From 50ec5aef7363cf69ba55bca250ee1ef421fdf2c9 Mon Sep 17 00:00:00 2001 From: ebasso Date: Sat, 15 Jun 2024 18:23:00 -0300 Subject: [PATCH] itx_rs_deploy workinggit add . --- playbooks/deploy_itx_rs.yml | 7 +++ roles/itx_rs_deploy/README.md | 16 ++--- roles/itx_rs_deploy/defaults/main.yml | 2 +- .../ibm-itx-rs-scc.yaml | 0 .../tasks/02_create_namespace_secrets.yml | 12 ---- .../tasks/03_apply_pod_security.yml | 63 ++++++++++++++++++- .../itx_rs_deploy/tasks/05_install_itx_rs.yml | 6 +- .../tasks/03_apply_pod_security.yml | 62 +++++++++++++++++- roles/ssp_deploy/tasks/06_install_ssp.yml | 2 +- 9 files changed, 139 insertions(+), 31 deletions(-) create mode 100644 playbooks/deploy_itx_rs.yml rename roles/itx_rs_deploy/files/{clusterAdministration => }/ibm-itx-rs-scc.yaml (100%) diff --git a/playbooks/deploy_itx_rs.yml b/playbooks/deploy_itx_rs.yml new file mode 100644 index 0000000..168d2fe --- /dev/null +++ b/playbooks/deploy_itx_rs.yml @@ -0,0 +1,7 @@ +- name: Deploy IBM Transformation + hosts: localhost + connection: local + gather_facts: false + any_errors_fatal: true + roles: + - itx_rs_deploy diff --git a/roles/itx_rs_deploy/README.md b/roles/itx_rs_deploy/README.md index 60e0a16..4841ed3 100644 --- a/roles/itx_rs_deploy/README.md +++ b/roles/itx_rs_deploy/README.md @@ -1,13 +1,7 @@ -# Role SSP CM +# Role ITX RS +```bash +export ITX_RS_NAMESPACE=ibm-itx-rs-dev01 -SSP_CM_NAMESPACE - -SSP_CM_VERSION: 6.1.0.0.06 - - - -SSP_CM_LICENSETYPE: - default value: non-prod - -suported values: prod or no-prod \ No newline at end of file +ansible-playbook playbooks/deploy_itx_rs.yml +``` diff --git a/roles/itx_rs_deploy/defaults/main.yml b/roles/itx_rs_deploy/defaults/main.yml index 9422318..0aef59a 100644 --- a/roles/itx_rs_deploy/defaults/main.yml +++ b/roles/itx_rs_deploy/defaults/main.yml 
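Review bot: The new playbook playbooks/deploy_itx_rs.yml starts directly with the play list and has no `---` document-start marker, which yamllint's `document-start` rule expects and which the role's other files may already use; add `---` as the first line. The play name `Deploy IBM Transformation` also reads as truncated next to the role it runs, `itx_rs_deploy` — something like `- name: Deploy IBM Transformation Extender (ITX RS)` would match the README's wording; confirm the intended product name.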
@@ -39,7 +39,7 @@ storage_class_matrix: redhat: rwx: "ocs-storagecluster-cephfs" rwx_nogid: "ocs-storagecluster-cephfs" - rwo: "ocs-storagecluster-ceph-rbd" + rwo: "ocs-storagecluster-cephfs" # "ocs-storagecluster-ceph-rbd" rom: "" rwop: "" aws: diff --git a/roles/itx_rs_deploy/files/clusterAdministration/ibm-itx-rs-scc.yaml b/roles/itx_rs_deploy/files/ibm-itx-rs-scc.yaml similarity index 100% rename from roles/itx_rs_deploy/files/clusterAdministration/ibm-itx-rs-scc.yaml rename to roles/itx_rs_deploy/files/ibm-itx-rs-scc.yaml diff --git a/roles/itx_rs_deploy/tasks/02_create_namespace_secrets.yml b/roles/itx_rs_deploy/tasks/02_create_namespace_secrets.yml index bffe411..be81b9e 100644 --- a/roles/itx_rs_deploy/tasks/02_create_namespace_secrets.yml +++ b/roles/itx_rs_deploy/tasks/02_create_namespace_secrets.yml @@ -39,15 +39,3 @@ data: .dockerconfigjson: "{{ new_secret | to_json | b64encode }}" -- name: "Generate ITX RS secret '{{ itx_rs_secret }}'" - no_log: true - kubernetes.core.k8s: - definition: - apiVersion: v1 - kind: Secret - type: Opaque - metadata: - name: "{{ itx_rs_secret }}" - namespace: "{{ itx_rs_namespace }}" - data: - sysPassphrase: "{{ itx_rs_sys_passphrase | b64encode }}" diff --git a/roles/itx_rs_deploy/tasks/03_apply_pod_security.yml b/roles/itx_rs_deploy/tasks/03_apply_pod_security.yml index 98ee34d..953089c 100644 --- a/roles/itx_rs_deploy/tasks/03_apply_pod_security.yml +++ b/roles/itx_rs_deploy/tasks/03_apply_pod_security.yml @@ -5,7 +5,7 @@ state: absent with_items: - "{{ my_workdir }}/ibm-itx-rs-prod-{{ compatibility_matrix[itx_rs_version].helm_version }}.tgz" - - "{{ my_workdir }}/myitx_rs_values.yml" + # - "{{ my_workdir }}/myitx_rs_values.yml" - name: "Download Helm chart" ansible.builtin.get_url: 
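Review bot: The `redhat.rwo` entry now maps to `ocs-storagecluster-cephfs`, the same class as `rwx`, with the old `ocs-storagecluster-ceph-rbd` value left as a trailing comment and no reason given, so a reader cannot tell whether ceph-rbd is broken, unavailable, or meant to come back. Replace the parked value with the reason, e.g. `rwo: "ocs-storagecluster-cephfs"  # ceph-rbd not used for RWO here: <reason — fill in>`. The `storage_class_matrix` mapping starts outside the hunk.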
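Review bot: Commenting out the `myitx_rs_values.yml` entry in the cleanup task means a values file left by a previous run is no longer removed from `{{ my_workdir }}` before the chart is downloaded. Whether that matters depends on how 05_install_itx_rs.yml produces that file (not visible in this hunk): if it is templated fresh on every run the commented line is only dead text, and if it is rendered with credentials it now outlives the run on the control node. Either delete the line or state the reason for keeping the file, e.g. `# myitx_rs_values.yml is intentionally kept between runs: <reason — fill in>`. The `ansible.builtin.file` task that owns this `with_items` list starts outside the hunk.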
@@ -16,9 +16,68 @@ until: download_cout is succeeded retries: 3 +# Check for Kubernetes Resources and APIs +# ----------------------------------------------------------------------------- +- name: Get Cluster information + kubernetes.core.k8s_cluster_info: + register: k8s_cl_info + +- name: Check for SCC Resource + ansible.builtin.set_fact: + scc_resource: false + scc_apiversion: false + psp_resource: false + psp_apiversion: false + +- name: Check for SCC Resource + ansible.builtin.set_fact: + scc_resource: true + when: "'security.openshift.io/v1' in k8s_cl_info.apis" + +- name: Check if SCC API version + ansible.builtin.set_fact: + scc_apiversion: true + when: + - scc_resource + - "'SecurityContextConstraints' in k8s_cl_info.apis['security.openshift.io/v1']" + +- name: Check for PSP Resource + ansible.builtin.set_fact: + psp_resource: true + when: "'policy/v1beta1' in k8s_cl_info.apis" + +- name: Check if PSP API version + ansible.builtin.set_fact: + psp_apiversion: true + when: + - psp_resource + - "'PodSecurityPolicy' in k8s_cl_info.apis['policy/v1beta1']" + +# Debug +# ----------------------------------------------------------------------------- +- name: Debug Apply Pod Security + ansible.builtin.debug: + msg: + - "scc_resource ................. {{ scc_resource }}" + - "scc_apiversion ............... {{ scc_apiversion }}" + - "psp_resource ................. {{ psp_apiversion }}" + - "psp_apiversion ............... 
{{ psp_apiversion }}" + # Creating Pod Security Policy for Kubernetes Cluster # ----------------------------------------------------------------------------- - name: Creating Security Context Constraints kubernetes.core.k8s: state: present - definition: "{{ lookup('file', 'files/clusterAdministration/ibm-itx-rs-scc.yaml') | from_yaml }}" + definition: "{{ lookup('file', 'files/ibm-itx-rs-scc.yaml') | from_yaml }}" + when: scc_resource and scc_apiversion + +- name: Add SCC to group for target namespace + kubernetes.core.k8s: + state: present + definition: + apiVersion: security.openshift.io/v1 + kind: SecurityContextConstraints + metadata: + name: ibm-itx-rs-scc + groups: + - "system:serviceaccounts:{{ itx_rs_namespace }}" diff --git a/roles/itx_rs_deploy/tasks/05_install_itx_rs.yml b/roles/itx_rs_deploy/tasks/05_install_itx_rs.yml index c44c4c2..ca2c799 100644 --- a/roles/itx_rs_deploy/tasks/05_install_itx_rs.yml +++ b/roles/itx_rs_deploy/tasks/05_install_itx_rs.yml @@ -34,7 +34,7 @@ - release=s0 wait: true wait_sleep: 30 - wait_timeout: 300 # 5 mins until we give up waiting for the pod to get into the expected state + wait_timeout: 600 # 10 mins until we give up waiting for the pod to get into the expected state wait_condition: type: Ready status: "True" @@ -49,5 +49,5 @@ msg: - "IBM Sterling ITX RS status ............................ Ready!" - "ITX RS namespace ...................................... {{ itx_rs_namespace }}" - - "Pod name ........................................... {{ itx_rs_pod_name }}" - - "For username and password check secret ............. {{ itx_rs_secret }}'" + - "Pod name .............................................. {{ itx_rs_pod_name }}" + - "For username and password check secret ................ {{ itx_rs_secret }}'" diff --git a/roles/itxa_deploy/tasks/03_apply_pod_security.yml b/roles/itxa_deploy/tasks/03_apply_pod_security.yml index 138a90e..79c57c9 100644 --- a/roles/itxa_deploy/tasks/03_apply_pod_security.yml 
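Review bot: The `Add SCC to group for target namespace` task has no `when: scc_resource and scc_apiversion` guard, unlike the `Creating Security Context Constraints` task directly above it, so on a cluster that does not serve `security.openshift.io/v1` it submits an unknown kind and the run fails there; the same applies to the matching hunk in roles/itxa_deploy/tasks/03_apply_pod_security.yml. Because `kubernetes.core.k8s` patches an existing resource and `groups` is a plain list on the SCC, each run most likely replaces the list with the single `system:serviceaccounts:{{ itx_rs_namespace }}` entry rather than appending to it, dropping any namespace granted by an earlier run or by `files/ibm-itx-rs-scc.yaml` itself — confirm against the module's merge behaviour for this kind. `system:serviceaccounts:<namespace>` also grants the constraint to every service account in the namespace; if the chart's service account name is known, `users: - system:serviceaccount:{{ itx_rs_namespace }}:<sa name — fill in>` is the narrower grant. Minor: the debug line `"psp_resource ................. {{ psp_apiversion }}"` should print `{{ psp_resource }}`, and the first `Check for SCC Resource` task only initializes the four facts, so a distinct name such as `Initialize pod security facts` would stop the duplicate task name from confusing the log.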
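Review bot: The summary still directs the operator to `{{ itx_rs_secret }}` for the username and password, but this same commit removes the `Generate ITX RS secret` task in roles/itx_rs_deploy/tasks/02_create_namespace_secrets.yml that created that secret, so unless the Helm chart now creates it (not visible here) the message points at a secret that does not exist. The reformatted line also keeps the stray `'` after the variable; the line should read `- "For username and password check secret ................ {{ itx_rs_secret }}"`. The `ansible.builtin.debug` task that owns this `msg` list starts outside the hunk.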
+++ b/roles/itxa_deploy/tasks/03_apply_pod_security.yml 
@@ -16,9 +16,69 @@ until: download_cout is succeeded retries: 3 +# Check for Kubernetes Resources and APIs +# ----------------------------------------------------------------------------- +- name: Get Cluster information + kubernetes.core.k8s_cluster_info: + register: k8s_cl_info + +- name: Check for SCC Resource + ansible.builtin.set_fact: + scc_resource: false + scc_apiversion: false + psp_resource: false + psp_apiversion: false + +- name: Check for SCC Resource + ansible.builtin.set_fact: + scc_resource: true + when: "'security.openshift.io/v1' in k8s_cl_info.apis" + +- name: Check if SCC API version + ansible.builtin.set_fact: + scc_apiversion: true + when: + - scc_resource + - "'SecurityContextConstraints' in k8s_cl_info.apis['security.openshift.io/v1']" + +- name: Check for PSP Resource + ansible.builtin.set_fact: + psp_resource: true + when: "'policy/v1beta1' in k8s_cl_info.apis" + +- name: Check if PSP API version + ansible.builtin.set_fact: + psp_apiversion: true + when: + - psp_resource + - "'PodSecurityPolicy' in k8s_cl_info.apis['policy/v1beta1']" + +# Debug +# ----------------------------------------------------------------------------- +- name: Debug Apply Pod Security + ansible.builtin.debug: + msg: + - "scc_resource ................. {{ scc_resource }}" + - "scc_apiversion ............... {{ scc_apiversion }}" + - "psp_resource ................. {{ psp_apiversion }}" + - "psp_apiversion ............... 
{{ psp_apiversion }}" + + # Creating Pod Security Policy for Kubernetes Cluster # ----------------------------------------------------------------------------- - name: Creating Security Context Constraints kubernetes.core.k8s: state: present - definition: "{{ lookup('file', 'files/clusterAdministration/ibm-itxa-scc.yaml') | from_yaml }}" + definition: "{{ lookup('file', 'files/ibm-itxa-scc.yaml') | from_yaml }}" + when: scc_resource and scc_apiversion + +- name: Add SCC to group for target namespace + kubernetes.core.k8s: + state: present + definition: + apiVersion: security.openshift.io/v1 + kind: SecurityContextConstraints + metadata: + name: ibm-itx-rs-scc + groups: + - "system:serviceaccounts:{{ itxa_namespace }}" diff --git a/roles/ssp_deploy/tasks/06_install_ssp.yml b/roles/ssp_deploy/tasks/06_install_ssp.yml index 6c05b8b..a61b7e2 100644 --- a/roles/ssp_deploy/tasks/06_install_ssp.yml +++ b/roles/ssp_deploy/tasks/06_install_ssp.yml @@ -62,7 +62,7 @@ ansible.builtin.set_fact: ssp_pod_name: "{{ ssp_pod.resources[0].metadata.name }}" -- name: "IBM Sterling SEAS Summary:" +- name: "IBM Sterling Secure Proxy Summary:" ansible.builtin.debug: msg: - "IBM Sterling SSP status ............................ Ready!"
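Review bot: The `Add SCC to group for target namespace` task patches an SCC named `ibm-itx-rs-scc` while this role loads `files/ibm-itxa-scc.yaml` and targets `{{ itxa_namespace }}`, which looks like a copy-paste from roles/itx_rs_deploy; unless that file also declares an SCC called `ibm-itx-rs-scc`, the ITXA namespace's service accounts are granted the ITX RS constraint and the ITXA constraint receives no grant at all. Change the name to the one declared in the file, presumably `name: ibm-itxa-scc` — verify against `files/ibm-itxa-scc.yaml`. The missing `when: scc_resource and scc_apiversion` guard on this task and the swapped `psp_resource` debug value raised on the roles/itx_rs_deploy hunk apply here unchanged.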