diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/README.md b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/README.md new file mode 100644 index 00000000000..225dd44b9fc --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/defaults/main.yml b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/defaults/main.yml new file mode 100644 index 00000000000..050dcd266ab --- /dev/null 
+++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/defaults/main.yml 
@@ -0,0 +1,62 @@ +--- +ocp4_username: system:admin +become_override: false +silent: false + +ocp4_workload_redhat_developer_hub_gitlab_namespace: gitlab +ocp4_workload_redhat_developer_hub_backstage_namespace: backstage +ocp4_workload_redhat_developer_hub_backstage_helm_repo: https://janus-idp.github.io/helm-backstage +ocp4_workload_redhat_developer_hub_backstage_helm_chart: backstage +ocp4_workload_redhat_developer_hub_backstage_helm_chart_version: 2.10.3 + +ocp4_workload_redhat_developer_hub_backstage_gitlab_group: janus-idp + +ocp4_workload_redhat_developer_hub_postgresql_password: postgres + +ocp4_workload_redhat_developer_hub_gitlab_root_user: root +ocp4_workload_redhat_developer_hub_gitlab_root_password: openshift + +ocp4_workload_redhat_developer_hub_janus_bootstrap_repo: https://github.com/treddy08/janus-idp-bootstrap.git +ocp4_workload_redhat_developer_hub_janus_bootstrap_repo_target_revision: main + +ocp4_workload_redhat_developer_hub_admin_user: admin +ocp4_workload_redhat_developer_hub_admin_password: "{{ common_password }}" + +ocp4_workload_redhat_developer_hub_users_count: "{{ num_users | default(1) }}" +ocp4_workload_redhat_developer_hub_users_password: "{{ common_password }}" + +ocp4_workload_redhat_developer_hub_vault_namespace: vault + +ocp4_workload_redhat_developer_hub_gitlab_template_locations: + - group: janus-idp + project: software-templates + branch: main + file: showcase-templates.yaml + rules: + allow: Template + templates: + - scaffolder-templates/quarkus-web-template/template.yaml + - group: janus-idp + project: software-templates + branch: main + file: org.yaml + rules: + allow: Group, User + - group: summit-lab + project: backstage-workshop + branch: master + file: showcase-templates.yaml + rules: + allow: Template + templates: + - scaffolder-templates/poi-map/template.yaml + - scaffolder-templates/poi-gateway/template.yaml + - scaffolder-templates/poi-backend/template.yaml + 
+ocp4_workload_redhat_developer_hub_backstage_image_registry: quay.io +ocp4_workload_redhat_developer_hub_backstage_image_repository: rhdh/rhdh-hub-rhel9 +ocp4_workload_redhat_developer_hub_backstage_image_tag: "1.0" + +redhat_gpte_devhub_pull_secret: "" + +ocp4_workload_redhat_developer_hub_username_base: user \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/create_devspace_user_namespaces.yml b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/create_devspace_user_namespaces.yml new file mode 100644 index 00000000000..9424ed7f258 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/create_devspace_user_namespaces.yml @@ -0,0 +1,9 @@ +--- +- name: Create devspace resources + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', item ) | from_yaml }}" + loop: + - namespace-devspaces-user.yml.j2 + - secret-devspaces-gitcreds.yml.j2 + - config-devspaces-gitconfig.yml.j2 \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/fetch_and_apply_template.yml b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/fetch_and_apply_template.yml new file mode 100644 index 00000000000..382583425d0 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/fetch_and_apply_template.yml @@ -0,0 +1,13 @@ +--- +- name: Fetch {{ folder }}/{{ template_file }} template from remote host + run_once: true + fetch: + src: "{{ folder }}/{{ template_file }}" + dest: /tmp/{{ template_file }} + flat: yes + fail_on_missing: yes + +- name: Apply template {{ folder }}/{{ template_file }} + ansible.builtin.template: + src: /tmp/{{ template_file }} + dest: "{{ folder }}/{{ template_file }}" \ No newline at end of file 
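Review bot: The defaults ship fixed plaintext credentials — `ocp4_workload_redhat_developer_hub_postgresql_password: postgres` and `ocp4_workload_redhat_developer_hub_gitlab_root_password: openshift` — while the admin and user passwords in the same file derive from `common_password`; the gitlab root password is later embedded in clone URLs and shell command lines by other task files in this commit, so a static guessable value widens the exposure. If the GitLab deployment does not depend on this exact value, `ocp4_workload_redhat_developer_hub_gitlab_root_password: "{{ common_password }}"` would follow the pattern already used for `..._admin_password`; otherwise a comment stating that both must be overridden together per deployment is needed (the README hunk is still the Galaxy skeleton). The `templates` key is present on only two of the three `..._gitlab_template_locations` entries, so any consumer that loops over `location.templates` needs a `| default([])`.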
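Review bot: `secret-devspaces-gitcreds.yml.j2` is applied through `kubernetes.core.k8s` without `no_log`, so the rendered Secret definition — including its data fields — is echoed in the task result under `-v` or on failure. Add `no_log: true` at task level on `Create devspace resources`, or split the secret into its own task that carries it so the namespace and configmap items stay visible. Whether the credentials in that template are plaintext or base64 is inferred from the name only; the template is not in this hunk.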
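Review bot: `flat: yes` and `fail_on_missing: yes` use YAML 1.1 truthy words; write `flat: true` and `fail_on_missing: true` to match the `true`/`false` used elsewhere in the role. The round-trip goes through a predictable `/tmp/{{ template_file }}` path on the control node, and defaults/main.yml in this commit lists `showcase-templates.yaml` under two different projects, so a stale copy from another project can be re-applied if the include is ever run per-host or in parallel rather than strictly sequentially. A per-run directory from `ansible.builtin.tempfile` (`state: directory`) used as `dest` avoids both the name collision and leaving the fetched file readable in shared `/tmp`.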
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/main.yml b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/main.yml new file mode 100644 index 00000000000..03a4801b4c7 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/main.yml @@ -0,0 +1,30 @@ +--- +# Do not modify this file + +- name: Running Pre Workload Tasks + include_tasks: + file: ./pre_workload.yml + apply: + become: "{{ become_override | bool }}" + when: ACTION == "create" or ACTION == "provision" + +- name: Running Workload Tasks + include_tasks: + file: ./workload.yml + apply: + become: "{{ become_override | bool }}" + when: ACTION == "create" or ACTION == "provision" + +- name: Running Post Workload Tasks + include_tasks: + file: ./post_workload.yml + apply: + become: "{{ become_override | bool }}" + when: ACTION == "create" or ACTION == "provision" + +- name: Running Workload removal Tasks + include_tasks: + file: ./remove_workload.yml + apply: + become: "{{ become_override | bool }}" + when: ACTION == "destroy" or ACTION == "remove" diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/post_workload.yml b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/post_workload.yml new file mode 100644 index 00000000000..b259e8df93c --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/post_workload.yml 
@@ -0,0 +1,21 @@ +--- + +# For deployment onto a dedicated cluster (as part of the +# cluster deployment) set workload_shared_deployment to False +# This is the default so it does not have to be set explicitely +- name: post_workload tasks complete + debug: + msg: "Post-Workload tasks completed successfully." + when: + - not silent|bool + - not workload_shared_deployment|default(False) + +# For RHPDS deployment (onto a shared cluster) set +# workload_shared_deployment to True +# (in the deploy script or AgnosticV configuration) +- name: post_workload tasks complete + debug: + msg: "Post-Software checks completed successfully" + when: + - not silent|bool + - workload_shared_deployment|default(False) diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/pre_workload.yml b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/pre_workload.yml new file mode 100644 index 00000000000..3164e542ad1 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/pre_workload.yml @@ -0,0 +1,21 @@ +--- + +# For deployment onto a dedicated cluster (as part of the +# cluster deployment) set workload_shared_deployment to False +# This is the default so it does not have to be set explicitely +- name: pre_workload tasks complete + debug: + msg: "Pre-Workload tasks completed successfully." + when: + - not silent|bool + - not workload_shared_deployment|default(False) + +# For RHPDS deployment (onto a shared cluster) set +# workload_shared_deployment to True +# (in the deploy script or AgnosticV configuration) +- name: pre_workload tasks complete + debug: + msg: "Pre-Software checks completed successfully" + when: + - not silent|bool + - workload_shared_deployment|default(False) 
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/remove_workload.yml b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/remove_workload.yml new file mode 100644 index 00000000000..de399741e4f --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/remove_workload.yml 
@@ -0,0 +1,46 @@ +--- +# Implement your workload removal tasks here +# ------------------------------------------ + +- name: Update default storage class + when: ocp4_workload_gitops_amqstreams_update_default_storage_class | bool + block: + - name: Remove annotation from current default storage class + command: + cmd: >- + oc annotate sc {{ ocp4_workload_gitops_amqstreams_new_default_storage_class_name }} + storageclass.kubernetes.io/is-default-class- + ignore_errors: true + + - name: Set previous default storage class + command: + cmd: >- + oc annotate sc {{ ocp4_workload_gitops_amqstreams_old_default_storage_class_name }} + storageclass.kubernetes.io/is-default-class="true" + ignore_errors: true + +- name: Remove Operator + include_role: + name: install_operator + vars: + install_operator_action: remove + install_operator_name: "{{ ocp4_workload_gitops_amqstreams_operator_name }}" + install_operator_namespace: "{{ ocp4_workload_gitops_amqstreams_namespace }}" + install_operator_catalog: redhat-operators + install_operator_csv_nameprefix: "{{ ocp4_workload_gitops_amqstreams_operator_csv_prefix }}" + install_operator_channel: "{{ ocp4_workload_gitops_amqstreams_channel }}" + install_operator_automatic_install_plan_approval: "{{ ocp4_workload_gitops_amqstreams_automatic_install_plan_approval | default(true) }}" + install_operator_manage_namespaces: + - "{{ ocp4_workload_gitops_amqstreams_namespace }}" + install_operator_catalogsource_setup: "{{ ocp4_workload_gitops_amqstreams_catalogsource_setup | default(false)}}" + install_operator_catalogsource_name: "{{ ocp4_workload_gitops_amqstreams_catalogsource_name | default('') }}" + install_operator_catalogsource_image: "{{ ocp4_workload_gitops_amqstreams_catalogsource_image | default('') }}" + install_operator_catalogsource_image_tag: "{{ ocp4_workload_gitops_amqstreams_catalogsource_image_tag | default('') }}" + +# Leave this as the last task in the playbook. 
+# -------------------------------------------- + +- name: remove_workload tasks complete + debug: + msg: "Remove Workload tasks completed successfully." + when: not silent|bool diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_backstage.yml b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_backstage.yml new file mode 100644 index 00000000000..479e233afce --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_backstage.yml 
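Review bot: The removal tasks reference `ocp4_workload_gitops_amqstreams_*` variables (`..._update_default_storage_class`, `..._operator_name`, `..._namespace`, `..._channel`, ...) that this role never defines — defaults/main.yml in this same commit declares only `ocp4_workload_redhat_developer_hub_*` — so `ACTION == "destroy"` fails on the first `when` with an undefined variable, and even if it ran it would remove an AMQ Streams operator rather than anything this workload created. The block reads as copied from another role; it should tear down what the other task files in this commit create (the GitLab OAuth applications and group, the vault kv entries, the ArgoCD applications, the OAuth and ClusterRoleBinding objects from setup_rhsso.yml) or, until that exists, be reduced to the final `remove_workload tasks complete` debug task so destroy does not error.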
@@ -0,0 +1,120 @@ +--- +- name: Retrieve ArgoCD credentials + kubernetes.core.k8s_info: + api_version: v1 + kind: Secret + name: argocd-cluster + namespace: janus-argocd + register: r_argo_creds + until: + - r_argo_creds is defined + - r_argo_creds.resources is defined + - r_argo_creds.resources | length > 0 + +- name: Decode argo credentials + set_fact: + ocp4_workload_redhat_developer_hub_argocd_password: "{{ r_argo_creds.resources[0].data['admin.password'] | b64decode }}" + +- name: Retrieve openshift gitops route + kubernetes.core.k8s_info: + api_version: route.openshift.io/v1 + kind: Route + name: argocd-server + namespace: janus-argocd + register: r_argocd_route + until: + - r_argocd_route is defined + - r_argocd_route.resources is defined + - r_argocd_route.resources | length > 0 + +- name: Retrieve openshift gitops hostname + set_fact: + ocp4_workload_redhat_developer_hub_argocd_host: "{{ r_argocd_route.resources[0].spec.host }}" + +- name: Create backstage pre-requisite resources + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', item ) | from_yaml }}" + loop: + - cluster-role-binding-default-sa-admin.yml.j2 + - object-bucket-claim.yml.j2 + +- name: Get default token + shell: oc get secret $(oc get secret -n default | grep default-token | awk '{print $1}') -n default -o json | jq -r '.data.token' + register: r_default_token + +- name: Get Openshift REST API + shell: oc config view -o jsonpath='{.clusters[0].cluster.server}' + register: r_ocp_api + +- name: Decode default token + set_fact: + ocp4_workload_redhat_developer_hub_ocp_default_sa_token: "{{ r_default_token.stdout | b64decode }}" + ocp4_workload_redhat_developer_hub_ocp_api: "{{ r_ocp_api.stdout }}" + +- name: Retrieve quay admin token + kubernetes.core.k8s_info: + api_version: v1 + kind: Secret + name: quay-admin-token + namespace: quay-enterprise + register: r_quay_token + retries: 120 + delay: 10 + until: + - r_quay_token is defined + - r_quay_token.resources is 
defined + - r_quay_token.resources | length > 0 + - r_quay_token.resources[0] is defined + +- name: Decode quay admin token + set_fact: + ocp4_workload_redhat_developer_hub_quay_admin_token: "{{ r_quay_token.resources[0].data.token | b64decode }}" + +- name: Retrieve s3 bucket details + kubernetes.core.k8s_info: + api_version: objectbucket.io/v1alpha1 + kind: ObjectBucketClaim + name: backstage-bucket-claim + namespace: backstage + register: r_bucket_claim + until: + - r_bucket_claim is defined + - r_bucket_claim.resources is defined + - r_bucket_claim.resources | length > 0 + +- name: Retrieve bucket secret + kubernetes.core.k8s_info: + api_version: v1 + kind: Secret + name: backstage-bucket-claim + namespace: "{{ ocp4_workload_redhat_developer_hub_backstage_namespace }}" + register: r_bucket_secret + retries: 120 + delay: 10 + until: + - r_bucket_secret is defined + - r_bucket_secret.resources is defined + - r_bucket_secret.resources | length > 0 + +- name: Extract S3 Details + set_fact: + ocp4_workload_redhat_developer_hub_s3_bucket_name: "{{ r_bucket_claim.resources[0].spec.bucketName }}" + ocp4_workload_redhat_developer_hub_s3_bucket_region: "{{ aws_region }}" + ocp4_workload_redhat_developer_hub_s3_bucket_endpoint: "https://s3-openshift-storage.{{ ocp4_workload_redhat_developer_hub_apps_domain }}" + ocp4_workload_redhat_developer_hub_s3_bucket_aws_access_key_id: "{{ r_bucket_secret.resources[0].data.AWS_ACCESS_KEY_ID | b64decode}}" + ocp4_workload_redhat_developer_hub_s3_bucket_aws_secret_access_key: "{{ r_bucket_secret.resources[0].data.AWS_SECRET_ACCESS_KEY | b64decode}}" + +- name: Setup Backstage Repo + include_tasks: + file: ./setup_backstage_repo.yml + +- name: Create Backstage Gitops application + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', 'application-backstage-gitops.yml.j2' ) | from_yaml }}" + +- name: Create vault secret for common password + shell: | + oc exec vault-0 -n {{ 
ocp4_workload_redhat_developer_hub_vault_namespace + }} -- vault kv put kv/secrets/janusidp/common_password password={{ common_password }} \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_backstage_repo.yml b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_backstage_repo.yml new file mode 100644 index 00000000000..14a583fbfe0 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_backstage_repo.yml @@ -0,0 +1,48 @@ +--- +- name: Build git repo url + set_fact: + ocp4_workload_redhat_developer_hub_backstage_helm_repo: + https://{{ ocp4_workload_redhat_developer_hub_gitlab_root_user }}:{{ + ocp4_workload_redhat_developer_hub_gitlab_root_password }}@{{ + ocp4_workload_redhat_developer_hub_gitlab_host }}/gitops/janus-idp-gitops + +- name: Remove older repo folders + shell: rm -rf ~/janus-idp-gitops + +- name: Clone janus-idp-gitops + ansible.builtin.git: + accept_hostkey: true + force: true + repo: "{{ ocp4_workload_redhat_developer_hub_backstage_helm_repo }}" + dest: "~/janus-idp-gitops" + version: "main" + environment: + GIT_SSL_NO_VERIFY: "true" + +- name: Apply template values to location template + include_tasks: fetch_and_apply_template.yml + vars: + folder: /home/ec2-user/janus-idp-gitops/charts/backstage + template_file: backstage-values.yaml + +- name: Add new files to the repository + command: + chdir: >- + /home/ec2-user/janus-idp-gitops + cmd: "git add ." + ignore_errors: true + +- name: Commit changes to the repository + command: + chdir: >- + /home/ec2-user/janus-idp-gitops + cmd: >- + git commit -a -m 'Updates for starting scenario.' + ignore_errors: true + +- name: Push all changes back to the project repository + command: + chdir: >- + /home/ec2-user/janus-idp-gitops + cmd: >- + git push {{ ocp4_workload_redhat_developer_hub_backstage_helm_repo }} \ No newline at end of file 
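Review bot: `Get default token` relies on `oc get secret -n default | grep default-token`; on OpenShift 4.11+ (Kubernetes 1.24) service-account token secrets are no longer auto-generated, so the subshell likely expands to nothing, `r_default_token.stdout` is empty, and `Decode default token` sets an empty `..._ocp_default_sa_token` instead of failing. Reading a token Secret created explicitly for that service account via `kubernetes.core.k8s_info`, plus a `failed_when: r_default_token.stdout | length == 0`, would make the failure visible. Every task here that registers or decodes a credential (the ArgoCD admin password, the quay admin token, the S3 access keys, and the `vault kv put ... password={{ common_password }}` shell) lacks `no_log: true`, so the values land in the play output. `Retrieve ArgoCD credentials`, `Retrieve openshift gitops route` and `Retrieve s3 bucket details` have `until` but no `retries`/`delay`, so they poll only the default three times while the quay and bucket-secret tasks wait up to 120 x 10s.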
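Review bot: `Build git repo url` overwrites `ocp4_workload_redhat_developer_hub_backstage_helm_repo`, which defaults/main.yml defines as the Helm chart repository (`https://janus-idp.github.io/helm-backstage`), with a GitLab clone URL embedding `root:<password>@`; any template rendered after this point that expects the chart repo receives the credentialed git URL instead, so a distinct name such as `ocp4_workload_redhat_developer_hub_backstage_gitops_repo_url` is warranted. That URL is then passed on the command line in `git push {{ ocp4_workload_redhat_developer_hub_backstage_helm_repo }}`, so the root password appears in the Ansible log and in the process list; `no_log: true` on the `set_fact`, clone and push tasks, or a git credential helper, keeps it out of both. `shell: rm -rf ~/janus-idp-gitops` could be `ansible.builtin.file` with `state: absent`, and the mix of `~/janus-idp-gitops` and `/home/ec2-user/janus-idp-gitops` should settle on one form.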
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_gitlab.yml b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_gitlab.yml new file mode 100644 index 00000000000..5b739e6f8af --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_gitlab.yml 
@@ -0,0 +1,124 @@ +--- +- name: Retrieve root private token + kubernetes.core.k8s_info: + api_version: v1 + kind: Secret + name: root-user-personal-token + namespace: "{{ ocp4_workload_redhat_developer_hub_gitlab_namespace }}" + register: r_root_token + retries: 120 + delay: 10 + until: + - r_root_token is defined + - r_root_token.resources is defined + - r_root_token.resources | length > 0 + - r_root_token.resources[0] is defined + - r_root_token.resources[0].data is defined + - r_root_token.resources[0].data.token is defined + - r_root_token.resources[0].data.token | length > 0 + +- name: Decode root token + set_fact: + ocp4_workload_redhat_developer_hub_gitlab_root_token: "{{ r_root_token.resources[0].data.token | b64decode }}" + +- name: Create vault secret for gitlab token + shell: | + oc exec vault-0 -n {{ ocp4_workload_redhat_developer_hub_vault_namespace + }} -- vault kv put kv/secrets/janusidp/gitlab token={{ ocp4_workload_redhat_developer_hub_gitlab_root_token }} + oc exec vault-0 -n {{ ocp4_workload_redhat_developer_hub_vault_namespace + }} -- vault kv put kv/secrets/janusidp/gitlab_webhook secret={{ lookup('password', '/dev/null chars=ascii_lowercase length=12') }} + +- name: Create Keycloak GitLab application + ansible.builtin.uri: + url: https://{{ ocp4_workload_redhat_developer_hub_gitlab_host }}/api/v4/applications + method: POST + body_format: form-urlencoded + body: + name: keycloak + redirect_uri: https://{{ ocp4_workload_redhat_developer_hub_keycloak_host }}/auth/realms/backstage/broker/GitLab/endpoint + scopes: api read_user read_repository write_repository sudo openid profile email + confidential: false + headers: + PRIVATE-TOKEN: "{{ ocp4_workload_redhat_developer_hub_gitlab_root_token }}" + validate_certs: false + status_code: [201] + register: r_keycloak_app + retries: 60 + delay: 10 + until: r_keycloak_app.status == 201 + +- name: Get Keycloak client credentials + set_fact: + ocp4_workload_redhat_developer_hub_keycloak_client_id: "{{ 
r_keycloak_app.json.application_id }}" + ocp4_workload_redhat_developer_hub_keycloak_client_secret: "{{ r_keycloak_app.json.secret }}" + +- name: Create Devspaces GitLab application + ansible.builtin.uri: + url: https://{{ ocp4_workload_redhat_developer_hub_gitlab_host }}/api/v4/applications + method: POST + body_format: form-urlencoded + body: + name: devspaces + redirect_uri: https://{{ ocp4_workload_redhat_developer_hub_devspaces_host }}/api/oauth/callback + scopes: api read_user read_repository write_repository sudo openid profile email + confidential: false + headers: + PRIVATE-TOKEN: "{{ ocp4_workload_redhat_developer_hub_gitlab_root_token }}" + validate_certs: false + status_code: [201] + register: r_devspaces_app + retries: 60 + delay: 10 + until: r_devspaces_app.status == 201 + +- name: Get Keycloak client credentials + set_fact: + ocp4_workload_redhat_developer_hub_devspaces_client_id: "{{ r_devspaces_app.json.application_id }}" + ocp4_workload_redhat_developer_hub_devspaces_client_secret: "{{ r_devspaces_app.json.secret }}" + +- name: List Gitlab users + ansible.builtin.uri: + url: https://{{ ocp4_workload_redhat_developer_hub_gitlab_host }}/api/v4/users + method: GET + headers: + PRIVATE-TOKEN: "{{ ocp4_workload_redhat_developer_hub_gitlab_root_token }}" + validate_certs: false + status_code: 200 + register: r_users + +- name: Create development group + ansible.builtin.uri: + url: https://{{ ocp4_workload_redhat_developer_hub_gitlab_host }}/api/v4/groups + method: POST + body_format: form-urlencoded + body: + name: development + path: development + visibility: public + headers: + PRIVATE-TOKEN: "{{ ocp4_workload_redhat_developer_hub_gitlab_root_token }}" + validate_certs: false + status_code: 201 + register: r_group + retries: 100 + delay: 5 + until: r_group.status == 201 + +- name: Add users to development group + when: item.username.startswith('user') + ansible.builtin.uri: + url: https://{{ ocp4_workload_redhat_developer_hub_gitlab_host 
}}/api/v4/groups/{{ r_group.json.id }}/members + method: POST + body_format: form-urlencoded + body: + user_id: "{{ item.id }}" + access_level: 50 + headers: + PRIVATE-TOKEN: "{{ ocp4_workload_redhat_developer_hub_gitlab_root_token }}" + validate_certs: false + status_code: 201 + register: r_group_user + retries: 100 + delay: 5 + until: r_group_user.status == 201 + loop: "{{ r_users.json }}" diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_gitlab_runner.yml b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_gitlab_runner.yml new file mode 100644 index 00000000000..bf73722c8a2 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_gitlab_runner.yml 
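Review bot: `List Gitlab users` calls `/api/v4/users` without `per_page`, and the GitLab API returns 20 entries per page by default, so once `ocp4_workload_redhat_developer_hub_users_count` plus root and the admin user exceed a page the `Add users to development group` loop silently skips the rest; request `?per_page=100` and follow `X-Next-Page`, or at minimum size the page from the user count. Both OAuth applications are registered with `confidential: false` and `scopes: api read_user read_repository write_repository sudo openid profile email`; an identity broker needs only `openid profile email read_user`, and `sudo` on a public client means any leaked token can act as any GitLab user. `access_level: 50` makes every workshop user an Owner of `development`, where 30 (Developer) or 40 (Maintainer) is usually sufficient. The second `Get Keycloak client credentials` task name should read Devspaces.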
@@ -0,0 +1,98 @@ +--- +- name: Install GitLab Runner Operator + block: + - name: Install GitLab Runner Operator + include_role: + name: install_operator + vars: + install_operator_action: install + install_operator_name: gitlab-runner-operator + install_operator_namespace: openshift-operators + install_operator_channel: stable + install_operator_catalog: certified-operators + install_operator_packagemanifest_name: gitlab-runner-operator + install_operator_automatic_install_plan_approval: true + install_operator_csv_nameprefix: gitlab-runner-operator + +- name: Template out registration token script + ansible.builtin.template: + src: templates/script-get-registration-token.yml.j2 + dest: /home/ec2-user/create-registration-token.sh + +- name: Create registration token secret + shell: | + sh /home/ec2-user/create-registration-token.sh + +- name: Create GitLab Runner instance + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', 'gitlab-runner-techdocs.yml.j2' ) | from_yaml }}" + +- name: Retrieve bucket secret + kubernetes.core.k8s_info: + api_version: v1 + kind: Secret + name: backstage-bucket-claim + namespace: "{{ ocp4_workload_redhat_developer_hub_backstage_namespace }}" + register: r_bucket_secret + retries: 120 + delay: 10 + until: + - r_bucket_secret is defined + - r_bucket_secret.resources is defined + - r_bucket_secret.resources | length > 0 + +- name: Retrieve bucket config + kubernetes.core.k8s_info: + api_version: v1 + kind: ConfigMap + name: backstage-bucket-claim + namespace: "{{ ocp4_workload_redhat_developer_hub_backstage_namespace }}" + register: r_bucket_config + retries: 120 + delay: 10 + until: + - r_bucket_config is defined + - r_bucket_config.resources is defined + - r_bucket_config.resources | length > 0 + +- name: Retrieve s3 bucket route + kubernetes.core.k8s_info: + api_version: route.openshift.io/v1 + kind: Route + name: s3 + namespace: openshift-storage + register: r_s3_route + until: + - r_s3_route is defined + - 
r_s3_route.resources is defined + - r_s3_route.resources | length > 0 + +- name: Create CI/CD Variables + ansible.builtin.uri: + url: https://{{ ocp4_workload_redhat_developer_hub_gitlab_host }}/api/v4/admin/ci/variables + method: POST + body_format: json + body: + "key": "{{ item.name }}" + "variable_type": "env_var" + "value": "{{ item.value }}" + "protected": false + "masked": false + "raw": false + "environment_scope": "*" + headers: + PRIVATE-TOKEN: "{{ ocp4_workload_redhat_developer_hub_gitlab_root_token }}" + validate_certs: false + status_code: [201] + loop: + - name: TECHDOCS_S3_BUCKET_NAME + value: "{{ r_bucket_config.resources[0].data.BUCKET_NAME }}" + - name: AWS_ACCESS_KEY_ID + value: "{{ r_bucket_secret.resources[0].data.AWS_ACCESS_KEY_ID | b64decode }}" + - name: AWS_SECRET_ACCESS_KEY + value: "{{ r_bucket_secret.resources[0].data.AWS_SECRET_ACCESS_KEY | b64decode }}" + - name: AWS_REGION + value: us-east-2 + - name: AWS_ENDPOINT + value: "https://{{ r_s3_route.resources[0].spec.host }}" \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_rhsso.yml b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_rhsso.yml new file mode 100644 index 00000000000..3838ffc33b3 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_rhsso.yml 
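Review bot: `Create CI/CD Variables` stores `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` as instance-level variables with `"masked": false` and `"protected": false`, so they print verbatim in every pipeline's job log, and the task has no `no_log`, so the decoded values also appear in Ansible's per-item loop output; set `"masked": true` for the two key items (provided the values meet GitLab's masking constraints) and add `no_log: true` to the task. `AWS_REGION` is hard-coded to `us-east-2` while setup_backstage.yml in this commit uses `{{ aws_region }}` for the same bucket; use the variable here too. `Create registration token secret` runs `sh /home/ec2-user/create-registration-token.sh` unconditionally, so a re-run re-registers; a `creates:` argument or a check on the resulting secret would make it idempotent.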
@@ -0,0 +1,80 @@ +--- +- name: Create RHSSO application + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', 'application-rhsso-backstage.yml.j2' ) | from_yaml }}" + +- name: Retrieve backstage realm client credentials + kubernetes.core.k8s_info: + api_version: v1 + kind: Secret + name: keycloak-client-secret-backstage + namespace: "{{ ocp4_workload_redhat_developer_hub_backstage_namespace }}" + register: r_realm_credentials + retries: 120 + delay: 10 + until: + - r_realm_credentials is defined + - r_realm_credentials.resources is defined + - r_realm_credentials.resources | length > 0 + - r_realm_credentials.resources[0].data is defined + - r_realm_credentials.resources[0].data.CLIENT_ID is defined + - r_realm_credentials.resources[0].data.CLIENT_ID | length > 0 + - r_realm_credentials.resources[0].data.CLIENT_SECRET is defined + - r_realm_credentials.resources[0].data.CLIENT_SECRET | length > 0 + +- name: Decode realm credentials + set_fact: + ocp4_workload_redhat_developer_hub_backstage_client_id: "{{ r_realm_credentials.resources[0].data.CLIENT_ID | b64decode }}" + ocp4_workload_redhat_developer_hub_backstage_client_secret: "{{ r_realm_credentials.resources[0].data.CLIENT_SECRET | b64decode }}" + +- name: Create Openshift SSO via Keycloak + block: + - name: Create keycloak auth resources + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', item ) | from_yaml }}" + namespace: "{{ ocp4_workload_redhat_developer_hub_backstage_namespace }}" + loop: + - keycloak-realm-openshift.yml.j2 + - keycloak-client-openshift.yml.j2 + - keycloak-admin-user-openshift.yml.j2 + + - name: Create KeyCloak Users + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', 'keycloak-dev-user-openshift.yml.j2' ) | from_yaml }}" + namespace: "{{ ocp4_workload_redhat_developer_hub_backstage_namespace }}" + loop: "{{ range(0, ocp4_workload_redhat_developer_hub_users_count | int, 1) | list }}" + + - name: Retrieve openshift 
realm client credentials + kubernetes.core.k8s_info: + api_version: v1 + kind: Secret + name: keycloak-client-secret-openshift + namespace: "{{ ocp4_workload_redhat_developer_hub_backstage_namespace }}" + register: r_realm_credentials + retries: 120 + delay: 10 + until: + - r_realm_credentials is defined + - r_realm_credentials.resources is defined + - r_realm_credentials.resources | length > 0 + - r_realm_credentials.resources[0].data is defined + - r_realm_credentials.resources[0].data.CLIENT_ID is defined + - r_realm_credentials.resources[0].data.CLIENT_ID | length > 0 + - r_realm_credentials.resources[0].data.CLIENT_SECRET is defined + - r_realm_credentials.resources[0].data.CLIENT_SECRET | length > 0 + + - name: Decode openshift realm client secret + set_fact: + ocp4_workload_redhat_developer_hub_openshift_client_secret: "{{ r_realm_credentials.resources[0].data.CLIENT_SECRET | b64decode }}" + + - name: Create openshift auth resources + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', item ) | from_yaml }}" + loop: + - secret-openid-client-openshift.yml.j2 + - oauth-keycloak-openshift.yml.j2 + - cluster-role-binding-admin.yml.j2 diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_templates.yml b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_templates.yml new file mode 100644 index 00000000000..bbae6da72cd --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/setup_templates.yml 
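Review bot: `r_realm_credentials` is registered twice — for `keycloak-client-secret-backstage` at the top and again for `keycloak-client-secret-openshift` inside the block — so after this file runs the variable holds the openshift client while `Decode realm credentials` consumed the backstage one; renaming the second to `r_openshift_realm_credentials` prevents a re-ordered or later task from decoding the wrong secret. Both `set_fact` tasks that decode `CLIENT_SECRET`, and the `k8s_info` tasks that register the Secret objects, lack `no_log: true`, so the client secrets appear in verbose output. `cluster-role-binding-admin.yml.j2` is applied without a namespace and its name suggests a cluster-scoped admin binding for the Keycloak users; a comment naming the intended subject and role would help, since the template is not in this hunk.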
@@ -0,0 +1,67 @@ +--- +- name: Build git repo url + set_fact: + ocp4_workload_redhat_developer_hub_template_repo_url: + https://{{ ocp4_workload_redhat_developer_hub_gitlab_root_user }}:{{ + ocp4_workload_redhat_developer_hub_gitlab_root_password }}@{{ + ocp4_workload_redhat_developer_hub_gitlab_host }}/{{ + location.group }}/{{ location.project }} + +- name: Remove older repo folders + shell: rm -rf ~/{{ location.project }} + +- name: Clone {{ location.project }} + ansible.builtin.git: + accept_hostkey: true + force: true + repo: "{{ ocp4_workload_redhat_developer_hub_template_repo_url }}" + dest: "~/{{ location.project }}" + version: "{{ location.branch }}" + environment: + GIT_SSL_NO_VERIFY: "true" + +- name: Apply template values to location template + include_tasks: fetch_and_apply_template.yml + loop: + - "{{ location.file }}" + loop_control: + loop_var: template_file + vars: + folder: /home/ec2-user/{{ location.project }} + gitlab_host: "{{ ocp4_workload_redhat_developer_hub_gitlab_host }}" + gitlab_group: "{{ location.group }}" + gitlab_user_count: "{{ ocp4_workload_redhat_developer_hub_users_count }}" + +- name: Apply template values to scaffolding templates + include_tasks: fetch_and_apply_template.yml + loop: "{{ location.templates }}" + loop_control: + loop_var: template_file + vars: + folder: /home/ec2-user/{{ location.project }} + gitlab_host: "{{ ocp4_workload_redhat_developer_hub_gitlab_host }}" + gitlab_destination_group: development + cluster_subdomain: ".{{ ocp4_workload_redhat_developer_hub_apps_domain}}" + quay_host: "{{ ocp4_workload_redhat_developer_hub_quay_host }}" + +- name: Add new files to the repository + command: + chdir: >- + /home/ec2-user/{{ location.project }} + cmd: "git add ." + ignore_errors: true + +- name: Commit changes to the repository + command: + chdir: >- + /home/ec2-user/{{ location.project }} + cmd: >- + git commit -a -m 'Updates for starting scenario.' 
+ ignore_errors: true + +- name: Push all changes back to the project repository + command: + chdir: >- + /home/ec2-user/{{ location.project }} + cmd: >- + git push {{ ocp4_workload_redhat_developer_hub_template_repo_url }} \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/workload.yml b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/workload.yml new file mode 100644 index 00000000000..2ff42594c71 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/tasks/workload.yml 
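Review bot: `ocp4_workload_redhat_developer_hub_template_repo_url` embeds the GitLab root password, and that URL is then passed to `ansible.builtin.git` as `repo:` and to `command` as `git push {{ ... }}`, so the password appears in task output and failure messages unless `no_log: true` is set on the `set_fact`, the clone and the push tasks. The clone additionally sets `GIT_SSL_NO_VERIFY: "true"`, which sends those credentials over a TLS connection whose certificate is never checked; if the GitLab route uses a self-signed certificate, pointing `GIT_SSL_CAINFO` at the cluster CA bundle is the safer alternative. `shell: rm -rf ~/{{ location.project }}` interpolates a variable into a shell line where `ansible.builtin.file: path: "~/{{ location.project }}" state: absent` does the same without a shell. Note also that the clone goes to `~/{{ location.project }}` while the later tasks hard-code `/home/ec2-user/{{ location.project }}`, which only agree when the remote user is `ec2-user`, and `ignore_errors: true` on `git add`/`git commit` hides a failed commit before the push.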
@@ -0,0 +1,158 @@ +--- +- name: Setting up workload + debug: + msg: "Setting up GitLab" + +- name: Retrieve Ingress config + k8s_info: + api_version: config.openshift.io/v1 + kind: Ingress + name: cluster + register: r_ingress_config + +- name: Get OpenShift Apps Domain + set_fact: + ocp4_workload_redhat_developer_hub_apps_domain: "{{ r_ingress_config.resources[0].spec.domain }}" + ocp4_workload_redhat_developer_hub_gitlab_host: "gitlab-{{ + ocp4_workload_redhat_developer_hub_gitlab_namespace }}.{{ + r_ingress_config.resources[0].spec.domain }}" + ocp4_workload_redhat_developer_hub_keycloak_host: "keycloak-{{ + ocp4_workload_redhat_developer_hub_backstage_namespace }}.{{ + r_ingress_config.resources[0].spec.domain }}" + ocp4_workload_redhat_developer_hub_backstage_host: "backstage-{{ + ocp4_workload_redhat_developer_hub_backstage_namespace }}.{{ + r_ingress_config.resources[0].spec.domain }}" + ocp4_workload_redhat_developer_hub_devspaces_host: "devspaces.{{ + r_ingress_config.resources[0].spec.domain }}" + ocp4_workload_redhat_developer_hub_openshift_redirect_host: "oauth-openshift.{{ + r_ingress_config.resources[0].spec.domain }}" + ocp4_workload_redhat_developer_hub_openshift_console_host: console-openshift-console.{{ + r_ingress_config.resources[0].spec.domain }} + ocp4_workload_redhat_developer_hub_quay_host: quay-{{ guid }}.{{ + r_ingress_config.resources[0].spec.domain }} + +- name: Setup Gitlab dependencies + include_tasks: + file: ./setup_gitlab.yml + +- name: Setup RHSSO dependencies + include_tasks: + file: ./setup_rhsso.yml + +- name: Setup Gitlab repo dependencies + include_tasks: + file: ./setup_templates.yml + loop: "{{ ocp4_workload_redhat_developer_hub_gitlab_template_locations }}" + loop_control: + loop_var: location + +- name: Setup Backstage dependencies + include_tasks: + file: ./setup_backstage.yml + +- name: Setup Gitlab dependencies Runner + include_tasks: + file: ./setup_gitlab_runner.yml + +- name: Setup Devspaces dependencies + 
include_tasks: + file: ./setup_devspaces.yml + +- name: Build user output + block: + - set_fact: + user_list: "{{ ocp4_workload_redhat_developer_hub_username_base}}1" + - when: ocp4_workload_redhat_developer_hub_users_count | int > 1 + set_fact: + user_list: "{{ user_list }}\n{{ ocp4_workload_redhat_developer_hub_username_base }}{{ item + 1 }}" + loop: "{{ range(1, ocp4_workload_redhat_developer_hub_users_count | int, 1) | list }}" + +- name: Save user information + block: + - name: Save user information for user access + agnosticd_user_info: + user: "{{ ocp4_workload_redhat_developer_hub_username_base }}{{ n +1 }}" + data: + user: "{{ ocp4_workload_redhat_developer_hub_username_base }}{{ n +1 }}" + password: "{{ ocp4_workload_redhat_developer_hub_users_password }}" + loop: "{{ range(0, ocp4_workload_redhat_developer_hub_users_count | int) | list }}" + loop_control: + loop_var: n + +- name: Save user data + agnosticd_user_info: + data: + openshift_console_url: https://{{ ocp4_workload_redhat_developer_hub_openshift_console_host }} + openshift_admin_user: "{{ ocp4_workload_redhat_developer_hub_admin_user }}" + openshift_admin_password: "{{ ocp4_workload_redhat_developer_hub_admin_password }}" + rhdh_url: https://{{ ocp4_workload_redhat_developer_hub_backstage_host }} + rhdh_id_provider: GitLab + rhdh_user: "{{ user_list }}" + rhdh_user_password: "{{ ocp4_workload_redhat_developer_hub_users_password }}" + argocd_url: https://{{ ocp4_workload_redhat_developer_hub_argocd_host }} + argocd_user: admin + argocd_user_password: "{{ common_password }}" + gitlab_url: https://{{ ocp4_workload_redhat_developer_hub_gitlab_host }} + gitlab_user: "{{ user_list }}" + gitlab_user_password: "{{ ocp4_workload_redhat_developer_hub_users_password }}" + devspaces_url: https://{{ ocp4_workload_redhat_developer_hub_devspaces_host }} + devspaces_user: "{{ user_list }}" + devspaces_user_password: "{{ ocp4_workload_redhat_developer_hub_users_password }}" + +- name: Print Admin credentials + 
agnosticd_user_info: + msg: "{{ item }}" + loop: + - "" + - "Your Openshift login credentials:" + - "Openshift console: https://{{ ocp4_workload_redhat_developer_hub_openshift_console_host }}" + - "Openshift admin user: {{ ocp4_workload_redhat_developer_hub_admin_user }}" + - "Openshift admin password: {{ ocp4_workload_redhat_developer_hub_admin_password }}" + +- name: Print RH Developer Hub credentials + agnosticd_user_info: + msg: "{{ item }}" + loop: + - "" + - "Your Backstage login credentials:" + - "RH Developer Hub: https://{{ ocp4_workload_redhat_developer_hub_backstage_host }}" + - "RH Developer Hub identity provider: GitLab" + - "RH Developer Hub user: {{ user_list }}" + - "RH Developer Hub password: {{ ocp4_workload_redhat_developer_hub_users_password }}" + +- name: Print Janus ArgoCD credentials + agnosticd_user_info: + msg: "{{ item }}" + loop: + - "" + - "Your Janus ArgoCD login credentials:" + - "ArgoCD: https://{{ ocp4_workload_redhat_developer_hub_argocd_host }}" + - "ArgoCD user: admin" + - "ArgoCD password: {{ common_password }}" + +- name: Print GitLab credentials + agnosticd_user_info: + msg: "{{ item }}" + loop: + - "" + - "Your GitLab login credentials:" + - "GitLab: https://{{ ocp4_workload_redhat_developer_hub_gitlab_host }}" + - "GitLab user: {{ user_list }}" + - "GitLab password: {{ ocp4_workload_redhat_developer_hub_users_password }}" + +- name: Print Devspaces credentials + agnosticd_user_info: + msg: "{{ item }}" + loop: + - "" + - "Your Devspaces login credentials:" + - "Devspaces: https://{{ ocp4_workload_redhat_developer_hub_devspaces_host }}" + - "Devspaces user: {{ user_list }}" + - "Devspaces password: {{ ocp4_workload_redhat_developer_hub_users_password }}" + +# Leave this as the last task in the playbook. +# -------------------------------------------- +- name: workload tasks complete + debug: + msg: "Workload Tasks completed successfully." + when: not silent|bool 
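Review bot: `ocp4_workload_redhat_developer_hub_argocd_host` is used by both `Save user data` and `Print Janus ArgoCD credentials` but is not among the facts set in `Get OpenShift Apps Domain`; unless one of the included task files (not visible here) sets it, both tasks fail on an undefined variable, so it should be derived in that `set_fact` alongside the other hosts or the file that defines it should be named in a comment. The opening debug message `msg: "Setting up GitLab"` describes only the first include; `msg: "Setting up Red Hat Developer Hub workload"` would match what the file does. The two `set_fact` tasks inside `Build user output` have no `name:`, and the second puts `when:` above the module key while the last task in the file puts it after; giving both a name and a consistent key order makes the loop output readable.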
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/application-backstage-gitops.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/application-backstage-gitops.yml.j2 new file mode 100644 index 00000000000..928bc8aca3d --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/application-backstage-gitops.yml.j2 @@ -0,0 +1,40 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: backstage-gitops + namespace: openshift-gitops +spec: + project: default + source: + helm: + parameters: + - name: backstage.image.pullSecret + value: {{ redhat_gpte_devhub_pull_secret | b64encode }} + - name: backstage.app.repoURL + value: {{ ocp4_workload_redhat_developer_hub_backstage_helm_chart_repo }} + - name: backstage.app.chart + value: {{ ocp4_workload_redhat_developer_hub_backstage_helm_chart }} + - name: backstage.app.valueFile + value: {{ ocp4_workload_redhat_developer_hub_backstage_helm_repo }}/-/raw/main/charts/backstage/backstage-values.yaml + - name: backstage.app.targetRevision + value: {{ ocp4_workload_redhat_developer_hub_backstage_helm_chart_version }} + repoURL: {{ ocp4_workload_redhat_developer_hub_backstage_helm_repo }}.git + targetRevision: main + path: charts/backstage + destination: + server: https://kubernetes.default.svc + namespace: {{ ocp4_workload_redhat_developer_hub_backstage_namespace }} + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - RespectIgnoreDifferences=true + - ApplyOutOfSyncOnly=true + retry: + backoff: + duration: 10s # the amount to back off. Default unit is seconds, but could also be a duration (e.g. "2m", "1h") + factor: 2 # a factor to multiply the base duration after each failed retry + maxDuration: 10m # the maximum amount of time allowed for the backoff strategy + limit: 15 \ No newline at end of file 
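Review bot: `backstage.image.pullSecret` carries `redhat_gpte_devhub_pull_secret` base64-encoded directly in the Argo CD Application spec, which is not a Secret: it is visible to anyone who can read Application objects in `openshift-gitops` and in the Argo CD UI, and base64 is not encryption. The same pattern puts `oauth.clientSecret` into application-devspaces.yml.j2 and `realm.identityProviders[0].clientSecret` into application-rhsso-backstage.yml.j2. Creating a Kubernetes Secret in the destination namespace with `kubernetes.core.k8s` and having the charts reference it by name keeps the material out of the Application object and out of Argo CD's diff view. The templated `value:` scalars are also unquoted; a value that starts with a YAML indicator or contains `: ` would break the rendered manifest, so `value: "{{ ... }}"` is safer throughout these templates.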
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/application-devspaces.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/application-devspaces.yml.j2 new file mode 100644 index 00000000000..c87010794a7 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/application-devspaces.yml.j2 @@ -0,0 +1,42 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: devspaces + namespace: openshift-gitops +spec: + project: default + source: + helm: + parameters: + - name: oauth.clientId + value: {{ ocp4_workload_redhat_developer_hub_devspaces_client_id }} + - name: oauth.clientSecret + value: {{ ocp4_workload_redhat_developer_hub_devspaces_client_secret }} + - name: oauth.provider + value: https://{{ ocp4_workload_redhat_developer_hub_gitlab_host }} + repoURL: {{ ocp4_workload_redhat_developer_hub_janus_bootstrap_repo }} + targetRevision: {{ ocp4_workload_redhat_developer_hub_janus_bootstrap_repo_target_revision }} + path: charts/devspaces + destination: + server: https://kubernetes.default.svc + namespace: openshift-devspaces + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - RespectIgnoreDifferences=true + - ApplyOutOfSyncOnly=true + retry: + backoff: + duration: 10s # the amount to back off. Default unit is seconds, but could also be a duration (e.g. "2m", "1h") + factor: 2 # a factor to multiply the base duration after each failed retry + maxDuration: 10m # the maximum amount of time allowed for the backoff strategy + limit: 15 + ignoreDifferences: + - group: org.eclipse.che + kind: CheCluster + name: devspaces + jsonPointers: + - /spec \ No newline at end of file 
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/application-rhsso-backstage.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/application-rhsso-backstage.yml.j2 new file mode 100644 index 00000000000..8189933168a --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/application-rhsso-backstage.yml.j2 
@@ -0,0 +1,57 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: rhsso-backstage + namespace: openshift-gitops +spec: + destination: + namespace: {{ ocp4_workload_redhat_developer_hub_backstage_namespace }} + server: https://kubernetes.default.svc + project: default + source: + helm: + parameters: + - name: client.redirectUri[0] + value: https://{{ ocp4_workload_redhat_developer_hub_backstage_host }}/oauth2/callback + - name: realm.identityProviders[0].alias + value: GitLab + - name: realm.identityProviders[0].providerId + value: oidc + - name: realm.identityProviders[0].clientId + value: {{ ocp4_workload_redhat_developer_hub_keycloak_client_id }} + - name: realm.identityProviders[0].clientSecret + value: {{ ocp4_workload_redhat_developer_hub_keycloak_client_secret }} + - name: realm.identityProviders[0].tokenUrl + value: https://{{ ocp4_workload_redhat_developer_hub_gitlab_host }}/oauth/token + - name: realm.identityProviders[0].authorizationUrl + value: https://{{ ocp4_workload_redhat_developer_hub_gitlab_host }}/oauth/authorize + - name: realm.identityProviders[0].clientAuthMethod + value: client_secret_basic + - name: realm.identityProviders[0].syncMode + value: IMPORT + - name: subscription.channel + value: stable + - name: subscription.installPlanApproval + value: Automatic + - name: subscription.name + value: rhsso-operator + - name: subscription.source + value: redhat-operators + - name: subscription.sourceNamespace + value: openshift-marketplace + - name: subscription.startingCSV + value: rhsso-operator.7.6.4-opr-002 + path: charts/rhsso + repoURL: https://{{ ocp4_workload_redhat_developer_hub_gitlab_host }}/gitops/janus-idp-gitops.git + targetRevision: HEAD + syncPolicy: + automated: {} + retry: + limit: -1 + backoff: + duration: 5s + factor: 2 + maxDuration: 1m0s + syncOptions: + - CreateNamespace=true + - RespectIgnoreDifferences=true \ No newline at end of file 
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/cluster-role-binding-admin.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/cluster-role-binding-admin.yml.j2
new file mode 100644
index 00000000000..a5f5b1f0b68
--- /dev/null
+++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/cluster-role-binding-admin.yml.j2
@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: "cluster-admin-{{ ocp4_workload_redhat_developer_hub_admin_user }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: "{{ ocp4_workload_redhat_developer_hub_admin_user }}"
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/cluster-role-binding-default-sa-admin.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/cluster-role-binding-default-sa-admin.yml.j2
new file mode 100644
index 00000000000..cbaae8a007d
--- /dev/null
+++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/cluster-role-binding-default-sa-admin.yml.j2
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cluster-admin-default-default
+subjects:
+ - kind: ServiceAccount
+ namespace: default
+ name: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/crb-default-sa-cluster-admin.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/crb-default-sa-cluster-admin.yml.j2
new file mode 100644
index 00000000000..87402c80817
--- /dev/null
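Review bot: cluster-role-binding-default-sa-admin.yml.j2 binds `cluster-admin` to the `default` ServiceAccount of the `default` namespace, which gives every pod scheduled there under the default service account full control of the cluster; if some workload really needs cluster-wide rights, a dedicated ServiceAccount bound to a narrower ClusterRole is the least-privilege equivalent. crb-default-sa-cluster-admin.yml.j2 in the next file section is a second copy of the same object with the same `metadata.name: cluster-admin-default-default`, but its subject is written `kind: serviceAccount`; the RBAC API expects `ServiceAccount`, so that copy is either rejected or does not match the intended subject, and only one of the two files should remain. Neither template is referenced by the task files in this diff chunk, so if both are unused they can simply be dropped rather than fixed.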
+++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/crb-default-sa-cluster-admin.yml.j2
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cluster-admin-default-default
+subjects:
+ - kind: serviceAccount
+ namespace: default
+ name: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/gitlab-runner-techdocs.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/gitlab-runner-techdocs.yml.j2
new file mode 100644
index 00000000000..4ba161c0f86
--- /dev/null
+++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/gitlab-runner-techdocs.yml.j2
@@ -0,0 +1,8 @@
+apiVersion: apps.gitlab.com/v1beta2
+kind: Runner
+metadata:
+ name: techdocs-runner
+ namespace: {{ ocp4_workload_redhat_developer_hub_gitlab_namespace }}
+spec:
+ gitlabUrl: 'https://{{ ocp4_workload_redhat_developer_hub_gitlab_host }}'
+ token: gitlab-dev-runner-secret
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/keycloak-admin-user-openshift.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/keycloak-admin-user-openshift.yml.j2
new file mode 100644
index 00000000000..e9665ce6c2f
--- /dev/null
+++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/keycloak-admin-user-openshift.yml.j2
@@ -0,0 +1,23 @@ +apiVersion: keycloak.org/v1alpha1 +kind: KeycloakUser +metadata: + name: {{ ocp4_workload_redhat_developer_hub_admin_user }} + labels: + app: rhsso-openshift + app.kubernetes.io/instance: rhsso-openshift + app.kubernetes.io/name: rhsso-openshift +spec: + realmSelector: + matchLabels: + app: rhsso-openshift + app.kubernetes.io/instance: rhsso-openshift + app.kubernetes.io/name: rhsso-openshift + user: + credentials: + - temporary: false + type: password + value: {{ ocp4_workload_redhat_developer_hub_admin_password }} + username: {{ ocp4_workload_redhat_developer_hub_admin_user }} + email: {{ ocp4_workload_redhat_developer_hub_admin_user }}@opentlc.com + enabled: true + emailVerified: true diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/keycloak-client-openshift.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/keycloak-client-openshift.yml.j2 new file mode 100644 index 00000000000..ee41ce6bc23 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/keycloak-client-openshift.yml.j2 @@ -0,0 +1,30 @@ +apiVersion: keycloak.org/v1alpha1 +kind: KeycloakClient +metadata: + labels: + app: rhsso-openshift + app.kubernetes.io/instance: rhsso-openshift + app.kubernetes.io/name: rhsso-openshift + name: openshift +spec: + client: + clientAuthenticatorType: client-secret + redirectUris: + - https://{{ ocp4_workload_redhat_developer_hub_openshift_redirect_host }}/oauth2callback/rhsso + serviceAccountsEnabled: true + clientId: idp-4-ocp + defaultClientScopes: + - profile + - email + - roles + - acr + - web-origins + implicitFlowEnabled: false + publicClient: false + standardFlowEnabled: true + directAccessGrantsEnabled: true + realmSelector: + matchLabels: + app: rhsso-openshift + app.kubernetes.io/instance: rhsso-openshift + app.kubernetes.io/name: rhsso-openshift 
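Review bot: The `idp-4-ocp` KeycloakClient enables `directAccessGrantsEnabled: true` and `serviceAccountsEnabled: true`, yet the OAuth CR in oauth-keycloak-openshift.yml.j2 only uses the authorization-code flow that `standardFlowEnabled` provides; the password grant and client-credentials grant widen what a leaked client secret can do (a token for any realm user from a username/password, or a client token with no user at all). Set both to `false` unless a consumer of those grants is known. In keycloak-admin-user-openshift.yml.j2 the `value:`, `username:` and `email:` scalars are unquoted Jinja; a password containing `#`, `: ` or a leading `*`/`&` breaks the rendered YAML, so quote them, e.g. `value: "{{ ocp4_workload_redhat_developer_hub_admin_password }}"`.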
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/keycloak-dev-user-openshift.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/keycloak-dev-user-openshift.yml.j2 new file mode 100644 index 00000000000..41d8d9eaf74 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/keycloak-dev-user-openshift.yml.j2 @@ -0,0 +1,23 @@ +apiVersion: keycloak.org/v1alpha1 +kind: KeycloakUser +metadata: + name: user{{ item + 1 }} + labels: + app: rhsso-openshift + app.kubernetes.io/instance: rhsso-openshift + app.kubernetes.io/name: rhsso-openshift +spec: + realmSelector: + matchLabels: + app: rhsso-openshift + app.kubernetes.io/instance: rhsso-openshift + app.kubernetes.io/name: rhsso-openshift + user: + credentials: + - temporary: false + type: password + value: {{ ocp4_workload_redhat_developer_hub_admin_password }} + username: user{{ item + 1 }} + email: user{{ item + 1 }}@opentlc.com + enabled: true + emailVerified: true diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/keycloak-realm-openshift.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/keycloak-realm-openshift.yml.j2 new file mode 100644 index 00000000000..e46e53036dd --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/keycloak-realm-openshift.yml.j2 @@ -0,0 +1,19 @@ +apiVersion: keycloak.org/v1alpha1 +kind: KeycloakRealm +metadata: + name: openshift + labels: + app: rhsso-openshift + app.kubernetes.io/instance: rhsso-openshift + app.kubernetes.io/name: rhsso-openshift +spec: + instanceSelector: + matchLabels: + app: rhsso-backstage + app.kubernetes.io/instance: rhsso-backstage + app.kubernetes.io/name: rhsso-backstage + realm: + displayName: Openshift Authentication Realm + enabled: true + id: openshift + realm: openshift 
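Review bot: keycloak-dev-user-openshift.yml.j2 sets every developer user's password to `ocp4_workload_redhat_developer_hub_admin_password`, while workload.yml reports `ocp4_workload_redhat_developer_hub_users_password` to those users as their password; either the users cannot log in with the published value, or every lab user holds the admin password. The template should use `value: "{{ ocp4_workload_redhat_developer_hub_users_password }}"`. The username is also hard-coded as `user{{ item + 1 }}` (and the same prefix in `metadata.name` and `email`), whereas workload.yml builds the names it publishes from `ocp4_workload_redhat_developer_hub_username_base`; using that base variable here keeps the Keycloak accounts in step with the names printed in the user info.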
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/oauth-keycloak-openshift.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/oauth-keycloak-openshift.yml.j2
new file mode 100644
index 00000000000..ad16c24c19a
--- /dev/null
+++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/oauth-keycloak-openshift.yml.j2
@@ -0,0 +1,24 @@
+---
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+ name: cluster
+spec:
+ identityProviders:
+ - mappingMethod: claim
+ name: rhsso
+ openID:
+ claims:
+ email:
+ - email
+ name:
+ - name
+ preferredUsername:
+ - preferred_username
+ clientID: idp-4-ocp
+ clientSecret:
+ name: openid-client-secret-bb6zw
+ extraScopes: []
+ issuer: >-
+ https://{{ ocp4_workload_redhat_developer_hub_keycloak_host }}/auth/realms/openshift
+ type: OpenID
\ No newline at end of file
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/object-bucket-claim.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/object-bucket-claim.yml.j2
new file mode 100644
index 00000000000..fcdd6ddeb67
--- /dev/null
+++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/object-bucket-claim.yml.j2
@@ -0,0 +1,8 @@
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+ name: backstage-bucket-claim
+ namespace: {{ ocp4_workload_redhat_developer_hub_backstage_namespace }}
+spec:
+ generateBucketName: backstage-bucket-
+ storageClassName: openshift-storage.noobaa.io
\ No newline at end of file
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/script-get-registration-token.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/script-get-registration-token.yml.j2
new file mode 100644
index 00000000000..7eea587d7cb
--- /dev/null
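Review bot: The `cluster` OAuth CR is applied with a complete `identityProviders` list that contains only `rhsso`; as far as I can tell `kubernetes.core.k8s` with `state: present` patches the existing object, and a list field in a merge patch is replaced rather than appended, so any identity provider already configured on the cluster (including the one the current admin logs in with) is likely removed when setup_rhsso runs. Reading the live OAuth with `k8s_info` and appending the new entry to `spec.identityProviders` would preserve existing logins; at minimum the role should state in a comment that it takes over cluster authentication. `clientSecret.name: openid-client-secret-bb6zw` does match the Secret in secret-openid-client-openshift.yml.j2, but the random-looking suffix reads like a name copied from a live cluster; a descriptive fixed name shared by both files (a constructed example: `rhsso-openid-client-secret`) would make the pairing obvious to the next maintainer.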
+++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/script-get-registration-token.yml.j2
@@ -0,0 +1,21 @@
+set -x
+
+gitlab_host="https://{{ ocp4_workload_redhat_developer_hub_gitlab_host }}"
+gitlab_user="{{ ocp4_workload_redhat_developer_hub_gitlab_root_user }}"
+gitlab_password="{{ ocp4_workload_redhat_developer_hub_gitlab_root_password }}"
+
+body_header=$(curl -c /tmp/cookies.txt -i "${gitlab_host}/users/sign_in" -s --insecure)
+
+csrf_token=$(echo $body_header | perl -ne 'print "$1\n" if /new_user.*?authenticity_token"[[:blank:]]value="(.+?)"/' | sed -n 1p)
+
+curl -L -b /tmp/cookies.txt -c /tmp/cookies.txt -i "${gitlab_host}/users/sign_in" \
+  --data-raw "user%5Blogin%5D=${gitlab_user}&user%5Bpassword%5D=${gitlab_password}" \
+  --data-urlencode "authenticity_token=${csrf_token}" \
+  --compressed \
+  --insecure 2>&1 > /dev/null
+
+body_header=$(curl -sS -k -H 'user-agent: curl' -b /tmp/cookies.txt "${gitlab_host}/admin/runners" -o /tmp/gitlab-header.txt)
+
+reg_token=$(cat /tmp/gitlab-header.txt | grep data-registration-token | sed -e 's/^.*data-registration-token="//' -e 's/".*//')
+
+oc create secret generic gitlab-dev-runner-secret --from-literal=runner-registration-token=$reg_token -n gitlab
\ No newline at end of file
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/secret-openid-client-openshift.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/secret-openid-client-openshift.yml.j2
new file mode 100644
index 00000000000..16484bb3d9d
--- /dev/null
+++ b/ansible/roles_ocp_workloads/ocp4_workload_redhat_developer_hub_operator/templates/secret-openid-client-openshift.yml.j2
@@ -0,0 +1,8 @@
+kind: Secret
+apiVersion: v1
+metadata:
+ name: openid-client-secret-bb6zw
+ namespace: openshift-config
+stringData:
+ clientSecret: {{ ocp4_workload_redhat_developer_hub_openshift_client_secret }}
+type: Opaque
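Review bot: `set -x` on the first line makes the shell echo every expanded command, so the GitLab root password in the `--data-raw` body and the runner registration token in the final `oc create secret` line are written to whatever captures this script's stderr; drop `set -x`, or wrap those two commands in `set +x` / `set -x`. The last line hard-codes `-n gitlab`, while the Runner in gitlab-runner-techdocs.yml.j2 is created in `{{ ocp4_workload_redhat_developer_hub_gitlab_namespace }}` and reads `token: gitlab-dev-runner-secret` from its own namespace, so the two only meet when that variable happens to be `gitlab`; template the namespace here as well. `oc create` is also not idempotent (a second run fails with AlreadyExists), the session cookie jar lives at the fixed path `/tmp/cookies.txt`, and `--insecure`/`-k` disable certificate checking on the very request that carries the root password.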