├── .ansible-lint ├── .github └── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md ├── .gitignore ├── CHANGELOG.md ├── CONTRIBUTING.md ├── LICENSE ├── README-orig.md ├── README.md ├── assets ├── cluster-role-binding.png ├── config-map-add.png ├── config-map-variables.png ├── cp4ba-installation.png ├── cp4ba-postdeploy-cm.png ├── cp4ba-postdeploy-md.png ├── crb-delete.png ├── failed-install-job-log.png ├── failed-install-job-pod.png ├── failed-remove-job-log.png ├── failed-remove-job-pod.png ├── fncm-es-google-oidc-post.mp4 ├── fncm-es-google-oidc-pre.mp4 ├── install-job-pod-log.png ├── install-job-pod.png ├── install-job.png ├── installation-steps.png ├── pm-postdeploy-cm.png ├── pm-postdeploy-md.png ├── project-delete.png ├── project.png ├── remove-job-pod-log.png ├── remove-job-pod.png ├── remove-job.png ├── rpa-postdeploy-cm.png ├── rpa-postdeploy-md.png ├── success-install-job-log.png ├── success-install-job-pod.png ├── success-remove-job-log.png ├── success-remove-job-pod.png ├── usage-cm.png ├── usage-md.png └── utilization.png └── scripts ├── .DS_Store ├── ansible-lint-rules ├── CommonRoleVariableRule.py └── __init__.py ├── ansible.cfg ├── apollo-one-shot.sh ├── debug.yml ├── functions.sh ├── install.yml ├── local.md ├── main.yml ├── remove.yml ├── requirements.yml ├── requirements_git.yml ├── roles ├── akhq │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ └── values.yaml.j2 ├── asset_repo │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── assign-roles.yml │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── assetrepository.yaml.j2 │ │ ├── catalogsource.yaml.j2 │ │ └── subscription.yaml.j2 ├── cerebro │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── anyuid-scc-clusterrolebinding.yaml.j2 │ │ ├── configmap.yaml.j2 │ │ ├── deployment.yaml.j2 │ │ └── service.yaml.j2 ├── 
cloudbeaver │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── anyuid-scc-rolebinding.yaml.j2 │ │ ├── data-sources.json.j2 │ │ ├── deployment.yaml.j2 │ │ ├── pvc.yaml.j2 │ │ ├── secrets.yaml.j2 │ │ └── service.yaml.j2 ├── common │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── add-db2-user.yml │ │ ├── add-db2mc-connection.yml │ │ ├── apps-endpoint.yml │ │ ├── clear-resource-finalizers.yml │ │ ├── create-edge-route.yml │ │ ├── create-icr-secret.yml │ │ ├── create-project.yml │ │ ├── iam-token-client.yml │ │ ├── iam-token-user.yml │ │ ├── manage-manual-operator.yml │ │ ├── nexus-upload.yml │ │ ├── remove-db2-db.yml │ │ ├── remove-db2-user.yml │ │ ├── remove-db2mc-connection.yml │ │ ├── remove-operator.yml │ │ ├── remove-postgresql-db.yml │ │ ├── remove-postgresql-tablespace.yml │ │ ├── remove-postgresql-user.yml │ │ ├── wait-crd.yml │ │ ├── wait-operator.yml │ │ ├── wait-resource-condition-generic.yml │ │ ├── wait-resource-condition.yml │ │ └── zen-token.yml │ ├── templates │ │ ├── db2mc-profile.json.j2 │ │ ├── db2mc-token-request.json.j2 │ │ ├── edge-route.yaml.j2 │ │ ├── icr-secret.yaml.j2 │ │ └── project.yaml.j2 │ └── vars │ │ └── main.yml ├── config │ └── tasks │ │ ├── external-ldap.yml │ │ ├── internal-variables.yml │ │ └── main.yml ├── cp4ba │ ├── defaults │ │ └── main.yml │ ├── files │ │ ├── ban │ │ │ ├── lic-server-virtual.v1 │ │ │ └── lic-server.v1 │ │ ├── force-uninstall.sh │ │ └── ier │ │ │ ├── AdditionalJars.tgz │ │ │ └── ierconfig.tgz │ ├── tasks │ │ ├── cr-log.yml │ │ ├── db │ │ │ ├── aae-data-persistence.yml │ │ │ ├── aae.yml │ │ │ ├── adp.yml │ │ │ ├── ban.yml │ │ │ ├── bas.yml │ │ │ ├── bawaut.yml │ │ │ ├── fncm.yml │ │ │ ├── ier.yml │ │ │ └── odm.yml │ │ ├── dbs.yml │ │ ├── deploy.yml │ │ ├── install.yml │ │ ├── main.yml │ │ ├── postdeploy.yml │ │ ├── postdeploy │ │ │ ├── adp.yml │ │ │ ├── ads-maven-plugins.yml │ │ │ ├── ads.yml │ │ │ ├── baml.yml │ │ │ ├── bawaut.yml │ │ │ 
├── ier-tm.yml │ │ │ ├── ier.yml │ │ │ ├── odm.yml │ │ │ ├── tm.yml │ │ │ └── zen.yml │ │ ├── predeploy.yml │ │ ├── predeploy │ │ │ ├── aae-data-persistence.yml │ │ │ ├── aae.yml │ │ │ ├── adp.yml │ │ │ ├── ads.yml │ │ │ ├── bai.yml │ │ │ ├── ban.yml │ │ │ ├── bas.yml │ │ │ ├── bawaut.yml │ │ │ ├── fncm-es.yml │ │ │ ├── fncm.yml │ │ │ ├── iaf-automationbase.yml │ │ │ ├── iaf-automationuiconfig.yml │ │ │ ├── ier.yml │ │ │ ├── odm.yml │ │ │ ├── operator.yml │ │ │ ├── rr.yml │ │ │ └── shared.yml │ │ ├── remove.yml │ │ └── repository.yml │ └── templates │ │ ├── aae │ │ ├── aae-secret.yaml.j2 │ │ ├── cr-persistence.yaml.j2 │ │ └── cr.yaml.j2 │ │ ├── adp │ │ ├── adp-secret.yaml.j2 │ │ └── cr.yaml.j2 │ │ ├── ads │ │ ├── ads-secret.yaml.j2 │ │ ├── cr-designer.yaml.j2 │ │ └── cr-runtime.yaml.j2 │ │ ├── bai │ │ ├── bai-secret.yaml.j2 │ │ ├── cr.yaml.j2 │ │ └── workforce-insights-config-secret.yaml.j2 │ │ ├── ban │ │ ├── ban-secret.yaml.j2 │ │ └── cr.yaml.j2 │ │ ├── bas │ │ ├── bas-secret.yaml.j2 │ │ └── cr.yaml.j2 │ │ ├── bawaut │ │ ├── bawaut-custom-xml-secret.yaml.j2 │ │ └── cr.yaml.j2 │ │ ├── catalogsource.yaml.j2 │ │ ├── cp4ba-cr-configmap.yaml.j2 │ │ ├── cp4ba-operator-log-configmap.yaml.j2 │ │ ├── cr.yaml.j2 │ │ ├── fncm │ │ ├── cr-cmis.yaml.j2 │ │ ├── cr-cpe.yaml.j2 │ │ ├── cr-css.yaml.j2 │ │ ├── cr-es-gid.yaml.j2 │ │ ├── cr-es.yaml.j2 │ │ ├── cr-graphql.yaml.j2 │ │ ├── cr-tm.yaml.j2 │ │ ├── fncm-google-idp-secret.yaml.j2 │ │ ├── fncm-google-tls-secret.yaml.j2 │ │ └── fncm-secret.yaml.j2 │ │ ├── iaf │ │ ├── automationbase.yaml.j2 │ │ ├── automationuiconfig.yaml.j2 │ │ ├── es-secret.yaml.j2 │ │ ├── global-ca-secret.yaml.j2 │ │ ├── iaf-issuer.yaml.j2 │ │ ├── iaf-tls-secret.yaml.j2 │ │ ├── kafkauser-secret.yaml.j2 │ │ └── kafkauser.yaml.j2 │ │ ├── ier │ │ ├── cr.yaml.j2 │ │ ├── ier-cpe-route.yaml.j2 │ │ └── ier-secret.yaml.j2 │ │ ├── odm │ │ ├── cr.yaml.j2 │ │ ├── odm-db-secret.yaml.j2 │ │ └── odm-web-security-secret.yaml.j2 │ │ ├── operator │ │ ├── operatorgroup.yaml.j2 
│ │ └── subscription.yaml.j2 │ │ ├── postdeploy-configmap.yaml.j2 │ │ ├── postdeploy.md.j2 │ │ ├── rr │ │ ├── cr.yaml.j2 │ │ └── rr-secret.yaml.j2 │ │ └── shared │ │ ├── ldap-secret.yaml.j2 │ │ ├── ldap-ssl-secret.yaml.j2 │ │ └── root-ca-secret.yaml.j2 ├── cpfs │ ├── defaults │ │ └── main.yml │ ├── files │ │ └── force-uninstall.sh │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── catalogsource.yaml.j2 │ │ ├── common-service-maps.yaml.j2 │ │ ├── ibmlicenseservicereporter.yaml.j2 │ │ ├── ldap-connection.json.j2 │ │ ├── license-service-secret.yaml.j2 │ │ ├── operandrequest.yaml.j2 │ │ ├── operatorgroup.yaml.j2 │ │ ├── route-tls-secret.yaml.j2 │ │ └── subscription.yaml.j2 ├── db2 │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── catalogsource.yaml.j2 │ │ ├── daemon-set.yaml.j2 │ │ ├── db2ucluster.yaml.j2 │ │ ├── operatorgroup.yaml.j2 │ │ ├── privileged-scc-clusterrolebinding.yaml.j2 │ │ ├── project.yaml.j2 │ │ ├── service-account.yaml.j2 │ │ └── subscription.yaml.j2 ├── db2mc │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── deployment.yaml.j2 │ │ ├── pvc.yaml.j2 │ │ ├── route.yaml.j2 │ │ ├── secrets.yaml.j2 │ │ └── service.yaml.j2 ├── gitea │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ └── values.yaml.j2 ├── global_ca │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ └── secret.yaml.j2 ├── kibana │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── deployment.yaml.j2 │ │ └── service.yaml.j2 ├── mail │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── configmaps.yaml.j2 │ │ ├── deployment.yaml.j2 │ │ 
├── privileged-scc-rolebinding.yaml.j2 │ │ ├── pvc.yaml.j2 │ │ ├── secret.yaml.j2 │ │ └── service.yaml.j2 ├── mongo_express │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── deployment.yaml.j2 │ │ └── service.yaml.j2 ├── mongodb │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── anyuid-scc-clusterrolebinding.yaml.j2 │ │ └── values.yaml.j2 ├── mssql │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── deployment.yaml.j2 │ │ ├── pvc.yaml.j2 │ │ ├── secret.yaml.j2 │ │ └── service.yaml.j2 ├── nexus │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── ldap-config.json.j2 │ │ ├── maven-settings.xml.j2 │ │ ├── nexus-maven-settings-configmap.yaml.j2 │ │ ├── nexus-role.json.j2 │ │ ├── nexusrepo.yaml.j2 │ │ ├── operatorgroup.yaml.j2 │ │ ├── privileged-scc-clusterrolebinding.yaml.j2 │ │ └── subscription.yaml.j2 ├── openldap │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── anyuid-scc-rolebinding.yaml.j2 │ │ └── values.yaml.j2 ├── pgadmin │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── anyuid-scc-rolebinding.yaml.j2 │ │ ├── configmap.yaml.j2 │ │ ├── deployment.yaml.j2 │ │ ├── pvc.yaml.j2 │ │ ├── secrets.yaml.j2 │ │ └── service.yaml.j2 ├── pm │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── catalogsource.yaml.j2 │ │ ├── licensing-configmap.yaml.j2 │ │ ├── licensing-secret.yaml.j2 │ │ ├── postdeploy-configmap.yaml.j2 │ │ ├── postdeploy.md.j2 │ │ ├── processmining.yaml.j2 │ │ ├── secrets.yaml.j2 │ │ └── subscription.yaml.j2 ├── postgresql │ ├── defaults │ │ └── main.yml │ ├── 
tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── deployment.yaml.j2 │ │ ├── privileged-scc-rolebinding.yaml.j2 │ │ ├── pvc.yaml.j2 │ │ ├── secret.yaml.j2 │ │ └── service.yaml.j2 ├── roundcube │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── anyuid-scc-clusterrolebinding.yaml.j2 │ │ ├── configmaps.yaml.j2 │ │ ├── db-deployment.yaml.j2 │ │ ├── deployment.yaml.j2 │ │ ├── nginx-deployment.yaml.j2 │ │ ├── pvcs.yaml.j2 │ │ ├── secrets.yaml.j2 │ │ └── services.yaml.j2 ├── rpa │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── catalogsource.yaml.j2 │ │ ├── licensing-configmap.yaml.j2 │ │ ├── licensing-secret.yaml.j2 │ │ ├── postdeploy-configmap.yaml.j2 │ │ ├── postdeploy.md.j2 │ │ ├── roboticprocessautomation.yaml.j2 │ │ ├── secrets.yaml.j2 │ │ └── subscription.yaml.j2 ├── usage │ ├── defaults │ │ └── main.yml │ ├── tasks │ │ ├── install.yml │ │ ├── main.yml │ │ └── remove.yml │ └── templates │ │ ├── usage-configmap.yaml.j2 │ │ └── usage.md.j2 └── validations │ └── tasks │ ├── boolean-variables.yml │ ├── choice-list-variables.yml │ ├── empty-variables.yml │ ├── icr-password.yml │ ├── input-validations.yml │ ├── ocp-access.yml │ └── universal-password.yml ├── servicing-pod.yaml ├── servicing.sh ├── storage-class ├── deployment.yaml ├── make-default.sh ├── rbac.yaml ├── storageclass.yaml └── traditional-nfs.sh └── tooling ├── install.sh └── remove.sh /.ansible-lint: -------------------------------------------------------------------------------- 1 | exclude_paths: 2 | - ./assets/ 3 | - ./scripts/archive 4 | - ./scripts/apollo-one-shot 5 | - .ansible-lint 6 | - ./scripts/install.yml 7 | - ./scripts/remove.yml 8 | - ./scripts/requirements.yml 9 | - ./scripts/requirements_git.yml 10 | - ./scripts/variables.yml 11 | - ./scripts/internal-variables.yml 12 | - ./scripts/storage-class 13 | - 
./scripts/tooling 14 | - ./scripts/servicing-pod.yaml 15 | - .pre-commit-config.yaml 16 | - ./scripts/roles/common/tasks/wait-resource-condition-generic.yml 17 | 18 | use_default_rules: true 19 | 20 | enable_list: 21 | - yaml 22 | 23 | rulesdir: 24 | - ./scripts/ansible-lint-rules/ 25 | 26 | skip_list: 27 | - var-naming 28 | - command-instead-of-module 29 | - new-line-at-end-of-file 30 | - trailing-spaces 31 | - empty-lines 32 | - line-length 33 | - indentation 34 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Additional context** 27 | Add any other context about the problem here. 28 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 
15 | 16 | **Additional context** 17 | Add any other context or screenshots about the feature request here. 18 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.target.* 2 | nohup* 3 | #ansibles 4 | scripts/variables.yml 5 | .vscode 6 | scripts/ansible-lint-rules/__pycache__ 7 | .DS_Store 8 | scripts/ier_configmgr_workspace -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Tips 2 | - Clone the repository to your local 3 | - Thoroughly test your changes before you commit 4 | - Also have [ansible-lint](https://ansible-lint.readthedocs.io/en/latest/) installed. 5 | -------------------------------------------------------------------------------- /assets/cluster-role-binding.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/cluster-role-binding.png -------------------------------------------------------------------------------- /assets/config-map-add.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/config-map-add.png -------------------------------------------------------------------------------- /assets/config-map-variables.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/config-map-variables.png 
-------------------------------------------------------------------------------- /assets/cp4ba-installation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/cp4ba-installation.png -------------------------------------------------------------------------------- /assets/cp4ba-postdeploy-cm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/cp4ba-postdeploy-cm.png -------------------------------------------------------------------------------- /assets/cp4ba-postdeploy-md.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/cp4ba-postdeploy-md.png -------------------------------------------------------------------------------- /assets/crb-delete.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/crb-delete.png -------------------------------------------------------------------------------- /assets/failed-install-job-log.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/failed-install-job-log.png -------------------------------------------------------------------------------- /assets/failed-install-job-pod.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/failed-install-job-pod.png -------------------------------------------------------------------------------- /assets/failed-remove-job-log.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/failed-remove-job-log.png -------------------------------------------------------------------------------- /assets/failed-remove-job-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/failed-remove-job-pod.png -------------------------------------------------------------------------------- /assets/fncm-es-google-oidc-post.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/fncm-es-google-oidc-post.mp4 -------------------------------------------------------------------------------- /assets/fncm-es-google-oidc-pre.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/fncm-es-google-oidc-pre.mp4 -------------------------------------------------------------------------------- /assets/install-job-pod-log.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/install-job-pod-log.png 
-------------------------------------------------------------------------------- /assets/install-job-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/install-job-pod.png -------------------------------------------------------------------------------- /assets/install-job.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/install-job.png -------------------------------------------------------------------------------- /assets/installation-steps.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/installation-steps.png -------------------------------------------------------------------------------- /assets/pm-postdeploy-cm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/pm-postdeploy-cm.png -------------------------------------------------------------------------------- /assets/pm-postdeploy-md.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/pm-postdeploy-md.png -------------------------------------------------------------------------------- /assets/project-delete.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/project-delete.png -------------------------------------------------------------------------------- /assets/project.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/project.png -------------------------------------------------------------------------------- /assets/remove-job-pod-log.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/remove-job-pod-log.png -------------------------------------------------------------------------------- /assets/remove-job-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/remove-job-pod.png -------------------------------------------------------------------------------- /assets/remove-job.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/remove-job.png -------------------------------------------------------------------------------- /assets/rpa-postdeploy-cm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/rpa-postdeploy-cm.png -------------------------------------------------------------------------------- 
/assets/rpa-postdeploy-md.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/rpa-postdeploy-md.png -------------------------------------------------------------------------------- /assets/success-install-job-log.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/success-install-job-log.png -------------------------------------------------------------------------------- /assets/success-install-job-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/success-install-job-pod.png -------------------------------------------------------------------------------- /assets/success-remove-job-log.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/success-remove-job-log.png -------------------------------------------------------------------------------- /assets/success-remove-job-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/success-remove-job-pod.png -------------------------------------------------------------------------------- /assets/usage-cm.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/usage-cm.png -------------------------------------------------------------------------------- /assets/usage-md.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/usage-md.png -------------------------------------------------------------------------------- /assets/utilization.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/assets/utilization.png -------------------------------------------------------------------------------- /scripts/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/scripts/.DS_Store -------------------------------------------------------------------------------- /scripts/ansible-lint-rules/CommonRoleVariableRule.py: -------------------------------------------------------------------------------- 1 | from typing import TYPE_CHECKING, Any, Dict, Union 2 | import warnings 3 | import ansiblelint.utils 4 | from ansiblelint.rules import AnsibleLintRule 5 | 6 | if TYPE_CHECKING: 7 | from typing import Optional 8 | 9 | from ansiblelint.file_utils import Lintable 10 | 11 | class CommonRoleVariableRule(AnsibleLintRule): 12 | id: str = 'common_role_variable_rule' 13 | shortdesc: str = 'Do not allow use of common_ prefix outside of common role in ansible.builtin.set_fact' 14 | description: str = 'Do not allow use of common_ prefix outside of common role in ansible.builtin.set_fact' 15 | severity = 'HIGH' 16 
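| tags = ['common_role_variable_rule'] 17 | 18 | def matchtask(self, task: Dict[str, Any], file: 'Optional[Lintable]' = None) -> Union[bool,str]: 19 | # Report a task whose action has a key containing 'common_' unless the file belongs to the common role. 20 | # Exempt only paths with a directory component named exactly 'common': a bare substring test would also exempt any file or folder whose name merely contains "common" (e.g. a constructed 'common-utils'), silently switching the rule off there. 21 | if 'common' not in str(file).replace('\\', '/').split('/'): 22 | if 'action' in task: 23 | action = task.get('action') 24 | matches = [ v for k,v in action.items() if 'common_' in k] 25 | if len(matches) > 0: 26 | return True 27 | 28 | return False -------------------------------------------------------------------------------- /scripts/ansible-lint-rules/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/scripts/ansible-lint-rules/__init__.py -------------------------------------------------------------------------------- /scripts/ansible.cfg: -------------------------------------------------------------------------------- 1 | [defaults] 2 | # The key Ansible reads is 'callbacks_enabled'; the misspelt 'callback_enabled' is ignored, so profile_tasks never loaded. 3 | callbacks_enabled = profile_tasks -------------------------------------------------------------------------------- /scripts/apollo-one-shot.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [[ $CONTAINER_RUN_MODE == "true" ]]; then 4 | echo 5 | echo ">>>>Copy variables.yml" 6 | cp /config/variables.yml variables.yml 7 | fi 8 | 9 | find . -type f -iname '*.sh' -exec chmod u+x {} + # -exec passes each name intact (spaces, quotes) and does not run chmod when nothing matches 10 | 11 | echo 12 | echo ">>>>Source functions" 13 | . functions.sh 14 | 15 | echo 16 | echo ">>>>Update HOME to internal folder" 17 | HOME=`pwd` 18 | 19 | cd tooling 20 | ./install.sh 21 | exit_test $? "Install Tooling Failed" 22 | cd .. 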
23 | 24 | echo 25 | echo ">>>>Update PATH to include new tooling" 26 | REAL_PATH=`realpath tooling` 27 | PATH=`python3 -m site --user-base`/bin:$REAL_PATH:$PATH 28 | 29 | if [[ $ACTION == "install" ]]; then 30 | echo 31 | echo ">>>>Starting install action" 32 | if [[ $CONTAINER_RUN_MODE == "true" ]]; then 33 | ansible-playbook main.yml -e global_action=install 34 | status=$? 35 | exit $status 36 | else 37 | nohup ansible-playbook main.yml -e global_action=install &> nohup_install.log & 38 | sleep 1 39 | tail -f nohup_install.log 40 | fi 41 | fi 42 | 43 | if [[ $ACTION == "remove" ]]; then 44 | echo 45 | echo ">>>>Starting remove action" 46 | if [[ $CONTAINER_RUN_MODE == "true" ]]; then 47 | ansible-playbook main.yml -e global_action=remove 48 | status=$? 49 | exit $status 50 | else 51 | nohup ansible-playbook main.yml -e global_action=remove &> nohup_remove.log & 52 | sleep 1 53 | tail -f nohup_remove.log 54 | fi 55 | fi 56 | -------------------------------------------------------------------------------- /scripts/debug.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: CP4BA Enterprise 3 | hosts: localhost 4 | connection: local 5 | gather_facts: false 6 | vars_files: 7 | - variables.yml 8 | tasks: 9 | - name: Prepare the Playbook Configuration 10 | ansible.builtin.include_role: 11 | name: config 12 | 13 | - name: Input Validations 14 | ansible.builtin.include_role: 15 | name: validations 16 | tasks_from: input-validations 17 | 18 | - name: Create Project 19 | ansible.builtin.include_role: 20 | name: common 21 | tasks_from: create-project 22 | vars: 23 | common_k8s_api_key: "{{ ocp_cluster_token | default(omit) }}" 24 | common_k8s_host: "{{ ocp_api_endpoint | default(omit) }}" 25 | common_namespace_name: apollo-one-shot 26 | common_output_directory: "{{ generic_directory }}" 27 | 28 | - name: Install Global CA 29 | ansible.builtin.include_role: 30 | name: global_ca 31 | 32 | - name: Run role 33 | 
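ansible.builtin.include_role: 34 | name: "{{ role_name }}" 35 | -------------------------------------------------------------------------------- /scripts/functions.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Exit the calling script with the given status, after printing a timestamped message, when that status is non-zero. 4 | # $1: exit status to test; $2: failure message (defaults to "Failed"). 5 | exit_test() { 6 | local exit_code="${1}" 7 | local fail_message="${2:-Failed}" 8 | 9 | if [[ "$exit_code" != "0" ]]; then 10 | echo ">>>>$(print_timestamp) ${fail_message}" 11 | exit "$exit_code" # quoted: an empty status is then rejected by exit instead of falling back to the status of the echo above (0) 12 | fi 13 | } 14 | 15 | # Print the current UTC time as an ISO 8601 timestamp. 16 | print_timestamp() { 17 | date -u +%FT%TZ # -u is the portable spelling; --utc is a GNU date long option 18 | } 19 | -------------------------------------------------------------------------------- /scripts/local.md: -------------------------------------------------------------------------------- 1 | # Local run 2 | 3 | When running this guide from local environment 4 | 5 | - create variables.yml in root folder and fill it as described in README.md 6 | - add global CA files to scripts/global-ca 7 | - setup tooling or local tooling correctly exposed to PATH 8 | - setup $HOME (for maven and ADS jars to work correctly) 9 | 10 | Run whole installation sequence 11 | ```bash 12 | ansible-playbook main.yml -e global_action=install 13 | ``` 14 | 15 | Debug particular role 16 | ```bash 17 | ansible-playbook debug.yml -e global_action=install -e role_name=cp4ba 18 | ``` 19 | 20 | Run whole remove sequence 21 | ```bash 22 | ansible-playbook main.yml -e global_action=remove 23 | ``` 24 | -------------------------------------------------------------------------------- /scripts/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: CP4BA Enterprise 3 | hosts: localhost 4 | connection: local 5 | gather_facts: false 6 | vars_files: 7 | - variables.yml 8 | tasks: 9 | - name: Prepare the Playbook Configuration 10 | ansible.builtin.include_role: 11 | name: config 12 | 13 | - name: Input Validations 14 | ansible.builtin.include_role: 15 | name: validations 16 | tasks_from: input-validations 17 | 18 | - name: 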
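Install CP4BA Enterprise 19 | include_tasks: install.yml 20 | when: "global_action == 'install'" 21 | 22 | - name: Remove CP4BA Enterprise 23 | include_tasks: remove.yml 24 | when: "global_action == 'remove'" 25 | -------------------------------------------------------------------------------- /scripts/requirements.yml: -------------------------------------------------------------------------------- 1 | --- 2 | collections: 3 | - name: kubernetes.core 4 | version: 2.3.1 5 | - name: community.crypto 6 | version: 2.3.1 7 | - name: community.general 8 | version: 4.8.1 9 | -------------------------------------------------------------------------------- /scripts/requirements_git.yml: -------------------------------------------------------------------------------- 1 | --- 2 | collections: # Git-sourced variant of requirements.yml (same collections and versions); sources use https:// so the clone runs over an authenticated, encrypted channel instead of plain http:// 3 | - name: kubernetes.core 4 | src: git+https://github.com/ansible-collections/kubernetes.core 5 | version: 2.3.1 # NOTE(review): a tag can be moved upstream; a full commit hash would pin the content 6 | - name: community.crypto 7 | src: git+https://github.com/ansible-collections/community.crypto 8 | version: 2.3.1 9 | - name: community.general 10 | src: git+https://github.com/ansible-collections/community.general 11 | version: 4.8.1 12 | -------------------------------------------------------------------------------- /scripts/roles/akhq/defaults/main.yml: -------------------------------------------------------------------------------- 1 | akhq_action: install 2 | akhq_base_dir: /tmp 3 | akhq_dir_name: akhq 4 | akhq_universal_password: "" 5 | akhq_admin_user: "" 6 | akhq_storage_class_name: "" 7 | akhq_chart_version: 0.3.0 8 | akhq_cp4ba_project_name: "cp4ba" 9 | akhq_ca_key_path: "" 10 | akhq_ca_crt_path: "" 11 | akhq_wildcard_key_path: "" 12 | akhq_wildcard_crt_path: "" 13 | -------------------------------------------------------------------------------- /scripts/roles/akhq/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Set output directory variable 2 | ansible.builtin.set_fact: 3 | akhq_output_directory: "{{ 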
akhq_base_dir }}/{{ akhq_dir_name }}" 4 | 5 | - name: Remove AKHQ directory for generated files 6 | ansible.builtin.file: 7 | path: "{{ akhq_output_directory }}" 8 | state: absent 9 | 10 | - name: Install AKHQ 11 | include_tasks: install.yml 12 | when: "akhq_action == 'install'" 13 | 14 | - name: Remove AKHQ 15 | include_tasks: remove.yml 16 | when: "akhq_action == 'remove'" 17 | -------------------------------------------------------------------------------- /scripts/roles/akhq/tasks/remove.yml: -------------------------------------------------------------------------------- 1 | - name: Remove Project akhq 2 | kubernetes.core.k8s: 3 | state: absent 4 | api_key: "{{ akhq_k8s_api_key | default(omit) }}" 5 | host: "{{ akhq_k8s_host | default(omit) }}" 6 | api_version: project.openshift.io/v1 7 | kind: Project 8 | name: akhq 9 | wait: true 10 | wait_sleep: 15 11 | wait_timeout: 120 12 | -------------------------------------------------------------------------------- /scripts/roles/akhq/templates/values.yaml.j2: -------------------------------------------------------------------------------- 1 | configuration: 2 | akhq: 3 | server: 4 | access-log: 5 | enabled: true 6 | name: org.akhq.log.access 7 | secrets: 8 | akhq: 9 | connections: 10 | iaf-kafka: 11 | properties: 12 | bootstrap.servers: "iaf-system-kafka-bootstrap-{{ akhq_cp4ba_project_name }}.{{ apps_endpoint_domain }}:443" 13 | security.protocol: SASL_SSL 14 | sasl.mechanism: SCRAM-SHA-512 15 | sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username='{{ akhq_admin_user }}' password='{{ akhq_universal_password }}'; 16 | ssl.truststore.location: /app/truststore.jks 17 | ssl.truststore.password: '{{ akhq_universal_password }}' 18 | # IAF apicurio avro not supported 19 | #schema-registry: 20 | # type: "confluent" 21 | # url: "https://iaf-system-apicurio.cp4ba.svc.cluster.local" 22 | # basic-auth-username: "{{ akhq_admin_user }}" 23 | # basic-auth-password: '{{ 
akhq_universal_password }}' 24 | # properties: 25 | # schema.registry.ssl.truststore.location: /app/truststore.jks 26 | # schema.registry.ssl.truststore.password: '{{ akhq_universal_password }}' 27 | kafkaSecrets: 28 | truststorejks: "{{ _jks }}" 29 | extraVolumeMounts: 30 | - name: secrets 31 | mountPath: /app/truststore.jks 32 | subPath: truststorejks 33 | readinessProbe: 34 | prefix: "" # set same as `micronaut.server.context-path` 35 | -------------------------------------------------------------------------------- /scripts/roles/asset_repo/defaults/main.yml: -------------------------------------------------------------------------------- 1 | asset_repo_action: install 2 | asset_repo_base_dir: /tmp 3 | asset_repo_dir_name: asset-repo 4 | asset_repo_k8s_api_key: "" 5 | asset_repo_k8s_host: "" 6 | asset_repo_operator_channel: v1.5 7 | asset_repo_version: 2022.2.1-4 8 | asset_repo_project_name: cp4ba 9 | asset_repo_storage_class_name: "" 10 | asset_repo_universal_password: "" 11 | -------------------------------------------------------------------------------- /scripts/roles/asset_repo/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Set output directory variable 2 | ansible.builtin.set_fact: 3 | asset_repo_output_directory: "{{ asset_repo_base_dir }}/{{ asset_repo_dir_name }}" 4 | 5 | - name: Remove Asset Repo directory for generated files 6 | ansible.builtin.file: 7 | path: "{{ asset_repo_output_directory }}" 8 | state: absent 9 | 10 | - name: Install Asset Repo 11 | include_tasks: install.yml 12 | when: "asset_repo_action == 'install'" 13 | 14 | - name: Remove Asset Repo 15 | include_tasks: remove.yml 16 | when: "asset_repo_action == 'remove'" 17 | -------------------------------------------------------------------------------- /scripts/roles/asset_repo/templates/assetrepository.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: 
integration.ibm.com/v1beta1 2 | kind: AssetRepository 3 | metadata: 4 | name: assets 5 | namespace: "{{ asset_repo_project_name }}" 6 | spec: 7 | license: 8 | accept: true 9 | license: L-RJON-CD3JKX 10 | version: "{{ asset_repo_version }}" 11 | replicas: 1 12 | storage: 13 | assetDataVolume: 14 | class: "{{ asset_repo_storage_class_name }}" 15 | couchVolume: 16 | class: "{{ asset_repo_storage_class_name }}" 17 | -------------------------------------------------------------------------------- /scripts/roles/asset_repo/templates/catalogsource.yaml.j2: -------------------------------------------------------------------------------- 1 | # case 1.5.4 / csv 1.5.4 / https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-integration-asset-repository 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: CatalogSource 4 | metadata: 5 | name: ibm-integration-asset-repository-catalog 6 | namespace: openshift-marketplace 7 | spec: 8 | displayName: IBM CP4I Asset Repository 9 | publisher: IBM 10 | sourceType: grpc 11 | image: icr.io/cpopen/ibm-integration-asset-repository-catalog@sha256:89cd0b2bfc66241cfaf542de906982434c23d1c6391db72fc6ef99d851568abe 12 | updateStrategy: 13 | registryPoll: 14 | interval: 45m 15 | -------------------------------------------------------------------------------- /scripts/roles/asset_repo/templates/subscription.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: ibm-integration-asset-repository 5 | namespace: "{{ asset_repo_project_name }}" 6 | spec: 7 | channel: "{{ asset_repo_operator_channel }}" 8 | name: ibm-integration-asset-repository 9 | source: ibm-integration-asset-repository-catalog 10 | sourceNamespace: openshift-marketplace 11 | -------------------------------------------------------------------------------- /scripts/roles/cerebro/defaults/main.yml: 
-------------------------------------------------------------------------------- 1 | cerebro_action: install 2 | cerebro_base_dir: /tmp 3 | cerebro_dir_name: cerebro 4 | cerebro_k8s_api_key: "" 5 | cerebro_k8s_host: "" 6 | cerebro_image_tag: 0.9.4 7 | cerebro_ca_crt_path: "" 8 | cerebro_wildcard_key_path: "" 9 | cerebro_wildcard_crt_path: "" 10 | cerebro_universal_password: "" 11 | cerebro_cp4ba_project_name: "" 12 | -------------------------------------------------------------------------------- /scripts/roles/cerebro/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Set output directory variable 2 | ansible.builtin.set_fact: 3 | cerebro_output_directory: "{{ cerebro_base_dir }}/{{ cerebro_dir_name }}" 4 | 5 | - name: Remove Cerebro directory for generated files 6 | ansible.builtin.file: 7 | path: "{{ cerebro_output_directory }}" 8 | state: absent 9 | 10 | - name: Install Cerebro 11 | include_tasks: install.yml 12 | when: "cerebro_action == 'install'" 13 | 14 | - name: Remove Cerebro 15 | include_tasks: remove.yml 16 | when: "cerebro_action == 'remove'" 17 | -------------------------------------------------------------------------------- /scripts/roles/cerebro/tasks/remove.yml: -------------------------------------------------------------------------------- 1 | - name: Remove Project cerebro 2 | kubernetes.core.k8s: 3 | state: absent 4 | api_key: "{{ cerebro_k8s_api_key | default(omit) }}" 5 | host: "{{ cerebro_k8s_host | default(omit) }}" 6 | api_version: project.openshift.io/v1 7 | kind: Project 8 | name: cerebro 9 | wait: true 10 | wait_sleep: 15 11 | wait_timeout: 120 12 | 13 | - name: Remove CRB cerebro-anyuid 14 | kubernetes.core.k8s: 15 | state: absent 16 | api_key: "{{ cerebro_k8s_api_key | default(omit) }}" 17 | host: "{{ cerebro_k8s_host | default(omit) }}" 18 | api_version: rbac.authorization.k8s.io/v1 19 | kind: ClusterRoleBinding 20 | name: cerebro-anyuid 21 | wait: true 22 | wait_sleep: 15 23 
| wait_timeout: 120 24 | -------------------------------------------------------------------------------- /scripts/roles/cerebro/templates/anyuid-scc-clusterrolebinding.yaml.j2: -------------------------------------------------------------------------------- 1 | kind: ClusterRoleBinding # Grants the anyuid SCC to the default ServiceAccount of namespace cerebro (subjects below), so any pod in that namespace running under that account may run as an arbitrary UID, root included. NOTE(review): a dedicated ServiceAccount for the Cerebro pod would narrow the grant. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: 'cerebro-anyuid' 5 | subjects: 6 | - kind: ServiceAccount 7 | name: default 8 | namespace: cerebro 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: ClusterRole 12 | name: 'system:openshift:scc:anyuid' 13 | -------------------------------------------------------------------------------- /scripts/roles/cerebro/templates/deployment.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 # Single-replica Cerebro Deployment; application.conf is mounted from the config volume defined at the end of the file 2 | kind: Deployment 3 | metadata: 4 | name: cerebro 5 | namespace: cerebro 6 | labels: 7 | app: cerebro 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: cerebro 13 | strategy: 14 | type: Recreate 15 | template: 16 | metadata: 17 | labels: 18 | app: cerebro 19 | spec: 20 | containers: 21 | - name: cerebro 22 | image: "lmenezes/cerebro:{{ cerebro_image_tag }}" # referenced by tag, not by digest, so the content behind the tag is not pinned 23 | imagePullPolicy: IfNotPresent 24 | args: 25 | - "-Dplay.ws.ssl.loose.acceptAnyCertificate=true" # NOTE(review): disables certificate validation in Cerebro's outbound TLS client, so the servers it connects to are not authenticated; supplying the cluster CA in a truststore would let this flag be dropped 26 | readinessProbe: 27 | tcpSocket: 28 | port: 8080 29 | initialDelaySeconds: 45 30 | timeoutSeconds: 1 31 | periodSeconds: 10 32 | successThreshold: 1 33 | failureThreshold: 5 34 | livenessProbe: 35 | tcpSocket: 36 | port: 8080 37 | initialDelaySeconds: 45 38 | timeoutSeconds: 1 39 | periodSeconds: 10 40 | successThreshold: 1 41 | failureThreshold: 10 42 | ports: 43 | - name: cerebro 44 | containerPort: 8080 45 | protocol: TCP 46 | env: 47 | - name: CEREBRO_PORT 48 | value: "8080" 49 | volumeMounts: 50 | - name: config 51 | mountPath: /opt/cerebro/conf/application.conf 52 | subPath: application.conf 53 | restartPolicy: Always 54 | volumes: 55 | - name: config 56 | configMap: 57 | name: 
cerebro 58 | -------------------------------------------------------------------------------- /scripts/roles/cerebro/templates/service.yaml.j2: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: cerebro 5 | namespace: cerebro 6 | spec: 7 | ports: 8 | - protocol: TCP 9 | port: 8080 10 | targetPort: 8080 11 | name: cerebro 12 | selector: 13 | app: cerebro 14 | type: ClusterIP 15 | sessionAffinity: None 16 | -------------------------------------------------------------------------------- /scripts/roles/cloudbeaver/defaults/main.yml: -------------------------------------------------------------------------------- 1 | cloudbeaver_action: install 2 | cloudbeaver_base_dir: /tmp 3 | cloudbeaver_dir_name: cloudbeaver 4 | cloudbeaver_k8s_api_key: "" 5 | cloudbeaver_k8s_host: "" 6 | cloudbeaver_image_tag: 22.3.2 7 | cloudbeaver_storage_class_name: "" 8 | cloudbeaver_ca_crt_path: "" 9 | cloudbeaver_wildcard_key_path: "" 10 | cloudbeaver_wildcard_crt_path: "" 11 | cloudbeaver_universal_password: "" 12 | -------------------------------------------------------------------------------- /scripts/roles/cloudbeaver/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Set output directory variable 2 | ansible.builtin.set_fact: 3 | cloudbeaver_output_directory: "{{ cloudbeaver_base_dir }}/{{ cloudbeaver_dir_name }}" 4 | 5 | - name: Remove cloudbeaver directory for generated files 6 | ansible.builtin.file: 7 | path: "{{ cloudbeaver_output_directory }}" 8 | state: absent 9 | 10 | - name: Install cloudbeaver 11 | include_tasks: install.yml 12 | when: "cloudbeaver_action == 'install'" 13 | 14 | - name: Remove cloudbeaver 15 | include_tasks: remove.yml 16 | when: "cloudbeaver_action == 'remove'" 17 | -------------------------------------------------------------------------------- /scripts/roles/cloudbeaver/tasks/remove.yml: 
-------------------------------------------------------------------------------- 1 | - name: Remove Project cloudbeaver 2 | kubernetes.core.k8s: 3 | state: absent 4 | api_key: "{{ cloudbeaver_k8s_api_key | default(omit) }}" 5 | host: "{{ cloudbeaver_k8s_host | default(omit) }}" 6 | api_version: project.openshift.io/v1 7 | kind: Project 8 | name: cloudbeaver 9 | wait: true 10 | wait_sleep: 15 11 | wait_timeout: 120 12 | -------------------------------------------------------------------------------- /scripts/roles/cloudbeaver/templates/anyuid-scc-rolebinding.yaml.j2: -------------------------------------------------------------------------------- 1 | kind: RoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: 'cloudbeaver-anyuid' 5 | namespace: cloudbeaver 6 | subjects: 7 | - kind: ServiceAccount 8 | name: default 9 | namespace: cloudbeaver 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: 'system:openshift:scc:anyuid' 14 | -------------------------------------------------------------------------------- /scripts/roles/cloudbeaver/templates/data-sources.json.j2: -------------------------------------------------------------------------------- 1 | { 2 | "folders": {}, 3 | "connections": { 4 | "microsoft-185c5978b87-3e35aa064539af68": { 5 | "provider": "sqlserver", 6 | "driver": "microsoft", 7 | "name": "SQL Server@{{ cloudbeaver_mssql_hostname }}", 8 | "save-password": false, 9 | "configuration": { 10 | "host": "{{ cloudbeaver_mssql_hostname }}", 11 | "port": "1433", 12 | "database": "master", 13 | "url": "jdbc:sqlserver://;serverName\u003d{{ cloudbeaver_mssql_hostname }};databaseName\u003dmaster", 14 | "configurationType": "MANUAL", 15 | "type": "dev", 16 | "auth-model": "sqlserver_database" 17 | } 18 | } 19 | }, 20 | "connection-types": { 21 | "dev": { 22 | "name": "Development", 23 | "color": "255,255,255", 24 | "description": "Regular development database", 25 | "auto-commit": true, 26 | 
"confirm-execute": false, 27 | "confirm-data-change": false, 28 | "auto-close-transactions": false 29 | } 30 | } 31 | } -------------------------------------------------------------------------------- /scripts/roles/cloudbeaver/templates/pvc.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: cloudbeaver-data 5 | namespace: cloudbeaver 6 | spec: 7 | accessModes: 8 | - ReadWriteMany 9 | storageClassName: "{{ cloudbeaver_storage_class_name }}" 10 | resources: 11 | requests: 12 | storage: 3Gi 13 | -------------------------------------------------------------------------------- /scripts/roles/cloudbeaver/templates/secrets.yaml.j2: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | apiVersion: v1 3 | metadata: 4 | name: cloudbeaver 5 | namespace: cloudbeaver 6 | type: Opaque 7 | stringData: 8 | cloudbeaver-password: "{{ cloudbeaver_universal_password }}" 9 | -------------------------------------------------------------------------------- /scripts/roles/cloudbeaver/templates/service.yaml.j2: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: cloudbeaver 5 | namespace: cloudbeaver 6 | spec: 7 | ports: 8 | - protocol: TCP 9 | port: 8978 10 | targetPort: http 11 | selector: 12 | app: cloudbeaver 13 | type: ClusterIP 14 | sessionAffinity: None -------------------------------------------------------------------------------- /scripts/roles/common/defaults/main.yml: -------------------------------------------------------------------------------- 1 | common_k8s_api_key: "" 2 | common_k8s_host: "" 3 | common_namespace_name: "" 4 | common_crd_name: "" 5 | common_output_to_var: "" 6 | common_output_directory: "" 7 | common_user: "" 8 | common_password: "" 9 | common_db2_db_name: "" 10 | common_db2_hostname: "" 11 | 
common_db2_password: "" 12 | common_route_name: "" 13 | common_project_output_name: "project.yaml" 14 | common_db2_user: "" 15 | common_api_version: "" 16 | common_kind: "" 17 | common_resource_name: "" 18 | common_force_approve: "" 19 | common_file_folder_path: "" 20 | common_file_name: "" 21 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/add-db2-user.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # 3 | # - name: Add DB2 user 4 | # ansible.builtin.include_role: 5 | # name: common 6 | # tasks_from: add-db2-user 7 | # vars: 8 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 9 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 10 | # common_db2_user: _db2_user 11 | # common_db2_password: "{{ prefix_universal_password }}" 12 | 13 | - name: Check if DB2 user already exists 14 | kubernetes.core.k8s_exec: 15 | api_key: "{{ common_k8s_api_key | default(omit) }}" 16 | host: "{{ common_k8s_host | default(omit) }}" 17 | namespace: db2 18 | pod: c-db2ucluster-db2u-0 19 | command: | 20 | id {{ common_db2_user }} 21 | register: command_status 22 | ignore_errors: true 23 | 24 | - name: Create DB2 user 25 | block: 26 | 27 | - name: Get DB2 LDAP pod 28 | kubernetes.core.k8s_info: 29 | api_key: "{{ common_k8s_api_key | default(omit) }}" 30 | host: "{{ common_k8s_host | default(omit) }}" 31 | api_version: v1 32 | kind: Pod 33 | namespace: db2 34 | label_selectors: 35 | - role=ldap 36 | register: ldap_pod 37 | 38 | # Based on https://www.ibm.com/docs/en/db2/11.5?topic=ldap-managing-users 39 | - name: Create DB2 user 40 | kubernetes.core.k8s_exec: 41 | api_key: "{{ common_k8s_api_key | default(omit) }}" 42 | host: "{{ common_k8s_host | default(omit) }}" 43 | namespace: db2 44 | pod: "{{ ldap_pod.resources[0].metadata.name }}" 45 | command: | 46 | /opt/ibm/ldap_scripts/addLdapUser.py -u {{ common_db2_user }} -p {{ 
common_db2_password }} -r user 47 | register: command_status # NOTE(review): the addLdapUser.py call above receives the password as a plain -p argument and the task sets no no_log, so the value can show up in Ansible output and in the pod's process list; consider no_log: true on this task 48 | 49 | when: command_status.rc == 1 and command_status.stderr is search('.*no such user.*') 50 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/apps-endpoint.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # 3 | # - name: Get OCP Apps domain 4 | # ansible.builtin.include_role: 5 | # name: common 6 | # tasks_from: apps-endpoint 7 | # vars: 8 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 9 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 10 | # common_output_to_var: "apps_endpoint_domain" 11 | 12 | - name: Get Ingress 13 | kubernetes.core.k8s_info: 14 | api_key: "{{ common_k8s_api_key | default(omit) }}" 15 | host: "{{ common_k8s_host | default(omit) }}" 16 | api_version: config.openshift.io/v1 17 | kind: Ingress 18 | name: cluster 19 | register: common_ingress 20 | retries: 10 21 | delay: 1 22 | 23 | - name: Set apps endpoint 24 | ansible.builtin.set_fact: 25 | "{{ common_output_to_var }}": "{{ common_ingress.resources[0].spec.domain }}" 26 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/clear-resource-finalizers.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # 3 | # - name: Clear resources finalizers 4 | # ansible.builtin.include_role: 5 | # name: common 6 | # tasks_from: clear-resource-finalizers 7 | # vars: 8 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 9 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 10 | # common_api_version: _api_version 11 | # common_kind: _kind 12 | # common_resource_name: _resource_name # Optional; when left out, all instances of the given kind are cleared 13 | # common_namespace_name: _namespace_name 14 | 15 | - name: Get resource 
with api '{{ common_api_version }}', kind '{{ common_kind }}', 16 | name '{{ common_resource_name | default("N/A") }}' in namespace {{ common_namespace_name }} 17 | kubernetes.core.k8s_info: 18 | api_key: "{{ common_k8s_api_key | default(omit) }}" 19 | host: "{{ common_k8s_host | default(omit) }}" 20 | api_version: "{{ common_api_version }}" 21 | kind: "{{ common_kind }}" 22 | name: "{{ common_resource_name | default(omit) }}" 23 | namespace: "{{ common_namespace_name }}" 24 | register: resources 25 | 26 | - name: Clear resource finalizers 27 | kubernetes.core.k8s: 28 | api_key: "{{ common_k8s_api_key | default(omit) }}" 29 | host: "{{ common_k8s_host | default(omit) }}" 30 | state: patched 31 | api_version: "{{ common_api_version }}" 32 | kind: "{{ common_kind }}" 33 | name: "{{ item.metadata.name }}" 34 | namespace: "{{ common_namespace_name }}" 35 | definition: 36 | metadata: 37 | finalizers: [] 38 | with_items: "{{ resources.resources }}" 39 | when: resources | json_query(json_query) | length != 0 40 | vars: 41 | json_query: "resources[0].metadata.finalizers" 42 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/create-icr-secret.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # 3 | # - name: Create ICR Secret 4 | # ansible.builtin.include_role: 5 | # name: common 6 | # tasks_from: create-icr-secret 7 | # vars: 8 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 9 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 10 | # common_output_directory: "{{ prefix_output_directory }}" 11 | # common_icr_secret_name: _secret_name 12 | # common_icr_password: "{{ prefix_icr_password }}" 13 | # common_namespace_name: _namespace_name 14 | 15 | - name: Set IBM Container Registry JSON 16 | ansible.builtin.set_fact: 17 | container_registry_json: '{{ {"auths": {"cp.icr.io": {"username": "cp", "password": 
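common_icr_password} }} | to_json | b64encode }}' 18 | 19 | - name: Prepare yaml file for IBM Container Registry Secret 20 | ansible.builtin.template: 21 | src: icr-secret.yaml.j2 22 | dest: "{{ common_output_directory }}/icr-secret.yaml" 23 | mode: "0600" # owner read/write only: this manifest is expected to carry container_registry_json (the encoded registry password), and the symbolic u+rwx only added owner bits, leaving group/other access to whatever the umask allowed 24 | 25 | - name: Add IBM Container Registry Secret 26 | kubernetes.core.k8s: 27 | api_key: "{{ common_k8s_api_key | default(omit) }}" 28 | host: "{{ common_k8s_host | default(omit) }}" 29 | state: present 30 | force: false 31 | merge_type: merge 32 | src: "{{ common_output_directory }}/icr-secret.yaml" 33 | wait: true 34 | wait_sleep: 15 35 | wait_timeout: 15 36 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/create-project.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # 3 | # - name: Create Project 4 | # ansible.builtin.include_role: 5 | # name: common 6 | # tasks_from: create-project 7 | # vars: 8 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 9 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 10 | # common_namespace_name: _project_name 11 | # common_output_directory: "{{ prefix_output_directory }}" 12 | # common_project_output_name: _project_output_name # Optional 13 | 14 | - name: Prepare yaml file for Project {{ common_namespace_name }} 15 | ansible.builtin.template: 16 | src: project.yaml.j2 17 | dest: "{{ common_output_directory }}/{{ common_project_output_name }}" 18 | mode: u+rwx 19 | 20 | - name: Add Project {{ common_namespace_name }} 21 | kubernetes.core.k8s: 22 | api_key: "{{ common_k8s_api_key | default(omit) }}" 23 | host: "{{ common_k8s_host | default(omit) }}" 24 | state: present 25 | force: false 26 | merge_type: merge 27 | src: "{{ common_output_directory }}/{{ common_project_output_name }}" 28 | wait: true 29 | wait_sleep: 15 30 | wait_timeout: 15 31 | 32 | - name: Wait for Project {{ common_namespace_name }} 33 | 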
kubernetes.core.k8s_info: 34 | api_key: "{{ common_k8s_api_key | default(omit) }}" 35 | host: "{{ common_k8s_host | default(omit) }}" 36 | api_version: project.openshift.io/v1 37 | kind: Project 38 | name: "{{ common_namespace_name }}" 39 | register: project 40 | retries: 10 41 | delay: 1 42 | until: ('Active' in project | json_query(phase_query) | unique) 43 | vars: 44 | phase_query: 'resources[*].status.phase' 45 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/iam-token-client.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # Based on https://www.ibm.com/docs/en/cpfs?topic=apis-oidc-registration#get2 (Get access token by using username and password) 3 | # 4 | # - name: Get IAM token 5 | # ansible.builtin.include_role: 6 | # name: common 7 | # tasks_from: iam-token-client 8 | # vars: 9 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 10 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 11 | # common_client_id: _client_id 12 | # common_client_secret: _client_secret 13 | # common_output_to_var: "iam_token" 14 | 15 | - name: Get OCP Apps domain 16 | ansible.builtin.include_role: 17 | name: common 18 | tasks_from: apps-endpoint 19 | vars: 20 | common_output_to_var: "apps_endpoint_domain" 21 | 22 | - name: Get IAM access token 23 | ansible.builtin.uri: 24 | url: "https://cp-console-ibm-common-services.{{ apps_endpoint_domain }}/idprovider/v1/auth/identitytoken" 25 | method: POST 26 | headers: 27 | Content-Type: application/x-www-form-urlencoded;charset=UTF-8 28 | body_format: form-urlencoded 29 | body: 30 | grant_type: client_credentials 31 | client_id: "{{ common_client_id }}" 32 | client_secret: "{{ common_client_secret }}" 33 | scope: openid 34 | validate_certs: false # NOTE(review): certificate validation is off while the client secret is posted, so the token endpoint is not authenticated; pointing the task at the cluster CA (ca_path) would allow validate_certs: true 35 | status_code: 200 36 | register: token_response # NOTE(review): no no_log on this task, so the registered response (access token included) can appear in verbose output 37 | 38 | - name: Set apps endpoint 39 | ansible.builtin.set_fact: 40 | "{{ 
common_output_to_var }}": "{{ token_response | json_query('json.access_token') }}" 41 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/iam-token-user.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # Based on https://www.ibm.com/docs/en/cpfs?topic=apis-oidc-registration#get2 (Get access token by using username and password) 3 | # 4 | # - name: Get IAM token 5 | # ansible.builtin.include_role: 6 | # name: common 7 | # tasks_from: iam-token-user 8 | # vars: 9 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 10 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 11 | # common_user: "{{ admin_user }}" 12 | # common_password: "{{ prefix_universal_password }}" 13 | # common_output_to_var: "iam_token" 14 | 15 | - name: Get OCP Apps domain 16 | ansible.builtin.include_role: 17 | name: common 18 | tasks_from: apps-endpoint 19 | vars: 20 | common_output_to_var: "apps_endpoint_domain" 21 | 22 | - name: Get IAM access token 23 | ansible.builtin.uri: 24 | url: "https://cp-console-ibm-common-services.{{ apps_endpoint_domain }}/idprovider/v1/auth/identitytoken" 25 | method: POST 26 | headers: 27 | Content-Type: application/x-www-form-urlencoded;charset=UTF-8 28 | body_format: form-urlencoded 29 | body: 30 | grant_type: password 31 | username: "{{ common_user }}" 32 | password: "{{ common_password }}" 33 | scope: openid 34 | validate_certs: false # NOTE(review): certificate validation is off while the user's password is posted, so the token endpoint is not authenticated; pointing the task at the cluster CA (ca_path) would allow validate_certs: true 35 | status_code: 200 36 | register: token_response # NOTE(review): no no_log on this task, so the registered response (access token included) can appear in verbose output 37 | 38 | - name: Set apps endpoint # despite the task name, this stores the access token under the variable named by common_output_to_var 39 | ansible.builtin.set_fact: 40 | "{{ common_output_to_var }}": "{{ token_response | json_query('json.access_token') }}" 41 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/remove-db2-db.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # 3 | # - 
name: Remove DB@ DB 4 | # ansible.builtin.include_role: 5 | # name: common 6 | # tasks_from: remove-db2-db 7 | # vars: 8 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 9 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 10 | # common_db2_db_name: _db2_db_name 11 | 12 | - name: Get DB2 Pod 13 | kubernetes.core.k8s_info: 14 | api_key: "{{ common_k8s_api_key | default(omit) }}" 15 | host: "{{ common_k8s_host | default(omit) }}" 16 | api_version: v1 17 | kind: Pod 18 | namespace: db2 19 | label_selectors: 20 | - component=db2oltp 21 | register: pods 22 | retries: 4 23 | delay: 15 24 | 25 | - name: Delete DB2 DB 26 | kubernetes.core.k8s_exec: 27 | api_key: "{{ common_k8s_api_key | default(omit) }}" 28 | host: "{{ common_k8s_host | default(omit) }}" 29 | namespace: db2 30 | pod: c-db2ucluster-db2u-0 31 | command: > 32 | su - db2inst1 -s /usr/bin/bash -c " 33 | db2 connect to {{ common_db2_db_name }}; 34 | db2 force application all; 35 | sleep 30; 36 | db2 connect reset; 37 | db2 deactivate db {{ common_db2_db_name }}; 38 | db2 drop db {{ common_db2_db_name }}; 39 | " 40 | register: command_status 41 | failed_when: command_status.rc != 0 42 | and command_status.stdout is not search('.*SQL1013N The database alias name or database name \"'+common_db2_db_name+'\".*') 43 | when: pods.resources | length != 0 44 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/remove-postgresql-db.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # 3 | # - name: Remove PostgreSQL DB 4 | # ansible.builtin.include_role: 5 | # name: common 6 | # tasks_from: remove-postgresql-db 7 | # vars: 8 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 9 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 10 | # common_postgresql_db_name: _postgresql_db_name 11 | 12 | - name: Get postgresql pod 13 | 
kubernetes.core.k8s_info: 14 | api_key: "{{ common_k8s_api_key | default(omit) }}" 15 | host: "{{ common_k8s_host | default(omit) }}" 16 | api_version: v1 17 | kind: Pod 18 | namespace: postgresql 19 | label_selectors: 20 | - app=postgresql 21 | register: postgresql_pod 22 | 23 | - name: Delete PostgreSQL DB 24 | kubernetes.core.k8s_exec: 25 | api_key: "{{ common_k8s_api_key | default(omit) }}" 26 | host: "{{ common_k8s_host | default(omit) }}" 27 | namespace: postgresql 28 | pod: "{{ postgresql_pod.resources[0].metadata.name }}" 29 | command: > 30 | bash -c " 31 | psql postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@localhost:5432/postgres <<-EOF 32 | DROP DATABASE IF EXISTS {{ common_postgresql_db_name }} WITH (FORCE); 33 | EOF" 34 | register: command_status 35 | when: postgresql_pod.resources | length != 0 36 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/remove-postgresql-tablespace.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # 3 | # - name: Remove PostgreSQL tablespace 4 | # ansible.builtin.include_role: 5 | # name: common 6 | # tasks_from: remove-postgresql-tablespace 7 | # vars: 8 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 9 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 10 | # common_postgresql_tablespace_name: _postgresql_tablespace_name 11 | 12 | - name: Get postgresql pod 13 | kubernetes.core.k8s_info: 14 | api_key: "{{ common_k8s_api_key | default(omit) }}" 15 | host: "{{ common_k8s_host | default(omit) }}" 16 | api_version: v1 17 | kind: Pod 18 | namespace: postgresql 19 | label_selectors: 20 | - app=postgresql 21 | register: postgresql_pod 22 | 23 | - name: Delete PostgreSQL tablespace 24 | kubernetes.core.k8s_exec: 25 | api_key: "{{ common_k8s_api_key | default(omit) }}" 26 | host: "{{ common_k8s_host | default(omit) }}" 27 | namespace: postgresql 28 | pod: "{{ 
postgresql_pod.resources[0].metadata.name }}" 29 | command: > 30 | bash -c " 31 | psql postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@localhost:5432/postgres <<-EOF 32 | DROP TABLESPACE IF EXISTS {{ common_postgresql_tablespace_name }}_tbs; 33 | EOF" 34 | register: command_status 35 | when: postgresql_pod.resources | length != 0 36 | 37 | - name: Delete PostgreSQL tablespace folder 38 | kubernetes.core.k8s_exec: # NOTE(review): the rm -rf target is built from common_postgresql_tablespace_name with no check; an empty value resolves to /pgsqldata/ itself and a value containing '..' points outside that directory. Assert a non-empty plain name before this task runs. 39 | api_key: "{{ common_k8s_api_key | default(omit) }}" 40 | host: "{{ common_k8s_host | default(omit) }}" 41 | namespace: postgresql 42 | pod: "{{ postgresql_pod.resources[0].metadata.name }}" 43 | command: "rm -rf /pgsqldata/{{ common_postgresql_tablespace_name }}" 44 | register: command_status 45 | when: postgresql_pod.resources | length != 0 46 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/remove-postgresql-user.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # 3 | # - name: Remove PostgreSQL user 4 | # ansible.builtin.include_role: 5 | # name: common 6 | # tasks_from: remove-postgresql-user 7 | # vars: 8 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 9 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 10 | # common_postgresql_user: _postgresql_user 11 | 12 | - name: Get postgresql pod 13 | kubernetes.core.k8s_info: 14 | api_key: "{{ common_k8s_api_key | default(omit) }}" 15 | host: "{{ common_k8s_host | default(omit) }}" 16 | api_version: v1 17 | kind: Pod 18 | namespace: postgresql 19 | label_selectors: 20 | - app=postgresql 21 | register: postgresql_pod 22 | 23 | - name: Delete PostgreSQL user 24 | kubernetes.core.k8s_exec: 25 | api_key: "{{ common_k8s_api_key | default(omit) }}" 26 | host: "{{ common_k8s_host | default(omit) }}" 27 | namespace: postgresql 28 | pod: "{{ postgresql_pod.resources[0].metadata.name }}" 29 | command: > 30 | bash -c " 31 | psql 
postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@localhost:5432/postgres <<-EOF 32 | DROP USER IF EXISTS {{ common_postgresql_user }}; 33 | EOF" 34 | register: command_status 35 | when: postgresql_pod.resources | length != 0 36 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/wait-crd.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # 3 | # - name: Wait for CRD 4 | # ansible.builtin.include_role: 5 | # name: common 6 | # tasks_from: wait-crd 7 | # vars: 8 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 9 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 10 | # common_crd_name: crd_name 11 | 12 | - name: Wait for '{{ common_crd_name }}' CRD to be Established 13 | kubernetes.core.k8s_info: 14 | api_key: "{{ common_k8s_api_key | default(omit) }}" 15 | host: "{{ common_k8s_host | default(omit) }}" 16 | api_version: apiextensions.k8s.io/v1 17 | kind: CustomResourceDefinition 18 | name: "{{ common_crd_name }}" 19 | register: common_crd 20 | retries: 20 21 | delay: 2 22 | until: common_crd.resources and ('True' in common_crd | json_query(condition_query) | unique ) 23 | vars: 24 | condition_query: "resources[0].status.conditions[?type == 'Established'].status" 25 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/wait-operator.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # 3 | # - name: Wait Operator 4 | # ansible.builtin.include_role: 5 | # name: common 6 | # tasks_from: wait-operator 7 | # vars: 8 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 9 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 10 | # common_namespace_name: _namespace_name 11 | # common_label_selector_stub: _label_selector_stub 12 | 13 | - name: Set 
label_selectors 14 | ansible.builtin.set_fact: 15 | common_label_selector: "{{ ('operators.coreos.com/'+common_label_selector_stub+'.'+common_namespace_name)[:84] }}" 16 | 17 | - name: Wait for Operator Deployment with label {{ common_label_selector }} to be Available 18 | kubernetes.core.k8s_info: 19 | api_key: "{{ common_k8s_api_key | default(omit) }}" 20 | host: "{{ common_k8s_host | default(omit) }}" 21 | api_version: v1 22 | kind: Deployment 23 | namespace: "{{ common_namespace_name }}" 24 | label_selectors: 25 | - "{{ common_label_selector }}" 26 | register: common_deployment 27 | retries: 80 28 | delay: 15 29 | until: (['True'] in common_deployment | json_query(condition_query) | unique ) 30 | vars: 31 | condition_query: "resources[*].status.conditions[?type == 'Available'].status" 32 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/wait-resource-condition-generic.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # 3 | # - name: Wait for resource condition generic 4 | # ansible.builtin.include_role: 5 | # name: common 6 | # tasks_from: wait-resource-condition-generic 7 | # vars: 8 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 9 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 10 | # common_api_version: api_version 11 | # common_resource_kind: resource_kind 12 | # common_resource_name: resource_name 13 | # common_resource_namespace: _resource_namespace 14 | # common_condition_query: condition_query 15 | # common_condition_value: condition_value 16 | # common_retries: retries 17 | # common_delay: delay 18 | 19 | - name: Wait on api version '{{ common_api_version }}', kind '{{ common_resource_kind }}', name '{{ common_resource_name }}' 20 | in namespace '{{ common_resource_namespace }}' for condition query '{{ common_condition_query }}' to return '{{ common_condition_value }}' 21 | with 
'{{ common_retries }}' retries with '{{ common_delay }}' seconds delay each (total of '{{ common_retries * common_delay / 60 }}' minutes) 22 | kubernetes.core.k8s_info: 23 | api_key: "{{ common_k8s_api_key | default(omit) }}" 24 | host: "{{ common_k8s_host | default(omit) }}" 25 | api_version: "{{ common_api_version }}" 26 | kind: "{{ common_resource_kind }}" 27 | name: "{{ common_resource_name }}" 28 | namespace: "{{ common_resource_namespace }}" 29 | register: common_resource_condition 30 | retries: "{{ common_retries }}" 31 | delay: "{{ common_delay }}" 32 | until: (common_condition_value in common_resource_condition | json_query(common_condition_query) | unique ) 33 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/wait-resource-condition.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # 3 | # - name: Wait for resource condition 4 | # ansible.builtin.include_role: 5 | # name: common 6 | # tasks_from: wait-resource-condition 7 | # vars: 8 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 9 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 10 | # common_api_version: api_version 11 | # common_resource_kind: resource_kind 12 | # common_resource_name: resource_name 13 | # common_resource_namespace: _resource_namespace 14 | # common_condition_name: condition_name 15 | # common_retries: retries 16 | # common_delay: delay 17 | 18 | - name: Wait on api version '{{ common_api_version }}', kind '{{ common_resource_kind }}', name '{{ common_resource_name }}' 19 | in namespace '{{ common_resource_namespace }}' for condition '{{ common_condition_name }}' with '{{ common_retries }}' retries 20 | with '{{ common_delay }}' seconds delay each (total of '{{ common_retries * common_delay / 60 }}' minutes) 21 | ansible.builtin.include_role: 22 | name: common 23 | tasks_from: wait-resource-condition-generic 24 | 
vars: 25 | common_condition_query: "resources[*].status.conditions[?type == '{{ common_condition_name }}'].status" 26 | common_condition_value: ['True'] 27 | -------------------------------------------------------------------------------- /scripts/roles/common/tasks/zen-token.yml: -------------------------------------------------------------------------------- 1 | # Example of the functionality call 2 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=resources-generating-authorization-token 3 | # 4 | # - name: Get Zen token 5 | # ansible.builtin.include_role: 6 | # name: common 7 | # tasks_from: zen-token 8 | # vars: 9 | # common_k8s_api_key: "{{ prefix_k8s_api_key | default(omit) }}" 10 | # common_k8s_host: "{{ prefix_k8s_host | default(omit) }}" 11 | # comon_iam_token: "{{ iam_token }}" 12 | # common_user: "{{ admin_user }}" 13 | # common_namespace_name: _namespace_name 14 | # common_output_to_var: "zen_token" 15 | 16 | - name: Get OCP Apps domain 17 | ansible.builtin.include_role: 18 | name: common 19 | tasks_from: apps-endpoint 20 | vars: 21 | common_output_to_var: "apps_endpoint_domain" 22 | 23 | - name: Exchange IAM access token for Zen token 24 | ansible.builtin.uri: 25 | url: "https://cpd-{{ common_namespace_name }}.{{ apps_endpoint_domain }}/v1/preauth/validateAuth" 26 | method: GET 27 | headers: 28 | iam-token: "{{ comon_iam_token }}" 29 | username: "{{ common_user }}" 30 | validate_certs: false # NOTE(review): certificate verification is disabled on the request that carries the IAM token, so the server receiving it is not authenticated; trust the cluster CA and enable validation where the environment allows. 31 | status_code: 200 32 | register: token_response 33 | 34 | - name: Set zen token 35 | ansible.builtin.set_fact: # NOTE(review): no_log is not set here or on the request above, so the returned token can appear in verbose task output - confirm that is acceptable. 36 | "{{ common_output_to_var }}": "{{ token_response.json | json_query('accessToken') }}" 37 | -------------------------------------------------------------------------------- /scripts/roles/common/templates/db2mc-profile.json.j2: -------------------------------------------------------------------------------- 1 | { 2 | "host": "{{ common_db2_hostname }}", 3 | "port": "50000", 4 | "databaseName": "{{ common_db2_db_name }}", 5 | 
"dataServerType": "DB2LUW", 6 | "name": "{{ common_db2_db_name }}", 7 | "operationCred": { 8 | "user": "db2inst1", 9 | "password": "{{ common_db2_password }}", 10 | "saveOperationCred": "true" 11 | }, 12 | "sslConnection": "false" 13 | } 14 | -------------------------------------------------------------------------------- /scripts/roles/common/templates/db2mc-token-request.json.j2: -------------------------------------------------------------------------------- 1 | { 2 | "userid": "{{ common_user }}", 3 | "password": "{{ common_password }}" 4 | } 5 | -------------------------------------------------------------------------------- /scripts/roles/common/templates/edge-route.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Route 3 | metadata: 4 | name: "{{ common_route_name }}" 5 | spec: 6 | host: "{{ common_route_name }}.{{ common_apps_endpoint_domain }}" 7 | to: 8 | kind: Service 9 | name: "{{ common_service_name }}" 10 | tls: 11 | termination: edge 12 | insecureEdgeTerminationPolicy: Redirect 13 | key: |- 14 | {{ common_edge_route_slurped_wildcard_key_data.content | b64decode | indent(6) }} 15 | certificate: |- 16 | {{ common_edge_route_slurped_wildcard_crt_data.content | b64decode | indent(6) }} 17 | caCertificate: |- 18 | {{ common_edge_route_slurped_ca_data.content | b64decode | indent(6) }} -------------------------------------------------------------------------------- /scripts/roles/common/templates/icr-secret.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: "{{ common_icr_secret_name }}" 5 | namespace: "{{ common_namespace_name }}" 6 | data: 7 | .dockerconfigjson: "{{ container_registry_json }}" 8 | type: kubernetes.io/dockerconfigjson 9 | -------------------------------------------------------------------------------- /scripts/roles/common/templates/project.yaml.j2: 
-------------------------------------------------------------------------------- 1 | kind: Project 2 | apiVersion: project.openshift.io/v1 3 | metadata: 4 | name: {{ common_namespace_name }} 5 | -------------------------------------------------------------------------------- /scripts/roles/common/vars/main.yml: -------------------------------------------------------------------------------- 1 | common_k8s_api_key: "" 2 | common_k8s_host: "" 3 | common_namespace_name: "" 4 | common_crd_name: "" 5 | common_output_to_var: "" 6 | common_output_directory: "" 7 | common_password: "" 8 | common_db2_db_name: "" 9 | common_db2_hostname: "" 10 | common_route_name: "" 11 | common_project_output_name: "project.yaml" 12 | common_db2_user: "" 13 | common_api_version: "" 14 | common_kind: "" 15 | common_resource_name: "" 16 | common_force_approve: "" 17 | common_file_folder_path: "" 18 | common_file_name: "" 19 | -------------------------------------------------------------------------------- /scripts/roles/config/tasks/external-ldap.yml: -------------------------------------------------------------------------------- 1 | - name: Load External LDAP Secret 2 | kubernetes.core.k8s_info: 3 | api_key: "{{ ocp_cluster_token | default(omit) }}" 4 | host: "{{ ocp_api_endpoint | default(omit) }}" 5 | api_version: v1 6 | kind: Secret 7 | namespace: apollo-one-shot 8 | name: apollo-one-shot 9 | register: external_ldap_secret 10 | retries: 40 11 | delay: 15 12 | 13 | - name: Store External LDAP binds 14 | ansible.builtin.set_fact: 15 | lc_bind_admin_user: "{{ external_ldap_secret.resources[0].data.ldapUsername | b64decode }}" 16 | lc_bind_admin_password: "{{ external_ldap_secret.resources[0].data.ldapPassword | b64decode }}" 17 | lc_principal_admin_user: "{{ external_ldap_secret.resources[0].data.principalAdminUsername | b64decode }}" 18 | lc_principal_admin_password: "{{ external_ldap_secret.resources[0].data.principalAdminPassword | b64decode }}" 19 | no_log: true 20 | 
-------------------------------------------------------------------------------- /scripts/roles/cp4ba/files/ban/lic-server-virtual.v1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/scripts/roles/cp4ba/files/ban/lic-server-virtual.v1 -------------------------------------------------------------------------------- /scripts/roles/cp4ba/files/ban/lic-server.v1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/scripts/roles/cp4ba/files/ban/lic-server.v1 -------------------------------------------------------------------------------- /scripts/roles/cp4ba/files/ier/AdditionalJars.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/scripts/roles/cp4ba/files/ier/AdditionalJars.tgz -------------------------------------------------------------------------------- /scripts/roles/cp4ba/files/ier/ierconfig.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apollo-business-automation/ibm-cp4ba-enterprise-deployment/692c6ab7ecbca789b0a21ec31b24dc1d511f7896/scripts/roles/cp4ba/files/ier/ierconfig.tgz -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/db/aae.yml: -------------------------------------------------------------------------------- 1 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=database-creating-postgresql 2 | 3 | - name: Get postgresql pod 4 | kubernetes.core.k8s_info: 5 | api_key: "{{ cp4ba_k8s_api_key | 
default(omit) }}" 6 | host: "{{ cp4ba_k8s_host | default(omit) }}" 7 | api_version: v1 8 | kind: Pod 9 | namespace: postgresql 10 | label_selectors: 11 | - app=postgresql 12 | register: postgresql_pod 13 | 14 | - name: AAE DB 15 | kubernetes.core.k8s_exec: # NOTE(review): cp4ba_postgresql_universal_password is expanded into a double-quoted bash -c string and a single-quoted SQL literal, so a password containing quotes, '$' or backticks would be reinterpreted by the shell or break the statement. The task sets no no_log, so the rendered command may show up in task output - confirm. 16 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 17 | host: "{{ cp4ba_k8s_host | default(omit) }}" 18 | namespace: postgresql 19 | pod: "{{ postgresql_pod.resources[0].metadata.name }}" 20 | command: > 21 | bash -c " 22 | psql postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@localhost:5432/postgres <<-EOF 23 | -- create a new user 24 | create user aae with password '{{ cp4ba_postgresql_universal_password }}'; 25 | 26 | -- create database aae 27 | create database aae owner aae; 28 | 29 | -- The following grant is used for databases 30 | grant all privileges on database aae to aae; 31 | EOF" 32 | register: command_status 33 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/dbs.yml: -------------------------------------------------------------------------------- 1 | - name: Manage DBs for BAN 2 | include_tasks: db/ban.yml 3 | 4 | - name: Manage DBs for BAS 5 | include_tasks: db/bas.yml 6 | when: cp4ba_config.optional_components.bas 7 | 8 | - name: Manage DBs for ODM 9 | include_tasks: db/odm.yml 10 | when: cp4ba_config.deployment_patterns.decisions 11 | 12 | - name: Manage DBs for FNCM 13 | include_tasks: db/fncm.yml 14 | when: cp4ba_config.deployment_patterns.content 15 | 16 | - name: Manage DBs for IER 17 | include_tasks: db/ier.yml 18 | when: cp4ba_config.deployment_patterns.content and cp4ba_config.optional_components.ier 19 | 20 | - name: Manage DBs for AAE 21 | include_tasks: db/aae.yml 22 | when: cp4ba_config.deployment_patterns.application 23 | 24 | - name: Manage DBs for AAE Data persistence 25 | include_tasks: db/aae-data-persistence.yml 26 | when: cp4ba_config.deployment_patterns.application and 
cp4ba_config.optional_components.ae_data_persistence 27 | 28 | - name: Manage DBs for ADP 29 | include_tasks: db/adp.yml 30 | when: cp4ba_config.deployment_patterns.document_processing 31 | 32 | - name: Manage DBs for BAWAUT 33 | include_tasks: db/bawaut.yml 34 | when: cp4ba_config.deployment_patterns.workflow and cp4ba_config.optional_components.baw_authoring 35 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/install.yml: -------------------------------------------------------------------------------- 1 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=openshift-installing-production-deployments 2 | 3 | - name: Repository 4 | include_tasks: repository.yml 5 | when: _cp4ba_run_repository 6 | 7 | - name: DBs 8 | include_tasks: dbs.yml 9 | when: _cp4ba_run_dbs 10 | 11 | - name: Predeploy 12 | include_tasks: predeploy.yml 13 | when: _cp4ba_run_predeploy 14 | 15 | - name: Deploy 16 | block: 17 | 18 | - name: Deploy 19 | include_tasks: deploy.yml 20 | when: _cp4ba_run_deploy 21 | 22 | - name: Set failted state to false 23 | ansible.builtin.set_fact: 24 | _cp4ba_run_deploy_failed: false 25 | 26 | rescue: 27 | 28 | - name: Set failed state 29 | ansible.builtin.set_fact: 30 | _cp4ba_run_deploy_failed: true 31 | 32 | - name: CR & Log 33 | include_tasks: cr-log.yml 34 | when: _cp4ba_run_deploy 35 | 36 | - name: End play 37 | ansible.builtin.fail: 38 | msg: CP4BA deployment failed. 
39 | 40 | - name: Deploy CR & Log 41 | include_tasks: cr-log.yml 42 | when: _cp4ba_run_deploy 43 | 44 | - name: Postdeploy 45 | include_tasks: postdeploy.yml 46 | when: _cp4ba_run_postdeploy 47 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Set output directory variable 2 | ansible.builtin.set_fact: 3 | cp4ba_output_directory: "{{ cp4ba_base_dir }}/{{ cp4ba_dir_name }}" 4 | 5 | - name: Remove CP4BA directory for generated files 6 | ansible.builtin.file: 7 | path: "{{ cp4ba_output_directory }}" 8 | state: absent 9 | 10 | - name: Create CP4BA directory for generated files 11 | ansible.builtin.file: 12 | path: "{{ cp4ba_output_directory }}" 13 | state: directory 14 | mode: u+rwx 15 | 16 | - name: Install CP4BA 17 | include_tasks: install.yml 18 | vars: 19 | _cp4ba_run_repository: "{{ _cp4ba_run_repository_override if _cp4ba_run_repository_override is defined else true }}" 20 | _cp4ba_run_dbs: "{{ _cp4ba_run_dbs_override if _cp4ba_run_dbs_override is defined else true }}" 21 | _cp4ba_run_predeploy: "{{ _cp4ba_run_predeploy_override if _cp4ba_run_predeploy_override is defined else true }}" 22 | _cp4ba_run_deploy: "{{ _cp4ba_run_deploy_override if _cp4ba_run_deploy_override is defined else true }}" 23 | _cp4ba_run_postdeploy: "{{ _cp4ba_run_postdeploy_override if _cp4ba_run_postdeploy_override is defined else true }}" 24 | when: "cp4ba_action == 'install'" 25 | 26 | - name: Remove CP4BA 27 | include_tasks: remove.yml 28 | when: "cp4ba_action == 'remove'" 29 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/predeploy/aae-data-persistence.yml: -------------------------------------------------------------------------------- 1 | # Based on 
https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=engine-creating-secrets-protect-sensitive-configuration-data 2 | # If you plan to use AAE data persistence, you need to update FNCM secret for new object store. 3 | # Make sure FNCM secret already exists 4 | - name: Add AAE OS to FNCM Secret 5 | kubernetes.core.k8s: 6 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 7 | host: "{{ cp4ba_k8s_host | default(omit) }}" 8 | state: present 9 | api_version: v1 10 | kind: Secret 11 | name: ibm-fncm-secret 12 | namespace: "{{ cp4ba_project_name }}" 13 | definition: 14 | data: 15 | aeosDBUsername: "{{ 'aeos' | b64encode }}" 16 | aeosDBPassword: "{{ cp4ba_postgresql_universal_password | b64encode }}" 17 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/predeploy/aae.yml: -------------------------------------------------------------------------------- 1 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=engine-creating-secrets-protect-sensitive-configuration-data 2 | - name: Prepare yaml file for AAE Secret 3 | ansible.builtin.template: 4 | src: aae/aae-secret.yaml.j2 5 | dest: "{{ cp4ba_output_directory }}/aae-secret.yaml" 6 | mode: u+rwx # NOTE(review): the symbolic mode only adds owner bits, so group/other access to this rendered Secret manifest is left to the umask, and the execute bit is not needed; an explicit '0600' would state the intent. The other predeploy secret templates in this role use the same mode. 7 | 8 | - name: Add AAE Secret 9 | kubernetes.core.k8s: 10 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 11 | host: "{{ cp4ba_k8s_host | default(omit) }}" 12 | state: present 13 | force: false 14 | merge_type: merge 15 | src: "{{ cp4ba_output_directory }}/aae-secret.yaml" 16 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/predeploy/adp.yml: -------------------------------------------------------------------------------- 1 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=dp-creating-secrets-protect-sensitive-document-processing-configuration-data 2 | - name: Prepare yaml file for ADP Secret 3 | ansible.builtin.template: 4 | src: 
adp/adp-secret.yaml.j2 5 | dest: "{{ cp4ba_output_directory }}/adp-secret.yaml" 6 | mode: u+rwx 7 | 8 | - name: Add ADP Secret 9 | kubernetes.core.k8s: 10 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 11 | host: "{{ cp4ba_k8s_host | default(omit) }}" 12 | state: present 13 | force: false 14 | merge_type: merge 15 | src: "{{ cp4ba_output_directory }}/adp-secret.yaml" 16 | 17 | - name: Add ADP OS to FNCM Secret 18 | kubernetes.core.k8s: 19 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 20 | host: "{{ cp4ba_k8s_host | default(omit) }}" 21 | state: present 22 | api_version: v1 23 | kind: Secret 24 | name: ibm-fncm-secret 25 | namespace: "{{ cp4ba_project_name }}" 26 | definition: 27 | data: 28 | devos1DBUsername: "{{ 'devos1' | b64encode }}" 29 | devos1DBPassword: "{{ cp4ba_postgresql_universal_password | b64encode }}" 30 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/predeploy/ads.yml: -------------------------------------------------------------------------------- 1 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=services-configuring-decision-runtime 2 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=services-configuring-mongodb-storage 3 | - name: Prepare yaml file for ADS Secret 4 | ansible.builtin.template: 5 | src: ads/ads-secret.yaml.j2 6 | dest: "{{ cp4ba_output_directory }}/ads-secret.yaml" 7 | mode: u+rwx 8 | 9 | - name: Add ADS Secret 10 | kubernetes.core.k8s: 11 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 12 | host: "{{ cp4ba_k8s_host | default(omit) }}" 13 | state: present 14 | force: false 15 | merge_type: merge 16 | src: "{{ cp4ba_output_directory }}/ads-secret.yaml" 17 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/predeploy/bai.yml: -------------------------------------------------------------------------------- 1 | # Based on 
https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=secrets-creating-custom-bpc-workforce-secret 2 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=secrets-creating-custom-bai-secret 3 | - name: Prepare yaml file for BAI Secret 4 | ansible.builtin.template: 5 | src: bai/bai-secret.yaml.j2 6 | dest: "{{ cp4ba_output_directory }}/bai-secret.yaml" 7 | mode: u+rwx 8 | 9 | - name: Add BAI Secret 10 | kubernetes.core.k8s: 11 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 12 | host: "{{ cp4ba_k8s_host | default(omit) }}" 13 | state: present 14 | force: false 15 | merge_type: merge 16 | src: "{{ cp4ba_output_directory }}/bai-secret.yaml" 17 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/predeploy/ban.yml: -------------------------------------------------------------------------------- 1 | # Based on 2 | # https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=ban-creating-secrets-protect-sensitive-business-automation-navigator-configuration-data 3 | - name: Prepare yaml file for BAN Secret 4 | ansible.builtin.template: 5 | src: ban/ban-secret.yaml.j2 6 | dest: "{{ cp4ba_output_directory }}/ban-secret.yaml" 7 | mode: u+rwx 8 | 9 | - name: Add BAN Secret 10 | kubernetes.core.k8s: 11 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 12 | host: "{{ cp4ba_k8s_host | default(omit) }}" 13 | state: present 14 | force: false 15 | merge_type: merge 16 | src: "{{ cp4ba_output_directory }}/ban-secret.yaml" 17 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/predeploy/bas.yml: -------------------------------------------------------------------------------- 1 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=studio-creating-secrets-protect-sensitive-configuration-data 2 | - name: Prepare yaml file for BAS Secret 3 | ansible.builtin.template: 4 | src: 
bas/bas-secret.yaml.j2 5 | dest: "{{ cp4ba_output_directory }}/bas-secret.yaml" 6 | mode: u+rwx 7 | 8 | - name: Add BAS Secret 9 | kubernetes.core.k8s: 10 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 11 | host: "{{ cp4ba_k8s_host | default(omit) }}" 12 | state: present 13 | force: false 14 | merge_type: merge 15 | src: "{{ cp4ba_output_directory }}/bas-secret.yaml" 16 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/predeploy/bawaut.yml: -------------------------------------------------------------------------------- 1 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=authoring-creating-secrets-protect-sensitive-configuration-data 2 | - name: Add BAWAUT OSs to FNCM Secret 3 | kubernetes.core.k8s: 4 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 5 | host: "{{ cp4ba_k8s_host | default(omit) }}" 6 | state: present 7 | api_version: v1 8 | kind: Secret 9 | name: ibm-fncm-secret 10 | namespace: "{{ cp4ba_project_name }}" 11 | definition: | 12 | data: 13 | {{ item }}DBUsername: {{ item | b64encode }} 14 | {{ item }}DBPassword: {{ cp4ba_postgresql_universal_password | b64encode }} 15 | with_items: 16 | - badocs 17 | - batos 18 | - bados 19 | # Update FNCM secret for new Case History connection. 
20 | # Make sure FNCM secret already exists 21 | - ch 22 | 23 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=services-optional-customizing-runtime-server-properties 24 | # Based on https://www.ibm.com/docs/en/baw/20.x?topic=work-configuring-email-notifications 25 | # Based on https://www.ibm.com/docs/en/baw/20.x?topic=configuration-creating-100customxml-file 26 | - name: Prepare yaml file for BAWAUT Secret 27 | ansible.builtin.template: 28 | src: bawaut/bawaut-custom-xml-secret.yaml.j2 29 | dest: "{{ cp4ba_output_directory }}/bawaut-custom-xml-secret.yaml" 30 | mode: u+rwx 31 | 32 | - name: Add BAWAUT Secret 33 | kubernetes.core.k8s: 34 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 35 | host: "{{ cp4ba_k8s_host | default(omit) }}" 36 | state: present 37 | force: false 38 | merge_type: merge 39 | src: "{{ cp4ba_output_directory }}/bawaut-custom-xml-secret.yaml" 40 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/predeploy/fncm-es.yml: -------------------------------------------------------------------------------- 1 | - name: Create Google TLS secret 2 | block: 3 | 4 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=manager-configuring-identity-provider-connection point 4. 
5 | - name: Prepare yaml file for FNCM IDP Secret 6 | ansible.builtin.template: 7 | src: fncm/fncm-google-idp-secret.yaml.j2 8 | dest: "{{ cp4ba_output_directory }}/fncm-google-idp-secret.yaml" 9 | mode: u+rwx 10 | 11 | - name: Add FNCM IDP Secret 12 | kubernetes.core.k8s: 13 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 14 | host: "{{ cp4ba_k8s_host | default(omit) }}" 15 | state: present 16 | force: false 17 | merge_type: merge 18 | src: "{{ cp4ba_output_directory }}/fncm-google-idp-secret.yaml" 19 | 20 | - name: Get the cert from an RDP port 21 | community.crypto.get_certificate: # NOTE(review): the task name mentions RDP, but the host and port below are accounts.google.com:443. Whatever certificate that connection returns is stored in _google_crt, presumably for the TLS secret template, with no comparison against a known fingerprint. 22 | host: accounts.google.com 23 | port: 443 24 | run_once: true 25 | register: cert 26 | 27 | - name: Set google crt 28 | ansible.builtin.set_fact: 29 | _google_crt: "{{ cert.cert }}" 30 | 31 | - name: Prepare yaml file for FNCM Google TLS Secret 32 | ansible.builtin.template: 33 | src: fncm/fncm-google-tls-secret.yaml.j2 34 | dest: "{{ cp4ba_output_directory }}/fncm-google-tls-secret.yaml" 35 | mode: u+rwx 36 | 37 | - name: Add FNCM Google TLS Secret 38 | kubernetes.core.k8s: 39 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 40 | host: "{{ cp4ba_k8s_host | default(omit) }}" 41 | state: present 42 | force: false 43 | merge_type: merge 44 | src: "{{ cp4ba_output_directory }}/fncm-google-tls-secret.yaml" 45 | 46 | when: cp4ba_external_share_google | bool 47 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/predeploy/fncm.yml: -------------------------------------------------------------------------------- 1 | # Based on 2 | # https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=fcm-creating-secrets-protect-sensitive-filenet-content-manager-configuration-data 3 | - name: Prepare yaml file for FNCM Secret 4 | ansible.builtin.template: 5 | src: fncm/fncm-secret.yaml.j2 6 | dest: "{{ cp4ba_output_directory }}/fncm-secret.yaml" 7 | mode: u+rwx 8 | 9 | - name: Add FNCM Secret 10 | kubernetes.core.k8s: 11 
| api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 12 | host: "{{ cp4ba_k8s_host | default(omit) }}" 13 | state: present 14 | force: false 15 | merge_type: merge 16 | src: "{{ cp4ba_output_directory }}/fncm-secret.yaml" 17 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/predeploy/ier.yml: -------------------------------------------------------------------------------- 1 | # Based on 2 | # https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=fcm-creating-secrets-protect-sensitive-filenet-content-manager-configuration-data 3 | - name: Prepare yaml file for IER Secret 4 | ansible.builtin.template: 5 | src: ier/ier-secret.yaml.j2 6 | dest: "{{ cp4ba_output_directory }}/ier-secret.yaml" 7 | mode: u+rwx 8 | 9 | - name: Add IER Secret 10 | kubernetes.core.k8s: 11 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 12 | host: "{{ cp4ba_k8s_host | default(omit) }}" 13 | state: present 14 | force: false 15 | merge_type: merge 16 | src: "{{ cp4ba_output_directory }}/ier-secret.yaml" 17 | 18 | # Make sure FNCM secret already exists 19 | - name: Add FPOS OS to FNCM Secret 20 | kubernetes.core.k8s: 21 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 22 | host: "{{ cp4ba_k8s_host | default(omit) }}" 23 | state: present 24 | api_version: v1 25 | kind: Secret 26 | name: ibm-fncm-secret 27 | namespace: "{{ cp4ba_project_name }}" 28 | definition: 29 | data: 30 | fposDBUsername: "{{ 'fpos' | b64encode }}" 31 | fposDBPassword: "{{ cp4ba_postgresql_universal_password | b64encode }}" 32 | 33 | - name: Add ROS OS to FNCM Secret 34 | kubernetes.core.k8s: 35 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 36 | host: "{{ cp4ba_k8s_host | default(omit) }}" 37 | state: present 38 | api_version: v1 39 | kind: Secret 40 | name: ibm-fncm-secret 41 | namespace: "{{ cp4ba_project_name }}" 42 | definition: 43 | data: 44 | rosDBUsername: "{{ 'ros' | b64encode }}" 45 | rosDBPassword: "{{ 
cp4ba_postgresql_universal_password | b64encode }}" 46 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/predeploy/odm.yml: -------------------------------------------------------------------------------- 1 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=manager-configuring-external-database 2 | - name: Prepare yaml file for ODM DB Secret 3 | ansible.builtin.template: 4 | src: odm/odm-db-secret.yaml.j2 5 | dest: "{{ cp4ba_output_directory }}/odm-db-secret.yaml" 6 | mode: u+rwx 7 | 8 | - name: Add ODM DB Secret 9 | kubernetes.core.k8s: 10 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 11 | host: "{{ cp4ba_k8s_host | default(omit) }}" 12 | state: present 13 | force: false 14 | merge_type: merge 15 | src: "{{ cp4ba_output_directory }}/odm-db-secret.yaml" 16 | 17 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=access-mapping-odm-roles-iam-groups-users 18 | - name: Prepare yaml file for ODM web security Secret 19 | ansible.builtin.template: 20 | src: odm/odm-web-security-secret.yaml.j2 21 | dest: "{{ cp4ba_output_directory }}/odm-web-security-secret.yaml" 22 | mode: u+rwx 23 | 24 | - name: Add ODM web security Secret 25 | kubernetes.core.k8s: 26 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 27 | host: "{{ cp4ba_k8s_host | default(omit) }}" 28 | state: present 29 | force: false 30 | merge_type: merge 31 | src: "{{ cp4ba_output_directory }}/odm-web-security-secret.yaml" 32 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/predeploy/rr.yml: -------------------------------------------------------------------------------- 1 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=engine-creating-secrets-protect-sensitive-configuration-data 2 | # Based on 
https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=studio-creating-secrets-protect-sensitive-configuration-data 3 | - name: Prepare yaml file for RR Secret 4 | ansible.builtin.template: 5 | src: rr/rr-secret.yaml.j2 6 | dest: "{{ cp4ba_output_directory }}/rr-secret.yaml" 7 | mode: u+rwx 8 | 9 | - name: Add RR Secret 10 | kubernetes.core.k8s: 11 | api_key: "{{ cp4ba_k8s_api_key | default(omit) }}" 12 | host: "{{ cp4ba_k8s_host | default(omit) }}" 13 | state: present 14 | force: false 15 | merge_type: merge 16 | src: "{{ cp4ba_output_directory }}/rr-secret.yaml" 17 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/tasks/repository.yml: -------------------------------------------------------------------------------- 1 | # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=operator-preparing-log-file-storage 2 | 3 | - name: Download installation repository 4 | ansible.builtin.get_url: 5 | url: https://github.com/IBM/cloud-pak/raw/master/repo/case/ibm-cp-automation/{{ cp4ba_case_version }}/ibm-cp-automation-{{ cp4ba_case_version }}.tgz 6 | dest: "{{ cp4ba_output_directory }}/ibm-cp-automation-{{ cp4ba_case_version }}.tgz" 7 | mode: u+rw 8 | retries: 10 9 | delay: 1 10 | 11 | - name: Extract installation repository 12 | ansible.builtin.unarchive: 13 | src: "{{ cp4ba_output_directory }}/ibm-cp-automation-{{ cp4ba_case_version }}.tgz" 14 | dest: "{{ cp4ba_output_directory }}" 15 | 16 | - name: Extract cert k8s repository 17 | ansible.builtin.unarchive: 18 | src: "{{ cp4ba_output_directory }}/ibm-cp-automation/inventory/cp4aOperatorSdk/files/deploy/crs/cert-k8s-{{ cp4ba_case_cert_k8s_version }}.tar" 19 | dest: "{{ cp4ba_output_directory }}" 20 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/templates/aae/aae-secret.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: 
v1 2 | kind: Secret 3 | metadata: 4 | name: cp4ba-instance1-aae-app-engine-admin-secret 5 | namespace: "{{ cp4ba_project_name }}" 6 | type: Opaque 7 | stringData: 8 | AE_DATABASE_PWD: "{{ cp4ba_postgresql_universal_password }}" 9 | AE_DATABASE_USER: aae 10 | REDIS_PASSWORD: "{{ cp4ba_universal_password }}" 11 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/templates/aae/cr-persistence.yaml.j2: -------------------------------------------------------------------------------- 1 | spec: 2 | datasource_configuration: 3 | dc_os_datasources: 4 | - dc_database_type: postgresql 5 | dc_os_label: aeos 6 | dc_common_os_datasource_name: AEOS 7 | dc_common_os_xa_datasource_name: AEOSXA 8 | database_servername: "{{ cp4ba_postgresql_hostname }}" 9 | database_name: aeos 10 | database_port: "5432" 11 | initialize_configuration: 12 | ic_obj_store_creation: 13 | object_stores: 14 | - oc_cpe_obj_store_display_name: AEOS 15 | oc_cpe_obj_store_symb_name: AEOS 16 | oc_cpe_obj_store_conn: 17 | name: AEOS_dbconnection 18 | dc_os_datasource_name: AEOS 19 | dc_os_xa_datasource_name: AEOSXA 20 | oc_cpe_obj_store_admin_user_groups: [{% for item in (lc_admin_groups+lc_admin_users) %}'{{ item }}'{{ "," if not loop.last else "" }}{% endfor %}] 21 | oc_cpe_obj_store_asa_name: aeos_asa 22 | oc_cpe_obj_store_asa_file_systems_storage_device_name: aeos_file_system_storage 23 | oc_cpe_obj_store_asa_root_dir_path: /opt/ibm/asa/aeos_storagearea1 24 | ic_icn_init_info: 25 | icn_repos: 26 | - add_repo_id: AEOS 27 | add_repo_os_sym_name: AEOS 28 | add_repo_os_dis_name: AEOS 29 | icn_desktop: 30 | - add_desktop_id: AEOS 31 | add_desktop_name: AEOS 32 | add_desktop_description: AEOS 33 | add_desktop_repo_id: AEOS 34 | verify_configuration: 35 | vc_icn_verification: 36 | - vc_icn_repository: AEOS 37 | vc_icn_desktop_id: AEOS 38 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/templates/aae/cr.yaml.j2: 
-------------------------------------------------------------------------------- 1 | spec: 2 | application_engine_configuration: 3 | - name: instance1 4 | admin_secret_name: cp4ba-instance1-aae-app-engine-admin-secret 5 | admin_user: "{{ lc_principal_admin_user }}" 6 | replica_size: 1 7 | autoscaling: 8 | enabled: false 9 | database: 10 | host: "{{ cp4ba_postgresql_hostname }}" 11 | name: aae 12 | port: "5432" 13 | type: postgresql 14 | data_persistence: 15 | enable: "{{ aae_data_persistence | default(false) }}" 16 | object_store_name: AEOS 17 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/templates/adp/adp-secret.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: ibm-adp-secret 5 | namespace: "{{ cp4ba_project_name }}" 6 | stringData: 7 | serviceUser: "{{ lc_ldap_user_id_attribute }}={{ lc_principal_admin_user }},{{ lc_ldap_user_base_dn }}" 8 | servicePwd: "{{ lc_principal_admin_password }}" 9 | serviceUserBas: "{{ lc_ldap_user_id_attribute }}={{ lc_principal_admin_user }},{{ lc_ldap_user_base_dn }}" 10 | servicePwdBas: "{{ lc_principal_admin_password }}" 11 | serviceUserCa: "{{ lc_ldap_user_id_attribute }}={{ lc_principal_admin_user }},{{ lc_ldap_user_base_dn }}" 12 | servicePwdCa: "{{ lc_principal_admin_password }}" 13 | envOwnerUser: "{{ lc_ldap_user_id_attribute }}={{ lc_principal_admin_user }},{{ lc_ldap_user_base_dn }}" 14 | envOwnerPwd: "{{ lc_principal_admin_password }}" 15 | # TODO Custom Mongo not working and not described 16 | #mongoUri: 'mongodb://{{ cp4ba_mongodb_hostname }}:27017/?authSource=admin&connectTimeoutMS=3000' 17 | #mongoUser: root 18 | #mongoPwd: "{{ cp4ba_universal_password }}" 19 | --- 20 | apiVersion: v1 21 | kind: Secret 22 | metadata: 23 | name: ca-basedb 24 | namespace: "{{ cp4ba_project_name }}" 25 | stringData: 26 | BASE_DB_USER: base 27 | BASE_DB_CONFIG: "{{ 
cp4ba_db2_universal_password }}" 28 | TENANT1_DB_CONFIG: "{{ cp4ba_db2_universal_password }}" 29 | TENANT2_DB_CONFIG: "{{ cp4ba_db2_universal_password }}" 30 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/templates/ads/ads-secret.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: ibm-dba-ads-runtime-secret 5 | namespace: "{{ cp4ba_project_name }}" 6 | type: Opaque 7 | stringData: 8 | decisionServiceUsername: drs 9 | decisionServicePassword: "{{ cp4ba_universal_password }}" 10 | decisionServiceManagerUsername: drsManager 11 | decisionServiceManagerPassword: "{{ cp4ba_universal_password }}" 12 | decisionRuntimeMonitorUsername: drsMonitor 13 | decisionRuntimeMonitorPassword: "{{ cp4ba_universal_password }}" 14 | deploymentSpaceManagerUsername: depManager 15 | deploymentSpaceManagerPassword: "{{ cp4ba_universal_password }}" 16 | asraManagerUsername: asraManager 17 | asraManagerPassword: "{{ cp4ba_universal_password }}" 18 | encryptionKeys: | 19 | {"activeKey":"key1","secretKeyList":[{"secretKeyId":"key1", 20 | "value":"123344566745435"}]} 21 | mlConfig: "" 22 | sslKeystorePassword: "{{ cp4ba_universal_password }}" 23 | --- 24 | apiVersion: v1 25 | kind: Secret 26 | metadata: 27 | name: ibm-dba-ads-mongo-secret 28 | namespace: "{{ cp4ba_project_name }}" 29 | type: Opaque 30 | stringData: 31 | # mongodb+srv switched for mongodb protocol only. 
srv is for DNS replica resolution which is not in place 32 | gitMongoUri: "mongodb://root:{{ cp4ba_universal_password }}@{{ cp4ba_mongodb_hostname }}:27017/ads-git?retryWrites=true&w=majority&authSource=admin" 33 | mongoUri: "mongodb://root:{{ cp4ba_universal_password }}@{{ cp4ba_mongodb_hostname }}:27017/ads?retryWrites=true&w=majority&authSource=admin" 34 | mongoHistoryUri: "mongodb://root:{{ cp4ba_universal_password }}@{{ cp4ba_mongodb_hostname }}:27017/ads-history?retryWrites=true&w=majority&authSource=admin" 35 | runtimeMongoUri: "mongodb://root:{{ cp4ba_universal_password }}@{{ cp4ba_mongodb_hostname }}:27017/ads-runtime?retryWrites=true&w=majority&authSource=admin" 36 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/templates/ads/cr-designer.yaml.j2: -------------------------------------------------------------------------------- 1 | spec: 2 | ads_configuration: 3 | decision_designer: 4 | enabled: true 5 | embedded_build_service: 6 | replica_count: 1 7 | front: 8 | replica_count: 1 9 | download_service: 10 | replica_count: 1 11 | rest_api: 12 | replica_count: 1 13 | credentials_service: 14 | replica_count: 1 15 | resources: 16 | limits: 17 | ephemeral_storage: 1Gi 18 | git_service: 19 | replica_count: 1 20 | parsing_service: 21 | replica_count: 1 22 | resources: 23 | limits: 24 | ephemeral_storage: 1Gi 25 | run_service: 26 | replica_count: 1 27 | -------------------------------------------------------------------------------- /scripts/roles/cp4ba/templates/ads/cr-runtime.yaml.j2: -------------------------------------------------------------------------------- 1 | spec: 2 | ads_configuration: 3 | decision_runtime: 4 | enabled: true 5 | autoscaling: 6 | enabled: false 7 | admin_secret_name: ibm-dba-ads-runtime-secret 8 | decision_runtime_service: 9 | replica_count: 1 10 | tls: 11 | allow_self_signed: true 12 | autoscaling: 13 | enabled: false 14 | 
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/bai/bai-secret.yaml.j2:
--------------------------------------------------------------------------------
# Placeholder Secret with an empty workforce-insights configuration. The template
# workforce-insights-config-secret.yaml.j2 defines a Secret with the same name.
apiVersion: v1
kind: Secret
metadata:
  name: custom-bpc-workforce-secret
  namespace: "{{ cp4ba_project_name }}"
type: Opaque
stringData:
  workforce-insights-configuration.yml: ""
---
# Kibana and management credentials for BAI. The management account is the
# principal admin user, not a dedicated service identity.
# Values are interpolated inside double quotes: a password containing `"` or `\`
# would render invalid or altered YAML.
apiVersion: v1
kind: Secret
metadata:
  name: custom-bai-secret
  namespace: "{{ cp4ba_project_name }}"
type: Opaque
stringData:
  kibana-username: "{{ cp4ba_kibana_admin_user }}"
  kibana-password: "{{ cp4ba_kibana_universal_password }}"
  management-username: "{{ lc_principal_admin_user }}"
  management-password: "{{ lc_principal_admin_password }}"
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/bai/cr.yaml.j2:
--------------------------------------------------------------------------------
1 | spec: 2 | bai_configuration: 3 | bai_secret: custom-bai-secret 4 | settings: 5 | external_kibana_url: "{{ cp4ba_kibana_url }}" 6 | egress: true 7 | flink: 8 | create_route: true 9 | additional_task_managers: 1 10 | business_performance_center: 11 | replicas: 1 12 | workforce_insights_secret: custom-bpc-workforce-secret 13 | management: 14 | replicas: 1 15 | bpmn: 16 | install: true 17 | parallelism: 1 18 | force_elasticsearch_timeseries: true 19 | bawadv: 20 | install: true 21 | parallelism: 1 22 | icm: 23 | install: true 24 | parallelism: 1 25 | odm: 26 | install: true 27 | parallelism: 1 28 | content: 29 | install: true 30 | parallelism: 1 31 | event_forwarder: 32 | install: false 33 |
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/bai/workforce-insights-config-secret.yaml.j2:
--------------------------------------------------------------------------------
# Same Secret name as the empty placeholder in bai-secret.yaml.j2, filled with a
# BPM connection entry. The payload is itself YAML, and the four values are
# interpolated unquoted.
# NOTE(review): a username or password containing `: `, ` #`, or a leading
# `*`, `&`, `!`, `{` or `[` would change how the inner document parses; quoting the
# values (for example with the `to_json` filter) would avoid that.
apiVersion: v1
kind: Secret
metadata:
  name: custom-bpc-workforce-secret
  namespace: "{{ cp4ba_project_name }}"
stringData:
  workforce-insights-configuration.yml: |-
    - bpmSystemId: {{ system_id }}
      url: {{ url}}
      username: {{ username }}
      password: {{ password }}
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/ban/ban-secret.yaml.j2:
--------------------------------------------------------------------------------
# Navigator Secret. cp4ba_universal_password is used for the keystore, the LTPA
# keys and the mail account alike; the application login is the principal admin.
apiVersion: v1
kind: Secret
metadata:
  name: ibm-ban-secret
  namespace: "{{ cp4ba_project_name }}"
type: Opaque
stringData:
  navigatorDBUsername: icndb
  navigatorDBPassword: "{{ cp4ba_postgresql_universal_password }}"
  keystorePassword: "{{ cp4ba_universal_password }}"
  ltpaPassword: "{{ cp4ba_universal_password }}"
  appLoginUsername: "{{ lc_principal_admin_user }}"
  appLoginPassword: "{{ lc_principal_admin_password }}"
  jMailUsername: "{{ lc_principal_admin_user }}@{{ lc_ldap_domain }}"
  jMailPassword: "{{ cp4ba_universal_password }}"
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/ban/cr.yaml.j2:
--------------------------------------------------------------------------------
1 | spec: 2 | datasource_configuration: 3 | dc_icn_datasource: 4 | dc_database_type: postgresql 5 | dc_common_icn_datasource_name: ECMClientDS 6 | database_servername: "{{ cp4ba_postgresql_hostname }}" 7 | database_port: "5432" 8 | database_name: icndb 9 | navigator_configuration: 10 | ban_secret_name: ibm-ban-secret 11 | replica_count: 1 12 | icn_production_setting: 13 | jvm_customize_options: "" 14 | icn_table_space: icndb_tbs 15 | copy_files_to_war: navigator_war_filesources.xml 16 | auto_scaling: 17 | enabled: false 18 | java_mail: 19 | host: "{{ cp4ba_mail_hostname }}" 20 | sender: "system@cp.internal" 21 |
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/bas/bas-secret.yaml.j2:
--------------------------------------------------------------------------------
# Database credentials for Business Automation Studio and its playback server.
# Both use the shared PostgreSQL password under different user names.
# Values are interpolated inside double quotes: a password containing `"` or `\`
# would render invalid or altered YAML.
apiVersion: v1
kind: Secret
metadata:
  name: bas-admin-secret
  namespace: "{{ cp4ba_project_name }}"
type: Opaque
stringData:
  dbUsername: bas
  dbPassword: "{{ cp4ba_postgresql_universal_password }}"
---
apiVersion: v1
kind: Secret
metadata:
  name: playback-server-admin-secret
  namespace: "{{ cp4ba_project_name }}"
type: Opaque
stringData:
  AE_DATABASE_PWD: "{{ cp4ba_postgresql_universal_password }}"
  AE_DATABASE_USER: pb
  REDIS_PASSWORD: "{{ cp4ba_universal_password }}"
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/bas/cr.yaml.j2:
--------------------------------------------------------------------------------
1 | spec: 2 | bastudio_configuration: 3 | admin_secret_name: bas-admin-secret 4 | admin_user: "{{ lc_principal_admin_user }}" 5 | replica_size: 1 6 | database: 7 | type: postgresql 8 | host: "{{ cp4ba_postgresql_hostname }}" 9 | name: bas 10 | port: "5432" 11 | autoscaling: 12 | enabled: false 13 | jms_server: 14 | storage: 15 | persistent: true 16 | use_dynamic_provisioning: true 17 | storage_class: "{{ cp4ba_storage_class_name }}" 18 | playback_server: 19 | admin_secret_name: playback-server-admin-secret 20 | admin_user: "{{ lc_principal_admin_user }}" 21 | replica_size: 1 22 | autoscaling: 23 | enabled: false 24 | database: 25 | host: "{{ cp4ba_postgresql_hostname }}" 26 | name: pb 27 | port: "5432" 28 | type: postgresql 29 | env: 30 | server_env_type: development 31 |
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/catalogsource.yaml.j2:
--------------------------------------------------------------------------------
# All three catalog images are referenced by sha256 digest rather than by tag, so
# the catalog content cannot change without this file being edited. The case/csv
# comments record which release each digest is meant to correspond to.
# NOTE(review): confirm each digest against the published case when bumping versions.
# case 4.1.2 / csv 22.2.2 / https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-cp-automation
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-cp4a-operator-catalog
  namespace: openshift-marketplace
spec:
  displayName: ibm-cp4a-operator
  publisher: IBM
  sourceType: grpc
  image: icr.io/cpopen/ibm-cp-automation-catalog@sha256:56aca04a9be8c9e1354c19fd976c0366ea5aff22f0f3ed30c43d4393d8215b02
  updateStrategy:
    registryPoll:
      interval: 45m
---
# case 1.3.13 / csv 1.3.13 / https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-cp-automation-foundation
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-cp-automation-foundation-catalog
  namespace: openshift-marketplace
spec:
  displayName: IBM Automation Foundation Operators
  publisher: IBM
  sourceType: grpc
  image: icr.io/cpopen/ibm-cp-automation-foundation-catalog@sha256:1753b1cabf6cdc6d295d8da096ce3f769b6487fdbef5802de63dccbfa7d9a43b
  updateStrategy:
    registryPoll:
      interval: 45m
---
# case 1.3.13 / csv 1.3.13 / https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-automation-foundation-core
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-automation-foundation-core-catalog
  namespace: openshift-marketplace
spec:
  displayName: IBM Automation Foundation Core Operators
  publisher: IBM
  sourceType: grpc
  image: icr.io/cpopen/ibm-automation-foundation-core-catalog@sha256:8bd0b52526de4a2adf6b299237f3d295a710e7d0ff538a319226c614ceae618b
  updateStrategy:
    registryPoll:
      interval: 45m
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/cp4ba-cr-configmap.yaml.j2:
--------------------------------------------------------------------------------
# Publishes the assembled custom resource as a ConfigMap in the output namespace.
# NOTE(review): ConfigMaps are not access-controlled like Secrets; verify that
# cp4ba_cr_content carries only secret names, never credential values.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cp4ba-cr
  namespace: "{{ cp4ba_output_namespace }}"
data:
  cp4ba-cr.yaml: |-
    {{ cp4ba_cr_content | to_nice_yaml(indent=2, width=1337) | indent(4) }}
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/cp4ba-operator-log-configmap.yaml.j2:
--------------------------------------------------------------------------------
# Publishes the collected failed-task output of the operator as a ConfigMap.
# NOTE(review): operator logs can echo configuration values; check what
# cp4ba_failed_tasks_content may contain before exposing it this way.
# The name is spelled `opertor` in the source; left unchanged here because other
# tasks may look the ConfigMap up by this exact name.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cp4ba-opertor-log
  namespace: "{{ cp4ba_output_namespace }}"
data:
  cp4ba-operator.log: |-
    {{ cp4ba_failed_tasks_content | indent(4) }}
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/fncm/cr-cmis.yaml.j2:
--------------------------------------------------------------------------------
1 | spec: 2 | ecm_configuration: 3 | cmis: 4 | replica_count: 1 5 |
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/fncm/cr-css.yaml.j2:
--------------------------------------------------------------------------------
1 | spec: 2 | ecm_configuration: 3 | css: 4 | replica_count: 1 5 | initialize_configuration: 6 | ic_css_creation: 7 | - css_text_search_server_name: "{{ cp4ba_cr_meta_name }}-css-1" 8 | ic_css_index_area: 9 | - object_store_name: OS1 10 | index_area_name: os1_index_area 11 | ic_enable_cbr: 12 | - object_store_name: OS1 13 | verify_configuration: 14 | vc_cpe_verification: 15 | vc_cpe_cbr: 16 | - cbr_cpe_obj_store_name: OS1 17 |
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/fncm/cr-es-gid.yaml.j2:
--------------------------------------------------------------------------------
# Registers Google as an OpenID Connect provider for External Share.
# `response_type: id_token token` is the OIDC implicit-flow response type, in which
# tokens are returned through the browser. NOTE(review): check whether the product
# supports the authorization-code flow (`code`) for this provider and prefer it.
# The user is identified by the `email` claim and is not mapped to a registry user
# (map_identity_to_registry_user: false), so access decisions rest on that claim.
spec:
  shared_configuration:
    open_id_connect_providers:
      - provider_name: ExShareGID
        display_name: Google ID
        client_oidc_secret:
          es: internal-idp-oidc-google-secret
          nav: internal-idp-oidc-google-secret
          cpe: internal-idp-oidc-google-secret
          graphql: internal-idp-oidc-google-secret
        issuer_identifier: https://accounts.google.com
        response_type: id_token token
        scope: openid email profile
        map_identity_to_registry_user: false
        authn_session_disabled: false
        inbound_propagation: supported
        https_required: true
        validation_method: introspect
        disable_ltpa_cookie: true
        signature_algorithm: RS256
        user_identifier: email
        unique_user_identifier: email
        user_identity_to_create_subject: email
        discovery_endpoint_url: https://accounts.google.com/.well-known/openid-configuration
        jwk_client_oidc_secret:
          es: internal-idp-oidc-google-secret
          nav: internal-idp-oidc-google-secret
          cpe: internal-idp-oidc-google-secret
          graphql: internal-idp-oidc-google-secret
        token_reuse: true
# TODO Not working due to CPE java API bug, report, wait for fix
# The disabled block below would allow self-registration for any gmail.com address.
# initialize_configuration:
# ic_ldap_managed_realm:
# - managed_realm_name: externalManaged
# managed_realm_base_dn: dc=externalManaged,dc=managed
# managed_realm_principal_cat: External
# managed_realm_exclude_from_auth_user: false
# managed_realm_identity_rules:
# - identity_rule_type: "ALLOW_SELF_REGISTER"
# email_suffix: "gmail.com"
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/fncm/cr-es.yaml.j2:
--------------------------------------------------------------------------------
1 | spec: 2 | ecm_configuration: 3 | es: 4 | replica_count: 1 5 | es_production_setting: 6 | license_model: FNCM.PVUNonProd 7 |
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/fncm/cr-graphql.yaml.j2:
--------------------------------------------------------------------------------
1 | spec: 2 | ecm_configuration: 3 | graphql: 4 | replica_count: 1 5 | graphql_production_setting: 6 | license_model: FNCM.PVUNonProd 7 | enable_graph_iql: true 8 |
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/fncm/cr-tm.yaml.j2:
--------------------------------------------------------------------------------
1 | spec: 2 | ecm_configuration: 3 | tm: 4 | replica_count: 1 5 | tm_production_setting: 6 | # Based on https://www.ibm.com/docs/en/enterprise-records/5.2.1?topic=in-configuring-content-navigator-task-manager-enterprise-records 7 | tm_job_url: "https://cpd-{{ cp4ba_project_name }}.{{ apps_endpoint_domain }}/ier/EnterpriseRecordsPlugin/IERApplicationPlugin.jar" 8 | security_roles_to_group_mapping: 9 | task_admins: 10 | groups: [{% for item in lc_admin_groups %}'{{ item }}'{{ "," if not loop.last else "" }}{% endfor %}] 11 | task_users: 12 | groups: [{% for item in lc_admin_users %}'{{ item }}'{{ "," if not loop.last else "" }}{% endfor %}] 13 | task_auditors: 14 | groups: [{% for item in lc_admin_groups %}'{{ item }}'{{ "," if not loop.last else "" }}{% endfor %}] 15 |
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/fncm/fncm-google-idp-secret.yaml.j2:
--------------------------------------------------------------------------------
# OAuth client credentials for the Google provider, referenced by name from
# cr-es-gid.yaml.j2 for the es, nav, cpe and graphql components.
apiVersion: v1
kind: Secret
metadata:
  name: internal-idp-oidc-google-secret
  namespace: "{{ cp4ba_project_name }}"
type: Opaque
stringData:
  client_id: "{{ cp4ba_google_client_id }}"
  client_secret: "{{ cp4ba_google_client_secret }}"
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/fncm/fncm-google-tls-secret.yaml.j2:
--------------------------------------------------------------------------------
# Stores the certificate held in _google_crt. How that value is obtained decides
# how much this Secret can be trusted; see the task that sets the fact.
apiVersion: v1
kind: Secret
metadata:
  name: google-tls
  namespace: "{{ cp4ba_project_name }}"
type: Opaque
stringData:
  tls.crt: |
    {{ _google_crt |indent(4) }}
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/fncm/fncm-secret.yaml.j2:
--------------------------------------------------------------------------------
# FileNet Content Manager Secret. The gcd and os1 database users share one
# PostgreSQL password; keystore and LTPA share cp4ba_universal_password; the
# application login is the principal admin account.
apiVersion: v1
kind: Secret
metadata:
  name: ibm-fncm-secret
  namespace: "{{ cp4ba_project_name }}"
type: Opaque
stringData:
  gcdDBUsername: gcd
  gcdDBPassword: "{{ cp4ba_postgresql_universal_password }}"
  os1DBUsername: os1
  os1DBPassword: "{{ cp4ba_postgresql_universal_password }}"
  appLoginUsername: "{{ lc_principal_admin_user }}"
  appLoginPassword: "{{ lc_principal_admin_password }}"
  keystorePassword: "{{ cp4ba_universal_password }}"
  ltpaPassword: "{{ cp4ba_universal_password }}"
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/iaf/automationuiconfig.yaml.j2:
--------------------------------------------------------------------------------
1 | apiVersion: core.automation.ibm.com/v1beta1 2 | kind: AutomationUIConfig 3 | metadata: 4 | name: iaf-system 5 | namespace: "{{ cp4ba_project_name }}" 6 | spec: 7 | description: automation-ui-config for CP4BA Cartridge 8 | license: 9 | accept: true 10 | zen: true 11 | version: "{{ cp4ba_automation_ui_config_version }}" 12 | tls: 13 | certificateSecret: 14 | secretName: external-tls-secret 15 | caSecret: 16 | secretName: external-tls-secret 17 | key: ca.crt 18 | zenService: 19 | iamIntegration: true 20 | storageClass: "{{ cp4ba_storage_class_name }}" 21 | zenCoreMetaDbStorageClass: "{{ cp4ba_block_storage_class_name }}" 22 |
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/iaf/es-secret.yaml.j2:
--------------------------------------------------------------------------------
# Basic-auth Secret for the default Elasticsearch user of the iaf-system instance.
kind: Secret
apiVersion: v1
metadata:
  name: iaf-system-elasticsearch-es-default-user
  namespace: "{{ cp4ba_project_name }}"
  labels:
    app.kubernetes.io/component: es
    app.kubernetes.io/instance: iaf-system
    app.kubernetes.io/name: elasticsearch
    elastic.automation.ibm.com/cr-name: iaf-system
stringData:
  password: "{{ cp4ba_elasticsearch_universal_password }}"
  username: "{{ cp4ba_elasticsearch_admin_user }}"
type: kubernetes.io/basic-auth
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/iaf/global-ca-secret.yaml.j2:
--------------------------------------------------------------------------------
# Uses `data`, so _ca_tls_crt must already be base64-encoded by the caller.
# Both keys carry the same CA certificate.
kind: Secret
apiVersion: v1
metadata:
  name: global-ca
  namespace: "{{ cp4ba_project_name }}"
data:
  tls.crt: "{{ _ca_tls_crt }}" # PFS expects to find Elastic Search CRT in this secret
  ca.crt: "{{ _ca_tls_crt }}"
type: Opaque
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/iaf/iaf-issuer.yaml.j2:
--------------------------------------------------------------------------------
# Namespace-scoped CA issuer that signs with the key pair stored in cp4ba-root-ca.
# Anyone able to read that Secret can issue certificates this installation trusts.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: iaf-issuer
  namespace: "{{ cp4ba_project_name }}"
spec:
  ca:
    secretName: cp4ba-root-ca
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/iaf/iaf-tls-secret.yaml.j2:
--------------------------------------------------------------------------------
# Holds the external TLS private key (cert.key) alongside the certificate and CA.
# Uses `data`, so the three facts must already be base64-encoded by the caller.
kind: Secret
apiVersion: v1
metadata:
  name: external-tls-secret
  namespace: "{{ cp4ba_project_name }}"
data:
  cert.key: "{{ _tls_key }}"
  cert.crt: "{{ _tls_crt }}"
  # TODO Validate that the tls.crt is really required, without it, cp4ba-pfs want initialize as it is expecting tls.crt
  tls.crt: "{{ _tls_crt }}"
  ca.crt: "{{ _ca_tls_crt }}"
type: Opaque
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/iaf/kafkauser-secret.yaml.j2:
--------------------------------------------------------------------------------
# Password Secret named after the admin user; the KafkaUser template uses the same
# name, so this is presumably the SCRAM password for that Kafka principal.
kind: Secret
apiVersion: v1
metadata:
  name: "{{ principal_admin_user }}"
  namespace: "{{ cp4ba_project_name }}"
stringData:
  password: "{{ universal_password }}"
type: Opaque
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/iaf/kafkauser.yaml.j2:
--------------------------------------------------------------------------------
# Kafka principal for the admin user, authenticated with SCRAM-SHA-512.
# The ACLs grant operation All from any host on every topic, every consumer group,
# every transactional id and the cluster itself: an unrestricted Kafka account.
# NOTE(review): acceptable for a demo cluster; components that only produce or
# consume should get their own KafkaUser scoped to the topics they need.
apiVersion: ibmevents.ibm.com/v1beta2
kind: KafkaUser
metadata:
  name: "{{ principal_admin_user }}"
  namespace: "{{ cp4ba_project_name }}"
  labels:
    ibmevents.ibm.com/cluster: iaf-system
spec:
  authentication:
    type: scram-sha-512
  authorization:
    acls:
      - host: '*'
        operation: All
        resource:
          name: '*'
          patternType: literal
          type: topic
      - host: '*'
        operation: All
        resource:
          type: cluster
      - host: '*'
        operation: All
        resource:
          name: '*'
          patternType: literal
          type: group
      - host: '*'
        operation: All
        resource:
          name: '*'
          patternType: literal
          type: transactionalId
    type: simple
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/ier/ier-cpe-route.yaml.j2:
--------------------------------------------------------------------------------
# Exposes the CPE service's `http` port under an ierconfig-* host name.
# No `tls:` stanza is set, so the route serves plain HTTP: anything sent through it,
# including login credentials, crosses the network unencrypted.
# NOTE(review): confirm whether the consumer can use a TLS-terminated route, and
# remove this route once configuration is finished if it is only needed temporarily.
apiVersion: v1
kind: Route
metadata:
  name: ierconfig
  annotations:
    haproxy.router.openshift.io/balance: roundrobin
    haproxy.router.openshift.io/timeout: 3000s
    router.openshift.io/sticky_cookie: -sticky_cookie_annotation
spec:
  host: "ierconfig-{{ cp4ba_project_name }}.{{ apps_endpoint_domain }}"
  to:
    kind: Service
    name: "{{ cp4ba_cr_meta_name }}-cpe-svc"
  port:
    targetPort: http
  wildcardPolicy: None
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/ier/ier-secret.yaml.j2:
--------------------------------------------------------------------------------
# Keystore password for Enterprise Records; the same cp4ba_universal_password is
# used for the keystores of the other components in this role.
# The value is interpolated inside double quotes: a password containing `"` or `\`
# would render invalid or altered YAML.
apiVersion: v1
kind: Secret
metadata:
  name: ibm-ier-secret
  namespace: "{{ cp4ba_project_name }}"
type: Opaque
stringData:
  keystorePassword: "{{ cp4ba_universal_password }}"
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/odm/cr.yaml.j2:
--------------------------------------------------------------------------------
1 | spec: 2 | datasource_configuration: 3 | dc_odm_decisioncenter_datasource: 4 | database_type: postgresql 5 | database_servername: "{{ cp4ba_postgresql_hostname }}" 6 | database_port: "5432" 7 | database_name: odmdc 8 | database_instance_secret: odmdc-db-secret 9 | dc_odm_decisionserver_datasource: 10 | database_type: postgresql 11 | database_servername: "{{ cp4ba_postgresql_hostname }}" 12 | database_port: "5432" 13 | database_name: odmres 14 | database_instance_secret: odmres-db-secret 15 | odm_configuration: 16 | customization: 17 | authSecretRef: odm-web-security-secret 18 | livenessProbe: 19 | initialDelaySeconds: 500 20 |
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/odm/odm-db-secret.yaml.j2:
--------------------------------------------------------------------------------
# Database credentials for ODM Decision Center (odmdc) and Decision Server (odmres).
# The users differ but both use the shared PostgreSQL password, so the two
# databases are not isolated from each other by credential.
apiVersion: v1
kind: Secret
metadata:
  name: odmdc-db-secret
  namespace: "{{ cp4ba_project_name }}"
type: Opaque
stringData:
  db-user: odmdc
  db-password: "{{ cp4ba_postgresql_universal_password }}"
---
apiVersion: v1
kind: Secret
metadata:
  name: odmres-db-secret
  namespace: "{{ cp4ba_project_name }}"
type: Opaque
stringData:
  db-user: odmres
  db-password: "{{ cp4ba_postgresql_universal_password }}"
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/odm/odm-web-security-secret.yaml.j2:
--------------------------------------------------------------------------------
# Secret referenced by authSecretRef in odm/cr.yaml.j2; it carries the
# webSecurity.xml document.
# NOTE(review): the webSecurity.xml body (original lines 9-29) is blank in
# this listing, so the users, groups and role mappings it defines cannot be
# reviewed here - check the file in the repository.
apiVersion: v1
kind: Secret
metadata:
  name: odm-web-security-secret
  namespace: "{{ cp4ba_project_name }}"
type: Opaque
stringData:
  webSecurity.xml: |






















--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/operator/operatorgroup.yaml.j2:
--------------------------------------------------------------------------------
# OperatorGroup that targets only the CP4BA project itself, so operators
# installed through it are scoped to that one namespace.
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: operatorgroup
  namespace: "{{ cp4ba_project_name }}"
spec:
  targetNamespaces:
    - "{{ cp4ba_project_name }}"

--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/operator/subscription.yaml.j2:
--------------------------------------------------------------------------------
# Subscription to ibm-cp4a-operator from the ibm-cp4a-operator-catalog source
# in openshift-marketplace, on the channel given by cp4ba_operator_channel.
# NOTE(review): installPlanApproval is not set, so OLM's default (Automatic)
# applies and new operator versions on the channel install without review;
# set it to Manual if upgrades must be approved.
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ibm-cp4a-operator
  namespace: "{{ cp4ba_project_name }}"
spec:
  channel: "{{ cp4ba_operator_channel }}"
  name: ibm-cp4a-operator
  source: ibm-cp4a-operator-catalog
  sourceNamespace: openshift-marketplace

--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/postdeploy-configmap.yaml.j2:
--------------------------------------------------------------------------------
# ConfigMap that publishes the generated postdeploy.md from the role's output
# directory into the output namespace.
# NOTE(review): ConfigMaps are not meant for confidential data; if
# postdeploy.md contains passwords or tokens, everyone with read access to
# this namespace can see them - confirm what the file holds.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cp4ba-postdeploy
  namespace: "{{ cp4ba_output_namespace }}"
data:
  postdeploy.md: |-
    {{ lookup('file', cp4ba_output_directory+'/postdeploy.md') | indent(4) }}

--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/rr/cr.yaml.j2:
--------------------------------------------------------------------------------
# Custom resource fragment: points the Resource Registry at its admin Secret.
spec:
  resource_registry_configuration:
    admin_secret_name: resource-registry-admin-secret

--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/rr/rr-secret.yaml.j2:
--------------------------------------------------------------------------------
# Credentials for the Resource Registry: a root password plus a read user
# (reader) and a write user (writer).
# All three passwords are rendered from the same universal password, so the
# read-only account's password is also the writer's and root's; the split
# into roles gives no isolation unless distinct passwords are supplied.
apiVersion: v1
kind: Secret
metadata:
  name: resource-registry-admin-secret
  namespace: "{{ cp4ba_project_name }}"
type: Opaque
stringData:
  rootPassword: "{{ cp4ba_universal_password }}"
  readUser: reader
  readPassword: "{{ cp4ba_universal_password }}"
  writeUser: writer
  writePassword: "{{ cp4ba_universal_password }}"

--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/shared/ldap-secret.yaml.j2:
--------------------------------------------------------------------------------
# LDAP bind credentials for the CP4BA project.
# NOTE(review): the variable names suggest an administrative bind account; a
# dedicated read-only bind user would limit what this Secret exposes - verify
# what the account can do in the directory.
apiVersion: v1
kind: Secret
metadata:
  name: ldap-bind-secret
  namespace: "{{ cp4ba_project_name }}"
type: Opaque
stringData:
  ldapUsername: "{{ lc_bind_admin_user }}"
  ldapPassword: "{{ lc_bind_admin_password }}"

--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/shared/ldap-ssl-secret.yaml.j2:
--------------------------------------------------------------------------------
# Certificate used to trust the LDAP server over TLS. It is placed under
# `data:`, so _ldap_ssl_crt must already be base64-encoded
# (presumably done by the task that sets it - confirm).
apiVersion: v1
kind: Secret
metadata:
  name: "{{lc_ldap_ssl_secret_name }}"
  namespace: "{{ cp4ba_project_name }}"
type: Opaque
data:
  tls.crt: "{{ _ldap_ssl_crt }}"
--------------------------------------------------------------------------------
/scripts/roles/cp4ba/templates/shared/root-ca-secret.yaml.j2:
--------------------------------------------------------------------------------
# TLS Secret holding the root CA certificate together with its private key.
# Anyone who can read Secrets in the CP4BA project can use the key to issue
# certificates that chain to this CA, so access to this namespace's Secrets
# should be restricted accordingly.
# Both values sit under `data:` and must already be base64-encoded.
kind: Secret
apiVersion: v1
metadata:
  name: cp4ba-root-ca
  namespace: "{{ cp4ba_project_name }}"
data:
  tls.key: "{{ _ca_tls_key }}"
  tls.crt: "{{ _ca_tls_crt }}"
type: kubernetes.io/tls

--------------------------------------------------------------------------------
/scripts/roles/cpfs/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults for the cpfs role. Credentials and paths default to empty strings
# and are expected to be supplied by the caller.
cpfs_action: install
# Generated files go to <cpfs_base_dir>/<cpfs_dir_name>, i.e. /tmp/cpfs.
# NOTE(review): that is a fixed path in a shared directory; if rendered
# Secrets are written there (install.yml is not shown), prefer a private
# directory with restrictive permissions.
cpfs_base_dir: /tmp
cpfs_dir_name: cpfs
cpfs_k8s_api_key: ""
cpfs_k8s_host: ""
cpfs_operator_channel: v3.23
cpfs_storage_class_name: ""
cpfs_block_storage_class_name: ""
cpfs_wildcard_key_path: ""
cpfs_wildcard_crt_path: ""
cpfs_ca_crt_path: ""
cpfs_universal_password: ""
cpfs_icr_password: ""
cpfs_ldap_hostname: ""

--------------------------------------------------------------------------------
/scripts/roles/cpfs/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the cpfs role: computes the output directory, deletes it,
# then runs install.yml or remove.yml depending on cpfs_action. Any other
# value of cpfs_action runs neither.
- name: Set output directory variable
  ansible.builtin.set_fact:
    cpfs_output_directory: "{{ cpfs_base_dir }}/{{ cpfs_dir_name }}"

# Runs on every invocation, for install and for remove.
- name: Remove CPFS directory for generated files
  ansible.builtin.file:
    path: "{{ cpfs_output_directory }}"
    state: absent

- name: Install CPFS
  include_tasks: install.yml
  when: "cpfs_action == 'install'"

- name: Remove CPFS
  include_tasks: remove.yml
  when: "cpfs_action == 'remove'"

--------------------------------------------------------------------------------
/scripts/roles/cpfs/templates/catalogsource.yaml.j2:
--------------------------------------------------------------------------------
# case 1.19.0 / csv 3.23.0 / https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-cp-common-services
# First of three CatalogSources created in openshift-marketplace.
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  annotations:
    bedrock_catalogsource_priority: '1'
  name: opencloud-operators
  namespace: openshift-marketplace
spec:
  displayName: IBMCS Operators
  publisher: IBM
  sourceType: grpc
  # Pinned by sha256 digest: the catalog content cannot change unless this
  # line is edited. Update the "case / csv" comment above together with the
  # digest so the two stay in step.
  image: icr.io/cpopen/ibm-common-service-catalog@sha256:12744600eaa9d509ecca3d0a7d48f1fe022fade59eacd7c8f646c1d0f1e9dd64
  # With a digest reference the poll keeps resolving to the same image.
  updateStrategy:
    registryPoll:
      interval: 45m
---
# case 1.0.13 / csv 3.23.0 / https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-bts-bundle
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  annotations:
    bedrock_catalogsource_priority: '1'
  name: bts-operator
  namespace: openshift-marketplace
spec:
  displayName: BTS Operator
  publisher: IBM
  sourceType: grpc
  # Digest-pinned, see the note on the first CatalogSource.
  image: icr.io/cpopen/ibm-bts-operator-catalog@sha256:1cbb05e621a8b0e6eacb720c823814ce4d9d178c9aad98252599e9972f911671
  updateStrategy:
    registryPoll:
      interval: 45m
---
# case 4.10.0 / csv 1.17.3 / https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-cloud-native-postgresql
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  annotations:
    bedrock_catalogsource_priority: '1'
  name: cloud-native-postgresql-catalog
  namespace: openshift-marketplace
spec:
  displayName: Cloud Native Postgresql Catalog
  publisher: IBM
  sourceType: grpc
  # Digest-pinned, see the note on the first CatalogSource.
  image: icr.io/cpopen/ibm-cpd-cloud-native-postgresql-operator-catalog@sha256:e76fd2279cc2ffec3921655aa0ee4354f62603362d10f019dae8820f24a21bd1
  updateStrategy:
    registryPoll:
      interval: 45m

--------------------------------------------------------------------------------
/scripts/roles/cpfs/templates/common-service-maps.yaml.j2:
--------------------------------------------------------------------------------
# ConfigMap in kube-public that maps the CP4BA project to the
# ibm-common-services namespace, with cs-control as the control namespace.
apiVersion: v1
kind: ConfigMap
metadata:
  name: common-service-maps
  namespace: kube-public
data:
  # Embedded YAML document; the project name is rendered into it unquoted.
  common-service-maps.yaml: |
    controlNamespace: cs-control
    namespaceMapping:
    - requested-from-namespace:
      - {{ cp4ba_project_name }}
      map-to-common-service-namespace: ibm-common-services

--------------------------------------------------------------------------------
/scripts/roles/cpfs/templates/ibmlicenseservicereporter.yaml.j2:
--------------------------------------------------------------------------------
# IBMLicenseServiceReporter instance in cs-control, using the configured
# storage class.
apiVersion: operator.ibm.com/v1alpha1
kind: IBMLicenseServiceReporter
metadata:
  labels:
    app.kubernetes.io/instance: ibm-licensing-operator
    app.kubernetes.io/managed-by: ibm-licensing-operator
    app.kubernetes.io/name: ibm-licensing
    operator.ibm.com/opreq-control: 'true'
  name: instance
  namespace: cs-control
spec:
  storageClass: "{{cpfs_storage_class_name}}"

--------------------------------------------------------------------------------
/scripts/roles/cpfs/templates/ldap-connection.json.j2:
--------------------------------------------------------------------------------
{# JSON payload describing the LDAP connection.
   - LDAP_URL uses ldap:// unless lc_ldap_ssl_enabled is true; with plain ldap
     the bind password and all directory queries cross the network unencrypted.
   - LDAP_BINDPASSWORD is only base64-encoded, which is an encoding and not
     protection: treat the rendered file and any log of it as containing the
     clear-text password.
   - Values are interpolated without JSON escaping; a quote or backslash in a
     filter or DN would produce invalid or altered JSON.
     NOTE(review): consider rendering string values through a JSON-escaping
     filter.
   - The user/group filters are picked by lc_selected_ldap_type: TDS, Active
     Directory, otherwise the custom filters. #}
{
  "LDAP_ID": "LDAP",
  "LDAP_URL": "{{ 'ldap' if not lc_ldap_ssl_enabled else 'ldaps' }}://{{ lc_ldap_server }}:{{ lc_ldap_port }}",
  "LDAP_BASEDN": "{{ lc_ldap_base_dn }}",
  "LDAP_BINDDN": "{{ lc_bind_admin_user }}",
  "LDAP_BINDPASSWORD": "{{ lc_bind_admin_password | b64encode }}",
  "LDAP_TYPE": "Custom",
  "LDAP_USERFILTER": "{{ lc_tds_user_filter if 'IBM Security Directory Server' in lc_selected_ldap_type else (lc_ad_user_filter if 'Microsoft Active Directory' in lc_selected_ldap_type else lc_custom_user_filter) }}",
  "LDAP_GROUPFILTER": "{{ lc_tds_group_filter if 'IBM Security Directory Server' in lc_selected_ldap_type else (lc_ad_group_filter if 'Microsoft Active Directory' in lc_selected_ldap_type else lc_custom_group_filter) }}",
  "LDAP_USERIDMAP": "{{ lc_ldap_user_name_attribute }}",
  "LDAP_GROUPIDMAP": "{{ lc_ldap_group_name_attribute }}",
  "LDAP_GROUPMEMBERIDMAP": "{{ lc_ldap_group_member_id_map }}"
}

--------------------------------------------------------------------------------
/scripts/roles/cpfs/templates/license-service-secret.yaml.j2:
--------------------------------------------------------------------------------
# TLS key pair for the licensing service in cs-control. Values are under
# `data:` and must already be base64-encoded.
kind: Secret
apiVersion: v1
metadata:
  name: ibm-licensing-certs
  namespace: cs-control
data:
  tls.key: "{{_tls_key}}"
  tls.crt: "{{_tls_crt}}"
type: kubernetes.io/tls

--------------------------------------------------------------------------------
/scripts/roles/cpfs/templates/operandrequest.yaml.j2:
--------------------------------------------------------------------------------
# OperandRequest asking the common-service registry for the listed operands
# (licensing, MongoDB, IAM, management ingress, platform API, common UI,
# cert-manager, health check).
apiVersion: operator.ibm.com/v1alpha1
kind: OperandRequest
metadata:
  name: common-service
  namespace: ibm-common-services
spec:
  requests:
    - operands:
        - name: ibm-licensing-operator
        - name: ibm-mongodb-operator
        - name: ibm-iam-operator
        - name: ibm-management-ingress-operator
        - name: ibm-platform-api-operator
        - name: ibm-commonui-operator
        - name: ibm-cert-manager-operator
        - name: ibm-healthcheck-operator
      registry: common-service

--------------------------------------------------------------------------------
/scripts/roles/cpfs/templates/operatorgroup.yaml.j2:
--------------------------------------------------------------------------------
# OperatorGroup limited to the ibm-common-services namespace.
# NOTE(review): this one uses operators.coreos.com/v1alpha2 while the other
# OperatorGroups in this repository use operators.coreos.com/v1 - confirm the
# older version is intended.
apiVersion: operators.coreos.com/v1alpha2
kind: OperatorGroup
metadata:
  name: operatorgroup
  namespace: ibm-common-services
spec:
  targetNamespaces:
    - ibm-common-services

--------------------------------------------------------------------------------
/scripts/roles/cpfs/templates/route-tls-secret.yaml.j2:
--------------------------------------------------------------------------------
# Key, certificate and CA certificate for the common-services route, stored
# as an Opaque Secret. Values must already be base64-encoded.
kind: Secret
apiVersion: v1
metadata:
  name: route-tls-secret
  namespace: ibm-common-services
data:
  tls.key: "{{_tls_key}}"
  tls.crt: "{{_tls_crt}}"
  ca.crt: "{{_ca_tls_crt}}"
type: Opaque

--------------------------------------------------------------------------------
/scripts/roles/cpfs/templates/subscription.yaml.j2:
--------------------------------------------------------------------------------
# Subscription to ibm-common-service-operator from the opencloud-operators
# catalog, on the channel given by cpfs_operator_channel.
# NOTE(review): installPlanApproval is not set, so OLM's default (Automatic)
# applies and upgrades within the channel install without review.
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ibm-common-service-operator
  namespace: ibm-common-services
spec:
  channel: "{{cpfs_operator_channel}}"
  name: ibm-common-service-operator
  source: opencloud-operators
  sourceNamespace: openshift-marketplace

--------------------------------------------------------------------------------
/scripts/roles/db2/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults for the db2 role. Passwords default to empty strings and are
# expected to be supplied by the caller.
db2_action: install
# Generated files go to <db2_base_dir>/<db2_dir_name>, i.e. /tmp/db2.
# NOTE(review): fixed path in a shared directory; if rendered Secrets are
# written there (install.yml is not shown), prefer a private directory.
db2_base_dir: /tmp
db2_dir_name: db2
db2_universal_password: ""
db2_storage_class_name: ""
db2_operator_channel: v1.1
db2_version: 11.5.7.0-cn2
db2_icr_password: ""
db2_deployment_platform: ""

--------------------------------------------------------------------------------
/scripts/roles/db2/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the db2 role: computes the output directory, deletes it,
# then runs install.yml or remove.yml depending on db2_action. Any other
# value of db2_action runs neither.
- name: Set output directory variable
  ansible.builtin.set_fact:
    db2_output_directory: "{{ db2_base_dir }}/{{ db2_dir_name }}"

# Runs on every invocation, for install and for remove.
- name: Remove DB2 directory for generated files
  ansible.builtin.file:
    path: "{{ db2_output_directory }}"
    state: absent

- name: Install DB2
  include_tasks: install.yml
  when: "db2_action == 'install'"

- name: Remove DB2
  include_tasks: remove.yml
  when: "db2_action == 'remove'"

--------------------------------------------------------------------------------
/scripts/roles/db2/templates/catalogsource.yaml.j2:
--------------------------------------------------------------------------------
# case 4.0.9 / csv 1.1.11 /
# https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-db2uoperator
# CatalogSource for the Db2U operator, created in the db2 namespace.
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-db2uoperator-catalog
  namespace: db2
spec:
  sourceType: grpc
  # Pinned by sha256 digest: the catalog content cannot change unless this
  # line is edited. Keep the "case / csv" comment above in step with it.
  image: icr.io/cpopen/ibm-db2uoperator-catalog@sha256:bb98c93a44172fd9709a4644c639639c2d5a3cf6692e269dd685d87ccaa191c0
  displayName: IBM Db2U Catalog
  publisher: IBM
  updateStrategy:
    registryPoll:
      interval: 45m

--------------------------------------------------------------------------------
/scripts/roles/db2/templates/daemon-set.yaml.j2:
--------------------------------------------------------------------------------
# Required for the NFS support
# https://www.ibm.com/docs/en/db2/11.5?topic=SSEPGG_11.5.0/com.ibm.db2.luw.db2u_openshift.doc/aese-cfg-nfs-filegold.html

# DaemonSet that changes NFSv4 id-mapping on the cluster nodes.
# Its init container is privileged, mounts the node's root filesystem at
# /host and chroots into it, so the commands below run as root directly on
# each node the pod is scheduled to. It needs the privileged SCC, granted to
# the norootsquash service account by privileged-scc-clusterrolebinding.yaml.j2.
#
# Security notes for reviewers:
# - Both containers use `alpine:3.6`: no registry host, a mutable tag, and an
#   old release line that no longer receives security fixes. Whatever that
#   reference resolves to at pull time runs with root on the node. Pin the
#   image by digest from a trusted registry, as the catalog images in this
#   repository are.
# - NOTE(review): the DaemonSet stays in place after the one-off change;
#   consider removing it once the nodes are configured, or delivering the
#   idmapd.conf change through node configuration management instead.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: norootsquash
  namespace: db2
  labels:
    tier: management
    app: norootsquash
spec:
  selector:
    matchLabels:
      name: norootsquash
  template:
    metadata:
      labels:
        name: norootsquash
    spec:
      serviceAccountName: norootsquash
      initContainers:
        - resources:
            requests:
              cpu: 0.1
          # Full privileges on the node; required for the chroot below.
          securityContext:
            privileged: true
          image: alpine:3.6
          name: unrootsquash
          # Everything in `args` runs inside the host's root filesystem.
          command: ["chroot", "/host", "sh", "-c"]
          # If /etc/idmapd.conf does not already set "Domain = slnfsv4.com",
          # rewrite the Domain line, clear the id-mapping cache and start
          # rpc.idmapd. The nested lines are indented deeper so the folded
          # scalar keeps their line breaks.
          args:
            - >
              grep "^Domain = slnfsv4.com" /etc/idmapd.conf;
              if [ "$?" -ne "0" ] ; then
                sed -i 's/.*Domain =.*/Domain = slnfsv4.com/g' /etc/idmapd.conf;
                nfsidmap -c;
                rpc.idmapd
              fi;
          volumeMounts:
            - name: host
              mountPath: /host
      containers:
        # Idle container that only keeps the pod running; it is not
        # privileged and mounts nothing from the host.
        - resources:
            requests:
              cpu: 0.1
          image: alpine:3.6
          name: sleep
          command: ["/bin/sh", "-c"]
          args:
            - >
              while true; do
                sleep 100000;
              done
      volumes:
        # The node's entire root filesystem.
        - hostPath:
            path: /
            type: Directory
          name: host
--------------------------------------------------------------------------------
/scripts/roles/db2/templates/operatorgroup.yaml.j2:
--------------------------------------------------------------------------------
# OperatorGroup limited to the db2 namespace.
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: operatorgroup
  namespace: db2
spec:
  targetNamespaces:
    - db2

--------------------------------------------------------------------------------
/scripts/roles/db2/templates/privileged-scc-clusterrolebinding.yaml.j2:
--------------------------------------------------------------------------------
# Grants the privileged SCC to the norootsquash service account in db2, which
# the DaemonSet in daemon-set.yaml.j2 runs under. Any pod started with that
# service account can then run privileged.
# NOTE(review): this is a cluster-scoped binding; the mail role grants the
# same ClusterRole through a namespaced RoleBinding, which may be sufficient
# here as well.
# NOTE(review): being cluster-scoped, the object is not deleted together with
# the db2 project; make sure the remove tasks delete it explicitly.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: 'db2-privileged'
subjects:
  - kind: ServiceAccount
    name: norootsquash
    namespace: db2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'system:openshift:scc:privileged'

--------------------------------------------------------------------------------
/scripts/roles/db2/templates/project.yaml.j2:
--------------------------------------------------------------------------------
# OpenShift project (namespace) that holds all Db2 resources.
kind: Project
apiVersion: project.openshift.io/v1
metadata:
  name: db2

--------------------------------------------------------------------------------
/scripts/roles/db2/templates/service-account.yaml.j2:
--------------------------------------------------------------------------------
# Required for the NFS support
#
# https://www.ibm.com/docs/en/db2/11.5?topic=SSEPGG_11.5.0/com.ibm.db2.luw.db2u_openshift.doc/aese-cfg-nfs-filegold.html

# Service account used by the norootsquash DaemonSet; it is bound to the
# privileged SCC by privileged-scc-clusterrolebinding.yaml.j2, so it should
# not be reused for any other workload.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: norootsquash
  namespace: db2
--------------------------------------------------------------------------------
/scripts/roles/db2/templates/subscription.yaml.j2:
--------------------------------------------------------------------------------
# Subscription to db2u-operator from the ibm-db2uoperator-catalog source,
# which lives in the db2 namespace itself.
# NOTE(review): installPlanApproval is not set, so OLM's default (Automatic)
# applies and upgrades within the channel install without review.
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: db2u-operator
  namespace: db2
spec:
  channel: "{{ db2_operator_channel }}"
  name: db2u-operator
  source: ibm-db2uoperator-catalog
  sourceNamespace: db2

--------------------------------------------------------------------------------
/scripts/roles/db2mc/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults for the db2mc role. Credentials and paths default to empty strings
# and are expected to be supplied by the caller.
db2mc_action: install
# Generated files go to <db2mc_base_dir>/<db2mc_dir_name>, i.e. /tmp/db2mc.
# NOTE(review): fixed path in a shared directory; if rendered Secrets or key
# material are written there (install.yml is not shown), prefer a private
# directory.
db2mc_base_dir: /tmp
db2mc_dir_name: db2mc
db2mc_k8s_api_key: ""
db2mc_k8s_host: ""
db2mc_image_tag: 3.1.7 # more recent version fails to start because of java memory, logs in /mnt/logs.
# last tested 3.1.9
db2mc_storage_class_name: ""
db2mc_ca_crt_path: ""
db2mc_wildcard_key_path: ""
db2mc_wildcard_crt_path: ""
db2mc_admin_user: ""
db2mc_universal_password: ""
db2mc_db2_hostname: ""
db2mc_db2_password: ""

--------------------------------------------------------------------------------
/scripts/roles/db2mc/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the db2mc role: computes the output directory, deletes it,
# then runs install.yml or remove.yml depending on db2mc_action. Any other
# value of db2mc_action runs neither.
- name: Set output directory variable
  ansible.builtin.set_fact:
    db2mc_output_directory: "{{ db2mc_base_dir }}/{{ db2mc_dir_name }}"

# Runs on every invocation, for install and for remove.
- name: Remove DB2MC directory for generated files
  ansible.builtin.file:
    path: "{{ db2mc_output_directory }}"
    state: absent

- name: Install DB2MC
  include_tasks: install.yml
  when: "db2mc_action == 'install'"

- name: Remove DB2MC
  include_tasks: remove.yml
  when: "db2mc_action == 'remove'"

--------------------------------------------------------------------------------
/scripts/roles/db2mc/tasks/remove.yml:
--------------------------------------------------------------------------------
# Removal: delete the db2mc project (waiting up to 120s, polling every 15s),
# then drop the DB2MC database through the common role.
# NOTE(review): defaults/main.yml sets db2mc_k8s_api_key and db2mc_k8s_host
# to "", and default(omit) only applies to undefined variables, so an empty
# string is passed unless the caller overrides it - confirm the module falls
# back to the ambient kubeconfig in that case.
- name: Remove Project db2mc
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ db2mc_k8s_api_key | default(omit) }}"
    host: "{{ db2mc_k8s_host | default(omit) }}"
    api_version: project.openshift.io/v1
    kind: Project
    name: db2mc
    wait: true
    wait_sleep: 15
    wait_timeout: 120

- name: Remove DB
  ansible.builtin.include_role:
    name: common
    tasks_from: remove-db2-db
  vars:
    common_k8s_api_key: "{{ db2mc_k8s_api_key | default(omit) }}"
    common_k8s_host: "{{ db2mc_k8s_host | default(omit) }}"
    common_db2_db_name: DB2MC

--------------------------------------------------------------------------------
/scripts/roles/db2mc/templates/pvc.yaml.j2:
--------------------------------------------------------------------------------
# 10Gi ReadWriteMany volume claim for db2mc.
apiVersion: v1
kind:
  PersistentVolumeClaim
metadata:
  name: db2mc
  namespace: db2mc
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: "{{ db2mc_storage_class_name }}"
  resources:
    requests:
      storage: 10Gi

--------------------------------------------------------------------------------
/scripts/roles/db2mc/templates/route.yaml.j2:
--------------------------------------------------------------------------------
# Route for db2mc with re-encrypt TLS: the router terminates TLS with the
# certificate/key below, then opens a new TLS connection to the Service on
# port 8443 and verifies it against destinationCACertificate. Plain HTTP
# requests are redirected to HTTPS.
# The private key is embedded in the Route object, so anyone who can read
# Routes in the db2mc namespace can read the key - keep read access to this
# namespace as tight as for Secrets.
# slurped_* are expected to hold base64 file contents registered by earlier
# tasks (not shown here); indent(6) keeps the PEM text inside the block scalar.
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: db2mc
  namespace: db2mc
spec:
  host: "db2mc.{{ apps_endpoint_domain }}"
  to:
    kind: Service
    name: db2mc
    weight: 100
  port:
    targetPort: 8443
  tls:
    termination: reencrypt
    certificate: |-
      {{ slurped_crt_data.content | b64decode | indent(6) }}
    key: |-
      {{ slurped_key_data.content | b64decode | indent(6) }}
    destinationCACertificate: |-
      {{ slurped_ca_crt_data.content | b64decode | indent(6) }}
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None

--------------------------------------------------------------------------------
/scripts/roles/db2mc/templates/secrets.yaml.j2:
--------------------------------------------------------------------------------
# Two Secrets for db2mc: the console password (from the universal password)
# and the TLS key pair. The TLS values are under `data:` and must already be
# base64-encoded.
kind: Secret
apiVersion: v1
metadata:
  name: password
  namespace: db2mc
stringData:
  password: "{{ db2mc_universal_password }}"
type: Opaque
---
kind: Secret
apiVersion: v1
metadata:
  name: tls
  namespace: db2mc
data:
  tls.key: "{{_tls_key}}"
  tls.crt: "{{_tls_crt}}"
type: Opaque

--------------------------------------------------------------------------------
/scripts/roles/db2mc/templates/service.yaml.j2:
--------------------------------------------------------------------------------
# ClusterIP Service for pods labelled app=db2mc; it exposes only the TLS
# port 8443.
kind: Service
apiVersion: v1
metadata:
  name: db2mc
  namespace: db2mc
spec:
  ports:
    - protocol: TCP
      port: 8443
      targetPort:
        8443
  selector:
    app: db2mc
  type: ClusterIP
  sessionAffinity: None

--------------------------------------------------------------------------------
/scripts/roles/gitea/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults for the gitea role. The password defaults to an empty string and
# is expected to be supplied by the caller.
gitea_action: install
# Generated files go to <gitea_base_dir>/<gitea_dir_name>, i.e. /tmp/gitea.
# NOTE(review): fixed path in a shared directory; if rendered values with
# credentials are written there (install.yml is not shown), prefer a private
# directory.
gitea_base_dir: /tmp
gitea_dir_name: gitea
gitea_universal_password: ""
gitea_storage_class_name: ""
gitea_ldap_hostname: ""
# Chart and image versions are pinned by version/tag, not by digest.
gitea_chart_version: 6.0.1
gitea_image_tag: 1.17.2

--------------------------------------------------------------------------------
/scripts/roles/gitea/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the gitea role: computes the output directory, deletes it,
# then runs install.yml or remove.yml depending on gitea_action. Any other
# value of gitea_action runs neither.
- name: Set output directory variable
  ansible.builtin.set_fact:
    gitea_output_directory: "{{ gitea_base_dir }}/{{ gitea_dir_name }}"

# Runs on every invocation, for install and for remove.
- name: Remove gitea directory for generated files
  ansible.builtin.file:
    path: "{{ gitea_output_directory }}"
    state: absent

- name: Install gitea
  include_tasks: install.yml
  when: "gitea_action == 'install'"

- name: Remove gitea
  include_tasks: remove.yml
  when: "gitea_action == 'remove'"

--------------------------------------------------------------------------------
/scripts/roles/gitea/tasks/remove.yml:
--------------------------------------------------------------------------------
# Removal: delete the gitea project and wait up to 120s (polling every 15s).
# gitea_k8s_api_key / gitea_k8s_host are not among this role's defaults, so
# the connection parameters are omitted unless the caller defines them.
- name: Remove Project gitea
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ gitea_k8s_api_key | default(omit) }}"
    host: "{{ gitea_k8s_host | default(omit) }}"
    api_version: project.openshift.io/v1
    kind: Project
    name: gitea
    wait: true
    wait_sleep: 15
    wait_timeout: 120

--------------------------------------------------------------------------------
/scripts/roles/global_ca/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults for the global_ca role.
global_ca_action: install
# Generated files go to <global_ca_base_dir>/<global_ca_dir_name>.
global_ca_base_dir:
  /tmp
# NOTE(review): /tmp/global-ca is a fixed path in a shared directory; if the
# CA key is generated or stored there (install.yml is not shown), prefer a
# private directory with restrictive permissions.
global_ca_dir_name: global-ca
global_ca_k8s_api_key: ""
global_ca_k8s_host: ""
global_ca_output_namespace: "apollo-one-shot"

--------------------------------------------------------------------------------
/scripts/roles/global_ca/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the global_ca role: computes the output directory and runs
# install.yml or remove.yml depending on global_ca_action. Unlike the other
# roles' main.yml files, it does not delete the output directory first.
- name: Set output directory variable
  ansible.builtin.set_fact:
    global_ca_output_directory: "{{ global_ca_base_dir }}/{{ global_ca_dir_name }}"

- name: Install Global CA
  include_tasks: install.yml
  when: "global_ca_action == 'install'"

- name: Remove Global CA
  include_tasks: remove.yml
  when: "global_ca_action == 'remove'"

--------------------------------------------------------------------------------
/scripts/roles/global_ca/tasks/remove.yml:
--------------------------------------------------------------------------------
# Nothing to do
# NOTE(review): the Secret from templates/secret.yaml.j2 holds the CA private
# key; with no removal step here it remains in the output namespace unless
# that namespace is deleted elsewhere.

--------------------------------------------------------------------------------
/scripts/roles/global_ca/templates/secret.yaml.j2:
--------------------------------------------------------------------------------
# Opaque Secret "apollo-one-shot" containing the global CA certificate and
# its private key. Anyone who can read Secrets in the output namespace can
# issue certificates that chain to this CA, so restrict access to that
# namespace accordingly.
# Values are under `data:` and must already be base64-encoded.
kind: Secret
apiVersion: v1
metadata:
  name: apollo-one-shot
  namespace: "{{ global_ca_output_namespace }}"
type: Opaque
data:
  global_ca_tls.crt: "{{_global_ca_crt}}"
  global_ca_tls.key: "{{_global_ca_key}}"

--------------------------------------------------------------------------------
/scripts/roles/kibana/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults for the kibana role. The password defaults to an empty string and
# is expected to be supplied by the caller.
kibana_action: install
# Generated files go to <kibana_base_dir>/<kibana_dir_name>, i.e. /tmp/kibana.
kibana_base_dir: /tmp
kibana_dir_name: kibana
kibana_universal_password: ""
kibana_storage_class_name: ""
kibana_cp4ba_project_name: ""
# Image pinned by tag, not by digest.
kibana_image_tag: 7.10.2

--------------------------------------------------------------------------------
/scripts/roles/kibana/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the kibana role: computes the output directory, deletes it,
# then runs install.yml or remove.yml depending on kibana_action. Any other
# value of kibana_action runs neither.
- name: Set output directory variable
  ansible.builtin.set_fact:
    kibana_output_directory: "{{ kibana_base_dir }}/{{ kibana_dir_name }}"

# Runs on every invocation, for install and for remove.
- name: Remove kibana directory for generated files
  ansible.builtin.file:
    path: "{{ kibana_output_directory }}"
    state: absent

- name: Install kibana
  include_tasks: install.yml
  when: "kibana_action == 'install'"

- name: Remove kibana
  include_tasks: remove.yml
  when: "kibana_action == 'remove'"

--------------------------------------------------------------------------------
/scripts/roles/kibana/tasks/remove.yml:
--------------------------------------------------------------------------------
# Removal: delete the kibana project and wait up to 120s (polling every 15s).
# kibana_k8s_api_key / kibana_k8s_host are not among this role's defaults, so
# the connection parameters are omitted unless the caller defines them.
# NOTE(review): Project is cluster-scoped; the other roles' Project removals
# do not pass `namespace`, so it is presumably unnecessary here.
- name: Remove Project Kibana
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ kibana_k8s_api_key | default(omit) }}"
    host: "{{ kibana_k8s_host | default(omit) }}"
    api_version: project.openshift.io/v1
    kind: Project
    name: kibana
    namespace: kibana
    wait: true
    wait_sleep: 15
    wait_timeout: 120

--------------------------------------------------------------------------------
/scripts/roles/kibana/templates/service.yaml.j2:
--------------------------------------------------------------------------------
# Headless Service (clusterIP: None) for the Kibana UI on port 5601, selecting
# pods labelled app=kibana-app, component=kibana.
# No namespace is set here - presumably supplied by the task that applies it.
kind: Service
apiVersion: v1
metadata:
  name: kibana
spec:
  ports:
    - name: kibana-ui
      protocol: TCP
      port: 5601
      targetPort: kibana-ui
  selector:
    app: kibana-app
    component: kibana
  clusterIP: None
  type: ClusterIP
  sessionAffinity: None

--------------------------------------------------------------------------------
/scripts/roles/mail/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults for the mail role. Credentials and paths default to empty strings
# and are expected to be supplied by the caller.
mail_action: install
# Generated files go to <mail_base_dir>/<mail_dir_name>, i.e. /tmp/mail.
# NOTE(review): fixed path in a shared directory; if rendered Secrets or key
# material are written there (install.yml is not shown), prefer a private
# directory.
mail_base_dir: /tmp
mail_dir_name: mail
mail_k8s_api_key: ""
mail_k8s_host: ""
mail_image_tag: 11.1.0
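mail_storage_class_name: ""
# Paths to the CA key and certificate; presumably used to issue the mail
# server's TLS certificate (install.yml is not shown).
mail_ca_key_path: ""
mail_ca_crt_path: ""
mail_universal_password: ""

--------------------------------------------------------------------------------
/scripts/roles/mail/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the mail role: computes the output directory, deletes it,
# then runs install.yml or remove.yml depending on mail_action. Any other
# value of mail_action runs neither.
- name: Set output directory variable
  ansible.builtin.set_fact:
    mail_output_directory: "{{ mail_base_dir }}/{{ mail_dir_name }}"

# Runs on every invocation, for install and for remove.
- name: Remove Mail directory for generated files
  ansible.builtin.file:
    path: "{{ mail_output_directory }}"
    state: absent

- name: Install Mail
  include_tasks: install.yml
  when: "mail_action == 'install'"

- name: Remove Mail
  include_tasks: remove.yml
  when: "mail_action == 'remove'"

--------------------------------------------------------------------------------
/scripts/roles/mail/tasks/remove.yml:
--------------------------------------------------------------------------------
# Removal: delete the mail project, then make sure the RoleBinding that
# grants the privileged SCC is gone as well. Each task waits up to 120s,
# polling every 15s.
- name: Remove Project mail
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ mail_k8s_api_key | default(omit) }}"
    host: "{{ mail_k8s_host | default(omit) }}"
    api_version: project.openshift.io/v1
    kind: Project
    name: mail
    wait: true
    wait_sleep: 15
    wait_timeout: 120

# Uses the mail role's own connection variables (this task previously read
# the cerebro role's cerebro_k8s_api_key / cerebro_k8s_host, so it could have
# run against a different cluster or with different credentials than the
# task above). The namespace is given explicitly because RoleBinding is a
# namespaced kind and privileged-scc-rolebinding.yaml.j2 creates it in `mail`.
- name: Remove RB mail-privileged
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ mail_k8s_api_key | default(omit) }}"
    host: "{{ mail_k8s_host | default(omit) }}"
    api_version: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    name: mail-privileged
    namespace: mail
    wait: true
    wait_sleep: 15
    wait_timeout: 120

--------------------------------------------------------------------------------
/scripts/roles/mail/templates/privileged-scc-rolebinding.yaml.j2:
--------------------------------------------------------------------------------
# RoleBinding that grants the privileged SCC inside the mail namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: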
    'mail-privileged'
  namespace: mail
# The subject is the namespace's `default` service account, so every pod in
# `mail` that does not name its own service account may run privileged.
# NOTE(review): bind the SCC to a dedicated service account used only by the
# mail server, and check whether a less permissive SCC is enough.
subjects:
  - kind: ServiceAccount
    name: default
    namespace: mail
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'system:openshift:scc:privileged'

--------------------------------------------------------------------------------
/scripts/roles/mail/templates/pvc.yaml.j2:
--------------------------------------------------------------------------------
# 5Gi ReadWriteMany volume claim for the mail server's storage.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mail-storage
  namespace: mail
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: "{{mail_storage_class_name}}"
  resources:
    requests:
      storage: 5Gi

--------------------------------------------------------------------------------
/scripts/roles/mail/templates/secret.yaml.j2:
--------------------------------------------------------------------------------
# TLS key pair for the mail server, stored as an Opaque Secret. Values are
# under `data:` and must already be base64-encoded.
kind: Secret
apiVersion: v1
metadata:
  name: tls
  namespace: mail
data:
  tls.key: "{{_tls_key}}"
  tls.crt: "{{_tls_crt}}"
type: Opaque

--------------------------------------------------------------------------------
/scripts/roles/mail/templates/service.yaml.j2:
--------------------------------------------------------------------------------
# Service for pods labelled app=mailserver. No `type` is set, so it is a
# cluster-internal ClusterIP Service.
# It publishes the unencrypted SMTP (25) and IMAP (143) ports next to the
# TLS ones (465, 993) and submission (587).
# NOTE(review): clients that log in over 25 or 143 send credentials in clear
# text unless STARTTLS is enforced by the server - confirm the server
# configuration or drop the plain ports if they are not needed.
kind: Service
apiVersion: v1
metadata:
  name: mailserver
  namespace: mail
  labels:
    app: mailserver
spec:
  selector:
    app: mailserver
  ports:
    - name: smtp
      port: 25
      targetPort: smtp
    - name: smtp-secure
      port: 465
      targetPort: smtp-secure
    - name: smtp-auth
      port: 587
      targetPort: smtp-auth
    - name: imap
      port: 143
      targetPort: imap
    - name: imap-secure
      port: 993
      targetPort: imap-secure

--------------------------------------------------------------------------------
/scripts/roles/mongo_express/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults of the mongo_express role. Empty strings are placeholders that the
# caller is expected to override.
mongo_express_action: install
# NOTE(review): rendered manifests are written below /tmp; the deployment
# template of this role embeds passwords, so the directory should not be
# readable by other local users.
mongo_express_base_dir: /tmp
mongo_express_dir_name: mongo-express
mongo_express_k8s_api_key: ""
mongo_express_k8s_host: ""
mongo_express_image_tag: 0.54.0
mongo_express_ca_crt_path: ""
mongo_express_wildcard_key_path: ""
mongo_express_wildcard_crt_path: ""
mongo_express_universal_password: ""
mongo_express_mongodb_hostname: ""
mongo_express_admin_user: ""

--------------------------------------------------------------------------------
/scripts/roles/mongo_express/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the role: derive the scratch directory, clear it, then run
# install.yml or remove.yml depending on mongo_express_action.
- name: Set output directory variable
  ansible.builtin.set_fact:
    mongo_express_output_directory: "{{ mongo_express_base_dir }}/{{ mongo_express_dir_name }}"

# Runs unconditionally, before either branch.
- name: Remove Mongo Express directory for generated files
  ansible.builtin.file:
    path: "{{ mongo_express_output_directory }}"
    state: absent

- name: Install Mongo Express
  include_tasks: install.yml
  when: "mongo_express_action == 'install'"

- name: Remove Mongo Express
  include_tasks: remove.yml
  when: "mongo_express_action == 'remove'"

--------------------------------------------------------------------------------
/scripts/roles/mongo_express/tasks/remove.yml:
--------------------------------------------------------------------------------
# Deletes the mongo-express Project and waits (up to 120 s, polling every
# 15 s) for it to disappear; namespaced objects go with the Project.
- name: Remove Project mongo_express
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ mongo_express_k8s_api_key | default(omit) }}"
    host: "{{ mongo_express_k8s_host | default(omit) }}"
    api_version: project.openshift.io/v1
    kind: Project
    name: mongo-express
    wait: true
    wait_sleep: 15
    wait_timeout: 120

--------------------------------------------------------------------------------
/scripts/roles/mongo_express/templates/deployment.yaml.j2:
--------------------------------------------------------------------------------
# Single-replica Deployment of the mongo-express web UI, listening on 8081.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mongo-express
  namespace: mongo-express
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mongo-express
  template:
    metadata:
      labels:
        app: mongo-express
    spec:
      containers:
        - name: mongo-express
          image: "mongo-express:{{ mongo_express_image_tag }}"
          imagePullPolicy: IfNotPresent
          # Both probes only check that TCP port 8081 accepts connections.
          readinessProbe:
            tcpSocket:
              port: 8081
            initialDelaySeconds: 10
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 5
          livenessProbe:
            tcpSocket:
              port: 8081
            initialDelaySeconds: 10
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 10
          ports:
            - name: ui
              containerPort: 8081
              protocol: TCP
          # NOTE(review): the MongoDB admin password and the UI basic-auth
          # password are rendered as literal env values, so they are readable
          # by anyone who can view this Deployment or its pods. Moving them to
          # a Secret referenced through valueFrom/secretKeyRef keeps them out
          # of the pod spec.
          # NOTE(review): the same universal password protects the UI login
          # and the MongoDB `root` account, and admin mode is enabled, so a UI
          # login gives full database administration.
          env:
            - name: ME_CONFIG_MONGODB_ENABLE_ADMIN
              value: "true"
            - name: ME_CONFIG_MONGODB_ADMINUSERNAME
              value: "root"
            - name: ME_CONFIG_MONGODB_ADMINPASSWORD
              value: "{{ mongo_express_universal_password }}"
            - name: ME_CONFIG_MONGODB_SERVER
              value: "{{ mongo_express_mongodb_hostname }}"
            - name: ME_CONFIG_BASICAUTH_USERNAME
              value: "{{ mongo_express_admin_user }}"
            - name: ME_CONFIG_BASICAUTH_PASSWORD
              value: "{{ mongo_express_universal_password }}"

--------------------------------------------------------------------------------
/scripts/roles/mongo_express/templates/service.yaml.j2:
--------------------------------------------------------------------------------
# Service in front of the UI; no type is set, so it defaults to ClusterIP.
kind: Service
apiVersion: v1
metadata:
  name: mongo-express
  namespace: mongo-express
  labels:
    app: mongo-express
spec:
  selector:
    app: mongo-express
  ports:
    - name: ui
      port: 8081
      targetPort: ui

--------------------------------------------------------------------------------
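/scripts/roles/mongodb/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults of the mongodb role. Empty strings are placeholders that the caller
# is expected to override.
mongodb_action: install
mongodb_base_dir: /tmp
mongodb_dir_name: mongodb
mongodb_universal_password: ""
mongodb_storage_class_name: ""
mongodb_chart_version: 13.6.1
# specific version bringing 4.2 version for ADS, ADP
mongodb_image_tag: 4.2.18-debian-10-r32

--------------------------------------------------------------------------------
/scripts/roles/mongodb/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the role: derive the scratch directory, clear it, then run
# install.yml or remove.yml depending on mongodb_action.
- name: Set output directory variable
  ansible.builtin.set_fact:
    mongodb_output_directory: "{{ mongodb_base_dir }}/{{ mongodb_dir_name }}"

# Runs unconditionally, before either branch.
- name: Remove mongodb directory for generated files
  ansible.builtin.file:
    path: "{{ mongodb_output_directory }}"
    state: absent

- name: Install mongodb
  include_tasks: install.yml
  when: "mongodb_action == 'install'"

- name: Remove mongodb
  include_tasks: remove.yml
  when: "mongodb_action == 'remove'"

--------------------------------------------------------------------------------
/scripts/roles/mongodb/tasks/remove.yml:
--------------------------------------------------------------------------------
# Deletes the mongodb Project and waits (up to 120 s, polling every 15 s) for
# it to disappear.
- name: Remove Project mongodb
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ mongodb_k8s_api_key | default(omit) }}"
    host: "{{ mongodb_k8s_host | default(omit) }}"
    api_version: project.openshift.io/v1
    kind: Project
    name: mongodb
    namespace: mongodb
    wait: true
    wait_sleep: 15
    wait_timeout: 120

# The ClusterRoleBinding is cluster-scoped, so it survives the Project and has
# to be deleted on its own; otherwise a namespace later re-created under the
# name `mongodb` would inherit the anyuid grant.
# Uses this role's own connection variables; the task previously read
# cerebro_k8s_api_key / cerebro_k8s_host, which belong to another role.
- name: Remove CRB mongodb-anyuid
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ mongodb_k8s_api_key | default(omit) }}"
    host: "{{ mongodb_k8s_host | default(omit) }}"
    api_version: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    name: mongodb-anyuid
    wait: true
    wait_sleep: 15
    wait_timeout: 120

--------------------------------------------------------------------------------
/scripts/roles/mongodb/templates/anyuid-scc-clusterrolebinding.yaml.j2:
--------------------------------------------------------------------------------
# Grants the anyuid SCC ClusterRole to the `default` ServiceAccount of the
# mongodb namespace, so pods there may run with an arbitrary UID, root
# included.
# NOTE(review): the subject is limited to one namespace, so a namespaced
# RoleBinding would express the same grant and be removed with the Project.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: 'mongodb-anyuid'
subjects:
  - kind: ServiceAccount
    name: default
    namespace: mongodb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'system:openshift:scc:anyuid'

--------------------------------------------------------------------------------
/scripts/roles/mssql/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults of the mssql role. Empty strings are placeholders that the caller
# is expected to override.
mssql_action: install
mssql_base_dir: /tmp
mssql_dir_name: mssql
mssql_k8s_api_key: ""
mssql_k8s_host: ""
# From https://mcr.microsoft.com/v2/mssql/rhel/server/tags/list
mssql_image_tag: 2019-CU18-rhel-8.5
mssql_storage_class_name: ""
mssql_universal_password: ""

--------------------------------------------------------------------------------
/scripts/roles/mssql/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the role: derive the scratch directory, clear it, then run
# install.yml or remove.yml depending on mssql_action.
- name: Set output directory variable
  ansible.builtin.set_fact:
    mssql_output_directory: "{{ mssql_base_dir }}/{{ mssql_dir_name }}"

# Runs unconditionally, before either branch.
- name: Remove MSSQL directory for generated files
  ansible.builtin.file:
    path: "{{ mssql_output_directory }}"
    state: absent

- name: Install MSSQL
  include_tasks: install.yml
  when: "mssql_action == 'install'"

- name: Remove MSSQL
  include_tasks: remove.yml
  when: "mssql_action == 'remove'"

--------------------------------------------------------------------------------
/scripts/roles/mssql/tasks/remove.yml: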
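--------------------------------------------------------------------------------
# Deletes the mssql Project and waits (up to 120 s, polling every 15 s) for it
# to disappear; namespaced objects go with the Project.
- name: Remove Project mssql
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ mssql_k8s_api_key | default(omit) }}"
    host: "{{ mssql_k8s_host | default(omit) }}"
    api_version: project.openshift.io/v1
    kind: Project
    name: mssql
    wait: true
    wait_sleep: 15
    wait_timeout: 120

--------------------------------------------------------------------------------
/scripts/roles/mssql/templates/deployment.yaml.j2:
--------------------------------------------------------------------------------
# Single-replica SQL Server Deployment. The SA password is read from the
# `mssql` Secret through secretKeyRef, so it does not appear in the pod spec.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mssql
  namespace: mssql
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mssql
  template:
    metadata:
      labels:
        app: mssql
    spec:
      terminationGracePeriodSeconds: 10
      containers:
        - name: mssql
          image: "mcr.microsoft.com/mssql/rhel/server:{{ mssql_image_tag }}"
          ports:
            - name: db
              containerPort: 1433
          env:
            - name: MSSQL_PID
              value: "Developer"
            - name: ACCEPT_EULA
              value: "Y"
            - name: MSSQL_SA_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mssql
                  key: SA_PASSWORD
          volumeMounts:
            - name: mssqldb
              mountPath: /var/opt/mssql
          # Both probes only check that TCP port 1433 accepts connections.
          readinessProbe:
            tcpSocket:
              port: 1433
            initialDelaySeconds: 30
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 5
          livenessProbe:
            tcpSocket:
              port: 1433
            initialDelaySeconds: 30
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 10
      volumes:
        - name: mssqldb
          persistentVolumeClaim:
            claimName: mssql-data

--------------------------------------------------------------------------------
/scripts/roles/mssql/templates/pvc.yaml.j2:
--------------------------------------------------------------------------------
# 8Gi ReadWriteMany volume mounted at /var/opt/mssql by the Deployment.
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: mssql-data
  namespace: mssql
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 8Gi
  storageClassName: "{{ mssql_storage_class_name }}"

--------------------------------------------------------------------------------
/scripts/roles/mssql/templates/secret.yaml.j2:
--------------------------------------------------------------------------------
# SA password for SQL Server, given as stringData (plain text that the API
# server encodes on write).
# NOTE(review): the value is placed inside single quotes without escaping, so
# a password containing a single quote renders invalid YAML.
apiVersion: v1
kind: Secret
metadata:
  name: mssql
  namespace: mssql
type: Opaque
stringData:
  SA_PASSWORD: '{{ mssql_universal_password }}'

--------------------------------------------------------------------------------
/scripts/roles/mssql/templates/service.yaml.j2:
--------------------------------------------------------------------------------
# NOTE(review): type NodePort opens the SQL Server port on every cluster node,
# so the database login is reachable from any network that can reach the
# nodes. ClusterIP is enough when only in-cluster clients connect; confirm
# whether external access is intended.
apiVersion: v1
kind: Service
metadata:
  name: mssql
  namespace: mssql
spec:
  selector:
    app: mssql
  type: NodePort
  ports:
    - protocol: TCP
      port: 1433
      targetPort: db

--------------------------------------------------------------------------------
/scripts/roles/nexus/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults of the nexus role. Empty strings are placeholders that the caller
# is expected to override.
nexus_action: install
nexus_base_dir: /tmp
nexus_dir_name: nexus
nexus_universal_password: ""
nexus_storage_class_name: ""
nexus_operator_channel: stable
nexus_ldap_hostname: ""
nexus_output_namespace: "apollo-one-shot"

--------------------------------------------------------------------------------
/scripts/roles/nexus/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the role: derive the scratch directory, clear it, then run
# install.yml or remove.yml depending on nexus_action.
- name: Set output directory variable
  ansible.builtin.set_fact:
    nexus_output_directory: "{{ nexus_base_dir }}/{{ nexus_dir_name }}"

# Runs unconditionally, before either branch.
- name: Remove nexus directory for generated files
  ansible.builtin.file:
    path: "{{ nexus_output_directory }}"
    state: absent

- name: Install nexus
  include_tasks: install.yml
  when: "nexus_action == 'install'"

- name: Remove nexus
  include_tasks: remove.yml
  when: "nexus_action == 'remove'"

--------------------------------------------------------------------------------
/scripts/roles/nexus/tasks/remove.yml:
--------------------------------------------------------------------------------
# Looks the CRD up first so the instance deletion below can be skipped when
# the operator was never installed.
- name: Get NexusRepo CRD
  kubernetes.core.k8s_info:
    api_key: "{{ nexus_k8s_api_key | default(omit) }}"
    host: "{{ nexus_k8s_host | default(omit) }}"
    api_version: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    name: nexusrepos.sonatype.com
  register: nexusrepo_crd
  retries: 10
  delay: 1

- name: Delete nexus instance
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ nexus_k8s_api_key | default(omit) }}"
    host: "{{ nexus_k8s_host | default(omit) }}"
    api_version: sonatype.com/v1alpha1
    kind: NexusRepo
    name: nexusrepo
    namespace: nexus
    wait: true
    wait_sleep: 15
    wait_timeout: 120
  when: nexusrepo_crd.resources | length != 0

- name: Remove Project nexus
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ nexus_k8s_api_key | default(omit) }}"
    host: "{{ nexus_k8s_host | default(omit) }}"
    api_version: project.openshift.io/v1
    kind: Project
    name: nexus
    namespace: nexus
    wait: true
    wait_sleep: 15
    wait_timeout: 120

# The role ships templates/privileged-scc-clusterrolebinding.yaml.j2, which
# defines the cluster-scoped binding `nexus-privileged`. A ClusterRoleBinding
# is not removed together with the Project, so it is deleted explicitly here;
# left behind, it would hand the privileged SCC to the default ServiceAccount
# of any namespace later created under the name `nexus`. Deleting an object
# that does not exist is a no-op.
- name: Remove CRB nexus-privileged
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ nexus_k8s_api_key | default(omit) }}"
    host: "{{ nexus_k8s_host | default(omit) }}"
    api_version: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    name: nexus-privileged
    wait: true
    wait_sleep: 15
    wait_timeout: 120

# The ConfigMap lives in the output namespace, not in the nexus Project, so it
# needs its own deletion.
- name: Remove nexus-maven-settings Config Map
  kubernetes.core.k8s:
    api_key: "{{ nexus_k8s_api_key | default(omit) }}"
    host: "{{ nexus_k8s_host | default(omit) }}"
    state: absent
    api_version: v1
    kind: ConfigMap
    name: nexus-maven-settings
    namespace: "{{ nexus_output_namespace }}"
    force: false
    wait: true
    wait_sleep: 15
    wait_timeout: 15

--------------------------------------------------------------------------------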
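/scripts/roles/nexus/templates/ldap-config.json.j2:
--------------------------------------------------------------------------------
{#- LDAP connection definition for Nexus.
    The bind password is emitted through to_json so that quotes or backslashes
    in it cannot break or alter the JSON document; the other values are still
    interpolated raw and assume no such characters.
    NOTE(review): authScheme is SIMPLE, so when lc_ldap_ssl_enabled is false
    the bind password crosses the network unencrypted.
    The trailing argument-less regex_replace() on groupBaseDn was a no-op and
    has been dropped. -#}
{
  "name": "LDAP",
  "protocol": "{{ 'ldap' if not lc_ldap_ssl_enabled else 'ldaps' }}",
  "host": "{{ lc_ldap_server }}",
  "port": "{{ lc_ldap_port }}",
  "searchBase": "{{ lc_ldap_base_dn }}",
  "authScheme": "SIMPLE",
  "authRealm": "{{ lc_ldap_domain }}",
  "authUsername": "{{ lc_bind_admin_user }}",
  "authPassword": {{ lc_bind_admin_password | string | to_json }},
  "connectionTimeoutSeconds": 30,
  "connectionRetryDelaySeconds": 300,
  "maxIncidentsCount": 3,
  "userBaseDn": "{{ lc_ldap_user_base_dn | regex_replace('^(.+?)(,)(([Oo]|[Dd][Cc])=.*)$', '\\1') }}",
  "userSubtree": false,
  "userObjectClass": "{{ lc_ldap_user_object_class }}",
  "userLdapFilter": "",
  "userIdAttribute": "{{ lc_ldap_user_id_attribute }}",
  "userRealNameAttribute": "{{ lc_ldap_user_display_name_attr }}",
  "userEmailAddressAttribute": "mail",
  "userPasswordAttribute": "",
  "ldapGroupsAsRoles": true,
  "groupType": "static",
  "groupBaseDn": "{{ lc_ldap_group_base_dn | regex_replace('^(.+?)(,)(([Oo]|[Dd][Cc])=.*)$', '\\1') }}",
  "groupSubtree": false,
  "groupObjectClass": "{{ lc_ldap_group_object_class }}",
  "groupIdAttribute": "{{ lc_ldap_group_id_attribute }}",
  "groupMemberAttribute": "member",
  "groupMemberFormat": "{{ lc_ldap_user_id_attribute }}=${username},{{ lc_ldap_user_base_dn }}"
}
--------------------------------------------------------------------------------
/scripts/roles/nexus/templates/nexus-maven-settings-configmap.yaml.j2:
--------------------------------------------------------------------------------
# Publishes the generated maven-settings.xml from the output directory as a
# ConfigMap in the output namespace.
# NOTE(review): if maven-settings.xml carries repository credentials, a
# ConfigMap exposes them to everyone who may read ConfigMaps in that
# namespace; a Secret would be the safer kind. Contents not visible here,
# confirm.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nexus-maven-settings
  namespace: "{{ nexus_output_namespace }}"
data:
  settings.xml: |-
    {{ lookup('file', nexus_output_directory+'/maven-settings.xml') | indent(4) }}

--------------------------------------------------------------------------------
/scripts/roles/nexus/templates/nexus-role.json.j2:
--------------------------------------------------------------------------------
{
  "id": "{{ lc_principal_admin_group }}",
  "name": "{{ lc_principal_admin_group }}",
  "description": "{{ lc_principal_admin_group }}",
  "privileges": [
    "nx-all"
  ],
  "roles": [
    "nx-admin"
  ]
}
--------------------------------------------------------------------------------
/scripts/roles/nexus/templates/operatorgroup.yaml.j2:
--------------------------------------------------------------------------------
# OperatorGroup that scopes the operator to the nexus namespace only.
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: operatorgroup
  namespace: nexus
spec:
  targetNamespaces:
    - nexus

--------------------------------------------------------------------------------
/scripts/roles/nexus/templates/privileged-scc-clusterrolebinding.yaml.j2:
--------------------------------------------------------------------------------
# Grants the privileged SCC ClusterRole to the `default` ServiceAccount of the
# nexus namespace. Pods that do not name a ServiceAccount run as `default`, so
# every such pod in that namespace becomes eligible for the privileged SCC.
# NOTE(review): the binding is cluster-scoped and therefore outlives the
# Project; a namespaced RoleBinding to a dedicated ServiceAccount would narrow
# the grant and be cleaned up with the namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: 'nexus-privileged'
subjects:
  - kind: ServiceAccount
    name: default
    namespace: nexus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'system:openshift:scc:privileged'

--------------------------------------------------------------------------------
/scripts/roles/nexus/templates/subscription.yaml.j2:
--------------------------------------------------------------------------------
# Subscription to the certified Nexus operator. installPlanApproval is Manual,
# so operator upgrades wait for an explicit approval.
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: nxrm-operator-certified
  namespace: nexus
spec:
  channel: "{{ nexus_operator_channel }}"
  installPlanApproval: Manual
  name: nxrm-operator-certified
  source: certified-operators
  sourceNamespace: openshift-marketplace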
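--------------------------------------------------------------------------------
/scripts/roles/openldap/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults of the openldap role. Empty strings are placeholders that the
# caller is expected to override.
openldap_action: install
openldap_base_dir: /tmp
openldap_dir_name: openldap
openldap_universal_password: ""
openldap_storage_class_name: ""
openldap_chart_version: 3.0.2
openldap_hostname: openldap-openldap-stack-ha.openldap.svc.cluster.local
openldap_ca_crt_path: ""
openldap_wildcard_key_path: ""
openldap_wildcard_crt_path: ""

--------------------------------------------------------------------------------
/scripts/roles/openldap/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the role: derive the scratch directory, clear it, then run
# install.yml or remove.yml depending on openldap_action.
- name: Set output directory variable
  ansible.builtin.set_fact:
    openldap_output_directory: "{{ openldap_base_dir }}/{{ openldap_dir_name }}"

# Runs unconditionally, before either branch.
- name: Remove openldap directory for generated files
  ansible.builtin.file:
    path: "{{ openldap_output_directory }}"
    state: absent

- name: Install openldap
  include_tasks: install.yml
  when: "openldap_action == 'install'"

- name: Remove openldap
  include_tasks: remove.yml
  when: "openldap_action == 'remove'"

--------------------------------------------------------------------------------
/scripts/roles/openldap/tasks/remove.yml:
--------------------------------------------------------------------------------
# Deletes the openldap Project and waits (up to 120 s, polling every 15 s) for
# it to disappear.
- name: Remove Project openldap
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ openldap_k8s_api_key | default(omit) }}"
    host: "{{ openldap_k8s_host | default(omit) }}"
    api_version: project.openshift.io/v1
    kind: Project
    name: openldap
    wait: true
    wait_sleep: 15
    wait_timeout: 120

# A RoleBinding is namespaced, so the namespace from the template is given
# explicitly; without it the task did not address the binding it names.
# Deleting an object that is already gone is a no-op.
- name: Remove RB openldap-anyuid
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ openldap_k8s_api_key | default(omit) }}"
    host: "{{ openldap_k8s_host | default(omit) }}"
    api_version: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    name: openldap-anyuid
    namespace: openldap
    wait: true
    wait_sleep: 15
    wait_timeout: 120

--------------------------------------------------------------------------------
/scripts/roles/openldap/templates/anyuid-scc-rolebinding.yaml.j2:
--------------------------------------------------------------------------------
# Grants the anyuid SCC ClusterRole to the `default` ServiceAccount of the
# openldap namespace, so pods there may run with an arbitrary UID, root
# included.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: 'openldap-anyuid'
  namespace: openldap
subjects:
  - kind: ServiceAccount
    name: default
    namespace: openldap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'system:openshift:scc:anyuid'

--------------------------------------------------------------------------------
/scripts/roles/pgadmin/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults of the pgadmin role. Empty strings are placeholders that the caller
# is expected to override.
pgadmin_action: install
pgadmin_base_dir: /tmp
pgadmin_dir_name: pgadmin
pgadmin_k8s_api_key: ""
pgadmin_k8s_host: ""
pgadmin_image_tag: 6.17
pgadmin_storage_class_name: ""
pgadmin_ca_crt_path: ""
pgadmin_wildcard_key_path: ""
pgadmin_wildcard_crt_path: ""
pgadmin_universal_password: ""
pgadmin_postgresql_hostname: ""
pgadmin_postgresql_username: ""
pgadmin_postgresql_password: ""

--------------------------------------------------------------------------------
/scripts/roles/pgadmin/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the role: derive the scratch directory, clear it, then run
# install.yml or remove.yml depending on pgadmin_action.
- name: Set output directory variable
  ansible.builtin.set_fact:
    pgadmin_output_directory: "{{ pgadmin_base_dir }}/{{ pgadmin_dir_name }}"

# Runs unconditionally, before either branch.
- name: Remove pgadmin directory for generated files
  ansible.builtin.file:
    path: "{{ pgadmin_output_directory }}"
    state: absent

- name: Install pgadmin
  include_tasks: install.yml
  when: "pgadmin_action == 'install'"

- name: Remove pgadmin
  include_tasks: remove.yml
  when: "pgadmin_action == 'remove'"

--------------------------------------------------------------------------------
/scripts/roles/pgadmin/tasks/remove.yml:
--------------------------------------------------------------------------------
# Deletes the pgadmin Project and waits (up to 120 s, polling every 15 s) for
# it to disappear; the namespaced anyuid RoleBinding goes with the Project.
- name: Remove Project pgadmin
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ pgadmin_k8s_api_key | default(omit) }}"
    host: "{{ pgadmin_k8s_host | default(omit) }}"
    api_version: project.openshift.io/v1
    kind: Project
    name: pgadmin
    wait: true
    wait_sleep: 15
    wait_timeout: 120

--------------------------------------------------------------------------------
/scripts/roles/pgadmin/templates/anyuid-scc-rolebinding.yaml.j2: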
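--------------------------------------------------------------------------------
# Grants the anyuid SCC ClusterRole to the `default` ServiceAccount of the
# pgadmin namespace, so pods there may run with an arbitrary UID, root
# included.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: 'pgadmin-anyuid'
  namespace: pgadmin
subjects:
  - kind: ServiceAccount
    name: default
    namespace: pgadmin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'system:openshift:scc:anyuid'

--------------------------------------------------------------------------------
/scripts/roles/pgadmin/templates/configmap.yaml.j2:
--------------------------------------------------------------------------------
# Pre-registers one PostgreSQL server in pgAdmin.
# NOTE(review): SSLMode is "disable", so the database login and all query
# traffic between pgAdmin and PostgreSQL are unencrypted; "require" or
# stricter is preferable once the server offers TLS.
kind: ConfigMap
apiVersion: v1
metadata:
  name: pgadmin-config
  namespace: pgadmin
data:
  servers.json: |
    {
      "Servers": {
        "1": {
          "Name": "CP4BA Instance",
          "Group": "Servers",
          "Port": 5432,
          "Username": "{{ pgadmin_postgresql_username }}",
          "Host": "{{ pgadmin_postgresql_hostname }}",
          "SSLMode": "disable",
          "MaintenanceDB": "postgres"
        }
      }
    }
--------------------------------------------------------------------------------
/scripts/roles/pgadmin/templates/pvc.yaml.j2:
--------------------------------------------------------------------------------
# 3Gi ReadWriteMany volume for pgAdmin data.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pgadmin-data
  namespace: pgadmin
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: "{{ pgadmin_storage_class_name }}"
  resources:
    requests:
      storage: 3Gi

--------------------------------------------------------------------------------
/scripts/roles/pgadmin/templates/secrets.yaml.j2:
--------------------------------------------------------------------------------
kind: Secret
apiVersion: v1
metadata:
  name: pgadmin
  namespace: pgadmin
type: Opaque
stringData:
  pgadmin-password: "{{ pgadmin_universal_password }}"
# ---
# kind: Secret
# apiVersion: v1
# metadata:
#   name: pgpassfile
#   namespace: pgadmin
# type: Opaque
# stringData:
#   pgpassfile: "*:*:*:{{ pgadmin_postgresql_username }}:{{ pgadmin_universal_password }}"

--------------------------------------------------------------------------------
/scripts/roles/pgadmin/templates/service.yaml.j2:
--------------------------------------------------------------------------------
# ClusterIP Service in front of the pgAdmin web UI (port 80 to the pod's
# `http` port).
kind: Service
apiVersion: v1
metadata:
  name: pgadmin
  namespace: pgadmin
spec:
  ports:
    - protocol: TCP
      port: 80
      targetPort: http
  selector:
    app: pgadmin
  type: ClusterIP
  sessionAffinity: None

--------------------------------------------------------------------------------
/scripts/roles/pm/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults of the pm (Process Mining) role. Empty strings are placeholders
# that the caller is expected to override.
pm_action: install
pm_base_dir: /tmp
pm_dir_name: pm
pm_k8s_api_key: ""
pm_k8s_host: ""
pm_operator_channel: v2.0
pm_version: 1.13.2
pm_project_name: cp4ba
pm_storage_class_name: ""
pm_universal_password: ""
pm_db2_hostname: ""
pm_mongodb_hostname: ""
pm_ca_crt_path: ""
pm_wildcard_key_path: ""
pm_wildcard_crt_path: ""
pm_output_namespace: "apollo-one-shot"

--------------------------------------------------------------------------------
/scripts/roles/pm/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the role: derive the scratch directory, recreate it empty,
# then run install.yml or remove.yml depending on pm_action.
- name: Set output directory variable
  ansible.builtin.set_fact:
    pm_output_directory: "{{ pm_base_dir }}/{{ pm_dir_name }}"

- name: Remove PM directory for generated files
  ansible.builtin.file:
    path: "{{ pm_output_directory }}"
    state: absent

# The directory sits under /tmp by default and receives rendered manifests,
# among them Secret templates with passwords and TLS keys. An absolute 0700
# keeps it owner-only; the former symbolic `u+rwx` only added owner bits and
# left group/other access to whatever the umask allowed.
- name: Create PM directory for generated files
  ansible.builtin.file:
    path: "{{ pm_output_directory }}"
    state: directory
    mode: "0700"

- name: Install PM
  include_tasks: install.yml
  when: "pm_action == 'install'"

- name: Remove PM
  include_tasks: remove.yml
  when: "pm_action == 'remove'"

--------------------------------------------------------------------------------
/scripts/roles/pm/templates/catalogsource.yaml.j2:
--------------------------------------------------------------------------------
# Three operator catalogs. Each image is referenced by sha256 digest, so the
# catalog content is fixed to the versions named in the comments below.
# case 2.0.0 / csv 2.0.0 / https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-process-mining
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-automation-processminings
  namespace: openshift-marketplace
spec:
  displayName: IBM ProcessMining Operators
  publisher: IBM
  sourceType: grpc
  image: icr.io/cpopen/processmining-operator-catalog@sha256:6ce95e4b4bb8f3c19e7ac64a58039bdbf7c1f6990c8a22ec3d88c5b10400eae5
  updateStrategy:
    registryPoll:
      interval: 45m
---
# case 1.6.3 / csv 1.6.3 / https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-cloud-databases-redis
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-cloud-databases-redis-operator-catalog
  namespace: openshift-marketplace
spec:
  displayName: ibm-cloud-databases-redis-operator-catalog
  publisher: IBM
  sourceType: grpc
  image: icr.io/cpopen/ibm-cloud-databases-redis-catalog@sha256:02d97f4a762f368b05605b64ea0fdbb88e2f513665c8148fa0a407c8fe13c90f
  updateStrategy:
    registryPoll:
      interval: 45m
---
# case 4.0.9 / csv 1.1.11 / https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-db2uoperator
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-db2uoperator-catalog
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: icr.io/cpopen/ibm-db2uoperator-catalog@sha256:bb98c93a44172fd9709a4644c639639c2d5a3cf6692e269dd685d87ccaa191c0
  displayName: IBM Db2U Catalog
  publisher: IBM
  updateStrategy:
    registryPoll:
      interval: 45m

--------------------------------------------------------------------------------
/scripts/roles/pm/templates/licensing-configmap.yaml.j2:
--------------------------------------------------------------------------------
# Endpoint of the licensing service that usage data is uploaded to.
kind: ConfigMap
apiVersion: v1
metadata:
  name: ibm-licensing-bindinfo-ibm-licensing-upload-config
  namespace: "{{ pm_project_name }}"
data:
  url: >-
    https://ibm-licensing-service-instance.cs-control.svc.cluster.local:8080
--------------------------------------------------------------------------------
/scripts/roles/pm/templates/licensing-secret.yaml.j2:
--------------------------------------------------------------------------------
# Upload token for the licensing service. The value sits under `data:`, so
# token_upload has to be base64 text already (its origin is not visible here).
kind: Secret
apiVersion: v1
metadata:
  name: ibm-licensing-bindinfo-ibm-licensing-upload-token
  namespace: "{{ pm_project_name }}"
data:
  token-upload: "{{ token_upload }}"
type: Opaque
--------------------------------------------------------------------------------
/scripts/roles/pm/templates/postdeploy-configmap.yaml.j2:
--------------------------------------------------------------------------------
# Publishes the rendered postdeploy.md from the output directory as a
# ConfigMap in the output namespace.
apiVersion: v1
kind: ConfigMap
metadata:
  name: pm-postdeploy
  namespace: "{{ pm_output_namespace }}"
data:
  postdeploy.md: |-
    {{ lookup('file', pm_output_directory+'/postdeploy.md') | indent(4) }}

--------------------------------------------------------------------------------
/scripts/roles/pm/templates/postdeploy.md.j2:
--------------------------------------------------------------------------------
# PM post-deploy

The following list specifies when you need to perform particular post-deployment steps
- [Task Mining Client](#task-mining-client) - When you want to use Task Mining feature.

## Task Mining Client

Based on https://www.ibm.com/docs/en/process-mining/latest?topic=installation-process-mining-packages
Based on https://www.ibm.com/docs/en/process-mining/latest?topic=optional-installing-task-mining-agent

You need to download and install Process Mining Client installer from PPA or Fix Central for corresponding version and OS (e.g. M09PTML Process Mining 1.13.2 Client Windows Multilingual).

Task mining endpoint: https://processmining-tm-{{ pm_project_name }}.{{ apps_endpoint_domain }}/
Accept untrusted certificates: Yes

--------------------------------------------------------------------------------
/scripts/roles/pm/templates/processmining.yaml.j2:
--------------------------------------------------------------------------------
# ProcessMining custom resource: both components use the pm-tls-secret for the
# UI and read their database passwords from the pm-dbs Secret.
apiVersion: processmining.ibm.com/v1beta1
kind: ProcessMining
metadata:
  name: processmining
  namespace: "{{ pm_project_name }}"
spec:
  version: "{{ pm_version }}"
  license:
    accept: true
    cloudPak: "IBM Cloud Pak for Business Automation"
  defaultStorageClassName: "{{ pm_storage_class_name }}"
  processmining:
    tls:
      ui:
        secretname: pm-tls-secret
        certificate: tls.crt
        key: tls.key
        ca: ca.crt
    storage:
      redis:
        install: false
      database:
        external:
          host: "{{ pm_mongodb_hostname }}"
          port: 27017
          database: processmining
          # NOTE(review): connects as the MongoDB `root` user; an account
          # limited to the processmining database would reduce exposure.
          user: root
          credential:
            secretname: pm-dbs
            passwordkey: mongodbPassword
  taskmining:
    tls:
      ui:
        secretname: pm-tls-secret
        certificate: tls.crt
        key: tls.key
        ca: ca.crt
    storage:
      database:
        dbtype: db2
        external:
          credential:
            secretname: pm-dbs
            passwordkey: db2Password
          user: pm
          database: pm
          host: "{{ pm_db2_hostname }}"
          port: 50000
          schema: PM
          # NOTE(review): the Db2 connection is made without TLS, so the
          # database credentials and data are sent unencrypted.
          ssl: false

--------------------------------------------------------------------------------
/scripts/roles/pm/templates/secrets.yaml.j2:
--------------------------------------------------------------------------------
# Database passwords referenced by the ProcessMining resource. Both keys carry
# the same universal password.
apiVersion: v1
kind: Secret
metadata:
  name: pm-dbs
  namespace: "{{ pm_project_name }}"
type: Opaque
stringData:
  db2Password: "{{ pm_universal_password }}"
  mongodbPassword: "{{ pm_universal_password }}"
---
# Based on https://www.ibm.com/docs/en/cloud-paks/1.0?topic=platform-ssl-certificates
kind: Secret
apiVersion: v1
metadata:
  name: pm-tls-secret
  namespace: "{{ pm_project_name }}"
data:
  tls.key: "{{ _tls_key }}"
  tls.crt: "{{ _tls_crt }}"
  ca.crt: "{{ _ca_tls_crt }}"
type: Opaque

--------------------------------------------------------------------------------
/scripts/roles/pm/templates/subscription.yaml.j2:
--------------------------------------------------------------------------------
# Subscription to the Process Mining operator from the catalog defined in
# catalogsource.yaml.j2. No installPlanApproval is set here.
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: processmining-subscription
  namespace: "{{ pm_project_name }}"
spec:
  channel: "{{ pm_operator_channel }}"
  name: ibm-automation-processmining
  source: ibm-automation-processminings
  sourceNamespace: openshift-marketplace

--------------------------------------------------------------------------------
/scripts/roles/postgresql/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults of the postgresql role. Empty strings are placeholders that the
# caller is expected to override.
postgresql_action: install
postgresql_base_dir: /tmp
postgresql_dir_name: postgresql
postgresql_k8s_api_key: ""
postgresql_k8s_host: ""
postgresql_image_tag: 14.6-alpine3.17
postgresql_storage_class_name: ""
postgresql_universal_password: ""

--------------------------------------------------------------------------------
/scripts/roles/postgresql/tasks/main.yml:
--------------------------------------------------------------------------------
- name: Set output directory variable
  ansible.builtin.set_fact:
    postgresql_output_directory: "{{ postgresql_base_dir }}/{{ postgresql_dir_name }}"

- name: Remove PostgreSQL directory for generated files
  ansible.builtin.file:
    path: "{{ postgresql_output_directory }}"
    state: absent

- name: Install PostgreSQL
  include_tasks: install.yml
  when: "postgresql_action == 'install'"

-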
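name: Remove PostgreSQL 15 | include_tasks: remove.yml 16 | when: "postgresql_action == 'remove'" 17 | 
--------------------------------------------------------------------------------
/scripts/roles/postgresql/tasks/remove.yml:
--------------------------------------------------------------------------------
# Deletes the `postgresql` Project and the `postgresql-privileged` RoleBinding.
# Both tasks wait up to 120 s (polling every 15 s) for the object to disappear.
- name: Remove Project postgresql
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ postgresql_k8s_api_key | default(omit) }}"
    host: "{{ postgresql_k8s_host | default(omit) }}"
    api_version: project.openshift.io/v1
    kind: Project
    name: postgresql
    wait: true
    wait_sleep: 15
    wait_timeout: 120

- name: Remove RB postgresql-privileged
  kubernetes.core.k8s:
    state: absent
    # Use this role's own connection variables. The task previously read
    # cerebro_k8s_api_key / cerebro_k8s_host, so the RoleBinding delete could
    # run with different credentials (or against a different API endpoint)
    # than the Project delete above, leaving the privileged grant behind.
    api_key: "{{ postgresql_k8s_api_key | default(omit) }}"
    host: "{{ postgresql_k8s_host | default(omit) }}"
    api_version: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    name: postgresql-privileged
    # RoleBinding is a namespaced kind; the template creates it in `postgresql`.
    namespace: postgresql
    wait: true
    wait_sleep: 15
    wait_timeout: 120
--------------------------------------------------------------------------------
/scripts/roles/postgresql/templates/privileged-scc-rolebinding.yaml.j2:
--------------------------------------------------------------------------------
# Grants the `default` ServiceAccount of the `postgresql` namespace use of the
# OpenShift `privileged` SCC.
# NOTE(review): `default` is the account a pod gets when it names no
# ServiceAccount, so every such pod in this namespace can request privileged
# mode. A dedicated ServiceAccount bound to the narrowest SCC the database
# image actually needs would limit the grant; presumably something weaker than
# `privileged` is enough for a postgres container. Verify against the
# deployment template.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: postgresql-privileged
  namespace: postgresql
subjects:
  - kind: ServiceAccount
    name: default
    namespace: postgresql
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'system:openshift:scc:privileged'
-------------------------------------------------------------------------------- /scripts/roles/postgresql/templates/pvc.yaml.j2: -------------------------------------------------------------------------------- 1 | kind: PersistentVolumeClaim 2 | apiVersion: v1 3 | metadata: 4 | name: postgresql-data 5 | namespace: postgresql 6 | spec: 7 | accessModes: 8 | - ReadWriteMany 9 | resources: 10 | 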
requests: 11 | storage: 5Gi 12 | storageClassName: "{{ postgresql_storage_class_name }}" 13 | volumeMode: Filesystem 14 | --- 15 | kind: PersistentVolumeClaim 16 | apiVersion: v1 17 | metadata: 18 | name: postgresql-tablespaces 19 | namespace: postgresql 20 | spec: 21 | accessModes: 22 | - ReadWriteMany 23 | resources: 24 | requests: 25 | storage: 5Gi 26 | storageClassName: "{{ postgresql_storage_class_name }}" 27 | volumeMode: Filesystem 28 | -------------------------------------------------------------------------------- /scripts/roles/postgresql/templates/secret.yaml.j2: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | apiVersion: v1 3 | metadata: 4 | name: postgresql-config 5 | namespace: postgresql 6 | stringData: 7 | POSTGRES_DB: postgres 8 | POSTGRES_USER: "{{ postgresql_admin_user }}" 9 | POSTGRES_PASSWORD: "{{ postgresql_universal_password }}" 10 | -------------------------------------------------------------------------------- /scripts/roles/postgresql/templates/service.yaml.j2: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: postgresql 5 | namespace: postgresql 6 | labels: 7 | app: postgresql 8 | spec: 9 | type: NodePort 10 | ports: 11 | - port: 5432 12 | selector: 13 | app: postgresql 14 | -------------------------------------------------------------------------------- /scripts/roles/roundcube/defaults/main.yml: -------------------------------------------------------------------------------- 1 | roundcube_action: install 2 | roundcube_base_dir: /tmp 3 | roundcube_dir_name: roundcube 4 | roundcube_k8s_api_key: "" 5 | roundcube_k8s_host: "" 6 | roundcube_db_image_tag: 14.5-alpine 7 | roundcube_image_tag: 1.6.0-fpm-alpine 8 | roundcube_nginx_image_tag: 1.23.1-alpine 9 | roundcube_storage_class_name: "" 10 | roundcube_ca_crt_path: "" 11 | roundcube_wildcard_key_path: "" 12 | roundcube_wildcard_crt_path: "" 13 | 
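roundcube_universal_password: "" 14 | roundcube_mail_hostname: "" 15 | 
--------------------------------------------------------------------------------
/scripts/roles/roundcube/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the roundcube role: derives the directory for generated files,
# deletes any previous copy of it, then dispatches on roundcube_action.
- name: Set output directory variable
  ansible.builtin.set_fact:
    roundcube_output_directory: "{{ roundcube_base_dir }}/{{ roundcube_dir_name }}"

- name: Remove Roundcube directory for generated files
  ansible.builtin.file:
    path: "{{ roundcube_output_directory }}"
    state: absent

- name: Install Roundcube
  include_tasks: install.yml
  when: "roundcube_action == 'install'"

- name: Remove Roundcube
  include_tasks: remove.yml
  when: "roundcube_action == 'remove'"
--------------------------------------------------------------------------------
/scripts/roles/roundcube/tasks/remove.yml:
--------------------------------------------------------------------------------
# Deletes the `roundcube` Project and the cluster-wide `roundcube-anyuid`
# ClusterRoleBinding. Both tasks wait up to 120 s, polling every 15 s.
- name: Remove Project roundcube
  kubernetes.core.k8s:
    state: absent
    api_key: "{{ roundcube_k8s_api_key | default(omit) }}"
    host: "{{ roundcube_k8s_host | default(omit) }}"
    api_version: project.openshift.io/v1
    kind: Project
    name: roundcube
    wait: true
    wait_sleep: 15
    wait_timeout: 120

- name: Remove CRB roundcube-anyuid
  kubernetes.core.k8s:
    state: absent
    # Use this role's own connection variables. The task previously read
    # cerebro_k8s_api_key / cerebro_k8s_host; a ClusterRoleBinding is not
    # removed together with the Project, so a delete issued with the wrong
    # credentials or endpoint would leave the anyuid grant in the cluster.
    api_key: "{{ roundcube_k8s_api_key | default(omit) }}"
    host: "{{ roundcube_k8s_host | default(omit) }}"
    api_version: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    name: roundcube-anyuid
    wait: true
    wait_sleep: 15
    wait_timeout: 120
-------------------------------------------------------------------------------- /scripts/roles/roundcube/templates/anyuid-scc-clusterrolebinding.yaml.j2: -------------------------------------------------------------------------------- 1 | kind: ClusterRoleBinding 2 | apiVersion: 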
rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: 'roundcube-anyuid' 5 | subjects: 6 | - kind: ServiceAccount 7 | name: default 8 | namespace: roundcube 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: ClusterRole 12 | name: 'system:openshift:scc:anyuid' 13 | -------------------------------------------------------------------------------- /scripts/roles/roundcube/templates/configmaps.yaml.j2: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: roundcubenginx-config 6 | namespace: roundcube 7 | data: 8 | default.conf: | 9 | server { 10 | listen 80 default_server; 11 | server_name _; 12 | root /var/www/html; 13 | 14 | location / { 15 | try_files $uri /index.php$is_args$args; 16 | } 17 | 18 | location ~ \.php(/|$) { 19 | try_files $uri =404; 20 | fastcgi_pass roundcubemail:9000; 21 | fastcgi_read_timeout 300; 22 | proxy_read_timeout 300; 23 | fastcgi_split_path_info ^(.+\.php)(/.*)$; 24 | include fastcgi_params; 25 | fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; 26 | fastcgi_param DOCUMENT_ROOT $realpath_root; 27 | internal; 28 | } 29 | 30 | client_max_body_size 6m; 31 | 32 | error_log /var/log/nginx/error.log; 33 | access_log /var/log/nginx/access.log; 34 | } 35 | --- 36 | apiVersion: v1 37 | kind: ConfigMap 38 | metadata: 39 | name: roundcubemail-config 40 | namespace: roundcube 41 | data: 42 | custom.php: | 43 | array( 46 | 'verify_peer' => false, 47 | 'verify_peer_name' => false, 48 | ), 49 | ); 50 | $config['imap_conn_options'] = array( 51 | 'ssl' => array( 52 | 'verify_peer' => false, 53 | 'verify_peer_name' => false, 54 | ), 55 | ); 56 | $config['username_domain'] = 'cp.internal'; 57 | -------------------------------------------------------------------------------- /scripts/roles/roundcube/templates/db-deployment.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | 
kind: Deployment 3 | metadata: 4 | name: roundcubedb 5 | namespace: roundcube 6 | labels: 7 | service: roundcubedb 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | service: roundcubedb 13 | strategy: 14 | type: Recreate 15 | template: 16 | metadata: 17 | labels: 18 | service: roundcubedb 19 | spec: 20 | containers: 21 | - name: roundcubedb 22 | image: "postgres:{{ roundcube_db_image_tag }}" 23 | imagePullPolicy: "" 24 | env: 25 | - name: POSTGRES_DB 26 | value: roundcube 27 | - name: POSTGRES_USER 28 | valueFrom: 29 | secretKeyRef: 30 | name: roundcubemail-shared-secret 31 | key: DB_USER 32 | - name: POSTGRES_PASSWORD 33 | valueFrom: 34 | secretKeyRef: 35 | name: roundcubemail-shared-secret 36 | key: DB_PASSWORD 37 | ports: 38 | - containerPort: 5432 39 | volumeMounts: 40 | - mountPath: /var/lib/postgresql/data 41 | name: roundcubedb-volume 42 | restartPolicy: Always 43 | serviceAccountName: "" 44 | volumes: 45 | - name: roundcubedb-volume 46 | persistentVolumeClaim: 47 | claimName: roundcubedb-volumeclaim 48 | -------------------------------------------------------------------------------- /scripts/roles/roundcube/templates/nginx-deployment.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: roundcubenginx 5 | namespace: roundcube 6 | labels: 7 | service: roundcubenginx 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | service: roundcubenginx 13 | strategy: 14 | type: Recreate 15 | template: 16 | metadata: 17 | labels: 18 | service: roundcubenginx 19 | spec: 20 | containers: 21 | - name: roundcubenginx 22 | image: "nginx:{{ roundcube_nginx_image_tag }}" 23 | imagePullPolicy: "" 24 | env: 25 | - name: NGINX_HOST 26 | value: localhost 27 | - name: NGINX_PHP_CGI 28 | value: roundcubemail:9000 29 | ports: 30 | - containerPort: 80 31 | readinessProbe: 32 | tcpSocket: 33 | port: 80 34 | initialDelaySeconds: 45 35 | timeoutSeconds: 1 36 
| periodSeconds: 10 37 | successThreshold: 1 38 | failureThreshold: 5 39 | livenessProbe: 40 | tcpSocket: 41 | port: 80 42 | initialDelaySeconds: 45 43 | timeoutSeconds: 1 44 | periodSeconds: 10 45 | successThreshold: 1 46 | failureThreshold: 10 47 | volumeMounts: 48 | - name: www-data 49 | mountPath: /var/www/html 50 | - name: nginx-config 51 | mountPath: /etc/nginx/conf.d/default.conf 52 | subPath: default.conf 53 | restartPolicy: Always 54 | serviceAccountName: "" 55 | volumes: 56 | - name: www-data 57 | persistentVolumeClaim: 58 | claimName: roundcubemail-www-pvc 59 | - name: nginx-config 60 | configMap: 61 | name: roundcubenginx-config 62 | -------------------------------------------------------------------------------- /scripts/roles/roundcube/templates/pvcs.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: roundcubemail-www-pvc 5 | namespace: roundcube 6 | spec: 7 | storageClassName: "{{ roundcube_storage_class_name }}" 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 200Mi 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolumeClaim 16 | metadata: 17 | name: roundcubemail-temp-pvc 18 | namespace: roundcube 19 | spec: 20 | storageClassName: "{{ roundcube_storage_class_name }}" 21 | accessModes: 22 | - ReadWriteMany 23 | resources: 24 | requests: 25 | storage: 2Gi 26 | --- 27 | apiVersion: v1 28 | kind: PersistentVolumeClaim 29 | metadata: 30 | name: roundcubedb-volumeclaim 31 | namespace: roundcube 32 | spec: 33 | storageClassName: "{{ roundcube_storage_class_name }}" 34 | accessModes: 35 | - ReadWriteMany 36 | resources: 37 | requests: 38 | storage: 2Gi 39 | -------------------------------------------------------------------------------- /scripts/roles/roundcube/templates/secrets.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | 
type: Opaque 4 | metadata: 5 | name: roundcubemail-shared-secret 6 | namespace: roundcube 7 | stringData: 8 | DES_KEY: '{{ roundcube_universal_password }}' 9 | DB_USER: roundcube 10 | DB_PASSWORD: '{{ roundcube_universal_password }}' 11 | -------------------------------------------------------------------------------- /scripts/roles/roundcube/templates/services.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: roundcubedb 5 | namespace: roundcube 6 | labels: 7 | service: roundcubedb 8 | spec: 9 | type: NodePort 10 | ports: 11 | - port: 5432 12 | protocol: TCP 13 | selector: 14 | service: roundcubedb 15 | --- 16 | apiVersion: v1 17 | kind: Service 18 | metadata: 19 | name: roundcubemail 20 | namespace: roundcube 21 | labels: 22 | service: roundcubemail 23 | spec: 24 | type: NodePort 25 | ports: 26 | - port: 9000 27 | protocol: TCP 28 | selector: 29 | service: roundcubemail 30 | --- 31 | apiVersion: v1 32 | kind: Service 33 | metadata: 34 | name: roundcubenginx 35 | namespace: roundcube 36 | labels: 37 | service: roundcubenginx 38 | spec: 39 | ports: 40 | - name: http 41 | port: 8080 42 | targetPort: 80 43 | selector: 44 | service: roundcubenginx 45 | -------------------------------------------------------------------------------- /scripts/roles/rpa/defaults/main.yml: -------------------------------------------------------------------------------- 1 | rpa_action: install 2 | rpa_base_dir: /tmp 3 | rpa_dir_name: rpa 4 | rpa_k8s_api_key: "" 5 | rpa_k8s_host: "" 6 | rpa_operator_channel: v1.9 7 | rpa_version: 1.9.0 8 | rpa_project_name: cp4ba 9 | rpa_storage_class_name: "" 10 | rpa_universal_password: "" 11 | rpa_mssql_hostname: "" 12 | rpa_mail_hostname: "" 13 | rpa_output_namespace: "apollo-one-shot" 14 | -------------------------------------------------------------------------------- /scripts/roles/rpa/tasks/main.yml: 
-------------------------------------------------------------------------------- 1 | - name: Set output directory variable 2 | ansible.builtin.set_fact: 3 | rpa_output_directory: "{{ rpa_base_dir }}/{{ rpa_dir_name }}" 4 | 5 | - name: Remove RPA directory for generated files 6 | ansible.builtin.file: 7 | path: "{{ rpa_output_directory }}" 8 | state: absent 9 | 10 | - name: Create RPA directory for generated files 11 | ansible.builtin.file: 12 | path: "{{ rpa_output_directory }}" 13 | state: directory 14 | mode: u+rwx 15 | 16 | - name: Install RPA 17 | include_tasks: install.yml 18 | when: "rpa_action == 'install'" 19 | 20 | - name: Remove RPA 21 | include_tasks: remove.yml 22 | when: "rpa_action == 'remove'" 23 | -------------------------------------------------------------------------------- /scripts/roles/rpa/templates/catalogsource.yaml.j2: -------------------------------------------------------------------------------- 1 | # case 1.9.0 / csv 1.9.0 / https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-robotic-process-automation 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: CatalogSource 4 | metadata: 5 | name: ibm-robotic-process-automation-catalog 6 | namespace: openshift-marketplace 7 | spec: 8 | displayName: IBM Robotic Process Automation Catalog 9 | publisher: IBM 10 | sourceType: grpc 11 | image: icr.io/cpopen/ibm-rpa-operator-catalog@sha256:88c3fbe709f4cb21886f63a56aebc35a80371503075d3a76d3c6b58a211a1453 12 | updateStrategy: 13 | registryPoll: 14 | interval: 45m 15 | --- 16 | # case 1.6.3 / csv 1.6.3 / https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-cloud-databases-redis 17 | apiVersion: operators.coreos.com/v1alpha1 18 | kind: CatalogSource 19 | metadata: 20 | name: ibm-cloud-databases-redis-operator-catalog 21 | namespace: openshift-marketplace 22 | spec: 23 | displayName: ibm-cloud-databases-redis-operator-catalog 24 | publisher: IBM 25 | sourceType: grpc 26 | image: 
icr.io/cpopen/ibm-cloud-databases-redis-catalog@sha256:02d97f4a762f368b05605b64ea0fdbb88e2f513665c8148fa0a407c8fe13c90f 27 | updateStrategy: 28 | registryPoll: 29 | interval: 45m 30 | --- 31 | # case 1.8.2 / csv 1.8.2 / https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-mq 32 | apiVersion: operators.coreos.com/v1alpha1 33 | kind: CatalogSource 34 | metadata: 35 | name: ibmmq-operator-catalogsource 36 | namespace: openshift-marketplace 37 | spec: 38 | displayName: IBM MQ 39 | publisher: IBM 40 | sourceType: grpc 41 | image: icr.io/cpopen/ibm-mq-operator-catalog@sha256:8775212f7d592a7971f8baf20898551dce6e9e5a984abad8658e18cf8bc76cb1 42 | updateStrategy: 43 | registryPoll: 44 | interval: 45m 45 | -------------------------------------------------------------------------------- /scripts/roles/rpa/templates/licensing-configmap.yaml.j2: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: rpa-server-rpa-license-config 5 | namespace: "{{ rpa_project_name }}" 6 | data: 7 | url: >- 8 | https://ibm-licensing-service-instance.cs-control.svc.cluster.local:8080 -------------------------------------------------------------------------------- /scripts/roles/rpa/templates/licensing-secret.yaml.j2: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | apiVersion: v1 3 | metadata: 4 | name: rpa-server-rpa-license-token 5 | namespace: "{{ rpa_project_name }}" 6 | data: 7 | token-upload: "{{ token_upload }}" 8 | type: Opaque -------------------------------------------------------------------------------- /scripts/roles/rpa/templates/postdeploy-configmap.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: rpa-postdeploy 5 | namespace: "{{ rpa_output_namespace }}" 6 | data: 7 | postdeploy.md: |- 8 | {{ lookup('file', 
rpa_output_directory+'/postdeploy.md') | indent(4) }} 9 | -------------------------------------------------------------------------------- /scripts/roles/rpa/templates/roboticprocessautomation.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: rpa.automation.ibm.com/v1beta1 2 | kind: RoboticProcessAutomation 3 | metadata: 4 | name: rpa 5 | namespace: "{{ rpa_project_name }}" 6 | spec: 7 | license: 8 | accept: true 9 | version: "{{ rpa_version }}" 10 | tls: 11 | issuerRef: 12 | name: iaf-issuer 13 | kind: Issuer 14 | caSecret: 15 | secretName: global-ca 16 | key: ca.crt 17 | systemQueueProvider: 18 | storage: 19 | class: "{{ rpa_storage_class_name }}" 20 | api: 21 | externalConnection: 22 | secretName: rpa-db 23 | firstTenant: 24 | name: ibm 25 | owner: 26 | ownersecret: 27 | secretName: rpa-first-tenant-owner 28 | replicas: 1 29 | smtp: 30 | port: 587 31 | server: "{{ rpa_mail_hostname }}" 32 | userSecret: 33 | secretName: rpa-smtp 34 | storage: 35 | hot: 36 | size: 7Gi 37 | class: "{{ rpa_storage_class_name }}" 38 | archive: 39 | size: 11Gi 40 | class: "{{ rpa_storage_class_name }}" 41 | template: 42 | pod: 43 | spec: 44 | containers: 45 | - name: rpa-server 46 | readinessProbe: 47 | initialDelaySeconds: 300 48 | livenessProbe: 49 | initialDelaySeconds: 300 50 | ui: 51 | replicas: 1 52 | ocr: 53 | replicas: 1 54 | antivirus: 55 | replicas: 1 56 | template: 57 | pod: 58 | spec: 59 | containers: 60 | - name: clam-av-api 61 | readinessProbe: 62 | initialDelaySeconds: 300 63 | livenessProbe: 64 | initialDelaySeconds: 300 65 | audit: 66 | forwardingEnabled: false 67 | nlp: 68 | replicas: 1 69 | -------------------------------------------------------------------------------- /scripts/roles/rpa/templates/subscription.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: rpa-subscription 5 | 
namespace: "{{ rpa_project_name }}" 6 | spec: 7 | channel: "{{ rpa_operator_channel }}" 8 | name: ibm-automation-rpa 9 | source: ibm-robotic-process-automation-catalog 10 | sourceNamespace: openshift-marketplace 11 | -------------------------------------------------------------------------------- /scripts/roles/usage/defaults/main.yml: -------------------------------------------------------------------------------- 1 | usage_action: install 2 | -------------------------------------------------------------------------------- /scripts/roles/usage/tasks/install.yml: -------------------------------------------------------------------------------- 1 | - name: Get OCP Apps domain 2 | ansible.builtin.include_role: 3 | name: common 4 | tasks_from: apps-endpoint 5 | vars: 6 | common_k8s_api_key: "{{ ocp_cluster_token | default(omit) }}" 7 | common_k8s_host: "{{ ocp_api_endpoint | default(omit) }}" 8 | common_output_to_var: "apps_endpoint_domain" 9 | 10 | - name: Set path to usage.md 11 | ansible.builtin.set_fact: 12 | usage_path: "{{ generic_directory }}/usage.md" 13 | 14 | - name: Prepare Usage md 15 | ansible.builtin.template: 16 | src: usage.md.j2 17 | dest: "{{ usage_path }}" 18 | mode: u+rwx 19 | 20 | - name: Prepare usage Config Map 21 | ansible.builtin.template: 22 | src: usage-configmap.yaml.j2 23 | dest: "{{ generic_directory }}/usage-configmap.yaml" 24 | mode: u+rwx 25 | 26 | - name: Add the usage config map 27 | kubernetes.core.k8s: 28 | api_key: "{{ ocp_cluster_token | default(omit) }}" 29 | host: "{{ ocp_api_endpoint | default(omit) }}" 30 | state: present 31 | force: false 32 | merge_type: strategic-merge 33 | src: "{{ generic_directory }}/usage-configmap.yaml" 34 | wait: true 35 | wait_sleep: 15 36 | wait_timeout: 15 37 | -------------------------------------------------------------------------------- /scripts/roles/usage/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Install Usage 2 | 
include_tasks: install.yml 3 | when: "usage_action == 'install'" 4 | 5 | - name: Remove Usage 6 | include_tasks: remove.yml 7 | when: "usage_action == 'remove'" 8 | -------------------------------------------------------------------------------- /scripts/roles/usage/tasks/remove.yml: -------------------------------------------------------------------------------- 1 | - name: Remove usage Config Map 2 | kubernetes.core.k8s: 3 | api_key: "{{ ocp_cluster_token | default(omit) }}" 4 | host: "{{ ocp_api_endpoint | default(omit) }}" 5 | state: absent 6 | api_version: v1 7 | kind: ConfigMap 8 | name: usage 9 | namespace: apollo-one-shot 10 | force: false 11 | wait: true 12 | wait_sleep: 15 13 | wait_timeout: 15 14 | -------------------------------------------------------------------------------- /scripts/roles/usage/templates/usage-configmap.yaml.j2: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: usage 5 | namespace: apollo-one-shot 6 | data: 7 | usage.md: |- 8 | {{ lookup('file', usage_path) | indent(4) }} 9 | {% if git_commit_id is defined %} 10 | z-git-commit: | 11 | ## Version 12 | 13 | For the reference and to know which version of the Apollo one-shot deployment was used, bellow you can find the sha hash of the used commit. 
14 | 15 | - Apollo one-shot used commit sha hash: {{ git_commit_id }} 16 | {% endif %} 17 | {# NOTE(review): zen_api_key_new appears to be an API credential, and this key places it in a ConfigMap. ConfigMap contents are readable by any subject with ConfigMap read access in apollo-one-shot; a Secret would be the usual home for it. Confirm what consumes this key before moving it. #}{% if zen_api_key_new is defined %} 18 | zen-api-key: {{ zen_api_key_new }} 19 | {% endif %} -------------------------------------------------------------------------------- /scripts/roles/validations/tasks/boolean-variables.yml: -------------------------------------------------------------------------------- 1 | - name: Validate True/False Entries 2 | ansible.builtin.fail: 3 | msg: "The {{ item.name }} variable has to be boolean" 4 | when: "item.value | type_debug != 'bool'" 5 | with_items: 6 | - name: openldap_enabled 7 | value: "{{ openldap_enabled }}" 8 | - name: pm_enabled 9 | value: "{{ pm_enabled }}" 10 | - name: asset_repo_enabled 11 | value: "{{ asset_repo_enabled }}" 12 | - name: rpa_enabled 13 | value: "{{ rpa_enabled }}" 14 | - name: akhq_enabled 15 | value: "{{ akhq_enabled }}" 16 | - name: cerebro_enabled 17 | value: "{{ cerebro_enabled }}" 18 | - name: db2mc_enabled 19 | value: "{{ db2mc_enabled }}" 20 | - name: pgadmin_enabled 21 | value: "{{ pgadmin_enabled }}" 22 | - name: cloudbeaver_enabled 23 | value: "{{ cloudbeaver_enabled }}" 24 | - name: roundcube_enabled 25 | value: "{{ roundcube_enabled }}" 26 | - name: mongo_express_enabled 27 | value: "{{ mongo_express_enabled }}" 28 | -------------------------------------------------------------------------------- /scripts/roles/validations/tasks/choice-list-variables.yml: -------------------------------------------------------------------------------- 1 | - name: Validate value is one of the provided options 2 | ansible.builtin.fail: 3 | msg: "The {{ item.name }} variable value is not one of the following {{ item.accepted_values }}" 4 | when: "not item.value or item.value == None or item.value not in item.accepted_values" 5 | with_items: 6 | - name: deployment_platform 7 | value: "{{ deployment_platform }}" 8 | accepted_values: 9 | - ROKS 10 | - OCP 11 | 
-------------------------------------------------------------------------------- /scripts/roles/validations/tasks/empty-variables.yml: -------------------------------------------------------------------------------- 1 | - name: Validate filled in Entries 2 | ansible.builtin.fail: 3 | msg: "The {{ item.name }} variable has to be defined and have a value" 4 | when: "not item.value or item.value == None or item.value | length == 0" 5 | with_items: 6 | - name: storage_class_name 7 | value: "{{ storage_class_name }}" 8 | - name: block_storage_class_name 9 | value: "{{ block_storage_class_name }}" 10 | -------------------------------------------------------------------------------- /scripts/roles/validations/tasks/icr-password.yml: -------------------------------------------------------------------------------- 1 | - name: ICR Password should be defined 2 | ansible.builtin.fail: 3 | msg: "The icr_password variable has to be defined." 4 | when: icr_password is not defined 5 | 6 | - name: ICR Password should not be empty 7 | ansible.builtin.fail: 8 | msg: "The icr_password is not correct, it shouldn't be empty." 9 | when: not icr_password or icr_password | length == 0 10 | 11 | - name: ICR Password should not be TODO_ICR_PASSWORD 12 | ansible.builtin.fail: 13 | msg: "The icr_password is not correct, it shouldn't be TODO_ICR_PASSWORD." 14 | when: icr_password is regex(".*TODO_ICR_PASSWORD.*") 15 | 16 | - name: ICR Password registry login validation call 17 | ansible.builtin.uri: 18 | url: "https://cp.icr.io/oauth/token" 19 | method: GET 20 | user: cp 21 | password: "{{ icr_password }}" 22 | status_code: 23 | - 200 24 | - 401 25 | register: icr_login_response 26 | 27 | - name: ICR Password registry login validation 28 | ansible.builtin.fail: 29 | msg: "The icr_password is not correct, we've got unauthorized from the cp.icr.io registry, please verify the icr_password." 
30 | when: icr_login_response.status != 200 31 | -------------------------------------------------------------------------------- /scripts/roles/validations/tasks/input-validations.yml: -------------------------------------------------------------------------------- 1 | - name: ICR Password 2 | include_tasks: icr-password.yml 3 | 4 | - name: Universal Password 5 | include_tasks: universal-password.yml 6 | 7 | - name: Boolean Variables 8 | include_tasks: boolean-variables.yml 9 | 10 | - name: Empty Variables 11 | include_tasks: empty-variables.yml 12 | 13 | - name: Choice List Variables 14 | include_tasks: choice-list-variables.yml 15 | 16 | - name: OCP Access 17 | include_tasks: ocp-access.yml 18 | -------------------------------------------------------------------------------- /scripts/roles/validations/tasks/ocp-access.yml: -------------------------------------------------------------------------------- 1 | - name: Get OCP Version 2 | ansible.builtin.uri: 3 | url: "{{ ocp_api_endpoint | default(omit) }}/version" 4 | method: GET 5 | timeout: 10 6 | register: validate_ocp_api_endpoint 7 | failed_when: false 8 | when: ocp_api_endpoint is defined 9 | 10 | - name: OCP API Endpoint url should be reachable 11 | ansible.builtin.fail: 12 | msg: "Incorrect url provided as the OCP API Endpoint" 13 | when: ocp_api_endpoint is defined and validate_ocp_api_endpoint.status and not (200 <= validate_ocp_api_endpoint.status < 300) 14 | 15 | - name: Validate if the given OCP credentials work, get namespaces 16 | kubernetes.core.k8s_info: 17 | api_key: "{{ ocp_cluster_token | default(omit) }}" 18 | host: "{{ ocp_api_endpoint | default(omit) }}" 19 | kind: Namespace 20 | wait: true 21 | wait_sleep: 2 22 | wait_timeout: 5 23 | register: validate_ocp_namespaces 24 | failed_when: false 25 | 26 | - name: OCP API Endpoint url should be reachable 27 | ansible.builtin.fail: 28 | msg: "Incorrect url provided as the OCP API Endpoint" 29 | when: 30 | validate_ocp_namespaces is not defined or 
31 | ("msg" in validate_ocp_namespaces and ("Error" in validate_ocp_namespaces.msg or 32 | (validate_ocp_namespaces.msg is search('.*Exception.*') and validate_ocp_namespaces.msg is search('.*NewConnectionError.*')))) 33 | 34 | - name: OCP Cluster Token has to be valid 35 | ansible.builtin.fail: 36 | msg: "Incorrect or outdated token provided as the OCP Cluster Token" 37 | when: 38 | validate_ocp_namespaces is not defined or 39 | "msg" in validate_ocp_namespaces and 40 | (validate_ocp_namespaces.msg is search('.*Exception.*') and validate_ocp_namespaces.msg is search('.*Unauthorized.*')) 41 | -------------------------------------------------------------------------------- /scripts/roles/validations/tasks/universal-password.yml: -------------------------------------------------------------------------------- 1 | - name: Universal Password should be defined 2 | ansible.builtin.fail: 3 | msg: "The universal_password variable has to be defined." 4 | when: universal_password is not defined 5 | 6 | - name: Universal Password should not be empty 7 | ansible.builtin.fail: 8 | msg: "The universal_password is not correct, it shouldn't be empty." 9 | when: not universal_password or icr_password | length == 0 10 | 11 | - name: Universal Password should be alphanumeric only 12 | ansible.builtin.fail: 13 | msg: "The universal_password is not correct, it should be alphanumeric, no special characters allowed." 
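14 |   when: universal_password is not regex("^[a-zA-Z0-9]*$")  # Letters and digits only; with a character set this narrow, password strength rests on length.
15 |
--------------------------------------------------------------------------------
/scripts/servicing-pod.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # Long-running helper pod: clones the repository, runs servicing.sh, then idles for interactive use.
2 | kind: Pod
3 | metadata:
4 |   generateName: apollo-one-shot-servicing-
5 |   namespace: apollo-one-shot
6 |   labels:
7 |     app: apollo-one-shot-servicing
8 | spec:
9 |   containers:
10 |     - name: apollo-one-shot  # NOTE(review): no securityContext or resources are set; the yum install below presumably needs root - confirm which SCC this pod runs under.
11 |       image: ubi9/ubi:9.0.0  # Short image name: which registry serves it depends on the node's configuration. A fully qualified, digest-pinned reference removes that ambiguity.
12 |       command: ["/bin/bash"]
13 |       args:
14 |         ["-c","cd /usr; yum install git -y && git clone --depth 1 --shallow-submodules --branch \"${GIT_BRANCH}\" -- \"${GIT_REPOSITORY}\"; cd ./ibm-cp4ba-enterprise-deployment/scripts; chmod u+x servicing.sh; ./servicing.sh; while true; do echo 'Apollo one-shot servicing pod - Ready - Enter it via Terminal and \"bash -l\" - Delete it after you are done.'; sleep 300; done"]  # Both variables are quoted and the repository follows "--", so a ConfigMap value cannot split into extra words or be read as a git option.
15 |       imagePullPolicy: IfNotPresent
16 |       env:
17 |         - name: GIT_REPOSITORY  # Repository and branch come from ConfigMap apollo-one-shot: whoever can edit it chooses the code this pod runs.
18 |           valueFrom:
19 |             configMapKeyRef:
20 |               name: apollo-one-shot
21 |               key: git_repository
22 |         - name: GIT_BRANCH
23 |           valueFrom:
24 |             configMapKeyRef:
25 |               name: apollo-one-shot
26 |               key: git_branch
27 |         - name: CONTAINER_RUN_MODE  # servicing.sh copies /config/variables.yml only when this is "true".
28 |           value: "true"
29 |       volumeMounts:
30 |         - name: config
31 |           mountPath: /config/
32 |   volumes:
33 |     - name: config  # NOTE(review): if variables.yml in this ConfigMap carries passwords or tokens, a Secret with restricted read access is the better home - confirm its contents.
34 |       configMap:
35 |         name: apollo-one-shot
36 |
--------------------------------------------------------------------------------
/scripts/servicing.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | if [[ $CONTAINER_RUN_MODE == "true" ]]; then  # Container mode: take the variables file from the mounted /config directory.
4 |   echo
5 |   echo ">>>>Copy variables.yml"
6 |   cp /config/variables.yml variables.yml
7 | fi
8 |
9 | find . -type f -iname '*.sh' -exec chmod u+x {} +  # -exec ... + copes with spaces in paths and runs nothing when no file matches.
10 |
11 | echo
12 | echo ">>>>Source functions"
13 | .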
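functions.sh
14 |
15 | echo
16 | echo ">>>>Update HOME to internal folder"
17 | echo "HOME=`pwd`" >> ~/.bash_profile  # Later login shells get the current directory as HOME.
18 | echo "export HOME" >> ~/.bash_profile
19 | ORIGINAL_HOME=$HOME  # Keep the real home; the profile edits further down are written there.
20 | # Set HOME now to set context for Python packages install via Pip in tooling
21 | HOME=`pwd`
22 |
23 | cd tooling
24 | ./install.sh
25 | exit_test $? "Install Tooling Failed"  # exit_test presumably aborts on a non-zero code - defined outside this listing, confirm in functions.sh.
26 | cd ..
27 |
28 | echo
29 | echo ">>>>$(print_timestamp) Install oc"
30 | cd tooling
31 | curl --fail https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux.tar.gz --output oc.tar  # Certificate verification stays on (no -k): this archive is unpacked and executed below. --fail turns an HTTP error into a non-zero exit for exit_test.
32 | exit_test $? "Download oc Failed"
33 | tar -xvf oc.tar oc  # NOTE(review): "stable" is a moving target and no digest is checked; consider pinning a version and verifying a published checksum.
34 | chmod u+x oc
35 | ./oc version
36 | exit_test $? "oc setup Failed"
37 | cd ..
38 |
39 | echo
40 | echo ">>>>Update PATH to include new tooling"
41 | REAL_PATH=`realpath tooling`
42 | echo "PATH=`python3 -m site --user-base`/bin:$REAL_PATH:$PATH" >> "$ORIGINAL_HOME/.bash_profile"  # Redirect targets are quoted so a home path with spaces stays one word.
43 | echo "export PATH" >> "$ORIGINAL_HOME/.bash_profile"
44 |
45 | echo
46 | echo ">>>>Add aliases"
47 | echo "alias ll='ls -la'" >> "$ORIGINAL_HOME/.bash_profile"
48 |
--------------------------------------------------------------------------------
/scripts/storage-class/deployment.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1  # Single-replica Deployment of the NFS subdir external provisioner.
2 | kind: Deployment
3 | metadata:
4 |   name: nfs-client-provisioner
5 |   labels:
6 |     app: nfs-client-provisioner
7 |   namespace: nfs-client-provisioner
8 | spec:
9 |   replicas: 1
10 |   strategy:
11 |     type: Recreate
12 |   selector:
13 |     matchLabels:
14 |       app: nfs-client-provisioner
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: nfs-client-provisioner
19 |     spec:
20 |       serviceAccountName: nfs-client-provisioner  # Service account bound to cluster-wide PersistentVolume rights in rbac.yaml.
21 |       containers:
22 |         - name: nfs-client-provisioner
23 |           image: k8s.gcr.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2  # Pinned by tag, not digest. NOTE(review): k8s.gcr.io is the legacy image host, superseded by registry.k8s.io - confirm the tag is available there before switching.
24 |           volumeMounts:
25 |             - name: nfs-client-root
26 |               mountPath: /persistentvolumes
27 |           env:
28 |             - name: PROVISIONER_NAME  # Must equal the provisioner field in storageclass.yaml.
29 |               value: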
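k8s-sigs.io/nfs-subdir-external-provisioner
30 |             - name: NFS_SERVER
31 |               value: "{{NFS_HOSTNAME}}"  # Placeholder; presumably substituted before the manifest is applied.
32 |             - name: NFS_PATH
33 |               value: /nfs/storage
34 |       volumes:
35 |         - name: nfs-client-root
36 |           nfs:
37 |             server: "{{NFS_HOSTNAME}}"
38 |             path: /nfs/storage
39 |
--------------------------------------------------------------------------------
/scripts/storage-class/make-default.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | echo
4 | echo ">>>>Source internal variables"
5 | . ../internal-variables.sh
6 |
7 | echo
8 | echo ">>>>Source variables"
9 | . ../variables.sh
10 |
11 | echo
12 | echo ">>>>Source functions"
13 | . ../functions.sh
14 |
15 | echo
16 | echo ">>>>$(print_timestamp) Make Storage Class default install started"
17 |
18 | echo
19 | echo ">>>>Init env"
20 | . ../init.sh
21 |
22 | echo
23 | echo ">>>>$(print_timestamp) Set Storage Class as default "
24 | # Based on https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/
25 | # Confirm the target class exists before the default flag is cleared on every class;
26 | # otherwise a wrong STORAGE_CLASS_NAME would leave the cluster without a default class.
27 | oc get storageclass "${STORAGE_CLASS_NAME}" > /dev/null
28 | exit_test $? "Storage Class ${STORAGE_CLASS_NAME} not found"  # exit_test: helper used as in servicing.sh, presumably provided by functions.sh.
29 | oc get storageclass -o name | xargs oc patch -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
30 | oc patch storageclass "${STORAGE_CLASS_NAME}" -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
31 |
32 | echo
33 | echo ">>>>$(print_timestamp) Make Storage Class default install completed"
34 |
--------------------------------------------------------------------------------
/scripts/storage-class/rbac.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # Identity the provisioner Deployment runs as.
2 | kind: ServiceAccount
3 | metadata:
4 |   name: nfs-client-provisioner
5 |   namespace: nfs-client-provisioner
6 | ---
7 | kind: ClusterRole  # Cluster-scoped: PersistentVolumes are not namespaced.
8 | apiVersion: rbac.authorization.k8s.io/v1
9 | metadata:
10 |   name: nfs-client-provisioner-runner
11 | rules:
12 |   - apiGroups: [""]
13 |     resources: ["persistentvolumes"]
14 |     verbs: ["get", "list", "watch", "create", "delete"]
15 |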
- apiGroups: [""]
16 |     resources: ["persistentvolumeclaims"]
17 |     verbs: ["get", "list", "watch", "update"]  # Read and update only; claims are neither created nor deleted by this role.
18 |   - apiGroups: ["storage.k8s.io"]
19 |     resources: ["storageclasses"]
20 |     verbs: ["get", "list", "watch"]  # Read-only on storage classes.
21 |   - apiGroups: [""]
22 |     resources: ["events"]
23 |     verbs: ["create", "update", "patch"]
24 | ---
25 | kind: ClusterRoleBinding  # Grants the ClusterRole named in roleRef to the provisioner's service account, cluster-wide.
26 | apiVersion: rbac.authorization.k8s.io/v1
27 | metadata:
28 |   name: run-nfs-client-provisioner
29 | subjects:
30 |   - kind: ServiceAccount
31 |     name: nfs-client-provisioner
32 |     namespace: nfs-client-provisioner
33 | roleRef:
34 |   kind: ClusterRole
35 |   name: nfs-client-provisioner-runner
36 |   apiGroup: rbac.authorization.k8s.io
37 | ---
38 | kind: Role  # Namespaced role on endpoints; the name suggests it backs leader election.
39 | apiVersion: rbac.authorization.k8s.io/v1
40 | metadata:
41 |   name: leader-locking-nfs-client-provisioner
42 |   namespace: nfs-client-provisioner
43 | rules:
44 |   - apiGroups: [""]
45 |     resources: ["endpoints"]
46 |     verbs: ["get", "list", "watch", "create", "update", "patch"]
47 | ---
48 | kind: RoleBinding  # Binds the namespaced Role to the same service account.
49 | apiVersion: rbac.authorization.k8s.io/v1
50 | metadata:
51 |   name: leader-locking-nfs-client-provisioner
52 |   namespace: nfs-client-provisioner
53 | subjects:
54 |   - kind: ServiceAccount
55 |     name: nfs-client-provisioner
56 |     namespace: nfs-client-provisioner
57 | roleRef:
58 |   kind: Role
59 |   name: leader-locking-nfs-client-provisioner
60 |   apiGroup: rbac.authorization.k8s.io
61 |
--------------------------------------------------------------------------------
/scripts/storage-class/storageclass.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: storage.k8s.io/v1
2 | kind: StorageClass
3 | metadata:
4 |   name: managed-nfs-storage
5 | provisioner: k8s-sigs.io/nfs-subdir-external-provisioner # Any name works, but it must match the PROVISIONER_NAME env value in deployment.yaml.
6 | parameters:
7 |   archiveOnDelete: "false"  # NOTE(review): presumably the backing directory is removed rather than archived when a claim is deleted - confirm against the provisioner's documentation.
8 |
--------------------------------------------------------------------------------
/scripts/tooling/remove.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Removal hook for tooling: loads the shared scripts, then logs the start and end markers.
3 |
4 | printf '\n%s\n' ">>>>Source internal variables"
5 | source ../internal-variables.sh
6 |
7 | printf '\n%s\n' ">>>>Source variables"
8 | source ../variables.sh
9 |
10 | printf '\n%s\n' ">>>>Source functions"
11 | source ../functions.sh
12 |
13 | printf '\n%s\n' ">>>>$(print_timestamp) Tooling remove started"
14 |
15 | # Intentionally empty: tooling is fully local, so there is nothing to remove.
16 |
17 | printf '\n%s\n' ">>>>$(print_timestamp) Tooling remove completed"
18 |
--------------------------------------------------------------------------------