New folder organization and bombastic-api (trustification#36)

* New folder organization and bombastic-api

* Cleanup

* Disable tls for now

* Ansible linter : follow postgresql move

* Fix readme

* Wrap oidc configmap per component

* Add missing file and fix too many empty lines

* Add envar for oidc ids and url with default empty value

* update README

* Fix default for varenvs; Update task fail_msg

* Make compent_auth more generic

* register needs hard values

* Restore storage access key and secret names

* Trying quotes for task name with variables

* Skip list for template[name]

* Add missing EOF line

* cleanup

.ansible-lint

@@ -3,4 +3,6 @@ exclude_paths:
   - .github
   - vm-testing
   - input-template
-  - roles/tpa_single_node/tasks/podman/postgresql.yml
+  - roles/tpa_single_node/tasks/infra/postgresql.yml
+skip_list:
+  - name[template]

README.md

@@ -96,9 +96,12 @@ Copy your certificate files in `./certs` directory using following names:
 6. Create Environment Variables with S3 and OIDC credentails
 
 ```
-export TPA_S3_ACCESS_KEY=<S3 Storage Access Key>
-export TPA_S3_SECRET_KEY=<S3 Storage Secret Key>
-export TPA_OIDC_WALKER_SECRET=<OIDC Walker Secret>
+export TPA_STORAGE_ACCESS_KEY=<Storage Access Key>
+export TPA_STORAGE_SECRET_KEY=<Storage Secret Key>
+export TPA_STORAGE_OIDC_ISSUER_URL=<Issuer URL with endpoint auth/realms/chicken>
+export TPA_STORAGE_OIDC_FRONTEND_ID=<OIDC Frontend Id>
+export TPA_OIDC_PROVIDER_CLIENT_ID=<OIDC Walker Id>
+export TPA_OIDC_PROVIDER_CLIENT_SECRET=<OIDC Walker Secret>
 ```
 
 7. Execute the following command (NOTE: you will have to provide credentials to authenticate to registry.redhat.io: https://access.redhat.com/RegistryAuthentication):

roles/tpa_single_node/tasks/bombastic/api.yml

@@ -0,0 +1,18 @@
+---
+- name: Create configmap auth for bombastic-api
+  ansible.builtin.include_tasks: infra/component_auth.yml
+  vars:
+    component:
+      name: "bombastic"
+      type: "api"
+
+- name: Deploy bombastic-api
+  ansible.builtin.include_tasks: install_manifest.yml
+  vars:
+    podman_spec:
+      state: started
+      systemd_file: bombastic-api
+      network: "{{ tpa_single_node_podman_network }}"
+      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/bombastic/api/Deployment.yaml.j2') | from_yaml }}"
+      configmap: "{{ tpa_single_node_kube_manifest_dir }}/bombastic-api-configmap.yml"
+      configmap_changed: oidc_configmap_result.changed

roles/tpa_single_node/tasks/podman/guac_collectsub.yml → roles/tpa_single_node/tasks/guac/guac_collectsub.yml

@@ -11,7 +11,7 @@
     state: started
 
 - name: Deploy guac-collectsub Pod
-  ansible.builtin.include_tasks: podman/install_manifest.yml
+  ansible.builtin.include_tasks: install_manifest.yml
   vars:
     podman_spec:
       state: started

roles/tpa_single_node/tasks/podman/guac_graphql.yml → roles/tpa_single_node/tasks/guac/guac_graphql.yml

@@ -11,7 +11,7 @@
     state: started
 
 - name: Deploy guac-graphql Pod
-  ansible.builtin.include_tasks: podman/install_manifest.yml
+  ansible.builtin.include_tasks: install_manifest.yml
   vars:
     podman_spec:
       state: started

roles/tpa_single_node/tasks/guac/main.yml

@@ -0,0 +1,16 @@
+---
+# Init Guac DBMS
+- name: Configure and initialize Guac DBMS
+  ansible.builtin.include_tasks: guac/init.yml
+
+- name: Provision Guac collectsub
+  ansible.builtin.include_tasks: guac/guac_collectsub.yml
+  vars:
+    tpa_single_node_guac_csub_tls_cert_pem: "{{ lookup('file', tpa_single_node_guac_csub_tls_cert_pem_path) }}"
+    tpa_single_node_guac_csub_tls_cert_key: "{{ lookup('file', tpa_single_node_guac_csub_tls_cert_key_path) }}"
+
+- name: Provision Guac graphql
+  ansible.builtin.include_tasks: guac/guac_graphql.yml
+  vars:
+    tpa_single_node_guac_graphql_tls_cert_pem: "{{ lookup('file', tpa_single_node_guac_graphql_tls_cert_pem_path) }}"
+    tpa_single_node_guac_graphql_tls_cert_key: "{{ lookup('file', tpa_single_node_guac_graphql_tls_cert_key_path) }}"

roles/tpa_single_node/tasks/infra/component_auth.yml

@@ -0,0 +1,13 @@
+---
+- name: Generate OIDC auth ConfigMap manifest for {{ component.name }}-{{ component.type }}
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/manifests/infra/Configmap-{{ oidc }}.yaml.j2"
+    dest: "{{ tpa_single_node_kube_manifest_dir }}/{{ component.name }}-{{ component.type }}-configmap.yml"
+    mode: "0600"
+  register: oidc_configmap_result
+
+- name: Retrieve the checksum of the ConfigMap
+  ansible.builtin.stat:
+    path: "{{ tpa_single_node_kube_manifest_dir }}/{{ component.name }}-{{ component.type }}-configmap.yml"
+    checksum_algorithm: sha256
+  register: oidc_configmap_checksum

roles/tpa_single_node/tasks/infra/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Configure and deploy Postgres
+  ansible.builtin.include_tasks: infra/postgresql.yml
+  args:
+    apply:
+      become: true
+
+- name: Configure OIDC
+  ansible.builtin.include_tasks: infra/oidc.yml
+
+- name: Configure Storage
+  ansible.builtin.include_tasks: infra/storage.yml

roles/tpa_single_node/tasks/infra/oidc.yml

@@ -0,0 +1,16 @@
+---
+- name: Set OIDC variable
+  ansible.builtin.set_fact:
+    oidc: keycloak
+
+- name: Overwrite OIDC variable
+  ansible.builtin.set_fact:
+    oidc: cognito
+  when: "'cognito' in (tpa_single_node_oidc_issuer_url | string | safe)"
+
+- name: Check OIDC Walker is defined
+  ansible.builtin.assert:
+    that:
+      - tpa_single_node_oidc_provider_client_secret is defined
+      - tpa_single_node_oidc_provider_client_secret != ""
+    fail_msg: OIDC Walker Secret is not defined

roles/tpa_single_node/tasks/infra/storage.yml

@@ -0,0 +1,20 @@
+---
+- name: Check storage access and key secrets are defined
+  ansible.builtin.assert:
+    that:
+      - tpa_single_node_storage_access_key is defined
+      - tpa_single_node_storage_access_key != ""
+      - tpa_single_node_storage_secret_key is defined
+      - tpa_single_node_storage_secret_key != ""
+    fail_msg: Storage Access Key and Secret is not defined
+
+- name: Generate storage secret manifest
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/manifests/infra/Secret-storage.yaml.j2"
+    dest: "{{ tpa_single_node_storage_secret }}"
+    mode: "0600"
+
+- name: Apply storage secret manifest
+  containers.podman.podman_play:
+    kube_file: "{{ tpa_single_node_storage_secret }}"
+    state: started

roles/tpa_single_node/tasks/main.yml

@@ -13,3 +13,38 @@
   vars:
     tpa_single_node_registry_username: "{{ lookup('env', 'TPA_SINGLE_NODE_REGISTRY_USERNAME') }}"
     tpa_single_node_registry_password: "{{ lookup('env', 'TPA_SINGLE_NODE_REGISTRY_PASSWORD') }}"
+
+# 1 Configuring external services, DB, SSO, SQS, S3
+- name: Configure infra dependencies
+  ansible.builtin.include_tasks: infra/main.yml
+  args:
+    apply:
+      become: true
+
+# Step 4, 6 and 7
+- name: Configure and deploy Guac
+  ansible.builtin.include_tasks: guac/main.yml
+  args:
+    apply:
+      become: true
+
+# Step 5
+- name: Configure/Deploy v11y walker
+  ansible.builtin.include_tasks: v11y/walker.yml
+  args:
+    apply:
+      become: true
+
+# Step 8
+- name: Configure/Deploy v11y api
+  ansible.builtin.include_tasks: v11y/api.yml
+  args:
+    apply:
+      become: true
+
+# Step 9
+- name: Configure/Deploy bombastic api
+  ansible.builtin.include_tasks: bombastic/api.yml
+  args:
+    apply:
+      become: true

roles/tpa_single_node/tasks/podman.yml

@@ -38,39 +38,3 @@
     - ansible_facts['distribution_major_version'] == '9'
   containers.podman.podman_image:
     name: "{{ tpa_single_node_guac_image }}"
-
-  # 1 Configuring external services, DB, SSO, SQS, S3
-
-# @postgres-remove
-- name: Configure/Deploy Postgres
-  ansible.builtin.include_tasks: podman/postgresql.yml
-
-# SQS
-# S3
-# SSO
-
-# 2 Init DB for Guac
-- name: Configure/Deploy guac init
-  ansible.builtin.include_tasks: podman/init_guac.yml
-
-# 3 V11y Walker
-- name: Configure/Deploy v11y walker
-  ansible.builtin.include_tasks: podman/v11y_walker.yml
-
-# 4 Guac Collectsub
-- name: Provision Guac collectsub
-  ansible.builtin.include_tasks: podman/guac_collectsub.yml
-  vars:
-    tpa_single_node_guac_csub_tls_cert_pem: "{{ lookup('file', tpa_single_node_guac_csub_tls_cert_pem_path) }}"
-    tpa_single_node_guac_csub_tls_cert_key: "{{ lookup('file', tpa_single_node_guac_csub_tls_cert_key_path) }}"
-
-# 5 Guac Graphql
-- name: Provision Guac graphql
-  ansible.builtin.include_tasks: podman/guac_graphql.yml
-  vars:
-    tpa_single_node_guac_graphql_tls_cert_pem: "{{ lookup('file', tpa_single_node_guac_graphql_tls_cert_pem_path) }}"
-    tpa_single_node_guac_graphql_tls_cert_key: "{{ lookup('file', tpa_single_node_guac_graphql_tls_cert_key_path) }}"
-
-# 6 V11y api
-- name: Configure/Deploy v11y api
-  ansible.builtin.include_tasks: podman/v11y_api.yml

roles/tpa_single_node/tasks/v11y/api.yml

@@ -0,0 +1,18 @@
+---
+- name: Create configmap auth for v11y-api
+  ansible.builtin.include_tasks: infra/component_auth.yml
+  vars:
+    component:
+      name: "v11y"
+      type: "api"
+
+- name: Deploy v11y-api
+  ansible.builtin.include_tasks: install_manifest.yml
+  vars:
+    podman_spec:
+      state: started
+      systemd_file: v11y-api
+      network: "{{ tpa_single_node_podman_network }}"
+      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/v11y/api/Deployment.yaml.j2') | from_yaml }}"
+      configmap: "{{ tpa_single_node_kube_manifest_dir }}/v11y-api-configmap.yml"
+      configmap_changed: oidc_configmap_result.changed

roles/tpa_single_node/tasks/podman/v11y_walker.yml → roles/tpa_single_node/tasks/v11y/walker.yml

@@ -26,7 +26,7 @@
     state: present
 
 - name: Deploy v11walker Pod
-  ansible.builtin.include_tasks: podman/install_manifest.yml
+  ansible.builtin.include_tasks: install_manifest.yml
   vars:
     podman_spec:
       state: stopped