }}/config --work-dir={{ _certbot_dir }}/work --logs-dir={{ _certbot_dir }}/logs --quiet > /dev/null" -# --deploy-hook /path/to/deploy-hook-script -# You can also specify hooks by placing files in subdirectories of Certbot���s configuration directory. Assuming your configuration directory is /etc/letsencrypt, any executable files found in /etc/letsencrypt/renewal-hooks/pre, /etc/letsencrypt/renewal-hooks/deploy, and /etc/letsencrypt/renewal-hooks/post will be run as pre, deploy, and post hooks respectively when any certificate is renewed with the renew subcommand. These hooks are run in alphabetical order and are not run for other subcommands. (The order the hooks are run is determined by the byte value of the characters in their filenames and is not dependent on your locale.) diff --git a/ansible/roles/host-lets-encrypt-certs-certbot/files/deploy_certs.sh b/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.sh similarity index 100% rename from ansible/roles/host-lets-encrypt-certs-certbot/files/deploy_certs.sh rename to ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.sh diff --git a/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.yml b/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.yml new file mode 100644 index 0000000..45248f9 --- /dev/null +++ b/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.yml 
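Review bot: The renew job still passes `--config-dir={{ _certbot_dir }}/config`, and certbot discovers automatic hooks relative to the config dir (the comment deleted in this same hunk states it: `<config-dir>/renewal-hooks/deploy`), so if I read that correctly the hooks that the consuming roles in this patch install under `.../certbot/renewal-hooks/deploy` sit one level above where `certbot renew` looks and never run after a renewal. Making the hook explicit removes the ambiguity: add an optional `_certbot_deploy_hook` default and append `{{ (_certbot_deploy_hook|d('')|length>0)|ternary('--deploy-hook ' ~ _certbot_deploy_hook, '') }}` to `job:`, or at minimum restore a one-line comment, `# automatic deploy hooks are discovered under <config-dir>/renewal-hooks/deploy, not under _certbot_dir`. The cron task runs with `become: False`, so the removal task elsewhere in this patch should match that.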
@@ -0,0 +1,47 @@ +--- +# This playbook redeploys Lets Encrypt certificates +# It does not renew the certs, which is done by the certbot cronjob. +# +# Please ensure CA and key have not changed. + +- hosts: localhost + gather_facts: no + become: no + vars: + - _certbot_install_dir: "/home/{{ ansible_user }}/certificates" + - _certbot_remote_dir: "/home/{{ ansible_user }}" + - _certbot_dir: "{{ _certbot_remote_dir }}/certbot" + tasks: + - name: Determine API server hostname + shell: "oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././'" + register: api_hostname + + - name: Compute domain name + set_fact: + _certbot_domain: "{{ api_hostname.stdout }}" + + - name: Install certificates + copy: + src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}" + dest: "{{ _certbot_install_dir }}/{{ item }}" + remote_src: yes + loop: + - "cert.pem" + - "fullchain.pem" + - "chain.pem" + - "privkey.pem" + + - name: Read Certificate + slurp: + src: "$HOME/certificates/fullchain.pem" + register: server_cert + + - name: Read Key + slurp: + src: "$HOME/certificates/privkey.pem" + register: server_key + + - name: Create Router Certificate + k8s: + state: present + definition: "{{ lookup('template', './router-certs.j2' ) | from_yaml }}" diff --git a/ansible/roles/host-lets-encrypt-certs-certbot/files/router-certs.j2 b/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/router-certs.j2 similarity index 100% rename from ansible/roles/host-lets-encrypt-certs-certbot/files/router-certs.j2 rename to ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/router-certs.j2 diff --git a/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml b/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml index 72e8bd0..db80a8a 100644 --- a/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml 
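Review bot: The `Install certificates` task copies `privkey.pem` with no `mode:`, so the private key for the router/API certificate lands in `~/certificates/` with whatever the default mode is (typically 0644), readable by every local account, whereas certbot keeps it owner-only under `config/live`. This playbook is also executed by certbot from cron with `hosts: localhost` and `gather_facts: no`, where `ansible_user` is normally undefined unless inventory or `ansible.cfg` sets it, so the `vars:` block may fail to render — and the `slurp` tasks use `$HOME` while the copies use `/home/{{ ansible_user }}`, two spellings of the same directory. Split the key out with an explicit owner-only mode as below, and add `changed_when: false` to the `oc whoami` shell task so the hook does not report a change on every run.
```yaml
  - name: Install public certificate files
    copy:
      src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}"
      dest: "{{ _certbot_install_dir }}/{{ item }}"
      remote_src: yes
      mode: "0644"
    loop:
      - "cert.pem"
      - "fullchain.pem"
      - "chain.pem"

  - name: Install private key (owner-only)
    copy:
      src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/privkey.pem"
      dest: "{{ _certbot_install_dir }}/privkey.pem"
      remote_src: yes
      mode: "0600"
  # … unchanged: slurp tasks and router secret creation …
```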
+++ b/ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml @@ -45,10 +45,27 @@ - _certbot_use_cache: True - _certbot_force_issue: False - _certbot_production: True + - _certbot_cron_job_name: LETS_ENCRYPT_RENEW # production false results in unusable certificates # (not possible to login to OCP) # - _certbot_production: "{{ lets_encrypt_production|d(False)|bool}}" + - name: Install redeploy hook scripts + copy: + src: ./files/deploy_certs.sh + dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/deploy_certs.sh" + mode: 0775 + owner: "{{ ansible_user }}" + - name: Install redeploy hook playbook and cert secret template + copy: + src: "./files/{{ item }}" + dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/{{ item }}" + mode: 0664 + owner: "{{ ansible_user }}" + loop: + - deploy_certs.yml + - router-certs.j2 + - name: Read Certificate slurp: src: "$HOME/certificates/fullchain.pem" @@ -73,4 +90,4 @@ - name: workload tasks complete debug: msg: "Workload Tasks completed successfully." - when: not silent|bool \ No newline at end of file + when: not silent|bool diff --git a/ansible/roles/ocp4-workload-idm/files/DSTRootCAX3.pem b/ansible/roles/ocp4-workload-idm/files/DSTRootCAX3.pem new file mode 100644 index 0000000..b2e43c9 --- /dev/null +++ b/ansible/roles/ocp4-workload-idm/files/DSTRootCAX3.pem 
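Review bot: `deploy_certs.sh` is installed with `mode: 0775` and `owner:` but no `group:`, so it is group-writable — anyone in that group can edit a script that certbot later runs with this user's `oc` session (cluster-admin, given it replaces the router certificate); use `mode: "0755"` for the script and `"0644"` for the playbook/template and set `group: "{{ ansible_user }}"` explicitly. Separately, the destination `/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/` is `_certbot_dir` plus `renewal-hooks`, while the included role renews with `--config-dir={{ _certbot_dir }}/config`; certbot looks for automatic hooks under the config dir, so unless the include sets `_certbot_dir` differently than I assume these hooks are never executed. Quoting the mode (`"0755"`) also avoids relying on YAML 1.1 octal parsing.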
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow +PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD +Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O +rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq +OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b +xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw +7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD +aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV +HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG +SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 +ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr +AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz +R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 +JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo +Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ +-----END CERTIFICATE----- diff --git a/ansible/roles/ocp4-workload-idm/files/LEAuthX3.pem b/ansible/roles/ocp4-workload-idm/files/LEAuthX3.pem new file mode 100644 index 0000000..0002462 --- /dev/null +++ b/ansible/roles/ocp4-workload-idm/files/LEAuthX3.pem 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow +SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT +GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF +q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 +SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 +Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA +a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj +/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T +AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG +CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv +bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k +c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw +VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC +ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz +MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu +Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF +AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo +uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ +wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu +X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG +PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 +KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== +-----END CERTIFICATE----- diff --git a/ansible/roles/ocp4-workload-idm/files/deploy_certs.sh b/ansible/roles/ocp4-workload-idm/files/deploy_certs.sh new file mode 100644 index 0000000..f760add --- /dev/null +++ b/ansible/roles/ocp4-workload-idm/files/deploy_certs.sh 
@@ -0,0 +1,4 @@ +#!/bin/bash +ansible-playbook ./deploy_certs.yml \ + -e "_certbot_domain={{ idm_dns_name }}" \ + -e "idm_dm_password={{ idm_dm_password }}" diff --git a/ansible/roles/ocp4-workload-idm/files/deploy_certs.yml b/ansible/roles/ocp4-workload-idm/files/deploy_certs.yml new file mode 100644 index 0000000..b71b315 --- /dev/null +++ b/ansible/roles/ocp4-workload-idm/files/deploy_certs.yml @@ -0,0 +1,30 @@ +--- +# This playbook redeploys Lets Encrypt certificates +# It does not renew the certs, which is done by the certbot cronjob. +# +# Please ensure CA and key have not changed. + +- hosts: localhost + gather_facts: no + become: no + vars: + - _certbot_install_dir: "/home/{{ ansible_user }}/idm/certificates" + - _certbot_dir: "/home/{{ ansible_user }}/idm/certbot" + tasks: + + - name: Install certificates + copy: + src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}" + dest: "{{ _certbot_install_dir }}/{{ item }}" + remote_src: yes + loop: + - "cert.pem" + - "fullchain.pem" + - "chain.pem" + - "privkey.pem" + + - name: Install IPA Certificate + shell: | + ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p {{ idm_dm_password }} --pin='' + ipactl restart + become: True diff --git a/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml b/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml index 828b033..1a37780 100644 --- a/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml +++ b/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml @@ -55,6 +55,11 @@ zone: "{{ cluster_name }}{{ subdomain_base_suffix }}." vpc_id: "{{ cluster_vpc.vpcs[0].vpc_id }}" +- name: Remove Certificate renewal cronjob + cron: + name: LETS_ENCRYPT_RENEW_IDM + state: absent + # Leave this as the last task in the playbook. - name: remove_workload tasks complete debug: 
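Review bot: `idm_dm_password` is rendered into this hook script at template time and then passed on the `ansible-playbook` command line, so the Directory Manager password is stored on disk in a file the workload installs with `mode: 0775` (world-readable) and is visible in `ps` to every local user while the hook runs. Keep the secret out of both places: have the role write a `deploy_certs_secrets.yml` with `mode: "0600"` and pass it with `-e @`. The hook also references `./deploy_certs.yml` relative to the current directory, and as far as I know certbot does not chdir into `renewal-hooks/deploy` before executing hooks, so resolve the path from the script's own location.
```bash
#!/bin/bash
# certbot runs deploy hooks without changing directory; anchor paths on this script.
cd "$(dirname "$0")" || exit 1
ansible-playbook ./deploy_certs.yml \
  -e "_certbot_domain={{ idm_dns_name }}" \
  -e @./deploy_certs_secrets.yml
```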
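Review bot: The `Install IPA Certificate` task puts `idm_dm_password` on the `ipa-server-certinstall -p` command line inside a `shell:` task with no `no_log: true`, so the password appears in Ansible's task output and log files as well as in the process list for the duration of the command; add `no_log: true` to that task (and keep the password out of the script that launches this playbook). The `Install certificates` loop copies `privkey.pem` without a `mode:`, leaving the IdM TLS private key at whatever default the copy module applies — give that file `mode: "0600"` in its own task. This playbook also uses `become: True` when invoked from the certbot cron job, which presumably requires passwordless sudo for `ansible_user`; worth a comment if that is the intended setup.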
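Review bot: The new `Remove Certificate renewal cronjob` task has no `become:` setting, while the job it undoes is installed by the certbot role with `become: False` into `ansible_user`'s crontab; if this playbook runs privileged (the workload counterpart sets `become_override: yes`), the removal edits root's crontab, finds nothing, and the user's `LETS_ENCRYPT_RENEW_IDM` job keeps running against a decommissioned IdM host. Add `become: false` to the task, and consider taking the name from the same `_certbot_cron_job_name` value the workload passes rather than repeating the literal.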
diff --git a/ansible/roles/ocp4-workload-idm/tasks/workload.yml b/ansible/roles/ocp4-workload-idm/tasks/workload.yml
index a26b1e0..0f4d660 100644
--- a/ansible/roles/ocp4-workload-idm/tasks/workload.yml
+++ b/ansible/roles/ocp4-workload-idm/tasks/workload.yml
@@ -10,6 +10,64 @@ vars: become_override: yes +# /home/{{ ansible_user }}/.aws/credentials needs to exist before calling this role +- name: Create Let's Encrypt Certificates + include_role: + name: host-lets-encrypt-certs-certbot + vars: + - _certbot_domain: "{{ idm_dns_name }}" + - _certbot_wildcard_domain: "{{cluster_name}}{{subdomain_base_suffix}}" + - _certbot_dns_provider: "route53" + - _certbot_remote_dir: "/home/{{ ansible_user }}/idm" + - _certbot_remote_dir_owner: "{{ ansible_user }}" + - _certbot_install_dir: "/home/{{ ansible_user }}/idm/certificates" + - _certbot_install_dir_owner: "{{ ansible_user }}" + - _certbot_cache_archive_file: "{{ output_dir|d('/tmp') }}/{{ guid }}-idm-certs.tar.gz" + - _certbot_renew_automatically: True + - _certbot_use_cache: True + - _certbot_force_issue: False + - _certbot_production: True + - _certbot_cron_job_name: LETS_ENCRYPT_RENEW_IDM + +- name: Get Root CA + copy: + src: ./files/DSTRootCAX3.pem + dest: /tmp/DSTRootCAX3.pem + +- name: Get Intermediate CA + copy: + src: ./files/LEAuthX3.pem + dest: /tmp/LEAuthX3.pem + +- name: Install CAs + shell: | + echo {{ idm_admin_password }} | kinit admin + ipa-cert-manage -p {{ idm_dm_password }} install /tmp/DSTRootCAX3.pem -n DSTRootCAX3 -t C,, + ipa-cert-manage -p {{ idm_dm_password }} install /tmp/LEAuthX3.pem -n LEAuthX3 -t C,, + ipa-certupdate -v + become: True + +- name: Install IPA Certificate + shell: | + ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p {{ idm_dm_password }} --pin='' + ipactl restart + become: True + +- name: Install redeploy hook scripts + template: + src: ./files/deploy_certs.sh + dest: "/home/{{ ansible_user }}/idm/certbot/renewal-hooks/deploy/deploy_certs.sh" + mode: 0775 + owner: "{{ ansible_user }}" +- name: Install redeploy hook ansible components + copy: + src: "./files/{{ item }}" + dest: "/home/{{ ansible_user }}/idm/certbot/renewal-hooks/deploy/{{ item 
}}" + mode: 0664 + owner: "{{ ansible_user }}" + loop: + - deploy_certs.yml + # Find public IP of bastion - name: Gather VPC facts ec2_vpc_net_facts: diff --git a/ansible/roles/ocp4-workload-nexus-operator/defaults/main.yml b/ansible/roles/ocp4-workload-nexus-operator/defaults/main.yml index 83ea521..3bbf1a1 100644 --- a/ansible/roles/ocp4-workload-nexus-operator/defaults/main.yml +++ b/ansible/roles/ocp4-workload-nexus-operator/defaults/main.yml @@ -12,4 +12,6 @@ _nexus_cpu_request: 1 _nexus_cpu_limit: 2 _nexus_memory_request: 2Gi -_nexus_memory_limit: 2Gi \ No newline at end of file +_nexus_memory_limit: 2Gi + +_nexus_deploy_nexus_instance: True diff --git a/ansible/roles/ocp4-workload-nexus-operator/tasks/remove_workload.yml b/ansible/roles/ocp4-workload-nexus-operator/tasks/remove_workload.yml index 002c079..8d18043 100644 --- a/ansible/roles/ocp4-workload-nexus-operator/tasks/remove_workload.yml +++ b/ansible/roles/ocp4-workload-nexus-operator/tasks/remove_workload.yml @@ -5,7 +5,8 @@ k8s: state: absent definition: "{{ lookup('template', './templates/opentlc-nexus.j2' ) | from_yaml }}" - + when: _nexus_deploy_nexus_instance|bool + - name: Wait 15 seconds for the Nexus to disappear wait_for: timeout=15 delegate_to: localhost diff --git a/ansible/roles/ocp4-workload-nexus-operator/tasks/workload.yml b/ansible/roles/ocp4-workload-nexus-operator/tasks/workload.yml index 42655e1..4314340 100644 --- a/ansible/roles/ocp4-workload-nexus-operator/tasks/workload.yml +++ b/ansible/roles/ocp4-workload-nexus-operator/tasks/workload.yml 
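Review bot: `Install CAs` pins a checked-in copy of one specific Let's Encrypt intermediate (`LEAuthX3.pem`) into IdM's trust store; the validity period encoded in that file appears to end in March 2021, and Let's Encrypt rotates intermediates, so once a renewal is issued under a different intermediate `ipa-server-certinstall` (and the deploy hook) will fail chain validation. Install the intermediate that actually issued the certificate instead — certbot writes it next to the key — e.g. `ipa-cert-manage -p {{ idm_dm_password }} install {{ _certbot_install_dir }}/chain.pem -n LEIntermediate -t C,,`, and keep only the root in `files/`. The same task echoes `idm_admin_password` into `kinit` and passes `idm_dm_password` via `-p` in a `shell:` block without `no_log: true`, so both secrets land in Ansible output; add `no_log: true` to the `Install CAs` and `Install IPA Certificate` tasks. Staging the CA files under a fixed name in `/tmp` before installing them as trusted with `become: True` is also hijackable by any local user who creates that path first; use a directory owned by the user (e.g. `/home/{{ ansible_user }}/idm/certificates/`) instead. The `{{ item` / `}}"` split across the two source lines looks like a paste artefact rather than a change.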
@@ -19,7 +19,60 @@ - ./templates/role.j2 - ./templates/role_binding.j2 - ./templates/operator.j2 - - ./templates/opentlc-nexus.j2 + +- name: Deploy default Nexus instance + when: _nexus_deploy_nexus_instance|bool + block: + - name: Create OpenShift Custom Resource for Nexus Instance + k8s: + state: present + merge_type: + - strategic-merge + - merge + definition: "{{ lookup('template', './templates/opentlc-nexus.j2' ) | from_yaml }}" + - name: Wait for Nexus Pod to start creating + pause: + seconds: 10 + - name: Wait for Nexus Pod to start + k8s: + api_version: v1 + kind: Pod + name: "{{ _nexus_name }}" + namespace: "{{ _nexus_operator_project }}" + register: nexus_pod + until: + - nexus_pod.result is defined + - nexus_pod.result.status.phase == "Running" + retries: 50 + delay: 10 + changed_when: false + - name: Wait for the Nexus Pod to be ready + k8s: + api_version: v1 + kind: Pod + name: "{{ _nexus_name }}" + namespace: "{{ _nexus_operator_project }}" + register: nexus_pod + until: + - nexus_pod.result.status.containerStatuses[0].ready|d(False)|bool + retries: 50 + delay: 10 + changed_when: false + - name: Get Admin password + k8s: + api_version: gpte.opentlc.com/v1alpha1 + kind: Nexus + name: "{{ _nexus_name }}" + namespace: "{{ _nexus_operator_project }}" + register: nexus_cr + until: + - nexus_cr.result.status.admin_password is defined + retries: 25 + delay: 5 + changed_when: false + - name: Display Nexus password + debug: + msg: "user.info: Nexus password is {{ nexus_cr.result.status.admin_password }}" # Leave this as the last task in the playbook. - name: workload tasks complete diff --git a/ansible/roles/ocp4-workload-nexus-operator/templates/opentlc-nexus.j2 b/ansible/roles/ocp4-workload-nexus-operator/templates/opentlc-nexus.j2 index f8db894..63e50a7 100644 --- a/ansible/roles/ocp4-workload-nexus-operator/templates/opentlc-nexus.j2 +++ b/ansible/roles/ocp4-workload-nexus-operator/templates/opentlc-nexus.j2 
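Review bot: The `Wait for Nexus Pod to start` loop guards `nexus_pod.result is defined` but then dereferences `nexus_pod.result.status.phase`; while the pod does not exist yet the `k8s` module returns an empty `result`, so the `until` expression raises on the missing `status` key instead of retrying (the second loop gets this right with `|d(False)`). Change the condition to `- nexus_pod.result.status.phase|d('') == "Running"` and drop the `is defined` line. `Display Nexus password` intentionally prints the admin password with a `user.info:` prefix, which I assume is how these workloads relay credentials to the requester; note that the registered `nexus_cr` also carries it, so a `-v` run dumps the whole CR — `no_log: true` on `Get Admin password` keeps the secret to the one deliberate line.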
@@ -10,4 +10,4 @@ nexusCpuRequest: "{{ _nexus_cpu_request }}" nexusCpuLimit: "{{ _nexus_cpu_limit }}" nexusMemoryRequest: "{{ _nexus_memory_request }}" - nexusMemoryLimit: "{{ _nexus_memory_limit }}" \ No newline at end of file + nexusMemoryLimit: "{{ _nexus_memory_limit }}" diff --git a/ansible/roles/ocp4-workload-nexus-operator/templates/operator.j2 b/ansible/roles/ocp4-workload-nexus-operator/templates/operator.j2 index 491cd7e..1d110da 100644 --- a/ansible/roles/ocp4-workload-nexus-operator/templates/operator.j2 +++ b/ansible/roles/ocp4-workload-nexus-operator/templates/operator.j2 @@ -20,14 +20,14 @@ - /usr/local/bin/ao-logs - /tmp/ansible-operator/runner - stdout - image: quay.io/wkulhanek/nexus-operator:v0.8.1 + image: quay.io/gpte-devops-automation/nexus-operator:v0.9 imagePullPolicy: Always volumeMounts: - mountPath: /tmp/ansible-operator/runner name: runner readOnly: true - name: operator - image: quay.io/wkulhanek/nexus-operator:v0.8.1 + image: quay.io/gpte-devops-automation/nexus-operator:v0.9 imagePullPolicy: Always volumeMounts: - mountPath: /tmp/ansible-operator/runner @@ -43,4 +43,4 @@ value: "nexus-operator" volumes: - name: runner - emptyDir: {} \ No newline at end of file + emptyDir: {} diff --git a/ansible/roles/ocp4-workload-nexus-operator/templates/role.j2 b/ansible/roles/ocp4-workload-nexus-operator/templates/role.j2 index 245d872..cb22b6f 100644 --- a/ansible/roles/ocp4-workload-nexus-operator/templates/role.j2 +++ b/ansible/roles/ocp4-workload-nexus-operator/templates/role.j2 @@ -6,6 +6,12 @@ - apiGroups: - "" resources: + - pods/exec + verbs: + - create +- apiGroups: + - "" + resources: - pods - services - endpoints @@ -26,7 +32,7 @@ resources: - namespaces verbs: - - get + - get - apiGroups: - apps resources: -- Gitblit v1.9.3
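Review bot: The `role.j2` hunk grants `create` on `pods/exec`, which lets the operator's service account run arbitrary commands inside every pod in the namespace — a considerably broader privilege than the get/list/watch rules around it, and it cannot be narrowed with `resourceNames` for dynamically named pods. Presumably the operator now execs into the Nexus container to read the generated admin password (the workload in this patch starts reading `status.admin_password`), but the template does not say so; add `# pods/exec: the operator execs into the Nexus pod to read the generated admin password` above the rule and confirm there is no narrower route (a mounted secret, or an init step that writes the password to the CR). The rules list begins before this hunk.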