itx_rs_deploy workinggit add .

playbooks/deploy_itx_rs.yml

@@ -0,0 +1,7 @@
+- name: Deploy IBM Transformation
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  any_errors_fatal: true
+  roles:
+    - itx_rs_deploy

roles/itx_rs_deploy/README.md

@@ -1,13 +1,7 @@
-# Role SSP CM
+# Role ITX RS
 
+```bash
+export ITX_RS_NAMESPACE=ibm-itx-rs-dev01
 
-SSP_CM_NAMESPACE
-
-SSP_CM_VERSION: 6.1.0.0.06
-
-
-
-SSP_CM_LICENSETYPE:
- default value: non-prod
-
-suported values: prod or no-prod
+ansible-playbook playbooks/deploy_itx_rs.yml
+```

roles/itx_rs_deploy/defaults/main.yml

@@ -39,7 +39,7 @@ storage_class_matrix:
   redhat:
     rwx: "ocs-storagecluster-cephfs"
     rwx_nogid: "ocs-storagecluster-cephfs"
-    rwo: "ocs-storagecluster-ceph-rbd"
+    rwo: "ocs-storagecluster-cephfs" # "ocs-storagecluster-ceph-rbd"
     rom: ""
     rwop: ""
   aws:

roles/itx_rs_deploy/tasks/02_create_namespace_secrets.yml

@@ -39,15 +39,3 @@
       data:
         .dockerconfigjson: "{{ new_secret | to_json | b64encode }}"
 
-- name: "Generate ITX RS secret '{{ itx_rs_secret }}'"
-  no_log: true
-  kubernetes.core.k8s:
-    definition:
-      apiVersion: v1
-      kind: Secret
-      type: Opaque
-      metadata:
-        name: "{{ itx_rs_secret }}"
-        namespace: "{{ itx_rs_namespace }}"
-      data:
-        sysPassphrase: "{{ itx_rs_sys_passphrase | b64encode }}"

roles/itx_rs_deploy/tasks/03_apply_pod_security.yml

@@ -5,7 +5,7 @@
     state: absent
   with_items:
     - "{{ my_workdir }}/ibm-itx-rs-prod-{{ compatibility_matrix[itx_rs_version].helm_version }}.tgz"
-    - "{{ my_workdir }}/myitx_rs_values.yml"
+    # - "{{ my_workdir }}/myitx_rs_values.yml"
 
 - name: "Download Helm chart"
   ansible.builtin.get_url:
@@ -16,9 +16,68 @@
   until: download_cout is succeeded
   retries: 3
 
+# Check for Kubernetes Resources and APIs
+# -----------------------------------------------------------------------------
+- name: Get Cluster information
+  kubernetes.core.k8s_cluster_info:
+  register: k8s_cl_info
+
+- name: Check for SCC Resource
+  ansible.builtin.set_fact:
+    scc_resource: false
+    scc_apiversion: false
+    psp_resource: false
+    psp_apiversion: false
+
+- name: Check for SCC Resource
+  ansible.builtin.set_fact:
+    scc_resource: true
+  when: "'security.openshift.io/v1' in k8s_cl_info.apis"
+
+- name: Check if SCC API version
+  ansible.builtin.set_fact:
+    scc_apiversion: true
+  when:
+    - scc_resource
+    - "'SecurityContextConstraints' in k8s_cl_info.apis['security.openshift.io/v1']"
+
+- name: Check for PSP Resource
+  ansible.builtin.set_fact:
+    psp_resource: true
+  when: "'policy/v1beta1' in k8s_cl_info.apis"
+
+- name: Check if PSP API version
+  ansible.builtin.set_fact:
+    psp_apiversion: true
+  when:
+    - psp_resource
+    - "'PodSecurityPolicy' in k8s_cl_info.apis['policy/v1beta1']"
+
+# Debug
+# -----------------------------------------------------------------------------
+- name: Debug Apply Pod Security
+  ansible.builtin.debug:
+    msg:
+      - "scc_resource ................. {{ scc_resource }}"
+      - "scc_apiversion ............... {{ scc_apiversion }}"
+      - "psp_resource ................. {{ psp_apiversion }}"
+      - "psp_apiversion ............... {{ psp_apiversion }}"
+
 # Creating Pod Security Policy for Kubernetes Cluster
 # -----------------------------------------------------------------------------
 - name: Creating Security Context Constraints
   kubernetes.core.k8s:
     state: present
-    definition: "{{ lookup('file', 'files/clusterAdministration/ibm-itx-rs-scc.yaml') | from_yaml }}"
+    definition: "{{ lookup('file', 'files/ibm-itx-rs-scc.yaml') | from_yaml }}"
+  when: scc_resource and scc_apiversion
+
+- name: Add SCC to group for target namespace
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: security.openshift.io/v1
+      kind: SecurityContextConstraints
+      metadata:
+        name: ibm-itx-rs-scc
+      groups:
+        - "system:serviceaccounts:{{ itx_rs_namespace }}"

roles/itx_rs_deploy/tasks/05_install_itx_rs.yml

@@ -34,7 +34,7 @@
       - release=s0
     wait: true
     wait_sleep: 30
-    wait_timeout: 300 # 5 mins until we give up waiting for the pod to get into the expected state
+    wait_timeout: 600 # 10 mins until we give up waiting for the pod to get into the expected state
     wait_condition:
       type: Ready
       status: "True"
@@ -49,5 +49,5 @@
     msg:
       - "IBM Sterling ITX RS status ............................ Ready!"
       - "ITX RS namespace ...................................... {{ itx_rs_namespace }}"
-      - "Pod name ........................................... {{ itx_rs_pod_name }}"
-      - "For username and password check secret ............. {{ itx_rs_secret }}'"
+      - "Pod name .............................................. {{ itx_rs_pod_name }}"
+      - "For username and password check secret ................ {{ itx_rs_secret }}'"

roles/itxa_deploy/tasks/03_apply_pod_security.yml

@@ -16,9 +16,69 @@
   until: download_cout is succeeded
   retries: 3
 
+# Check for Kubernetes Resources and APIs
+# -----------------------------------------------------------------------------
+- name: Get Cluster information
+  kubernetes.core.k8s_cluster_info:
+  register: k8s_cl_info
+
+- name: Check for SCC Resource
+  ansible.builtin.set_fact:
+    scc_resource: false
+    scc_apiversion: false
+    psp_resource: false
+    psp_apiversion: false
+
+- name: Check for SCC Resource
+  ansible.builtin.set_fact:
+    scc_resource: true
+  when: "'security.openshift.io/v1' in k8s_cl_info.apis"
+
+- name: Check if SCC API version
+  ansible.builtin.set_fact:
+    scc_apiversion: true
+  when:
+    - scc_resource
+    - "'SecurityContextConstraints' in k8s_cl_info.apis['security.openshift.io/v1']"
+
+- name: Check for PSP Resource
+  ansible.builtin.set_fact:
+    psp_resource: true
+  when: "'policy/v1beta1' in k8s_cl_info.apis"
+
+- name: Check if PSP API version
+  ansible.builtin.set_fact:
+    psp_apiversion: true
+  when:
+    - psp_resource
+    - "'PodSecurityPolicy' in k8s_cl_info.apis['policy/v1beta1']"
+
+# Debug
+# -----------------------------------------------------------------------------
+- name: Debug Apply Pod Security
+  ansible.builtin.debug:
+    msg:
+      - "scc_resource ................. {{ scc_resource }}"
+      - "scc_apiversion ............... {{ scc_apiversion }}"
+      - "psp_resource ................. {{ psp_apiversion }}"
+      - "psp_apiversion ............... {{ psp_apiversion }}"
+
+
 # Creating Pod Security Policy for Kubernetes Cluster
 # -----------------------------------------------------------------------------
 - name: Creating Security Context Constraints
   kubernetes.core.k8s:
     state: present
-    definition: "{{ lookup('file', 'files/clusterAdministration/ibm-itxa-scc.yaml') | from_yaml }}"
+    definition: "{{ lookup('file', 'files/ibm-itxa-scc.yaml') | from_yaml }}"
+  when: scc_resource and scc_apiversion
+
+- name: Add SCC to group for target namespace
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: security.openshift.io/v1
+      kind: SecurityContextConstraints
+      metadata:
+        name: ibm-itx-rs-scc
+      groups:
+        - "system:serviceaccounts:{{ itxa_namespace }}"

roles/ssp_deploy/tasks/06_install_ssp.yml

@@ -62,7 +62,7 @@
   ansible.builtin.set_fact:
     ssp_pod_name: "{{ ssp_pod.resources[0].metadata.name }}"
 
-- name: "IBM Sterling SEAS Summary:"
+- name: "IBM Sterling Secure Proxy Summary:"
   ansible.builtin.debug:
     msg:
       - "IBM Sterling SSP status ............................ Ready!"