From: arvindpatel Date: Wed, 4 Nov 2020 22:20:27 +0000 (+0530) Subject: Edge gallery roles added X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=commitdiff_plain;h=5a96855385ed2fe197daea2d3f128d7fbd534998;p=ealt-edge.git Edge gallery roles added Signed-off-by: arvindpatel Change-Id: I039d4394b609c7b336d7156b9014b720259e80b4 --- diff --git a/ocd/infra/playbooks/config.yml b/ocd/infra/playbooks/config.yml index 020d1d4..a91c99e 100644 --- a/ocd/infra/playbooks/config.yml +++ b/ocd/infra/playbooks/config.yml 
@@ -13,29 +13,117 @@ # limitations under the License. --- -firstvar: - name: swrusr: name: swrpass: name: -sUserName: +cert_validity_in_days: + name: 365 +mecm_meo_db_password: + name: +mecm_mepm_db_password: + name: +dockerusr: + name: +dockerpass: + name: +secret_keystorepass: + name: +secret_cert_pass: + name: +private_repo_ip: + name: +mep_pg_admin_pwd: + name: +mep_kong_pg_pwd: + name: +mep_cert_pwd: + name: +system_interfaceeth1: + name: +system_interfaceeth2: + name: +mep_ip_addr_macvlan_eg_mep1: + name: +mep_ip_addr_mm5_eg_mm5: + name: +mep_image_tag: + name: +mep_mepauth_image_tag: + name: +mep_dns_image_tag: + name: +generate_cert_pass: + name: +mecm_mepm_postgresPassword: + name: +mecm_mepm_postgresLcmCntlrPassword: + name: +mecm_mepm_postgresk8sPluginPassword: + name: +mecm_mepm_lcmcontroller_image_tag: + name: +mecm_mepm_k8splugin_image_tag: + name: +mecm_mepm_postgres_image_tag: + name: +user_mgmt_encryptpass: + name: +user_mgmt_oauth_appstore_client_ip: + name: +user_mgmt_oauth_developer_client_ip: + name: +user_mgmt_oauth_mecm_client_ip: + name: +user_mgmt_image_tag: + name: +mecm_meo_keystorePassword: + name: +mecm_meo_truststorePassword: + name: +mecm_meo_postgresPassword: + name: +mecm_meo_postgresApmPassword: + name: +mecm_meo_postgresAppoPassword: + name: +mecm_meo_postgresInventoryPassword: + name: +mecm_meo_edgeRepoUserName: + name: +mecm_meo_edgeRepoPassword: + name: +mecm_meo_image_tag: + name: +mecm_meo_appo_image_tag: + name: +mecm_meo_apm_image_tag: name: -sPass: +mecm_meo_postgres_tag: name: -authServer: +mecm_fe_centernodeip: name: -authServerMecm: +mecm_fe_image_tag: name: -adminpwd: +appstore_centernodeip: name: -kongpgpwd: +appstore_fe_image_tag: name: -interface1: +appstore_be_image_tag: name: -interface2: +developer_centernodeip: name: -ipaddregmep1: +developer_fe_image_tag: name: -ipaddregmep5: +developer_be_image_tag: name: +developer_centernode_port: + name: 30067 +mecm_fe_centernodeport: + name: 30067 
+user_mgmt_oauth_appstore_client_port: + name: 30091 +user_mgmt_oauth_developer_client_port: + name: 30092 +user_mgmt_oauth_mecm_client_port: + name: 30093 diff --git a/ocd/infra/playbooks/roles/eg_appstore/tasks/install.yml b/ocd/infra/playbooks/roles/eg_appstore/tasks/install.yml index 57c21af..3d981fa 100644 --- a/ocd/infra/playbooks/roles/eg_appstore/tasks/install.yml +++ b/ocd/infra/playbooks/roles/eg_appstore/tasks/install.yml @@ -18,11 +18,9 @@ - name: Import vars include_vars: - # yamllint disable rule:line-length file: ../../../config.yml - # yamllint disable rule:line-length name: vardata -- name: Pull helm chart appstore +- name: Helm install appstore # yamllint disable rule:line-length - command: helm install -- wait appstore-edgegallery edgegallery/appstore --set global.oauth2.authServerAddress=https://{{vardata.centernodeip.name}}:30067 --set images.appstoreFe.tag={{vardata.appstorefeimagetag.name}} --set images.appstoreBe.tag={{vardata.appstorebeimagetag.name}} --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret + command: helm install --wait appstore-edgegallery edgegallery/appstore --set global.oauth2.authServerAddress=https://{{vardata.appstore_centernodeip.name}}:30067 --set images.appstoreFe.tag={{vardata.appstore_fe_image_tag.name}} --set images.appstoreBe.tag={{vardata.appstore_be_image_tag.name}} --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret diff --git a/ocd/infra/playbooks/roles/eg_certs/tasks/install.yml b/ocd/infra/playbooks/roles/eg_certs/tasks/install.yml index 3dc7f8f..1e15a02 100644 --- a/ocd/infra/playbooks/roles/eg_certs/tasks/install.yml +++ b/ocd/infra/playbooks/roles/eg_certs/tasks/install.yml 
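Review bot: The new entries `mecm_meo_db_password`, `mecm_mepm_db_password`, `dockerpass`, `secret_keystorepass`, `mep_pg_admin_pwd`, `mecm_meo_edgeRepoPassword` and the other `*Password`/`*pwd` keys are credentials kept as bare `name:` values in a file committed to git, side by side with non-secret image tags and IPs. Left empty, `name:` parses as null, and every `{{ vardata.*.name }}` that feeds a `--from-literal=...Password=` or the SQL `replace` in the other roles would install an empty or `None` password without any task failing. Split the credentials into a separate vars file loaded via ansible-vault, mark the tasks that template them with `no_log: true`, and fail early on unset values with something like `assert: { that: vardata.mecm_meo_db_password.name | length > 0 }` before first use.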
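Review bot: The appstore command still hard-codes `:30067` in `global.oauth2.authServerAddress`, whereas the developer and mecm-fe roles changed in this same commit take the port from config.yml (`developer_centernode_port`, `mecm_fe_centernodeport`). A site that moves the usermgmt NodePort will update those two roles and silently leave appstore pointing at the old port. Add an `appstore_centernodeport` entry (default `30067`) next to `appstore_centernodeip` and use `https://{{vardata.appstore_centernodeip.name}}:{{vardata.appstore_centernodeport.name}}` here for consistency.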
@@ -16,73 +16,22 @@ --- -- name: Remove old dir - command: rm -rf /tmp/.mep_tmp_cer - args: - chdir: /tmp/ +- name: Import config file + include_vars: + file: ../../../config.yml + name: vardata -- name: Make dir - command: mkdir -p /tmp/.mep_tmp_cer +- name: Remove old ssl key dir + command: rm -rf /tmp/ssl-eg-keys-certs args: chdir: /tmp/ -- name: Openssl genrsa - command: openssl genrsa -out ca.key 2048 - args: - chdir: /tmp/.mep_tmp_cer/ - -- name: Opnessl req - # yamllint disable rule:line-length - command: openssl req -new -key ca.key -subj /C=CN/ST=Peking/L=Beijing/O=edgegallery/CN=edgegallery -out ca.csr - # yamllint disable rule:line-length - args: - chdir: /tmp/.mep_tmp_cer/ - -- name: Sing key with ca key and ca crt - command: openssl x509 -req -days 365 -in ca.csr -extensions v3_ca -signkey ca.key -out ca.crt - args: - chdir: /tmp/.mep_tmp_cer/ - -- name: Openssl genrsa - command: openssl genrsa -out server_tls.key 2048 - args: - chdir: /tmp/.mep_tmp_cer/ - -- name: Openssl rsa mep tls - command: openssl rsa -in server_tls.key -aes256 -passout pass:{{ vardata.certspass.name}} -out server_encryptedtls.key - args: - chdir: /tmp/.mep_tmp_cer/ - -- name: Openssl req new key mepserver tls key - # yamllint disable rule:line-length - command: openssl req -new -key server_tls.key -subj /C=CN/ST=Beijing/L=Beijing/O=edgegallery/CN=edgegallery -out server_tls.csr - # yamllint disable rule:line-length +- name: Make new ssl key dir + command: mkdir -p /tmp/ssl-eg-keys-certs args: - chdir: /tmp/.mep_tmp_cer/ + chdir: /tmp/ -- name: Openssl mepserver tls csr +- name: generate cert # yamllint disable rule:line-length - command: openssl x509 -req -in server_tls.csr -extensions v3_req -CA ca.crt -CAkey ca.key -CAcreateserial -out server_tls.crt + command: docker run -e CERT_VALIDITY_IN_DAYS={{ vardata.cert_validity_in_days.name}} -v /tmp/ssl-eg-keys-certs:/certs swr.ap-southeast-1.myhuaweicloud.com/edgegallery/deploy-tool:latest # yamllint disable rule:line-length - 
args: - chdir: /tmp/.mep_tmp_cer/ - -- name: Openssl genrsa out - command: openssl genrsa -out jwt_privatekey 2048 - args: - chdir: /tmp/.mep_tmp_cer/ - -- name: Openssl rsa jwt privatekey - command: openssl rsa -in jwt_privatekey -pubout -out jwt_publickey - args: - chdir: /tmp/.mep_tmp_cer/ - -- name: Openssl rsa jwt privatekey - command: openssl rsa -in jwt_privatekey -pubout -out jwt_publickey - args: - chdir: /tmp/.mep_tmp_cer/ - -- name: Openssl rsa in jwt - command: openssl rsa -in jwt_privatekey -aes256 -passout pass:{{ vardata.certspass.name}} -out jwt_encrypted_privatekey - args: - chdir: /tmp/.mep_tmp_cer/ diff --git a/ocd/infra/playbooks/roles/eg_certs/tasks/main.yml b/ocd/infra/playbooks/roles/eg_certs/tasks/main.yml index b635196..02f073c 100644 --- a/ocd/infra/playbooks/roles/eg_certs/tasks/main.yml +++ b/ocd/infra/playbooks/roles/eg_certs/tasks/main.yml @@ -15,8 +15,9 @@ # --- - # tasks file for eg_certs - include: "install.yml" - static: false when: operation == 'install' + +- include: "uninstall.yml" + when: operation == 'uninstall' diff --git a/ocd/infra/playbooks/roles/eg_certs/tasks/uninstall.yml b/ocd/infra/playbooks/roles/eg_certs/tasks/uninstall.yml new file mode 100644 index 0000000..c6d92b3 --- /dev/null +++ b/ocd/infra/playbooks/roles/eg_certs/tasks/uninstall.yml 
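Review bot: The `generate cert` task pulls `swr.ap-southeast-1.myhuaweicloud.com/edgegallery/deploy-tool:latest` and lets it write the CA key, server key and keystores into `/tmp/ssl-eg-keys-certs`, so the trust root of every component is now produced by an unpinned, mutable image from a remote registry; pin it to a versioned tag or a `@sha256:` digest. The output directory is created with `mkdir -p` at a fixed, predictable `/tmp` path with default permissions, so the private keys are readable by every local user and a pre-existing directory or symlink at that path is silently reused; replace the `rm -rf`/`mkdir -p` commands with the `file` module (`state: absent`, then `state: directory` with `mode: "0700"`). The removed openssl tasks produced `server_tls.key`, `server_encryptedtls.key`, `jwt_publickey` and friends that the mepm role consumed, but which files the container actually emits is not visible here — confirm that `tls.key`, `tls.crt`, `ca.crt`, `encryptedtls.key`, `keystore.p12` and `keystore.jks`, as referenced by the other roles, are its real output names.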
@@ -0,0 +1,22 @@ +# +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +--- + +- name: Remove generated certificates + command: rm -rf /tmp/ssl-eg-keys-certs + args: + chdir: /tmp/ diff --git a/ocd/infra/playbooks/roles/eg_developer/tasks/install.yml b/ocd/infra/playbooks/roles/eg_developer/tasks/install.yml index 7ddadd9..f72ab08 100644 --- a/ocd/infra/playbooks/roles/eg_developer/tasks/install.yml +++ b/ocd/infra/playbooks/roles/eg_developer/tasks/install.yml 
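Review bot: `rm -rf /tmp/ssl-eg-keys-certs` only removes the working copy; by the time uninstall runs, the same key material has been copied into Kubernetes Secrets by the mecm-meo and mecm-mepm roles, so this task revokes nothing and should not be read as a cleanup of the keys themselves. Use `file: path=/tmp/ssl-eg-keys-certs state=absent` (block form) instead of a `command` wrapper, which is idempotent and reports `changed` correctly.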
@@ -18,11 +18,9 @@ - name: Import config file include_vars: - # yamllint disable rule:line-length file: ../../../config.yml - # yamllint disable rule:line-length name: vardata - name: Developer chart installing # yamllint disable rule:line-length - command: helm install --wait developer-edgegallery edgegallery/developer --set global.oauth2.authServerAddress=https://{{vardata.centernodeip.name}}:30067 --set images.developerFe.tag={{vardata.developerfeimagetag.name}} --set images.developerBe.tag={{vardata.developerbeimagetag.name}} --set images.toolChain.tag={{vardata.toolchainimagetag.name}} --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret + command: helm install --wait developer-edgegallery edgegallery/developer --set global.oauth2.authServerAddress=https://{{vardata.developer_centernodeip.name}}:{{ vardata.developer_centernode_port.name}} --set images.developerFe.tag={{vardata.developer_fe_image_tag.name}} --set images.developerBe.tag={{vardata.developer_be_image_tag.name}} --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/appstore-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/appstore-0.9.tgz new file mode 100644 index 0000000..53de058 Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/appstore-0.9.tgz differ diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/developer-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/developer-0.9.tgz new file mode 100644 index 0000000..34e7c77 Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/developer-0.9.tgz differ 
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-fe-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-fe-0.9.tgz new file mode 100644 index 0000000..bc76b63 Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-fe-0.9.tgz differ diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-meo-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-meo-0.9.tgz new file mode 100644 index 0000000..9f65c7f Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-meo-0.9.tgz differ diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-mepm-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-mepm-0.9.tgz new file mode 100644 index 0000000..4f5c572 Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-mepm-0.9.tgz differ diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mep-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mep-0.9.tgz new file mode 100644 index 0000000..490d9ef Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mep-0.9.tgz differ diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/servicecenter-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/servicecenter-0.9.tgz new file mode 100644 index 0000000..72aed5a Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/servicecenter-0.9.tgz differ 
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/usermgmt-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/usermgmt-0.9.tgz new file mode 100644 index 0000000..d1cc9be Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/usermgmt-0.9.tgz differ diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/grafana-5.5.5.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/grafana-5.5.5.tgz new file mode 100644 index 0000000..2c67c80 Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/grafana-5.5.5.tgz differ diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/nfs-client-provisioner-1.2.8.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/nfs-client-provisioner-1.2.8.tgz new file mode 100644 index 0000000..c63a4b8 Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/nfs-client-provisioner-1.2.8.tgz differ diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/nginx-ingress-1.41.2.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/nginx-ingress-1.41.2.tgz new file mode 100644 index 0000000..00bd24a Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/nginx-ingress-1.41.2.tgz differ diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/prometheus-9.3.1.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/prometheus-9.3.1.tgz new file mode 100644 index 0000000..3b1090b Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/prometheus-9.3.1.tgz differ 
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/tasks/install.yml b/ocd/infra/playbooks/roles/eg_helm-repo/tasks/install.yml index d64cc10..32697ed 100644 --- a/ocd/infra/playbooks/roles/eg_helm-repo/tasks/install.yml +++ b/ocd/infra/playbooks/roles/eg_helm-repo/tasks/install.yml @@ -21,37 +21,37 @@ src: deploy dest: /tmp/eg_helm-repo/ -- name: Import vars +- name: Import config file include_vars: file: ../../../config.yml name: vardata -- name: Adding helm repo edgegallery +- name: Helm repo index edgegallery command: helm repo index edgegallery/ args: chdir: /tmp/eg_helm-repo/deploy/helm/helm-charts/ -- name: Adding helm repo stable +- name: Helm repo index stable command: helm repo index stable/ args: chdir: /tmp/eg_helm-repo/deploy/helm/helm-charts/ -- name: Adding helm repo - # yamllint disable rule:line-length - command: docker run --name helm-repo -v /tmp/eg_helm-repo/deploy/helm/helm-charts/:/usr/share/nginx/html:ro -d -p 8080:80 nginx:stable +- name: Creating helm repo # yamllint disable rule:line-length + command: docker run --name helm-repo -v /tmp/eg_helm-repo/deploy/helm/helm-charts/:/usr/share/nginx/html:ro -d -p 8080:80 nginx:stable args: chdir: /tmp/eg_helm-repo/deploy/helm/helm-charts/ -- name: Add repo in adgegallery private IP - command: helm repo add edgegallery http://{{ vardata.helmrepoip.name}}:8080/edgegallery +- name: Helm repo add edgegallery + # yamllint disable rule:line-length + command: helm repo add edgegallery http://{{ vardata.private_repo_ip.name}}:8080/edgegallery args: chdir: /tmp/eg_helm-repo/deploy/helm/helm-charts/ -- name: Add stable repo in given IP - command: helm repo add stable http://{{ vardata.helmrepoip.name}}:8080/stable +- name: Helm repo add stable + command: helm repo add stable http://{{ vardata.private_repo_ip.name}}:8080/stable args: chdir: /tmp/eg_helm-repo/deploy/helm/helm-charts/ - debug: - msg: "Helm repo added successfully" + msg: "Helm repo created" 
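Review bot: `docker run ... -p 8080:80 nginx:stable` publishes the chart repository on every interface of the host over plain HTTP, and the `helm repo add` lines then fetch charts from `http://{{ vardata.private_repo_ip.name}}:8080/...` with no integrity check, so anyone on the path can substitute chart contents for every component installed afterwards. Bind the listener to the private address, `-p {{ vardata.private_repo_ip.name}}:8080:80`, and serve over TLS (helm accepts `--ca-file`) or at least verify the chart digests recorded by `helm repo index` on the consuming side. `nginx:stable` is a floating tag; pin a version or digest. The `docker run` is also not idempotent — a second `install` run fails because the container `helm-repo` already exists — which the `docker_container` module with `state: started` handles.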
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/tasks/main.yml b/ocd/infra/playbooks/roles/eg_helm-repo/tasks/main.yml index 52584d1..858c198 100644 --- a/ocd/infra/playbooks/roles/eg_helm-repo/tasks/main.yml +++ b/ocd/infra/playbooks/roles/eg_helm-repo/tasks/main.yml @@ -1,4 +1,3 @@ -# # Copyright 2020 Huawei Technologies Co., Ltd. # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -16,7 +15,7 @@ --- -# tasks file for eg_addrepo +# tasks file for eg_helm_repo_add - include: "install.yml" static: false when: operation == 'install' diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/tasks/uninstall.yml b/ocd/infra/playbooks/roles/eg_helm-repo/tasks/uninstall.yml new file mode 100644 index 0000000..6cd47d5 --- /dev/null +++ b/ocd/infra/playbooks/roles/eg_helm-repo/tasks/uninstall.yml @@ -0,0 +1,22 @@ +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +--- + +- name: Docker stop helm repo + command: docker stop helm-repo + +- name: Docker rm helm repo + command: docker rm helm-repo diff --git a/ocd/infra/playbooks/roles/eg_mecm-fe/tasks/install.yml b/ocd/infra/playbooks/roles/eg_mecm-fe/tasks/install.yml index 9a62619..6dbe665 100644 --- a/ocd/infra/playbooks/roles/eg_mecm-fe/tasks/install.yml +++ b/ocd/infra/playbooks/roles/eg_mecm-fe/tasks/install.yml 
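Review bot: `docker stop helm-repo` returns non-zero when no container of that name exists, so the uninstall play aborts at its first task on a host that never had the repo started or was already cleaned, and `docker rm helm-repo` is never reached. The `docker_container` module with `name: helm-repo` and `state: absent` covers stop and removal idempotently; if the `command` form must stay, collapse both into a single `docker rm -f helm-repo` and register the result instead of letting a missing container fail the play.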
@@ -21,6 +21,6 @@ file: ../../../config.yml name: vardata -- name: Mecm-fe chart install and image pull +- name: Install mecm-fe # yamllint disable rule:line-length - command: helm install --wait mecm-fe-edgegallery edgegallery/mecm-fe --set global.oauth2.authServerAddress=https://{{vardata.centernodeip.name}}:30067 --set images.mecmFe.tag={{vardata.imagetag.name}} --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret + command: helm install --wait mecm-fe-edgegallery edgegallery/mecm-fe --set global.oauth2.authServerAddress=https://{{vardata.mecm_fe_centernodeip.name}}:{{vardata.mecm_fe_centernodeport.name}} --set images.mecmFe.tag={{vardata.mecm_fe_image_tag.name}} --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret diff --git a/ocd/infra/playbooks/roles/eg_mecm-meo/files/deploy/conf/keys/postgres_init.sql b/ocd/infra/playbooks/roles/eg_mecm-meo/files/deploy/conf/keys/postgres_init.sql new file mode 100644 index 0000000..76e94d6 --- /dev/null +++ b/ocd/infra/playbooks/roles/eg_mecm-meo/files/deploy/conf/keys/postgres_init.sql @@ -0,0 +1,29 @@ +CREATE USER inventory WITH PASSWORD 'PASSWORD_VALUE' CREATEDB; +CREATE DATABASE inventorydb + WITH + OWNER = inventory + ENCODING = 'UTF8' + LC_COLLATE = 'en_US.utf8' + LC_CTYPE = 'en_US.utf8' + TABLESPACE = pg_default + CONNECTION LIMIT = -1; + +CREATE USER appo WITH PASSWORD 'PASSWORD_VALUE' CREATEDB; +CREATE DATABASE appodb + WITH + OWNER = appo + ENCODING = 'UTF8' + LC_COLLATE = 'en_US.utf8' + LC_CTYPE = 'en_US.utf8' + TABLESPACE = pg_default + CONNECTION LIMIT = -1; + +CREATE USER apm WITH PASSWORD 'PASSWORD_VALUE' CREATEDB; +CREATE DATABASE apmdb + WITH + OWNER = apm + ENCODING = 'UTF8' + LC_COLLATE = 'en_US.utf8' + LC_CTYPE = 'en_US.utf8' + TABLESPACE = pg_default + CONNECTION LIMIT = -1; diff --git a/ocd/infra/playbooks/roles/eg_mecm-meo/tasks/install.yml b/ocd/infra/playbooks/roles/eg_mecm-meo/tasks/install.yml index e4de10f..523f07d 100644 
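Review bot: Each of `inventory`, `appo` and `apm` is created `WITH PASSWORD 'PASSWORD_VALUE' CREATEDB`, but its database is created for it by the very next statement, so `CREATEDB` is a standing privilege none of the service roles needs; `CREATE USER inventory WITH PASSWORD 'PASSWORD_VALUE';` is sufficient. Because all three roles share the one `PASSWORD_VALUE` placeholder, whatever single value the install task substitutes becomes the password of every service role; a distinct placeholder per role would let the per-role secrets actually differ. `CONNECTION LIMIT = -1` is the default (unlimited) and can be dropped or given a real bound.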
--- a/ocd/infra/playbooks/roles/eg_mecm-meo/tasks/install.yml +++ b/ocd/infra/playbooks/roles/eg_mecm-meo/tasks/install.yml 
@@ -22,24 +22,33 @@ dest: /tmp/eg_mecm-meo/ - name: Import config file - # yamllint disable rule:line-length include_vars: file: ../../../config.yml name: vardata + +- name: Replacing pwd sql + replace: + path: /tmp/eg_mecm-meo/deploy/conf/keys/postgres_init.sql + regexp: 'PASSWORD_VALUE' + replace: "{{ vardata.mecm_meo_db_password.name }}" + +- name: Generates certificate mecm-ssl-secret # yamllint disable rule:line-length -- name: Generates certificate one eg_mecm-meo - # yamllint disable rule:line-length - command: kubectl create secret generic mecm-ssl-secret --from-file=keystore.p12=/tmp/eg_mecm-meo/deploy/conf/keys/keystore.p12 --from-file=keystore.jks=/tmp/eg_mecm-meo/deploy/conf/keys/keystore.jks --from-literal=keystorePassword={{ vardata.firstvar.name}} --from-literal=keystoreType=PKCS12 --from-literal=keyAlias=edgegallery --from-literal=truststorePassword={{ vardata.firstvar.name}} + command: kubectl create secret generic mecm-ssl-secret --from-file=keystore.p12=/tmp/ssl-eg-keys-certs/keystore.p12 --from-file=keystore.jks=/tmp/ssl-eg-keys-certs/keystore.jks --from-literal=keystorePassword={{ vardata.mecm_meo_keystorePassword.name}} --from-literal=keystoreType=PKCS12 --from-literal=keyAlias=edgegallery --from-literal=truststorePassword={{ vardata.mecm_meo_truststorePassword.name}} # yamllint disable rule:line-length - args: - chdir: /tmp/eg_mecm-meo/deploy/ -- name: Generates sql certificate one eg_mecm-meo +- name: Generates certificate edgegallery-mecm-secret # yamllint disable rule:line-length - command: kubectl create secret generic edgegallery-mecm-secret --from-file=postgres_init.sql=/tmp/eg_mecm-meo/deploy/conf/keys/postgres_init.sql --from-literal=postgresPassword={{ vardata.firstvar.name}} --from-literal=postgresApmPassword={{ vardata.firstvar.name}} --from-literal=postgresAppoPassword={{ vardata.firstvar.name}} --from-literal=postgresInventoryPassword={{ vardata.firstvar.name}} --from-literal=edgeRepoUserName={{ vardata.sUserName.name}} 
--from-literal=edgeRepoPassword={{ vardata.sPass.name}} + command: kubectl create secret generic edgegallery-mecm-secret --from-file=postgres_init.sql=/tmp/eg_mecm-meo/deploy/conf/keys/postgres_init.sql --from-literal=postgresPassword={{ vardata.mecm_meo_postgresPassword.name}} --from-literal=postgresApmPassword={{ vardata.mecm_meo_postgresApmPassword.name}} --from-literal=postgresAppoPassword={{ vardata.mecm_meo_postgresAppoPassword.name}} --from-literal=postgresInventoryPassword={{ vardata.mecm_meo_postgresInventoryPassword.name}} --from-literal=edgeRepoUserName={{ vardata.mecm_meo_edgeRepoUserName.name}} --from-literal=edgeRepoPassword={{ vardata.mecm_meo_edgeRepoPassword.name}} # yamllint disable rule:line-length args: chdir: /tmp/eg_mecm-meo/deploy/ -- name: Repo pulling for mecm-meo - command: helm install mecm-meo-edgegallery edgegallery/mecm-meo --set ssl.secretName=mecm-ssl-secret --set mecm.secretName=edgegallery-mecm-secret +- name: Fs group value + shell: 'getent group docker | cut -d: -f3' + register: result + +- name: Helm install + # yamllint disable rule:line-length + command: helm install --wait mecm-meo-edgegallery edgegallery/mecm-meo --set ssl.secretName=mecm-ssl-secret --set mecm.secretName=edgegallery-mecm-secret --set images.inventory.tag={{ vardata.mecm_meo_image_tag.name}} --set images.appo.tag={{ vardata.mecm_meo_appo_image_tag.name}} --set images.apm.tag={{ vardata.mecm_meo_apm_image_tag.name}} --set images.postgres.tag={{ vardata.mecm_meo_postgres_tag.name}} --set mecm.docker.fsgroup=result.stdout + # yamllint disable rule:line-length diff --git a/ocd/infra/playbooks/roles/eg_mecm-meo/tasks/main.yml b/ocd/infra/playbooks/roles/eg_mecm-meo/tasks/main.yml index 77d70db..06e1be4 100644 --- a/ocd/infra/playbooks/roles/eg_mecm-meo/tasks/main.yml +++ b/ocd/infra/playbooks/roles/eg_mecm-meo/tasks/main.yml @@ -15,6 +15,7 @@ # --- + # tasks file for eg_mecm-meo - include: "install.yml" static: false 
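Review bot: `--set mecm.docker.fsgroup=result.stdout` passes the literal string `result.stdout` to Helm — the registered value is only expanded as `{{ result.stdout }}`, so the chart receives no GID. The `Replacing pwd sql` task injects `mecm_meo_db_password` into a SQL single-quoted literal with no escaping, so a password containing `'` breaks the init script (and the `replace` module also interprets backslash sequences in the replacement); meanwhile the Secret carries three separate literals (`postgresApmPassword`, `postgresAppoPassword`, `postgresInventoryPassword`) while the SQL sets the same `mecm_meo_db_password` for all three roles, so the services can only authenticate if all four config values happen to be identical. Both `kubectl create secret` tasks and the `replace` task put passwords on the command line and in task output; add `no_log: true` to each. Handing pods the `docker` group via fsgroup (`getent group docker`) amounts to docker-socket access for anything that mounts it — presumably required by the chart, but worth confirming.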
diff --git a/ocd/infra/playbooks/roles/eg_mecm-mepm/files/deploy/conf/keys/postgres_init.sql b/ocd/infra/playbooks/roles/eg_mecm-mepm/files/deploy/conf/keys/postgres_init.sql new file mode 100644 index 0000000..0fcc8fc --- /dev/null +++ b/ocd/infra/playbooks/roles/eg_mecm-mepm/files/deploy/conf/keys/postgres_init.sql @@ -0,0 +1,20 @@ +CREATE USER lcmcontroller WITH PASSWORD 'PASSWORD_VALUE' CREATEDB; +CREATE DATABASE lcmcontrollerdb + WITH + OWNER = lcmcontroller + ENCODING = 'UTF8' + LC_COLLATE = 'en_US.utf8' + LC_CTYPE = 'en_US.utf8' + TABLESPACE = pg_default + CONNECTION LIMIT = -1; + +CREATE USER k8splugin WITH PASSWORD 'PASSWORD_VALUE' CREATEDB; +CREATE DATABASE k8splugindb + WITH + OWNER = k8splugin + ENCODING = 'UTF8' + LC_COLLATE = 'en_US.utf8' + LC_CTYPE = 'en_US.utf8' + TABLESPACE = pg_default + CONNECTION LIMIT = -1; + diff --git a/ocd/infra/playbooks/roles/eg_mecm-mepm/files/deploy/conf/manifest/mepm/mepm-service-account.yaml b/ocd/infra/playbooks/roles/eg_mecm-mepm/files/deploy/conf/manifest/mepm/mepm-service-account.yaml new file mode 100644 index 0000000..9bf8e91 --- /dev/null +++ b/ocd/infra/playbooks/roles/eg_mecm-mepm/files/deploy/conf/manifest/mepm/mepm-service-account.yaml 
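Review bot: `lcmcontroller` and `k8splugin` are granted `CREATEDB` although the script itself creates `lcmcontrollerdb` and `k8splugindb` for them, so the privilege outlives its only use; `CREATE USER lcmcontroller WITH PASSWORD 'PASSWORD_VALUE';` is enough. Both roles share the single `PASSWORD_VALUE` placeholder, so the `replace` in the install task gives them the same password; use a distinct placeholder per role if the two services are meant to hold separate credentials.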
@@ -0,0 +1,30 @@ +# +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: fabric8-rbac +subjects: + - kind: ServiceAccount + # Reference to upper's `metadata.name` + name: default + # Reference to upper's `metadata.namespace` + namespace: default +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io diff --git a/ocd/infra/playbooks/roles/eg_mecm-mepm/tasks/install.yml b/ocd/infra/playbooks/roles/eg_mecm-mepm/tasks/install.yml index a84f9e0..2ad97c0 100644 --- a/ocd/infra/playbooks/roles/eg_mecm-mepm/tasks/install.yml +++ b/ocd/infra/playbooks/roles/eg_mecm-mepm/tasks/install.yml 
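Review bot: This manifest binds `cluster-admin` to the `default` ServiceAccount of the `default` namespace, so every pod scheduled there without an explicit `serviceAccountName` — not only the mepm k8splugin — receives full cluster control through its mounted token, and a compromise of any such pod is a cluster compromise. Create a dedicated ServiceAccount, bind only that, narrow `roleRef` to a ClusterRole listing the verbs the plugin actually uses (keeping `cluster-admin` at most as a marked stop-gap), and reference the account from the chart's pod spec, which lives in the vendored `mecm-mepm-0.9.tgz` and is not visible here. `rbac.authorization.k8s.io/v1beta1` is deprecated and removed in Kubernetes 1.22; use `v1`.
```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mepm
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: fabric8-rbac
subjects:
  - kind: ServiceAccount
    name: mepm
    namespace: default
roleRef:
  kind: ClusterRole
  # TODO(review): replace with a scoped ClusterRole granting only what k8splugin needs
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```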
@@ -21,37 +21,42 @@ src: deploy dest: /tmp/eg_mecm-mepm/ -- name: Import vars +- name: Import config file include_vars: file: ../../../config.yml name: vardata -- name: Generates certificate one eg_mecm-mepm +- name: Replacing password + replace: + path: /tmp/eg_mecm-mepm/deploy/conf/keys/postgres_init.sql + regexp: 'PASSWORD_VALUE' + replace: "{{ vardata.mecm_mepm_db_password.name }}" + +- name: Create mecm-mepm-ssl-secret secret # yamllint disable rule:line-length - command: kubectl create secret generic mecm-mepm-jwt-public-secret --from-file=publicKey=/tmp/.mep_tmp_cer/server_encryptedtls.key + command: kubectl create secret generic mecm-mepm-jwt-public-secret --from-file=publicKey=/tmp/ssl-eg-keys-certs/encryptedtls.key # yamllint disable rule:line-length args: - chdir: /tmp/.mep_tmp_cer/ + chdir: /tmp/ssl-eg-keys-certs/ -- name: Generates certificate one eg_mecm-mepm +- name: Create mecm-mepm-ssl-secret secret # yamllint disable rule:line-length - command: kubectl create secret generic mecm-mepm-ssl-secret --from-file=server_tls.key=/tmp/.mep_tmp_cer/server_tls.key --from-file=server_tls.crt=/tmp/.mep_tmp_cer/server_tls.crt --from-file=ca.crt=/tmp/.mep_tmp_cer/ca.crt + command: kubectl create secret generic mecm-mepm-ssl-secret --from-file=server_tls.key=/tmp/ssl-eg-keys-certs/tls.key --from-file=server_tls.crt=/tmp/ssl-eg-keys-certs/tls.crt --from-file=ca.crt=/tmp/ssl-eg-keys-certs/ca.crt # yamllint disable rule:line-length args: - chdir: /tmp/.mep_tmp_cer/ + chdir: /tmp/ssl-eg-keys-certs/ -- name: Generates certificate one eg_mecm-mepm +- name: Create edgegallery-mepm-secret secret # yamllint disable rule:line-length - command: kubectl create secret generic edgegallery-mepm-secret --from-file=postgres_init.sql=/tmp/eg_mecm-mepm/deploy/conf/keys/postgres_init.sql --from-literal=postgresPassword={{ vardata.mepmpostgrespass.name}} --from-literal=postgresLcmCntlrPassword={{ vardata.mepmpostgreslcmpass.name}} --from-literal=postgresk8sPluginPassword={{ 
vardata.mepmpostgresk8spluginpass.name}} + command: kubectl create secret generic edgegallery-mepm-secret --from-file=postgres_init.sql=/tmp/eg_mecm-mepm/deploy/conf/keys/postgres_init.sql --from-literal=postgresPassword={{ vardata.mecm_mepm_postgresPassword.name}} --from-literal=postgresLcmCntlrPassword={{ vardata.mecm_mepm_postgresLcmCntlrPassword.name}} --from-literal=postgresk8sPluginPassword={{ vardata.mecm_mepm_postgresk8sPluginPassword.name}} # yamllint disable rule:line-length - args: - chdir: /tmp/.mep_tmp_cer/ -- name: Generates certificate one eg_mecm-mepm +- name: Create mepm service account command: kubectl apply -f /tmp/eg_mecm-mepm/deploy/conf/manifest/mepm/mepm-service-account.yaml args: chdir: /tmp/eg_mecm-mepm/deploy/ -- name: Repo pulling for mecm-mepm +- name: Install mecm-mepm + # yamllint disable rule:line-length + command: helm install mecm-mepm-edgegallery edgegallery/mecm-mepm --set jwt.publicKeySecretName=mecm-mepm-jwt-public-secret --set mepm.secretName=edgegallery-mepm-secret --set ssl.secretName=mecm-mepm-ssl-secret --set images.lcmcontroller.tag={{ vardata.mecm_mepm_lcmcontroller_image_tag.name}} --set images.k8splugin.tag={{ vardata.mecm_mepm_k8splugin_image_tag.name}} --set images.postgres.tag={{ vardata.mecm_mepm_postgres_image_tag.name}} # yamllint disable rule:line-length - command: helm install --wait mecm-mepm-edgegallery edgegallery/mecm-mepm --set jwt.publicKeySecretName=mecm-mepm-jwt-public-secret --set mepm.secretName=edgegallery-mepm-secret --set ssl.secretName=mecm-mepm-ssl-secret --set images.lcmcontroller.tag={{ vardata.mepmlcmcontrollerimagetag.name}} --set images.k8splugin.tag={{ vardata.mepmk8spluginimagetag.name}} --set images.postgres.tag={{ vardata.mepmpostgresimagetag.name}} diff --git a/ocd/infra/playbooks/roles/eg_mecm-mepm/tasks/main.yml b/ocd/infra/playbooks/roles/eg_mecm-mepm/tasks/main.yml index 7faf1bd..39ca99a 100644 --- a/ocd/infra/playbooks/roles/eg_mecm-mepm/tasks/main.yml 
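Review bot: The `mecm-mepm-jwt-public-secret` task stores `/tmp/ssl-eg-keys-certs/encryptedtls.key` under the key `publicKey`, and the chart consumes it via `jwt.publicKeySecretName`: an encrypted private key is being distributed where a JWT verification public key is expected, which either breaks token verification or hands the private key to a component that needs only the public half — the removed openssl tasks generated a separate `jwt_publickey`, so confirm which file deploy-tool emits for this and mount that. The `edgegallery-mepm-secret` task carries three database passwords on the command line and Ansible logs it verbatim; add `no_log: true` to it and to the ssl-secret tasks. The first two tasks are both named `Create mecm-mepm-ssl-secret secret`; the first should read `Create mecm-mepm-jwt-public-secret secret`. The new `helm install` line drops the `--wait` the replaced line had, so the play no longer blocks until mecm-mepm is ready — presumably unintended, as the other roles keep it.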
+++ b/ocd/infra/playbooks/roles/eg_mecm-mepm/tasks/main.yml @@ -18,9 +18,7 @@ # tasks file for eg_mecm-mepm - include: "install.yml" - static: false when: operation == 'install' - include: "uninstall.yml" - static: false when: operation == 'uninstall' diff --git a/ocd/infra/playbooks/roles/eg_mecm-mepm/tasks/uninstall.yml b/ocd/infra/playbooks/roles/eg_mecm-mepm/tasks/uninstall.yml index 8524b68..409b69a 100644 --- a/ocd/infra/playbooks/roles/eg_mecm-mepm/tasks/uninstall.yml +++ b/ocd/infra/playbooks/roles/eg_mecm-mepm/tasks/uninstall.yml @@ -16,7 +16,7 @@ --- -- name: Helm chart uninstallation mecm mepm +- name: Delete mecm-mepm secret command: helm uninstall mecm-mepm-edgegallery - name: Mecm mepm jwt delete @@ -24,9 +24,7 @@ command: kubectl delete secret mecm-mepm-jwt-public-secret mecm-mepm-ssl-secret edgegallery-mepm-secret # yamllint disable rule:line-length -- name: Delete mepm service +- name: Delete mep-service-account # yamllint disable rule:line-length command: kubectl delete -f /tmp/eg_mecm-mepm/deploy/conf/manifest/mepm/mepm-service-account.yaml # yamllint disable rule:line-length - args: - chdir: /tmp/eg_mecm-mepm/deploy/ diff --git a/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/config-map.yaml b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/config-map.yaml new file mode 100644 index 0000000..f913463 --- /dev/null +++ b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/config-map.yaml 
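Review bot: The task renamed `Delete mecm-mepm secret` actually runs `helm uninstall mecm-mepm-edgegallery`, and the secrets are removed by the following `Mecm mepm jwt delete` task, so both names now describe the wrong step; `Helm uninstall mecm-mepm` and `Delete mecm-mepm secrets` keep the play log readable. `kubectl delete -f /tmp/eg_mecm-mepm/deploy/conf/manifest/mepm/mepm-service-account.yaml` also depends on the install-time copy still being present in `/tmp`; deleting the binding by name, `kubectl delete clusterrolebinding fabric8-rbac`, works regardless.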
@@ -0,0 +1,27 @@
+#
+# Copyright 2020 Huawei Technologies Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: metallb-system
+ name: config
+data:
+ config: |
+ address-pools:
+ - name: address-pool-1
+ protocol: layer2
+ addresses:
+ - 192.168.100.120/32
diff --git a/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/metallb.yaml b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/metallb.yaml
new file mode 100644
index 0000000..8594115
--- /dev/null
+++ b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/metallb.yaml
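Review bot: The MetalLB address pool `- 192.168.100.120/32` is hard-coded in a role `files/` manifest, while every other site-specific value this commit touches (interfaces, macvlan addresses, image tags) is read from config.yml through `vardata`. An address that is not on the target edge site's L2 segment makes MetalLB announce an unreachable IP, and an operator has no config.yml knob to change it. Consider rendering this ConfigMap from a template with the pool taken from a new config.yml entry (name to be chosen, e.g. `mep_metallb_address_pool`), or at minimum add a comment above `addresses:` saying the value must be edited per site.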
@@ -0,0 +1,406 @@ +# +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + labels: + app: metallb + name: controller + namespace: metallb-system +spec: + allowPrivilegeEscalation: false + allowedCapabilities: [] + allowedHostPaths: [] + defaultAddCapabilities: [] + defaultAllowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + hostIPC: false + hostNetwork: false + hostPID: false + privileged: false + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL + runAsUser: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - secret + - emptyDir +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + labels: + app: metallb + name: speaker + namespace: metallb-system +spec: + allowPrivilegeEscalation: false + allowedCapabilities: + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + allowedHostPaths: [] + defaultAddCapabilities: [] + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: RunAsAny + hostIPC: false + hostNetwork: true + hostPID: false + hostPorts: + - max: 7472 + min: 7472 + privileged: true + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - 
configMap + - secret + - emptyDir +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: metallb + name: controller + namespace: metallb-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: metallb + name: speaker + namespace: metallb-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: metallb + name: metallb-system:controller +rules: + - apiGroups: + - '' + resources: + - services + verbs: + - get + - list + - watch + - update + - apiGroups: + - '' + resources: + - services/status + verbs: + - update + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - policy + resourceNames: + - controller + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: metallb + name: metallb-system:speaker +rules: + - apiGroups: + - '' + resources: + - services + - endpoints + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - policy + resourceNames: + - speaker + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: metallb + name: config-watcher + namespace: metallb-system +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: metallb + name: pod-lister + namespace: metallb-system +rules: + - apiGroups: + - '' + resources: + - pods + verbs: + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: metallb + name: metallb-system:controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metallb-system:controller +subjects: + - kind: ServiceAccount + name: controller + namespace: metallb-system 
+--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: metallb + name: metallb-system:speaker +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metallb-system:speaker +subjects: + - kind: ServiceAccount + name: speaker + namespace: metallb-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: metallb + name: config-watcher + namespace: metallb-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: config-watcher +subjects: + - kind: ServiceAccount + name: controller + - kind: ServiceAccount + name: speaker +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: metallb + name: pod-lister + namespace: metallb-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pod-lister +subjects: + - kind: ServiceAccount + name: speaker +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: metallb + component: speaker + name: speaker + namespace: metallb-system +spec: + selector: + matchLabels: + app: metallb + component: speaker + template: + metadata: + annotations: + prometheus.io/port: '7472' + prometheus.io/scrape: 'true' + labels: + app: metallb + component: speaker + spec: + containers: + - args: + - --port=7472 + - --config=config + env: + - name: METALLB_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: METALLB_HOST + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: METALLB_ML_BIND_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: METALLB_ML_LABELS + value: "app=metallb,component=speaker" + - name: METALLB_ML_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: METALLB_ML_SECRET_KEY + valueFrom: + secretKeyRef: + name: memberlist + key: secretkey + image: metallb/speaker:v0.9.3 + imagePullPolicy: IfNotPresent + name: speaker + ports: + - containerPort: 7472 + name: monitoring + 
resources: + limits: + cpu: 100m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + drop: + - ALL + readOnlyRootFilesystem: true + hostNetwork: true + nodeSelector: + beta.kubernetes.io/os: linux + serviceAccountName: speaker + terminationGracePeriodSeconds: 2 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: metallb + component: controller + name: controller + namespace: metallb-system +spec: + revisionHistoryLimit: 3 + selector: + matchLabels: + app: metallb + component: controller + template: + metadata: + annotations: + prometheus.io/port: '7472' + prometheus.io/scrape: 'true' + labels: + app: metallb + component: controller + spec: + containers: + - args: + - --port=7472 + - --config=config + image: metallb/controller:v0.9.3 + imagePullPolicy: IfNotPresent + name: controller + ports: + - containerPort: 7472 + name: monitoring + resources: + limits: + cpu: 100m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + nodeSelector: + beta.kubernetes.io/os: linux + securityContext: + runAsNonRoot: true + runAsUser: 65534 + serviceAccountName: controller + terminationGracePeriodSeconds: 0 diff --git a/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/namespace.yaml b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/namespace.yaml new file mode 100644 index 0000000..d090488 --- /dev/null +++ b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/namespace.yaml 
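Review bot: The controller container's `drop: - all` (lowercase) near the end of the hunk does not match the speaker container's `drop: - ALL` or the PSPs' `requiredDropCapabilities: - ALL`; the capability name is conventionally upper-case and this manifest gives no evidence that PSP admission treats the lowercase form as equivalent, so `- ALL` is the safe spelling. The speaker PodSecurityPolicy also sets `privileged: true` although the speaker container only adds NET_ADMIN, NET_RAW and SYS_ADMIN and never requests `privileged`; if this is a verbatim copy of the upstream MetalLB v0.9.3 manifest that may be deliberate, but a policy granting more than the workload uses is worth tightening to `privileged: false` once confirmed. The two images are pinned by tag only (`metallb/speaker:v0.9.3`, `metallb/controller:v0.9.3`); a digest pin would make this vendored manifest reproducible.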
@@ -0,0 +1,21 @@
+#
+# Copyright 2020 Huawei Technologies Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: metallb-system
+ labels:
+ app: metallb
diff --git a/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/eg-sp-controller.yaml b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/eg-sp-controller.yaml
new file mode 100644
index 0000000..95fd455
--- /dev/null
+++ b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/eg-sp-controller.yaml
@@ -0,0 +1,28 @@
+#
+# Copyright 2020 Huawei Technologies Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+kind: Pod
+apiVersion: v1
+metadata:
+ name: edgegallery-secondary-ep-controller
+ namespace: kube-system
+spec:
+ serviceAccount: edgegallery-secondary-ep-controller
+ containers:
+ - name: edgegallery-secondary-ep-controller
+ image: edgegallery/edgegallery-secondary-ep-controller:latest
+ imagePullPolicy: IfNotPresent
+ command: ["/bin/sh", "-c", "--"]
+ args: ["edgegallery-secondary-ep-controller"]
diff --git a/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/eg-sp-rbac.yaml b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/eg-sp-rbac.yaml
new file mode 100644
index 0000000..aa0fa63
--- /dev/null
+++ b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/eg-sp-rbac.yaml
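Review bot: `image: edgegallery/edgegallery-secondary-ep-controller:latest` together with `imagePullPolicy: IfNotPresent` means a node that already holds any `latest` image never refreshes it, while a fresh node pulls whatever `latest` resolves to that day, so the controller version in `kube-system` is neither reproducible nor upgradeable by re-applying this file. The `Replacing image` task in the eg_mep install.yml hunk `@@ -91,10 +172,11 @@` compounds this by replacing the previously templated `{{ vardata.egepcontroller.name}}` tag with a hard-coded `latest`; reintroduce a tag variable in config.yml and use it in that `replace:` value so the edge image is pinned like the other components. `serviceAccount:` is also the deprecated spelling; `serviceAccountName: edgegallery-secondary-ep-controller` is the documented field.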
@@ -0,0 +1,49 @@
+#
+# Copyright 2020 Huawei Technologies Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: edgegallery-secondary-ep-controller
+ namespace: kube-system
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: multi-ip-controller
+rules:
+ - apiGroups: [""]
+ resources: ["services", "pods"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: [""]
+ resources: ["endpoints", "events"]
+ verbs: ["*"]
+ - apiGroups: ["k8s.cni.cncf.io"]
+ resources: ["network-attachment-definitions"]
+ verbs: ["*"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: watch-update-secondary-endpoints
+subjects:
+ - kind: ServiceAccount
+ name: edgegallery-secondary-ep-controller
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: multi-ip-controller
+ apiGroup: rbac.authorization.k8s.io
diff --git a/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/multus.yaml b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/multus.yaml
new file mode 100644
index 0000000..bb21616
--- /dev/null
+++ b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/multus.yaml
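Review bot: The `multi-ip-controller` ClusterRole grants `verbs: ["*"]` on `endpoints`, `events` and `network-attachment-definitions` across all namespaces, which includes `delete` and `deletecollection` the controller is unlikely to need. The controller's code is not on this page, so the exact verb set cannot be confirmed here, but the binding name `watch-update-secondary-endpoints` suggests `["get", "list", "watch", "update", "patch"]` on endpoints and `["create", "patch"]` on events would suffice; spelling the verbs out keeps the `kube-system` service account's blast radius bounded. A short comment above `rules:` stating which operations the controller performs would let the next reviewer verify the grant against the binary.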
@@ -0,0 +1,358 @@ +# +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: network-attachment-definitions.k8s.cni.cncf.io +spec: + group: k8s.cni.cncf.io + scope: Namespaced + names: + plural: network-attachment-definitions + singular: network-attachment-definition + kind: NetworkAttachmentDefinition + shortNames: + - net-attach-def + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + # yamllint disable rule:line-length + description: 'NetworkAttachmentDefinition is a CRD schema specified by the Network Plumbing + Working Group to express the intent for attaching pods to one or more logical or physical + networks. More information available at: https://github.com/k8snetworkplumbingwg/multi-net-spec' + # yamllint disable rule:line-length + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this represen + tation of an object. Servers should convert recognized schemas to the + latest internal value, and may reject unrecognized values. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'NetworkAttachmentDefinition spec defines the desired state of a network attachment' + type: object + properties: + config: + description: 'NetworkAttachmentDefinition config is a JSON-formatted CNI configuration' + type: string +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: multus +rules: + - apiGroups: ["k8s.cni.cncf.io"] + resources: + - '*' + verbs: + - '*' + - apiGroups: + - "" + resources: + - pods + - pods/status + verbs: + - get + - update + - apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - update +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: multus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: multus +subjects: + - kind: ServiceAccount + name: multus + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: multus + namespace: kube-system +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: multus-cni-config + namespace: kube-system + labels: + tier: node + app: multus +data: + # NOTE: If you'd prefer to manually apply a configuration file, you may create one here. + # In the case you'd like to customize the Multus installation, you should change the arguments to the Multus pod + # change the "args" line below from + # - "--multus-conf-file=auto" + # to: + # "--multus-conf-file=/tmp/multus-conf/70-multus.conf" + # Additionally -- you should ensure that the name "70-multus.conf" is the alphabetically first name in the + # /etc/cni/net.d/ directory on each node, otherwise, it will not be used by the Kubelet. 
+ cni-conf.json: | + { + "name": "multus-cni-network", + "type": "multus", + "capabilities": { + "portMappings": true + }, + "delegates": [ + { + "cniVersion": "0.3.1", + "name": "default-cni-network", + "plugins": [ + { + "type": "flannel", + "name": "flannel.1", + "delegate": { + "isDefaultGateway": true, + "hairpinMode": true + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + ], + "kubeconfig": "/etc/cni/net.d/multus.d/multus.kubeconfig" + } +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kube-multus-ds-amd64 + namespace: kube-system + labels: + tier: node + app: multus + name: multus +spec: + selector: + matchLabels: + name: multus + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + tier: node + app: multus + name: multus + spec: + hostNetwork: true + nodeSelector: + kubernetes.io/arch: amd64 + tolerations: + - operator: Exists + effect: NoSchedule + serviceAccountName: multus + containers: + - name: kube-multus + image: docker.io/nfvpe/multus:stable + command: ["/entrypoint.sh"] + args: + - "--multus-conf-file=auto" + - "--cni-version=0.3.1" + resources: + requests: + cpu: "100m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + securityContext: + privileged: true + volumeMounts: + - name: cni + mountPath: /host/etc/cni/net.d + - name: cnibin + mountPath: /host/opt/cni/bin + - name: multus-cfg + mountPath: /tmp/multus-conf + volumes: + - name: cni + hostPath: + path: /etc/cni/net.d + - name: cnibin + hostPath: + path: /opt/cni/bin + - name: multus-cfg + configMap: + name: multus-cni-config + items: + - key: cni-conf.json + path: 70-multus.conf +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kube-multus-ds-ppc64le + namespace: kube-system + labels: + tier: node + app: multus + name: multus +spec: + selector: + matchLabels: + name: multus + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + tier: node + app: multus + name: multus + 
spec: + hostNetwork: true + nodeSelector: + kubernetes.io/arch: ppc64le + tolerations: + - operator: Exists + effect: NoSchedule + serviceAccountName: multus + containers: + - name: kube-multus + # ppc64le support requires multus:latest for now. support 3.3 or later. + image: docker.io/nfvpe/multus:stable-ppc64le + command: ["/entrypoint.sh"] + args: + - "--multus-conf-file=auto" + - "--cni-version=0.3.1" + resources: + requests: + cpu: "100m" + memory: "90Mi" + limits: + cpu: "100m" + memory: "90Mi" + securityContext: + privileged: true + volumeMounts: + - name: cni + mountPath: /host/etc/cni/net.d + - name: cnibin + mountPath: /host/opt/cni/bin + - name: multus-cfg + mountPath: /tmp/multus-conf + volumes: + - name: cni + hostPath: + path: /etc/cni/net.d + - name: cnibin + hostPath: + path: /opt/cni/bin + - name: multus-cfg + configMap: + name: multus-cni-config + items: + - key: cni-conf.json + path: 70-multus.conf +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kube-multus-ds-arm64v8 + namespace: kube-system + labels: + tier: node + app: multus + name: multus +spec: + selector: + matchLabels: + name: multus + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + tier: node + app: multus + name: multus + spec: + hostNetwork: true + nodeSelector: + kubernetes.io/arch: arm64 + tolerations: + - operator: Exists + effect: NoSchedule + serviceAccountName: multus + containers: + - name: kube-multus + image: docker.io/nfvpe/multus:stable-arm64v8 + command: ["/entrypoint.sh"] + args: + - "--multus-conf-file=auto" + - "--cni-version=0.3.1" + resources: + requests: + cpu: "100m" + memory: "90Mi" + limits: + cpu: "100m" + memory: "90Mi" + securityContext: + privileged: true + volumeMounts: + - name: cni + mountPath: /host/etc/cni/net.d + - name: cnibin + mountPath: /host/opt/cni/bin + - name: multus-cfg + mountPath: /tmp/multus-conf + volumes: + - name: cni + hostPath: + path: /etc/cni/net.d + - name: cnibin + hostPath: + path: /opt/cni/bin 
+ - name: multus-cfg + configMap: + name: multus-cni-config + items: + - key: cni-conf.json + path: 70-multus.conf diff --git a/ocd/infra/playbooks/roles/eg_mep/tasks/install.yml b/ocd/infra/playbooks/roles/eg_mep/tasks/install.yml index 0033928..8733101 100644 --- a/ocd/infra/playbooks/roles/eg_mep/tasks/install.yml +++ b/ocd/infra/playbooks/roles/eg_mep/tasks/install.yml @@ -1,4 +1,3 @@ -# # Copyright 2020 Huawei Technologies Co., Ltd. # # Licensed under the Apache License, Version 2.0 (the "License"); 
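Review bot: All three DaemonSets reference a floating tag (`docker.io/nfvpe/multus:stable`, `:stable-ppc64le`, `:stable-arm64v8`) while running `privileged: true` with `hostNetwork: true` and writable hostPath mounts of `/etc/cni/net.d` and `/opt/cni/bin`, so an upstream change behind `stable` lands as root on every node with no change to this repository. Pin a specific release tag or digest in the three `image:` lines, and consider a comment recording the Multus version the `cni-conf.json` delegate layout (`cniVersion 0.3.1`, flannel + portmap) was validated against. The comment `# ppc64le support requires multus:latest for now. support 3.3 or later.` no longer matches the `stable-ppc64le` tag directly beneath it and should be updated or removed.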
@@ -26,6 +25,78 @@ file: ../../../config.yml name: vardata +- name: Remove old dir + command: rm -rf /tmp/.mep_tmp_cer + args: + chdir: /tmp/ + +- name: Make dir + command: mkdir -p /tmp/.mep_tmp_cer + args: + chdir: /tmp/ + +- name: Openssl genrsa + command: openssl genrsa -out ca.key 2048 + args: + chdir: /tmp/.mep_tmp_cer/ + +- name: Opnessl req + # yamllint disable rule:line-length + command: openssl req -new -key ca.key -subj /C=CN/ST=Peking/L=Beijing/O=edgegallery/CN=edgegallery -out ca.csr + # yamllint disable rule:line-length + args: + chdir: /tmp/.mep_tmp_cer/ + +- name: Sing key with ca key and ca crt + # yamllint disable rule:line-length + command: openssl x509 -req -days 365 -in ca.csr -extensions v3_ca -signkey ca.key -out ca.crt + # yamllint disable rule:line-length + args: + chdir: /tmp/.mep_tmp_cer/ + +- name: Openssl genrsa + command: openssl genrsa -out mepserver_tls.key 2048 + args: + chdir: /tmp/.mep_tmp_cer/ + +- name: Openssl rsa mep tls + # yamllint disable rule:line-length + command: openssl rsa -in mepserver_tls.key -aes256 -passout pass:{{ vardata.generate_cert_pass.name}} -out mepserver_encryptedtls.key + # yamllint disable rule:line-length + args: + chdir: /tmp/.mep_tmp_cer/ + +- name: Openssl req new key mepserver tls key + # yamllint disable rule:line-length + command: openssl req -new -key mepserver_tls.key -subj /C=CN/ST=Beijing/L=Beijing/O=edgegallery/CN=edgegallery -out mepserver_tls.csr + # yamllint disable rule:line-length + args: + chdir: /tmp/.mep_tmp_cer/ + +- name: Openssl mepserver tls csr + # yamllint disable rule:line-length + command: openssl x509 -req -in mepserver_tls.csr -extensions v3_req -CA ca.crt -CAkey ca.key -CAcreateserial -out mepserver_tls.crt + # yamllint disable rule:line-length + args: + chdir: /tmp/.mep_tmp_cer/ + +- name: Openssl genrsa out + command: openssl genrsa -out jwt_privatekey 2048 + args: + chdir: /tmp/.mep_tmp_cer/ + +- name: Openssl rsa jwt privatekey + command: openssl rsa -in jwt_privatekey 
-pubout -out jwt_publickey + args: + chdir: /tmp/.mep_tmp_cer/ + +- name: Openssl rsa in jwt + # yamllint disable rule:line-length + command: openssl rsa -in jwt_privatekey -aes256 -passout pass:{{ vardata.generate_cert_pass.name}} -out jwt_encrypted_privatekey + # yamllint disable rule:line-length + args: + chdir: /tmp/.mep_tmp_cer/ + - name: Create mep namespace command: kubectl create ns mep args: 
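Review bot: The `Openssl rsa mep tls` and `Openssl rsa in jwt` tasks pass `-passout pass:{{ vardata.generate_cert_pass.name}}` to the `command` module without `no_log: true`, so the rendered command, key-encryption password included, goes to Ansible's stdout and any log on every run and is visible in the target's process list while openssl executes; add `no_log: true` to both tasks and preferably pass the password as `-passout env:CERT_PASS` with an `environment:` block instead of on argv. The same omission affects the `Create generic pg secret`/`Create mep generic for mep ssl` hunk `@@ -33,25 +104,33 @@`, the `Docker login` task in eg_pre_require/tasks/install.yml and the `Generate secret` task in eg_secret/tasks/install.yml, all of which place `--from-literal=...=` passwords or `-p` on the command line. Separately, the `Openssl mepserver tls csr` task signs the server certificate with no `-days` argument, so `openssl x509 -req` uses its built-in default of 30 days while the CA gets `-days 365` and config.yml now defines `cert_validity_in_days`; use `-days {{ vardata.cert_validity_in_days.name }}` on both signing commands. As far as I recall `-extensions v3_ca` / `-extensions v3_req` are ignored by `x509 -req` unless an `-extfile` is given, so confirm the generated `ca.crt` actually carries `basicConstraints=CA:TRUE` before trusting it as an anchor. The private keys are also written under `/tmp/.mep_tmp_cer`, created by a plain `mkdir -p` with the default umask; using the `file` module with `mode: "0700"` would keep them from other local users between generation and the `Remove directory` cleanup.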
@@ -33,25 +104,33 @@ - name: Create generic pg secret # yamllint disable rule:line-length - command: kubectl -n mep create secret generic pg-secret --from-literal=pg_admin_pwd={{ vardata.mepadminpwd.name}} --from-literal=kong_pg_pwd={{ vardata.mepkongpgpwd.name}} --from-file=server.key=/tmp/.mep_tmp_cer/server_tls.key --from-file=server.crt=/tmp/.mep_tmp_cer/server_tls.crt + command: kubectl -n mep create secret generic pg-secret --from-literal=pg_admin_pwd={{ vardata.mep_pg_admin_pwd.name}} --from-literal=kong_pg_pwd={{ vardata.mep_kong_pg_pwd.name}} + --from-file=server.key=/tmp/.mep_tmp_cer/mepserver_tls.key --from-file=server.crt=/tmp/.mep_tmp_cer/mepserver_tls.crt # yamllint disable rule:line-length args: chdir: /tmp/ - name: Create mep generic for mep ssl # yamllint disable rule:line-length - command: kubectl -n mep create secret generic mep-ssl --from-literal=cert_pwd={{ vardata.mepcertpwd.name}} --from-file=server.cer=/tmp/.mep_tmp_cer/server_tls.crt --from-file=server_key.pem=/tmp/.mep_tmp_cer/server_encryptedtls.key --from-file=trust.cer=/tmp/.mep_tmp_cer/ca.crt + command: kubectl -n mep create secret generic mep-ssl --from-literal=cert_pwd={{ vardata.mep_cert_pwd.name}} --from-file=server.cer=/tmp/.mep_tmp_cer/mepserver_tls.crt + --from-file=server_key.pem=/tmp/.mep_tmp_cer/mepserver_encryptedtls.key --from-file=trust.cer=/tmp/.mep_tmp_cer/ca.crt # yamllint disable rule:line-length args: chdir: /tmp/ - name: Create mep seret generic # yamllint disable rule:line-length - command: kubectl -n mep create secret generic mepauth-secret --from-file=server.crt=/tmp/.mep_tmp_cer/server_tls.crt --from-file=server.key=/tmp/.mep_tmp_cer/server_tls.key --from-file=ca.crt=/tmp/.mep_tmp_cer/ca.crt --from-file=jwt_publickey=/tmp/.mep_tmp_cer/jwt_publickey --from-file=jwt_encrypted_privatekey=/tmp/.mep_tmp_cer/jwt_encrypted_privatekey + command: kubectl -n mep create secret generic mepauth-secret --from-file=server.crt=/tmp/.mep_tmp_cer/mepserver_tls.crt 
--from-file=server.key=/tmp/.mep_tmp_cer/mepserver_tls.key + --from-file=ca.crt=/tmp/.mep_tmp_cer/ca.crt --from-file=jwt_publickey=/tmp/.mep_tmp_cer/jwt_publickey --from-file=jwt_encrypted_privatekey=/tmp/.mep_tmp_cer/jwt_encrypted_privatekey # yamllint disable rule:line-length args: chdir: /tmp/ +- name: Remove directory + command: rm -rf /tmp/.mep_tmp_cer + args: + chdir: /tmp/ + - debug: msg: Deploy_dns_metallb execution start @@ -66,7 +145,9 @@ chdir: /tmp/eg_mep/deploy/ - name: Eg_Mep deployment create secret + # yamllint disable rule:line-length command: kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)" + # yamllint disable rule:line-length args: chdir: /tmp/eg_mep/deploy/ @@ -91,10 +172,11 @@ - name: Replacing image replace: path: /tmp/eg_mep/deploy/conf/edge/network-isolation/eg-sp-controller.yaml - regexp: 'edgegallery/edgegallery-secondary-ep-controller:{{ vardata.egepcontroller.name}}' - replace: "swr.ap-southeast-1.myhuaweicloud.com/edgegallery/edgegallery-secondary-ep-controller:{{ vardata.cloudegepcontroller.name}}" + regexp: 'edgegallery/edgegallery-secondary-ep-controller:latest' + replace: "swr.ap-southeast-1.myhuaweicloud.com/edgegallery/edgegallery-secondary-ep-controller:latest" - name: Running eg-sp-controller yaml files + # yamllint disable rule:line-length command: kubectl apply -f /tmp/eg_mep/deploy/conf/edge/network-isolation/eg-sp-controller.yaml args: chdir: /tmp/eg_mep/deploy/ 
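Review bot: In the `@@ -33,25 +104,33 @@` hunk each `command:` value is now continued on a second line (`+ --from-file=server.key=...`); YAML folds a plain multi-line scalar into one line only when the continuation is indented deeper than the `command:` key's mapping, which the collapsed diff does not let me verify, and the intent would be clearer and yamllint-clean as a `command: >-` folded block scalar. The trailing `# yamllint disable rule:line-length` written after each long command should be `# yamllint enable rule:line-length`, otherwise the rule stays disabled for the rest of the file; this disable/disable pairing recurs in every hunk of this commit that adds these comments.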
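Review bot: In the `@@ -66,7 +145,9 @@` hunk, `command: kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)"` is executed by Ansible's `command` module, which does not go through a shell, so `$(...)` is never expanded and the memberlist secret key becomes the literal text `$(openssl rand -base64 128)` — the same value on every deployment — instead of a random one; this line is context in the hunk, which only adds yamllint comments around it, but it is the new-side code. Switch this task to `shell:` so the substitution runs, or generate the key in Ansible with `--from-literal=secretkey={{ lookup('password', '/dev/null length=64') }}`, and add `no_log: true` so the key is not logged.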
@@ -103,14 +185,15 @@ msg: Setup_interfaces execution start - name: Link eg mep macvlan - command: ip link add eg-mp1 link {{ vardata.systeminterface1.name}} type macvlan mode bridge + # yamllint disable rule:line-length + command: ip link add eg-mp1 link {{ vardata.system_interfaceeth1.name}} type macvlan mode bridge args: chdir: /tmp/eg_mep/deploy/ ignore_errors: yes no_log: True - name: Link eg mep macvlan - command: ip addr add {{ vardata.ipaddregmepmacvlan.name}} dev eg-mp1 + command: ip addr add {{ vardata.mep_ip_addr_macvlan_eg_mep1.name}} dev eg-mp1 args: chdir: /tmp/eg_mep/deploy/ ignore_errors: yes @@ -124,14 +207,15 @@ no_log: True - name: Link eg eg mm5 with eth1 - command: ip link add eg-mm5 link {{ vardata.systeminterface2.name}} type macvlan mode bridge + # yamllint disable rule:line-length + command: ip link add eg-mm5 link {{ vardata.system_interfaceeth2.name}} type macvlan mode bridge args: chdir: /tmp/eg_mep/deploy/ ignore_errors: yes no_log: True - name: Link eg eg mm5 ip addr - command: ip addr add {{ vardata.ipaddregmep5.name}} dev eg-mm5 + command: ip addr add {{ vardata.mep_ip_addr_mm5_eg_mm5.name}} dev eg-mm5 args: chdir: /tmp/eg_mep/deploy/ ignore_errors: yes 
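Review bot: `{{ vardata.system_interfaceeth1.name}}` is interpolated unquoted into `ip link add eg-mp1 link ... type macvlan mode bridge`, and the task keeps `ignore_errors: yes` with `no_log: True`, so if the config.yml entry is left empty the command renders as `ip link add eg-mp1 link type macvlan mode bridge`, fails, and the failure is both ignored and hidden; the same applies to `system_interfaceeth2` in the `@@ -124,14 +207,15 @@` hunk. An `assert:` at the start of the role, e.g. `that: vardata.system_interfaceeth1.name | default('', true) | length > 0` for each interface and address variable, would fail fast with a readable message. `ignore_errors: yes` / `no_log: True` are also non-canonical truthy spellings; yamllint's `truthy` rule expects `true`/`false`.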
@@ -147,11 +231,7 @@ - debug: msg: Pull helm repo start -- name: Edge gallery mep installation pull chart +- name: Edge gallery mep installation pull chart and image # yamllint disable rule:line-length - command: helm install --wait mep-edgegallery edgegallery/mep --set networkIsolation.phyInterface.mp1={{ vardata.systeminterface1.name}} --set networkIsolation.phyInterface.mm5={{ vardata.systeminterface2.name}} --set images.mep.tag={{ vardata.mepimagetag.name}} --set images.mepauth.tag={{ vardata.mepauthimagetag.name}} --set images.dns.tag={{ vardata.mepdnsimagetag.name}} --set ssl.secretName=mep-ssl + command: helm install mep-edgegallery edgegallery/mep --set networkIsolation.phyInterface.mp1={{ vardata.system_interfaceeth1.name}} --set networkIsolation.phyInterface.mm5={{ vardata.system_interfaceeth2.name}} --set images.mep.tag={{ vardata.mep_image_tag.name}} --set images.mepauth.tag={{ vardata.mep_mepauth_image_tag.name}} --set images.dns.tag={{ vardata.mep_dns_image_tag.name}} --set ssl.secretName=mep-ssl # yamllint disable rule:line-length - args: - chdir: /tmp/eg_mep/deploy/ - ignore_errors: yes - no_log: True diff --git a/ocd/infra/playbooks/roles/eg_mep/tasks/uninstall.yml b/ocd/infra/playbooks/roles/eg_mep/tasks/uninstall.yml index d64aa0d..99203f6 100644 --- a/ocd/infra/playbooks/roles/eg_mep/tasks/uninstall.yml +++ b/ocd/infra/playbooks/roles/eg_mep/tasks/uninstall.yml @@ -1,4 +1,3 @@ -# # Copyright 2020 Huawei Technologies Co., Ltd. # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -44,7 +43,6 @@ - name: Delete network isolation multus eg sp controller # yamllint disable rule:line-length command: kubectl delete -f /tmp/eg_mep/deploy/edge/network-isolation/eg-sp-controller.yaml - # yamllint disable rule:line-length args: chdir: /tmp/eg_mep/deploy/ ignore_errors: yes 
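Review bot: In the uninstall.yml hunk `@@ -44,7 +43,6 @@`, the unchanged command `kubectl delete -f /tmp/eg_mep/deploy/edge/network-isolation/eg-sp-controller.yaml` omits the `conf/` path segment that every other delete task in this file and the install task in `@@ -91,10 +172,11 @@` use (`/tmp/eg_mep/deploy/conf/edge/network-isolation/...`); with `ignore_errors: yes` and `no_log: True` on the task the missing-file error is swallowed, so the `edgegallery-secondary-ep-controller` Pod would survive an uninstall. Change it to `command: kubectl delete -f /tmp/eg_mep/deploy/conf/edge/network-isolation/eg-sp-controller.yaml`. In the install.yml hunk `@@ -147,11 +231,7 @@` the helm command also drops `--wait`, so any later step that assumes mep pods are Ready (not visible here) now needs its own readiness check, e.g. a `kubectl -n mep rollout status deployment/<mep deployment name>` task.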
@@ -53,13 +51,13 @@ - name: Delete network isolation multus eg sp rbac # yamllint disable rule:line-length command: kubectl delete -f /tmp/eg_mep/deploy/conf/edge/network-isolation/eg-sp-rbac.yaml - # yamllint disable rule:line-length args: chdir: /tmp/eg_mep/deploy/ ignore_errors: yes no_log: True - name: Delete network isolation multus + # yamllint disable rule:line-length command: kubectl delete -f /tmp/eg_mep/deploy/conf/edge/network-isolation/multus.yaml args: chdir: /tmp/eg_mep/deploy/ @@ -67,6 +65,7 @@ no_log: True - name: Delete network isolation rm host local + # yamllint disable rule:line-length command: rm /opt/cni/bin/macvlan /opt/cni/bin/host-local args: chdir: /tmp/remote-platform/ @@ -109,6 +108,7 @@ no_log: True - name: Uninstall dns metallb config mep + # yamllint disable rule:line-length command: kubectl delete -f /tmp/eg_mep/deploy/conf/edge/metallb/config-map.yaml args: chdir: /tmp/eg_mep/deploy/ @@ -116,6 +116,7 @@ no_log: True - name: Delete dns metallb + # yamllint disable rule:line-length command: kubectl delete -f /tmp/eg_mep/deploy/conf/edge/metallb/metallb.yaml args: chdir: /tmp/eg_mep/deploy/ @@ -125,7 +126,6 @@ - name: Delete dns metallb namespace # yamllint disable rule:line-length command: kubectl delete -f /tmp/eg_mep/deploy/conf/edge/metallb/namespace.yaml - # yamllint disable rule:line-length args: chdir: /tmp/eg_mep/deploy/ ignore_errors: yes diff --git a/ocd/infra/playbooks/roles/eg_pre_require/tasks/install.yml b/ocd/infra/playbooks/roles/eg_pre_require/tasks/install.yml index 0871f84..009ea92 100644 --- a/ocd/infra/playbooks/roles/eg_pre_require/tasks/install.yml +++ b/ocd/infra/playbooks/roles/eg_pre_require/tasks/install.yml 
@@ -18,18 +18,21 @@ - name: Import config file include_vars: - file: ../../../config.yml - name: vardata + file: ../../../config.yml + name: vardata + +- name: Certificate copy + debug: + msg: Copy certificate from ocd to center and edge - synchronize: - src: /tmp/.mep_tmp_cer - dest: /tmp/ + src: /tmp/ssl-eg-keys-certs + dest: /tmp/ - name: Docker login # yamllint disable rule:line-length - command: docker login -u {{ vardata.dockerusername.name}} -p {{ vardata.dockerpass.name}} swr.ap-southeast-1.myhuaweicloud.com - # yamllint disable rule:line-length + command: docker login -u {{ vardata.dockerusr.name}} -p {{ vardata.dockerpass.name}} swr.ap-southeast-1.myhuaweicloud.com -- name: Setting pull image swr path +- name: Create docker-registry secret # yamllint disable rule:line-length command: kubectl create secret docker-registry swrregcred --docker-server=https://swr.ap-southeast-1.myhuaweicloud.com/v2/ --docker-username={{ vardata.swrusr.name}} --docker-password={{ vardata.swrpass.name}} diff --git a/ocd/infra/playbooks/roles/eg_secret/tasks/install.yml b/ocd/infra/playbooks/roles/eg_secret/tasks/install.yml new file mode 100644 index 0000000..53892cd --- /dev/null +++ b/ocd/infra/playbooks/roles/eg_secret/tasks/install.yml 
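Review bot: The unnamed `synchronize:` task now copies `/tmp/ssl-eg-keys-certs` — which, per eg_secret/tasks/install.yml, holds `keystore.p12`, `encryptedtls.key` and the CA certificate — into `/tmp/` on every target host; `/tmp` is world-readable by default and rsync only preserves permissions that were already restrictive at the source, so verify the source directory is `0700` or add `rsync_opts: ["--chmod=D0700,F0600"]`. Nothing on this page removes the copied directory after the secret is created (the `Remove directory` cleanup in eg_mep covers only `/tmp/.mep_tmp_cer`), so the key material persists on each center/edge host unless removed elsewhere. Give the task a `name:` as well; the preceding `debug:` message is not a task name and does not identify this step in the log.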
@@ -0,0 +1,27 @@
+#
+# Copyright 2020 Huawei Technologies Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+---
+
+- name: Import config file
+ include_vars:
+ file: ../../../config.yml
+ name: vardata
+
+- name: Generate secret
+ # yamllint disable rule:line-length
+ command: kubectl create secret generic edgegallery-ssl-secret --from-file=keystore.p12=/tmp/ssl-eg-keys-certs/keystore.p12 --from-literal=keystorePassword={{ vardata.secret_keystorepass.name}} --from-literal=keystoreType=PKCS12 --from-literal=keyAlias=edgegallery --from-file=trust.cer=/tmp/ssl-eg-keys-certs/ca.crt --from-file=server.cer=/tmp/ssl-eg-keys-certs/tls.crt --from-file=server_key.pem=/tmp/ssl-eg-keys-certs/encryptedtls.key --from-literal=cert_pwd={{ vardata.secret_cert_pass.name}}
+ # yamllint disable rule:line-length
diff --git a/ocd/infra/playbooks/roles/eg_secret/tasks/main.yml b/ocd/infra/playbooks/roles/eg_secret/tasks/main.yml
new file mode 100644
index 0000000..bd61315
--- /dev/null
+++ b/ocd/infra/playbooks/roles/eg_secret/tasks/main.yml
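Review bot: The `kubectl create secret generic edgegallery-ssl-secret ...` task is not idempotent: a second run of the install playbook fails because `command` has no way to know the secret already exists, and nothing short of the uninstall role removes it. Either register the result and set `failed_when` to accept an already-exists error, or (on a kubectl that supports `--dry-run=client`) generate the manifest with `--dry-run=client -o yaml` and pipe it to `kubectl apply -f -` via the `shell` module. The second `# yamllint disable rule:line-length` after the command line is a leftover duplicate of the one above it; the other hunks in this commit remove exactly that trailing form, so drop it here as well.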
@@ -0,0 +1,26 @@
+#
+# Copyright 2020 Huawei Technologies Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+---
+
+# tasks file for eg_secret
+- include: "install.yml"
+ static: false
+ when: operation == 'install'
+
+- include: "uninstall.yml"
+ static: false
+ when: operation == 'uninstall'
diff --git a/ocd/infra/playbooks/roles/eg_secret/tasks/uninstall.yml b/ocd/infra/playbooks/roles/eg_secret/tasks/uninstall.yml
new file mode 100644
index 0000000..c180f5e
--- /dev/null
+++ b/ocd/infra/playbooks/roles/eg_secret/tasks/uninstall.yml
@@ -0,0 +1,20 @@
+#
+# Copyright 2020 Huawei Technologies Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+---
+
+- name: Delete edgegallery ssl secret
+ command: kubectl delete secret edgegallery-ssl-secret
diff --git a/ocd/infra/playbooks/roles/eg_set-helm-repo/tasks/install.yml b/ocd/infra/playbooks/roles/eg_set-helm-repo/tasks/install.yml
index bc779fc..6e517b1 100644
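Review bot: `- include: "install.yml"` with `static: false` uses the `include` action that Ansible deprecated in favour of `include_tasks`/`import_tasks`; current releases print a deprecation warning for it, and the `static` option is on the same removal path. Since the `when: operation == ...` conditions need dynamic evaluation, write `- include_tasks: install.yml` (and the same for `uninstall.yml`) and drop the `static` key, which `include_tasks` does not take. Note that `when: operation == 'install'` aborts with an undefined-variable error when the playbook is run without `operation` set; if that is intended, a one-line comment such as `# operation is a required extra var: install | uninstall` above the first task would make it explicit.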
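Review bot: The `kubectl delete secret edgegallery-ssl-secret` task has no `ignore_errors`, unlike the other uninstall tasks touched in this commit, so an uninstall run aborts at this step whenever the secret is already gone (for example after a partially failed install). The simplest consistent fix is `command: kubectl delete secret edgegallery-ssl-secret --ignore-not-found`, which keeps the task idempotent without masking other failures the way `ignore_errors: yes` would. If `ignore_errors` is used instead, prefer the lowercase `true` form that yamllint's truthy rule expects over the `yes`/`True` spellings used elsewhere in these roles.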
--- a/ocd/infra/playbooks/roles/eg_set-helm-repo/tasks/install.yml
+++ b/ocd/infra/playbooks/roles/eg_set-helm-repo/tasks/install.yml
@@ -18,12 +18,13 @@ - name: Import config file include_vars: - file: ../../../config.yml - name: vardata + file: ../../../config.yml + name: vardata -- name: Add adgegallery repo in private IP +- name: Helm repo add edgegallery # yamllint disable rule:line-length - command: helm repo add edgegallery http://{{ vardata.helmrepoip.name}}:8080/edgegallery + command: helm repo add edgegallery http://{{ vardata.private_repo_ip.name}}:8080/edgegallery -- name: Add stable repo in private IP - command: helm repo add stable http://{{ vardata.helmrepoip.name}}:8080/stable +- name: Helm repo add stable + # yamllint disable rule:line-length + command: helm repo add stable http://{{ vardata.private_repo_ip.name}}:8080/stable
diff --git a/ocd/infra/playbooks/roles/eg_user-mgmt/tasks/install.yml b/ocd/infra/playbooks/roles/eg_user-mgmt/tasks/install.yml
index 24d17b4..2d128ee 100644
--- a/ocd/infra/playbooks/roles/eg_user-mgmt/tasks/install.yml
+++ b/ocd/infra/playbooks/roles/eg_user-mgmt/tasks/install.yml
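Review bot: Both `helm repo add` commands register the chart repositories over plain `http://{{ vardata.private_repo_ip.name}}:8080`, so every chart the later roles install (the user-mgmt role in this commit, and presumably the others) is fetched with no transport integrity or origin check; a host that can interpose on the path to the private repo could serve different chart contents. If the repository can terminate TLS, switch the URLs to `https://` and pass the internal CA with `--ca-file`; if it cannot, at least pin chart versions with `--version` on each `helm install` and verify provenance files where the charts are signed. Separately, on newer Helm 3 releases `helm repo add` appears to fail when the name already exists, so a re-run of the install playbook may stop here; adding `--force-update` to both commands keeps the tasks re-runnable.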
@@ -16,26 +16,17 @@ --- -- name: Doing deployment setup eg_user-mgm for edge gallery - copy: - src: deploy - dest: /tmp/eg_user-mgmt/ - -- name: Import vars -# yamllint disable rule:line-length +- name: Import config file include_vars: - file: ../../../config.yml - name: vardata -# yamllint disable rule:line-length + file: ../../../config.yml + name: vardata - name: Generating certificates for usermanagment -# yamllint disable rule:line-length - command: kubectl create secret generic user-mgmt-jwt-secret --from-file=publicKey=/tmp/.mep_tmp_cer/mepserver_encryptedtls.key --from-file=encryptedPrivateKey=/tmp/eg_user-mgmt/deploy/conf/keys/encrypted_rsa_private_key.pem --from-literal=encryptPassword={{ vardata.firstvar.name}} -# yamllint disable rule:line-length - args: - chdir: /tmp/.mep_tmp_cer/ + # yamllint disable rule:line-length + command: kubectl create secret generic user-mgmt-jwt-secret --from-file=publicKey=/tmp/ssl-eg-keys-certs/rsa_public_key.pem --from-file=encryptedPrivateKey=/tmp/ssl-eg-keys-certs/encrypted_rsa_private_key.pem --from-literal=encryptPassword={{ vardata.user_mgmt_encryptpass.name}} + # yamllint disable rule:line-length -- name: Pull helm chart eg_user-mgm -# yamllint disable rule:line-length - command: helm install user-mgmt-edgegallery edgegallery/usermgmt --set global.oauth2.clients.appstore.clientUrl=https://{{ vardata.authServer.name}}:30091,global.oauth2.clients.developer.clientUrl=https://{{ vardata.authServer.name}}:30092,global.oauth2.clients.mecm.clientUrl=https://{{ vardata.authServer.name}}:30093, --set jwt.secretName=user-mgmt-jwt-secret --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret -# yamllint disable rule:line-length +- name: Install user-mgmt + # yamllint disable rule:line-length + command: helm install --wait user-mgmt-edgegallery edgegallery/usermgmt --set global.oauth2.clients.appstore.clientUrl=https://{{ 
vardata.user_mgmt_oauth_appstore_client_ip.name}}:{{vardata.user_mgmt_oauth_appstore_client_port.name}},global.oauth2.clients.developer.clientUrl=https://{{ vardata.user_mgmt_oauth_developer_client_ip.name}}:{{vardata.user_mgmt_oauth_developer_client_port.name}},global.oauth2.clients.mecm.clientUrl=https://{{ vardata.user_mgmt_oauth_mecm_client_ip.name}}:{{vardata.user_mgmt_oauth_mecm_client_port.name}}, --set jwt.secretName=user-mgmt-jwt-secret --set images.usermgmt.tag={{ vardata.user_mgmt_image_tag.name}} --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret + # yamllint disable rule:line-length