Edge gallery roles added 72/3872/8
authorarvindpatel <arvind.patel@huawei.com>
Wed, 4 Nov 2020 22:20:27 +0000 (03:50 +0530)
committerarvindpatel <arvind.patel@huawei.com>
Thu, 5 Nov 2020 08:59:24 +0000 (14:29 +0530)
Signed-off-by: arvindpatel <arvind.patel@huawei.com>
Change-Id: I039d4394b609c7b336d7156b9014b720259e80b4

44 files changed:
ocd/infra/playbooks/config.yml
ocd/infra/playbooks/roles/eg_appstore/tasks/install.yml
ocd/infra/playbooks/roles/eg_certs/tasks/install.yml
ocd/infra/playbooks/roles/eg_certs/tasks/main.yml
ocd/infra/playbooks/roles/eg_certs/tasks/uninstall.yml [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_developer/tasks/install.yml
ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/appstore-0.9.tgz [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/developer-0.9.tgz [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-fe-0.9.tgz [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-meo-0.9.tgz [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-mepm-0.9.tgz [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mep-0.9.tgz [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/servicecenter-0.9.tgz [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/usermgmt-0.9.tgz [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/grafana-5.5.5.tgz [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/nfs-client-provisioner-1.2.8.tgz [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/nginx-ingress-1.41.2.tgz [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/prometheus-9.3.1.tgz [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_helm-repo/tasks/install.yml
ocd/infra/playbooks/roles/eg_helm-repo/tasks/main.yml
ocd/infra/playbooks/roles/eg_helm-repo/tasks/uninstall.yml [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_mecm-fe/tasks/install.yml
ocd/infra/playbooks/roles/eg_mecm-meo/files/deploy/conf/keys/postgres_init.sql [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_mecm-meo/tasks/install.yml
ocd/infra/playbooks/roles/eg_mecm-meo/tasks/main.yml
ocd/infra/playbooks/roles/eg_mecm-mepm/files/deploy/conf/keys/postgres_init.sql [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_mecm-mepm/files/deploy/conf/manifest/mepm/mepm-service-account.yaml [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_mecm-mepm/tasks/install.yml
ocd/infra/playbooks/roles/eg_mecm-mepm/tasks/main.yml
ocd/infra/playbooks/roles/eg_mecm-mepm/tasks/uninstall.yml
ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/config-map.yaml [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/metallb.yaml [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/namespace.yaml [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/eg-sp-controller.yaml [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/eg-sp-rbac.yaml [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/multus.yaml [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_mep/tasks/install.yml
ocd/infra/playbooks/roles/eg_mep/tasks/uninstall.yml
ocd/infra/playbooks/roles/eg_pre_require/tasks/install.yml
ocd/infra/playbooks/roles/eg_secret/tasks/install.yml [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_secret/tasks/main.yml [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_secret/tasks/uninstall.yml [new file with mode: 0644]
ocd/infra/playbooks/roles/eg_set-helm-repo/tasks/install.yml
ocd/infra/playbooks/roles/eg_user-mgmt/tasks/install.yml

index 020d1d4..a91c99e 100644 (file)
 # limitations under the License.
 ---
 
-firstvar:
-  name:
 swrusr:
   name:
 swrpass:
   name:
-sUserName:
+cert_validity_in_days:
+  name: 365
+mecm_meo_db_password:
+  name:
+mecm_mepm_db_password:
+  name:
+dockerusr:
+  name:
+dockerpass:
+  name:
+secret_keystorepass:
+  name:
+secret_cert_pass:
+  name:
+private_repo_ip:
+  name:
+mep_pg_admin_pwd:
+  name:
+mep_kong_pg_pwd:
+  name:
+mep_cert_pwd:
+  name:
+system_interfaceeth1:
+  name:
+system_interfaceeth2:
+  name:
+mep_ip_addr_macvlan_eg_mep1:
+  name:
+mep_ip_addr_mm5_eg_mm5:
+  name:
+mep_image_tag:
+  name:
+mep_mepauth_image_tag:
+  name:
+mep_dns_image_tag:
+  name:
+generate_cert_pass:
+  name:
+mecm_mepm_postgresPassword:
+  name:
+mecm_mepm_postgresLcmCntlrPassword:
+  name:
+mecm_mepm_postgresk8sPluginPassword:
+  name:
+mecm_mepm_lcmcontroller_image_tag:
+  name:
+mecm_mepm_k8splugin_image_tag:
+  name:
+mecm_mepm_postgres_image_tag:
+  name:
+user_mgmt_encryptpass:
+  name:
+user_mgmt_oauth_appstore_client_ip:
+  name:
+user_mgmt_oauth_developer_client_ip:
+  name:
+user_mgmt_oauth_mecm_client_ip:
+  name:
+user_mgmt_image_tag:
+  name:
+mecm_meo_keystorePassword:
+  name:
+mecm_meo_truststorePassword:
+  name:
+mecm_meo_postgresPassword:
+  name:
+mecm_meo_postgresApmPassword:
+  name:
+mecm_meo_postgresAppoPassword:
+  name:
+mecm_meo_postgresInventoryPassword:
+  name:
+mecm_meo_edgeRepoUserName:
+  name:
+mecm_meo_edgeRepoPassword:
+  name:
+mecm_meo_image_tag:
+  name:
+mecm_meo_appo_image_tag:
+  name:
+mecm_meo_apm_image_tag:
   name:
-sPass:
+mecm_meo_postgres_tag:
   name:
-authServer:
+mecm_fe_centernodeip:
   name:
-authServerMecm:
+mecm_fe_image_tag:
   name:
-adminpwd:
+appstore_centernodeip:
   name:
-kongpgpwd:
+appstore_fe_image_tag:
   name:
-interface1:
+appstore_be_image_tag:
   name:
-interface2:
+developer_centernodeip:
   name:
-ipaddregmep1:
+developer_fe_image_tag:
   name:
-ipaddregmep5:
+developer_be_image_tag:
   name:
+developer_centernode_port:
+  name: 30067
+mecm_fe_centernodeport:
+  name: 30067
+user_mgmt_oauth_appstore_client_port:
+  name: 30091
+user_mgmt_oauth_developer_client_port:
+  name: 30092
+user_mgmt_oauth_mecm_client_port:
+  name: 30093
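Review bot: Every credential this deployment needs (`mecm_meo_db_password`, `mecm_mepm_db_password`, `secret_keystorepass`, `mep_pg_admin_pwd`, `dockerpass`, the `mecm_*Password` keys, and so on) is introduced here as a plaintext value in a file that ships in the repository, with no guard against an entry being left empty. A bare `name:` is YAML null, and the roles template it straight into `kubectl create secret --from-literal=...` and helm `--set` arguments, so a forgotten entry becomes an empty password (or, depending on how Ansible renders null, the literal `None`) instead of a failure. I would keep the keys here but move the values into an `ansible-vault`-encrypted vars file, and have each role assert before use, e.g. `- assert:` / `that: vardata.mecm_meo_db_password.name | default('', true) | length > 0` / `no_log: true`. Separate keys for the three mecm-meo database roles (`mecm_meo_postgresApmPassword`, `...AppoPassword`, `...InventoryPassword`) are added below alongside the single `mecm_meo_db_password`, so a comment on which of them the services actually authenticate with would prevent them drifting apart.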
index 57c21af..3d981fa 100644 (file)
 
 - name: Import vars
   include_vars:
-  # yamllint disable rule:line-length
       file: ../../../config.yml
-  # yamllint disable rule:line-length
       name: vardata
 
-- name: Pull helm chart appstore
+- name: Helm install appstore
   # yamllint disable rule:line-length
-  command: helm install -- wait appstore-edgegallery edgegallery/appstore --set global.oauth2.authServerAddress=https://{{vardata.centernodeip.name}}:30067 --set images.appstoreFe.tag={{vardata.appstorefeimagetag.name}} --set images.appstoreBe.tag={{vardata.appstorebeimagetag.name}} --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret
+  command: helm install --wait appstore-edgegallery edgegallery/appstore --set global.oauth2.authServerAddress=https://{{vardata.appstore_centernodeip.name}}:30067 --set images.appstoreFe.tag={{vardata.appstore_fe_image_tag.name}} --set images.appstoreBe.tag={{vardata.appstore_be_image_tag.name}} --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret
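Review bot: The auth server port stays hard-coded as `:30067` in the new `helm install` line, while the same commit adds `developer_centernode_port` and `mecm_fe_centernodeport` to config.yml and uses them in the sibling roles. For consistency add an `appstore_centernode_port` entry (default 30067) and render `--set global.oauth2.authServerAddress=https://{{vardata.appstore_centernodeip.name}}:{{vardata.appstore_centernode_port.name}}`. Note also that `helm install` fails when the release already exists, so re-running the playbook is not idempotent; `helm upgrade --install` would make the task safe to repeat if that is expected.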
index 3dc7f8f..1e15a02 100644 (file)
 
 ---
 
-- name: Remove old dir
-  command: rm -rf /tmp/.mep_tmp_cer
-  args:
-    chdir: /tmp/
+- name: Import config file
+  include_vars:
+    file: ../../../config.yml
+    name: vardata
 
-- name: Make dir
-  command: mkdir -p /tmp/.mep_tmp_cer
+- name: Remove old ssl key dir
+  command: rm -rf /tmp/ssl-eg-keys-certs
   args:
     chdir: /tmp/
 
-- name: Openssl genrsa
-  command: openssl genrsa -out ca.key 2048
-  args:
-    chdir: /tmp/.mep_tmp_cer/
-
-- name: Opnessl req
-  # yamllint disable rule:line-length
-  command: openssl req -new -key ca.key -subj /C=CN/ST=Peking/L=Beijing/O=edgegallery/CN=edgegallery -out ca.csr
-  # yamllint disable rule:line-length
-  args:
-    chdir: /tmp/.mep_tmp_cer/
-
-- name: Sing key with ca key and ca crt
-  command: openssl x509 -req -days 365 -in ca.csr -extensions v3_ca -signkey ca.key -out ca.crt
-  args:
-    chdir: /tmp/.mep_tmp_cer/
-
-- name: Openssl genrsa
-  command: openssl genrsa -out server_tls.key 2048
-  args:
-    chdir: /tmp/.mep_tmp_cer/
-
-- name: Openssl rsa mep tls
-  command: openssl rsa -in server_tls.key -aes256 -passout pass:{{ vardata.certspass.name}} -out server_encryptedtls.key
-  args:
-    chdir: /tmp/.mep_tmp_cer/
-
-- name: Openssl req new key mepserver tls key
-  # yamllint disable rule:line-length
-  command: openssl req -new -key server_tls.key -subj /C=CN/ST=Beijing/L=Beijing/O=edgegallery/CN=edgegallery -out server_tls.csr
-  # yamllint disable rule:line-length
+- name: Make new ssl key dir
+  command: mkdir -p /tmp/ssl-eg-keys-certs
   args:
-    chdir: /tmp/.mep_tmp_cer/
+    chdir: /tmp/
 
-- name: Openssl mepserver tls csr
+- name: generate cert
   # yamllint disable rule:line-length
-  command: openssl x509 -req -in server_tls.csr -extensions v3_req -CA ca.crt -CAkey ca.key -CAcreateserial -out server_tls.crt
+  command: docker run -e CERT_VALIDITY_IN_DAYS={{ vardata.cert_validity_in_days.name}} -v /tmp/ssl-eg-keys-certs:/certs swr.ap-southeast-1.myhuaweicloud.com/edgegallery/deploy-tool:latest
   # yamllint disable rule:line-length
-  args:
-    chdir: /tmp/.mep_tmp_cer/
-
-- name: Openssl genrsa out
-  command: openssl genrsa -out jwt_privatekey 2048
-  args:
-    chdir: /tmp/.mep_tmp_cer/
-
-- name: Openssl rsa jwt privatekey
-  command: openssl rsa -in jwt_privatekey -pubout -out jwt_publickey
-  args:
-    chdir: /tmp/.mep_tmp_cer/
-
-- name: Openssl rsa jwt privatekey
-  command: openssl rsa -in jwt_privatekey -pubout -out jwt_publickey
-  args:
-    chdir: /tmp/.mep_tmp_cer/
-
-- name: Openssl rsa in jwt
-  command: openssl rsa -in jwt_privatekey -aes256 -passout pass:{{ vardata.certspass.name}} -out jwt_encrypted_privatekey
-  args:
-    chdir: /tmp/.mep_tmp_cer/
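Review bot: The new `generate cert` task pulls `swr.ap-southeast-1.myhuaweicloud.com/edgegallery/deploy-tool:latest` and lets it write the CA and server private keys into `/tmp/ssl-eg-keys-certs`, a directory created by plain `mkdir -p` with whatever the caller's umask allows on a world-accessible path. An unpinned `:latest` tag means the key-generation logic can change (or be replaced at the registry) between runs without any change to this playbook, and the keys that later feed `kubectl create secret` in the mecm-meo/mepm roles sit on disk readable by other local users until uninstall. I would pin the image to a released tag plus an `@sha256:` digest, and create the directory restrictively, e.g. `command: mkdir -p -m 0700 /tmp/ssl-eg-keys-certs` (or the `file` module with `mode: "0700"`). The removed openssl steps encrypted the keys with `-aes256 -passout pass:...`; whether deploy-tool does the equivalent is not visible here, and `CERT_VALIDITY_IN_DAYS` is now the only input, so a comment listing the files the container is expected to emit (`ca.crt`, `tls.key`, `tls.crt`, `encryptedtls.key`, `keystore.p12`, `keystore.jks` are the names the other roles consume) would help the next reader.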
index b635196..02f073c 100644 (file)
@@ -15,8 +15,9 @@
 #
 
 ---
-
 # tasks file for eg_certs
 - include: "install.yml"
-  static: false
   when: operation == 'install'
+
+- include: "uninstall.yml"
+  when: operation == 'uninstall'
diff --git a/ocd/infra/playbooks/roles/eg_certs/tasks/uninstall.yml b/ocd/infra/playbooks/roles/eg_certs/tasks/uninstall.yml
new file mode 100644 (file)
index 0000000..c6d92b3
--- /dev/null
@@ -0,0 +1,22 @@
+#
+# Copyright 2020 Huawei Technologies Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+---
+
+- name: Remove generated certificates
+  command: rm -rf /tmp/ssl-eg-keys-certs
+  args:
+    chdir: /tmp/
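Review bot: `command: rm -rf` with a `chdir` is a shell call that Ansible cannot run in check mode or report `changed` on accurately; the `file` module does the same job declaratively: `file:` / `path: /tmp/ssl-eg-keys-certs` / `state: absent`. This only unlinks the private keys that install.yml generated under `/tmp`; on a shared host it may be worth overwriting them first, since the directory was created with default permissions.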
index 7ddadd9..f72ab08 100644 (file)
 
 - name: Import config file
   include_vars:
-  # yamllint disable rule:line-length
     file: ../../../config.yml
-  # yamllint disable rule:line-length
     name: vardata
 
 - name: Developer chart installing
   # yamllint disable rule:line-length
-  command: helm install --wait developer-edgegallery edgegallery/developer --set global.oauth2.authServerAddress=https://{{vardata.centernodeip.name}}:30067 --set images.developerFe.tag={{vardata.developerfeimagetag.name}} --set images.developerBe.tag={{vardata.developerbeimagetag.name}} --set images.toolChain.tag={{vardata.toolchainimagetag.name}} --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret
+  command: helm install --wait developer-edgegallery edgegallery/developer --set global.oauth2.authServerAddress=https://{{vardata.developer_centernodeip.name}}:{{ vardata.developer_centernode_port.name}} --set images.developerFe.tag={{vardata.developer_fe_image_tag.name}} --set images.developerBe.tag={{vardata.developer_be_image_tag.name}} --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/appstore-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/appstore-0.9.tgz
new file mode 100644 (file)
index 0000000..53de058
Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/appstore-0.9.tgz differ
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/developer-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/developer-0.9.tgz
new file mode 100644 (file)
index 0000000..34e7c77
Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/developer-0.9.tgz differ
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-fe-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-fe-0.9.tgz
new file mode 100644 (file)
index 0000000..bc76b63
Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-fe-0.9.tgz differ
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-meo-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-meo-0.9.tgz
new file mode 100644 (file)
index 0000000..9f65c7f
Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-meo-0.9.tgz differ
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-mepm-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-mepm-0.9.tgz
new file mode 100644 (file)
index 0000000..4f5c572
Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mecm-mepm-0.9.tgz differ
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mep-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mep-0.9.tgz
new file mode 100644 (file)
index 0000000..490d9ef
Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/mep-0.9.tgz differ
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/servicecenter-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/servicecenter-0.9.tgz
new file mode 100644 (file)
index 0000000..72aed5a
Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/servicecenter-0.9.tgz differ
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/usermgmt-0.9.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/usermgmt-0.9.tgz
new file mode 100644 (file)
index 0000000..d1cc9be
Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/edgegallery/usermgmt-0.9.tgz differ
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/grafana-5.5.5.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/grafana-5.5.5.tgz
new file mode 100644 (file)
index 0000000..2c67c80
Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/grafana-5.5.5.tgz differ
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/nfs-client-provisioner-1.2.8.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/nfs-client-provisioner-1.2.8.tgz
new file mode 100644 (file)
index 0000000..c63a4b8
Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/nfs-client-provisioner-1.2.8.tgz differ
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/nginx-ingress-1.41.2.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/nginx-ingress-1.41.2.tgz
new file mode 100644 (file)
index 0000000..00bd24a
Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/nginx-ingress-1.41.2.tgz differ
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/prometheus-9.3.1.tgz b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/prometheus-9.3.1.tgz
new file mode 100644 (file)
index 0000000..3b1090b
Binary files /dev/null and b/ocd/infra/playbooks/roles/eg_helm-repo/files/deploy/helm/helm-charts/stable/prometheus-9.3.1.tgz differ
index d64cc10..32697ed 100644 (file)
     src: deploy
     dest: /tmp/eg_helm-repo/
 
-- name: Import vars
+- name: Import config file
   include_vars:
     file: ../../../config.yml
     name: vardata
 
-- name: Adding helm repo edgegallery
+- name: Helm repo index edgegallery
   command: helm repo index edgegallery/
   args:
     chdir: /tmp/eg_helm-repo/deploy/helm/helm-charts/
 
-- name: Adding helm repo stable
+- name: Helm repo index stable
   command: helm repo index stable/
   args:
     chdir: /tmp/eg_helm-repo/deploy/helm/helm-charts/
 
-- name: Adding helm repo
-  # yamllint disable rule:line-length
-  command: docker run --name helm-repo -v /tmp/eg_helm-repo/deploy/helm/helm-charts/:/usr/share/nginx/html:ro  -d -p 8080:80  nginx:stable
+- name: Creating helm repo
   # yamllint disable rule:line-length
+  command: docker run --name helm-repo -v /tmp/eg_helm-repo/deploy/helm/helm-charts/:/usr/share/nginx/html:ro -d -p 8080:80 nginx:stable
   args:
     chdir: /tmp/eg_helm-repo/deploy/helm/helm-charts/
 
-- name: Add repo in adgegallery private IP
-  command: helm repo add edgegallery http://{{ vardata.helmrepoip.name}}:8080/edgegallery
+- name: Helm repo add edgegallery
+  # yamllint disable rule:line-length
+  command: helm repo add edgegallery http://{{ vardata.private_repo_ip.name}}:8080/edgegallery
   args:
     chdir: /tmp/eg_helm-repo/deploy/helm/helm-charts/
 
-- name: Add stable repo in given IP
-  command: helm repo add stable http://{{ vardata.helmrepoip.name}}:8080/stable
+- name: Helm repo add stable
+  command: helm repo add stable http://{{ vardata.private_repo_ip.name}}:8080/stable
   args:
     chdir: /tmp/eg_helm-repo/deploy/helm/helm-charts/
 
 - debug:
-    msg: "Helm repo added successfully"
+    msg: "Helm repo created"
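Review bot: The chart repository is published with `-p 8080:80`, which binds the nginx container on every host interface, and then consumed over plain `http://{{ vardata.private_repo_ip.name }}:8080`, so anyone who can reach the host can fetch the charts and anything on the path can substitute them — the per-chart digests in `helm repo index` do not protect `index.yaml` itself. Since the repo is only meant to be reached via `private_repo_ip`, bind the published port to that address: `-p {{ vardata.private_repo_ip.name }}:8080:80`. `nginx:stable` is also a moving tag; pin it to a specific version (ideally a digest) so the deployment is reproducible. The `docker run` is not idempotent either — a second `install` fails on the `helm-repo` name conflict — which the `docker_container` module with `state: started` would handle.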
index 52584d1..858c198 100644 (file)
@@ -1,4 +1,3 @@
-#
 # Copyright 2020 Huawei Technologies Co., Ltd.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,7 +15,7 @@
 
 ---
 
-# tasks file for eg_addrepo
+# tasks file for eg_helm_repo_add
 - include: "install.yml"
   static: false
   when: operation == 'install'
diff --git a/ocd/infra/playbooks/roles/eg_helm-repo/tasks/uninstall.yml b/ocd/infra/playbooks/roles/eg_helm-repo/tasks/uninstall.yml
new file mode 100644 (file)
index 0000000..6cd47d5
--- /dev/null
@@ -0,0 +1,22 @@
+# Copyright 2020 Huawei Technologies Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+---
+
+- name: Docker stop helm repo
+  command: docker stop helm-repo
+
+- name: Docker rm helm repo
+  command: docker rm helm-repo
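Review bot: `docker stop helm-repo` and `docker rm helm-repo` each fail when the container does not exist, so an uninstall after a partial or already-cleaned install aborts at the first task. A single `docker_container:` / `name: helm-repo` / `state: absent` is idempotent, or add `failed_when: false` to both commands. The uninstall also leaves the `edgegallery`/`stable` entries added by `helm repo add` and the `/tmp/eg_helm-repo` copy in place; `helm repo remove edgegallery stable` plus a `file: state: absent` on that directory would mirror install.yml.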
index 9a62619..6dbe665 100644 (file)
@@ -21,6 +21,6 @@
       file: ../../../config.yml
       name: vardata
 
-- name: Mecm-fe chart install and image pull
+- name: Install mecm-fe
   # yamllint disable rule:line-length
-  command: helm install --wait mecm-fe-edgegallery edgegallery/mecm-fe --set global.oauth2.authServerAddress=https://{{vardata.centernodeip.name}}:30067 --set images.mecmFe.tag={{vardata.imagetag.name}} --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret
+  command: helm install --wait mecm-fe-edgegallery edgegallery/mecm-fe --set global.oauth2.authServerAddress=https://{{vardata.mecm_fe_centernodeip.name}}:{{vardata.mecm_fe_centernodeport.name}} --set images.mecmFe.tag={{vardata.mecm_fe_image_tag.name}} --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret
diff --git a/ocd/infra/playbooks/roles/eg_mecm-meo/files/deploy/conf/keys/postgres_init.sql b/ocd/infra/playbooks/roles/eg_mecm-meo/files/deploy/conf/keys/postgres_init.sql
new file mode 100644 (file)
index 0000000..76e94d6
--- /dev/null
@@ -0,0 +1,29 @@
+CREATE USER inventory WITH PASSWORD 'PASSWORD_VALUE' CREATEDB;
+CREATE DATABASE inventorydb
+    WITH 
+    OWNER = inventory
+    ENCODING = 'UTF8'
+    LC_COLLATE = 'en_US.utf8'
+    LC_CTYPE = 'en_US.utf8'
+    TABLESPACE = pg_default
+    CONNECTION LIMIT = -1;
+
+CREATE USER appo WITH PASSWORD 'PASSWORD_VALUE' CREATEDB;
+CREATE DATABASE appodb
+    WITH 
+    OWNER = appo
+    ENCODING = 'UTF8'
+    LC_COLLATE = 'en_US.utf8'
+    LC_CTYPE = 'en_US.utf8'
+    TABLESPACE = pg_default
+    CONNECTION LIMIT = -1;
+
+CREATE USER apm WITH PASSWORD 'PASSWORD_VALUE' CREATEDB;
+CREATE DATABASE apmdb
+    WITH 
+    OWNER = apm
+    ENCODING = 'UTF8'
+    LC_COLLATE = 'en_US.utf8'
+    LC_CTYPE = 'en_US.utf8'
+    TABLESPACE = pg_default
+    CONNECTION LIMIT = -1;
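Review bot: All three roles (`inventory`, `appo`, `apm`) are created from the same `PASSWORD_VALUE` placeholder, so the single regexp substitution in install.yml gives them an identical password, and each is granted `CREATEDB` even though this script already creates the one database each role owns. Use a distinct placeholder per role, e.g. `CREATE USER inventory WITH PASSWORD 'INVENTORY_PASSWORD_VALUE';`, `CREATE USER appo WITH PASSWORD 'APPO_PASSWORD_VALUE';`, `CREATE USER apm WITH PASSWORD 'APM_PASSWORD_VALUE';`, and drop `CREATEDB` unless a service is known to create databases at runtime. Because the file is substituted in place under `/tmp/eg_mecm-meo/deploy/conf/keys/`, it holds the real password in plaintext after deployment; removing it in uninstall.yml (or substituting into a copy with restricted mode) would be prudent.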
index e4de10f..523f07d 100644 (file)
     dest: /tmp/eg_mecm-meo/
 
 - name: Import config file
-  # yamllint disable rule:line-length
   include_vars:
     file: ../../../config.yml
     name: vardata
+
+- name: Replacing pwd sql
+  replace:
+    path: /tmp/eg_mecm-meo/deploy/conf/keys/postgres_init.sql
+    regexp: 'PASSWORD_VALUE'
+    replace: "{{ vardata.mecm_meo_db_password.name }}"
+
+- name: Generates certificate mecm-ssl-secret
   # yamllint disable rule:line-length
-- name: Generates certificate one eg_mecm-meo
-  # yamllint disable rule:line-length
-  command: kubectl create secret generic mecm-ssl-secret --from-file=keystore.p12=/tmp/eg_mecm-meo/deploy/conf/keys/keystore.p12 --from-file=keystore.jks=/tmp/eg_mecm-meo/deploy/conf/keys/keystore.jks --from-literal=keystorePassword={{ vardata.firstvar.name}} --from-literal=keystoreType=PKCS12 --from-literal=keyAlias=edgegallery --from-literal=truststorePassword={{ vardata.firstvar.name}}
+  command: kubectl create secret generic mecm-ssl-secret --from-file=keystore.p12=/tmp/ssl-eg-keys-certs/keystore.p12 --from-file=keystore.jks=/tmp/ssl-eg-keys-certs/keystore.jks --from-literal=keystorePassword={{ vardata.mecm_meo_keystorePassword.name}} --from-literal=keystoreType=PKCS12 --from-literal=keyAlias=edgegallery --from-literal=truststorePassword={{ vardata.mecm_meo_truststorePassword.name}}
   # yamllint disable rule:line-length
-  args:
-    chdir: /tmp/eg_mecm-meo/deploy/
 
-- name: Generates sql certificate one eg_mecm-meo
+- name: Generates certificate edgegallery-mecm-secret
   # yamllint disable rule:line-length
-  command: kubectl create secret generic edgegallery-mecm-secret --from-file=postgres_init.sql=/tmp/eg_mecm-meo/deploy/conf/keys/postgres_init.sql --from-literal=postgresPassword={{ vardata.firstvar.name}} --from-literal=postgresApmPassword={{ vardata.firstvar.name}} --from-literal=postgresAppoPassword={{ vardata.firstvar.name}} --from-literal=postgresInventoryPassword={{ vardata.firstvar.name}} --from-literal=edgeRepoUserName={{ vardata.sUserName.name}}  --from-literal=edgeRepoPassword={{ vardata.sPass.name}}
+  command: kubectl create secret generic edgegallery-mecm-secret --from-file=postgres_init.sql=/tmp/eg_mecm-meo/deploy/conf/keys/postgres_init.sql --from-literal=postgresPassword={{ vardata.mecm_meo_postgresPassword.name}} --from-literal=postgresApmPassword={{ vardata.mecm_meo_postgresApmPassword.name}} --from-literal=postgresAppoPassword={{ vardata.mecm_meo_postgresAppoPassword.name}} --from-literal=postgresInventoryPassword={{ vardata.mecm_meo_postgresInventoryPassword.name}} --from-literal=edgeRepoUserName={{ vardata.mecm_meo_edgeRepoUserName.name}}  --from-literal=edgeRepoPassword={{ vardata.mecm_meo_edgeRepoPassword.name}}
   # yamllint disable rule:line-length
   args:
     chdir: /tmp/eg_mecm-meo/deploy/
 
-- name: Repo pulling for mecm-meo
-  command: helm install mecm-meo-edgegallery edgegallery/mecm-meo --set ssl.secretName=mecm-ssl-secret --set mecm.secretName=edgegallery-mecm-secret
+- name: Fs group value
+  shell: 'getent group docker | cut -d: -f3'
+  register: result
+
+- name: Helm install
+  # yamllint disable rule:line-length
+  command: helm install --wait mecm-meo-edgegallery edgegallery/mecm-meo --set ssl.secretName=mecm-ssl-secret --set mecm.secretName=edgegallery-mecm-secret --set images.inventory.tag={{ vardata.mecm_meo_image_tag.name}} --set images.appo.tag={{ vardata.mecm_meo_appo_image_tag.name}} --set images.apm.tag={{ vardata.mecm_meo_apm_image_tag.name}} --set images.postgres.tag={{ vardata.mecm_meo_postgres_tag.name}} --set mecm.docker.fsgroup=result.stdout
+  # yamllint disable rule:line-length
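Review bot: `--set mecm.docker.fsgroup=result.stdout` on the `Helm install` line passes the literal string `result.stdout` to the chart; the registered variable has to be templated: `--set mecm.docker.fsgroup={{ result.stdout }}`. The preceding `Fs group value` shell returns an empty string when no `docker` group exists, which would then render as `fsgroup=`, so a `failed_when: result.stdout == ''` makes that failure explicit. The two `kubectl create secret` tasks put every database, keystore and repo password on the command line and therefore into Ansible's output and logs; add `no_log: true` to both. Note that the SQL init script is rendered with `mecm_meo_db_password` while the secret carries separate `mecm_meo_postgresApmPassword`/`AppoPassword`/`InventoryPassword` literals; unless the operator sets all of them identically, the roles created in Postgres will not match the credentials the services receive, so either derive one from the other or document that they must agree.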
index 77d70db..06e1be4 100644 (file)
@@ -15,6 +15,7 @@
 #
 
 ---
+
 # tasks file for eg_mecm-meo
 - include: "install.yml"
   static: false
diff --git a/ocd/infra/playbooks/roles/eg_mecm-mepm/files/deploy/conf/keys/postgres_init.sql b/ocd/infra/playbooks/roles/eg_mecm-mepm/files/deploy/conf/keys/postgres_init.sql
new file mode 100644 (file)
index 0000000..0fcc8fc
--- /dev/null
@@ -0,0 +1,20 @@
+CREATE USER lcmcontroller WITH PASSWORD 'PASSWORD_VALUE' CREATEDB;
+CREATE DATABASE lcmcontrollerdb
+    WITH 
+    OWNER = lcmcontroller
+    ENCODING = 'UTF8'
+    LC_COLLATE = 'en_US.utf8'
+    LC_CTYPE = 'en_US.utf8'
+    TABLESPACE = pg_default
+    CONNECTION LIMIT = -1;
+
+CREATE USER k8splugin WITH PASSWORD 'PASSWORD_VALUE' CREATEDB;
+CREATE DATABASE k8splugindb
+    WITH 
+    OWNER = k8splugin
+    ENCODING = 'UTF8'
+    LC_COLLATE = 'en_US.utf8'
+    LC_CTYPE = 'en_US.utf8'
+    TABLESPACE = pg_default
+    CONNECTION LIMIT = -1;
+
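Review bot: As in the mecm-meo script, `lcmcontroller` and `k8splugin` share the single `PASSWORD_VALUE` placeholder and so end up with the same password, while config.yml defines separate `mecm_mepm_postgresLcmCntlrPassword` and `mecm_mepm_postgresk8sPluginPassword` for the secret; per-role placeholders (`LCMCONTROLLER_PASSWORD_VALUE`, `K8SPLUGIN_PASSWORD_VALUE`) substituted from those variables keep the database and the services in sync. `CREATEDB` is broader than either role needs given the databases are created here with `OWNER` set. The trailing empty line at the end of the file is stray.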
diff --git a/ocd/infra/playbooks/roles/eg_mecm-mepm/files/deploy/conf/manifest/mepm/mepm-service-account.yaml b/ocd/infra/playbooks/roles/eg_mecm-mepm/files/deploy/conf/manifest/mepm/mepm-service-account.yaml
new file mode 100644 (file)
index 0000000..9bf8e91
--- /dev/null
@@ -0,0 +1,30 @@
+#
+#   Copyright 2020 Huawei Technologies Co., Ltd.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: fabric8-rbac
+subjects:
+  - kind: ServiceAccount
+    # Reference to upper's `metadata.name`
+    name: default
+    # Reference to upper's `metadata.namespace`
+    namespace: default
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
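Review bot: This binds the `default` ServiceAccount of the `default` namespace to `cluster-admin`, which gives every pod in that namespace that does not set its own `serviceAccountName` — including the appstore, developer and mecm-fe releases installed by the other roles if they land there — unrestricted control of the whole cluster. Create a dedicated ServiceAccount for the mepm components, bind only that account, and replace `cluster-admin` with a ClusterRole limited to the resources the k8splugin actually manages (that list is not visible here, so I leave it as a TODO); the chart must then set `serviceAccountName` on the k8splugin pod, which I cannot verify inside the bundled `mecm-mepm-0.9.tgz`. `rbac.authorization.k8s.io/v1beta1` has been deprecated since Kubernetes 1.17 and is removed in 1.22, so use `v1`. The binding name `fabric8-rbac` looks copied from the fabric8 client docs and does not identify its owner; name it after the component that applies it.
```yaml
# … unchanged: license header …
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mecm-mepm
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: mecm-mepm-rbac
subjects:
  - kind: ServiceAccount
    name: mecm-mepm
    namespace: default
roleRef:
  kind: ClusterRole
  # TODO(review): replace cluster-admin with a ClusterRole scoped to the
  # API groups/resources/verbs the k8splugin actually uses
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```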
index a84f9e0..2ad97c0 100644 (file)
     src: deploy
     dest: /tmp/eg_mecm-mepm/
 
-- name: Import vars
+- name: Import config file
   include_vars:
     file: ../../../config.yml
     name: vardata
 
-- name: Generates certificate one eg_mecm-mepm
+- name: Replacing password
+  replace:
+    path: /tmp/eg_mecm-mepm/deploy/conf/keys/postgres_init.sql
+    regexp: 'PASSWORD_VALUE'
+    replace: "{{ vardata.mecm_mepm_db_password.name }}"
+
+- name: Create mecm-mepm-ssl-secret secret
   # yamllint disable rule:line-length
-  command: kubectl create secret generic mecm-mepm-jwt-public-secret --from-file=publicKey=/tmp/.mep_tmp_cer/server_encryptedtls.key
+  command: kubectl create secret generic mecm-mepm-jwt-public-secret --from-file=publicKey=/tmp/ssl-eg-keys-certs/encryptedtls.key
   # yamllint disable rule:line-length
   args:
-    chdir: /tmp/.mep_tmp_cer/
+    chdir: /tmp/ssl-eg-keys-certs/
 
-- name: Generates certificate one eg_mecm-mepm
+- name: Create mecm-mepm-ssl-secret secret
   # yamllint disable rule:line-length
-  command: kubectl create secret generic mecm-mepm-ssl-secret --from-file=server_tls.key=/tmp/.mep_tmp_cer/server_tls.key --from-file=server_tls.crt=/tmp/.mep_tmp_cer/server_tls.crt --from-file=ca.crt=/tmp/.mep_tmp_cer/ca.crt
+  command: kubectl create secret generic mecm-mepm-ssl-secret --from-file=server_tls.key=/tmp/ssl-eg-keys-certs/tls.key --from-file=server_tls.crt=/tmp/ssl-eg-keys-certs/tls.crt --from-file=ca.crt=/tmp/ssl-eg-keys-certs/ca.crt
   # yamllint disable rule:line-length
   args:
-    chdir: /tmp/.mep_tmp_cer/
+    chdir: /tmp/ssl-eg-keys-certs/
 
-- name: Generates certificate one eg_mecm-mepm
+- name: Create edgegallery-mepm-secret secret
   # yamllint disable rule:line-length
-  command: kubectl create secret generic edgegallery-mepm-secret --from-file=postgres_init.sql=/tmp/eg_mecm-mepm/deploy/conf/keys/postgres_init.sql --from-literal=postgresPassword={{ vardata.mepmpostgrespass.name}} --from-literal=postgresLcmCntlrPassword={{ vardata.mepmpostgreslcmpass.name}} --from-literal=postgresk8sPluginPassword={{ vardata.mepmpostgresk8spluginpass.name}}
+  command: kubectl create secret generic edgegallery-mepm-secret --from-file=postgres_init.sql=/tmp/eg_mecm-mepm/deploy/conf/keys/postgres_init.sql --from-literal=postgresPassword={{ vardata.mecm_mepm_postgresPassword.name}} --from-literal=postgresLcmCntlrPassword={{ vardata.mecm_mepm_postgresLcmCntlrPassword.name}} --from-literal=postgresk8sPluginPassword={{ vardata.mecm_mepm_postgresk8sPluginPassword.name}}
   # yamllint disable rule:line-length
-  args:
-    chdir: /tmp/.mep_tmp_cer/
 
-- name: Generates certificate one eg_mecm-mepm
+- name: Create mepm service account
   command: kubectl apply -f /tmp/eg_mecm-mepm/deploy/conf/manifest/mepm/mepm-service-account.yaml
   args:
     chdir: /tmp/eg_mecm-mepm/deploy/
 
-- name: Repo pulling for mecm-mepm
+- name: Install mecm-mepm
+  # yamllint disable rule:line-length
+  command: helm install mecm-mepm-edgegallery edgegallery/mecm-mepm --set jwt.publicKeySecretName=mecm-mepm-jwt-public-secret --set mepm.secretName=edgegallery-mepm-secret --set ssl.secretName=mecm-mepm-ssl-secret --set images.lcmcontroller.tag={{ vardata.mecm_mepm_lcmcontroller_image_tag.name}} --set images.k8splugin.tag={{ vardata.mecm_mepm_k8splugin_image_tag.name}} --set images.postgres.tag={{ vardata.mecm_mepm_postgres_image_tag.name}}
   # yamllint disable rule:line-length
-  command: helm install --wait mecm-mepm-edgegallery edgegallery/mecm-mepm --set jwt.publicKeySecretName=mecm-mepm-jwt-public-secret --set mepm.secretName=edgegallery-mepm-secret --set ssl.secretName=mecm-mepm-ssl-secret --set images.lcmcontroller.tag={{ vardata.mepmlcmcontrollerimagetag.name}} --set images.k8splugin.tag={{ vardata.mepmk8spluginimagetag.name}} --set images.postgres.tag={{ vardata.mepmpostgresimagetag.name}}
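Review bot: The first task named `Create mecm-mepm-ssl-secret secret` actually creates `mecm-mepm-jwt-public-secret`, and it fills its `publicKey` entry from `/tmp/ssl-eg-keys-certs/encryptedtls.key`, which by name is an encrypted private key rather than a public key (the removed openssl flow produced a separate `jwt_publickey`). If deploy-tool emits a public key file, point `--from-file=publicKey=` at it; if the consumer genuinely needs the encrypted private key, rename the task and the secret key so the next reader is not misled. Either way the two duplicate task names should be made distinct, e.g. `- name: Create mecm-mepm-jwt-public-secret secret`. The new `helm install` line also drops `--wait`, so the role now reports success before the mepm pods are ready, which differs from every other role in this commit and may not be intended. Since the `edgegallery-mepm-secret` command carries the Postgres passwords as `--from-literal` arguments, add `no_log: true` to it.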
index 7faf1bd..39ca99a 100644 (file)
@@ -18,9 +18,7 @@
 
 # tasks file for eg_mecm-mepm
 - include: "install.yml"
-  static: false
   when: operation == 'install'
 
 - include: "uninstall.yml"
-  static: false
   when: operation == 'uninstall'
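Review bot: Dropping `static: false` leaves the bare `include:` keyword in both tasks, which Ansible has deprecated in favour of the explicit `include_tasks:` (dynamic) and `import_tasks:` (static) forms; since the intent here was a dynamic include gated by `when`, `- include_tasks: "install.yml"` and `- include_tasks: "uninstall.yml"` express the same thing without relying on the deprecated keyword. The condition lines stay as they are.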
index 8524b68..409b69a 100644 (file)
@@ -16,7 +16,7 @@
 
 ---
 
-- name: Helm chart uninstallation mecm mepm
+- name: Delete mecm-mepm secret
   command: helm uninstall mecm-mepm-edgegallery
 
 - name: Mecm mepm jwt delete
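Review bot: The new task name `Delete mecm-mepm secret` no longer describes the command under it, which is `helm uninstall mecm-mepm-edgegallery`; the old name was accurate and the secrets are deleted by the next task. Something like `- name: Uninstall mecm-mepm helm release` keeps the play output readable. The second hunk in this file has the same problem: `Delete mep-service-account` sits above a delete of `mepm-service-account.yaml`, so `- name: Delete mepm service account` would match what runs.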
@@ -24,9 +24,7 @@
   command: kubectl delete secret mecm-mepm-jwt-public-secret mecm-mepm-ssl-secret edgegallery-mepm-secret
   # yamllint disable rule:line-length
 
-- name: Delete mepm service
+- name: Delete mep-service-account
   # yamllint disable rule:line-length
   command: kubectl delete -f /tmp/eg_mecm-mepm/deploy/conf/manifest/mepm/mepm-service-account.yaml
   # yamllint disable rule:line-length
-  args:
-    chdir: /tmp/eg_mecm-mepm/deploy/
diff --git a/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/config-map.yaml b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/config-map.yaml
new file mode 100644 (file)
index 0000000..f913463
--- /dev/null
@@ -0,0 +1,27 @@
+#
+#   Copyright 2020 Huawei Technologies Co., Ltd.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: metallb-system
+  name: config
+data:
+  config: |
+    address-pools:
+    - name: address-pool-1
+      protocol: layer2
+      addresses:
+      - 192.168.100.120/32
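Review bot: The MetalLB address pool is a single hard-coded `/32` in a file that is applied verbatim, whereas the other site-specific values this commit introduces (interface names, macvlan addresses) are read from `vardata` in config.yml. Either template the pool from config.yml the same way, or add a comment above `addresses:` such as `# Site-specific: the LoadBalancer IP handed out to the mep service; must be a free address on the node's L2 segment` so operators know it must be edited per deployment.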
diff --git a/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/metallb.yaml b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/metallb.yaml
new file mode 100644 (file)
index 0000000..8594115
--- /dev/null
@@ -0,0 +1,406 @@
+#
+#   Copyright 2020 Huawei Technologies Co., Ltd.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+spec:
+  allowPrivilegeEscalation: false
+  allowedCapabilities: []
+  allowedHostPaths: []
+  defaultAddCapabilities: []
+  defaultAllowPrivilegeEscalation: false
+  fsGroup:
+    ranges:
+      - max: 65535
+        min: 1
+    rule: MustRunAs
+  hostIPC: false
+  hostNetwork: false
+  hostPID: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  requiredDropCapabilities:
+    - ALL
+  runAsUser:
+    ranges:
+      - max: 65535
+        min: 1
+    rule: MustRunAs
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    ranges:
+      - max: 65535
+        min: 1
+    rule: MustRunAs
+  volumes:
+    - configMap
+    - secret
+    - emptyDir
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  labels:
+    app: metallb
+  name: speaker
+  namespace: metallb-system
+spec:
+  allowPrivilegeEscalation: false
+  allowedCapabilities:
+    - NET_ADMIN
+    - NET_RAW
+    - SYS_ADMIN
+  allowedHostPaths: []
+  defaultAddCapabilities: []
+  defaultAllowPrivilegeEscalation: false
+  fsGroup:
+    rule: RunAsAny
+  hostIPC: false
+  hostNetwork: true
+  hostPID: false
+  hostPorts:
+    - max: 7472
+      min: 7472
+  privileged: true
+  readOnlyRootFilesystem: true
+  requiredDropCapabilities:
+    - ALL
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+    - configMap
+    - secret
+    - emptyDir
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: metallb
+  name: speaker
+  namespace: metallb-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:controller
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+  - apiGroups:
+      - ''
+    resources:
+      - services/status
+    verbs:
+      - update
+  - apiGroups:
+      - ''
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - policy
+    resourceNames:
+      - controller
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:speaker
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - services
+      - endpoints
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - policy
+    resourceNames:
+      - speaker
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: config-watcher
+  namespace: metallb-system
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: pod-lister
+  namespace: metallb-system
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+    verbs:
+      - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metallb-system:controller
+subjects:
+  - kind: ServiceAccount
+    name: controller
+    namespace: metallb-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:speaker
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metallb-system:speaker
+subjects:
+  - kind: ServiceAccount
+    name: speaker
+    namespace: metallb-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: config-watcher
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: config-watcher
+subjects:
+  - kind: ServiceAccount
+    name: controller
+  - kind: ServiceAccount
+    name: speaker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: pod-lister
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-lister
+subjects:
+  - kind: ServiceAccount
+    name: speaker
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: metallb
+    component: speaker
+  name: speaker
+  namespace: metallb-system
+spec:
+  selector:
+    matchLabels:
+      app: metallb
+      component: speaker
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: '7472'
+        prometheus.io/scrape: 'true'
+      labels:
+        app: metallb
+        component: speaker
+    spec:
+      containers:
+        - args:
+            - --port=7472
+            - --config=config
+          env:
+            - name: METALLB_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: METALLB_HOST
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.hostIP
+            - name: METALLB_ML_BIND_ADDR
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: METALLB_ML_LABELS
+              value: "app=metallb,component=speaker"
+            - name: METALLB_ML_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: METALLB_ML_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: memberlist
+                  key: secretkey
+          image: metallb/speaker:v0.9.3
+          imagePullPolicy: IfNotPresent
+          name: speaker
+          ports:
+            - containerPort: 7472
+              name: monitoring
+          resources:
+            limits:
+              cpu: 100m
+              memory: 100Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              add:
+                - NET_ADMIN
+                - NET_RAW
+                - SYS_ADMIN
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+      hostNetwork: true
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+      serviceAccountName: speaker
+      terminationGracePeriodSeconds: 2
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: metallb
+    component: controller
+  name: controller
+  namespace: metallb-system
+spec:
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: metallb
+      component: controller
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: '7472'
+        prometheus.io/scrape: 'true'
+      labels:
+        app: metallb
+        component: controller
+    spec:
+      containers:
+        - args:
+            - --port=7472
+            - --config=config
+          image: metallb/controller:v0.9.3
+          imagePullPolicy: IfNotPresent
+          name: controller
+          ports:
+            - containerPort: 7472
+              name: monitoring
+          resources:
+            limits:
+              cpu: 100m
+              memory: 100Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - all
+            readOnlyRootFilesystem: true
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+      serviceAccountName: controller
+      terminationGracePeriodSeconds: 0
diff --git a/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/namespace.yaml b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/metallb/namespace.yaml
new file mode 100644 (file)
index 0000000..d090488
--- /dev/null
@@ -0,0 +1,21 @@
+#
+#   Copyright 2020 Huawei Technologies Co., Ltd.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: metallb-system
+  labels:
+    app: metallb
diff --git a/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/eg-sp-controller.yaml b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/eg-sp-controller.yaml
new file mode 100644 (file)
index 0000000..95fd455
--- /dev/null
@@ -0,0 +1,28 @@
+#
+#   Copyright 2020 Huawei Technologies Co., Ltd.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+kind: Pod
+apiVersion: v1
+metadata:
+  name: edgegallery-secondary-ep-controller
+  namespace: kube-system
+spec:
+  serviceAccount: edgegallery-secondary-ep-controller
+  containers:
+    - name: edgegallery-secondary-ep-controller
+      image: edgegallery/edgegallery-secondary-ep-controller:latest
+      imagePullPolicy: IfNotPresent
+      command: ["/bin/sh", "-c", "--"]
+      args: ["edgegallery-secondary-ep-controller"]
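Review bot: `serviceAccount:` is the deprecated alias of `serviceAccountName:` in PodSpec; `serviceAccountName: edgegallery-secondary-ep-controller` is the supported field. The image is referenced by the mutable `:latest` tag, and the `Replacing image` task in eg_mep/tasks/install.yml in this same commit now rewrites it to another `:latest` rather than the `vardata`-driven tag it used before, so the controller that lands on a node is no longer reproducible; pinning a version (or keeping the tag in config.yml) would restore that. This is also a bare Pod in kube-system with no controller, resource limits or securityContext, so it is not rescheduled if the node is lost; a Deployment with the same template would be the usual shape.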
diff --git a/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/eg-sp-rbac.yaml b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/eg-sp-rbac.yaml
new file mode 100644 (file)
index 0000000..aa0fa63
--- /dev/null
@@ -0,0 +1,49 @@
+#
+#   Copyright 2020 Huawei Technologies Co., Ltd.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: edgegallery-secondary-ep-controller
+  namespace: kube-system
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: multi-ip-controller
+rules:
+  - apiGroups: [""]
+    resources: ["services", "pods"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["endpoints", "events"]
+    verbs: ["*"]
+  - apiGroups: ["k8s.cni.cncf.io"]
+    resources: ["network-attachment-definitions"]
+    verbs: ["*"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: watch-update-secondary-endpoints
+subjects:
+  - kind: ServiceAccount
+    name: edgegallery-secondary-ep-controller
+    namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: multi-ip-controller
+  apiGroup: rbac.authorization.k8s.io
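Review bot: The `multi-ip-controller` ClusterRole grants `verbs: ["*"]` cluster-wide on `endpoints`, `events` and `network-attachment-definitions`, while the binding is named `watch-update-secondary-endpoints` and the controller's own pod is limited to get/watch/list on services and pods. If the controller only reads and updates endpoints, listing the verbs it needs (for example `verbs: ["get", "list", "watch", "update", "patch"]` on endpoints, `["create", "patch"]` on events) keeps the grant to least privilege and makes the binding name truthful. Wildcard verbs also include `delete` and `deletecollection`, which a controller of this kind should not normally hold.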
diff --git a/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/multus.yaml b/ocd/infra/playbooks/roles/eg_mep/files/deploy/conf/edge/network-isolation/multus.yaml
new file mode 100644 (file)
index 0000000..bb21616
--- /dev/null
@@ -0,0 +1,358 @@
+#
+#   Copyright 2020 Huawei Technologies Co., Ltd.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: network-attachment-definitions.k8s.cni.cncf.io
+spec:
+  group: k8s.cni.cncf.io
+  scope: Namespaced
+  names:
+    plural: network-attachment-definitions
+    singular: network-attachment-definition
+    kind: NetworkAttachmentDefinition
+    shortNames:
+      - net-attach-def
+  versions:
+    - name: v1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+        # yamllint disable rule:line-length
+          description: 'NetworkAttachmentDefinition is a CRD schema specified by the Network Plumbing
+            Working Group to express the intent for attaching pods to one or more logical or physical
+            networks. More information available at: https://github.com/k8snetworkplumbingwg/multi-net-spec'
+        # yamllint disable rule:line-length
+          type: object
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this represen
+                tation of an object. Servers should convert recognized schemas to the
+                latest internal value, and may reject unrecognized values. More info:
+                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this
+                object represents. Servers may infer this from the endpoint the client
+                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: 'NetworkAttachmentDefinition spec defines the desired state of a network attachment'
+              type: object
+              properties:
+                config:
+                  description: 'NetworkAttachmentDefinition config is a JSON-formatted CNI configuration'
+                  type: string
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: multus
+rules:
+  - apiGroups: ["k8s.cni.cncf.io"]
+    resources:
+      - '*'
+    verbs:
+      - '*'
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/status
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - ""
+      - events.k8s.io
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+      - update
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: multus
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: multus
+subjects:
+  - kind: ServiceAccount
+    name: multus
+    namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: multus
+  namespace: kube-system
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: multus-cni-config
+  namespace: kube-system
+  labels:
+    tier: node
+    app: multus
+data:
+  # NOTE: If you'd prefer to manually apply a configuration file, you may create one here.
+  # In the case you'd like to customize the Multus installation, you should change the arguments to the Multus pod
+  # change the "args" line below from
+  # - "--multus-conf-file=auto"
+  # to:
+  # "--multus-conf-file=/tmp/multus-conf/70-multus.conf"
+  # Additionally -- you should ensure that the name "70-multus.conf" is the alphabetically first name in the
+  # /etc/cni/net.d/ directory on each node, otherwise, it will not be used by the Kubelet.
+  cni-conf.json: |
+    {
+      "name": "multus-cni-network",
+      "type": "multus",
+      "capabilities": {
+        "portMappings": true
+      },
+      "delegates": [
+        {
+          "cniVersion": "0.3.1",
+          "name": "default-cni-network",
+          "plugins": [
+            {
+              "type": "flannel",
+              "name": "flannel.1",
+                "delegate": {
+                  "isDefaultGateway": true,
+                  "hairpinMode": true
+                }
+              },
+              {
+                "type": "portmap",
+                "capabilities": {
+                  "portMappings": true
+                }
+              }
+          ]
+        }
+      ],
+      "kubeconfig": "/etc/cni/net.d/multus.d/multus.kubeconfig"
+    }
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: kube-multus-ds-amd64
+  namespace: kube-system
+  labels:
+    tier: node
+    app: multus
+    name: multus
+spec:
+  selector:
+    matchLabels:
+      name: multus
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        tier: node
+        app: multus
+        name: multus
+    spec:
+      hostNetwork: true
+      nodeSelector:
+        kubernetes.io/arch: amd64
+      tolerations:
+        - operator: Exists
+          effect: NoSchedule
+      serviceAccountName: multus
+      containers:
+        - name: kube-multus
+          image: docker.io/nfvpe/multus:stable
+          command: ["/entrypoint.sh"]
+          args:
+            - "--multus-conf-file=auto"
+            - "--cni-version=0.3.1"
+          resources:
+          requests:
+            cpu: "100m"
+            memory: "50Mi"
+          limits:
+            cpu: "100m"
+            memory: "50Mi"
+          securityContext:
+          privileged: true
+          volumeMounts:
+            - name: cni
+              mountPath: /host/etc/cni/net.d
+            - name: cnibin
+              mountPath: /host/opt/cni/bin
+            - name: multus-cfg
+              mountPath: /tmp/multus-conf
+      volumes:
+        - name: cni
+          hostPath:
+            path: /etc/cni/net.d
+        - name: cnibin
+          hostPath:
+            path: /opt/cni/bin
+        - name: multus-cfg
+          configMap:
+            name: multus-cni-config
+            items:
+              - key: cni-conf.json
+                path: 70-multus.conf
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: kube-multus-ds-ppc64le
+  namespace: kube-system
+  labels:
+    tier: node
+    app: multus
+    name: multus
+spec:
+  selector:
+    matchLabels:
+      name: multus
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        tier: node
+        app: multus
+        name: multus
+    spec:
+      hostNetwork: true
+      nodeSelector:
+        kubernetes.io/arch: ppc64le
+      tolerations:
+        - operator: Exists
+          effect: NoSchedule
+      serviceAccountName: multus
+      containers:
+        - name: kube-multus
+        # ppc64le support requires multus:latest for now. support 3.3 or later.
+          image: docker.io/nfvpe/multus:stable-ppc64le
+          command: ["/entrypoint.sh"]
+          args:
+            - "--multus-conf-file=auto"
+            - "--cni-version=0.3.1"
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "90Mi"
+            limits:
+              cpu: "100m"
+              memory: "90Mi"
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: cni
+              mountPath: /host/etc/cni/net.d
+            - name: cnibin
+              mountPath: /host/opt/cni/bin
+            - name: multus-cfg
+              mountPath: /tmp/multus-conf
+      volumes:
+        - name: cni
+          hostPath:
+            path: /etc/cni/net.d
+        - name: cnibin
+          hostPath:
+            path: /opt/cni/bin
+        - name: multus-cfg
+          configMap:
+            name: multus-cni-config
+            items:
+              - key: cni-conf.json
+                path: 70-multus.conf
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: kube-multus-ds-arm64v8
+  namespace: kube-system
+  labels:
+    tier: node
+    app: multus
+    name: multus
+spec:
+  selector:
+    matchLabels:
+      name: multus
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        tier: node
+        app: multus
+        name: multus
+    spec:
+      hostNetwork: true
+      nodeSelector:
+        kubernetes.io/arch: arm64
+      tolerations:
+        - operator: Exists
+          effect: NoSchedule
+      serviceAccountName: multus
+      containers:
+        - name: kube-multus
+          image: docker.io/nfvpe/multus:stable-arm64v8
+          command: ["/entrypoint.sh"]
+          args:
+            - "--multus-conf-file=auto"
+            - "--cni-version=0.3.1"
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "90Mi"
+            limits:
+              cpu: "100m"
+              memory: "90Mi"
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: cni
+              mountPath: /host/etc/cni/net.d
+            - name: cnibin
+              mountPath: /host/opt/cni/bin
+            - name: multus-cfg
+              mountPath: /tmp/multus-conf
+      volumes:
+        - name: cni
+          hostPath:
+            path: /etc/cni/net.d
+        - name: cnibin
+          hostPath:
+            path: /opt/cni/bin
+        - name: multus-cfg
+          configMap:
+            name: multus-cni-config
+            items:
+              - key: cni-conf.json
+                path: 70-multus.conf
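Review bot: In the `kube-multus-ds-amd64` DaemonSet the `requests:`/`limits:` keys are at the same indent as `resources:`, and `privileged: true` is at the same indent as `securityContext:`, so both parents are null and the children become unknown container fields; kubectl's schema validation rejects the manifest, and if validation is turned off the amd64 pods run unprivileged and cannot write into the host CNI directories. The `ppc64le` and `arm64v8` DaemonSets further down are indented correctly and show the intended shape; the amd64 block should match them. The floating `docker.io/nfvpe/multus:stable` tag is a secondary point — a pinned version would make the node CNI stack reproducible.
```yaml
        - name: kube-multus
          # … unchanged: image, command, args …
          resources:
            requests:
              cpu: "100m"
              memory: "50Mi"
            limits:
              cpu: "100m"
              memory: "50Mi"
          securityContext:
            privileged: true
          # … unchanged: volumeMounts …
```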
index 0033928..8733101 100644 (file)
@@ -1,4 +1,3 @@
-#
 # Copyright 2020 Huawei Technologies Co., Ltd.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
     file: ../../../config.yml
     name: vardata
 
+- name: Remove old dir
+  command: rm -rf /tmp/.mep_tmp_cer
+  args:
+    chdir: /tmp/
+
+- name: Make dir
+  command: mkdir -p /tmp/.mep_tmp_cer
+  args:
+    chdir: /tmp/
+
+- name: Openssl genrsa
+  command: openssl genrsa -out ca.key 2048
+  args:
+    chdir: /tmp/.mep_tmp_cer/
+
+- name: Opnessl req
+  # yamllint disable rule:line-length
+  command: openssl req -new -key ca.key -subj /C=CN/ST=Peking/L=Beijing/O=edgegallery/CN=edgegallery -out ca.csr
+  # yamllint disable rule:line-length
+  args:
+    chdir: /tmp/.mep_tmp_cer/
+
+- name: Sing key with ca key and ca crt
+  # yamllint disable rule:line-length
+  command: openssl x509 -req -days 365 -in ca.csr -extensions v3_ca -signkey ca.key -out ca.crt
+  # yamllint disable rule:line-length
+  args:
+    chdir: /tmp/.mep_tmp_cer/
+
+- name: Openssl genrsa
+  command: openssl genrsa -out mepserver_tls.key 2048
+  args:
+    chdir: /tmp/.mep_tmp_cer/
+
+- name: Openssl rsa mep tls
+  # yamllint disable rule:line-length
+  command: openssl rsa -in mepserver_tls.key -aes256 -passout pass:{{ vardata.generate_cert_pass.name}} -out mepserver_encryptedtls.key
+  # yamllint disable rule:line-length
+  args:
+    chdir: /tmp/.mep_tmp_cer/
+
+- name: Openssl req new key mepserver tls key
+  # yamllint disable rule:line-length
+  command: openssl req -new -key mepserver_tls.key -subj /C=CN/ST=Beijing/L=Beijing/O=edgegallery/CN=edgegallery -out mepserver_tls.csr
+  # yamllint disable rule:line-length
+  args:
+    chdir: /tmp/.mep_tmp_cer/
+
+- name: Openssl mepserver tls csr
+  # yamllint disable rule:line-length
+  command: openssl x509 -req -in mepserver_tls.csr -extensions v3_req -CA ca.crt -CAkey ca.key -CAcreateserial -out mepserver_tls.crt
+  # yamllint disable rule:line-length
+  args:
+    chdir: /tmp/.mep_tmp_cer/
+
+- name: Openssl genrsa out
+  command: openssl genrsa -out jwt_privatekey 2048
+  args:
+    chdir: /tmp/.mep_tmp_cer/
+
+- name: Openssl rsa jwt privatekey
+  command: openssl rsa -in jwt_privatekey -pubout -out jwt_publickey
+  args:
+    chdir: /tmp/.mep_tmp_cer/
+
+- name: Openssl rsa in jwt
+  # yamllint disable rule:line-length
+  command: openssl rsa -in jwt_privatekey -aes256 -passout pass:{{ vardata.generate_cert_pass.name}} -out jwt_encrypted_privatekey
+  # yamllint disable rule:line-length
+  args:
+    chdir: /tmp/.mep_tmp_cer/
+
 - name: Create mep namespace
   command: kubectl create ns mep
   args:
 
 - name: Create generic pg secret
   # yamllint disable rule:line-length
-  command: kubectl -n mep create secret generic pg-secret --from-literal=pg_admin_pwd={{ vardata.mepadminpwd.name}} --from-literal=kong_pg_pwd={{ vardata.mepkongpgpwd.name}} --from-file=server.key=/tmp/.mep_tmp_cer/server_tls.key --from-file=server.crt=/tmp/.mep_tmp_cer/server_tls.crt
+  command: kubectl -n mep create secret generic pg-secret --from-literal=pg_admin_pwd={{ vardata.mep_pg_admin_pwd.name}} --from-literal=kong_pg_pwd={{ vardata.mep_kong_pg_pwd.name}}
+           --from-file=server.key=/tmp/.mep_tmp_cer/mepserver_tls.key --from-file=server.crt=/tmp/.mep_tmp_cer/mepserver_tls.crt
   # yamllint disable rule:line-length
   args:
     chdir: /tmp/
 
 - name: Create mep generic for mep ssl
   # yamllint disable rule:line-length
-  command: kubectl -n mep create secret generic mep-ssl --from-literal=cert_pwd={{ vardata.mepcertpwd.name}} --from-file=server.cer=/tmp/.mep_tmp_cer/server_tls.crt --from-file=server_key.pem=/tmp/.mep_tmp_cer/server_encryptedtls.key --from-file=trust.cer=/tmp/.mep_tmp_cer/ca.crt
+  command: kubectl -n mep create secret generic mep-ssl --from-literal=cert_pwd={{ vardata.mep_cert_pwd.name}} --from-file=server.cer=/tmp/.mep_tmp_cer/mepserver_tls.crt
+           --from-file=server_key.pem=/tmp/.mep_tmp_cer/mepserver_encryptedtls.key --from-file=trust.cer=/tmp/.mep_tmp_cer/ca.crt
   # yamllint disable rule:line-length
   args:
     chdir: /tmp/
 
 - name: Create mep seret generic
   # yamllint disable rule:line-length
-  command: kubectl -n mep create secret generic mepauth-secret --from-file=server.crt=/tmp/.mep_tmp_cer/server_tls.crt --from-file=server.key=/tmp/.mep_tmp_cer/server_tls.key --from-file=ca.crt=/tmp/.mep_tmp_cer/ca.crt --from-file=jwt_publickey=/tmp/.mep_tmp_cer/jwt_publickey --from-file=jwt_encrypted_privatekey=/tmp/.mep_tmp_cer/jwt_encrypted_privatekey
+  command: kubectl -n mep create secret generic mepauth-secret --from-file=server.crt=/tmp/.mep_tmp_cer/mepserver_tls.crt --from-file=server.key=/tmp/.mep_tmp_cer/mepserver_tls.key
+           --from-file=ca.crt=/tmp/.mep_tmp_cer/ca.crt --from-file=jwt_publickey=/tmp/.mep_tmp_cer/jwt_publickey --from-file=jwt_encrypted_privatekey=/tmp/.mep_tmp_cer/jwt_encrypted_privatekey
   # yamllint disable rule:line-length
   args:
     chdir: /tmp/
 
+- name: Remove directory
+  command: rm -rf /tmp/.mep_tmp_cer
+  args:
+    chdir: /tmp/
+
 - debug:
     msg: Deploy_dns_metallb execution start
 
     chdir: /tmp/eg_mep/deploy/
 
 - name: Eg_Mep deployment create secret
+  # yamllint disable rule:line-length
   command: kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)"
+  # yamllint disable rule:line-length
   args:
     chdir: /tmp/eg_mep/deploy/
 
 - name: Replacing image
   replace:
     path: /tmp/eg_mep/deploy/conf/edge/network-isolation/eg-sp-controller.yaml
-    regexp: 'edgegallery/edgegallery-secondary-ep-controller:{{ vardata.egepcontroller.name}}'
-    replace: "swr.ap-southeast-1.myhuaweicloud.com/edgegallery/edgegallery-secondary-ep-controller:{{ vardata.cloudegepcontroller.name}}"
+    regexp: 'edgegallery/edgegallery-secondary-ep-controller:latest'
+    replace: "swr.ap-southeast-1.myhuaweicloud.com/edgegallery/edgegallery-secondary-ep-controller:latest"
 
 - name: Running eg-sp-controller yaml files
+  # yamllint disable rule:line-length
   command: kubectl apply -f /tmp/eg_mep/deploy/conf/edge/network-isolation/eg-sp-controller.yaml
   args:
     chdir: /tmp/eg_mep/deploy/
     msg: Setup_interfaces execution start
 
 - name: Link eg mep macvlan
-  command: ip link add eg-mp1 link {{ vardata.systeminterface1.name}} type macvlan mode bridge
+  # yamllint disable rule:line-length
+  command: ip link add eg-mp1 link {{ vardata.system_interfaceeth1.name}} type macvlan mode bridge
   args:
     chdir: /tmp/eg_mep/deploy/
   ignore_errors: yes
   no_log: True
 
 - name: Link eg mep macvlan
-  command: ip addr add {{ vardata.ipaddregmepmacvlan.name}} dev eg-mp1
+  command: ip addr add {{ vardata.mep_ip_addr_macvlan_eg_mep1.name}} dev eg-mp1
   args:
     chdir: /tmp/eg_mep/deploy/
   ignore_errors: yes
   no_log: True
 
 - name: Link eg eg mm5 with eth1
-  command: ip link add eg-mm5 link {{ vardata.systeminterface2.name}} type macvlan mode bridge
+  # yamllint disable rule:line-length
+  command: ip link add eg-mm5 link {{ vardata.system_interfaceeth2.name}} type macvlan mode bridge
   args:
     chdir: /tmp/eg_mep/deploy/
   ignore_errors: yes
   no_log: True
 
 - name: Link eg eg mm5 ip addr
-  command: ip addr add {{ vardata.ipaddregmep5.name}} dev eg-mm5
+  command: ip addr add {{ vardata.mep_ip_addr_mm5_eg_mm5.name}} dev eg-mm5
   args:
     chdir: /tmp/eg_mep/deploy/
   ignore_errors: yes
 - debug:
     msg: Pull helm repo start
 
-- name: Edge gallery mep installation pull chart
+- name: Edge gallery mep installation pull chart and image
   # yamllint disable rule:line-length
-  command: helm install --wait mep-edgegallery edgegallery/mep --set networkIsolation.phyInterface.mp1={{ vardata.systeminterface1.name}} --set networkIsolation.phyInterface.mm5={{ vardata.systeminterface2.name}} --set images.mep.tag={{ vardata.mepimagetag.name}} --set images.mepauth.tag={{ vardata.mepauthimagetag.name}} --set images.dns.tag={{ vardata.mepdnsimagetag.name}} --set ssl.secretName=mep-ssl
+  command: helm install mep-edgegallery edgegallery/mep --set networkIsolation.phyInterface.mp1={{ vardata.system_interfaceeth1.name}} --set networkIsolation.phyInterface.mm5={{ vardata.system_interfaceeth2.name}} --set images.mep.tag={{ vardata.mep_image_tag.name}} --set images.mepauth.tag={{ vardata.mep_mepauth_image_tag.name}} --set images.dns.tag={{ vardata.mep_dns_image_tag.name}} --set ssl.secretName=mep-ssl
   # yamllint disable rule:line-length
-  args:
-    chdir: /tmp/eg_mep/deploy/
-  ignore_errors: yes
-  no_log: True
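Review bot: The `Openssl mepserver tls csr` task signs the server certificate without `-days`, so `mepserver_tls.crt` gets OpenSSL's default 30-day validity while the CA built a few tasks earlier uses `-days 365`; the mep services will start failing TLS after a month unless the certificates are regenerated. Add the lifetime explicitly: `command: openssl x509 -req -days 365 -in mepserver_tls.csr -extensions v3_req -CA ca.crt -CAkey ca.key -CAcreateserial -out mepserver_tls.crt`. The two `-passout pass:{{ vardata.generate_cert_pass.name}}` tasks and the `kubectl create secret` tasks that pass `--from-literal=` passwords carry no `no_log: true`, so the values are echoed in the play output and are visible in the process list for the command's lifetime; `no_log: true` on those tasks, plus `-passout env:VAR` with an `environment:` block for openssl, avoids both. The private keys are also written to the predictable `/tmp/.mep_tmp_cer` with default permissions; a `tempfile` task with `state: directory` creates a mode-0700 directory and removes the `rm -rf`/`mkdir -p` pair.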
index d64aa0d..99203f6 100644 (file)
@@ -1,4 +1,3 @@
-#
 # Copyright 2020 Huawei Technologies Co., Ltd.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -44,7 +43,6 @@
 - name: Delete network isolation multus eg sp controller
   # yamllint disable rule:line-length
   command: kubectl delete -f /tmp/eg_mep/deploy/edge/network-isolation/eg-sp-controller.yaml
-  # yamllint disable rule:line-length
   args:
     chdir: /tmp/eg_mep/deploy/
   ignore_errors: yes
 - name: Delete network isolation multus eg sp rbac
   # yamllint disable rule:line-length
   command: kubectl delete -f /tmp/eg_mep/deploy/conf/edge/network-isolation/eg-sp-rbac.yaml
-  # yamllint disable rule:line-length
   args:
     chdir: /tmp/eg_mep/deploy/
   ignore_errors: yes
   no_log: True
 
 - name: Delete network isolation multus
+  # yamllint disable rule:line-length
   command: kubectl delete -f /tmp/eg_mep/deploy/conf/edge/network-isolation/multus.yaml
   args:
     chdir: /tmp/eg_mep/deploy/
@@ -67,6 +65,7 @@
   no_log: True
 
 - name: Delete network isolation rm host local
+  # yamllint disable rule:line-length
   command: rm /opt/cni/bin/macvlan /opt/cni/bin/host-local
   args:
     chdir: /tmp/remote-platform/
   no_log: True
 
 - name: Uninstall dns metallb config mep
+  # yamllint disable rule:line-length
   command: kubectl delete -f /tmp/eg_mep/deploy/conf/edge/metallb/config-map.yaml
   args:
     chdir: /tmp/eg_mep/deploy/
   no_log: True
 
 - name: Delete dns metallb
+  # yamllint disable rule:line-length
   command: kubectl delete -f /tmp/eg_mep/deploy/conf/edge/metallb/metallb.yaml
   args:
     chdir: /tmp/eg_mep/deploy/
 - name: Delete dns metallb namespace
   # yamllint disable rule:line-length
   command: kubectl delete -f /tmp/eg_mep/deploy/conf/edge/metallb/namespace.yaml
-  # yamllint disable rule:line-length
   args:
     chdir: /tmp/eg_mep/deploy/
   ignore_errors: yes
index 0871f84..009ea92 100644 (file)
 
 - name: Import config file
   include_vars:
-      file: ../../../config.yml
-      name: vardata
+    file: ../../../config.yml
+    name: vardata
+
+- name: Certificate copy
+  debug:
+    msg: Copy certificate from ocd to center and edge
 
 - synchronize:
-      src: /tmp/.mep_tmp_cer
-      dest: /tmp/
+    src: /tmp/ssl-eg-keys-certs
+    dest: /tmp/
 
 - name: Docker login
   # yamllint disable rule:line-length
-  command: docker login -u {{ vardata.dockerusername.name}} -p {{ vardata.dockerpass.name}} swr.ap-southeast-1.myhuaweicloud.com
-  # yamllint disable rule:line-length
+  command: docker login -u {{ vardata.dockerusr.name}} -p {{ vardata.dockerpass.name}} swr.ap-southeast-1.myhuaweicloud.com
 
-- name: Setting pull image swr path
+- name: Create docker-registry secret
   # yamllint disable rule:line-length
   command: kubectl create secret docker-registry swrregcred --docker-server=https://swr.ap-southeast-1.myhuaweicloud.com/v2/ --docker-username={{ vardata.swrusr.name}} --docker-password={{ vardata.swrpass.name}}
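Review bot: The `Docker login` task passes `{{ vardata.dockerpass.name}}` with `-p` through `command:` and has no `no_log: true`, so the registry password is printed in the task result and in any Ansible log, and the `Create docker-registry secret` task below it does the same with `--docker-password=`; the mep tasks earlier in this commit set `no_log: True` for far less sensitive commands. Adding `no_log: true` to both tasks keeps the credentials out of output, and docker's `--password-stdin` option avoids leaving the password in the command line itself. The same omission applies to the `kubectl create secret generic` tasks in eg_secret/tasks/install.yml and in the user-mgmt hunk at the end of this page, where keystore, certificate and encryption passwords go through `--from-literal` without `no_log`. The `synchronize` task also has no `name:`, which makes its output hard to match to a step in the play.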
diff --git a/ocd/infra/playbooks/roles/eg_secret/tasks/install.yml b/ocd/infra/playbooks/roles/eg_secret/tasks/install.yml
new file mode 100644 (file)
index 0000000..53892cd
--- /dev/null
@@ -0,0 +1,27 @@
+#
+# Copyright 2020 Huawei Technologies Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+---
+
+- name: Import config file
+  include_vars:
+      file: ../../../config.yml
+      name: vardata
+
+- name: Generate secret
+  # yamllint disable rule:line-length
+  command: kubectl create secret generic edgegallery-ssl-secret --from-file=keystore.p12=/tmp/ssl-eg-keys-certs/keystore.p12 --from-literal=keystorePassword={{ vardata.secret_keystorepass.name}} --from-literal=keystoreType=PKCS12 --from-literal=keyAlias=edgegallery --from-file=trust.cer=/tmp/ssl-eg-keys-certs/ca.crt --from-file=server.cer=/tmp/ssl-eg-keys-certs/tls.crt --from-file=server_key.pem=/tmp/ssl-eg-keys-certs/encryptedtls.key --from-literal=cert_pwd={{ vardata.secret_cert_pass.name}}
+  # yamllint disable rule:line-length
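Review bot: `kubectl create secret generic edgegallery-ssl-secret ...` is not idempotent: a second run of the install role fails with AlreadyExists and, with no `ignore_errors` here, stops the play, so either delete the secret first or build it with `kubectl create secret ... --dry-run=client -o yaml | kubectl apply -f -`. The `include_vars` block is indented six spaces under a two-space file, which yamllint's indentation rule flags; this commit changes the same block to four spaces in the hunk above and to six again in the two hunks below, so one convention should be picked. The `# yamllint disable rule:line-length` placed after the command line is a no-op, since the directive applies from its own line onward; the one before the command already covers it.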
diff --git a/ocd/infra/playbooks/roles/eg_secret/tasks/main.yml b/ocd/infra/playbooks/roles/eg_secret/tasks/main.yml
new file mode 100644 (file)
index 0000000..bd61315
--- /dev/null
@@ -0,0 +1,26 @@
+#
+# Copyright 2020 Huawei Technologies Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+---
+
+# tasks file for eg_secret
+- include: "install.yml"
+  static: false
+  when: operation == 'install'
+
+- include: "uninstall.yml"
+  static: false
+  when: operation == 'uninstall'
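Review bot: `- include:` with `static: false` is the pre-2.4 spelling of a dynamic include; the current form is `include_tasks:`, and the `static` keyword is deprecated together with bare `include`, so `- include_tasks: install.yml` with the same `when:` carries the same meaning. If the other roles' main.yml files in this repository still use the old form, matching them is defensible, but a new file is the cheapest place to move to the supported keyword.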
diff --git a/ocd/infra/playbooks/roles/eg_secret/tasks/uninstall.yml b/ocd/infra/playbooks/roles/eg_secret/tasks/uninstall.yml
new file mode 100644 (file)
index 0000000..c180f5e
--- /dev/null
@@ -0,0 +1,20 @@
+#
+# Copyright 2020 Huawei Technologies Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+---
+
+- name: Delete edgegallery ssl secret
+  command: kubectl delete secret edgegallery-ssl-secret
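Review bot: `kubectl delete secret edgegallery-ssl-secret` returns non-zero when the secret is already gone, so an uninstall on a host where install never completed, or a second uninstall, fails this task and stops the play; the sibling uninstall tasks in this commit use `ignore_errors: yes` for that case. The cleaner form is `command: kubectl delete secret edgegallery-ssl-secret --ignore-not-found=true`, which makes the task rerunnable without hiding other errors. The task names no namespace, so it relies on the kubeconfig's current context, presumably the same one the install task used.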
index bc779fc..6e517b1 100644 (file)
 
 - name: Import config file
   include_vars:
-    file: ../../../config.yml
-    name: vardata
+      file: ../../../config.yml
+      name: vardata
 
-- name: Add adgegallery repo in private IP
+- name: Helm repo add edgegallery
   # yamllint disable rule:line-length
-  command: helm repo add edgegallery http://{{ vardata.helmrepoip.name}}:8080/edgegallery
+  command: helm repo add edgegallery http://{{ vardata.private_repo_ip.name}}:8080/edgegallery
 
-- name: Add stable repo in private IP
-  command: helm repo add stable http://{{ vardata.helmrepoip.name}}:8080/stable
+- name: Helm repo add stable
+  # yamllint disable rule:line-length
+  command: helm repo add stable http://{{ vardata.private_repo_ip.name}}:8080/stable
index 24d17b4..2d128ee 100644 (file)
 
 ---
 
-- name: Doing deployment setup eg_user-mgm for edge gallery
-  copy:
-    src: deploy
-    dest: /tmp/eg_user-mgmt/
-
-- name: Import vars
-# yamllint disable rule:line-length
+- name: Import config file
   include_vars:
-    file: ../../../config.yml
-    name: vardata
-# yamllint disable rule:line-length
+      file: ../../../config.yml
+      name: vardata
 
 - name: Generating certificates for usermanagment
-# yamllint disable rule:line-length
-  command: kubectl create secret generic user-mgmt-jwt-secret --from-file=publicKey=/tmp/.mep_tmp_cer/mepserver_encryptedtls.key --from-file=encryptedPrivateKey=/tmp/eg_user-mgmt/deploy/conf/keys/encrypted_rsa_private_key.pem --from-literal=encryptPassword={{ vardata.firstvar.name}}
-# yamllint disable rule:line-length
-  args:
-    chdir: /tmp/.mep_tmp_cer/
+  # yamllint disable rule:line-length
+  command: kubectl create secret generic user-mgmt-jwt-secret --from-file=publicKey=/tmp/ssl-eg-keys-certs/rsa_public_key.pem --from-file=encryptedPrivateKey=/tmp/ssl-eg-keys-certs/encrypted_rsa_private_key.pem --from-literal=encryptPassword={{ vardata.user_mgmt_encryptpass.name}}
+  # yamllint disable rule:line-length
 
-- name: Pull helm chart eg_user-mgm
-# yamllint disable rule:line-length
-  command: helm install user-mgmt-edgegallery edgegallery/usermgmt --set global.oauth2.clients.appstore.clientUrl=https://{{ vardata.authServer.name}}:30091,global.oauth2.clients.developer.clientUrl=https://{{ vardata.authServer.name}}:30092,global.oauth2.clients.mecm.clientUrl=https://{{ vardata.authServer.name}}:30093, --set jwt.secretName=user-mgmt-jwt-secret --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret
-# yamllint disable rule:line-length
+- name: Install user-mgmt
+  # yamllint disable rule:line-length
+  command: helm install --wait user-mgmt-edgegallery edgegallery/usermgmt --set global.oauth2.clients.appstore.clientUrl=https://{{ vardata.user_mgmt_oauth_appstore_client_ip.name}}:{{vardata.user_mgmt_oauth_appstore_client_port.name}},global.oauth2.clients.developer.clientUrl=https://{{ vardata.user_mgmt_oauth_developer_client_ip.name}}:{{vardata.user_mgmt_oauth_developer_client_port.name}},global.oauth2.clients.mecm.clientUrl=https://{{ vardata.user_mgmt_oauth_mecm_client_ip.name}}:{{vardata.user_mgmt_oauth_mecm_client_port.name}}, --set jwt.secretName=user-mgmt-jwt-secret --set images.usermgmt.tag={{ vardata.user_mgmt_image_tag.name}} --set global.ssl.enabled=true --set global.ssl.secretName=edgegallery-ssl-secret
+  # yamllint disable rule:line-length