From 4a4e66566d8915ae2d38768aa3efc1ab177c6124 Mon Sep 17 00:00:00 2001 From: KAROL CZARNECKI Date: Fri, 24 Nov 2023 15:18:47 +0000 Subject: [PATCH 1/8] [patch] add new parameter for predict CPD_WOS_DATAMART_ID this parameter is needed for correct setup of IBM Watson OpenScale instance --- docs/playbooks/oneclick-predict.md | 1 + ibm/mas_devops/roles/suite_app_config/defaults/main.yml | 3 +++ .../roles/suite_app_config/vars/defaultspecs/predict.yml | 3 +++ 3 files changed, 7 insertions(+) diff --git a/docs/playbooks/oneclick-predict.md b/docs/playbooks/oneclick-predict.md index 99d16221f..477815ea8 100644 --- a/docs/playbooks/oneclick-predict.md +++ b/docs/playbooks/oneclick-predict.md @@ -56,6 +56,7 @@ As of MAS 8.10, predict 8.8.0 will start to support SPSS Modeler, to install SPS - `CPD_INSTALL_SPARK` True/False - If you HAVE Spark already installed in your cluster you can skip this variable as `False` is set default - `CPD_INSTALL_OPENSCALE` True/False - If you HAVE Openscale already installed in your cluster you can skip this variable as `False` is set default - `CPD_INSTALL_SPSS` True/False - If you HAVE SPSS Modeler already installed in your cluster you can skip this variable as `False` is set default +- `CPD_WOS_DATAMART_ID` - Ensure a Datamart ID Text box has a valid IBM Watson OpenScale instance database schema in following format `00000000-0000-0000-0000-1692782854779995` ## Usage diff --git a/ibm/mas_devops/roles/suite_app_config/defaults/main.yml b/ibm/mas_devops/roles/suite_app_config/defaults/main.yml index d03ea6049..71dba7ba9 100644 --- a/ibm/mas_devops/roles/suite_app_config/defaults/main.yml +++ b/ibm/mas_devops/roles/suite_app_config/defaults/main.yml 
@@ -34,3 +34,6 @@ cpd_wsl_project_name: "{{ lookup('env', 'CPD_WSL_PROJECT_NAME') | default('wsl-m # Watson Machine Learning (Predict) cpd_wml_instance_id: "{{ lookup('env', 'CPD_WML_INSTANCE_ID') | default('openshift', true) }}" cpd_wml_url: "{{ lookup('env', 'CPD_WML_URL') | default('https://internal-nginx-svc.ibm-cpd.svc:12443', true) }}" + +# Monitoring and Testing Service (Predict) +cpd_wos_datamart_id: "{{ lookup('env', 'CPD_WOS_DATAMART_ID') | default('', true) }}" diff --git a/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml b/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml index 1f49e1d51..6685e8ead 100644 --- a/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml +++ b/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml @@ -5,6 +5,9 @@ mas_appws_spec: jdbc: "{{ mas_appws_bindings_jdbc | default( 'system' , true) }}" watsonstudio: system settings: + mat: + datamartid: "{{ cpd_wos_datamart_id }}" + install: true watsonstudio: projectid: "{{ cpd_wsl_project_id }}" wml: From cc09d627ff9841ccb82410e77f6b2551f01b3f00 Mon Sep 17 00:00:00 2001 From: KAROL CZARNECKI Date: Mon, 27 Nov 2023 10:23:08 +0000 Subject: [PATCH 2/8] [patch] update description for cpd_wos_datamart_id --- ibm/mas_devops/roles/suite_app_config/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ibm/mas_devops/roles/suite_app_config/defaults/main.yml b/ibm/mas_devops/roles/suite_app_config/defaults/main.yml index 71dba7ba9..3649a1c7a 100644 --- a/ibm/mas_devops/roles/suite_app_config/defaults/main.yml +++ b/ibm/mas_devops/roles/suite_app_config/defaults/main.yml 
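Review bot: `install: true` under `settings.mat` in defaultspecs/predict.yml is hard-coded, while `datamartid` comes from `cpd_wos_datamart_id`, whose default in the defaults/main.yml hunk is the empty string. A run without `CPD_WOS_DATAMART_ID` therefore appears to submit an enabled `mat` section with an empty id, and nothing visible in either hunk checks the value against the format given in the docs hunk. Consider failing early in the role when the variable is empty or malformed, or deriving the flag, e.g. `install: "{{ cpd_wos_datamart_id | length > 0 }}"`. Whether the Predict operator tolerates an empty `datamartid` is not visible here, and the `mas_appws_spec` mapping starts and ends outside the hunk.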
@@ -35,5 +35,5 @@ cpd_wsl_project_name: "{{ lookup('env', 'CPD_WSL_PROJECT_NAME') | default('wsl-m cpd_wml_instance_id: "{{ lookup('env', 'CPD_WML_INSTANCE_ID') | default('openshift', true) }}" cpd_wml_url: "{{ lookup('env', 'CPD_WML_URL') | default('https://internal-nginx-svc.ibm-cpd.svc:12443', true) }}" -# Monitoring and Testing Service (Predict) +# Watson OpenScale (Predict) cpd_wos_datamart_id: "{{ lookup('env', 'CPD_WOS_DATAMART_ID') | default('', true) }}" From a0e5cf4a85200dc223f0203ee29f17125381ace6 Mon Sep 17 00:00:00 2001 
From: KAROL CZARNECKI Date: Mon, 15 Jan 2024 13:33:36 +0000 Subject: [PATCH 3/8] Squashed commit of the following: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 5206e1b183ed168c7baba87aadfcb26c849f332b Author: Conrad Kao Date: Fri Jan 12 12:35:57 2024 -0600 [patch] add licensing sync cronjob sync frequency in slscfg (#1167) commit b1c657982cac3ed799639777f2a8e5f1d20efaa7 Author: David Parker Date: Sun Jan 7 21:05:26 2024 +0000 [patch] Disable logging of docker credentials from mirror_ocp role (#1160) commit 81cb38fde8c37e96314e49514df6258a8ad42a3b Author: David Parker Date: Sun Jan 7 11:33:09 2024 +0000 Revert "[minor] Added failure handling for Maxinst setup script in suite_db2_setup_for_manage role (#1121)" This reverts commit b88d557c31b82ac30c9913fd3595c972263acb11. Refer to MASISMIG-49684 commit b88d557c31b82ac30c9913fd3595c972263acb11 Author: Sachin Balagopalan Date: Fri Jan 5 04:01:44 2024 -0500 [minor] Added failure handling for Maxinst setup script in suite_db2_setup_for_manage role (#1121) Co-authored-by: Alexandre Quinteiro commit 04a32fc3a4bc65e7bdaf1305b2bc6c6749f361be Author: André Marcelino <31037381+andrercm@users.noreply.github.com> Date: Wed Jan 3 12:28:57 2024 -0300 [patch] Fix condition that sets cert_manager_cluster_resource_namespace (#1156) commit d890dd656ad51cdaa3c8d5ee6b7d1466f2e8d260 Author: André Marcelino <31037381+andrercm@users.noreply.github.com> Date: Tue Jan 2 07:57:47 2024 -0300 [minor] Add support for Red Hat Certificate Manager (#1153) Co-authored-by: David Parker commit 0d04acde978447753b2c9c7b47289420df03358d Author: Sanjay Prabhakar Date: Thu Dec 28 17:50:57 2023 +0000 [minor] Support December Catalog Update (#1148) Co-authored-by: Sanjay Prabhakar commit 0d136472aba7d79fa79e82abdc2e4902c89677f2 Author: Sanjay Prabhakar Date: Wed Dec 20 14:30:03 2023 +0000 [minor] Add support mongo 5.0.23 and 6.0.12 (#1144) Co-authored-by: Sanjay Prabhakar commit 
017a0ad822d223a8e93d1dd8f539b6d4f718c635 Author: David Parker Date: Wed Dec 20 12:59:43 2023 +0000 [patch] Include default channels in ImageSetConfiguration (#1150) commit d5c96fcd2b3e012855275ff9ad45f8af34441114 Author: David Parker Date: Wed Dec 20 10:34:32 2023 +0000 Default to patch version bump when no commit prefix provided (#1149) commit b4e06f02cd867be4124fe1cb35d2d1a26db48d86 Author: HariPalleti Date: Mon Dec 18 17:44:59 2023 -0600 [patch] add install in the DRO_ACTION list (#1146) commit 21c7b3313813a97b982deaab7fd27b505c66cd5b Author: Lokesh <110647904+lokesh-sreedhara@users.noreply.github.com> Date: Mon Dec 18 21:10:40 2023 +0530 [patch] fix dro_action assert error (#1145) Co-authored-by: Yuvraj Vansure Co-authored-by: yuvraj-vansure <81155309+yuvraj-vansure@users.noreply.github.com> commit 49b254669b5f86bf3459c74c0c06d4ea468af174 Author: André Marcelino <31037381+andrercm@users.noreply.github.com> Date: Mon Dec 18 07:33:21 2023 -0300 [minor] Support MVI integration with Object Storage in oneclick_add_visualinspection (#1125) Co-authored-by: David Parker commit 2e3718494b465d99ee8c474f8d10b681b5f1922c Author: yuvraj-vansure <81155309+yuvraj-vansure@users.noreply.github.com> Date: Mon Dec 18 15:59:30 2023 +0530 [patch] Install DRO using DRO_STORAGE_CLASS and PVC (#1129) Co-authored-by: Yuvraj Vansure Co-authored-by: lokesh-sreedhara Co-authored-by: Lokesh <110647904+lokesh-sreedhara@users.noreply.github.com> commit fb7e3e0f5163f7e2408b4c534e3389abb9340dd8 Author: André Marcelino <31037381+andrercm@users.noreply.github.com> Date: Thu Dec 14 06:40:24 2023 -0300 [patch] Fix ocp_ingress_tls_secret_name support for Azure (#1141) Co-authored-by: David Parker commit 7ffce37c630e7a75b95b275f9311e1d90045d5ad Author: Sanjay Prabhakar Date: Thu Dec 14 09:39:15 2023 +0000 [patch] Support for apply-db2cfg-settings.sh script in newer db2 operators (#1142) Co-authored-by: Sanjay Prabhakar commit ca3da8e0beb0c10821751d24dc69a9d037d31e96 Author: yuvraj-vansure 
<81155309+yuvraj-vansure@users.noreply.github.com> Date: Wed Dec 13 16:02:15 2023 +0530 [patch] Include DRO in ImageSetConfig & ImageContentSourcePolicy (#1127) Co-authored-by: David Parker commit f928af8b65450126b106489cd17aa97bfa3d28d1 Author: chriscochran <140204950+chriscochran@users.noreply.github.com> Date: Wed Dec 13 04:22:11 2023 -0600 [patch] Exclude Maximo IT from mirror manifest by default (#1128) Co-authored-by: David Parker Co-authored-by: André Marcelino <31037381+andrercm@users.noreply.github.com> Co-authored-by: Sanjay Prabhakar Co-authored-by: Sanjay Prabhakar commit 229e299c5b1b1de18592eba81f22b343e76bf80a Author: André Marcelino <31037381+andrercm@users.noreply.github.com> Date: Tue Dec 12 10:41:46 2023 -0300 [patch] Fix cert content from string (#1137) Co-authored-by: David Parker commit efd77d2a1454820fe0c23a0210f859f50644fcf8 Author: David Parker Date: Tue Dec 12 13:00:08 2023 +0000 [patch] Allow FYRE provision without storage configuration (#1138) commit e1473bf9cea42f90e19bb06eddb161d81dc26c13 Author: Sanjay Prabhakar Date: Sat Dec 9 02:38:32 2023 +0000 [patch] get db2u version from db2u-release configmap instead of secret (#1135) Co-authored-by: Sanjay Prabhakar commit 41c0e98f34a7505cce3320afedd61a5eaa26a5ac Author: David Parker Date: Thu Dec 7 12:45:11 2023 +0000 [patch] Ensure cluster_ingress_tls_crt_remove_it is defined (#1133) commit 9c9342e802a32e3925f14d709d71a5528de7e200 Author: André Marcelino <31037381+andrercm@users.noreply.github.com> Date: Wed Dec 6 17:38:36 2023 -0300 [patch] Filter DST X3 Root certificate part from the cluster's ingress chain (#1130) commit a0800053b70523a66b41428d26c7a66924aa746d Author: André Marcelino <31037381+andrercm@users.noreply.github.com> Date: Wed Dec 6 07:24:36 2023 -0300 [patch] Fix "jdbc_tls_crt is undefined" (#1126) commit 0d5e0168222c293242190bfc756a8d22420b2034 Author: André Marcelino <31037381+andrercm@users.noreply.github.com> Date: Fri Dec 1 16:55:46 2023 -0300 [patch] fix bad indentation 
for BasCfg when podTemplates is set (#1124) commit b45e7fd0538be75d6173a1db8ea0bd5173d45ea6 Author: David Parker Date: Fri Dec 1 18:16:17 2023 +0000 [patch] Clean up remnants of manual upgrade support (#1123) commit 803bcc3731f963311d3a639013a26f54713ebc76 Author: André Marcelino <31037381+andrercm@users.noreply.github.com> Date: Wed Nov 29 21:46:15 2023 -0300 [patch] Adding cluster's ingress in DNS record list for Route53 hosted zone (#1118) commit 75925427c615eaf7a3408a0e4e1ffae5b31c2af8 Author: Sanjay Prabhakar Date: Wed Nov 29 17:16:31 2023 +0000 [patch] update nov catalog digest and amlen 1.0.2 extras (#1120) Co-authored-by: Sanjay Prabhakar commit c75455a301a1509ca329dd3482de0165337e6d06 Author: Sanjay Prabhakar Date: Wed Nov 29 12:16:00 2023 +0000 [minor] Update v8-231128-amd64 catalog casebundle (#1117) Co-authored-by: Sanjay Prabhakar commit c8fe880e9e2063eb1571d27f17648cc1c4827b50 Author: André Marcelino <31037381+andrercm@users.noreply.github.com> Date: Mon Nov 27 14:08:02 2023 -0300 [patch] Improvements to handling of files with multiple certificates (#1097) Co-authored-by: David Parker commit 3f5a8c45c2086fd76bc8b242af689f0289431423 Author: André Marcelino <31037381+andrercm@users.noreply.github.com> Date: Mon Nov 27 13:57:47 2023 -0300 [patch] Fix playbook defaults and suite_dns default handling (#1114) Co-authored-by: David Parker commit 9d798d2c791a1fee03e7550591f2c5b37f9c2d05 Author: Sanjay Prabhakar Date: Mon Nov 27 16:50:51 2023 +0000 [minor] Support November Catalog Update (#1103) Co-authored-by: Andre Ricardo De Campos Marcelino Co-authored-by: Terence Quinn Co-authored-by: Sanjay Prabhakar commit acacf77fce357095d147a3bd78bf91ef5e8fca4d Author: David Parker Date: Fri Nov 24 19:13:14 2023 +0000 [patch] Fixes and tweaks for better Red Hat content mirroring (#1115) commit 017d57971f9d9326fbba264b18dc4213a8ee5802 Author: Sanjay Prabhakar Date: Fri Nov 24 19:04:32 2023 +0000 [minor] Re-issue October 04 and 31 catalog (#1113) Co-authored-by: Sanjay 
Prabhakar --- build/bin/initbuild.sh | 17 +- docs/playbooks/oneclick-update.md | 2 +- docs/playbooks/oneclick-visualinspection.md | 5 + .../common_tasks/detect_cert_manager.yml | 65 +++++++ .../common_tasks/get_ingress_cert.yml | 17 +- .../common_tasks/get_signed_ingress_cert.yml | 40 +++- .../common_tasks/pod_templates/main.yml | 2 +- .../casebundles/v8-231004-amd64.yml | 4 +- .../casebundles/v8-231031-amd64.yml | 4 +- .../casebundles/v8-231128-amd64.yml | 97 ++++++++++ .../casebundles/v8-231228-amd64.yml | 97 ++++++++++ .../playbooks/mirror_add_assist.yml | 4 +- .../playbooks/mirror_add_hputilities.yml | 4 +- ibm/mas_devops/playbooks/mirror_add_iot.yml | 4 +- .../playbooks/mirror_add_manage.yml | 6 +- .../playbooks/mirror_add_monitor.yml | 4 +- .../playbooks/mirror_add_optimizer.yml | 4 +- .../playbooks/mirror_add_predict.yml | 4 +- .../playbooks/mirror_add_visualinspection.yml | 4 +- ibm/mas_devops/playbooks/mirror_core.yml | 4 +- .../playbooks/mirror_dependencies.yml | 4 +- .../playbooks/ocp_fyre_provision.yml | 13 +- .../playbooks/oneclick_add_assist.yml | 4 +- ibm/mas_devops/playbooks/oneclick_add_iot.yml | 2 +- .../playbooks/oneclick_add_manage.yml | 2 +- .../playbooks/oneclick_add_monitor.yml | 2 +- .../playbooks/oneclick_add_optimizer.yml | 2 +- .../playbooks/oneclick_add_predict.yml | 4 +- .../oneclick_add_visualinspection.yml | 45 ++++- ibm/mas_devops/playbooks/oneclick_update.yml | 2 +- ibm/mas_devops/roles/cert_manager/README.md | 37 +++- .../roles/cert_manager/defaults/main.yml | 22 +++ .../roles/cert_manager/meta/main.yml | 2 +- .../roles/cert_manager/tasks/main.yml | 11 +- .../cert_manager/tasks/prereqs-migration.yml | 49 +++++ .../{actions => provider/ibm}/install.yml | 22 +-- .../{actions => provider/ibm}/uninstall.yml | 19 +- .../tasks/provider/redhat/install.yml | 181 ++++++++++++++++++ .../tasks/provider/redhat/uninstall.yml | 21 ++ .../ibm-cert-manager-common-service.yml | 0 .../templates/{ => ibm}/ibm-cert-manager.yml | 0 
.../redhat/cert-manager-cluster.yml.j2 | 20 ++ .../cert-manager-webhook-ibm-cis-crb.yml.j2 | 16 ++ .../templates/redhat/ibm-cpp-configmap.yml.j2 | 8 + .../templates/redhat/namespace.yml.j2 | 5 + .../templates/redhat/subscription.yml.j2 | 23 +++ .../common_services/tasks/actions/install.yml | 6 + .../templates/namespace.yml.j2 | 5 + .../templates/subscription.yml.j2 | 5 - ibm/mas_devops/roles/convert_to_olm/README.md | 8 +- .../roles/convert_to_olm/defaults/main.yml | 1 - .../roles/convert_to_olm/tasks/main.yml | 52 +---- .../templates/subscription.yml.j2 | 2 +- ibm/mas_devops/roles/cos/README.md | 6 + ibm/mas_devops/roles/cos/defaults/main.yml | 3 +- .../cos/tasks/providers/ocs/provision.yml | 27 ++- .../cos/templates/ocs/objectstoragecfg.yml.j2 | 15 +- .../roles/cos/templates/ocs/ocs-certs.yml.j2 | 5 + ibm/mas_devops/roles/db2/README.md | 2 +- .../roles/db2/tasks/install/main.yml | 23 +-- .../upgrade/run-db2-instances-upgrade.yml | 23 +-- ibm/mas_devops/roles/dro/README.md | 34 +++- ibm/mas_devops/roles/dro/defaults/main.yml | 2 +- .../roles/dro/tasks/gencfg/main.yml | 10 +- .../install-dro/determine-storage-classes.yml | 19 +- .../roles/dro/tasks/install-dro/main.yml | 23 ++- ibm/mas_devops/roles/dro/tasks/main.yml | 7 +- .../roles/dro/tasks/uninstall/main.yml | 25 +++ .../roles/dro/templates/bascfg.yml.j2 | 17 +- .../roles/dro/templates/dro-certs.yml.j2 | 5 + .../roles/dro/templates/dro-pvc.yml.j2 | 44 +++++ .../roles/gencfg_jdbc/tasks/main.yml | 18 +- .../gencfg_jdbc/templates/jdbc-certs.yml.j2 | 5 + .../gencfg_jdbc/templates/jdbccfg.yml.j2 | 9 +- .../roles/gencfg_mongo/tasks/main.yml | 13 +- .../gencfg_mongo/templates/mongo-certs.yml.j2 | 5 + .../templates/suite_mongocfg.yml.j2 | 8 +- .../redhat/run-kafka-instances-upgrade.yml | 2 +- .../tasks/prepare-released.yml | 38 ++-- .../vars/amlen_1.0.2.yml | 11 ++ .../mirror_extras_prepare/vars/db2u_1.0.3.yml | 31 +++ .../vars/mongoce_5.0.23.yml | 26 +++ .../vars/mongoce_6.0.12.yml | 26 +++ 
.../mirror_extras_prepare/vars/uds_1.5.0.yml | 11 ++ .../mirror_extras_prepare/vars/wd_1.0.2.yml | 126 ++++++++++++ ibm/mas_devops/roles/mirror_ocp/README.md | 32 ++-- .../tasks/actions/to-filesystem.yml | 2 +- .../roles/mirror_ocp/tasks/main.yml | 1 + .../templates/imagesetconfiguration.yml.j2 | 40 ++-- ibm/mas_devops/roles/mongodb/README.md | 9 +- .../roles/mongodb/defaults/main.yml | 3 +- .../tasks/determine-ibmcatalog-tag.yml | 105 ++++++++++ .../community/check-mongo-exists.yml | 20 ++ .../providers/community/install-mongo.yml | 79 +------- .../providers/community/validate-upgrade.yml | 8 + ibm/mas_devops/roles/nvidia_gpu/README.md | 2 +- .../templates/redhat-catalogs.yml.j2 | 58 ++++-- ibm/mas_devops/roles/sls/README.md | 7 + ibm/mas_devops/roles/sls/defaults/main.yml | 1 + .../roles/sls/templates/slscfg.yml.j2 | 1 + .../roles/suite_app_install/defaults/main.yml | 3 + .../roles/suite_app_install/tasks/iot.yml | 4 +- .../tasks/visualinspection.yml | 9 +- .../vars/customspecs/visualinspection.yml.j2 | 10 + .../roles/suite_certs/defaults/main.yml | 4 +- .../tasks/apply-db2-config-settings.yml | 4 +- .../roles/suite_dns/defaults/main.yaml | 5 +- .../tasks/providers/cis/cis_webhook.yml | 2 +- .../tasks/providers/route53/create-cnames.yml | 18 +- .../tasks/providers/route53/main.yml | 8 - ibm/mas_devops/roles/suite_dns/tasks/run.yml | 17 +- .../templates/cis/webhook/apiservice.yml.j2 | 2 +- .../templates/route53/create-cnames.json.j2 | 12 ++ ibm/mas_devops/roles/suite_install/README.md | 6 +- .../roles/suite_install/defaults/main.yml | 21 +- .../tasks/detect-cert-manager.yml | 35 ---- .../tasks/ibm-common-services.yml | 63 ------ .../roles/suite_install/tasks/main.yml | 44 +---- .../templates/core_v1_suite.yml.j2 | 2 +- .../templates/subscription.yml.j2 | 2 +- ibm/mas_devops/roles/uds/README.md | 7 + ibm/mas_devops/roles/uds/defaults/main.yml | 1 + .../roles/uds/tasks/gencfg/main.yml | 11 +- .../roles/uds/tasks/install/main.yml | 16 +- 
.../roles/uds/tasks/install/udscfg.yml | 2 +- ibm/mas_devops/roles/uds/tasks/main.yml | 2 - .../roles/uds/templates/bas-certs.yml.j2 | 5 + .../roles/uds/templates/bascfg.yml.j2 | 17 +- 128 files changed, 1666 insertions(+), 636 deletions(-) create mode 100644 ibm/mas_devops/common_tasks/detect_cert_manager.yml create mode 100644 ibm/mas_devops/common_vars/casebundles/v8-231128-amd64.yml create mode 100644 ibm/mas_devops/common_vars/casebundles/v8-231228-amd64.yml create mode 100644 ibm/mas_devops/roles/cert_manager/tasks/prereqs-migration.yml rename ibm/mas_devops/roles/cert_manager/tasks/{actions => provider/ibm}/install.yml (77%) rename ibm/mas_devops/roles/cert_manager/tasks/{actions => provider/ibm}/uninstall.yml (78%) create mode 100644 ibm/mas_devops/roles/cert_manager/tasks/provider/redhat/install.yml create mode 100644 ibm/mas_devops/roles/cert_manager/tasks/provider/redhat/uninstall.yml rename ibm/mas_devops/roles/cert_manager/templates/{ => ibm}/ibm-cert-manager-common-service.yml (100%) rename ibm/mas_devops/roles/cert_manager/templates/{ => ibm}/ibm-cert-manager.yml (100%) create mode 100644 ibm/mas_devops/roles/cert_manager/templates/redhat/cert-manager-cluster.yml.j2 create mode 100644 ibm/mas_devops/roles/cert_manager/templates/redhat/cert-manager-webhook-ibm-cis-crb.yml.j2 create mode 100644 ibm/mas_devops/roles/cert_manager/templates/redhat/ibm-cpp-configmap.yml.j2 create mode 100644 ibm/mas_devops/roles/cert_manager/templates/redhat/namespace.yml.j2 create mode 100644 ibm/mas_devops/roles/cert_manager/templates/redhat/subscription.yml.j2 create mode 100644 ibm/mas_devops/roles/common_services/templates/namespace.yml.j2 create mode 100644 ibm/mas_devops/roles/cos/templates/ocs/ocs-certs.yml.j2 create mode 100644 ibm/mas_devops/roles/dro/templates/dro-certs.yml.j2 create mode 100644 ibm/mas_devops/roles/dro/templates/dro-pvc.yml.j2 create mode 100644 ibm/mas_devops/roles/gencfg_jdbc/templates/jdbc-certs.yml.j2 create mode 100644 
ibm/mas_devops/roles/gencfg_mongo/templates/mongo-certs.yml.j2 create mode 100644 ibm/mas_devops/roles/mirror_extras_prepare/vars/amlen_1.0.2.yml create mode 100644 ibm/mas_devops/roles/mirror_extras_prepare/vars/db2u_1.0.3.yml create mode 100644 ibm/mas_devops/roles/mirror_extras_prepare/vars/mongoce_5.0.23.yml create mode 100644 ibm/mas_devops/roles/mirror_extras_prepare/vars/mongoce_6.0.12.yml create mode 100644 ibm/mas_devops/roles/mirror_extras_prepare/vars/uds_1.5.0.yml create mode 100644 ibm/mas_devops/roles/mirror_extras_prepare/vars/wd_1.0.2.yml create mode 100644 ibm/mas_devops/roles/mongodb/tasks/determine-ibmcatalog-tag.yml create mode 100644 ibm/mas_devops/roles/suite_app_install/vars/customspecs/visualinspection.yml.j2 delete mode 100644 ibm/mas_devops/roles/suite_install/tasks/detect-cert-manager.yml delete mode 100644 ibm/mas_devops/roles/suite_install/tasks/ibm-common-services.yml create mode 100644 ibm/mas_devops/roles/uds/templates/bas-certs.yml.j2 diff --git a/build/bin/initbuild.sh b/build/bin/initbuild.sh index 110178f1c..b091d0d8b 100755 --- a/build/bin/initbuild.sh +++ b/build/bin/initbuild.sh @@ -61,14 +61,14 @@ else PATCH_COUNT=`grep -ciF '[patch]' $GITHUB_WORKSPACE/.changelog` echo "Patch commits : ${PATCH_COUNT}" - fi - if [ "$MAJOR_COUNT" -gt "0" ]; then - SEMVER_RELEASE_LEVEL="major" - elif [ "$MINOR_COUNT" -gt "0" ]; then - SEMVER_RELEASE_LEVEL="minor" - elif [ "$PATCH_COUNT" -gt "0" ]; then - SEMVER_RELEASE_LEVEL="patch" + if [ "$MAJOR_COUNT" -gt "0" ]; then + SEMVER_RELEASE_LEVEL="major" + elif [ "$MINOR_COUNT" -gt "0" ]; then + SEMVER_RELEASE_LEVEL="minor" + elif [ "$PATCH_COUNT" -gt "0" ]; then + SEMVER_RELEASE_LEVEL="patch" + fi fi echo "RELEASE LEVEL = ${SEMVER_RELEASE_LEVEL}" 
@@ -82,7 +82,8 @@ else semver bump ${SEMVER_RELEASE_LEVEL} ${SEMVER_LAST_TAG} > $VERSION_FILE echo "Configuring semver for ${SEMVER_RELEASE_LEVEL} bump from ${SEMVER_LAST_TAG} to $(cat $VERSION_FILE)" else - semver bump build build.$GITHUB_RUN_ID > $VERSION_FILE + # Default to a patch revision + semver bump patch ${SEMVER_LAST_TAG} > $VERSION_FILE echo "Configuring semver for rebuild of ${SEMVER_LAST_TAG}: $(cat $VERSION_FILE)" fi fi diff --git a/docs/playbooks/oneclick-update.md b/docs/playbooks/oneclick-update.md index e2b57ae6f..10d728cc7 100644 --- a/docs/playbooks/oneclick-update.md +++ b/docs/playbooks/oneclick-update.md @@ -35,7 +35,7 @@ Usage Only one parameter is required, the new tag of the IBM Maximo Operator Catalog that you wish to use: ```bash -export MAS_CATALOG_VERSION=v8-231031-amd64 +export MAS_CATALOG_VERSION=v8-231228-amd64 oc login --token=xxxx --server=https://myocpserver ansible-playbook ibm.mas_devops.oneclick_update ``` diff --git a/docs/playbooks/oneclick-visualinspection.md b/docs/playbooks/oneclick-visualinspection.md index 04ed72910..e44c71392 100644 --- a/docs/playbooks/oneclick-visualinspection.md +++ b/docs/playbooks/oneclick-visualinspection.md 
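Review bot: The `else` branch now runs `semver bump patch ${SEMVER_LAST_TAG}`, but the `echo` after it still reports a "rebuild of ${SEMVER_LAST_TAG}", so the build log misdescribes what is now a new patch version. Update the message, e.g. `echo "Defaulting to patch bump from ${SEMVER_LAST_TAG} to $(cat "$VERSION_FILE")"`. Also quote the expansions on the new line (`"${SEMVER_LAST_TAG}"`, `"$VERSION_FILE"`), so that an empty or space-containing value fails visibly instead of changing the argument list. The enclosing `if`/`else` starts outside the hunk.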
@@ -24,6 +24,11 @@ All timings are estimates, see the individual pages for each of these playbooks ## Optional environment variables - `MAS_APP_SETTINGS_VISUALINSPECTION_STORAGE_CLASS` Defines a custom file storage class for Visual Inspection application. If none provided, then a default storage class will be auto defined accordingly to your cluster's availability i.e `ibmc-file-gold` for IBM Cloud or `azurefiles-premium` for Azure clusters. - `MAS_APP_SETTINGS_VISUALINSPECTION_STORAGE_SIZE` Defines persistent storage size for Visual Inspection application. If not provided, default is `100Gi`. +- `MAS_APP_SETTINGS_VISUALINSPECTION_OBJECT_STORAGE_ENABLED` If set to `true`, enables [Object Storage integration with Visual Inspection](https://www.ibm.com/docs/en/mas-cd/maximo-vi/continuous-delivery?topic=managing-object-storage). +- `MAS_APP_SETTINGS_VISUALINSPECTION_OBJECT_STORAGE_WORKSPACE` Defines the Object Storage bucket name to be used for Visual Inspection integration. +- `CONFIGURE_COS` If set to `true`, an Object Storage instance will be configured as MAS system scope configuration which will be used for Visual Inspection integration. See [cos](https://ibm-mas.github.io/ansible-devops/roles/cos/) role documentation for detailed information. +- `CONFIGURE_COS_BUCKET` If set to `true`, an Object Storage bucket will be configured to be used for Visual Inspection application. See [cos_bucket](https://ibm-mas.github.io/ansible-devops/roles/cos_bucket/) role documentation for detailed information. + ## Usage ```bash diff --git a/ibm/mas_devops/common_tasks/detect_cert_manager.yml b/ibm/mas_devops/common_tasks/detect_cert_manager.yml new file mode 100644 index 000000000..00215f282 --- /dev/null +++ b/ibm/mas_devops/common_tasks/detect_cert_manager.yml 
@@ -0,0 +1,65 @@ +--- +# This task is currently being used by the following roles: +# +# - suite-dns (to lookup which namespace Certificate Manager is installed so that CIS webhook is installed in the same namespace) +# - suite_install (to lookup which namespace Certificate Manager is installed so that Suite CR is set to point to the same namespace) +# +# 1. Check if and where Certificate Manager is installed +# ----------------------------------------------------------------------------- +# oc get pods -A | grep cert-manager-cainjector| awk '{print $1}' should return the namespace where the cert-manager instance is running i.e cert-manager-operator +- name: Lookup Certificate Manager installations + shell: oc get pods -A | grep cert-manager-cainjector | awk '{print $1}' + register: cert_manager_webhook_lookup + +- name: Assert Certificate Manager is installed + assert: + that: cert_manager_webhook_lookup.stdout_lines | length > 0 + fail_msg: "Certificate Manager was not found in the cluster. Make sure you install it by running 'cert_manager' role before trying to setup Maximo Application Suite instance." + +- name: Assert there is just one Certificate Manager running + assert: + that: cert_manager_webhook_lookup.stdout_lines | length == 1 + fail_msg: + - "There are multiple instances of Certificate Manager running in the cluster." + - "Make sure you just have one Certificate Manager instance running." + - "Certificate Manager namespaces identified: {{ cert_manager_webhook_lookup.stdout_lines }}" + +# 2. 
Check if Certificate Manager Cluster Resource Namespace is defined +# ----------------------------------------------------------------------------- +# Namespace to setup ClusterIssuers when referencing a secret via the secretName field +# ClusterIssuers' secrets will be looked for in the Cluster Resource Namespace defined +- name: "Lookup CertManager CR" + kubernetes.core.k8s_info: + api_version: operator.openshift.io/v1alpha1 + name: cluster + kind: CertManager + register: certmanager_cr + +- set_fact: + cert_manager_args: "{{ certmanager_cr.resources[0].spec.unsupportedConfigOverrides.controller.args }}" + when: certmanager_cr.resources[0].spec.unsupportedConfigOverrides.controller.args is defined + +- name: Set cert_manager_cluster_resource_namespace from CertManager CR + when: cert_manager_args is defined and item | regex_search(regex) + vars: + regex: '(?<=\--cluster-resource-namespace=).*' + set_fact: + cert_manager_cluster_resource_namespace: "{{ item | regex_search(regex) }}" + with_items: "{{ cert_manager_args }}" + +# 3. Set Certificate Manager variables +# ----------------------------------------------------------------------------- +- name: Set Certificate Manager namespace + set_fact: + cert_manager_namespace: "{{ cert_manager_webhook_lookup.stdout }}" + +# If 'cert_manager_cluster_resource_namespace' is not yet defined then set it to same value as 'cert_manager_namespace' +- name: Set Certificate Manager Cluster Resource namespace (if not set) + set_fact: + cert_manager_cluster_resource_namespace: "{{ cert_manager_namespace }}" + when: cert_manager_cluster_resource_namespace is not defined or cert_manager_cluster_resource_namespace == '' + +- debug: + msg: + - "Certificate Manager namespace ............................... {{ cert_manager_namespace }}" + - "Certificate Manager cluster resource namespace .............. {{ cert_manager_cluster_resource_namespace }}" 
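Review bot: The lookup `oc get pods -A | grep cert-manager-cainjector | awk '{print $1}'` accepts any pod in any namespace whose listing line contains that string. Its result becomes `cert_manager_namespace`, which per the header comment decides where the CIS webhook is installed and which namespace the Suite CR points at. Pod names are chosen by whoever can create pods, so on a shared cluster a stray match either trips the single-instance assert or, if it is the only match, is accepted as the cert-manager namespace. Consider asserting the detected namespace against the namespaces the `cert_manager` role installs into before setting the fact. The shell task is also read-only and should carry `changed_when: false`.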
diff --git a/ibm/mas_devops/common_tasks/get_ingress_cert.yml b/ibm/mas_devops/common_tasks/get_ingress_cert.yml index 122b31d23..fdd1f28de 100644 --- a/ibm/mas_devops/common_tasks/get_ingress_cert.yml +++ b/ibm/mas_devops/common_tasks/get_ingress_cert.yml @@ -4,6 +4,7 @@ - name: Clear private_root_ca_name fact ansible.builtin.set_fact: private_root_ca_name: "" + include_cluster_ingress_cert_chain: "{{ lookup('env', 'INCLUDE_CLUSTER_INGRESS_CERT_CHAIN') | default('false', True) | bool }}" - name: "Lookup Proxy: cluster" kubernetes.core.k8s_info: 
@@ -55,7 +56,19 @@ ansible.builtin.set_fact: cluster_ingress_tls_crt_full: "{{ private_root_ca_bundle_crt | regex_findall('(?s)(-----BEGIN .+?-----.+?-----END .+?-----)', multiline=True, ignorecase=True) }}" - # We only want the first part of this certificate, I don't know why, but this is what works + # We only want the first part of this certificate, I don't know why, but this is what works - if needed, set include_cluster_ingress_cert_chain == true to have entire cert chain - name: "Get private ingress certificate" ansible.builtin.set_fact: - cluster_ingress_tls_crt: "{{ cluster_ingress_tls_crt_full[0] }}" + cluster_ingress_tls_crt: "{{ cluster_ingress_tls_crt_full if (include_cluster_ingress_cert_chain) else cluster_ingress_tls_crt_full[0] }}" + + # When the certificate content is retrieved as a list, need to ensure its content is not treated as a list of characters + - name: "Format all certificates in the chain (from list)" + ansible.builtin.set_fact: + cluster_ingress_tls_crt: "{{ cluster_ingress_tls_crt | join('') }}" + when: cluster_ingress_tls_crt and cluster_ingress_tls_crt | type_debug == 'list' and cluster_ingress_tls_crt | length > 0 + + # When the certificate content is retrieved as a string, need to filter its content into valid certificates and map them into a list + - name: "Format all certificates in the chain (from text/string)" + ansible.builtin.set_fact: + cluster_ingress_tls_crt: "{{ cluster_ingress_tls_crt | regex_findall('(?s)(-----BEGIN .+?-----.+?-----END .+?-----)', multiline=True, ignorecase=True) }}" + when: cluster_ingress_tls_crt and cluster_ingress_tls_crt | type_debug != 'list' diff --git a/ibm/mas_devops/common_tasks/get_signed_ingress_cert.yml b/ibm/mas_devops/common_tasks/get_signed_ingress_cert.yml index 627668367..749d267aa 100644 --- a/ibm/mas_devops/common_tasks/get_signed_ingress_cert.yml +++ b/ibm/mas_devops/common_tasks/get_signed_ingress_cert.yml 
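Review bot: The two new "Format all certificates in the chain" tasks run back to back, so a list value is joined into one string by the first and then split back into a list by the second task's `regex_findall`. A single task that joins only when the value is a list and then applies the existing pattern would be easier to follow. The "I don't know why" comment should also be replaced with a statement of what the toggle does, e.g. `# INCLUDE_CLUSTER_INGRESS_CERT_CHAIN=true keeps every certificate found in the private root CA bundle; the default keeps only the first`. Keeping the full bundle widens what downstream consumers of `cluster_ingress_tls_crt` may end up trusting, so it is worth documenting. The enclosing block is not fully visible in this hunk.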
@@ -4,8 +4,7 @@ - name: set ocp ingress tls secret set_fact: ocp_ingress_tls_secret_name: "{{ lookup('env', 'OCP_INGRESS_TLS_SECRET_NAME') | default('router-certs-default', True) }}" - when: - ocp_ingress_tls_secret_name is not defined + when: ocp_ingress_tls_secret_name is not defined - name: "Lookup for {{ ocp_ingress_tls_secret_name }} secret" no_log: true @@ -25,7 +24,6 @@ cluster_ingress_secret_name: "{{ ocp_ingress_tls_secret_name }}" cluster_ingress_tls_crt: "{{ router_certs_default_secret.resources[0].data['tls.crt'] | b64decode }}" - # 2. Lookup for secret named after cluster ingress # ----------------------------------------------------------------------------- - name: Get cluster subdomain @@ -59,7 +57,6 @@ cluster_ingress_secret_name: "{{ cluster_subdomain.resources[0].spec.domain | regex_search('[^.]*') }}" cluster_ingress_tls_crt: "{{ cluster_ingress_secret.resources[0].data['tls.crt'] | b64decode }}" - # 3. Lookup for secret based on the cluster name # ----------------------------------------------------------------------------- # ROSA, TechZone, and some IPI Installs use this convention @@ -75,6 +72,10 @@ - type=kubernetes.io/tls register: cluster_primary_secrets +# This will lookup for cluster's ingress secret name that matches a given label +# Depending on the cluster's provider, it will try to use substrings to find the +# exact secret's name i.e for ARO clusters, the cluster's ingress secret name +# will end with '-ingress' - name: "Find Cluster Primary Secret" when: - found_router_default_secret is not defined @@ -83,6 +84,7 @@ - cluster_primary_secrets.resources is defined - cluster_primary_secrets.resources | length > 0 - (item.metadata.name.endswith("-primary-cert-bundle-secret")) or + (item.metadata.name.endswith("-ingress")) or (item.metadata.name == "letsencrypt-certs") set_fact: found_cluster_primary_secret: true 
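Review bot: Adding `(item.metadata.name.endswith("-ingress"))` to "Find Cluster Primary Secret" widens the match to any `kubernetes.io/tls` secret from the preceding lookup whose name ends in `-ingress`. Because the `set_fact` runs once per loop item, the last matching secret appears to win. Its `tls.crt` is then treated as the cluster ingress certificate, so an unrelated TLS secret with that suffix would be picked up silently. If the ARO naming is known more precisely than the new comment states, match on the full expected name, or assert that exactly one secret matched before using it. The lookup's namespace and the rest of the task lie outside this hunk.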
@@ -93,6 +95,35 @@ loop_control: label: "{{ item.metadata.name }}" +# Break up the certificate into an array +- name: "Extract certificate chain into a variable" + set_fact: + cluster_ingress_tls_crt: "{{ cluster_ingress_tls_crt | regex_findall('(?s)(-----BEGIN .+?-----.+?-----END .+?-----)', multiline=True, ignorecase=True) }}" + +# Filter out of date DST Root CA X3 issuer certificate if present +# This is a known problem in IBMCloud ROKS clusters, where an expired +# root certificate is included in the chain, the inclusion of this +# certificate in our truststore prevents MAS being able to connect +# to IBM User Data Services because it's an invalid certificate. +- name: "Check if DST Root CA X3 issuer certificate is present" + vars: + dst_root_x3: "Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5" + no_log: true + set_fact: + cluster_ingress_tls_crt_remove_it: "{{ cluster_ingress_tls_crt_remove_it|default([]) + [item] }}" + when: + - (dst_root_x3 in item) + with_items: + - "{{ cluster_ingress_tls_crt }}" + +- name: "Filter DST Root CA X3 issuer certificate if present" + no_log: true + set_fact: + cluster_ingress_tls_crt: "{{ cluster_ingress_tls_crt | difference(cluster_ingress_tls_crt_remove_it) | list }}" + when: + - cluster_ingress_tls_crt_remove_it is defined + - cluster_ingress_tls_crt is defined + - cluster_ingress_tls_crt | length > 0 # 4. Log which (if any) secret was found # ----------------------------------------------------------------------------- @@ -108,7 +139,6 @@ - "Cluster Ingress Cert Secret Name ...... {{ cluster_ingress_secret_name | default('missing', True) }}" - "Cluster Ingress Cert .................. {{ cluster_ingress_tls_crt | default('missing', True) }}" - # COS and UDS roles both require one of these secrets ... can we fix it so that # they don't, not sure why they can't create their own certs and need to # piggyback off the cluster cert tbh. 
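Review bot: "Extract certificate chain into a variable" has no `when:`, but `cluster_ingress_tls_crt` appears to be unset when none of the lookups found a secret, since the log task further down uses `default('missing', True)`. In that case `regex_findall` and the `with_items` loop below would fail on an undefined variable instead of reaching the "missing" message. Guard both tasks the same way the filter task already does, e.g. `when: cluster_ingress_tls_crt is defined and cluster_ingress_tls_crt | length > 0`. Separately, the DST Root CA X3 check matches a fragment of the base64 body, so it depends on the PEM being wrapped exactly as expected. A comment saying where the fragment comes from, or a comparison on the certificate fingerprint, would make the filter easier to audit.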
diff --git a/ibm/mas_devops/common_tasks/pod_templates/main.yml b/ibm/mas_devops/common_tasks/pod_templates/main.yml index f9794c086..e142aa642 100644 --- a/ibm/mas_devops/common_tasks/pod_templates/main.yml +++ b/ibm/mas_devops/common_tasks/pod_templates/main.yml @@ -30,7 +30,7 @@ block: - name: Get and combine podTemplates ansible.builtin.set_fact: - merged_pod_templates_list: "{{ merged_pod_templates_list | default([]) + item_list }}" + merged_pod_templates_list: "{{ merged_pod_templates_list | default([]) + item_list }}" vars: item_name: "{{ item | splitext | first | replace('-', '_') }}_pod_templates" item_list: "{{ lookup('ansible.builtin.vars', item_name, default='') | default([], true) }}" diff --git a/ibm/mas_devops/common_vars/casebundles/v8-231004-amd64.yml b/ibm/mas_devops/common_vars/casebundles/v8-231004-amd64.yml index 4d872e963..7028a4566 100644 --- a/ibm/mas_devops/common_vars/casebundles/v8-231004-amd64.yml +++ b/ibm/mas_devops/common_vars/casebundles/v8-231004-amd64.yml @@ -1,11 +1,11 @@ --- -# Case bundle configuration for IBM Maximo Operator Catalog v230926 +# Case bundle configuration for IBM Maximo Operator Catalog v231004 # ----------------------------------------------------------------------------- # In the future this won't be necessary as we'll be able to mirror from the # catalog itself, but not everything in the catalog supports this yet (including MAS) # so we need to use the CASE bundle mirror process still. -catalog_digest: sha256:57dfc24fe5c87a0304b4fb9c283a9b0b753e41acfffe61ffac5ca1359a579bdf +catalog_digest: sha256:32b28d56327215dcab58664f10987b3e961c0ee9630744b9f66b710e9d879dca # Dependencies # ----------------------------------------------------------------------------- diff --git a/ibm/mas_devops/common_vars/casebundles/v8-231031-amd64.yml b/ibm/mas_devops/common_vars/casebundles/v8-231031-amd64.yml index 119d6291a..93904b9ef 100644 --- a/ibm/mas_devops/common_vars/casebundles/v8-231031-amd64.yml 
+++ b/ibm/mas_devops/common_vars/casebundles/v8-231031-amd64.yml @@ -1,11 +1,11 @@ --- -# Case bundle configuration for IBM Maximo Operator Catalog v230926 +# Case bundle configuration for IBM Maximo Operator Catalog v231031 # ----------------------------------------------------------------------------- # In the future this won't be necessary as we'll be able to mirror from the # catalog itself, but not everything in the catalog supports this yet (including MAS) # so we need to use the CASE bundle mirror process still. -catalog_digest: sha256:709606362f60456afdb117606dafecc3133118de42d26236f9f2c8bbdcc7721f +catalog_digest: sha256:31f0f52a55cc97e7d6c80b844c1d13791efa303eeca87b41954dd2ab67d75378 # Dependencies # ----------------------------------------------------------------------------- diff --git a/ibm/mas_devops/common_vars/casebundles/v8-231128-amd64.yml b/ibm/mas_devops/common_vars/casebundles/v8-231128-amd64.yml new file mode 100644 index 000000000..773887087 --- /dev/null +++ b/ibm/mas_devops/common_vars/casebundles/v8-231128-amd64.yml 
@@ -0,0 +1,97 @@ +--- +# Case bundle configuration for IBM Maximo Operator Catalog v231128 +# ----------------------------------------------------------------------------- +# In the future this won't be necessary as we'll be able to mirror from the +# catalog itself, but not everything in the catalog supports this yet (including MAS) +# so we need to use the CASE bundle mirror process still. + +catalog_digest: sha256:e9f2439166ee18b540b8fc4484e3df5235bfaf7293dadd181b5755c3c79c602a + +# Dependencies +# ----------------------------------------------------------------------------- +common_svcs_version: 1.19.4 # Operator version 3.23.4 (https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-cp-common-services) +db2u_version: 5.1.4 # Operator version 110508.0.2 (https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-db2uoperator) +events_version: 4.6.1 # Operator version 4.6.1 (https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-events-operator) +uds_version: 2.0.12 # Operator version 2.0.12 +sls_version: 3.8.1 # Operator version 3.8.1 +tsm_version: 1.5.1 # Operator version 1.5.1 +dd_version: 1.1.5 # Operator version 1.1.5 +appconnect_version: 6.2.0 # Operator version 6.2.0 +cp4d_platform_version: 2.9.0+20230524.165553 # Operator version 3.8.0 +wsl_version: 6.5.0 # Operator version 6.5.0 +wml_version: 6.5.0 # Operator version 3.5.0 +spark_version: 6.5.0 # Operator version 3.5.0 + +# Watson discovery and its dependencies +# Match corresponding case version for default versions in the catalog source +# ----------------------------------------------------------------------------- +wd_version: 5.5.0 # Operator version 4.6.5 +model_train_version: 1.2.7 # Operator version 1.1.9 +elasticsearch_version: 1.1.1541 # Operator version 1.1.1541 +couchdb_version: 1.0.13 # Operator version 2.2.1 + + +# Maximo Application Suite +# ----------------------------------------------------------------------------- +mas_core_version: + 8.10.x: 8.10.7 # Updated + 8.11.x: 8.11.3 # 
Updated + 8.9.x: 8.9.10 # No Update +mas_assist_version: + 8.10.x: 8.7.2 # No Update + 8.11.x: 8.8.1 # No Update + 8.9.x: 8.6.5 # No Update +mas_hputilities_version: + 8.10.x: 8.6.2 # No Update + 8.11.x: "" # Not Supported + 8.9.x: 8.5.3 # No Update +mas_iot_version: + 8.10.x: 8.7.6 # Updated + 8.11.x: 8.8.2 # Updated + 8.9.x: 8.6.9 # No Update +mas_manage_version: + 8.10.x: 8.6.7 # Updated + 8.11.x: 8.7.2 # Updated + 8.9.x: 8.5.9 # No Update +mas_monitor_version: + 8.10.x: 8.10.6 # Updated + 8.11.x: 8.11.2 # Updated + 8.9.x: 8.9.6 # No Update +mas_optimizer_version: + 8.10.x: 8.4.1 # No Update + 8.11.x: 8.5.0 # No Update + 8.9.x: 8.3.3 # No Update +mas_predict_version: + 8.10.x: 8.8.2 # No Update + 8.11.x: 8.9.0 # No Update + 8.9.x: 8.7.2 # No Update +mas_visualinspection_version: + 8.10.x: 8.8.1 # No Update + 8.11.x: 8.9.0 # No Update + 8.9.x: 8.7.1 # No Update + +# Extra Images for UDS +# ------------------------------------------------------------------------------ +uds_extras_version: 1.4.0 + +# Extra Images for Mongo +# ------------------------------------------------------------------------------ +mongo_extras_version_default: 5.0.21 +mongo_extras_version: "{{ lookup('env', 'MONGODB_VERSION') | default(mongo_extras_version_default, True) }}" + +# Variables used to mirror additional mongo image versions +mongo_extras_version_4: 4.4.21 +mongo_extras_version_5: 5.0.21 +mongo_extras_version_6: 6.0.10 + +# Extra Images for Db2u +# ------------------------------------------------------------------------------ +db2u_extras_version: 1.0.2 + +# Extra Images for IBM Watson Discovery +# ------------------------------------------------------------------------------ +wd_extras_version: 1.0.1 + +# Extra Images for Amlen +# ------------------------------------------------------------------------------ +amlen_extras_version: 1.0.2 
diff --git a/ibm/mas_devops/common_vars/casebundles/v8-231228-amd64.yml b/ibm/mas_devops/common_vars/casebundles/v8-231228-amd64.yml new file mode 100644 index 000000000..78ccf5fe7 --- /dev/null +++ b/ibm/mas_devops/common_vars/casebundles/v8-231228-amd64.yml 
@@ -0,0 +1,97 @@ +--- +# Case bundle configuration for IBM Maximo Operator Catalog v231228 +# ----------------------------------------------------------------------------- +# In the future this won't be necessary as we'll be able to mirror from the +# catalog itself, but not everything in the catalog supports this yet (including MAS) +# so we need to use the CASE bundle mirror process still. + +catalog_digest: sha256:431656fe80e0d565d9b130bb53e6ef12ec0370e3422975f6f4ddbfe95f728cda + +# Dependencies +# ----------------------------------------------------------------------------- +common_svcs_version: 1.19.10 # Operator version 3.23.10 (https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-cp-common-services) +db2u_version: 5.4.2 # Operator version 110508.0.3 (https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-db2uoperator) +events_version: 4.9.0 # Operator version 4.9.0 (https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-events-operator) +uds_version: 2.0.12 # Operator version 2.0.12 +sls_version: 3.8.1 # Operator version 3.8.1 +tsm_version: 1.5.1 # Operator version 1.5.1 +dd_version: 1.1.5 # Operator version 1.1.5 +appconnect_version: 6.2.0 # Operator version 6.2.0 +cp4d_platform_version: 2.9.0+20230524.165553 # Operator version 3.8.0 +wsl_version: 6.5.0 # Operator version 6.5.0 +wml_version: 6.5.0 # Operator version 3.5.0 +spark_version: 6.5.0 # Operator version 3.5.0 + +# Watson discovery and its dependencies +# Match corresponding case version for default versions in the catalog source +# ----------------------------------------------------------------------------- +wd_version: 5.5.0 # Operator version 4.6.5 +model_train_version: 1.2.10 # Operator version 1.1.12 +elasticsearch_version: 1.1.1807 # Operator version 1.1.1807 +couchdb_version: 1.0.13 # Operator version 2.2.1 + + +# Maximo Application Suite +# ----------------------------------------------------------------------------- +mas_core_version: + 8.10.x: 8.10.8 # Updated + 8.11.x: 
8.11.5 # Updated + 8.9.x: 8.9.10 # No Update +mas_assist_version: + 8.10.x: 8.7.2 # No Update + 8.11.x: 8.8.1 # No Update + 8.9.x: 8.6.5 # No Update +mas_hputilities_version: + 8.10.x: 8.6.2 # No Update + 8.11.x: "" # Not Supported + 8.9.x: 8.5.3 # No Update +mas_iot_version: + 8.10.x: 8.7.7 # Updated + 8.11.x: 8.8.3 # Updated + 8.9.x: 8.6.9 # No Update +mas_manage_version: + 8.10.x: 8.6.8 # Updated + 8.11.x: 8.7.3 # Updated + 8.9.x: 8.5.9 # No Update +mas_monitor_version: + 8.10.x: 8.10.6 # No Update + 8.11.x: 8.11.2 # No Update + 8.9.x: 8.9.6 # No Update +mas_optimizer_version: + 8.10.x: 8.4.2 # Updated + 8.11.x: 8.5.1 # Updated + 8.9.x: 8.3.3 # No Update +mas_predict_version: + 8.10.x: 8.8.2 # No Update + 8.11.x: 8.9.0 # No Update + 8.9.x: 8.7.2 # No Update +mas_visualinspection_version: + 8.10.x: 8.8.1 # No Update + 8.11.x: 8.9.0 # No Update + 8.9.x: 8.7.1 # No Update + +# Extra Images for UDS +# ------------------------------------------------------------------------------ +uds_extras_version: 1.5.0 + +# Extra Images for Mongo +# ------------------------------------------------------------------------------ +mongo_extras_version_default: 5.0.23 +mongo_extras_version: "{{ lookup('env', 'MONGODB_VERSION') | default(mongo_extras_version_default, True) }}" + +# Variables used to mirror additional mongo image versions +mongo_extras_version_4: 4.4.21 +mongo_extras_version_5: 5.0.23 +mongo_extras_version_6: 6.0.12 + +# Extra Images for Db2u +# ------------------------------------------------------------------------------ +db2u_extras_version: 1.0.3 + +# Extra Images for IBM Watson Discovery +# ------------------------------------------------------------------------------ +wd_extras_version: 1.0.2 + +# Extra Images for Amlen +# ------------------------------------------------------------------------------ +amlen_extras_version: 1.0.2 
diff --git a/ibm/mas_devops/playbooks/mirror_add_assist.yml b/ibm/mas_devops/playbooks/mirror_add_assist.yml index 1a3c692bd..c0abfa2af 100644 --- a/ibm/mas_devops/playbooks/mirror_add_assist.yml +++ b/ibm/mas_devops/playbooks/mirror_add_assist.yml @@ -3,7 +3,7 @@ any_errors_fatal: true vars: - catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231031-amd64', True) }}" + catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231228-amd64', True) }}" mas_channel: "{{ lookup('env', 'MAS_CHANNEL') | default ('8.11.x', True) }}" mirror_mode: "{{ lookup('env', 'MIRROR_MODE') | default ('direct', True) }}" @@ -15,7 +15,7 @@ - name: "Debug stats if the digest image map file exists" ansible.builtin.set_fact: - file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231031-amd64') }}" + file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231228-amd64') }}" - name: Load CASE bundle versions include_vars: diff --git a/ibm/mas_devops/playbooks/mirror_add_hputilities.yml b/ibm/mas_devops/playbooks/mirror_add_hputilities.yml index 6c656cfc6..851384064 100644 --- a/ibm/mas_devops/playbooks/mirror_add_hputilities.yml +++ b/ibm/mas_devops/playbooks/mirror_add_hputilities.yml @@ -3,7 +3,7 @@ any_errors_fatal: true vars: - catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231031-amd64', True) }}" + catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231228-amd64', True) }}" mas_channel: "{{ lookup('env', 'MAS_CHANNEL') | default ('8.10.x', True) }}" mirror_mode: "{{ lookup('env', 'MIRROR_MODE') | default ('direct', True) }}" 
@@ -15,7 +15,7 @@ - name: "Debug stats if the digest image map file exists" ansible.builtin.set_fact: - file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231031-amd64') }}" + file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231228-amd64') }}" - name: Load CASE bundle versions include_vars: diff --git a/ibm/mas_devops/playbooks/mirror_add_iot.yml b/ibm/mas_devops/playbooks/mirror_add_iot.yml index 3a356a006..961a3edbf 100644 --- a/ibm/mas_devops/playbooks/mirror_add_iot.yml +++ b/ibm/mas_devops/playbooks/mirror_add_iot.yml @@ -3,7 +3,7 @@ any_errors_fatal: true vars: - catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231031-amd64', True) }}" + catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231228-amd64', True) }}" mas_channel: "{{ lookup('env', 'MAS_CHANNEL') | default ('8.11.x', True) }}" mirror_mode: "{{ lookup('env', 'MIRROR_MODE') | default ('direct', True) }}" @@ -15,7 +15,7 @@ - name: "Debug stats if the digest image map file exists" ansible.builtin.set_fact: - file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231031-amd64') }}" + file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231228-amd64') }}" - name: Load CASE bundle versions include_vars: diff --git a/ibm/mas_devops/playbooks/mirror_add_manage.yml b/ibm/mas_devops/playbooks/mirror_add_manage.yml index 577f7c9d2..977f8f7c1 100644 --- a/ibm/mas_devops/playbooks/mirror_add_manage.yml +++ b/ibm/mas_devops/playbooks/mirror_add_manage.yml 
@@ -3,9 +3,10 @@ any_errors_fatal: true vars: - catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231031-amd64', True) }}" + catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231228-amd64', True) }}" mas_channel: "{{ lookup('env', 'MAS_CHANNEL') | default ('8.11.x', True) }}" mirror_mode: "{{ lookup('env', 'MIRROR_MODE') | default ('direct', True) }}" + mirror_icd: "{{ lookup('env', 'MIRROR_MAS_ICD') }}" pre_tasks: - name: "Get stats for the catalog file" @@ -15,7 +16,7 @@ - name: "Debug stats if the digest image map file exists" ansible.builtin.set_fact: - file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231031-amd64') }}" + file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231228-amd64') }}" - name: Load CASE bundle versions include_vars: @@ -30,6 +31,7 @@ case_name: ibm-mas-manage case_version: "{{ lookup('env', 'MAS_MANAGE_VERSION') | default (mas_manage_version[mas_channel], True) }}" exclude_images: [] + image_group_filter: "{{ (mirror_icd == 'true') | ternary ('ibmmasManage,ibmMasManage,ibmmasMaximoIT', 'ibmmasManage,ibmMasManage') }}" - name: ibm.mas_devops.mirror_images vars: diff --git a/ibm/mas_devops/playbooks/mirror_add_monitor.yml b/ibm/mas_devops/playbooks/mirror_add_monitor.yml index ae2dfb1c9..062fea4bc 100644 --- a/ibm/mas_devops/playbooks/mirror_add_monitor.yml +++ b/ibm/mas_devops/playbooks/mirror_add_monitor.yml @@ -3,7 +3,7 @@ any_errors_fatal: true vars: - catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231031-amd64', True) }}" + catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231228-amd64', True) }}" mas_channel: "{{ lookup('env', 'MAS_CHANNEL') | default ('8.11.x', True) }}" mirror_mode: "{{ lookup('env', 'MIRROR_MODE') | default ('direct', True) }}" 
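Review bot: `image_group_filter` in the `@@ -30,6 +31,7 @@` hunk compares `mirror_icd == 'true'` as a raw string, and `mirror_icd` (added in the first hunk of this file) is read from MIRROR_MAS_ICD with no default or coercion. A value such as `True` or `TRUE` therefore silently leaves the `ibmmasMaximoIT` group out of the mirror. Other flags in this patch series use `| default('true', True) | bool`, and the same form would fit here: `mirror_icd: "{{ lookup('env', 'MIRROR_MAS_ICD') | default('false', true) | bool }}"` with `image_group_filter: "{{ mirror_icd | ternary('ibmmasManage,ibmMasManage,ibmmasMaximoIT', 'ibmmasManage,ibmMasManage') }}"`.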
@@ -15,7 +15,7 @@ - name: "Debug stats if the digest image map file exists" ansible.builtin.set_fact: - file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231031-amd64') }}" + file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231228-amd64') }}" - name: Load CASE bundle versions include_vars: diff --git a/ibm/mas_devops/playbooks/mirror_add_optimizer.yml b/ibm/mas_devops/playbooks/mirror_add_optimizer.yml index 6fad4fdfd..c17e9577a 100644 --- a/ibm/mas_devops/playbooks/mirror_add_optimizer.yml +++ b/ibm/mas_devops/playbooks/mirror_add_optimizer.yml @@ -3,7 +3,7 @@ any_errors_fatal: true vars: - catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231031-amd64', True) }}" + catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231228-amd64', True) }}" mas_channel: "{{ lookup('env', 'MAS_CHANNEL') | default ('8.11.x', True) }}" mirror_mode: "{{ lookup('env', 'MIRROR_MODE') | default ('direct', True) }}" @@ -15,7 +15,7 @@ - name: "Debug stats if the digest image map file exists" ansible.builtin.set_fact: - file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231031-amd64') }}" + file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231228-amd64') }}" - name: Load CASE bundle versions include_vars: diff --git a/ibm/mas_devops/playbooks/mirror_add_predict.yml b/ibm/mas_devops/playbooks/mirror_add_predict.yml index ab9a31186..db3553657 100644 --- a/ibm/mas_devops/playbooks/mirror_add_predict.yml +++ b/ibm/mas_devops/playbooks/mirror_add_predict.yml 
@@ -3,7 +3,7 @@ any_errors_fatal: true vars: - catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231031-amd64', True) }}" + catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231228-amd64', True) }}" mas_channel: "{{ lookup('env', 'MAS_CHANNEL') | default ('8.11.x', True) }}" mirror_mode: "{{ lookup('env', 'MIRROR_MODE') | default ('direct', True) }}" @@ -15,7 +15,7 @@ - name: "Debug stats if the digest image map file exists" ansible.builtin.set_fact: - file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231031-amd64') }}" + file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231228-amd64') }}" - name: Load CASE bundle versions include_vars: diff --git a/ibm/mas_devops/playbooks/mirror_add_visualinspection.yml b/ibm/mas_devops/playbooks/mirror_add_visualinspection.yml index 28ae95c8d..ad854c848 100644 --- a/ibm/mas_devops/playbooks/mirror_add_visualinspection.yml +++ b/ibm/mas_devops/playbooks/mirror_add_visualinspection.yml @@ -9,7 +9,7 @@ any_errors_fatal: true vars: - catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231031-amd64', True) }}" + catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231228-amd64', True) }}" mas_channel: "{{ lookup('env', 'MAS_CHANNEL') | default ('8.11.x', True) }}" mirror_mode: "{{ lookup('env', 'MIRROR_MODE') | default ('direct', True) }}" @@ -21,7 +21,7 @@ - name: "Debug stats if the digest image map file exists" ansible.builtin.set_fact: - file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231031-amd64') }}" + file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231228-amd64') }}" - name: Load CASE bundle versions include_vars: diff --git a/ibm/mas_devops/playbooks/mirror_core.yml b/ibm/mas_devops/playbooks/mirror_core.yml index 33bfdc479..09541e2af 100644 --- a/ibm/mas_devops/playbooks/mirror_core.yml 
+++ b/ibm/mas_devops/playbooks/mirror_core.yml @@ -3,7 +3,7 @@ any_errors_fatal: true vars: - catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231031-amd64', True) }}" + catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231228-amd64', True) }}" mas_channel: "{{ lookup('env', 'MAS_CHANNEL') | default ('8.11.x', True) }}" mirror_mode: "{{ lookup('env', 'MIRROR_MODE') | default ('direct', True) }}" @@ -15,7 +15,7 @@ - name: "Debug stats if the digest image map file exists" ansible.builtin.set_fact: - file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231031-amd64') }}" + file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231228-amd64') }}" - name: Load CASE bundle versions include_vars: diff --git a/ibm/mas_devops/playbooks/mirror_dependencies.yml b/ibm/mas_devops/playbooks/mirror_dependencies.yml index eb7d03b46..1136b7201 100644 --- a/ibm/mas_devops/playbooks/mirror_dependencies.yml +++ b/ibm/mas_devops/playbooks/mirror_dependencies.yml @@ -3,7 +3,7 @@ any_errors_fatal: true vars: - catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231031-amd64', True) }}" + catalog_tag: "{{ lookup('env', 'MAS_CATALOG_VERSION') | default ('v8-231228-amd64', True) }}" mirror_mode: "{{ lookup('env', 'MIRROR_MODE') | default ('direct', True) }}" # 1. Catalog @@ -69,7 +69,7 @@ - name: "Debug stats if the digest image map file exists" ansible.builtin.set_fact: - file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231031-amd64') }}" + file_catalog_tag: "{{ (catalog_file_stats.stat.exists|bool) | ternary(catalog_tag, 'v8-231228-amd64') }}" - name: Load CASE bundle versions include_vars: diff --git a/ibm/mas_devops/playbooks/ocp_fyre_provision.yml b/ibm/mas_devops/playbooks/ocp_fyre_provision.yml index 9311bfa4c..a9dd525d6 100644 --- a/ibm/mas_devops/playbooks/ocp_fyre_provision.yml 
+++ b/ibm/mas_devops/playbooks/ocp_fyre_provision.yml @@ -8,6 +8,8 @@ # requires for FIPS clusters ocp_update_ciphers_for_semeru: True + fyre_config_storage: "{{ lookup('env', 'FYRE_CONFIG_STORAGE') | default('true', True) | bool }}" + pre_tasks: # For the full set of supported environment variables refer to the playbook documentation - name: Check for required environment variables @@ -21,14 +23,15 @@ roles: # 1. Provision the FYRE cluster - - ibm.mas_devops.ocp_provision + - name: ibm.mas_devops.ocp_provision # 2. Login and verify the cluster is ready - - ibm.mas_devops.ocp_login - - ibm.mas_devops.ocp_verify + - name: ibm.mas_devops.ocp_login + - name: ibm.mas_devops.ocp_verify # 3. Update the APIServer to custom for FIPS compatibility - - ibm.mas_devops.ocp_config + - name: ibm.mas_devops.ocp_config # 4. Install OpenShift Container Storage - - ibm.mas_devops.ocs + - name: ibm.mas_devops.ocs + when: fyre_config_storage diff --git a/ibm/mas_devops/playbooks/oneclick_add_assist.yml b/ibm/mas_devops/playbooks/oneclick_add_assist.yml index bdd6f1c4d..f99770762 100644 --- a/ibm/mas_devops/playbooks/oneclick_add_assist.yml +++ b/ibm/mas_devops/playbooks/oneclick_add_assist.yml @@ -11,11 +11,11 @@ # Application Dependencies cos_type: ibm cpd_service_name: wd - cpd_product_version: "{{ lookup('env', 'CPD_PRODUCT_VERSION') | default('4.5.0', true) }}" + cpd_product_version: "{{ lookup('env', 'CPD_PRODUCT_VERSION') | default('4.6.6', true) }}" # Application Installation mas_app_id: assist - mas_app_channel: "{{ lookup('env', 'MAS_APP_CHANNEL') | default('8.7.x', true) }}" + mas_app_channel: "{{ lookup('env', 'MAS_APP_CHANNEL') | default('8.8.x', true) }}" mas_app_spec: bindings: diff --git a/ibm/mas_devops/playbooks/oneclick_add_iot.yml b/ibm/mas_devops/playbooks/oneclick_add_iot.yml index 7ff85efd4..0b7cdc510 100644 --- a/ibm/mas_devops/playbooks/oneclick_add_iot.yml +++ b/ibm/mas_devops/playbooks/oneclick_add_iot.yml 
@@ -13,7 +13,7 @@ # Application Installation mas_app_id: iot - mas_app_channel: "{{ lookup('env', 'MAS_APP_CHANNEL') | default('8.7.x', true) }}" + mas_app_channel: "{{ lookup('env', 'MAS_APP_CHANNEL') | default('8.8.x', true) }}" # Application Configuration mas_workspace_id: "{{ lookup('env', 'MAS_WORKSPACE_ID') | default('masdev', true) }}" diff --git a/ibm/mas_devops/playbooks/oneclick_add_manage.yml b/ibm/mas_devops/playbooks/oneclick_add_manage.yml index 4bdc3c4d7..63879382d 100644 --- a/ibm/mas_devops/playbooks/oneclick_add_manage.yml +++ b/ibm/mas_devops/playbooks/oneclick_add_manage.yml @@ -14,7 +14,7 @@ # Application Installation # mas_app_id can be set to "health" to install manage in the "Health standalone" mode from this same playbook. mas_app_id: "{{ lookup('env', 'MAS_APP_ID') | default('manage', true) }}" - mas_app_channel: "{{ lookup('env', 'MAS_APP_CHANNEL') | default('8.6.x', true) }}" + mas_app_channel: "{{ lookup('env', 'MAS_APP_CHANNEL') | default('8.7.x', true) }}" # Application Configuration mas_workspace_id: "{{ lookup('env', 'MAS_WORKSPACE_ID') | default('masdev', true) }}" diff --git a/ibm/mas_devops/playbooks/oneclick_add_monitor.yml b/ibm/mas_devops/playbooks/oneclick_add_monitor.yml index a6708898b..60b193464 100644 --- a/ibm/mas_devops/playbooks/oneclick_add_monitor.yml +++ b/ibm/mas_devops/playbooks/oneclick_add_monitor.yml @@ -13,7 +13,7 @@ vars: # Application Installation mas_app_id: monitor - mas_app_channel: "{{ lookup('env', 'MAS_APP_CHANNEL') | default('8.10.x', true) }}" + mas_app_channel: "{{ lookup('env', 'MAS_APP_CHANNEL') | default('8.11.x', true) }}" # Application Configuration mas_workspace_id: "{{ lookup('env', 'MAS_WORKSPACE_ID') | default('masdev', true) }}" diff --git a/ibm/mas_devops/playbooks/oneclick_add_optimizer.yml b/ibm/mas_devops/playbooks/oneclick_add_optimizer.yml index 05ea113ff..cbc262da5 100644 --- a/ibm/mas_devops/playbooks/oneclick_add_optimizer.yml 
+++ b/ibm/mas_devops/playbooks/oneclick_add_optimizer.yml @@ -9,7 +9,7 @@ vars: # Application Installation - mas_app_channel: "{{ lookup('env', 'MAS_APP_CHANNEL') | default('8.4.x', true) }}" + mas_app_channel: "{{ lookup('env', 'MAS_APP_CHANNEL') | default('8.5.x', true) }}" mas_app_id: optimizer # Application Configuration diff --git a/ibm/mas_devops/playbooks/oneclick_add_predict.yml b/ibm/mas_devops/playbooks/oneclick_add_predict.yml index a9cff8720..8d9c250ef 100644 --- a/ibm/mas_devops/playbooks/oneclick_add_predict.yml +++ b/ibm/mas_devops/playbooks/oneclick_add_predict.yml @@ -16,7 +16,7 @@ # Application Installation # ------------------------------------------------------------------------- mas_app_id: predict - mas_app_channel: "{{ lookup('env', 'MAS_APP_CHANNEL') | default('8.8.x', true) }}" + mas_app_channel: "{{ lookup('env', 'MAS_APP_CHANNEL') | default('8.9.x', true) }}" # Application Configuration # ------------------------------------------------------------------------- @@ -24,7 +24,7 @@ # Cloud Pak for Data Configuration # ------------------------------------------------------------------------- - cpd_product_version: "{{ lookup('env', 'CPD_PRODUCT_VERSION') | default('4.5.0', true) }}" + cpd_product_version: "{{ lookup('env', 'CPD_PRODUCT_VERSION') | default('4.6.6', true) }}" # these vars will be set by cp4d playbook, if it did not run (eg install_cp4d_platform=false), it will be set by the environment vars. cpd_url: "{{ lookup('env', 'CPD_URL') }}" diff --git a/ibm/mas_devops/playbooks/oneclick_add_visualinspection.yml b/ibm/mas_devops/playbooks/oneclick_add_visualinspection.yml index 85802a106..583edb230 100644 --- a/ibm/mas_devops/playbooks/oneclick_add_visualinspection.yml +++ b/ibm/mas_devops/playbooks/oneclick_add_visualinspection.yml 
@@ -1,5 +1,5 @@ --- -# Add (MVI) Maximo Visual Inspection 8.8.x application to an existing MAS Core installation +# Add (MVI) Maximo Visual Inspection application to an existing MAS Core installation # # Dependencies: # - ansible-playbook ibm.mas_devops.oneclick_core @@ -9,13 +9,20 @@ vars: # Application Installation - # mas_app_id can be set to "health" to install manage in the "Health standalone" mode from this same playbook. mas_app_id: visualinspection - mas_app_channel: "{{ lookup('env', 'MAS_APP_CHANNEL') | default('8.8.x', true) }}" + mas_app_channel: "{{ lookup('env', 'MAS_APP_CHANNEL') | default('8.9.x', true) }}" # Application Configuration mas_workspace_id: "{{ lookup('env', 'MAS_WORKSPACE_ID') | default('masdev', true) }}" + # Additional Condfiguration - Object Storage + configure_cos: "{{ lookup('env', 'CONFIGURE_COS') | default('false', true) | bool }}" + configure_cos_bucket: "{{ lookup('env', 'CONFIGURE_COS_BUCKET') | default('false', true) | bool }}" + cos_type: "{{ lookup('env', 'COS_TYPE') }}" + mas_app_settings_visualinspection_object_storage_enabled: "{{ lookup('env', 'MAS_APP_SETTINGS_VISUALINSPECTION_OBJECT_STORAGE_ENABLED') | default('false', true) | bool }}" + mas_app_settings_visualinspection_object_storage_bucket_default: 'mvi-bucket-{{ mas_instance_id }}-{{ mas_workspace_id }}' + mas_app_settings_visualinspection_object_storage_workspace: "{{ lookup('env', 'MAS_APP_SETTINGS_VISUALINSPECTION_OBJECT_STORAGE_WORKSPACE') | default(mas_app_settings_visualinspection_object_storage_bucket_default, true) }}" + pre_tasks: # For the full set of supported environment variables refer to the playbook documentation - name: Check for required environment variables 
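Review bot: `cos_type` in the added vars is read from COS_TYPE with no default and no validation. With object storage enabled and COS_TYPE unset or misspelled, neither `cos_type in [...]` condition in the new pre_tasks matches, so both roles are skipped without any message. Adding entries to the existing assert would fail early instead, e.g. `- not (configure_cos | bool) or cos_type in ['ibm', 'ocs']` and `- not (configure_cos_bucket | bool) or cos_type in ['ibm', 'aws']`. The default bucket name also interpolates `mas_instance_id`, which is not defined in the visible vars, so it presumably comes from elsewhere and is worth confirming. The added comment has a typo: `Condfiguration` should be `Configuration`.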
@@ -25,8 +32,36 @@ - lookup('env', 'MAS_CONFIG_DIR') != "" - lookup('env', 'IBM_ENTITLEMENT_KEY') != "" fail_msg: "One or more required environment variables are not defined" - + - include_role: + # Configure Object Storage (15 min) + # With this we are allowing options for users to also provision Object Storage instance if they don't have one setup yet + # While using cos role, users will be able to configure either OCS/ODF or IBM Cloud Object Storage instances to be used + # This will also generate the ObjectStorageCfg file that will be used to configure the target Object Storage instance + # into the target MAS instance. + name: ibm.mas_devops.cos + when: + - mas_app_settings_visualinspection_object_storage_enabled + - configure_cos + - cos_type in ['ibm','ocs'] + - include_role: + # Configure COS bucket in IBM Cloud Object Storage or AWS (10 min) + # While using the cos_bucket role, users will be able to create a bucket within the IBM cloud object storage instance + # or in AWS users can allocate an S3 bucket (no need of a instance created, s3 buckets are directly created in the AWS account) + name: ibm.mas_devops.cos_bucket + when: + - mas_app_settings_visualinspection_object_storage_enabled + - mas_app_settings_visualinspection_object_storage_workspace + - configure_cos_bucket + - cos_type in ['ibm','aws'] + vars: + ibmcos_bucket_name: "{{ mas_app_settings_visualinspection_object_storage_workspace }}" + aws_bucket_name: "{{ mas_app_settings_visualinspection_object_storage_workspace }}" roles: + # Install Nvidia Operator (~15 Minutes) - ibm.mas_devops.nvidia_gpu - - ibm.mas_devops.suite_app_install + # Apply MAS configurations related to Object Storage (~5 Minutes) + - ibm.mas_devops.suite_config + # Deploy Visual Inspection (~15 Minutes) + - name: ibm.mas_devops.suite_app_install + # Activate Visual Inspection in workspace (~15 Minutes) - ibm.mas_devops.suite_app_config 
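Review bot: The second `include_role` lists `mas_app_settings_visualinspection_object_storage_workspace` as a bare `when:` item, so a bucket-name string is tested for truthiness instead of a boolean. How a non-boolean conditional is treated depends on the Ansible version, so the explicit test `- mas_app_settings_visualinspection_object_storage_workspace | length > 0` states the intent more safely. `cos_type` from the previous hunk has no default, so both `cos_type in [...]` gates silently skip the roles when `COS_TYPE` is unset even if `CONFIGURE_COS` is true; a comment or an assert saying that is intended would help. Also, `- name: ibm.mas_devops.suite_app_install` is the only `roles:` entry written as a mapping, and `- ibm.mas_devops.suite_app_install` would match its neighbours.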
diff --git a/ibm/mas_devops/playbooks/oneclick_update.yml b/ibm/mas_devops/playbooks/oneclick_update.yml index a35588681..337815f7c 100644 --- a/ibm/mas_devops/playbooks/oneclick_update.yml +++ b/ibm/mas_devops/playbooks/oneclick_update.yml @@ -5,7 +5,7 @@ - name: Check for required environment variables assert: that: lookup('env', 'MAS_CATALOG_VERSION') != "" - fail_msg: "You must provide the catalog version to update to (e.g. 'v8-230829-amd64', 'v8-231031-amd64')" + fail_msg: "You must provide the catalog version to update to (e.g. 'v8-230829-amd64', 'v8-231228-amd64')" roles: - ibm.mas_devops.ibm_catalogs diff --git a/ibm/mas_devops/roles/cert_manager/README.md b/ibm/mas_devops/roles/cert_manager/README.md index 52f66e049..ce143af0b 100644 --- a/ibm/mas_devops/roles/cert_manager/README.md +++ b/ibm/mas_devops/roles/cert_manager/README.md 
@@ -1,35 +1,66 @@ cert_manager =============================================================================== -Deploy the **IBM Certificate Manager Operator** into the target OCP cluster in the `ibm-common-services` namespace. +Deploy **IBM Certificate Manager Operator** or ****Red Hat Certificate Manager Operator** into the target OCP cluster. + +- IBM Certificate Manager Operator and Operand will be installed into the `ibm-common-services` namespace +- Red Hat Certificate Manager Operatos will be installed into the `cert-manager-operator` namespace and the Operand will be created in the `cert-manager` namespace. + +The role supports migrtation from an existing IBM Certificate Manager install to the Red Hat Certificate Manager, and will configure the cluster resources namespace to `ibm-common-services` in this case to ensure compatibility with all existing `ClusterIssuers`. Prerequisites ------------------------------------------------------------------------------- -To run this role successfully you must have already installed a CatalogSource that contains IBM Certificate Manager and installed the **IBM Cloud Pak Foundational Services Operator**. These tasks can be achieved using the [ibm_catalogs](ibm_catalogs.md) and [common_services](common_services.md) roles in this collection. +### IBM Certificate Manager +You must have already installed a CatalogSource that contains IBM Certificate Manager and installed the **IBM Cloud Pak Foundational Services Operator**. These tasks can be achieved using the [ibm_catalogs](ibm_catalogs.md) and [common_services](common_services.md) roles in this collection. + + +### Red Hat Certificate Manager +You must have already installed the **Red Hat Operators** CatalogSource. Role Variables ------------------------------------------------------------------------------- ### cert_manager_action -Inform the role whether to perform an install or an uninstall of IBM Certificate Manager. 
+Inform the role whether to perform an `install` or an `uninstall` the Certificate Manager service, action can also be set to `none` to instruct the role to take no action. - Optional - Environment Variable: `CERT_MANAGER_ACTION` - Default: `install` +### cert_manager_provider +Choose which flavour of Certificate Manager to install; IBM (`ibm`), or Red Hat (`redhat`) + +- Optional +- Environment Variable: `CERT_MANAGER_PROVIDER` +- Default: `ibm` + Example Playbook ------------------------------------------------------------------------------- After installing the Ansible Collection you can include this role in your own custom playbooks. +### IBM Certificate Manager ```yaml - hosts: localhost + vars: + - cert_manager_action: install + - cert_manager_provider: ibm roles: - ibm.mas_devops.ibm_catalogs - ibm.mas_devops.common_services - ibm.mas_devops.cert_manager ``` +### Red Hat Certificate Manager +```yaml +- hosts: localhost + vars: + - cert_manager_action: install + - cert_manager_provider: redhat + roles: + - ibm.mas_devops.cert_manager +``` + Run Role Playbook ------------------------------------------------------------------------------- diff --git a/ibm/mas_devops/roles/cert_manager/defaults/main.yml b/ibm/mas_devops/roles/cert_manager/defaults/main.yml index c347e71b1..6080524e8 100644 --- a/ibm/mas_devops/roles/cert_manager/defaults/main.yml +++ b/ibm/mas_devops/roles/cert_manager/defaults/main.yml 
@@ -1,2 +1,24 @@ --- +# Certificate Manager variables cert_manager_action: "{{ lookup('env', 'CERT_MANAGER_ACTION') | default('install', true) }}" +cert_manager_provider: "{{ lookup('env', 'CERT_MANAGER_PROVIDER') | default('ibm', true) }}" + +cert_manager_defaults: + redhat: + channel: "{{ lookup('env', 'REDHAT_CERT_MANAGER_CHANNEL') | default('stable-v1', true) }}" + operator_namespace: "cert-manager-operator" + operand_namespace: "cert-manager" + ibm: + channel: "Automatically defined by IBM Cloud Pak Foundational Services" + operator_namespace: "ibm-common-services" + operand_namespace: "ibm-common-services" + +cert_manager_operator_namespace: "{{ cert_manager_defaults[cert_manager_provider].operator_namespace }}" +cert_manager_namespace: "{{ cert_manager_defaults[cert_manager_provider].operand_namespace }}" +cert_manager_channel: "{{ cert_manager_defaults[cert_manager_provider].channel }}" + +# Namespace to setup ClusterIssuers when referencing a secret via the secretName field +# ClusterIssuers' secrets will be looked for in the Cluster Resource Namespace defined +# Default value is the namespace where cert-manager is running which is automatically detected (thus default is empty) +# https://cert-manager.io/docs/configuration/ +cert_manager_cluster_resource_namespace: "" diff --git a/ibm/mas_devops/roles/cert_manager/meta/main.yml b/ibm/mas_devops/roles/cert_manager/meta/main.yml index b9198512e..c665c8b8e 100644 --- a/ibm/mas_devops/roles/cert_manager/meta/main.yml +++ b/ibm/mas_devops/roles/cert_manager/meta/main.yml @@ -1,5 +1,5 @@ galaxy_info: - author: David Parker (@durera) + author: David Parker (@durera) & André Marcelino (@andrercm) description: Deploy cert-manager operator company: IBM diff --git a/ibm/mas_devops/roles/cert_manager/tasks/main.yml b/ibm/mas_devops/roles/cert_manager/tasks/main.yml index e841f0dfe..b5fdbae57 100644 --- a/ibm/mas_devops/roles/cert_manager/tasks/main.yml +++ b/ibm/mas_devops/roles/cert_manager/tasks/main.yml 
@@ -1,4 +1,13 @@ --- +- name: Debug Certificate Manager + debug: + msg: + - "Action ................................... {{ cert_manager_action }}" + - "Provider ................................. {{ cert_manager_provider }}" + - "Operator Namespace ....................... {{ cert_manager_operator_namespace }}" + - "Operand Namespace ........................ {{ cert_manager_namespace }}" + - "Channel .................................. {{ cert_manager_channel }}" + - name: "Execute the chosen action" - include_tasks: "tasks/actions/{{ cert_manager_action }}.yml" + include_tasks: "tasks/provider/{{ cert_manager_provider }}/{{ cert_manager_action }}.yml" when: cert_manager_action != "none" diff --git a/ibm/mas_devops/roles/cert_manager/tasks/prereqs-migration.yml b/ibm/mas_devops/roles/cert_manager/tasks/prereqs-migration.yml new file mode 100644 index 000000000..89d739754 --- /dev/null +++ b/ibm/mas_devops/roles/cert_manager/tasks/prereqs-migration.yml 
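Review bot: The `include_tasks` path is now built from two environment-derived values, `cert_manager_provider` and `cert_manager_action`, and neither is checked against the supported set before use. A typo in `CERT_MANAGER_PROVIDER` would surface as an undefined-key error when `cert_manager_defaults[cert_manager_provider]` from defaults/main.yml is resolved in the new debug task, or as a missing-file error at the include, rather than as a clear message. An `assert` placed before the debug task with `- cert_manager_provider in ['ibm', 'redhat']` and `- cert_manager_action in ['install', 'uninstall', 'none']` would fail early and keep the include confined to the task files the role ships.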
@@ -0,0 +1,49 @@ +--- +# 1. If IBM Certificate Manager is installed, store configmap know that migration to Red Hat Cert Manager is needed +# This will help if something fails in the middle of the migration and need to rerun the automation +# but IBM Certificate Manager might have been gone already +# ----------------------------------------------------------------------------- +- name: "prereqs-migration: Patch mas-rh-cert-manager-config to define migration is needed" + kubernetes.core.k8s: + merge_type: merge + api_version: v1 + kind: ConfigMap + name: mas-rh-cert-manager-config + namespace: ibm-common-services + definition: + data: + cert_manager_cluster_resource_namespace: ibm-common-services + +# 2. Delete IBM Certificate Manager resources - OperandRequest +# ----------------------------------------------------------------------------- +- name: "prereqs-migration: Delete IBM Cert-Manager OperandRequest" + kubernetes.core.k8s: + state: absent + template: "templates/ibm/ibm-cert-manager.yml" + wait: yes + wait_timeout: 600 + +# 3. 
Delete IBM Certificate Manager resources - Default custom resource +# This will delete all IBM Certificate Manager pods but will keep the ibm-cert-manager-operator (still going to be needed to delegate requests to Red Hat Certificate Manager) +# ----------------------------------------------------------------------------- +- name: "prereqs-migration: Delete the IBM Cert-Manager default Custom Resource" + kubernetes.core.k8s: + state: absent + api_version: "operator.ibm.com/v1alpha1" + kind: "CertManager" + name: "default" + wait: true + wait_timeout: 600 # 10 minutes + +- name: "prereqs-migration: Wait for cert-manager-webhook deployment to be terminated" + kubernetes.core.k8s_info: + api_version: apps/v1 + name: cert-manager-webhook + namespace: ibm-common-services + kind: Deployment + register: certmanager_webhook_deployment + until: + - certmanager_webhook_deployment.resources is defined + - certmanager_webhook_deployment.resources | length == 0 + retries: 10 + delay: 30 # seconds diff --git a/ibm/mas_devops/roles/cert_manager/tasks/actions/install.yml b/ibm/mas_devops/roles/cert_manager/tasks/provider/ibm/install.yml similarity index 77% rename from ibm/mas_devops/roles/cert_manager/tasks/actions/install.yml rename to ibm/mas_devops/roles/cert_manager/tasks/provider/ibm/install.yml index a50a8a329..188635991 100644 --- a/ibm/mas_devops/roles/cert_manager/tasks/actions/install.yml +++ b/ibm/mas_devops/roles/cert_manager/tasks/provider/ibm/install.yml 
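Review bot: These tasks delete the IBM OperandRequest and the `default` CertManager resource before anything has confirmed that the Red Hat operator can be installed; provider/redhat/install.yml includes this file at step 3, ahead of the namespace and Subscription in step 4. If the Subscription then fails, for example because the `redhat-operators` source is unavailable, the cluster is presumably left without a running cert-manager, and issuance and renewal stop until the play is re-run. Consider a pre-flight lookup of the catalog source before the first delete. A header comment should also state that the steps are destructive and that the `mas-rh-cert-manager-config` ConfigMap written in step 1 is what allows a re-run to resume the migration.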
@@ -2,32 +2,30 @@ # This will result in the following operators being installed in the ibm-common-services namespace # - IBM Cert Manager -# 1. Check whether JetStack cert-manager is installed +# 1. Check whether Certificate Manager is installed # ----------------------------------------------------------------------------- -- name: Check if Cert Manager is already installed +- name: Check if Certificate Manager is already installed kubernetes.core.k8s_info: api_version: v1 name: cert-manager namespace: "cert-manager" kind: Deployment - register: jetstack_lookup + register: certmanager_lookup - -# 2. Prevent installation of IBM Certificate Manager if JetStack installed +# 2. Prevent installation of IBM Certificate Manager if already installed # ----------------------------------------------------------------------------- -- name: "Check that JetStack Cert Manager is not installed" +- name: "Check that Certificate Manager not installed" assert: that: - - jetstack_lookup.resources is defined - - jetstack_lookup.resources | length == 0 - fail_msg: "JetStack Certificate Manager is already installed in the cert-manager namespace. Installing IBM Certificate Manager on the same cluster will create a conflict" - + - certmanager_lookup.resources is defined + - certmanager_lookup.resources | length == 0 + fail_msg: "Certificate Manager is already installed in the cert-manager namespace. Installing IBM Certificate Manager on the same cluster will create a conflict" # 3. Install IBM Certificate Manager # ----------------------------------------------------------------------------- - name: Install Foundation Services ibm-cert-manager operand request kubernetes.core.k8s: - template: 'templates/ibm-cert-manager.yml' + template: "templates/{{ cert_manager_provider }}/ibm-cert-manager.yml" wait: yes wait_timeout: 120 
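Review bot: The lookup that guards against an existing cert-manager queries `kind: Deployment` with `api_version: v1`, while the other Deployment lookups in this patch use `apps/v1`. Deployments are served from the `apps` group, so this query most likely returns an empty list and the `assert` that follows passes even when a `cert-manager` Deployment is present. That matters more now that the Red Hat provider installs its operand into the `cert-manager` namespace, and `api_version: apps/v1` would make the conflict check effective. Those lines are unchanged context here, but the renamed `certmanager_lookup` register and the reworded messages sit directly around them; the task file continues outside the hunk.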
@@ -67,6 +65,6 @@ - name: Increase common service cpu limit to account for increased cert privateKey sizings kubernetes.core.k8s: - template: 'templates/ibm-cert-manager-common-service.yml' + template: "templates/{{ cert_manager_provider }}/ibm-cert-manager-common-service.yml" wait: yes wait_timeout: 120 diff --git a/ibm/mas_devops/roles/cert_manager/tasks/actions/uninstall.yml b/ibm/mas_devops/roles/cert_manager/tasks/provider/ibm/uninstall.yml similarity index 78% rename from ibm/mas_devops/roles/cert_manager/tasks/actions/uninstall.yml rename to ibm/mas_devops/roles/cert_manager/tasks/provider/ibm/uninstall.yml index 87763fb3d..b712f20cb 100644 --- a/ibm/mas_devops/roles/cert_manager/tasks/actions/uninstall.yml +++ b/ibm/mas_devops/roles/cert_manager/tasks/provider/ibm/uninstall.yml @@ -1,24 +1,10 @@ --- - -# 1. Delete the cs-ca-certificate Certificate -# ----------------------------------------------------------------------------- -- name: "uninstall : Delete cs-ca-certificate Certificate" - kubernetes.core.k8s: - state: absent - api_version: cert-manager.io/v1 - kind: Certificate - name: cs-ca-certificate - namespace: ibm-common-services - wait: yes - wait_timeout: 600 - - -# 2. Delete the Cert-Manager OperandRequest +# 1. Delete the Cert-Manager OperandRequest # ----------------------------------------------------------------------------- - name: "uninstall : Delete Cert-Manager OperandRequest" kubernetes.core.k8s: state: absent - template: "templates/ibm-cert-manager.yml" + template: "templates/{{ cert_manager_provider }}/ibm-cert-manager.yml" wait: yes wait_timeout: 600 @@ -48,7 +34,6 @@ retries: 10 delay: 30 # seconds - # 3. Delete the cs-ca and cs ss Issuers # ----------------------------------------------------------------------------- # We have to delete these after deleting the operator, otherwise they are 
diff --git a/ibm/mas_devops/roles/cert_manager/tasks/provider/redhat/install.yml b/ibm/mas_devops/roles/cert_manager/tasks/provider/redhat/install.yml new file mode 100644 index 000000000..00429ed70 --- /dev/null +++ b/ibm/mas_devops/roles/cert_manager/tasks/provider/redhat/install.yml 
@@ -0,0 +1,181 @@ +--- +# The following Red Hat Certificate subscription/operator will be installed in the 'cert-manager-operator' namespace: +# - cert-manager-operator-controller-manager +# +# The following Red Hat Certificate deployment and pods will be installed in the 'cert-manager' namespace: +# - cert-manager +# - cert-manager-cainjector +# - cert-manager-webhook + +# 1. Check whether IBM Certificate Manager cert-manager is installed +# ----------------------------------------------------------------------------- +- name: "install: Check if IBM Certificate Manager is already installed" + kubernetes.core.k8s_info: + api_version: operator.ibm.com/v1alpha1 + name: common-service + namespace: "ibm-common-services" + kind: OperandRequest + register: cs_operand_lookup + +- set_fact: + cpfs_cm_installed: "{{ cs_operand_lookup.resources[0].spec.requests[0].operands[0].name == 'ibm-cert-manager-operator'}}" + when: + - cs_operand_lookup.resources[0].spec.requests[0].operands[0].name is defined + +- debug: + msg: "IBM Certificate Manager installed .................... {{ cpfs_cm_installed | default(false, true) | bool }}" + +# 2. Disable IBM Cert Manager OperandRequest +# ----------------------------------------------------------------------------- +# This step will configure ibm-cert-manager-operator to make use of a +# self managed CNCF cert-manager, so that no additional operands are installed. +# Add deployCSCertManagerOperands: "false" to the data. +# Using 'merge' just in case the configmap is already present +- name: "install: Disable IBM Cert Manager OperandRequest via ibm-ccp-config" + kubernetes.core.k8s: + merge_type: merge + template: "templates/{{ cert_manager_provider }}/ibm-cpp-configmap.yml.j2" + wait: yes + wait_timeout: 120 # 2 minutes + +# 3. 
If IBM Certificate Manager is installed, run pre-requisite steps to migrate to Red Hat Certificate Manager +# - Set 'cert_manager_cluster_resource_namespace: ibm-common-services' in CertManager CR +# - Delete IBM Certificate Manager OperandRequest +# - Delete IBM Certificate Manager Custom Resource +# - Wait IBM Certificate Manager deployment to be gone +# ----------------------------------------------------------------------------- +- name: "install: Prepare migration to Red Hat Certificate Manager" + include_tasks: prereqs-migration.yml + when: + - cpfs_cm_installed is defined + - cpfs_cm_installed is true + +# 4. Install Red Hat Certificate Manager +# ----------------------------------------------------------------------------- +- name: "install: Check if operator group is present in {{ cert_manager_operator_namespace }} already" + kubernetes.core.k8s_info: + namespace: "{{ cert_manager_operator_namespace }}" + kind: OperatorGroup + register: og_info + +- name: "install: Create Red Hat Certificate Manager operator namespace" + kubernetes.core.k8s: + template: "templates/redhat/namespace.yml.j2" + wait: yes + wait_timeout: 120 + +- name: "install: Install Red Hat Certificate Manager subscription" + kubernetes.core.k8s: + template: "templates/redhat/subscription.yml.j2" + wait: yes + wait_timeout: 120 + +- name: "install: Wait for Red Hat cert-manager-operator-controller-manager to be ready (60s delay)" + kubernetes.core.k8s_info: + api_version: apps/v1 + name: cert-manager-operator-controller-manager + namespace: "{{ cert_manager_operator_namespace }}" + kind: Deployment + register: certmanager_deployment + until: + - certmanager_deployment.resources is defined + - certmanager_deployment.resources | length > 0 + - certmanager_deployment.resources[0].status is defined + - certmanager_deployment.resources[0].status.replicas is defined + - certmanager_deployment.resources[0].status.readyReplicas is defined + - certmanager_deployment.resources[0].status.readyReplicas 
== certmanager_deployment.resources[0].status.replicas + retries: 30 # Approximately 1/2 hour before we give up + delay: 60 # 1 minute + +- name: "install: Wait for CertManager Cluster Custom Resource to be created" + kubernetes.core.k8s_info: + api_version: operator.openshift.io/v1alpha1 + name: cluster + kind: CertManager + register: certmanager_cluster_cr + until: + - certmanager_cluster_cr.resources is defined + - certmanager_cluster_cr.resources | length > 0 + retries: 10 # Approximately 5 minutes before we give up + delay: 30 # 30 seconds + +- name: "install: Lookup mas-rh-cert-manager-config configmap" + kubernetes.core.k8s_info: + api_version: v1 + name: mas-rh-cert-manager-config + namespace: ibm-common-services + kind: ConfigMap + register: configmap_output + +- name: "install: Set Certificate Manager Cluster Resource Namespace from ibm-ccp-config configmap data" + set_fact: + cert_manager_cluster_resource_namespace: "{{ configmap_output.resources[0].data.cert_manager_cluster_resource_namespace }}" + when: configmap_output.resources[0].data.cert_manager_cluster_resource_namespace is defined + +- debug: + msg: "Certificate Manager Cluster Resource Namespace .............. {{ cert_manager_cluster_resource_namespace | default(cert_manager_namespace, true )}}" + +# The ClusterIssuer resource is cluster scoped. This means that when referencing a secret via the secretName field +# secrets will be looked for in the Cluster Resource Namespace. 
By default, this namespace is cert-manager +# however it can be changed via '--cluster-resource-namespace' on the cert-manager-controller +- name: "install: Patch CertManager CR to define Cluster Resource Namespace" + kubernetes.core.k8s: + merge_type: merge + definition: "{{ lookup('template', 'templates/redhat/cert-manager-cluster.yml.j2') }}" + +- name: "install: Wait for Red Hat cert-manager-operator to be up again (60s delay)" + kubernetes.core.k8s_info: + api_version: apps/v1 + name: cert-manager + namespace: "{{ cert_manager_namespace }}" + kind: Deployment + register: certmanager_deployment + until: + - certmanager_deployment.resources is defined + - certmanager_deployment.resources | length > 0 + - certmanager_deployment.resources[0].status is defined + - certmanager_deployment.resources[0].status.replicas is defined + - certmanager_deployment.resources[0].status.readyReplicas is defined + - certmanager_deployment.resources[0].status.readyReplicas == certmanager_deployment.resources[0].status.replicas + retries: 30 # Approximately 1/2 hour before we give up + delay: 60 # 1 minute + +- name: "install: Wait for Red Hat cert-manager-webhook deployment to be ready (60s delay)" + kubernetes.core.k8s_info: + api_version: apps/v1 + name: cert-manager-webhook + namespace: "{{ cert_manager_namespace }}" + kind: Deployment + register: certmanager_webhook_deployment + until: + - certmanager_webhook_deployment.resources is defined + - certmanager_webhook_deployment.resources | length > 0 + - certmanager_webhook_deployment.resources[0].status is defined + - certmanager_webhook_deployment.resources[0].status.replicas is defined + - certmanager_webhook_deployment.resources[0].status.readyReplicas is defined + - certmanager_webhook_deployment.resources[0].status.readyReplicas == certmanager_webhook_deployment.resources[0].status.replicas + retries: 60 # Approximately 1/2 hour before we give up + delay: 60 # 1 minute + +# 5. 
Update IBM CIS Webhook Cluster Role Binding to point to Red Hat Certificate Manager +# ----------------------------------------------------------------------------- +# Assuming IBM Certificate Manager is being migrated to Red Hat Certificate Manager, +# if cert-manager-webhook-ibm-cis pod is running as part of the CIS configuration (suite_dns role) +# then Cluster Role Binding 'cert-manager-webhook-ibm-cis:domain-solver' needs to be updated to +# lookup to the new Red Hat Certificate Manager service account and namespace +# otherwise the Red Hat Certificate Manager won't have enough permissions to resolve DNS domains due the following error: +# +# cis.acme.cis.ibm.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "cis" in API group "acme.cis.ibm.com" at the cluster scope +# +# The following step will allow Red Hat Certificate Manager to work with CIS webhook seamlessly after migration (if that's already configured in the target cluster) +- name: "install: Check if cert-manager-webhook-ibm-cis is running" + shell: oc get pods -A | grep cert-manager-webhook-ibm-cis | awk '{print $1}' # should return the namespace where the cert-manager-webhook-ibm-cis is running i.e ibm-common-services + register: cert_manager_webhook_cis_lookup + +- name: "install: Update cert-manager-webhook-ibm-cis cluster role binding to point to Red Hat Certificate Manager install" + vars: + cert_manager_service_account: cert-manager + kubernetes.core.k8s: + merge_type: merge + definition: "{{ lookup('template', 'templates/redhat/cert-manager-webhook-ibm-cis-crb.yml.j2') }}" + when: cert_manager_webhook_cis_lookup.stdout_lines | length > 0 diff --git a/ibm/mas_devops/roles/cert_manager/tasks/provider/redhat/uninstall.yml b/ibm/mas_devops/roles/cert_manager/tasks/provider/redhat/uninstall.yml new file mode 100644 index 000000000..8a2f25502 --- /dev/null +++ b/ibm/mas_devops/roles/cert_manager/tasks/provider/redhat/uninstall.yml 
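Review bot: Step 5 rewrites the cluster-scoped `cert-manager-webhook-ibm-cis:domain-solver` ClusterRoleBinding whenever `oc get pods -A | grep cert-manager-webhook-ibm-cis` prints anything, so a substring match on any pod name in any namespace is enough to trigger an RBAC change. The shell task also reports `changed` on every run and adds a dependency on the `oc` binary that the rest of the file avoids. Looking up the binding itself with `kubernetes.core.k8s_info` ties the patch to the object being patched; the trade-off is that the binding is then updated even if the webhook pod is not currently running. Separately, the last webhook wait uses `retries: 60` with `delay: 60` but is commented as about half an hour.

```yaml
# … unchanged: steps 1-4 …
- name: "install: Check if the cert-manager-webhook-ibm-cis cluster role binding exists"
  kubernetes.core.k8s_info:
    api_version: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    name: "cert-manager-webhook-ibm-cis:domain-solver"
  register: cert_manager_webhook_cis_lookup

- name: "install: Update cert-manager-webhook-ibm-cis cluster role binding to point to Red Hat Certificate Manager install"
  # … unchanged: vars, kubernetes.core.k8s, merge_type, definition …
  when: cert_manager_webhook_cis_lookup.resources | length > 0
```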
@@ -0,0 +1,21 @@
+---
+# Uninstall Red Hat Certificate Manager
+# https://docs.openshift.com/container-platform/4.12/security/cert_manager_operator/cert-manager-operator-uninstall.html
+# -----------------------------------------------------------------------------
+- name: "uninstall : Delete Red Hat Certificate Manager namespace: {{ cert_manager_operator_namespace }}"
+ kubernetes.core.k8s:
+ state: absent
+ api_version: project.openshift.io/v1
+ kind: Project
+ name: "{{ cert_manager_operator_namespace }}"
+ wait: yes
+ wait_timeout: 600
+
+- name: "uninstall : Delete Red Hat Certificate Manager namespace: {{ cert_manager_namespace }}"
+ kubernetes.core.k8s:
+ state: absent
+ api_version: project.openshift.io/v1
+ kind: Project
+ name: "{{ cert_manager_namespace }}"
+ wait: yes
+ wait_timeout: 600
diff --git a/ibm/mas_devops/roles/cert_manager/templates/ibm-cert-manager-common-service.yml b/ibm/mas_devops/roles/cert_manager/templates/ibm/ibm-cert-manager-common-service.yml
similarity index 100%
rename from ibm/mas_devops/roles/cert_manager/templates/ibm-cert-manager-common-service.yml
rename to ibm/mas_devops/roles/cert_manager/templates/ibm/ibm-cert-manager-common-service.yml
diff --git a/ibm/mas_devops/roles/cert_manager/templates/ibm-cert-manager.yml b/ibm/mas_devops/roles/cert_manager/templates/ibm/ibm-cert-manager.yml
similarity index 100%
rename from ibm/mas_devops/roles/cert_manager/templates/ibm-cert-manager.yml
rename to ibm/mas_devops/roles/cert_manager/templates/ibm/ibm-cert-manager.yml
diff --git a/ibm/mas_devops/roles/cert_manager/templates/redhat/cert-manager-cluster.yml.j2 b/ibm/mas_devops/roles/cert_manager/templates/redhat/cert-manager-cluster.yml.j2
new file mode 100644
index 000000000..6cf925940
--- /dev/null
+++ b/ibm/mas_devops/roles/cert_manager/templates/redhat/cert-manager-cluster.yml.j2
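Review bot: The uninstall removes only the two Projects and leaves behind what the install path changed outside them: the `cert-manager-webhook-ibm-cis:domain-solver` ClusterRoleBinding subject, the `deployCSCertManagerOperands: "false"` entry in `ibm-cpp-config`, and the `mas-rh-cert-manager-config` ConfigMap. The binding is the one to care about, because it keeps granting the cluster role to a `cert-manager` service account in a namespace that no longer exists, so whatever later recreates that namespace and account would presumably inherit the grant. Consider removing or restoring that subject here. The header comment should also say which cluster-scoped objects, such as the `cluster` CertManager resource, are intentionally left in place.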
@@ -0,0 +1,20 @@
+# - if IBM Certificate Manager is present, while migrating to red hat cert manager, add '--cluster-resource-namespace' to CertManager CR
+# so that it keeps watching for cluster issuer's secrets in 'ibm-common-services' namespace (existing MAS instances)
+# - if IBM Certificate Manager is not present, then don't customize '--cluster-resource-namespace' in CertManager CR
+# as the default will be $POD_NAMESPACE which will end up being the namespace where Red Hat Certificate Manager operator is located ('cert-manager-operator)
+---
+apiVersion: operator.openshift.io/v1alpha1
+kind: CertManager
+metadata:
+ name: "cluster"
+spec:
+ controllerConfig:
+ overrideArgs:
+ - "--dns01-recursive-nameservers-only"
+ - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53"
+{% if cert_manager_cluster_resource_namespace is defined and cert_manager_cluster_resource_namespace | length > 0 %}
+ unsupportedConfigOverrides:
+ controller:
+ args:
+ - "--cluster-resource-namespace={{ cert_manager_cluster_resource_namespace }}"
+{% endif %}
diff --git a/ibm/mas_devops/roles/cert_manager/templates/redhat/cert-manager-webhook-ibm-cis-crb.yml.j2 b/ibm/mas_devops/roles/cert_manager/templates/redhat/cert-manager-webhook-ibm-cis-crb.yml.j2
new file mode 100644
index 000000000..d3ff7ee6e
--- /dev/null
+++ b/ibm/mas_devops/roles/cert_manager/templates/redhat/cert-manager-webhook-ibm-cis-crb.yml.j2
@@ -0,0 +1,16 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: "cert-manager-webhook-ibm-cis:domain-solver"
+ labels:
+ app: "cert-manager-webhook-ibm-cis"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: "cert-manager-webhook-ibm-cis:domain-solver"
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: "{{ cert_manager_service_account }}"
+ namespace: "{{ cert_manager_namespace }}"
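Review bot: The `overrideArgs` list hard-codes `--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53` together with `--dns01-recursive-nameservers-only`, so every DNS-01 self-check on the cluster is forced through two public resolvers regardless of the cluster's own DNS policy. On clusters with restricted egress or split-horizon DNS the challenges would likely fail, and the names being validated are disclosed to third-party resolvers. Making the resolver list a role variable with this value as its default, e.g. `- "--dns01-recursive-nameservers={{ cert_manager_dns01_recursive_nameservers }}"` (variable name is a suggestion), and emitting both arguments only when it is non-empty would keep current behaviour while letting operators opt out. The header comment also says the default namespace would be the operator's `cert-manager-operator`, whereas the README in this patch places the operand in `cert-manager`; that is worth reconciling.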
diff --git a/ibm/mas_devops/roles/cert_manager/templates/redhat/ibm-cpp-configmap.yml.j2 b/ibm/mas_devops/roles/cert_manager/templates/redhat/ibm-cpp-configmap.yml.j2
new file mode 100644
index 000000000..5c3437277
--- /dev/null
+++ b/ibm/mas_devops/roles/cert_manager/templates/redhat/ibm-cpp-configmap.yml.j2
@@ -0,0 +1,8 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: ibm-cpp-config
+ namespace: ibm-common-services
+data:
+ deployCSCertManagerOperands: "false"
diff --git a/ibm/mas_devops/roles/cert_manager/templates/redhat/namespace.yml.j2 b/ibm/mas_devops/roles/cert_manager/templates/redhat/namespace.yml.j2
new file mode 100644
index 000000000..957914290
--- /dev/null
+++ b/ibm/mas_devops/roles/cert_manager/templates/redhat/namespace.yml.j2
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ cert_manager_operator_namespace }}
diff --git a/ibm/mas_devops/roles/cert_manager/templates/redhat/subscription.yml.j2 b/ibm/mas_devops/roles/cert_manager/templates/redhat/subscription.yml.j2
new file mode 100644
index 000000000..9289727a0
--- /dev/null
+++ b/ibm/mas_devops/roles/cert_manager/templates/redhat/subscription.yml.j2
@@ -0,0 +1,23 @@
+{% if og_info.resources | length ==0 %}
+---
+apiVersion: operators.coreos.com/v1alpha2
+kind: OperatorGroup
+metadata:
+ name: operatorgroup
+ namespace: {{ cert_manager_operator_namespace }}
+spec:
+ targetNamespaces:
+ - {{ cert_manager_operator_namespace }}
+{% endif %}
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ name: openshift-cert-manager-operator
+ namespace: {{ cert_manager_operator_namespace }}
+spec:
+ channel: {{ cert_manager_channel }} # stable-v1
+ installPlanApproval: Automatic
+ name: openshift-cert-manager-operator
+ source: redhat-operators
+ sourceNamespace: openshift-marketplace
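Review bot: The `ibm-cpp-config` ConfigMap is hard-wired to `namespace: ibm-common-services`, and provider/redhat/install.yml applies it unconditionally at step 2, before any namespace is created. The README's Red Hat example runs only `ibm.mas_devops.cert_manager`, and nothing visible in this role creates `ibm-common-services`, so on a cluster without Foundational Services the apply would presumably fail with a missing-namespace error. Either create the namespace first or skip the task when the namespace lookup returns nothing. The task name in install.yml also spells the object `ibm-ccp-config`, which does not match the `ibm-cpp-config` name used here.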
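Review bot: In subscription.yml.j2, `installPlanApproval: Automatic` and `source: redhat-operators` are fixed, so new operator versions on the channel are applied to the component that issues the cluster's certificates without any review step, and the role cannot be pointed at a mirrored or pinned catalog. Exposing both as role variables with these values as defaults would keep behaviour and give operators control over updates. The templated scalars are also unquoted; `channel: "{{ cert_manager_channel }}"` and `namespace: "{{ cert_manager_operator_namespace }}"` (the same applies in namespace.yml.j2) protect against an empty or boolean-looking expansion. The trailing `# stable-v1` comment will go stale once `REDHAT_CERT_MANAGER_CHANNEL` is overridden.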
diff --git a/ibm/mas_devops/roles/common_services/tasks/actions/install.yml b/ibm/mas_devops/roles/common_services/tasks/actions/install.yml index bf777293d..3811fdf8a 100644 --- a/ibm/mas_devops/roles/common_services/tasks/actions/install.yml +++ b/ibm/mas_devops/roles/common_services/tasks/actions/install.yml @@ -45,6 +45,12 @@ - "Channel ................................ {{ common_services_channel }}" - "Source ................................. {{ common_services_catalog_source }}" +- name: "Create ibm-common-services namespace" + kubernetes.core.k8s: + definition: "{{ lookup('template', 'templates/namespace.yml.j2') }}" + wait: yes + wait_timeout: 120 # 2 minutes + - name: "Install Foundational Services" kubernetes.core.k8s: definition: "{{ lookup('template', 'templates/subscription.yml.j2') }}" diff --git a/ibm/mas_devops/roles/common_services/templates/namespace.yml.j2 b/ibm/mas_devops/roles/common_services/templates/namespace.yml.j2 new file mode 100644 index 000000000..782dbd1f6 --- /dev/null +++ b/ibm/mas_devops/roles/common_services/templates/namespace.yml.j2 @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: ibm-common-services diff --git a/ibm/mas_devops/roles/common_services/templates/subscription.yml.j2 b/ibm/mas_devops/roles/common_services/templates/subscription.yml.j2 index e808b1aad..b9a1f9912 100644 --- a/ibm/mas_devops/roles/common_services/templates/subscription.yml.j2 +++ b/ibm/mas_devops/roles/common_services/templates/subscription.yml.j2 @@ -1,8 +1,3 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: ibm-common-services {% if og_info.resources |length ==0 %} --- apiVersion: operators.coreos.com/v1alpha2 diff --git a/ibm/mas_devops/roles/convert_to_olm/README.md b/ibm/mas_devops/roles/convert_to_olm/README.md index 44a3bd888..1120ff6b7 100644 --- a/ibm/mas_devops/roles/convert_to_olm/README.md +++ b/ibm/mas_devops/roles/convert_to_olm/README.md 
@@ -20,7 +20,7 @@ The instance ID of Maximo Application Suite. This will be used to lookup for app - Environment Variable: `MAS_INSTANCE_ID` - Default: None -### mas_catalog_source +### mas_catalog_source Defines the catalog to be used to install MAS channel subscription. - Optional @@ -62,12 +62,6 @@ Username for entitled registry. This username will be used to create the image p - Environment Variable: `MAS_ENTITLEMENT_KEY` - Default: None -### mas_upgrade_strategy -The Upgrade strategy for MAS Operator. - -- Optional -- Environment Variable: `MAS_UPGRADE_STRATEGY` -- Default: `Manual` Example Playbook ---------------- diff --git a/ibm/mas_devops/roles/convert_to_olm/defaults/main.yml b/ibm/mas_devops/roles/convert_to_olm/defaults/main.yml index 60d285673..be0ffcb18 100644 --- a/ibm/mas_devops/roles/convert_to_olm/defaults/main.yml +++ b/ibm/mas_devops/roles/convert_to_olm/defaults/main.yml @@ -4,7 +4,6 @@ mas_instance_id: "{{ lookup('ansible.builtin.env', 'MAS_INSTANCE_ID') }}" mas_app_id: "{{ lookup('ansible.builtin.env', 'MAS_APP_ID') }}" -mas_upgrade_strategy: "{{ lookup('ansible.builtin.env', 'MAS_UPGRADE_STRATEGY') | default('Manual', true) }}" mas_catalog_source: "{{ lookup('ansible.builtin.env', 'MAS_CATALOG_SOURCE') | default('ibm-operator-catalog', true) }}" mas_app_namespace: "mas-{{ mas_instance_id }}-{{ mas_app_id }}" diff --git a/ibm/mas_devops/roles/convert_to_olm/tasks/main.yml b/ibm/mas_devops/roles/convert_to_olm/tasks/main.yml index 3bc08163c..5d7ad0a0e 100644 --- a/ibm/mas_devops/roles/convert_to_olm/tasks/main.yml +++ b/ibm/mas_devops/roles/convert_to_olm/tasks/main.yml @@ -54,7 +54,6 @@ - "MAS Instance ID ........ '{{ mas_instance_id }}'" - "MAS App ID ............. '{{ mas_app_id }}'" - "MAS App Namespace ...... '{{ mas_app_namespace }}'" - - "MAS Upgrade Strategy ... '{{ mas_upgrade_strategy }}'" # 2. Check App and Determine if OLM conversion is possible # ----------------------------------------------------------------------------- 
@@ -360,56 +359,7 @@ operator_group: "{{ lookup('template', 'templates/operator-group.yml.j2') }}" subscription: "{{ lookup('template', 'templates/subscription.yml.j2') }}" - # 3.5. Approve InstallPlan(s) when in Manual subscription - # ------------------------------------------------------------------------- - - name: "Lookup and Approve Subscription: {{ supported_apps[mas_app_id]['name'] }}" - when: mas_upgrade_strategy == 'Manual' - block: - - name: Lookup Operator install plan - kubernetes.core.k8s_info: - api_version: operators.coreos.com/v1alpha1 - kind: InstallPlan - namespace: "{{ mas_app_namespace }}" - label_selectors: - - "operators.coreos.com/{{ supported_apps[mas_app_id]['csv_name'] }}.{{ mas_app_namespace }}" - register: _mas_install_plan - retries: 40 - delay: 30 # 40 x 30 seconds = 20 minutes - until: _mas_install_plan.resources | length > 0 - - - name: Approve the subscription install plan - when: - - _mas_install_plan is defined - - _mas_install_plan.resources is defined - - _mas_install_plan.resources | length > 0 - - _mas_install_plan.resources[0].status is defined - - _mas_install_plan.resources[0].status.phase is defined - - _mas_install_plan.resources[0].status.phase != "Complete" - kubernetes.core.k8s: - definition: - apiVersion: operators.coreos.com/v1alpha1 - kind: InstallPlan - metadata: - name: "{{ _mas_install_plan.resources[0].metadata.name }}" - namespace: "{{ mas_app_namespace }}" - spec: - approved: true - - # 3.6. Handle IBM Common Services Install plan approvals when - # upgrade strategy is set to Manual - # ------------------------------------------------------------------------- - # ibm-common-services operators deployed by MAS will inherit the inherit - # MAS upgrade strategy when its set to Manual, we need to iterate those to - # ensure we do approve the first install plan otherwise MAS installation - # won't succeed. 
- - name: Handle IBM Common Services InstallPlan approvals - ansible.builtin.include_tasks: tasks/ibm-common-services.yml - when: - - mas_upgrade_strategy == 'Manual' - - mas_app_id == 'core' - loop: "{{ ibm_common_services_subscription_labels }}" - - # 3.7. Verify the (main + TM) operator pods are running and ready + # 3.5. Verify the (main + TM) operator pods are running and ready # ------------------------------------------------------------------------- - name: "Check if operator is ready: {{ supported_apps[mas_app_id]['op_name'] }}" kubernetes.core.k8s_info: diff --git a/ibm/mas_devops/roles/convert_to_olm/templates/subscription.yml.j2 b/ibm/mas_devops/roles/convert_to_olm/templates/subscription.yml.j2 index 77cbc34d7..90725cce5 100644 --- a/ibm/mas_devops/roles/convert_to_olm/templates/subscription.yml.j2 +++ b/ibm/mas_devops/roles/convert_to_olm/templates/subscription.yml.j2 @@ -6,7 +6,7 @@ metadata: namespace: "{{ mas_app_namespace }}" spec: channel: "{{ app_channel }}" - installPlanApproval: "{{ mas_upgrade_strategy }}" + installPlanApproval: Automatic name: "{{ supported_apps[mas_app_id]['csv_name'] }}" source: "{{ mas_catalog_source }}" sourceNamespace: openshift-marketplace diff --git a/ibm/mas_devops/roles/cos/README.md b/ibm/mas_devops/roles/cos/README.md index 4f5f8ede2..10b8ab9d3 100644 --- a/ibm/mas_devops/roles/cos/README.md +++ b/ibm/mas_devops/roles/cos/README.md @@ -94,6 +94,12 @@ List of comma separated key=value pairs for setting custom labels on instance sp - Environment Variable: `CUSTOM_LABELS` - Default Value: None +### include_cluster_ingress_cert_chain +Optional. When set to `True`, includes the complete certificates chain in the generated MAS configuration, when a trusted certificate authority is found in your cluster's ingress. + +- Optional +- Environment Variable: `INCLUDE_CLUSTER_INGRESS_CERT_CHAIN` +- Default: `False` Example Playbook ---------------- 
diff --git a/ibm/mas_devops/roles/cos/defaults/main.yml b/ibm/mas_devops/roles/cos/defaults/main.yml index 628adf976..9aeee0d76 100644 --- a/ibm/mas_devops/roles/cos/defaults/main.yml +++ b/ibm/mas_devops/roles/cos/defaults/main.yml @@ -9,13 +9,12 @@ cos_service: "cloud-object-storage" mas_instance_id: "{{ lookup('env', 'MAS_INSTANCE_ID') }}" mas_config_dir: "{{ lookup('env', 'MAS_CONFIG_DIR') }}" - # OpenShift Container Storage Object Storage (ocs) # --------------------------------------------------------------------------------------------------------------------- - # IBM Cloud Object Storage (ibm) # --------------------------------------------------------------------------------------------------------------------- +ibmcos_include_isrg_root_cert: "{{ lookup('env', 'IBMCOS_INCLUDE_ISRG_ROOT_CERT') | default('true', true) | bool }}" # mainly needed for IBM Cloud hosted services ibmcloud_apikey: "{{ lookup('env', 'IBMCLOUD_APIKEY') }}" ibmcloud_resourcegroup: "{{ lookup('env', 'IBMCLOUD_RESOURCEGROUP') | default('Default', true) }}" ibmcos_resourcegroup: "{{ lookup('env', 'IBMCOS_RESOURCEGROUP') | default(ibmcloud_resourcegroup, true) }}" diff --git a/ibm/mas_devops/roles/cos/tasks/providers/ocs/provision.yml b/ibm/mas_devops/roles/cos/tasks/providers/ocs/provision.yml index ae1f978e1..b319773da 100644 --- a/ibm/mas_devops/roles/cos/tasks/providers/ocs/provision.yml +++ b/ibm/mas_devops/roles/cos/tasks/providers/ocs/provision.yml @@ -23,7 +23,6 @@ msg: - "OCS Cluster is available .... {{ ocsavailable }}" - # 2. Create the object store # ----------------------------------------------------------------------------- - name: "ocs/objectstorage : Create objectstore in OSC Cluster" @@ -32,7 +31,6 @@ apply: yes definition: "{{ lookup('template', 'templates/ocs/object.yaml') }}" - # 3. Create the object User # ----------------------------------------------------------------------------- - name: "ocs/objectstorage : Create objectstore User" 
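Review bot: The new default `ibmcos_include_isrg_root_cert` (environment variable `IBMCOS_INCLUDE_ISRG_ROOT_CERT`, default `true`) is not the variable that the cos README hunk in this patch documents, which is `include_cluster_ingress_cert_chain` / `INCLUDE_CLUSTER_INGRESS_CERT_CHAIN` with default `False`. As far as the visible hunks show, the documented variable is never read, while the one that decides whether the ISRG Root X1 certificate is added to the generated trust list is undocumented. Document `ibmcos_include_isrg_root_cert` in the README and replace the trailing comment with one that says what it does, for example `# append the ISRG Root X1 (Let's Encrypt) certificate to the generated certificates list`. dro/defaults/main.yml adds `dro_include_isrg_root_cert` with the same mismatch against the dro README.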
@@ -52,10 +50,9 @@ retries: 10 # Approximately 10 minutes before we give up delay: 60 # 1 minute - # 4. Set up the domain name for object storage route # ----------------------------------------------------------------------------- -- name: "ocs/objectstorage :Get cluster subdomain" +- name: "ocs/objectstorage : Get cluster subdomain" when: ocsavailable is defined and ocsavailable kubernetes.core.k8s_info: api_version: config.openshift.io/v1 @@ -63,12 +60,11 @@ name: cluster register: _cluster_subdomain -- name: "ocs/objectstorage :Configure domain" +- name: "ocs/objectstorage : Configure domain" when: ocsavailable is defined and ocsavailable set_fact: cos_domain: "rgw-openshift-storage.{{ _cluster_subdomain.resources[0].spec.domain }}" - # 5. Create route for cos # ----------------------------------------------------------------------------- - name: "ocs/objectstorage : Create objectstore route" @@ -77,10 +73,9 @@ apply: yes definition: "{{ lookup('template', 'templates/ocs/rgw.yaml') }}" - # 6. Query the object User crdential # ----------------------------------------------------------------------------- -- name: "ocs/objectstorage :Lookup if cos user secret is there" +- name: "ocs/objectstorage : Lookup if cos user secret is there" when: ocsavailable is defined and ocsavailable kubernetes.core.k8s_info: api_version: v1 @@ -89,7 +84,6 @@ namespace: "openshift-storage" register: objectuserSecret - # 7. Query the tls for object route # ----------------------------------------------------------------------------- - name: "ocs/objectstorage : Lookup the default cluster ingress secret" 
@@ -100,9 +94,16 @@ # is necessary :) - name: "ocs/objectstorage : Set COS cert variable" set_fact: - ocscos_certs: "{{ cluster_ingress_tls_crt | regex_findall('(-----BEGIN .+?-----(?s).+?-----END .+?-----)', multiline=True, ignorecase=True) }}" + ocscos_tls_crt: "{{ cluster_ingress_tls_crt }}" + +# Load uds_certs template to dynamically set as many uds certificates as identified +- set_fact: + ocscos_certs: "{{ lookup('ansible.builtin.template', 'templates/ocs/ocs-certs.yml.j2') }}" + when: + - ocscos_tls_crt is defined + - ocscos_tls_crt | length > 0 -- name: "ocs/objectstorage :Query cos secret based on existing secret/cm" +- name: "ocs/objectstorage : Query cos secret based on existing secret/cm" when: - ocsavailable is defined and ocsavailable - objectuserSecret.resources| length != 0 @@ -111,7 +112,6 @@ ocscos_username: "{{ objectuserSecret.resources[0]['data']['AccessKey']| b64decode }}" ocscos_password: "{{ objectuserSecret.resources[0]['data']['SecretKey']| b64decode }}" - # 8. Provide debug information and create coscfg.yml # ----------------------------------------------------------------------------- - name: "ocs/objectstorage : Debug information" @@ -127,7 +127,6 @@ fail: msg: "we didn't get the cos info here in ocs cluster." - # 9. Write ObjectStorageCfg to disk # ----------------------------------------------------------------------------- - name: "ocs/objectstorage : Copy objectstorageCfg to filesytem" @@ -139,4 +138,4 @@ ansible.builtin.template: src: ocs/objectstoragecfg.yml.j2 dest: "{{ mas_config_dir }}/cos-ocs-system.yml" - mode: '664' + mode: "664" diff --git a/ibm/mas_devops/roles/cos/templates/ocs/objectstoragecfg.yml.j2 b/ibm/mas_devops/roles/cos/templates/ocs/objectstoragecfg.yml.j2 index ae53ae55f..dc888f176 100644 --- a/ibm/mas_devops/roles/cos/templates/ocs/objectstoragecfg.yml.j2 +++ b/ibm/mas_devops/roles/cos/templates/ocs/objectstoragecfg.yml.j2 
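Review bot: `ocscos_tls_crt` is now assigned `cluster_ingress_tls_crt` as-is, and the new templates/ocs/ocs-certs.yml.j2 loops over it with `for crt in ocscos_tls_crt`; the `regex_findall` that used to split the PEM bundle into a list is gone. `cluster_ingress_tls_crt` is set outside this diff, so this may be fine, but if it is still a single PEM string the loop iterates character by character and writes one `alias` entry per character. Either keep the split here or state the expectation next to the assignment, e.g. `# cluster_ingress_tls_crt must be a list with one PEM block per certificate`. The new `set_fact` task also has no `name`, and its comment speaks of "uds certificates" although this is the COS role; dro/tasks/gencfg/main.yml makes the same change for `dro_tls_crt`.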
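Review bot: The last hunk only changes the quoting of `mode`, but the value itself deserves a look: `664` makes `{{ mas_config_dir }}/cos-ocs-system.yml` group-writable and readable by every local user. This task file reads `ocscos_username` and `ocscos_password` from the object-user secret a few tasks earlier; if the template writes them into the rendered config (its top part is not in this diff), `mode: "0600"` would be the safer default. gencfg_jdbc/tasks/main.yml writes `jdbc.yml` with the same mode.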
@@ -34,14 +34,12 @@ spec: url: "{{ ocscos_url }}" credentials: secretName: ocscos-credentials-system - certificates: - - alias: cospart1 - crt: | - {{ ocscos_certs[0] | indent(8) }} - - alias: cospart2 - crt: | - {{ ocscos_certs[1] | indent(8) }} - - alias: isrg-root-x1 # default root certificate used by Let's Encrypt +{% if ocscos_certs is defined and ocscos_certs | length > 0 %} + certificates: + {{ ocscos_certs | indent(width=4, first=False) }} +{%- endif %} +{% if ocscos_certs is defined and ocscos_certs | length > 0 and ibmcos_include_isrg_root_cert == true %} + - alias: isrgrootx1 # default root certificate used by Let's Encrypt crt: | -----BEGIN CERTIFICATE----- MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw @@ -74,3 +72,4 @@ spec: mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= -----END CERTIFICATE----- +{%- endif %} \ No newline at end of file diff --git a/ibm/mas_devops/roles/cos/templates/ocs/ocs-certs.yml.j2 b/ibm/mas_devops/roles/cos/templates/ocs/ocs-certs.yml.j2 new file mode 100644 index 000000000..fef88d242 --- /dev/null +++ b/ibm/mas_devops/roles/cos/templates/ocs/ocs-certs.yml.j2 @@ -0,0 +1,5 @@ +{% for crt in ocscos_tls_crt %} +- alias: "part{{ loop.index }}" + crt: | + {{ crt | indent(width=4, first=False) }} +{% endfor %} diff --git a/ibm/mas_devops/roles/db2/README.md b/ibm/mas_devops/roles/db2/README.md index 5deeb6ac8..dded26efe 100644 --- a/ibm/mas_devops/roles/db2/README.md +++ b/ibm/mas_devops/roles/db2/README.md 
@@ -75,7 +75,7 @@ Version of the DB2 engine to be used while creating/upgrading the DB2 instances. - Optional - Environment Variable: `DB2_VERSION` -- Default: The default db2 engine version will be automatically defined to the latest version supported by the installed DB2 operator if this is not set. The DB2 engine versions supported by the installed DB2 operator are stored in `db2u-license-keys` secret under `ibm-common-services` namespace. +- Default: The default db2 engine version will be automatically defined to the latest version supported by the installed DB2 operator if this is not set. The DB2 engine versions supported by the installed DB2 operator are stored in `db2u-release` configmap under `ibm-common-services` namespace. ### db2_4k_device_support Whether 4K device support is turned on or not. diff --git a/ibm/mas_devops/roles/db2/tasks/install/main.yml b/ibm/mas_devops/roles/db2/tasks/install/main.yml index 266d58111..aee04c25a 100644 --- a/ibm/mas_devops/roles/db2/tasks/install/main.yml +++ b/ibm/mas_devops/roles/db2/tasks/install/main.yml 
@@ -230,31 +230,32 @@ - db2_crd_info.resources | length > 0 # if db2_version is not set, then we define it based on the latest version supported by the db2u-license-keys secret +# Starting with s11.5.8.0-cn3, the 's' prefix is removed in db2u-license-keys, we are recommeded to use db2u-release configmap. - block: - - name: "Wait until the db2u-license-keys secret is available" + - name: "Wait until the db2u-release configmap is available" no_log: true kubernetes.core.k8s_info: api_version: v1 - name: db2u-license-keys + name: db2u-release namespace: "{{ ibm_common_services_namespace }}" - kind: Secret - register: db2_license_info + kind: ConfigMap + register: db2_release_info retries: 20 # ~approx 10 minutes before we give up waiting for the CRD to be created delay: 30 # seconds until: - - db2_license_info.resources is defined - - db2_license_info.resources | length > 0 - - db2_license_info.resources[0].data is defined - - db2_license_info.resources[0].data | length > 0 + - db2_release_info.resources is defined + - db2_release_info.resources | length > 0 + - db2_release_info.resources[0].data is defined + - db2_release_info.resources[0].data | length > 0 - - name: Set db2u-license-keys secret content + - name: Set db2u-release configmap content no_log: true set_fact: - db2_license_content: "{{ db2_license_info.resources[0].data.json | b64decode }}" + db2_releases_content: "{{ db2_release_info.resources[0].data.json }}" - name: Set db2 version ansible.builtin.set_fact: - db2_version: "{{ db2_license_content.db2wh | last }}" + db2_version: "{{ db2_releases_content.databases.db2u | last }}" when: db2_version is not defined or db2_version == "" diff --git a/ibm/mas_devops/roles/db2/tasks/upgrade/run-db2-instances-upgrade.yml b/ibm/mas_devops/roles/db2/tasks/upgrade/run-db2-instances-upgrade.yml index 3b6ebf3ff..8928793d7 100644 --- a/ibm/mas_devops/roles/db2/tasks/upgrade/run-db2-instances-upgrade.yml 
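Review bot: `db2_releases_content` is set from `db2_release_info.resources[0].data.json` with no parsing step, while the next task reads `db2_releases_content.databases.db2u`; a ConfigMap value is a string, so this only works if Ansible happens to convert the JSON text into a mapping during templating. Making that explicit is safer: `db2_releases_content: "{{ db2_release_info.resources[0].data.json | from_json }}"`. The comment above the block still says the version comes from "the db2u-license-keys secret" and the retry comment still mentions waiting for a CRD; both should name the `db2u-release` configmap. The identical hunk in db2/tasks/upgrade/run-db2-instances-upgrade.yml needs the same changes.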
+++ b/ibm/mas_devops/roles/db2/tasks/upgrade/run-db2-instances-upgrade.yml @@ -22,31 +22,32 @@ # 2. Determine if upgrade is needed and perform it # ----------------------------------------------------------------------------- # if db2_version is not set, then we define it based on the latest version supported by the db2u-license-keys secret +# Starting with s11.5.8.0-cn3, the 's' prefix is removed in db2u-license-keys, we are recommeded to use db2u-release configmap. - block: - - name: "Wait until the db2u-license-keys secret is available" + - name: "Wait until the db2u-release configmap is available" no_log: true kubernetes.core.k8s_info: api_version: v1 - name: db2u-license-keys + name: db2u-release namespace: "{{ ibm_common_services_namespace }}" - kind: Secret - register: db2_license_info + kind: ConfigMap + register: db2_release_info retries: 20 # ~approx 10 minutes before we give up waiting for the CRD to be created delay: 30 # seconds until: - - db2_license_info.resources is defined - - db2_license_info.resources | length > 0 - - db2_license_info.resources[0].data is defined - - db2_license_info.resources[0].data | length > 0 + - db2_release_info.resources is defined + - db2_release_info.resources | length > 0 + - db2_release_info.resources[0].data is defined + - db2_release_info.resources[0].data | length > 0 - - name: Set db2u-license-keys secret content + - name: Set db2u-release configmap content no_log: true set_fact: - db2_license_content: "{{ db2_license_info.resources[0].data.json | b64decode }}" + db2_releases_content: "{{ db2_release_info.resources[0].data.json }}" - name: Set db2 version ansible.builtin.set_fact: - db2_version: "{{ db2_license_content.db2wh | last }}" + db2_version: "{{ db2_releases_content.databases.db2u | last }}" when: db2_version is not defined or db2_version == "" diff --git a/ibm/mas_devops/roles/dro/README.md b/ibm/mas_devops/roles/dro/README.md index 5b4567d71..ef3d07838 100644 --- a/ibm/mas_devops/roles/dro/README.md 
+++ b/ibm/mas_devops/roles/dro/README.md @@ -37,7 +37,7 @@ Provide particular StartingCSV version of DRO. Default value is picked from Stab - Default Value: None ### dro_storage_class -Default Storage class. Set this variable if there's no storage class with default annotation. +Required. Storage class where DRO will be installed. MAS ansible playbooks will automatically try to determine a rwo (Read Write Once) storage class from a cluster if DRO_STORAGE_CLASS is not supplied. If a cluster is setup with a customize storage solution, please provide a valid rwo storage class name using DRO_STORAGE_CLASS - Optional - Environment Variable: `DRO_STORAGE_CLASS` @@ -96,10 +96,42 @@ For examples refer to the [BestEfforts reference configuration in the MAS CLI](h - Environment Variable: `MAS_POD_TEMPLATES_DIR` - Default: None +### include_cluster_ingress_cert_chain +Optional. When set to `True`, includes the complete certificates chain in the generated MAS configuration, when a trusted certificate authority is found in your cluster's ingress. + +- Optional +- Environment Variable: `INCLUDE_CLUSTER_INGRESS_CERT_CHAIN` +- Default: `False` + Example Playbook ------------------------------------------------------------------------------- ### Install in-cluster and generate MAS configuration + +To install DRO +``` +export IBM_ENTITLEMENT_KEY= +export DRO_CONTACT_EMAIL=xxx@xxx.com +export DRO_CONTACT_FIRSTNAME=xxx +export DRO_CONTACT_LASTNAME=xxx +export DRO_ACTION=install-dro +export MAS_CONFIG_DIR= +export MAS_INSTANCE_ID= +export DRO_STORAGE_CLASS= +export ROLE_NAME='dro' + +ansible-playbook playbooks/run_role.yml +``` + +To uninstall DRO +``` +export DRO_ACTION=uninstall +export ROLE_NAME='dro' + +ansible-playbook playbooks/run_role.yml + +``` + ```yaml - hosts: localhost any_errors_fatal: true diff --git a/ibm/mas_devops/roles/dro/defaults/main.yml b/ibm/mas_devops/roles/dro/defaults/main.yml index 3c0559c4b..f79d14d4d 100644 --- a/ibm/mas_devops/roles/dro/defaults/main.yml 
+++ b/ibm/mas_devops/roles/dro/defaults/main.yml @@ -6,7 +6,6 @@ dro_version: "{{ lookup('env', 'DRO_VERSION') | default('', true) }}" # ----------------------------------------------------------------------------- dro_storage_class: "{{ lookup('env', 'DRO_STORAGE_CLASS') }}" - # BASCfg generation for DRO # ----------------------------------------------------------------------------- dro_contact: @@ -15,6 +14,7 @@ dro_contact: last_name: "{{ lookup('env', 'DRO_CONTACT_LASTNAME') }}" ibm_entitlement_key: "{{ lookup('env', 'IBM_ENTITLEMENT_KEY') }}" +dro_include_isrg_root_cert: "{{ lookup('env', 'DRO_INCLUDE_ISRG_ROOT_CERT') | default('true', true) | bool }}" # mainly needed for IBM Cloud hosted services # Custom Labels # ----------------------------------------------------------------------------- diff --git a/ibm/mas_devops/roles/dro/tasks/gencfg/main.yml b/ibm/mas_devops/roles/dro/tasks/gencfg/main.yml index caab8f3a9..522501964 100644 --- a/ibm/mas_devops/roles/dro/tasks/gencfg/main.yml +++ b/ibm/mas_devops/roles/dro/tasks/gencfg/main.yml @@ -73,7 +73,15 @@ # Break up the certificate into an array - name: "udscfg : Set UDS cert variable" set_fact: - dro_tls_crt: "{{ cluster_ingress_tls_crt | regex_findall('(?s)(-----BEGIN .+?-----.+?-----END .+?-----)', multiline=True, ignorecase=True) }}" + dro_tls_crt: "{{ cluster_ingress_tls_crt }}" + no_log: true + +# Load uds_certs template to dynamically set as many uds certificates as identified +- set_fact: + dro_certs: "{{ lookup('ansible.builtin.template', 'templates/dro-certs.yml.j2') }}" + when: + - dro_tls_crt is defined + - dro_tls_crt | length > 0 - name: "gencfg : Fail if dro_tls_crt has not been provided" assert: diff --git a/ibm/mas_devops/roles/dro/tasks/install-dro/determine-storage-classes.yml b/ibm/mas_devops/roles/dro/tasks/install-dro/determine-storage-classes.yml index 64a3dc785..ff34ad7be 100644 --- a/ibm/mas_devops/roles/dro/tasks/install-dro/determine-storage-classes.yml 
+++ b/ibm/mas_devops/roles/dro/tasks/install-dro/determine-storage-classes.yml @@ -7,7 +7,7 @@ - name: "Load default storage class information" include_vars: "{{ role_path }}/../../common_vars/default_storage_classes.yml" -- name: Lookup storage dro +- name: Lookup storage classes kubernetes.core.k8s_info: api_version: storage.k8s.io/v1 kind: StorageClass @@ -28,7 +28,7 @@ - name: Assert that storage class has been defined assert: that: dro_storage_class is defined and dro_storage_class != "" - fail_msg: "dro_storage_class must be defined" + fail_msg: "Unable to auto determine dro_storage_class" # 3. Debug storage class configuration @@ -36,17 +36,4 @@ - name: "Debug DRO storage class configuration" debug: msg: - - "Storage class (dro) .................... {{ dro_storage_class }}" - -# 3. Check if storage class have default annotation -# ----------------------------------------------------------------------------- -- name: add default annotation to DRO storageclass - kubernetes.core.k8s: - state: patched - api_version: storage.k8s.io/v1 - kind: StorageClass - name: "{{ dro_storage_class }}" - definition: - metadata: - annotations: - storageclass.kubernetes.io/is-default-class: 'true' + - "Auto Detected Storage class for DRO .................... {{ dro_storage_class }}" diff --git a/ibm/mas_devops/roles/dro/tasks/install-dro/main.yml b/ibm/mas_devops/roles/dro/tasks/install-dro/main.yml index 7876cfccc..4cc8af4c1 100644 --- a/ibm/mas_devops/roles/dro/tasks/install-dro/main.yml +++ b/ibm/mas_devops/roles/dro/tasks/install-dro/main.yml 
@@ -5,11 +5,6 @@ - name: "Determine whether this is an airgap environment" include_tasks: "{{ role_path }}/../../common_tasks/detect_airgap.yml" - -# 2. Load default storage class (if not provided by the user) -# ----------------------------------------------------------------------------- -- include_tasks: tasks/install-dro/determine-storage-classes.yml - # 3. Display DRO deployment details # ----------------------------------------------------------------------------- - name: "DRO Deployment details" @@ -29,7 +24,7 @@ # ----------------------------------------------------------------------------- # Check redhat-marketplace operator exists -# ----------------------------------------------------------------------------- +# --------------------------------------g--------------------------------------- - name: Check if operator group is present in redhat-marketplace already kubernetes.core.k8s_info: namespace: redhat-marketplace @@ -40,6 +35,22 @@ kubernetes.core.k8s: definition: "{{ lookup('template', 'templates/operatorgroup.yml.j2') }}" +# Create a PVC using the Chosen Storage Class +# ---------------------------------------------------------------------------- +- name: "Debug User Provided DRO Storage Class" + debug: + msg: + - "User Provided DRO Storage Class Name..................... {{ dro_storage_class }}" + when: dro_storage_class is defined and (dro_storage_class | length > 0) + +- name: Determine Storage Class + include_tasks: tasks/install-dro/determine-storage-classes.yml + when: dro_storage_class is not defined or dro_storage_class == "" + +- name: Create DRO PVC + kubernetes.core.k8s: + definition: "{{ lookup('template', 'templates/dro-pvc.yml.j2') }}" + # Create Marketplace Pull Secret - name: Get marketplace secret kubernetes.core.k8s_info: diff --git a/ibm/mas_devops/roles/dro/tasks/main.yml b/ibm/mas_devops/roles/dro/tasks/main.yml index e0ad4547a..dec2e455f 100644 --- a/ibm/mas_devops/roles/dro/tasks/main.yml 
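Review bot: The separator comment under "Check redhat-marketplace operator exists" gained a stray `g` in the middle of the dashes, which looks like an accidental keystroke; restore the plain dashed line. The step comments are also no longer numbered consistently: step 2 is removed while "# 3. Display DRO deployment details" keeps its number, and the new "Create a PVC using the Chosen Storage Class" block has none.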
+++ b/ibm/mas_devops/roles/dro/tasks/main.yml @@ -7,12 +7,17 @@ # If the user has provided dro_endpoint_url then it means they don't want to install # DRO locally, but instead just generate a BASCfg for the instance defined by # the input variables +- name: Assert DRO_ACTION values + assert: + that: dro_action in ["install", "install-dro", "uninstall"] + fail_msg: "Incorrect value set for DRO_ACTION" + when: dro_action is defined and (dro_action | length > 0) + - include_tasks: "tasks/{{ dro_action }}/main.yml" when: - dro_action in ["install-dro", "uninstall"] - dro_endpoint_url is not defined or dro_endpoint_url == "" - # 2. Generate the DRO configuration for MAS # ----------------------------------------------------------------------------- - include_tasks: tasks/gencfg/main.yml diff --git a/ibm/mas_devops/roles/dro/tasks/uninstall/main.yml b/ibm/mas_devops/roles/dro/tasks/uninstall/main.yml index 6b6d3042d..ebd9e3200 100644 --- a/ibm/mas_devops/roles/dro/tasks/uninstall/main.yml +++ b/ibm/mas_devops/roles/dro/tasks/uninstall/main.yml @@ -151,3 +151,28 @@ kind: Secret namespace: redhat-marketplace name: ibm-data-reporter-operator-api-token + +# Delete PVC's +- name: "uninstall : Delete the Data service PVC 0" + kubernetes.core.k8s: + state: absent + api_version: v1 + kind: PersistentVolumeClaim + namespace: redhat-marketplace + name: rhm-data-service-rhm-data-service-0 + +- name: "uninstall : Delete the Data service PVC 1" + kubernetes.core.k8s: + state: absent + api_version: v1 + kind: PersistentVolumeClaim + namespace: redhat-marketplace + name: rhm-data-service-rhm-data-service-1 + +- name: "uninstall : Delete the Data service PVC 2" + kubernetes.core.k8s: + state: absent + api_version: v1 + kind: PersistentVolumeClaim + namespace: redhat-marketplace + name: rhm-data-service-rhm-data-service-2 diff --git a/ibm/mas_devops/roles/dro/templates/bascfg.yml.j2 b/ibm/mas_devops/roles/dro/templates/bascfg.yml.j2 index 6ccef2f74..5bbef198b 100644 
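Review bot: The new assert accepts `install` as a `dro_action`, but the `include_tasks` right below it only runs for `install-dro` and `uninstall`, so with `DRO_ACTION=install` the check passes and no install task file is included. If `install` is a supported value handled elsewhere, a comment on the assert should say so; otherwise drop it from the list: `that: dro_action in ["install-dro", "uninstall"]`. The `fail_msg` could also list the accepted values so the user does not have to read the task file.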
--- a/ibm/mas_devops/roles/dro/templates/bascfg.yml.j2 +++ b/ibm/mas_devops/roles/dro/templates/bascfg.yml.j2 @@ -37,16 +37,12 @@ spec: lastName: "{{ dro_contact.last_name }}" credentials: secretName: dro-apikey - certificates: - - alias: part1 - crt: | - {{ dro_tls_crt[0] | indent(8) }} -{% if dro_tls_crt | length > 1 %} - - alias: part2 - crt: | - {{ dro_tls_crt[1] | indent(8) }} -{% endif %} - - alias: isrg-root-x1 # default root certificate used by Let's Encrypt +{% if dro_certs is defined and dro_certs | length > 0 %} + certificates: + {{ dro_certs | indent(width=4, first=False) }} +{%- endif %} +{% if dro_certs is defined and dro_certs | length > 0 and dro_include_isrg_root_cert == true %} + - alias: isrgrootx1 # default root certificate used by Let's Encrypt crt: | -----BEGIN CERTIFICATE----- MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw @@ -79,6 +75,7 @@ spec: mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= -----END CERTIFICATE----- +{% endif %} {% if ibm_mas_bascfg_pod_templates is defined %} podTemplates: {{ ibm_mas_bascfg_pod_templates }} {% endif %} diff --git a/ibm/mas_devops/roles/dro/templates/dro-certs.yml.j2 b/ibm/mas_devops/roles/dro/templates/dro-certs.yml.j2 new file mode 100644 index 000000000..40acbae59 --- /dev/null +++ b/ibm/mas_devops/roles/dro/templates/dro-certs.yml.j2 @@ -0,0 +1,5 @@ +{% for crt in dro_tls_crt %} +- alias: "part{{ loop.index }}" + crt: | + {{ crt | indent(width=4, first=False) }} +{% endfor %} diff --git a/ibm/mas_devops/roles/dro/templates/dro-pvc.yml.j2 b/ibm/mas_devops/roles/dro/templates/dro-pvc.yml.j2 new file mode 100644 index 000000000..a7e522b49 --- /dev/null +++ b/ibm/mas_devops/roles/dro/templates/dro-pvc.yml.j2 
@@ -0,0 +1,44 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app: rhm-data-service + name: rhm-data-service-rhm-data-service-0 + namespace: redhat-marketplace +spec: + storageClassName: {{ dro_storage_class }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app: rhm-data-service + name: rhm-data-service-rhm-data-service-1 + namespace: redhat-marketplace +spec: + storageClassName: {{ dro_storage_class }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app: rhm-data-service + name: rhm-data-service-rhm-data-service-2 + namespace: redhat-marketplace +spec: + storageClassName: {{ dro_storage_class }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi \ No newline at end of file diff --git a/ibm/mas_devops/roles/gencfg_jdbc/tasks/main.yml b/ibm/mas_devops/roles/gencfg_jdbc/tasks/main.yml index 80f79e725..9b73ad96e 100644 --- a/ibm/mas_devops/roles/gencfg_jdbc/tasks/main.yml +++ b/ibm/mas_devops/roles/gencfg_jdbc/tasks/main.yml @@ -1,5 +1,4 @@ --- - # 1. Check for undefined properties that do not have a default # ----------------------------------------------------------------------------- - name: "Fail if mas_instance_id is not provided" @@ -39,7 +38,6 @@ fail_msg: "db_pem_file property is required" when: ssl_enabled == true - # 2. Provide debug information # ----------------------------------------------------------------------------- - name: "Configure namespace" @@ -68,7 +66,7 @@ - mas_config_dir is defined - mas_config_dir != "" template: src=vars/jdbccfg/{{ mas_config_scope }}.yml.j2 - dest=/tmp/{{ mas_config_scope }}.yml + dest=/tmp/{{ mas_config_scope }}.yml # 4. Load JDBCCfg yml definition # ----------------------------------------------------------------------------- 
@@ -83,11 +81,19 @@ # 5. Read file information # ----------------------------------------------------------------------------- - name: Read DB Certificate file - set_fact: - db_pem: "{{ lookup('file', db_pem_file) }}" when: - db_pem_file is defined - ssl_enabled == true + set_fact: + jdbc_tls_crt: "{{ lookup('file', db_pem_file) | regex_findall('(-----BEGIN .+?-----(?s).+?-----END .+?-----)', multiline=True, ignorecase=True) }}" + no_log: true + +# Load jdbc_certs template to dynamically set as many jdbc certificates as identified +- set_fact: + jdbc_certs: "{{ lookup('ansible.builtin.template', 'templates/jdbc-certs.yml.j2') }}" + when: + - jdbc_tls_crt is defined + - jdbc_tls_crt | length > 0 # 6. Generate JDBCcfg for MAS configuration # ----------------------------------------------------------------------------- @@ -98,4 +104,4 @@ ansible.builtin.template: src: jdbccfg.yml.j2 dest: "{{ mas_config_dir }}/jdbc.yml" - mode: '664' + mode: "664" diff --git a/ibm/mas_devops/roles/gencfg_jdbc/templates/jdbc-certs.yml.j2 b/ibm/mas_devops/roles/gencfg_jdbc/templates/jdbc-certs.yml.j2 new file mode 100644 index 000000000..4588c68e1 --- /dev/null +++ b/ibm/mas_devops/roles/gencfg_jdbc/templates/jdbc-certs.yml.j2 @@ -0,0 +1,5 @@ +{% for crt in jdbc_tls_crt %} +- alias: "part{{ loop.index }}" + crt: | + {{ crt | indent(width=4, first=False) }} +{% endfor %} diff --git a/ibm/mas_devops/roles/gencfg_jdbc/templates/jdbccfg.yml.j2 b/ibm/mas_devops/roles/gencfg_jdbc/templates/jdbccfg.yml.j2 index 8f3fa42e2..f1f21dbf1 100644 --- a/ibm/mas_devops/roles/gencfg_jdbc/templates/jdbccfg.yml.j2 +++ b/ibm/mas_devops/roles/gencfg_jdbc/templates/jdbccfg.yml.j2 
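Review bot: The pattern passed to `regex_findall` puts the inline flag `(?s)` in the middle of the expression; Python 3.11 and later reject a global flag that is not at the start, so this task fails on controllers running those versions. Move it to the front, as the line removed from dro/tasks/gencfg/main.yml had it: `regex_findall('(?s)(-----BEGIN .+?-----.+?-----END .+?-----)', multiline=True, ignorecase=True)`. The same pattern is added in gencfg_mongo/tasks/main.yml. Separately, when `ssl_enabled` is true but the file yields no PEM block, `jdbc_certs` stays unset and jdbccfg.yml.j2 now drops `certificates:` without any error; an `assert` on `jdbc_tls_crt | length > 0` after this task would make that case fail loudly.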
@@ -32,10 +32,7 @@ spec: {% endif %} credentials: secretName: "jdbc-{{ db_instance_id | lower }}-credentials" -{% if ssl_enabled | bool %} +{% if ssl_enabled | bool and jdbc_certs is defined and jdbc_certs | length > 0 %} certificates: - - alias: "{{ db_instance_id | lower }}" - crt: | - {{ db_pem | indent(8) }} -{% endif %} - + {{ jdbc_certs | indent(width=4, first=False) }} +{%- endif %} diff --git a/ibm/mas_devops/roles/gencfg_mongo/tasks/main.yml b/ibm/mas_devops/roles/gencfg_mongo/tasks/main.yml index 6b3936454..50a0141a9 100644 --- a/ibm/mas_devops/roles/gencfg_mongo/tasks/main.yml +++ b/ibm/mas_devops/roles/gencfg_mongo/tasks/main.yml @@ -66,11 +66,16 @@ # 5. Read file information # ----------------------------------------------------------------------------- -- name: Read Mongo CA PEM file +- name: Read Mongo Certificate file + when: mongodb_ca_pem_local_file set_fact: - mongo_ca_pem: "{{ lookup('file', mongodb_ca_pem_local_file) }}" - when: - - mongodb_ca_pem_local_file is defined + mongo_tls_crt: "{{ lookup('file', mongodb_ca_pem_local_file) | regex_findall('(-----BEGIN .+?-----(?s).+?-----END .+?-----)', multiline=True, ignorecase=True) }}" + no_log: true + +# Load mongo_certs template to dynamically set as many mongo certificates as identified +- set_fact: + mongo_certs: "{{ lookup('ansible.builtin.template', 'templates/mongo-certs.yml.j2') }}" + when: mongo_tls_crt | length > 0 - name: "Create MAS MongoCfg" when: diff --git a/ibm/mas_devops/roles/gencfg_mongo/templates/mongo-certs.yml.j2 b/ibm/mas_devops/roles/gencfg_mongo/templates/mongo-certs.yml.j2 new file mode 100644 index 000000000..01c2863d6 --- /dev/null +++ b/ibm/mas_devops/roles/gencfg_mongo/templates/mongo-certs.yml.j2 @@ -0,0 +1,5 @@ +{% for crt in mongo_tls_crt %} +- alias: "part{{ loop.index }}" + crt: | + {{ crt | indent(width=4, first=False) }} +{% endfor %} 
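Review bot: With the new guard `{% if ssl_enabled | bool and jdbc_certs is defined and jdbc_certs | length > 0 %}`, a run that has `ssl_enabled` true but whose PEM file yields no matching block renders a JdbcCfg without any `certificates:` section and without an error, where the old template always embedded `db_pem`. A truncated or wrongly encoded file would then go unnoticed until the database connection is attempted; how the consumer treats a missing list is not visible here. I would fail early with an assert before the template task in tasks/main.yml, for example `that: not (ssl_enabled | bool) or (jdbc_tls_crt | default([]) | length > 0)` with a clear `fail_msg`. suite_mongocfg.yml.j2 makes its `certificates:` block optional in the same way and would benefit from the same check on `mongo_tls_crt`.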
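Review bot: The second new task in gencfg_mongo/tasks/main.yml is guarded only by `when: mongo_tls_crt | length > 0`, but `mongo_tls_crt` is set only when the preceding task runs, so a skipped read leaves the variable undefined and the `length` filter errors instead of skipping. The JDBC role's equivalent task tests `jdbc_tls_crt is defined` first; the same here, `when: mongo_tls_crt is defined and mongo_tls_crt | length > 0`, keeps the two roles consistent. The first task's condition also changed from `mongodb_ca_pem_local_file is defined` to a bare truthiness test, which fails on an undefined variable unless the role defaults always set it (not visible in this hunk).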
diff --git a/ibm/mas_devops/roles/gencfg_mongo/templates/suite_mongocfg.yml.j2 b/ibm/mas_devops/roles/gencfg_mongo/templates/suite_mongocfg.yml.j2 index 60de2e07c..ef28688eb 100644 --- a/ibm/mas_devops/roles/gencfg_mongo/templates/suite_mongocfg.yml.j2 +++ b/ibm/mas_devops/roles/gencfg_mongo/templates/suite_mongocfg.yml.j2 @@ -41,7 +41,7 @@ spec: secretName: mongodb-{{mas_instance_id|lower}}-admin hosts: {{ mongodb_hosts | indent(6) }} - certificates: - - alias: ca - crt: | - {{ mongo_ca_pem | indent(8) }} +{%- if mongo_certs is defined and mongo_certs | length > 0 %} + certificates: + {{ mongo_certs | indent(width=6, first=False) }} +{%- endif %} \ No newline at end of file diff --git a/ibm/mas_devops/roles/kafka/tasks/provider/redhat/run-kafka-instances-upgrade.yml b/ibm/mas_devops/roles/kafka/tasks/provider/redhat/run-kafka-instances-upgrade.yml index a4925bb74..e2a79c5e3 100644 --- a/ibm/mas_devops/roles/kafka/tasks/provider/redhat/run-kafka-instances-upgrade.yml +++ b/ibm/mas_devops/roles/kafka/tasks/provider/redhat/run-kafka-instances-upgrade.yml @@ -51,7 +51,7 @@ - "Catalog source ....................... {{ kafka_source }}" - "Catalog source namespace .............. {{ kafka_source_namespace }}" - "Current Kafka Version ................. {{ kafka_current_version }}" - - "Target Kafka Version .................. {{ kafka_version }} " + - "Target Kafka Version .................. {{ kafka_version }}" # 4. Determine if upgrade is needed and perform it # ----------------------------------------------------------------------------- diff --git a/ibm/mas_devops/roles/mirror_case_prepare/tasks/prepare-released.yml b/ibm/mas_devops/roles/mirror_case_prepare/tasks/prepare-released.yml index 6404462c8..c320cfdb3 100644 --- a/ibm/mas_devops/roles/mirror_case_prepare/tasks/prepare-released.yml +++ b/ibm/mas_devops/roles/mirror_case_prepare/tasks/prepare-released.yml 
@@ -1,5 +1,4 @@ --- - # 1. Check for required software # ----------------------------------------------------------------------------- - name: "{{ case_name }} : Test if ibm-pak is installed" @@ -12,7 +11,6 @@ that: ( ibmpak_version_result['rc'] == 0 ) fail_msg: "ibm-pak tool must be installed." - # 2. Debug # ----------------------------------------------------------------------------- @@ -34,7 +32,6 @@ - "Skip Dependencies ...................... {{ ibmpak_skip_dependencies }}" - "IBM Pak Flags .......................... {{ ibmpak_flag_insecure }} {{ ibmpak_flag_skip_verify }} {{ ibmpak_flag_skip_dependencies }}" - # 3. Get the CASE bundle # ----------------------------------------------------------------------------- - name: "{{ case_name }} : Get the CASE bundle" @@ -49,7 +46,6 @@ set_fact: case_version: "8.7.0+20230925.114420" - # 4. Remove excluded images # ----------------------------------------------------------------------------- # Some CASE bundles define images that we don't want to mirror, so delete the excluded image files. 
@@ -64,17 +60,29 @@ register: excludeImagesResult loop: "{{ exclude_images }}" - # 5. Generate mirror-manifest # ----------------------------------------------------------------------------- -- name: "{{ case_name }} : Generate the mirror manifest from the CASE bundle (direct)" - shell: oc ibm-pak generate mirror-manifests {{ case_name }} {{ registry_public_url }} --version {{ case_version }} - register: ibmpak_gen1_result - -- name: "{{ case_name }} : Generate the mirror manifest from the CASE bundle (indirect)" - shell: oc ibm-pak generate mirror-manifests {{ case_name }} file:// --version {{ case_version }} --final-registry {{ registry_public_url }} - register: ibmpak_gen2_result - +- name: Generate mirror-manifest with image group filter + block: + - name: "{{ case_name }} : Generate the mirror manifest from the CASE bundle (direct)" + shell: "oc ibm-pak generate mirror-manifests {{ case_name }} {{ registry_public_url }} --version {{ case_version }} --filter {{ image_group_filter }}" + register: ibmpak_gen1_result + + - name: "{{ case_name }} : Generate the mirror manifest from the CASE bundle (indirect)" + shell: "oc ibm-pak generate mirror-manifests {{ case_name }} file:// --version {{ case_version }} --final-registry {{ registry_public_url }} --filter {{ image_group_filter }}" + register: ibmpak_gen2_result + when: image_group_filter is defined + +- name: Generate mirror-manifest without image group filter + block: + - name: "{{ case_name }} : Generate the mirror manifest from the CASE bundle (direct)" + shell: "oc ibm-pak generate mirror-manifests {{ case_name }} {{ registry_public_url }} --version {{ case_version }}" + register: ibmpak_gen1_result + + - name: "{{ case_name }} : Generate the mirror manifest from the CASE bundle (indirect)" + shell: "oc ibm-pak generate mirror-manifests {{ case_name }} file:// --version {{ case_version }} --final-registry {{ registry_public_url }}" + register: ibmpak_gen2_result + when: image_group_filter is not defined # 6. 
Collect generated files # ----------------------------------------------------------------------------- @@ -93,7 +101,6 @@ path: "{{ mirror_working_dir }}/manifests/from-filesystem" state: directory - # 7. Save the manifests to our working directory # ----------------------------------------------------------------------------- # Team messed up the release and the version we will get back is 8.7.0+20230925.114420 rather than 8.7.0 @@ -127,7 +134,6 @@ src: ~/.ibm-pak/data/mirror/{{ case_name }}/{{ case_version }}/images-mapping.txt dest: "{{ mirror_working_dir }}/manifests/direct/{{ case_name }}_{{ _manifest_version }}.txt" - # 7. IBM SLS 3.5.0 Bad Digest Hack # ----------------------------------------------------------------------------- # The SLS CASE bundle for 3.5.0 has the wrong image digest in it ... not really sure why TBH @@ -135,7 +141,6 @@ when: case_name == "ibm-sls" and case_version == "3.5.0" include_tasks: "tasks/sls-350-fix.yml" - # 8. IBM UDS Entitled Image Hacks # ----------------------------------------------------------------------------- # The UDS CASE bundle includes one entitled image - cp/uds/uds-submodule:2.0.8 @@ -153,7 +158,6 @@ when: case_name == "ibm-uds" and case_version == "2.0.10" include_tasks: "tasks/uds-2010-fix.yml" - # 9. IBM Maximo IoT Hacks # ----------------------------------------------------------------------------- # The IoT CASE bundle for 8.6.0 has an incorrect image digest in it diff --git a/ibm/mas_devops/roles/mirror_extras_prepare/vars/amlen_1.0.2.yml b/ibm/mas_devops/roles/mirror_extras_prepare/vars/amlen_1.0.2.yml new file mode 100644 index 000000000..915f7aab1 --- /dev/null +++ b/ibm/mas_devops/roles/mirror_extras_prepare/vars/amlen_1.0.2.yml 
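Review bot: In the "5. Generate mirror-manifest" hunk of prepare-released.yml both blocks register the same names (`ibmpak_gen1_result`, `ibmpak_gen2_result`), and Ansible still writes a registered variable when a task is skipped, so when `image_group_filter` is defined the skipped tasks of the second block replace the real results with a skipped-task record. Whether anything reads those results later is outside this hunk. `image_group_filter` is also interpolated into a `shell:` string unquoted, so a value containing spaces or shell metacharacters changes the command that runs. A single pair of tasks whose command ends with `{{ ('--filter ' ~ (image_group_filter | quote)) if image_group_filter is defined else '' }}` covers both cases without the duplicate registration.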
@@ -0,0 +1,11 @@
+---
+extra_images:
+ - name: amlen/operator-bundle
+ registry: quay.io
+ digest: sha256:5b850a46f4c00458efae2dafdad292fcd20312279324110aef65aec92bb9807e
+ tag: 1.0.2
+
+ - name: amlen/operator
+ registry: quay.io
+ digest: sha256:1c65cc6211019f35364552f4ed331cbec45425e4f21e737eda7dfc88d453057e
+ tag: 1.0.2
diff --git a/ibm/mas_devops/roles/mirror_extras_prepare/vars/db2u_1.0.3.yml b/ibm/mas_devops/roles/mirror_extras_prepare/vars/db2u_1.0.3.yml
new file mode 100644
index 000000000..2d098ced3
--- /dev/null
+++ b/ibm/mas_devops/roles/mirror_extras_prepare/vars/db2u_1.0.3.yml
@@ -0,0 +1,31 @@
+---
+extra_images:
+ - name: cp/cpd/norootsquash
+ registry: cp.icr.io
+ digest: sha256:5dbe9310d15cbe452f6099017defd411eeb6eebb2fecea5d99463227e2518574
+ tag: 3.0-amd64
+
+ - name: db2u/db2u.auxiliary.auth
+ registry: icr.io
+ digest: sha256:6cbd1214c5368a0cb3e3a8a8795456ee9e9ad590b7ac9c90499bad708873dea1
+ tag: s11.5.8.0-cn3-28-amd64
+
+ - name: db2u/db2u.instdb
+ registry: icr.io
+ digest: sha256:30e4c813edd70191a76849725685d762f86db69a41b356a0d72bf9c701f464c6
+ tag: s11.5.8.0-cn3-28-amd64
+
+ - name: db2u/etcd
+ registry: icr.io
+ digest: sha256:e4b9a4de3c8812eb76772f5bb8024ace07afaa90b885470c6235f8c0d20ba0cf
+ tag: 3.4.14-28-amd64
+
+ - name: db2u/db2u.tools
+ registry: icr.io
+ digest: sha256:4227b96a791cddb001a9555d75b1936c96e8793f12479e8b147cc254351f9b68
+ tag: s11.5.8.0-cn3-28-amd64
+
+ - name: db2u/db2u
+ registry: icr.io
+ digest: sha256:4d451bde704bfc33783129a60d4ef4b07033325c9ed34e528436ae4d5ff9f582
+ tag: s11.5.8.0-cn3-28-amd64
diff --git a/ibm/mas_devops/roles/mirror_extras_prepare/vars/mongoce_5.0.23.yml b/ibm/mas_devops/roles/mirror_extras_prepare/vars/mongoce_5.0.23.yml
new file mode 100644
index 000000000..ad976973a
--- /dev/null
+++ b/ibm/mas_devops/roles/mirror_extras_prepare/vars/mongoce_5.0.23.yml
@@ -0,0 +1,26 @@
+---
+extra_images:
+ - name: mongodb/mongodb-kubernetes-operator
+ registry: quay.io
+ tag: 0.8.3
+ digest: sha256:9ef7a689b7f2789b436458a6d5f361ffcb4e182daa6c33d79687e87f268c7761 # 0.8.3-b20231215T000000Z
+
+ - name: mongodb/mongodb-kubernetes-operator-version-upgrade-post-start-hook
+ registry: quay.io
+ tag: 1.0.8
+ digest: sha256:641ecd0798cd5b49a060df50ad60dc75d964430d6cf9b3d3e91ebc9b19a67a34 # 1.0.8-b20231215T000000Z
+
+ - name: mongodb/mongodb-agent
+ registry: quay.io
+ tag: 12.0.25.7724-1
+ digest: sha256:ae9a33c87fc623985b26140ed93bb2ea510fd3682279ea50770f9c4d47b20b2c # 12.0.25.7724-1
+
+ - name: mongodb/mongodb-kubernetes-readinessprobe
+ registry: quay.io
+ tag: 1.0.17
+ digest: sha256:99013fbeb1dccde1f4995adba188b95ce14b336d587730146d3695cb175fcf03 # 1.0.17-b20231215T000000Z
+
+ - name: ibmmas/mongo
+ registry: quay.io
+ tag: 5.0.23
+ digest: sha256:2d91d0b38b28660e068a77fea8bc51cfdd97e2b8c236c5eeaacdfa50fa798231 # quay.io/mongodb/mongodb-community-server:5.0.23-ubi8-20231214T080737Z
diff --git a/ibm/mas_devops/roles/mirror_extras_prepare/vars/mongoce_6.0.12.yml b/ibm/mas_devops/roles/mirror_extras_prepare/vars/mongoce_6.0.12.yml
new file mode 100644
index 000000000..be87e169e
--- /dev/null
+++ b/ibm/mas_devops/roles/mirror_extras_prepare/vars/mongoce_6.0.12.yml
@@ -0,0 +1,26 @@
+---
+extra_images:
+ - name: mongodb/mongodb-kubernetes-operator
+ registry: quay.io
+ tag: 0.8.3
+ digest: sha256:9ef7a689b7f2789b436458a6d5f361ffcb4e182daa6c33d79687e87f268c7761 # 0.8.3-b20231215T000000Z
+
+ - name: mongodb/mongodb-kubernetes-operator-version-upgrade-post-start-hook
+ registry: quay.io
+ tag: 1.0.8
+ digest: sha256:641ecd0798cd5b49a060df50ad60dc75d964430d6cf9b3d3e91ebc9b19a67a34 # 1.0.8-b20231215T000000Z
+
+ - name: mongodb/mongodb-agent
+ registry: quay.io
+ tag: 12.0.25.7724-1
+ digest: sha256:ae9a33c87fc623985b26140ed93bb2ea510fd3682279ea50770f9c4d47b20b2c # 12.0.25.7724-1
+
+ - name: mongodb/mongodb-kubernetes-readinessprobe
+ registry: quay.io
+ tag: 1.0.17
+ digest: sha256:99013fbeb1dccde1f4995adba188b95ce14b336d587730146d3695cb175fcf03 # 1.0.17-b20231215T000000Z
+
+ - name: ibmmas/mongo
+ registry: quay.io
+ tag: 6.0.12
+ digest: sha256:64ed5175850c3be8bd2976823e245141c4e6a7046102136f8c333850dbe6a399 # quay.io/mongodb/mongodb-community-server:6.0.12-ubi8-20231214T084821Z
diff --git a/ibm/mas_devops/roles/mirror_extras_prepare/vars/uds_1.5.0.yml b/ibm/mas_devops/roles/mirror_extras_prepare/vars/uds_1.5.0.yml
new file mode 100644
index 000000000..624a77601
--- /dev/null
+++ b/ibm/mas_devops/roles/mirror_extras_prepare/vars/uds_1.5.0.yml
@@ -0,0 +1,11 @@
+---
+extra_images:
+ - name: cpopen/cpfs/ibm-events-kafka-3.5.1
+ registry: icr.io
+ tag: 4.9.0
+ digest: sha256:4049092de0221944ffcc8764b7d61ae53773f00c90938127341afb08e6f3704d
+
+ - name: cpopen/ibm-events-operator
+ registry: icr.io
+ tag: 4.9.0
+ digest: sha256:815003818cc6c5e9303580fed35de26720f3aa4336c5e7e0e676eb2475c0f2af
diff --git a/ibm/mas_devops/roles/mirror_extras_prepare/vars/wd_1.0.2.yml b/ibm/mas_devops/roles/mirror_extras_prepare/vars/wd_1.0.2.yml
new file mode 100644
index 000000000..66a0534c3
--- /dev/null
+++ b/ibm/mas_devops/roles/mirror_extras_prepare/vars/wd_1.0.2.yml
@@ -0,0 +1,126 @@
+---
+extra_images:
+ - name: cpopen/ibm-etcd-operator-bundle
+ registry: icr.io
+ digest: sha256:413e96950048ecb4a1d3ec9396f61c8501f7732839bcbf52cd82ed4462d82997
+ tag: 1.0.21
+
+ - name: cp/opencontent-etcd-3
+ registry: cp.icr.io
+ digest: sha256:45bbe9ee755a9123b8baa77c70a2c81f68d2819dfb3b2ace59edd25bafbc6df2
+ tag: 1.0.21-1
+
+ - name: cp/opencontent-etcd-3
+ registry: cp.icr.io
+ digest: sha256:e1c7d84c7f35660519fa2465d3ec78cb749649fdc8d7895cc54eace8fa4a8e21
+ tag: 1.0.21-2
+
+ - name: cpopen/opencontent-etcd-operator
+ registry: icr.io
+ digest: sha256:12dfed47e5869daae6afd6d090c8ee9d98b3268e8899a378c06aac2988f90d33
+ tag: 1.0.21
+
+ - name: cpopen/watson-gateway-operator-bundle
+ registry: icr.io
+ digest: sha256:61952ede495982378fb195572843a3d243eaada0a9f8af99a2906c08332b1ec9
+ tag: 1.0.21
+
+ - name: cp/watson-gateway
+ registry: cp.icr.io
+ digest: sha256:7912152ccf958a247dc74a5d191231ecd52491885e539966b40662e9534a65df
+ tag: 1.0.16
+
+ - name: cp/watson-gateway
+ registry: cp.icr.io
+ digest: sha256:c369f6a6c224f7353d86a3b8f8b3906b7a8f00878a3efc8e08dec90de16c121b
+ tag: 1.0.21
+
+ - name: cpopen/watson-gateway-operator
+ registry: icr.io
+ digest: sha256:5152a9ba1183fec626e1bf688b403eeb192973c0fc2caa2ed71201575a2ff367
+ tag: 1.0.21
+
+ - name: cp/cpd/edb-postgres-license-provider
+ registry: cp.icr.io
+ tag: 1.18.7
+ digest: sha256:2f302acebe51e10c5ddb24e425b70eebda3cd0cc1696a01e9aa1c51558da5f99
+
+ - name: cpopen/ibm-cpd-cloud-native-postgresql-operator-bundle
+ registry: icr.io
+ tag: 1.18.7
+ digest: sha256:ce47f862015dab2b172269c58874a844d761fb864f412dda51f7d0a9d3a2e55f
+
+ - name: cpopen/ibm-cpd-cloud-native-postgresql-operator
+ registry: icr.io
+ tag: 1.18.7
+ digest: sha256:655ef203121469f73bf5a6f35274cad898f926cd94acdfc23aab1224823a72e6
+
+ - name: cp/opencontent-minio-client
+ registry: cp.icr.io
+ tag: 1.0.18-1
+ digest: sha256:ff5ec8f2836bb5c57a1c92d64590644c0037e721ae7781f0348c61df57a81ff3
+
+ - name: cp/opencontent-minio-client
+ registry: cp.icr.io
+ tag: 1.0.18-2
+ digest: sha256:1a9d535341eaa32c107528e403c418a62c765280ee4fb4351963d7a4a246bd9c
+
+ - name: cp/opencontent-minio-kes
+ registry: cp.icr.io
+ tag: 1.0.18-1
+ digest: sha256:2254b0a9d5e25ab3430d02b2330befafbffda34d93a77249fe8863260365e07a
+
+ - name: cp/opencontent-minio-kes
+ registry: cp.icr.io
+ tag: 1.0.18-2
+ digest: sha256:602d73c1a22e7618483f3ff8352298b92c615a89ce3c6b4b2c5b7b5510381928
+
+ - name: cp/opencontent-minio
+ registry: cp.icr.io
+ tag: 1.0.18-1
+ digest: sha256:24271daff8afac3ac20476ea353516c0ab8d08d6ab471c5aa7eafadc261e7b1e
+
+ - name: cp/opencontent-minio
+ registry: cp.icr.io
+ tag: 1.0.18-2
+ digest: sha256:277555141cbfd67a66b5f483b5b96e1fbadb49c72bde8bd9a38398b5c6b6e395
+
+ - name: cpopen/opencontent-minio-operator-bundle
+ registry: icr.io
+ tag: 1.0.18
+ digest: sha256:926a9b103066c024fbf66d3c48b62a96f2fbb1423157734f8d7cb373077b2690
+
+ - name: cpopen/opencontent-minio-operator
+ registry: icr.io
+ tag: 1.0.18
+ digest: sha256:57e474051817578504c3c78ff1772552aa0c47dcf701eb8f8a96aee57136ce9d
+
+ - name: cp/opencontent-rabbitmq-3
+ registry: cp.icr.io
+ tag: 1.0.21-1
+ digest: sha256:ab9a7ebb2c5ab9538a1a9e9c3ced9be99ac1a05215ff3f29b047d68ccb25745f
+
+ - name: cp/opencontent-rabbitmq-3
+ registry: cp.icr.io
+ tag: 1.0.21-2
+ digest: sha256:cd3819f4fec97cee4d4ee544aab013fabec0c02f16040b84b2a12b4956ad7619
+
+ - name: cp/opencontent-rabbitmq-config-copy
+ registry: cp.icr.io
+ tag: 1.0.21-1
+ digest: sha256:3320939892ce206fc1b4dcfcf4177ee5d85e3493513d9c92f17b490e4dc75231
+
+ - name: cp/opencontent-rabbitmq-config-copy
+ registry: cp.icr.io
+ tag: 1.0.21-2
+ digest: sha256:0d266c256c04af2dba6032c6e7e3ceb4beedc5b366b6f1dc1ce3b4ab35b2e108
+
+ - name: cpopen/opencontent-rabbitmq-operator-bundle
+ registry: icr.io
+ tag: 1.0.21
+ digest: sha256:c327a962e08a6cce2a1aa95caa1fddccf34a123403167daae32a7befe64e2317
+
+ - name: cpopen/opencontent-rabbitmq-operator
+ registry: icr.io
+ tag: 1.0.21
+ digest: sha256:9c4af898cf03bf398dfd7a6b574e03df7fbc2a9e73ce353ada80e25f3690ee69
diff --git a/ibm/mas_devops/roles/mirror_ocp/README.md b/ibm/mas_devops/roles/mirror_ocp/README.md
index 5dde08a5b..813a27b0f 100644
--- a/ibm/mas_devops/roles/mirror_ocp/README.md
+++ b/ibm/mas_devops/roles/mirror_ocp/README.md
@@ -7,25 +7,29 @@ Four actions are supported: - `direct` Directly mirror content to your target registry - `to-filesystem` Mirror content to the local filesystem - `from-filesystem` Mirror content from the local filesystem to your target registry -- `install-catalogs` Install CatalogSources for the mirrored content. -Two **CatalogSources** are created by the `install-catalogs` action in the `openshift-marketplace` namespace, containing the following content: +Three **Catalogs** are mirrored, containing the following content: ### certified-operator-index - crunchy-postgres-operator (required by ibm.mas_devops.uds role) +- gpu-operator-certified (required by ibm.mas_devops.nvidia_gpu role) +- kubeturbo-certified (required by ibm.mas_devops.kubeturbo role) +- ibm-metrics-operator (required by ibm.mas_devops.dro role) +- ibm-data-reporter-operator (required by ibm.mas_devops.dro role) +- redhat-marketplace-operator (required by ibm.mas_devops.dro role) + +### community-operator-index +- grafana-operator (required by ibm.mas_devops.cluster_monitoring role) +- opentelemetry-operator (required by ibm.mas_devops.cluster_monitoring role) +- strimzi-kafka-operator (required by ibm.mas_devops.kafka role) ### redhat-operator-index - amq-streams (required by ibm.mas_devops.kafka role) - openshift-pipelines-operator-rh (required by the MAS CLI) - -!!! note - We are limited to the content we can support mirroring for today due to bug with Red Hat's support for OCI images, this prevents the mirroring of the following packages (which are all optional dependencies): - - - **kubeturbo-certified** - - **grafana-operator** - - **opentelemetry-operator** - - For more information refer to [solution 6997884](https://access.redhat.com/solutions/6997884) and [CFE 780](https://issues.redhat.com/browse/CFE-780). 
+- nfd (required by ibm.mas_devops.nvidia_gpu role) +- aws-efs-csi-driver-operator (required by ibm.mas_devops.ocp_efs role) +- local-storage-operator (required by ibm.mas_devops.ocs role) +- odf-operator (required by ibm.mas_devops.ocs role) Requirements @@ -136,9 +140,9 @@ Example Playbook ```yaml - hosts: localhost vars: - registry_public_host: myocp-5f1320191125833da1cac8216c06779e-0000.us-south.containers.appdomain.cloud - registry_public_port: 32500 - registry_username: admin + registry_public_host: myregistry.mycompany.com + registry_public_port: 5000 + registry_username: user1 registry_password: 8934jk77s862! # Not a real password, don't worry security folks mirror_mode: direct diff --git a/ibm/mas_devops/roles/mirror_ocp/tasks/actions/to-filesystem.yml b/ibm/mas_devops/roles/mirror_ocp/tasks/actions/to-filesystem.yml index c11bc7fae..6d0d69ea0 100644 --- a/ibm/mas_devops/roles/mirror_ocp/tasks/actions/to-filesystem.yml +++ b/ibm/mas_devops/roles/mirror_ocp/tasks/actions/to-filesystem.yml @@ -25,4 +25,4 @@ - name: "Mirror Red Hat content from source registry to filesystem" shell: > - DOCKER_CONFIG={{ mirror_working_dir }} oc mirror --config={{ mirror_working_dir }}/imageset-ocp{{ ocp_release }}.yml file:///{{ mirror_working_dir }} &> {{ mirror_working_dir }}/logs/mirror-ocp{{ ocp_release }}.log + DOCKER_CONFIG={{ mirror_working_dir }} oc mirror --config={{ mirror_working_dir }}/imageset-ocp{{ ocp_release }}.yml file:///{{ mirror_working_dir }} &> {{ mirror_working_dir }}/logs/mirror-to-filesystem-ocp{{ ocp_release }}.log diff --git a/ibm/mas_devops/roles/mirror_ocp/tasks/main.yml b/ibm/mas_devops/roles/mirror_ocp/tasks/main.yml index eb7fcb969..ece89bc35 100644 --- a/ibm/mas_devops/roles/mirror_ocp/tasks/main.yml +++ b/ibm/mas_devops/roles/mirror_ocp/tasks/main.yml 
@@ -55,6 +55,7 @@ # 4. Generate new docker config # ----------------------------------------------------------------------------- - name: Generate Docker config + no_log: true # Output contains credentials for all docker registries command: > jq ".auths[\"{{ registry_public_url }}\"]={\"auth\":\"{{ registry_auth | b64encode }}\"}" "{{ redhat_pullsecret }}" register: new_pull_secret diff --git a/ibm/mas_devops/roles/mirror_ocp/templates/imagesetconfiguration.yml.j2 b/ibm/mas_devops/roles/mirror_ocp/templates/imagesetconfiguration.yml.j2 index abdbbcb07..6b0dd7682 100644 --- a/ibm/mas_devops/roles/mirror_ocp/templates/imagesetconfiguration.yml.j2 +++ b/ibm/mas_devops/roles/mirror_ocp/templates/imagesetconfiguration.yml.j2 @@ -25,11 +25,25 @@ mirror: channels: - name: v5 - name: gpu-operator-certified # Required by ibm.mas_devops.nvidia_gpu role - # - name: kubeturbo-certified # Required by ibm.mas_devops.kubeturbo role - # OCI images are not supported by oc image mirror - # https://access.redhat.com/solutions/6997884 - # https://issues.redhat.com/browse/CFE-780 - # OCI index found, but accept header does not support OCI indexes + channels: + - name: v23.3 + # We don't use the v23.9 channel, but oc-mirror fails when the default channel is not included + # - https://access.redhat.com/solutions/7013461 + # - https://issues.redhat.com/browse/OCPBUGS-385 + - name: v23.9 + - name: kubeturbo-certified # Required by ibm.mas_devops.kubeturbo role + channels: + - name: stable + - name: ibm-metrics-operator # Required by ibm.mas_devops.dro role + channels: + - name: stable + - name: ibm-data-reporter-operator # Required by ibm.mas_devops.dro role + channels: + - name: stable + - name: redhat-marketplace-operator # Required by ibm.mas_devops.dro role + channels: + - name: stable + # community-operators - catalog: registry.redhat.io/redhat/community-operator-index:v{{ ocp_release }} 
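Review bot: `no_log: true` on "Generate Docker config" only suppresses this task's own result; the merged pull secret is still carried in the registered `new_pull_secret`, and the tasks that read it are outside this hunk. Any later task that writes or prints `new_pull_secret.stdout` needs `no_log: true` as well, otherwise the registry credentials reappear in that task's output. It would help to extend the inline comment to say so, e.g. `# Output contains credentials; also set no_log on consumers of new_pull_secret`.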
@@ -37,12 +51,16 @@ mirror: - name: grafana-operator # Required by ibm.mas_devops.cluster_monitoring role channels: - name: v4 - # - name: opentelemetry-operator # Required by ibm.mas_devops.cluster_monitoring role - - # OCI images are not supported by oc image mirror - # https://access.redhat.com/solutions/6997884 - # https://issues.redhat.com/browse/CFE-780 - # OCI index found, but accept header does not support OCI indexes + # We don't use the v5 channel, but oc-mirror fails when the default channel is not included + # - https://access.redhat.com/solutions/7013461 + # - https://issues.redhat.com/browse/OCPBUGS-385 + - name: v5 + - name: opentelemetry-operator # Required by ibm.mas_devops.cluster_monitoring role + channels: + - name: alpha + - name: strimzi-kafka-operator # Required by ibm.mas_devops.kafka role + channels: + - name: stable # redhat-operators - catalog: registry.redhat.io/redhat/redhat-operator-index:v{{ ocp_release }} diff --git a/ibm/mas_devops/roles/mongodb/README.md b/ibm/mas_devops/roles/mongodb/README.md index e895e35c4..90aa4a047 100644 --- a/ibm/mas_devops/roles/mongodb/README.md +++ b/ibm/mas_devops/roles/mongodb/README.md 
@@ -6,8 +6,10 @@ This role currently supports provisioning of mongodb in three different provider - aws (documentdb) - ibm +!!! important + According to the [MongoDB Software Lifecycle Schedules](https://www.mongodb.com/support-policy/lifecycles) MongoDB 4.4 will reach end of life in February of 2024. Given this fact it is encouraged that either MongoDB 5 or 6 be used for MAS Deployments. The MAS Devops Ansible Collection can be used to install or upgrade MongoDB when the selected service provider is `community`. If the MonogDB instance used by MAS is hosted by a third party please consult the applicable documentation with respect to MongoDB 5 or 6 options. If the MongoDB instance is hosted on premises please review the appropriate MongoDB documentation related to upgrading. As a best practice it is advised perform MongoDB backups on a regular basis. This is especially important before any upgrade of MongoDB. -If selected provider is `community` [MongoDb CE operator](https://github.com/mongodb/mongodb-kubernetes-operator) will be installed into the specified namespace, a 3 node cluster cluster will be created. The cluster will bind six PVCs, these provide persistence for the data and system logs across the three nodes. Currently there is no support built-in for customizing the cluster beyond this configuration. +If the selected provider is `community` then the [MongoDB Community Kubernetes Operator](https://github.com/mongodb/mongodb-kubernetes-operator) will be configured and deployed into the specified namespace. By default a three member MongoDB replica set will be created. The cluster will bind six PVCs, these provide persistence for the data and system logs across the three nodes. Currently there is no support built-in for customizing the cluster beyond this configuration. !!! tip The role will generate a yaml file containing the definition of a Secret and MongoCfg resource that can be used to configure the deployed instance as the MAS system MongoDb. 
@@ -71,7 +73,10 @@ The namespace where the operator and MongoDb cluster will be deployed. - Default Value: `mongoce` ### mongodb_version -Defines the specific mongo version to be used. +Defines the specific mongo version to be used. Best practice would be to use the version associated with the current Maximo Application Suite catalog. However, this value can currently be overridden to 4.4.21, 5.0.21, 5.0.23, 6.0.10 or 6.0.12 + +!!! important + It is advised to never attempt a downgrade a MongoDB instance managed by the MAS Devops Ansible Collection. Also best practices should include creating scheduled backups of any MongoDB instance. - Optional - Environment Variable: `MONGODB_VERSION` diff --git a/ibm/mas_devops/roles/mongodb/defaults/main.yml b/ibm/mas_devops/roles/mongodb/defaults/main.yml index d9222c491..0b903a426 100644 --- a/ibm/mas_devops/roles/mongodb/defaults/main.yml +++ b/ibm/mas_devops/roles/mongodb/defaults/main.yml @@ -116,7 +116,8 @@ custom_labels: "{{ lookup('env', 'CUSTOM_LABELS') | default(None, true) | string mongodb_v5_upgrade: "{{ lookup('env', 'MONGODB_V5_UPGRADE') | default(false, true) | bool }}" mongodb_v6_upgrade: "{{ lookup('env', 'MONGODB_V6_UPGRADE') | default(false, true) | bool }}" -mongo_feature_compatibility_matrix: +mongo_compatibility_matrix_default: "4.2": "4.4.21" "4.4": "5.0.21" "5.0": "6.0.10" + "6.0": "6.0.10" diff --git a/ibm/mas_devops/roles/mongodb/tasks/determine-ibmcatalog-tag.yml b/ibm/mas_devops/roles/mongodb/tasks/determine-ibmcatalog-tag.yml new file mode 100644 index 000000000..6efa6dca5 --- /dev/null +++ b/ibm/mas_devops/roles/mongodb/tasks/determine-ibmcatalog-tag.yml 
@@ -0,0 +1,105 @@ +--- +# The MongoDB version is based on the chosen ibm-operator-catalog. However the +# ibm-operator-catalog does not explicitly include information about the mongo version. +# +# The configuration files in common_vars/casebundles do specify the MongoDB +# version for each of the MAS published ibm-operator-catalog catalogs. +# +# To determine which common_vars/casebundles configuration file to use, this role +# extracts the catalog_tag from the ibm-operator-catalog's displayName. +# +# For example: +# displayName: IBM Maximo Operators (v8-230926-amd64) +# +# catalog_tag is v8-230926-amd64 +# MongoDB version will be determined by loading common_vars/casebundles/v8-230926-amd64.yml +# +# And FINALLY... +# If the MongoDB version cannot be determined from the above logic, +# the MongoDB version will be determined by the last configuration file in +# common_vars/casebundles/ +# +# And if still it cannot be determined because perhaps its not specified in the +# configuration file, a default value will be used. + +# List the common_vars/casebundle configuration files if last_catalog_tag is not defined +- block: + - name: "List yml files in common_vars/casebundles folder" + find: + paths: "{{ role_path }}/../../common_vars/casebundles" + patterns: "*.yml" + file_type: "file" + register: find_result + + - debug: + var: find_result + + # Determine the last configuration file in the list just in case we need it later + - set_fact: + last_catalog_tag: "{{ find_result['files'] | map(attribute='path') | map('regex_replace', '^.*/(.*).yml$', '\\1') | sort |last }}" + when: find_result is defined + when: last_catalog_tag is not defined or last_catalog_tag == "" + +# Display the Last Catalog Version +- name: "Display the Last Catalog Version" + debug: + msg: + - "Last Catalog Version ............................ {{ last_catalog_tag }}" + +# 1. 
Get the IBM Catalog if available +# ----------------------------------------------------------------------------- +- name: "Lookup ibm-operator-catalog" + kubernetes.core.k8s_info: + api_version: operators.coreos.com/v1alpha1 + name: ibm-operator-catalog + namespace: openshift-marketplace + kind: CatalogSource + register: catalog_lookup + +- name: "Determine catalog version from catalog displayName" + block: + # extract the catalog tag from displayName + - set_fact: + catalog_tag: "{{ catalog_lookup.resources[0].spec.displayName.split('(')[1].split(')')[0].split(' ')[0] }}" + when: + - catalog_lookup is defined + - catalog_lookup.resources is defined + - catalog_lookup.resources | length > 0 + - catalog_lookup.resources[0].spec is defined + - catalog_lookup.resources[0].spec.displayName is defined + - '"(" in catalog_lookup.resources[0].spec.displayName' + + - name: Check if file exists in casebundles + stat: + path: "{{ role_path }}/../../common_vars/casebundles/{{ catalog_tag }}.yml" + register: file_exists_result + when: catalog_tag is defined and catalog_tag != "" + + # use last_catalog_tag if the casebundles file does not exist + - set_fact: + catalog_tag: "{{ last_catalog_tag }}" + when: + - file_exists_result is defined + - file_exists_result.stat is defined + - file_exists_result.stat.exists is defined + - not file_exists_result.stat.exists + - last_catalog_tag is defined and last_catalog_tag != "" + + # use last_catalog_tag if unable to get catalog_tag from displayName + - set_fact: + catalog_tag: "{{ last_catalog_tag }}" + when: + - catalog_tag is not defined + - last_catalog_tag is defined and last_catalog_tag != "" + + rescue: + # use the last_catalog_tag when the catalog_tag cannot be determined from the displayName + - set_fact: + catalog_tag: "{{ last_catalog_tag }}" + when: last_catalog_tag is defined and last_catalog_tag != "" + +- name: "Catalog Version" + debug: + msg: + - "Catalog Version ............................ 
{{ catalog_tag }}" + when: catalog_tag is defined and catalog_tag != "" diff --git a/ibm/mas_devops/roles/mongodb/tasks/providers/community/check-mongo-exists.yml b/ibm/mas_devops/roles/mongodb/tasks/providers/community/check-mongo-exists.yml index cb6be5830..1afe283d9 100644 --- a/ibm/mas_devops/roles/mongodb/tasks/providers/community/check-mongo-exists.yml +++ b/ibm/mas_devops/roles/mongodb/tasks/providers/community/check-mongo-exists.yml @@ -38,10 +38,30 @@ set_fact: existing_mongo_minor_version: "{{ existing_mongo_version | regex_search('(?<=)(.*)(?=...)') }}" + - include_tasks: tasks/determine-ibmcatalog-tag.yml + + - name: Check if file exists in casebundles + stat: + path: "{{ role_path }}/../../common_vars/casebundles/{{ catalog_tag }}.yml" + register: stat_result + when: catalog_tag is defined and catalog_tag != "" + + - name: Load CASE bundle versions + include_vars: + file: "{{ role_path }}/../../common_vars/casebundles/{{ catalog_tag }}.yml" + when: stat_result is defined and stat_result.stat.exists + # holds the expected target mongo version that is feature compatible with the existing mongo instance version + # mongo extras version are picked up from the catalog if available or uses defaults. - name: Set mongo_compatible_target_version set_fact: mongo_compatible_target_version: "{{ mongo_feature_compatibility_matrix[existing_mongo_minor_version] }}" + vars: + mongo_feature_compatibility_matrix: + "4.2": "{{ mongo_extras_version_4 | default(mongo_compatibility_matrix_default['4.2'], true) }}" + "4.4": "{{ mongo_extras_version_5 | default(mongo_compatibility_matrix_default['4.4'], true) }}" + "5.0": "{{ mongo_extras_version_6 | default(mongo_compatibility_matrix_default['5.0'], true) }}" + "6.0": "{{ mongo_extras_version_6 | default(mongo_compatibility_matrix_default['6.0'], true) }}" when: - existing_mongodb.resources[0].spec.version is defined 
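Review bot: `catalog_tag` is taken from the CatalogSource `displayName` and placed straight into the `common_vars/casebundles/{{ catalog_tag }}.yml` path in "Check if file exists in casebundles", with no check on its shape. A display name containing path separators would make the `stat`, and the later `include_vars` in check-mongo-exists.yml, resolve outside the casebundles folder. I would add an assert right after the extraction, for example `that: catalog_tag is match('^[A-Za-z0-9._-]+$')`; a failure inside the block lands in the existing `rescue`, which already falls back to `last_catalog_tag`. Separately, `debug: var: find_result` prints the full file listing on every run and could be dropped or given a `verbosity`.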
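Review bot: The `when` on "Load CASE bundle versions" reads `stat_result.stat.exists`, but when `catalog_tag` is empty the preceding `stat` task is skipped and its registered result has no `stat` key, so the condition raises an error instead of skipping the task. `stat_result is defined` does not guard against this, because a skipped task still registers the variable. `when: stat_result.stat is defined and stat_result.stat.exists` would match the checks used in determine-ibmcatalog-tag.yml. The enclosing block starts outside this hunk.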
diff --git a/ibm/mas_devops/roles/mongodb/tasks/providers/community/install-mongo.yml b/ibm/mas_devops/roles/mongodb/tasks/providers/community/install-mongo.yml index a1f32ffcd..ad2f2bf58 100644 --- a/ibm/mas_devops/roles/mongodb/tasks/providers/community/install-mongo.yml +++ b/ibm/mas_devops/roles/mongodb/tasks/providers/community/install-mongo.yml 
@@ -22,87 +22,10 @@ # And if still it cannot be determined because perhaps its not specified in the # configuration file, a default value will be used. -# List the common_vars/casebundle configuration files if last_catalog_tag is not defined -- block: - - name: "List yml files in common_vars/casebundles folder" - find: - paths: "{{ role_path }}/../../common_vars/casebundles" - patterns: "*.yml" - file_type: "file" - register: find_result - - - debug: - var: find_result - - # Determine the last configuration file in the list just in case we need it later - - set_fact: - last_catalog_tag: "{{ find_result['files'] | map(attribute='path') | map('regex_replace', '^.*/(.*).yml$', '\\1') | sort |last }}" - when: find_result is defined - when: last_catalog_tag is not defined or last_catalog_tag == "" - -# Display the Last Catalog Version -- name: "Display the Last Catalog Version" - debug: - msg: - - "Last Catalog Version ............................ {{ last_catalog_tag }}" - # 1. Get the IBM Catalog if available # ----------------------------------------------------------------------------- -- name: "Lookup ibm-operator-catalog" - kubernetes.core.k8s_info: - api_version: operators.coreos.com/v1alpha1 - name: ibm-operator-catalog - namespace: openshift-marketplace - kind: CatalogSource - register: catalog_lookup - -- name: "Determine catalog version from catalog displayName" - block: - # extract the catalog tag from displayName - - set_fact: - catalog_tag: "{{ catalog_lookup.resources[0].spec.displayName.split('(')[1].split(')')[0].split(' ')[0] }}" - when: - - catalog_lookup is defined - - catalog_lookup.resources is defined - - catalog_lookup.resources | length > 0 - - catalog_lookup.resources[0].spec is defined - - catalog_lookup.resources[0].spec.displayName is defined - - '"(" in catalog_lookup.resources[0].spec.displayName' - - - name: Check if file exists in casebundles - stat: - path: "{{ role_path }}/../../common_vars/casebundles/{{ catalog_tag }}.yml" - register: 
file_exists_result - when: catalog_tag is defined and catalog_tag != "" - - # use last_catalog_tag if the casebundles file does not exist - - set_fact: - catalog_tag: "{{ last_catalog_tag }}" - when: - - file_exists_result is defined - - file_exists_result.stat is defined - - file_exists_result.stat.exists is defined - - not file_exists_result.stat.exists - - last_catalog_tag is defined and last_catalog_tag != "" - - # use last_catalog_tag if unable to get catalog_tag from displayName - - set_fact: - catalog_tag: "{{ last_catalog_tag }}" - when: - - catalog_tag is not defined - - last_catalog_tag is defined and last_catalog_tag != "" - rescue: - # use the last_catalog_tag when the catalog_tag cannot be determined from the displayName - - set_fact: - catalog_tag: "{{ last_catalog_tag }}" - when: last_catalog_tag is defined and last_catalog_tag != "" - -- name: "Catalog Version" - debug: - msg: - - "Catalog Version ............................ {{ catalog_tag }}" - when: catalog_tag is defined and catalog_tag != "" +- include_tasks: tasks/determine-ibmcatalog-tag.yml # 2. Load default settings # ----------------------------------------------------------------------------- diff --git a/ibm/mas_devops/roles/mongodb/tasks/providers/community/validate-upgrade.yml b/ibm/mas_devops/roles/mongodb/tasks/providers/community/validate-upgrade.yml index 8f323794b..3eb3d8363 100644 --- a/ibm/mas_devops/roles/mongodb/tasks/providers/community/validate-upgrade.yml +++ b/ibm/mas_devops/roles/mongodb/tasks/providers/community/validate-upgrade.yml 
@@ -10,6 +10,14 @@ - "Existing MongoDb version .................. {{ existing_mongo_version }}" - "Minor mongo version ....................... {{ existing_mongo_minor_version }}" +# Only allow Mongo upgrades if existing instance is in Running state +- name: "Assert existing Mongo is running" + assert: + that: existing_mongodb.resources[0].status.phase == 'Running' + fail_msg: + - "Unable to upgrade existing Mongo instance to {{ target_mongodb_version }} in namespace {{ mongodb_namespace }} because it is not in 'Running' state." + - "Current Mongo Status: {{ existing_mongodb.resources[0].status.phase }}" + # Only allow Mongo upgrades, prevent downgrades from happening - name: Assert no Mongo downgrade operations assert: diff --git a/ibm/mas_devops/roles/nvidia_gpu/README.md b/ibm/mas_devops/roles/nvidia_gpu/README.md index 0693394d0..d8aeb4252 100644 --- a/ibm/mas_devops/roles/nvidia_gpu/README.md +++ b/ibm/mas_devops/roles/nvidia_gpu/README.md @@ -29,7 +29,7 @@ The namespace where the NVIDIA GPU operator will be deployed. For version 1.8.x, The channel to subscribe to for the gpu operator installation and updates. Available channels may be found in the package manifest of gpu-operator-certified operator in openshift. - Environment Variable: `GPU_CHANNEL` -- Default Value: `v1.11` +- Default Value: `v23.3` ### gpu_driver_version The gpu driver version image that needs to be pulled from the gpu driver repository. It is recommended that the right version of GPU driver is used depending on the OS version. The default versions are shown below. See the attached links for more information and to decide which driver version to use. diff --git a/ibm/mas_devops/roles/ocp_contentsourcepolicy/templates/redhat-catalogs.yml.j2 b/ibm/mas_devops/roles/ocp_contentsourcepolicy/templates/redhat-catalogs.yml.j2 index fab64409e..63ab5cbff 100644 --- a/ibm/mas_devops/roles/ocp_contentsourcepolicy/templates/redhat-catalogs.yml.j2 
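Review bot: The new "Assert existing Mongo is running" task dereferences `existing_mongodb.resources[0].status.phase` in both `that` and `fail_msg`, so a resource that has no `status` yet ends the task with an undefined-variable error rather than the intended message. Using `existing_mongodb.resources[0].status.phase | default('') == 'Running'` in `that`, and the same `default` in the message, keeps the failure readable. `target_mongodb_version` is also used in `fail_msg` and is not set in this hunk, so it should be confirmed as defined at this point.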
+++ b/ibm/mas_devops/roles/ocp_contentsourcepolicy/templates/redhat-catalogs.yml.j2 
@@ -40,51 +40,69 @@ metadata: operators.openshift.org/catalog: "true" spec: repositoryDigestMirrors: + - mirrors: + - {{ registry_private_url }}/cpopen + source: icr.io/cpopen + - mirrors: + - {{ registry_private_url }}/rhel8 + source: registry.redhat.io/rhel8 - mirrors: - {{ registry_private_url }}/crunchydata source: registry.connect.redhat.com/crunchydata - mirrors: - - {{ registry_private_url }}/kubebuilder - source: gcr.io/kubebuilder + - {{ registry_private_url }}/nvidia + source: registry.connect.redhat.com/nvidia - mirrors: - - {{ registry_private_url }}/amq-streams - source: registry.redhat.io/amq-streams + - {{ registry_private_url }}/grafana-operator + source: quay.io/grafana-operator + - mirrors: + - {{ registry_private_url }}/open-telemetry + source: ghcr.io/open-telemetry + - mirrors: + - {{ registry_private_url }}/source-to-image + source: registry.redhat.io/source-to-image + - mirrors: + - {{ registry_private_url }}/odf4 + source: registry.redhat.io/odf4 + - mirrors: + - {{ registry_private_url }}/operator-pipeline-prod + source: quay.io/operator-pipeline-prod + - mirrors: + - {{ registry_private_url }}/strimzi + source: quay.io/strimzi - mirrors: - {{ registry_private_url }}/rhceph source: registry.redhat.io/rhceph + - mirrors: + - {{ registry_private_url }}/amq-streams + source: registry.redhat.io/amq-streams - mirrors: - {{ registry_private_url }}/nvidia source: nvcr.io/nvidia - mirrors: - {{ registry_private_url }}/openshift4 source: registry.redhat.io/openshift4 - - mirrors: - - {{ registry_private_url }}/openshift-pipelines - source: registry.redhat.io/openshift-pipelines - - mirrors: - - {{ registry_private_url }}/operator-pipeline-prod - source: quay.io/operator-pipeline-prod - mirrors: - {{ registry_private_url }}/openshift-community-operators source: quay.io/openshift-community-operators - mirrors: - - {{ registry_private_url }}/grafana-operator - source: quay.io/grafana-operator + - {{ registry_private_url }}/kubebuilder + source: 
gcr.io/kubebuilder - mirrors: - {{ registry_private_url }}/ubi8 source: registry.redhat.io/ubi8 - mirrors: - - {{ registry_private_url }}/ocp-tools-4-tech-preview - source: registry.redhat.io/ocp-tools-4-tech-preview + - {{ registry_private_url }}/openshift-pipelines + source: registry.redhat.io/openshift-pipelines - mirrors: - {{ registry_private_url }}/openshift-serverless-1 source: registry.redhat.io/openshift-serverless-1 - mirrors: - - {{ registry_private_url }}/odf4 - source: registry.redhat.io/odf4 + - {{ registry_private_url }}/turbonomic + source: registry.connect.redhat.com/turbonomic - mirrors: - - {{ registry_private_url }}/rhel8 - source: registry.redhat.io/rhel8 + - {{ registry_private_url }}/rh-marketplace + source: quay.io/rh-marketplace - mirrors: - - {{ registry_private_url }}/nvidia - source: registry.connect.redhat.com/nvidia + - {{ registry_private_url }}/rh-marketplace + source: registry.connect.redhat.com/rh-marketplace diff --git a/ibm/mas_devops/roles/sls/README.md b/ibm/mas_devops/roles/sls/README.md index 66bbf9434..f4f1b547b 100644 --- a/ibm/mas_devops/roles/sls/README.md +++ b/ibm/mas_devops/roles/sls/README.md @@ -238,6 +238,13 @@ The URL of the LicenseService to be called when the Maximo Application Suite is - Environment Variable: `SLS_URL` - Default Value: None +### mas_license_sync_frequency +The sync frequency of user license sync cronjob between Maximo Application Suite and SLS. + +- Optional +- Environment Variable: `MAS_LICENSE_SYNC_FREQUENCY` +- Default Value: `*/30 * * * *` + ### sls_tls_crt The TLS CA certificate of the LicenseService to be used when the Maximo Application Suite is registered with SLS. Takes precedence over `sls_tls_crt_local_file_path`. diff --git a/ibm/mas_devops/roles/sls/defaults/main.yml b/ibm/mas_devops/roles/sls/defaults/main.yml index 8d50a2e59..5907d608f 100644 --- a/ibm/mas_devops/roles/sls/defaults/main.yml +++ b/ibm/mas_devops/roles/sls/defaults/main.yml 
@@ -44,6 +44,7 @@ entitlement_file: "{{ lookup('env', 'SLS_ENTITLEMENT_FILE') | default(\"\", true # SLSCfg generation mas_instance_id: "{{ lookup('env', 'MAS_INSTANCE_ID') }}" mas_config_dir: "{{ lookup('env', 'MAS_CONFIG_DIR') }}" +mas_license_sync_frequency: "{{ lookup('env', 'MAS_LICENSE_SYNC_FREQUENCY') | default('*/30 * * * *', true) }}" sls_url: "{{ lookup('env', 'SLS_URL') }}" sls_registration_key: "{{ lookup('env', 'SLS_REGISTRATION_KEY') }}" diff --git a/ibm/mas_devops/roles/sls/templates/slscfg.yml.j2 b/ibm/mas_devops/roles/sls/templates/slscfg.yml.j2 index 0140d3017..a6f09142a 100644 --- a/ibm/mas_devops/roles/sls/templates/slscfg.yml.j2 +++ b/ibm/mas_devops/roles/sls/templates/slscfg.yml.j2 @@ -33,6 +33,7 @@ spec: url: "{{ sls_url }}" credentials: secretName: sls-registration-key + syncFrequency: "{{ mas_license_sync_frequency }}" certificates: - alias: ca crt: | diff --git a/ibm/mas_devops/roles/suite_app_install/defaults/main.yml b/ibm/mas_devops/roles/suite_app_install/defaults/main.yml index 488bd3338..19c76de1d 100644 --- a/ibm/mas_devops/roles/suite_app_install/defaults/main.yml +++ b/ibm/mas_devops/roles/suite_app_install/defaults/main.yml 
@@ -25,6 +25,9 @@ mas_app_bindings_jdbc: "{{ lookup('env', 'MAS_APP_BINDINGS_JDBC') | default('sys # Additional Visual Inspection Settings mas_app_settings_visualinspection_storage_class: "{{ lookup('env', 'MAS_APP_SETTINGS_VISUALINSPECTION_STORAGE_CLASS') }}" mas_app_settings_visualinspection_storage_size: "{{ lookup('env', 'MAS_APP_SETTINGS_VISUALINSPECTION_STORAGE_SIZE') | default('100Gi', true) }}" +mas_app_settings_visualinspection_object_storage_enabled: "{{ lookup('env', 'MAS_APP_SETTINGS_VISUALINSPECTION_OBJECT_STORAGE_ENABLED') | default('false', true) | bool }}" +mas_app_settings_visualinspection_object_storage_bucket_name_default: "mvi-bucket-{{ mas_instance_id }}-{{ mas_workspace_id }}" +mas_app_settings_visualinspection_object_storage_workspace: "{{ lookup('env', 'MAS_APP_SETTINGS_VISUALINSPECTION_OBJECT_STORAGE_WORKSPACE') | default(mas_app_settings_visualinspection_object_storage_bucket_name_default, true) | bool }}" # Additional IoT Settings mas_app_settings_iot_deployment_size: "{{ lookup('env', 'MAS_APP_SETTINGS_IOT_DEPLOYMENT_SIZE') | default('small', true) }}" diff --git a/ibm/mas_devops/roles/suite_app_install/tasks/iot.yml b/ibm/mas_devops/roles/suite_app_install/tasks/iot.yml index d21c1dd52..bb279f561 100644 --- a/ibm/mas_devops/roles/suite_app_install/tasks/iot.yml +++ b/ibm/mas_devops/roles/suite_app_install/tasks/iot.yml 
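Review bot: `mas_app_settings_visualinspection_object_storage_workspace` ends with `| bool`, so the bucket name is converted to a boolean and a name such as the `mvi-bucket-...` default becomes `False`. The `{% if %}` in customspecs/visualinspection.yml.j2 then never emits the object storage settings, or emits `True` as the bucket name when the environment variable holds a truthy string. Dropping the filter leaves `... | default(mas_app_settings_visualinspection_object_storage_bucket_name_default, true) }}`. Only the `_enabled` line above should keep `| bool`.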
@@ -61,7 +61,7 @@ msg: - "IoT Deployment Size ............... {{ mas_app_settings_iot_deployment_size }}" - "IoT FPL PVC Storage Class ......... {{ mas_app_settings_iot_fpl_pvc_storage_class }}" - - "IoT FPL PVC Router Size ........... {{ mas_app_settings_iot_fpl_router_pvc_size }} " - - "IoT FPL PVC Executor Size ......... {{ mas_app_settings_iot_fpl_executor_pvc_size }} " + - "IoT FPL PVC Router Size ........... {{ mas_app_settings_iot_fpl_router_pvc_size }}" + - "IoT FPL PVC Executor Size ......... {{ mas_app_settings_iot_fpl_executor_pvc_size }}" - "IoT MQTT Broker PVC Storage Class . {{ mas_app_settings_iot_mqttbroker_pvc_storage_class }}" - "IoT MQTT Broker PVC Size .......... {{ mas_app_settings_iot_mqttbroker_pvc_size }}" diff --git a/ibm/mas_devops/roles/suite_app_install/tasks/visualinspection.yml b/ibm/mas_devops/roles/suite_app_install/tasks/visualinspection.yml index 085b75b78..c7d9b01d6 100644 --- a/ibm/mas_devops/roles/suite_app_install/tasks/visualinspection.yml +++ b/ibm/mas_devops/roles/suite_app_install/tasks/visualinspection.yml @@ -1,5 +1,4 @@ --- - # Provide intelligent storage class selection to minimize required user knowledge # 1. Lookup storage class availabiity @@ -17,7 +16,6 @@ debug: msg: "{{ lookup_storageclasses | ibm.mas_devops.getResourceNames }}" - # 2. Set Storage (Required) # ----------------------------------------------------------------------------- - name: Default Storage if not set by user 
@@ -30,6 +28,13 @@ that: mas_app_settings_visualinspection_storage_class is defined and mas_app_settings_visualinspection_storage_class != "" fail_msg: "mas_app_settings_visualinspection_storage_class must be defined" +- name: Enable Object Storage integration + set_fact: + mas_app_spec: "{{ lookup('ansible.builtin.template', 'vars/customspecs/{{ mas_app_id }}.yml.j2') | from_yaml }}" + when: + - mas_app_spec is not defined + - mas_app_settings_visualinspection_object_storage_enabled + # 3. Debug storage class configuration # ----------------------------------------------------------------------------- - name: "Debug visualinspection storage class configuration" diff --git a/ibm/mas_devops/roles/suite_app_install/vars/customspecs/visualinspection.yml.j2 b/ibm/mas_devops/roles/suite_app_install/vars/customspecs/visualinspection.yml.j2 new file mode 100644 index 000000000..6cb1ba397 --- /dev/null +++ b/ibm/mas_devops/roles/suite_app_install/vars/customspecs/visualinspection.yml.j2 @@ -0,0 +1,10 @@ + +settings: + storage: + size: "{{ mas_app_settings_visualinspection_storage_size }}" + storageClassName: "{{ mas_app_settings_visualinspection_storage_class }}" +{% if mas_app_settings_visualinspection_object_storage_enabled and mas_app_settings_visualinspection_object_storage_workspace %} + objectStorageEnabled: {{ mas_app_settings_visualinspection_object_storage_enabled }} + objectStorageBucketNames: + "{{ mas_workspace_id }}": "{{ mas_app_settings_visualinspection_object_storage_workspace }}" +{% endif %} diff --git a/ibm/mas_devops/roles/suite_certs/defaults/main.yml b/ibm/mas_devops/roles/suite_certs/defaults/main.yml index 776712fbe..f454b3982 100644 --- a/ibm/mas_devops/roles/suite_certs/defaults/main.yml +++ b/ibm/mas_devops/roles/suite_certs/defaults/main.yml 
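Review bot: The lookup path in "Enable Object Storage integration" nests `{{ mas_app_id }}` inside an expression that is already within `{{ }}`, which only works if the lookup term is templated a second time; that behaviour is not dependable across ansible-core versions. Concatenation avoids it: `lookup('ansible.builtin.template', 'vars/customspecs/' ~ mas_app_id ~ '.yml.j2') | from_yaml`. The task would also benefit from a comment stating that `when: mas_app_spec is not defined` means a user-supplied `mas_app_spec` wins and object storage is then not enabled by this role.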
@@ -2,14 +2,14 @@ mas_instance_id: "{{ lookup('env', 'MAS_INSTANCE_ID') }}" mas_config_dir: "{{ lookup('env', 'MAS_CONFIG_DIR') }}" mas_suite_certs_dir: "{{ mas_config_dir }}/certs" -mas_manual_cert_mgmt: "{{ lookup('env', 'MAS_MANUAL_CERT_MGMT') | default(False, true) }}" +mas_manual_cert_mgmt: "{{ lookup('env', 'MAS_MANUAL_CERT_MGMT') | default(False, true) | bool }}" # Optional parameters when using CIS as DNS Provider dns_provider: "{{ lookup('env', 'DNS_PROVIDER') }}" # optional - works only if DNS provider is CIS cis_crn: "{{ lookup('env', 'CIS_CRN') }}" cis_apikey: "{{ lookup('env', 'CIS_APIKEY') }}" cis_subdomain: "{{ lookup('env', 'CIS_SUBDOMAIN') }}" -cis_proxy: "{{ lookup('env', 'CIS_PROXY') | default('False', true) }}" +cis_proxy: "{{ lookup('env', 'CIS_PROXY') | default('False', true) | bool }}" mas_workspace_id: "{{ lookup('env', 'MAS_WORKSPACE_ID') }}" # All the TLS secret names across the suite. Currently there's no common naming convention we can use. diff --git a/ibm/mas_devops/roles/suite_db2_setup_for_manage/tasks/apply-db2-config-settings.yml b/ibm/mas_devops/roles/suite_db2_setup_for_manage/tasks/apply-db2-config-settings.yml index 8e2762f9b..a58f723e4 100644 --- a/ibm/mas_devops/roles/suite_db2_setup_for_manage/tasks/apply-db2-config-settings.yml +++ b/ibm/mas_devops/roles/suite_db2_setup_for_manage/tasks/apply-db2-config-settings.yml @@ -28,7 +28,7 @@ minutes: 1 - name: Run script to make changes take effect - shell: oc exec -n {{db2_namespace}} {{db2_pod_name}} -- su -lc '/db2u/scripts/apply-db2cfg-settings.sh | tee /tmp/apply-db2cfg-settings.log' db2inst1 + shell: oc exec -n {{db2_namespace}} {{db2_pod_name}} -- su -lc '/db2u/scripts/apply-db2cfg-settings.sh --setting all | tee /tmp/apply-db2cfg-settings.log' db2inst1 register: prepare_cmds_status - fail: msg="Failed to execute the script /db2u/scripts/apply-db2cfg-settings.sh on DB2 instance" 
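Review bot: In "Run script to make changes take effect" the script is piped into `tee` inside `su -lc '...'`, so the return code registered in `prepare_cmds_status` is that of `tee`, not of `apply-db2cfg-settings.sh`. If the following `fail` task keys on `rc` (its condition is outside this hunk), a failing script would pass unnoticed. Assuming the login shell of `db2inst1` is bash, `su -lc 'set -o pipefail; /db2u/scripts/apply-db2cfg-settings.sh --setting all | tee /tmp/apply-db2cfg-settings.log' db2inst1` propagates the script's status. The same command appears in the next hunk of this file.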
@@ -38,7 +38,7 @@ # Run script twice for DB2 standalone - name: Check DB2 cfg is take effect shell: | - oc exec -n {{db2_namespace}} {{db2_pod_name}} -- su -lc '/db2u/scripts/apply-db2cfg-settings.sh | tee /tmp/apply-db2cfg-settings.log' db2inst1 + oc exec -n {{db2_namespace}} {{db2_pod_name}} -- su -lc '/db2u/scripts/apply-db2cfg-settings.sh --setting all | tee /tmp/apply-db2cfg-settings.log' db2inst1 oc exec -n {{db2_namespace}} {{db2_pod_name}} -- su -lc 'db2 get db cfg for {{ db2_dbname }} | grep "(CHNGPGS_THRESH) = 40"' db2inst1 register: check_cmds_status until: check_cmds_status.rc == 0 diff --git a/ibm/mas_devops/roles/suite_dns/defaults/main.yaml b/ibm/mas_devops/roles/suite_dns/defaults/main.yaml index 5dad37836..1de4275e3 100644 --- a/ibm/mas_devops/roles/suite_dns/defaults/main.yaml +++ b/ibm/mas_devops/roles/suite_dns/defaults/main.yaml @@ -10,8 +10,9 @@ mas_manual_cert_mgmt: "{{ lookup('env', 'MAS_MANUAL_CERT_MGMT')| default(False, # Certificate Manager # ----------------------------------------------------------------------------- -cert_manager_namespace: ibm-common-services -cert_manager_service_account: ibm-cert-manager-controller +# If IBM Certificate Manager is installed then 'cert_manager_service_account' must be 'ibm-cert-manager-controller' +# If Red Hat Certificate Manager is installed then 'cert_manager_service_account' must be 'cert-manager' +cert_manager_service_account: "{{ 'ibm-cert-manager-controller' if (cert_manager_namespace == 'ibm-common-services') else 'cert-manager' }}" # MAS Domain # ----------------------------------------------------------------------------- diff --git a/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_webhook.yml b/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_webhook.yml index 5ad1c5228..f0013db6b 100644 --- a/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_webhook.yml +++ b/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_webhook.yml 
@@ -1,7 +1,7 @@ --- # 1. Deploy the CIS Webhook # ============================================================================= -- name: "cis : Create service account and permissions for CIS webhook" +- name: "cis : Create service account {{ cert_manager_service_account }} and permissions for CIS webhook" kubernetes.core.k8s: namespace: "{{ cert_manager_namespace }}" state: present diff --git a/ibm/mas_devops/roles/suite_dns/tasks/providers/route53/create-cnames.yml b/ibm/mas_devops/roles/suite_dns/tasks/providers/route53/create-cnames.yml index da1056bdf..c294f1972 100644 --- a/ibm/mas_devops/roles/suite_dns/tasks/providers/route53/create-cnames.yml +++ b/ibm/mas_devops/roles/suite_dns/tasks/providers/route53/create-cnames.yml 
@@ -20,21 +20,31 @@ route53_lb_dnsname_output: "{{ aws_hosted_zone_loadbalancer_output.stdout }}" - set_fact: - route53_lb_dnsname: "{{ route53_lb_dnsname_output | first }}" + route53_lb_dnsname: "{{ route53_lb_dnsname_output | first | regex_search('^.*(?=.$)') }}" # removes a dot at the end that aws cli command adds + +- name: "aws-route53 : Lookup Load Balancer's zone id" # this finds the load balancer host id based on the load balancer dns name + shell: | + aws elb describe-load-balancers | + jq --arg name {{ route53_lb_dnsname }} \ + -r '.LoadBalancerDescriptions | .[] | select(.CanonicalHostedZoneName=="\($name)") | .CanonicalHostedZoneNameID' + register: aws_hosted_zone_id_loadbalancer_output + +- set_fact: + route53_lb_zone_id: "{{ aws_hosted_zone_id_loadbalancer_output.stdout }}" - name: "Assert Load Balancer DNS Name for cluster {{ cluster_ingress }} exists" assert: that: route53_lb_dnsname is defined and route53_lb_dnsname != "" fail_msg: "There is no Load Balancer DNS Name found for {{ cluster_ingress }}. Verify your AWS Route53 hosted zone '{{ route53_hosted_zone_name }}' and ensure there's an 'A type' entry for your cluster and a corresponding load balancer associated to it." 
-- name: "aws-route53 : Generate CNAME json file for {{ route53_lb_dnsname }}" +- name: "aws-route53 : Generate CNAME json file in: {{ route53_cname_json_file_path_local }}/{{ mas_instance_id }}-{{ route53_hosted_zone_name }}-cnames.json" ansible.builtin.template: src: "{{ route53_cname_json_file_path_local }}/create-cnames.json.j2" dest: "{{ route53_cname_json_file_path_local }}/{{ mas_instance_id }}-{{ route53_hosted_zone_name }}-cnames.json" - mode: '664' + mode: "664" - name: "aws-route53 : Create CNAME records pointing to {{ route53_lb_dnsname }}" shell: | aws route53 change-resource-record-sets --hosted-zone-id {{ route53_hosted_zone_id }} --change-batch file://{{ route53_cname_json_file_path_local }}/{{ mas_instance_id }}-{{ route53_hosted_zone_name }}-cnames.json register: aws_hosted_zone_loadbalancer_output - failed_when: aws_hosted_zone_loadbalancer_output.rc > 0 and ('it already exists' not in aws_hosted_zone_loadbalancer_output.stderr ) + failed_when: aws_hosted_zone_loadbalancer_output.rc > 0 and ('it already exists' in aws_hosted_zone_loadbalancer_output.stderr ) diff --git a/ibm/mas_devops/roles/suite_dns/tasks/providers/route53/main.yml b/ibm/mas_devops/roles/suite_dns/tasks/providers/route53/main.yml index 57f48c149..6e41850c1 100644 --- a/ibm/mas_devops/roles/suite_dns/tasks/providers/route53/main.yml +++ b/ibm/mas_devops/roles/suite_dns/tasks/providers/route53/main.yml 
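Review bot: The `failed_when` on "Create CNAME records" now tests `'it already exists' in ...stderr`, so the task fails only for the already-exists case and every other non-zero exit from `aws route53 change-resource-record-sets` (denied access, malformed change batch) is reported as success. If the intent is to tolerate existing records the previous `not in` form was the right one, and if the intent is to fail on any error `failed_when: aws_hosted_zone_loadbalancer_output.rc > 0` is enough. In the same hunk, `regex_search('^.*(?=.$)')` drops whatever the last character is because the `.` is unescaped; `regex_replace('\\.$', '')` removes only a trailing dot. `{{ route53_lb_dnsname }}` is also passed unquoted to `jq --arg` in the new shell task and would be safer as `{{ route53_lb_dnsname | quote }}`.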
@@ -71,11 +71,3 @@ namespace: "ibm-common-services" state: present template: templates/route53/clusterissuer.yml.j2 - -# 7. Change cert-manager deployment to include dns01-recursive parameters -# ----------------------------------------------------------------------------- -# This step does not seem to be strictly necessary, thus will not be automated right now, but in some cases, there's a workaround that needs to be done in cert-manager-controller -# https://community.ibm.com/community/user/asset-facilities/blogs/brian-zhu/2022/10/08/using-lets-encrypt-ssl-certificates-with-maximo-ap?CommunityKey=3d7261ae-48f7-481d-b675-a40eb407e0fd -# Add the following parameters in args property for cert-manager-controller deployment: -# - '--dns01-recursive-nameservers-only' -# - '--dns01-recursive-nameservers=8.8.8.8:53' diff --git a/ibm/mas_devops/roles/suite_dns/tasks/run.yml b/ibm/mas_devops/roles/suite_dns/tasks/run.yml index 2ca2c13f2..bf15c80dc 100644 --- a/ibm/mas_devops/roles/suite_dns/tasks/run.yml +++ b/ibm/mas_devops/roles/suite_dns/tasks/run.yml 
@@ -1,22 +1,11 @@ --- # 1. Check cert-manager installation # ----------------------------------------------------------------------------- -- name: Lookup ibm cert manager installation - kubernetes.core.k8s_info: - api_version: apps/v1 - name: cert-manager-controller - namespace: ibm-common-services - kind: Deployment - register: _cert_manager_deployed - # Ensure cert manager is installed prior continuing as this role will install # v1alpha1.acme.cis.ibm.com apiservice which requires cert manager to be running -- name: Assert that ibm cert manager is installed - assert: - that: - - _cert_manager_deployed.resources is defined - - _cert_manager_deployed.resources | length > 0 - fail_msg: "Failed! IBM Certificate Manager is not installed in your cluster! Run `cert_manager` role to have it installed prior running `suite_dns` role." +- name: Detect Certificate Manager installation + include_tasks: "{{ role_path }}/../../common_tasks/detect_cert_manager.yml" + when: cert_manager_namespace is not defined or cert_manager_namespace | length == 0 # 2. Run provider task # ----------------------------------------------------------------------------- diff --git a/ibm/mas_devops/roles/suite_dns/templates/cis/webhook/apiservice.yml.j2 b/ibm/mas_devops/roles/suite_dns/templates/cis/webhook/apiservice.yml.j2 index 7f404b7ab..2fdaab0fe 100644 --- a/ibm/mas_devops/roles/suite_dns/templates/cis/webhook/apiservice.yml.j2 +++ b/ibm/mas_devops/roles/suite_dns/templates/cis/webhook/apiservice.yml.j2 @@ -3,7 +3,7 @@ apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: name: "v1alpha1.{{ cis_apiservice.group_name }}" - namespace: "{{cert_manager_namespace }}" + namespace: "{{ cert_manager_namespace }}" labels: app: "cert-manager-webhook-ibm-cis" {% if custom_labels is defined and custom_labels.items() %} 
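Review bot: With the explicit lookup and assert removed, the cert-manager check in run.yml only runs when `cert_manager_namespace` is unset or empty; when a caller supplies the namespace, nothing in this hunk verifies that a cert-manager deployment exists there before the CIS webhook and apiservice are created. The retained comment still says cert-manager must be confirmed as installed before continuing. Whether `common_tasks/detect_cert_manager.yml` asserts presence is not visible here; if it does, including it unconditionally and letting it honour a preset namespace would keep the guarantee. At minimum the comment should state that a user-provided `cert_manager_namespace` is trusted as-is.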
diff --git a/ibm/mas_devops/roles/suite_dns/templates/route53/create-cnames.json.j2 b/ibm/mas_devops/roles/suite_dns/templates/route53/create-cnames.json.j2 index 2da3bd6f2..5499c3055 100644 --- a/ibm/mas_devops/roles/suite_dns/templates/route53/create-cnames.json.j2 +++ b/ibm/mas_devops/roles/suite_dns/templates/route53/create-cnames.json.j2 @@ -21,6 +21,18 @@ "Value": "{{ route53_lb_dnsname }}" }] } + }, + { + "Action": "CREATE", + "ResourceRecordSet": { + "Name": "{{ cluster_ingress }}", + "Type": "A", + "AliasTarget": { + "HostedZoneId": "{{ route53_lb_zone_id }}", + "DNSName": "{{ route53_lb_dnsname }}", + "EvaluateTargetHealth": false + } + } } ] } diff --git a/ibm/mas_devops/roles/suite_install/README.md b/ibm/mas_devops/roles/suite_install/README.md index bac9dc552..f5479ae4b 100644 --- a/ibm/mas_devops/roles/suite_install/README.md +++ b/ibm/mas_devops/roles/suite_install/README.md @@ -1,7 +1,6 @@ suite_install =============================================================================== - -This role install Maximo Application Suite. It internally resolve the namespace based on the `mas_instance_id` as `mas-{mas_instance_id}-core`. By default this role install MAS Operator using Manual Upgrade Strategy. Set `MAS_UPGRADE_STRATEGY` environment variable to Automatic to override it. In the `Manual` upgrade mode, IBM Common Services operators requested by MAS will inherit the upgrade strategy from MAS and their pending install plans approved. +This role install Maximo Application Suite. It internally resolve the namespace based on the `mas_instance_id` as `mas-{mas_instance_id}-core`. Role Variables 
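Review bot: The added alias record uses `"Action": "CREATE"` for `{{ cluster_ingress }}`, while the assert message in create-cnames.yml expects an 'A type' entry for the cluster to be present in the hosted zone already. Route 53 applies a change batch as a unit, so a CREATE for a record that exists would reject the whole batch, including the CNAME changes, and a second run of the role would hit the same error. `"Action": "UPSERT"` would make the change repeatable. The actions used by the other entries are outside this hunk, so they should be checked for the same.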
@@ -42,9 +41,6 @@ Directory containing configuration files (`*.yaml` and `*.yml`) to be applied to ### certManager.namespace The namespace containing the cert-manager to be used by MAS -### mas_upgrade_strategy -The Upgrade strategy for MAS Operator. Default is set to Automatic - ### mas_annotations Provide a list of comma-separated key=value pairs which will be applied as labels on all resources created. This variable takes a comma separated list of annotations. For example, to deploy your suite in non production mode, set this to `mas.ibm.com/operationalMode=nonproduction` or set `MAS_ANNOTATIONS` environment variable as `export MAS_ANNOTATIONS=mas.ibm.com/operationalMode=nonproduction` diff --git a/ibm/mas_devops/roles/suite_install/defaults/main.yml b/ibm/mas_devops/roles/suite_install/defaults/main.yml index 693e7f178..6c2f76847 100644 --- a/ibm/mas_devops/roles/suite_install/defaults/main.yml +++ b/ibm/mas_devops/roles/suite_install/defaults/main.yml @@ -18,6 +18,13 @@ mas_manual_cert_mgmt: "{{ lookup('env', 'MAS_MANUAL_CERT_MGMT') | default(False, mas_trust_default_cas: "{{ lookup('env', 'MAS_TRUST_DEFAULT_CAS') }}" +# Cert Manager will be configured to lookup for cluster issuer's secrets +# into the Cluster Resource Namespace, which will be 'ibm-common-services' namespace +# even though we're installing now Certificate Manager into 'cert-manager' namespace +# This is to avoid migration issues while moving from IBM Cert Manager to Red Hat Cert Manager +# https://cert-manager.io/docs/configuration/ +# cert_manager_cluster_resource_namespace: ibm-common-services + # Source container registry # ----------------------------------------------------------------------------- mas_icr_cp: "{{ lookup('env', 'MAS_ICR_CP') | default('cp.icr.io/cp', true) }}" 
@@ -34,20 +41,6 @@ mas_entitlement_key: "{{ lookup('env', 'MAS_ENTITLEMENT_KEY') | default(ibm_enti mas_add_catalog: "{{ lookup('env', 'MAS_ADD_CATALOG') | default('ibm-operator-catalog', true) }}" mas_add_channel: "{{ lookup('env', 'MAS_ADD_CHANNEL') }}" -# Manual upgrade support -# ----------------------------------------------------------------------------- -# Following variables are used when MAS Operator upgrade is set to Manual. -# it contains the ibm-common-services namespace and the list of labels from -# the Subcriptions created by MAS installation. -mas_upgrade_strategy: "{{ lookup('env', 'MAS_UPGRADE_STRATEGY') | default('Automatic', true) }}" - -ibm_common_services_namespace: ibm-common-services -ibm_common_services_subscription_labels: - - ibm-common-service-operator.ibm-common-services - - ibm-namespace-scope-operator.ibm-common-services - - ibm-odlm.ibm-common-services - - ibm-licensing-operator-app.ibm-common-services - # MAS Annotation block # ----------------------------------------------------------------------------- mas_annotations: "{{ lookup('env', 'MAS_ANNOTATIONS') | default(None, true) }}" diff --git a/ibm/mas_devops/roles/suite_install/tasks/detect-cert-manager.yml b/ibm/mas_devops/roles/suite_install/tasks/detect-cert-manager.yml deleted file mode 100644 index 8ad59d69e..000000000 --- a/ibm/mas_devops/roles/suite_install/tasks/detect-cert-manager.yml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -# 1. Check if cert-manager is installed -# ----------------------------------------------------------------------------- -- name: Check if cert-manager is installed - when: certManager is not defined or certManager.namespace is not defined - kubernetes.core.k8s_info: - api_version: v1 - name: cert-manager - namespace: "cert-manager" - kind: Deployment - register: jetstack_cert_manager_lookup - - -# 2. Choose the version of cert-manager to use -# ----------------------------------------------------------------------------- -# If jetstack cert-manager is available use it, otherwise assume IBM -# cert-manager will be used (ibm-common-services). -- name: Use JetStack cert-manager - when: - - certManager is not defined or certManager.namespace is not defined - - jetstack_cert_manager_lookup.resources is defined - - jetstack_cert_manager_lookup.resources | length == 1 - set_fact: - certManager: - namespace: cert-manager - -- name: Use IBM cert-manager - when: certManager is not defined or certManager.namespace is not defined - set_fact: - certManager: - namespace: ibm-common-services - -- debug: - msg: - - "Cert-manager namespace: {{ certManager.namespace }}" diff --git a/ibm/mas_devops/roles/suite_install/tasks/ibm-common-services.yml b/ibm/mas_devops/roles/suite_install/tasks/ibm-common-services.yml deleted file mode 100644 index bc7bd9b00..000000000 --- a/ibm/mas_devops/roles/suite_install/tasks/ibm-common-services.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -# 1. Lookup Common Services Operator Install Plans and approve -# ---------------------------------------------------------------------------- -- name: Debug Operator name - debug: - msg: "{{item}}" - -- name: "Verify if ibm operator is already installed" - kubernetes.core.k8s_info: - api_version: operators.coreos.com/v1alpha1 - kind: Subscription - namespace: "{{ ibm_common_services_namespace }}" - label_selectors: - - "operators.coreos.com/{{item}}" - register: _item_subscription - -- name: Lookup and Approve IBM Common Services operators - block: - - name: "Lookup and wait for Operator subscription to exist" - kubernetes.core.k8s_info: - api_version: operators.coreos.com/v1alpha1 - kind: Subscription - namespace: "{{ ibm_common_services_namespace }}" - label_selectors: - - "operators.coreos.com/{{item}}" - register: _item_subscription_result - retries: 20 - delay: 60 # Retry for approx 20 minutes (60s * 20 attempts) before giving up - until: _item_subscription_result.resources | length > 0 - - - name: Lookup Operator install plan - kubernetes.core.k8s_info: - api_version: operators.coreos.com/v1alpha1 - kind: InstallPlan - namespace: "{{ ibm_common_services_namespace }}" - label_selectors: - - "operators.coreos.com/{{item}}" - register: item_install_plan - retries: 20 - delay: 60 # Retry for approx 20 minutes (60s * 20 attempts) before giving up - until: item_install_plan.resources | length > 0 - when: - - _item_subscription_result.resources | length > 0 - - _item_subscription_result.resources[0].status is defined - - _item_subscription_result.resources[0].status.state != "AtLatestKnown" - - - name: Approve the subscription install plan - when: - - _item_subscription_result.resources[0].status.state != "AtLatestKnown" - - _item_subscription_result.resources[0].status is defined - - item_install_plan.resources | length > 0 - - item_install_plan.resources[0].status is defined - - item_install_plan.resources[0].status.phase != "Complete" - 
kubernetes.core.k8s: - definition: - apiVersion: operators.coreos.com/v1alpha1 - kind: InstallPlan - metadata: - name: "{{ item_install_plan.resources[0].metadata.name }}" - namespace: "{{ ibm_common_services_namespace }}" - spec: - approved: true - when: - - (_item_subscription.resources | length == 0 or _item_subscription.resources[0].status.state == 'UpgradePending') diff --git a/ibm/mas_devops/roles/suite_install/tasks/main.yml b/ibm/mas_devops/roles/suite_install/tasks/main.yml index c6596e8b9..4ba73d8a6 100644 --- a/ibm/mas_devops/roles/suite_install/tasks/main.yml +++ b/ibm/mas_devops/roles/suite_install/tasks/main.yml @@ -140,7 +140,9 @@ # 4. Determine version of cert-manager in use on the cluster # ----------------------------------------------------------------------------- -- include_tasks: tasks/detect-cert-manager.yml +- name: Detect Certificate Manager installation + include_tasks: "{{ role_path }}/../../common_tasks/detect_cert_manager.yml" + when: cert_manager_cluster_resource_namespace is not defined or cert_manager_cluster_resource_namespace != '' # 5. Provide debug information # ----------------------------------------------------------------------------- @@ -158,8 +160,8 @@ - "MAS domain .................... {{ mas_domain }}" - "MAS ICR cp content ............ {{ mas_icr_cp }}" - "MAS ICR cpopen content ........ {{ mas_icr_cpopen }}" + - "Cert Manager namespace ........ {{ cert_manager_cluster_resource_namespace }}" - "MAS Cluster Issuer ............ {{ mas_cluster_issuer }}" - - "MAS Subscription Upgrade ...... {{ mas_upgrade_strategy }}" - "IPv6 Enabled .................. {{ enable_ipv6 }}" # 6. Install the operator & create entitlement secret 
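Review bot: The `when:` on the new `include_tasks` in `suite_install/tasks/main.yml` looks inverted. `cert_manager_cluster_resource_namespace != ''` runs detection when the caller has already supplied a namespace and skips it when the value is an empty string. The `suite_dns` role in this same patch guards the same include with `| length == 0`, and here an empty value would flow into `certManagerNamespace` in `core_v1_suite.yml.j2` and into the debug line added in the next hunk. Suggested condition: `when: cert_manager_cluster_resource_namespace is not defined or cert_manager_cluster_resource_namespace | length == 0`. Which fact `detect_cert_manager.yml` sets is not visible here, so confirm it populates `cert_manager_cluster_resource_namespace`, given that the default in `defaults/main.yml` is left commented out.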
@@ -175,35 +177,6 @@ operator_group: "{{ lookup('template', 'templates/operator-group.yml.j2') }}" subscription: "{{ lookup('template', 'templates/subscription.yml.j2') }}" -- name: Lookup and Approve MAS Subscription - when: mas_upgrade_strategy == 'Manual' - block: - - name: Lookup Operator install plan - kubernetes.core.k8s_info: - api_version: operators.coreos.com/v1alpha1 - kind: InstallPlan - namespace: "{{ mas_namespace }}" - label_selectors: - - "operators.coreos.com/ibm-mas.{{ mas_namespace }}" - register: mas_install_plan - retries: 20 - delay: 60 # Retry for approx 20 minutes (60s * 20 attempts) before giving up - until: mas_install_plan.resources | length > 0 - - - name: Approve the subscription install plan - when: - - mas_install_plan.resources | length > 0 - - mas_install_plan.resources[0].status.phase != "Complete" - kubernetes.core.k8s: - definition: - apiVersion: operators.coreos.com/v1alpha1 - kind: InstallPlan - metadata: - name: "{{ mas_install_plan.resources[0].metadata.name }}" - namespace: "{{ mas_namespace }}" - spec: - approved: true - # 7. Wait until the Suite CRD is available # ----------------------------------------------------------------------------- - name: "Wait until the Suite CRD is available" @@ -249,12 +222,3 @@ - name: debug suiteResult debug: msg: "{{ suiteResult }}" - -# 10. Handle IBM Common Services Install plan approvals when upgrade strategy is set to Manual -# ----------------------------------------------------------------------------- -# ibm-common-services operators deployed by MAS will inherit the inherit MAS upgrade strategy -# when its set to Manual, we need to iterate those to ensure we do approve the first install plan -# otherwise MAS installation wont succeed. -- include_tasks: tasks/ibm-common-services.yml - when: mas_upgrade_strategy == 'Manual' - loop: "{{ibm_common_services_subscription_labels}}" 
diff --git a/ibm/mas_devops/roles/suite_install/templates/core_v1_suite.yml.j2 b/ibm/mas_devops/roles/suite_install/templates/core_v1_suite.yml.j2 index c31862f68..022f71d2a 100644 --- a/ibm/mas_devops/roles/suite_install/templates/core_v1_suite.yml.j2 +++ b/ibm/mas_devops/roles/suite_install/templates/core_v1_suite.yml.j2 @@ -17,7 +17,7 @@ metadata: {% endfor %} {% endif %} spec: - certManagerNamespace: "{{ certManager.namespace }}" + certManagerNamespace: "{{ cert_manager_cluster_resource_namespace }}" {% if mas_cluster_issuer is defined and mas_cluster_issuer != '' %} certificateIssuer: name: "{{ mas_cluster_issuer }}" diff --git a/ibm/mas_devops/roles/suite_install/templates/subscription.yml.j2 b/ibm/mas_devops/roles/suite_install/templates/subscription.yml.j2 index cce736267..d6274123f 100644 --- a/ibm/mas_devops/roles/suite_install/templates/subscription.yml.j2 +++ b/ibm/mas_devops/roles/suite_install/templates/subscription.yml.j2 @@ -12,7 +12,7 @@ metadata: {% endif %} spec: channel: "{{ mas_channel }}" - installPlanApproval: "{{ mas_upgrade_strategy }}" + installPlanApproval: Automatic name: ibm-mas source: "{{ mas_catalog_source }}" sourceNamespace: openshift-marketplace diff --git a/ibm/mas_devops/roles/uds/README.md b/ibm/mas_devops/roles/uds/README.md index 3314ecfd5..5767104ec 100644 --- a/ibm/mas_devops/roles/uds/README.md +++ b/ibm/mas_devops/roles/uds/README.md @@ -127,6 +127,13 @@ For examples refer to the [BestEfforts reference configuration in the MAS CLI](h - Environment Variable: `MAS_POD_TEMPLATES_DIR` - Default: None +### include_cluster_ingress_cert_chain +Optional. When set to `True`, includes the complete certificates chain in the generated MAS configuration, when a trusted certificate authority is found in your cluster's ingress. + +- Optional +- Environment Variable: `INCLUDE_CLUSTER_INGRESS_CERT_CHAIN` +- Default: `False` + Example Playbook ------------------------------------------------------------------------------- 
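Review bot: `installPlanApproval: Automatic` in `subscription.yml.j2` is now an unexplained literal, so an environment that still exports `MAS_UPGRADE_STRATEGY=Manual` is silently ignored. Operator updates published to the subscribed channel are then installed without an approval step. The README hunk in this patch removes the old wording but does not state the new behaviour. Add a template comment such as `{# installPlanApproval is fixed to Automatic; MAS_UPGRADE_STRATEGY is no longer read #}` and a README sentence saying that upgrades are controlled only through `mas_channel` and `mas_catalog_source`.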
diff --git a/ibm/mas_devops/roles/uds/defaults/main.yml b/ibm/mas_devops/roles/uds/defaults/main.yml index ad22336f5..644021ebc 100644 --- a/ibm/mas_devops/roles/uds/defaults/main.yml +++ b/ibm/mas_devops/roles/uds/defaults/main.yml @@ -26,6 +26,7 @@ cluster_name: "{{ lookup('env', 'CLUSTER_NAME')}}" uds_endpoint_url: "{{ lookup('env', 'UDS_ENDPOINT_URL') }}" uds_tls_crt: "{{ lookup('env', 'UDS_TLS_CERT') }}" uds_tls_crt_local_file_path: "{{ lookup('env', 'UDS_TLS_CERT_LOCAL_FILE_PATH') }}" +uds_include_isrg_root_cert: "{{ lookup('env', 'UDS_INCLUDE_ISRG_ROOT_CERT') | default('true', true) | bool }}" # mainly needed for IBM Cloud hosted services uds_api_key: "{{ lookup('env', 'UDS_API_KEY') }}" # Custom Labels diff --git a/ibm/mas_devops/roles/uds/tasks/gencfg/main.yml b/ibm/mas_devops/roles/uds/tasks/gencfg/main.yml index 51e9b6ee6..2bd33c746 100644 --- a/ibm/mas_devops/roles/uds/tasks/gencfg/main.yml +++ b/ibm/mas_devops/roles/uds/tasks/gencfg/main.yml @@ -1,5 +1,4 @@ --- - # 1. Set uds_tls_crt # ----------------------------------------------------------------------------- - name: "gencfg : Set uds_tls_crt fact for BasCfg when using existing UDS" @@ -10,6 +9,12 @@ uds_tls_crt: "{{ lookup('file', uds_tls_crt_local_file_path) | regex_findall('(-----BEGIN .+?-----(?s).+?-----END .+?-----)', multiline=True, ignorecase=True) }}" no_log: true +# Load uds_certs template to dynamically set as many uds certificates as identified +- set_fact: + uds_certs: "{{ lookup('ansible.builtin.template', 'templates/bas-certs.yml.j2') }}" + when: + - uds_tls_crt is defined + - uds_tls_crt | length > 0 # 2. Check for required facts # ----------------------------------------------------------------------------- @@ -28,7 +33,6 @@ that: uds_tls_crt is defined and uds_tls_crt|length != 0 fail_msg: "uds_tls_crt property has not been set" - # 3. Provide Debug information # ----------------------------------------------------------------------------- - name: "gencfg : Debug information" 
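Review bot: `uds_include_isrg_root_cert` / `UDS_INCLUDE_ISRG_ROOT_CERT` is added to `uds/defaults/main.yml` without a matching README entry. The README hunk in this patch instead documents `include_cluster_ingress_cert_chain`, for which no default is visible here. This flag decides whether the embedded Let's Encrypt root is written into the `certificates` list of the generated BASCfg, so it should have a README entry giving the variable, its environment variable and the default of `true`. Confirm whether the README text was meant to describe this variable.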
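Review bot: The new `set_fact` for `uds_certs` in `gencfg/main.yml` has no `name:` and no `no_log: true`, unlike the task directly above it that builds `uds_tls_crt` from the same material. The pattern in that context line, `-----BEGIN .+?-----`, extracts every PEM block rather than only `CERTIFICATE` blocks. If `UDS_TLS_CERT_LOCAL_FILE_PATH` points at a combined bundle, a key block would be rendered into `uds_certs` and shown in task output. Suggested additions: `- name: "gencfg : Render uds_certs from uds_tls_crt"` and `no_log: true`. Narrowing the pattern to `BEGIN CERTIFICATE` / `END CERTIFICATE` is also worth considering, though that line is outside what this hunk changes.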
@@ -39,12 +43,11 @@ - "UDS Contact Last Name .............. {{ uds_contact.last_name | default('', True) }}" - "UDS Contact e-mail ................. {{ uds_contact.email | default('', True) }}" - # 4. Generate BASCfg for MAS # ----------------------------------------------------------------------------- - name: "gencfg : Copy BASCfg to filesystem" ansible.builtin.template: src: bascfg.yml.j2 dest: "{{ mas_config_dir }}/uds.yml" - mode: '664' + mode: "664" when: mas_instance_id is defined diff --git a/ibm/mas_devops/roles/uds/tasks/install/main.yml b/ibm/mas_devops/roles/uds/tasks/install/main.yml index b699e2cd2..1a97b3654 100644 --- a/ibm/mas_devops/roles/uds/tasks/install/main.yml +++ b/ibm/mas_devops/roles/uds/tasks/install/main.yml @@ -1,11 +1,9 @@ --- - # 1. Check for MAS ImageContentSourcePolicy # ----------------------------------------------------------------------------- - name: "Determine whether this is an airgap environment" include_tasks: "{{ role_path }}/../../common_tasks/detect_airgap.yml" - # 2. Load default storage class (if not provided by the user) # ----------------------------------------------------------------------------- - include_tasks: tasks/install/determine-storage-classes.yml @@ -24,7 +22,6 @@ - "UDS Contact Last Name .............. {{ uds_contact.last_name | default('', True) }}" - "UDS Contact e-mail ................. {{ uds_contact.email | default('', True) }}" - # 3. Load PodTemplates configuration # ----------------------------------------------------------------------------- - name: "Load podTemplates configuration" @@ -32,7 +29,6 @@ vars: config_files: ["ibm-mas-bascfg.yml"] - # 4. Install Crunchy Postgres Operator (Properly) # ----------------------------------------------------------------------------- # UDS installs the operator with a startingCSV set explicitly to 5.1.0 for some 
@@ -56,7 +52,7 @@ api_version: packages.operators.coreos.com/v1 kind: PackageManifest name: "crunchy-postgres-operator" - namespace: openshift-marketplace # Note: A namespace must be provided when calling packages.operators.coreos.com/v1 + namespace: openshift-marketplace # Note: A namespace must be provided when calling packages.operators.coreos.com/v1 register: postgres_manifest - name: Assert that PackageManifest exists @@ -79,7 +75,6 @@ wait: yes wait_timeout: 120 - # 5. Wait for Postgres Operator to be Ready # ----------------------------------------------------------------------------- - name: "Wait for Crunchy Postgres operator to be ready (60s delay)" @@ -93,7 +88,6 @@ retries: 90 # Approximately 10 minutes before we give up delay: 60 # 1 minute - # 6. Install UDS Operator # ----------------------------------------------------------------------------- - name: Install Foundation Services ibm-user-data-services operand request @@ -102,7 +96,6 @@ wait: yes wait_timeout: 120 - # 7. Wait for UDS Operator to be Ready # ----------------------------------------------------------------------------- - name: "Wait for Foundation Services ibm-user-data-services operator to be ready (60s delay)" @@ -116,7 +109,6 @@ retries: 90 # Approximately 10 minutes before we give up delay: 60 # 1 minute - # 8. Create UDS AnalyticsProxy # ----------------------------------------------------------------------------- - name: "Create UDS AnalyticsProxy" @@ -126,7 +118,6 @@ # Note that the AnalyticsProxy references a 'uds-images-pull-secret', but we do not create this. # For some reason it seems to work anyway. - # 9. Wait for the UDS AnalyticsProxy to be ready # ----------------------------------------------------------------------------- - name: "Wait for the AnalyticsProxy to be ready" 
@@ -144,14 +135,12 @@ retries: 30 # approx 1 hour (!!) before we give up waiting for status.phase to be Ready delay: 120 # 2 minutes - -# 10. Cretae the GenerateKey CR +# 10. Create the GenerateKey CR # ----------------------------------------------------------------------------- - name: "Create UDS Generate Key" kubernetes.core.k8s: definition: "{{ lookup('template', 'templates/foundation-services/generateKey.yaml') }}" - # 11. Wait for GenerateKey to be complete # ----------------------------------------------------------------------------- - name: "Wait for GenerateKey to be ready (60s delay)" @@ -169,7 +158,6 @@ retries: 30 # approx 30 minutes before we give up delay: 60 # 1 minute - # 12. MAS Config # ----------------------------------------------------------------------------- # Note that the MAS config resource still refers to UDS by its diff --git a/ibm/mas_devops/roles/uds/tasks/install/udscfg.yml b/ibm/mas_devops/roles/uds/tasks/install/udscfg.yml index 6252a12d0..91ed560fe 100644 --- a/ibm/mas_devops/roles/uds/tasks/install/udscfg.yml +++ b/ibm/mas_devops/roles/uds/tasks/install/udscfg.yml @@ -56,7 +56,7 @@ # Break up the certificate into an array - name: "udscfg : Set UDS cert variable" set_fact: - uds_tls_crt: "{{ cluster_ingress_tls_crt | regex_findall('(?s)(-----BEGIN .+?-----.+?-----END .+?-----)', multiline=True, ignorecase=True) }}" + uds_tls_crt: "{{ cluster_ingress_tls_crt }}" # 5. Debug # ----------------------------------------------------------------------------- diff --git a/ibm/mas_devops/roles/uds/tasks/main.yml b/ibm/mas_devops/roles/uds/tasks/main.yml index a2cb52529..3759de051 100644 --- a/ibm/mas_devops/roles/uds/tasks/main.yml +++ b/ibm/mas_devops/roles/uds/tasks/main.yml @@ -1,5 +1,4 @@ --- - # 1. Install UDS # ----------------------------------------------------------------------------- # If the user has provided uds_endpoint_url then it means they don't want to install 
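Review bot: In `udscfg.yml`, `uds_tls_crt` is now assigned the raw `cluster_ingress_tls_crt`, but the context comment above still reads "Break up the certificate into an array". The new `bas-certs.yml.j2` iterates it with `{% for crt in uds_tls_crt %}`. If `cluster_ingress_tls_crt` is a single PEM string at this point, a Jinja `for` walks it character by character and would emit one `partN` alias per character into the BASCfg. Its type is not visible in this hunk. If it is already a list, replace the comment with `# cluster_ingress_tls_crt is already a list of PEM blocks`; otherwise keep the `regex_findall(...)` split that the removed line performed.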
@@ -10,7 +9,6 @@ - uds_action in ["install", "install-suds", "uninstall", "uninstall-suds"] - uds_endpoint_url is not defined or uds_endpoint_url == "" - # 2. Generate the UDS configuration for MAS # ----------------------------------------------------------------------------- - include_tasks: tasks/gencfg/main.yml diff --git a/ibm/mas_devops/roles/uds/templates/bas-certs.yml.j2 b/ibm/mas_devops/roles/uds/templates/bas-certs.yml.j2 new file mode 100644 index 000000000..f38f55bd0 --- /dev/null +++ b/ibm/mas_devops/roles/uds/templates/bas-certs.yml.j2 @@ -0,0 +1,5 @@ +{% for crt in uds_tls_crt %} +- alias: "part{{ loop.index }}" + crt: | + {{ crt | indent(width=4, first=False) }} +{% endfor %} diff --git a/ibm/mas_devops/roles/uds/templates/bascfg.yml.j2 b/ibm/mas_devops/roles/uds/templates/bascfg.yml.j2 index ef1a9a867..33be2a5fb 100644 --- a/ibm/mas_devops/roles/uds/templates/bascfg.yml.j2 +++ b/ibm/mas_devops/roles/uds/templates/bascfg.yml.j2 @@ -40,16 +40,12 @@ spec: {% if mas_segment_key is defined and mas_segment_key != "" %} segmentKey: "{{ mas_segment_key }}" {% endif %} - certificates: - - alias: part1 - crt: | - {{ uds_tls_crt[0] | indent(8) }} -{% if uds_tls_crt | length > 1 %} - - alias: part2 - crt: | - {{ uds_tls_crt[1] | indent(8) }} -{% endif %} - - alias: isrg-root-x1 # default root certificate used by Let's Encrypt +{% if uds_certs is defined and uds_certs | length > 0 %} + certificates: + {{ uds_certs | indent(width=4, first=False) }} +{%- endif %} +{% if uds_certs is defined and uds_certs | length > 0 and uds_include_isrg_root_cert == true %} + - alias: isrgrootx1 # default root certificate used by Let's Encrypt crt: | -----BEGIN CERTIFICATE----- MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw 
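Review bot: The guard `uds_include_isrg_root_cert == true` in `bascfg.yml.j2` only passes for a real boolean. The role default is cast with `| bool`, but an override passed as a string, for example `-e uds_include_isrg_root_cert=true`, compares unequal and silently drops the ISRG root from the trust list. Using the filter at the point of use avoids that: `{% if uds_certs is defined and uds_certs | length > 0 and uds_include_isrg_root_cert | bool %}`. The alias also changes from `isrg-root-x1` to `isrgrootx1` with no explanation; a short template comment giving the reason would help anyone comparing existing BASCfg resources.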
@@ -82,6 +78,7 @@ spec: mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= -----END CERTIFICATE----- +{% endif %} {% if ibm_mas_bascfg_pod_templates is defined %} podTemplates: {{ ibm_mas_bascfg_pod_templates }} {% endif %} From 6f1a135f9c26a8da539f14ef2e2a67433ce6bf2d Mon Sep 17 00:00:00 2001 From: KAROL CZARNECKI Date: Tue, 16 Jan 2024 16:59:09 +0000 Subject: [PATCH 4/8] [patch] refactor mat settings to condition list --- ibm/mas_devops/roles/suite_app_config/defaults/main.yml | 2 +- ibm/mas_devops/roles/suite_app_config/tasks/main.yml | 6 ++++++ .../roles/suite_app_config/vars/defaultspecs/predict.yml | 5 +++-- ibm/mas_devops/roles/suite_app_config/vars/predict.yml | 7 +++++++ 4 files changed, 17 insertions(+), 3 deletions(-) diff --git a/ibm/mas_devops/roles/suite_app_config/defaults/main.yml b/ibm/mas_devops/roles/suite_app_config/defaults/main.yml index 3649a1c7a..c5732f466 100644 --- a/ibm/mas_devops/roles/suite_app_config/defaults/main.yml +++ b/ibm/mas_devops/roles/suite_app_config/defaults/main.yml @@ -36,4 +36,4 @@ cpd_wml_instance_id: "{{ lookup('env', 'CPD_WML_INSTANCE_ID') | default('openshi cpd_wml_url: "{{ lookup('env', 'CPD_WML_URL') | default('https://internal-nginx-svc.ibm-cpd.svc:12443', true) }}" # Watson OpenScale (Predict) -cpd_wos_datamart_id: "{{ lookup('env', 'CPD_WOS_DATAMART_ID') | default('', true) }}" +# cpd_wos_datamart_id: "{{ lookup('env', 'CPD_WOS_DATAMART_ID') | default('', true) }}" diff --git a/ibm/mas_devops/roles/suite_app_config/tasks/main.yml b/ibm/mas_devops/roles/suite_app_config/tasks/main.yml index cc6063515..42a6b0adc 100644 --- a/ibm/mas_devops/roles/suite_app_config/tasks/main.yml +++ b/ibm/mas_devops/roles/suite_app_config/tasks/main.yml 
@@ -19,6 +19,12 @@ - name: Load mas_app variables include_vars: "{{ role_path }}/../suite_app_install/vars/{{ mas_app_id }}.yml" +# TODO: remove this before PR +- name: display variables for MAT and OpenScale + debug: + msg: + - "Settings ......... {{ settings }}" + - "Mat settings ..... {{ settings.mat }}" # 3. Run Application Specific Pre-configuration # ----------------------------------------------------------------------------- diff --git a/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml b/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml index 6685e8ead..9c1516d34 100644 --- a/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml +++ b/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml @@ -6,8 +6,9 @@ mas_appws_spec: watsonstudio: system settings: mat: - datamartid: "{{ cpd_wos_datamart_id }}" - install: true + mat_customization_list: "{{ mat_app_settings_customization_list if (cpd_wos_datamart_id is defined and cpd_wos_datamart_id | length > 0) else [])}}" + # datamartid: "{{ cpd_wos_datamart_id }}" + # install: true watsonstudio: projectid: "{{ cpd_wsl_project_id }}" wml: diff --git a/ibm/mas_devops/roles/suite_app_config/vars/predict.yml b/ibm/mas_devops/roles/suite_app_config/vars/predict.yml index f860d1e61..ba43728ee 100644 --- a/ibm/mas_devops/roles/suite_app_config/vars/predict.yml +++ b/ibm/mas_devops/roles/suite_app_config/vars/predict.yml @@ -5,3 +5,10 @@ mas_app_ws_kind: PredictWorkspace mas_app_cfg_delay: "{{ lookup('env', 'MAS_APP_CFG_DELAY') | default(120, true)}}" mas_app_cfg_retries: "{{ lookup('env', 'MAS_APP_CFG_RETRIES') | default(30, true)}}" + +cpd_wos_datamart_id: "{{ lookup('env', 'CPD_WOS_DATAMART_ID') | default('', true) }}" +mat_install: "{{ lookup('env', 'MAT_INSTALL') | default('', true) }}" + +mat_app_settings_customization_list: + - datamartid: "{{ cpd_wos_datamart_id }}" + install: "{{ mat_install }}" \ No newline at end of file 
From b79e9b0b4a5ad27420ea8af86fdaa5a5f9b6ad34 Mon Sep 17 00:00:00 2001 From: KAROL CZARNECKI Date: Tue, 16 Jan 2024 17:04:04 +0000 Subject: [PATCH 5/8] [patch] fix linter errors --- ibm/mas_devops/roles/suite_app_config/tasks/main.yml | 4 ++-- ibm/mas_devops/roles/suite_app_config/vars/predict.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ibm/mas_devops/roles/suite_app_config/tasks/main.yml b/ibm/mas_devops/roles/suite_app_config/tasks/main.yml index 42a6b0adc..c1fcca59f 100644 --- a/ibm/mas_devops/roles/suite_app_config/tasks/main.yml +++ b/ibm/mas_devops/roles/suite_app_config/tasks/main.yml @@ -21,8 +21,8 @@ # TODO: remove this before PR - name: display variables for MAT and OpenScale - debug: - msg: + debug: + msg: - "Settings ......... {{ settings }}" - "Mat settings ..... {{ settings.mat }}" diff --git a/ibm/mas_devops/roles/suite_app_config/vars/predict.yml b/ibm/mas_devops/roles/suite_app_config/vars/predict.yml index ba43728ee..4f16c2e75 100644 --- a/ibm/mas_devops/roles/suite_app_config/vars/predict.yml +++ b/ibm/mas_devops/roles/suite_app_config/vars/predict.yml @@ -11,4 +11,4 @@ mat_install: "{{ lookup('env', 'MAT_INSTALL') | default('', true) }}" mat_app_settings_customization_list: - datamartid: "{{ cpd_wos_datamart_id }}" - install: "{{ mat_install }}" \ No newline at end of file + install: "{{ mat_install }}" From 250e0b30dec5aa92d0f19b491ff7a2b70fdb7f79 Mon Sep 17 00:00:00 2001 From: KAROL CZARNECKI Date: Wed, 17 Jan 2024 11:18:56 +0000 Subject: [PATCH 6/8] [patch] remove debug --- ibm/mas_devops/roles/suite_app_config/tasks/main.yml | 7 ------- .../roles/suite_app_config/vars/defaultspecs/predict.yml | 2 +- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/ibm/mas_devops/roles/suite_app_config/tasks/main.yml b/ibm/mas_devops/roles/suite_app_config/tasks/main.yml index c1fcca59f..db5730fba 100644 --- a/ibm/mas_devops/roles/suite_app_config/tasks/main.yml 
+++ b/ibm/mas_devops/roles/suite_app_config/tasks/main.yml @@ -19,13 +19,6 @@ - name: Load mas_app variables include_vars: "{{ role_path }}/../suite_app_install/vars/{{ mas_app_id }}.yml" -# TODO: remove this before PR -- name: display variables for MAT and OpenScale - debug: - msg: - - "Settings ......... {{ settings }}" - - "Mat settings ..... {{ settings.mat }}" - # 3. Run Application Specific Pre-configuration # ----------------------------------------------------------------------------- # The following will auto determine storage classes to be used as persistent diff --git a/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml b/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml index 9c1516d34..eb176930e 100644 --- a/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml +++ b/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml @@ -6,7 +6,7 @@ mas_appws_spec: watsonstudio: system settings: mat: - mat_customization_list: "{{ mat_app_settings_customization_list if (cpd_wos_datamart_id is defined and cpd_wos_datamart_id | length > 0) else [])}}" + mat_customization_list: "{{ mat_app_settings_customization_list if (cpd_wos_datamart_id is defined and cpd_wos_datamart_id | length > 0) else [] }}" # datamartid: "{{ cpd_wos_datamart_id }}" # install: true watsonstudio: From 44e3f4cb6b0acb412f1fee7e8ac8feddf24b2672 Mon Sep 17 00:00:00 2001 From: KAROL CZARNECKI Date: Wed, 17 Jan 2024 17:06:27 +0000 Subject: [PATCH 7/8] [patch] fix logic for install mat if datamart id not provide --- ibm/mas_devops/roles/suite_app_config/defaults/main.yml | 2 +- .../roles/suite_app_config/vars/defaultspecs/predict.yml | 5 ++--- ibm/mas_devops/roles/suite_app_config/vars/predict.yml | 7 ------- 3 files changed, 3 insertions(+), 11 deletions(-) diff --git a/ibm/mas_devops/roles/suite_app_config/defaults/main.yml b/ibm/mas_devops/roles/suite_app_config/defaults/main.yml index c5732f466..3649a1c7a 100644 
--- a/ibm/mas_devops/roles/suite_app_config/defaults/main.yml +++ b/ibm/mas_devops/roles/suite_app_config/defaults/main.yml @@ -36,4 +36,4 @@ cpd_wml_instance_id: "{{ lookup('env', 'CPD_WML_INSTANCE_ID') | default('openshi cpd_wml_url: "{{ lookup('env', 'CPD_WML_URL') | default('https://internal-nginx-svc.ibm-cpd.svc:12443', true) }}" # Watson OpenScale (Predict) -# cpd_wos_datamart_id: "{{ lookup('env', 'CPD_WOS_DATAMART_ID') | default('', true) }}" +cpd_wos_datamart_id: "{{ lookup('env', 'CPD_WOS_DATAMART_ID') | default('', true) }}" diff --git a/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml b/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml index eb176930e..e3f29bbed 100644 --- a/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml +++ b/ibm/mas_devops/roles/suite_app_config/vars/defaultspecs/predict.yml @@ -6,9 +6,8 @@ mas_appws_spec: watsonstudio: system settings: mat: - mat_customization_list: "{{ mat_app_settings_customization_list if (cpd_wos_datamart_id is defined and cpd_wos_datamart_id | length > 0) else [] }}" - # datamartid: "{{ cpd_wos_datamart_id }}" - # install: true + datamartid: "{{ cpd_wos_datamart_id }}" + install: "{{ true if (cpd_wos_datamart_id is defined and cpd_wos_datamart_id | length > 0) else false }}" watsonstudio: projectid: "{{ cpd_wsl_project_id }}" wml: diff --git a/ibm/mas_devops/roles/suite_app_config/vars/predict.yml b/ibm/mas_devops/roles/suite_app_config/vars/predict.yml index 4f16c2e75..f860d1e61 100644 --- a/ibm/mas_devops/roles/suite_app_config/vars/predict.yml +++ b/ibm/mas_devops/roles/suite_app_config/vars/predict.yml 
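Review bot: In `defaultspecs/predict.yml`, `install` becomes true for any non-empty `cpd_wos_datamart_id`, including a whitespace-only `CPD_WOS_DATAMART_ID`, because `default('', true)` in the role defaults does not trim. That would enable `mat` with a blank `datamartid`. The `is defined` test is redundant, since the default always defines the variable and `datamartid` on the line above reads it unguarded. The `true if … else false` wrapper also adds nothing to a boolean expression. Suggested form: `install: "{{ cpd_wos_datamart_id | default('', true) | trim | length > 0 }}"`, with the same `| trim` applied to `datamartid`. The documented ID format is not checked anywhere visible in this patch, so an `assert` on it in the role's pre-configuration step would catch typos before the workspace CR is applied.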
@@ -5,10 +5,3 @@ mas_app_ws_kind: PredictWorkspace mas_app_cfg_delay: "{{ lookup('env', 'MAS_APP_CFG_DELAY') | default(120, true)}}" mas_app_cfg_retries: "{{ lookup('env', 'MAS_APP_CFG_RETRIES') | default(30, true)}}" - -cpd_wos_datamart_id: "{{ lookup('env', 'CPD_WOS_DATAMART_ID') | default('', true) }}" -mat_install: "{{ lookup('env', 'MAT_INSTALL') | default('', true) }}" - -mat_app_settings_customization_list: - - datamartid: "{{ cpd_wos_datamart_id }}" - install: "{{ mat_install }}" From 44a8ebc6e50f5a7bd9f23ab34bfeba770870f014 Mon Sep 17 00:00:00 2001 From: KAROL CZARNECKI Date: Wed, 17 Jan 2024 17:24:44 +0000 Subject: [PATCH 8/8] [patch] fix linter errors --- ibm/mas_devops/roles/cert_manager/tasks/prereqs-migration.yml | 2 +- .../roles/cert_manager/tasks/provider/redhat/install.yml | 2 +- ibm/mas_devops/roles/db2/tasks/install/main.yml | 2 +- .../roles/db2/tasks/upgrade/run-db2-instances-upgrade.yml | 2 +- ibm/mas_devops/roles/mongodb/defaults/main.yml | 2 +- .../mongodb/tasks/providers/community/check-mongo-exists.yml | 2 +- ibm/mas_devops/roles/suite_install/tasks/main.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ibm/mas_devops/roles/cert_manager/tasks/prereqs-migration.yml b/ibm/mas_devops/roles/cert_manager/tasks/prereqs-migration.yml index 750113b5c..d04d90dff 100644 --- a/ibm/mas_devops/roles/cert_manager/tasks/prereqs-migration.yml +++ b/ibm/mas_devops/roles/cert_manager/tasks/prereqs-migration.yml @@ -47,4 +47,4 @@ - certmanager_webhook_deployment.resources is defined - certmanager_webhook_deployment.resources | length == 0 retries: 10 - delay: 30 # seconds \ No newline at end of file + delay: 30 # seconds diff --git a/ibm/mas_devops/roles/cert_manager/tasks/provider/redhat/install.yml b/ibm/mas_devops/roles/cert_manager/tasks/provider/redhat/install.yml index 43b08fdb1..299abadc3 100644 --- a/ibm/mas_devops/roles/cert_manager/tasks/provider/redhat/install.yml 
+++ b/ibm/mas_devops/roles/cert_manager/tasks/provider/redhat/install.yml @@ -192,4 +192,4 @@ kubernetes.core.k8s: merge_type: merge definition: "{{ lookup('template', 'templates/redhat/cert-manager-webhook-ibm-cis-crb.yml.j2') }}" - when: cert_manager_webhook_cis_lookup.stdout_lines | length > 0 \ No newline at end of file + when: cert_manager_webhook_cis_lookup.stdout_lines | length > 0 diff --git a/ibm/mas_devops/roles/db2/tasks/install/main.yml b/ibm/mas_devops/roles/db2/tasks/install/main.yml index 6ff1d0edd..f4bc97ccc 100644 --- a/ibm/mas_devops/roles/db2/tasks/install/main.yml +++ b/ibm/mas_devops/roles/db2/tasks/install/main.yml @@ -427,4 +427,4 @@ - mas_instance_id is defined - mas_instance_id != "" - mas_config_dir is defined - - mas_config_dir != "" \ No newline at end of file + - mas_config_dir != "" diff --git a/ibm/mas_devops/roles/db2/tasks/upgrade/run-db2-instances-upgrade.yml b/ibm/mas_devops/roles/db2/tasks/upgrade/run-db2-instances-upgrade.yml index 65f86ebcd..2557c258b 100644 --- a/ibm/mas_devops/roles/db2/tasks/upgrade/run-db2-instances-upgrade.yml +++ b/ibm/mas_devops/roles/db2/tasks/upgrade/run-db2-instances-upgrade.yml @@ -95,4 +95,4 @@ - db2_cluster_lookup.resources[0].status.version == db2_version retries: 30 # Approximately 30 minutes before we give up delay: 60 # 1 minute - loop: "{{ db2uCluster_names | zip(db2uCluster_versions) | list }}" \ No newline at end of file + loop: "{{ db2uCluster_names | zip(db2uCluster_versions) | list }}" diff --git a/ibm/mas_devops/roles/mongodb/defaults/main.yml b/ibm/mas_devops/roles/mongodb/defaults/main.yml index bd1cf5eed..9212dcc3c 100644 --- a/ibm/mas_devops/roles/mongodb/defaults/main.yml +++ b/ibm/mas_devops/roles/mongodb/defaults/main.yml @@ -135,4 +135,4 @@ mongo_compatible_target_version: - "6.0.10" - "6.0.12" "6.0.10": - - "6.0.12" \ No newline at end of file + - "6.0.12" 
diff --git a/ibm/mas_devops/roles/mongodb/tasks/providers/community/check-mongo-exists.yml b/ibm/mas_devops/roles/mongodb/tasks/providers/community/check-mongo-exists.yml index 22dc98f1d..0bcb73ab9 100644 --- a/ibm/mas_devops/roles/mongodb/tasks/providers/community/check-mongo-exists.yml +++ b/ibm/mas_devops/roles/mongodb/tasks/providers/community/check-mongo-exists.yml @@ -53,4 +53,4 @@ when: - existing_mongodb.resources[0].spec.version is defined - - existing_mongodb.resources[0].spec.version | length > 0 \ No newline at end of file + - existing_mongodb.resources[0].spec.version | length > 0 diff --git a/ibm/mas_devops/roles/suite_install/tasks/main.yml b/ibm/mas_devops/roles/suite_install/tasks/main.yml index dc3f3d9dc..7bc7ca8d5 100644 --- a/ibm/mas_devops/roles/suite_install/tasks/main.yml +++ b/ibm/mas_devops/roles/suite_install/tasks/main.yml @@ -223,4 +223,4 @@ - name: debug suiteResult debug: - msg: "{{ suiteResult }}" \ No newline at end of file + msg: "{{ suiteResult }}"