From b1ecca45bed257b43ed860890535208b3bc15582 Mon Sep 17 00:00:00 2001 
From: Gilles Dubreuil Date: Tue, 24 Sep 2024 17:45:59 +0200 Subject: [PATCH] New folder organization and bombastic-api (#36) * New folder organization and bombastic-api * Cleanup * Disable tls for now * Ansible linter : follow postgresql move * Fix readme * Wrap oidc configmap per component * Add missing file and fix too many empty lines * Add envar for oidc ids and url with default empty value * update README * Fix default for varenvs; Update task fail_msg * Make compent_auth more generic * register needs hard values * Restore storage access key and secret names * Trying quotes for task name with variables * Skip list for template[name] * Add missing EOF line * cleanup --- .ansible-lint | 4 +- README.md | 9 +- roles/tpa_single_node/tasks/bombastic/api.yml | 18 ++++ .../{podman => guac}/guac_collectsub.yml | 2 +- .../tasks/{podman => guac}/guac_graphql.yml | 2 +- .../{podman/init_guac.yml => guac/init.yml} | 0 roles/tpa_single_node/tasks/guac/main.yml | 16 ++++ .../tasks/infra/component_auth.yml | 13 +++ roles/tpa_single_node/tasks/infra/main.yml | 12 +++ roles/tpa_single_node/tasks/infra/oidc.yml | 16 ++++ .../tasks/{podman => infra}/postgresql.yml | 0 roles/tpa_single_node/tasks/infra/storage.yml | 20 +++++ .../tasks/{podman => }/install_manifest.yml | 0 roles/tpa_single_node/tasks/main.yml | 35 ++++++++ roles/tpa_single_node/tasks/podman.yml | 36 -------- .../tpa_single_node/tasks/podman/v11y_api.yml | 60 ------------- roles/tpa_single_node/tasks/v11y/api.yml | 18 ++++ .../v11y_walker.yml => v11y/walker.yml} | 2 +- .../bombastic/api/020-ConfigMap-auth.yaml | 19 ---- ...030-Deployment.yaml => Deployment.yaml.j2} | 87 ++++++++++--------- .../api => infra}/Configmap-cognito.yaml.j2 | 13 ++- .../api => infra}/Configmap-keycloak.yaml.j2 | 12 ++- .../manifests/infra/Secret-storage.yaml.j2 | 9 ++ ...ployment-s3.yaml.j2 => Deployment.yaml.j2} | 31 +++---- .../manifests/v11y/api/Secret.yaml.j2 | 9 -- .../manifests/v11y/walker/Deployment.yaml | 6 +- 
roles/tpa_single_node/vars/main.yml | 32 +++---- 27 files changed, 257 insertions(+), 224 deletions(-) create mode 100644 roles/tpa_single_node/tasks/bombastic/api.yml rename roles/tpa_single_node/tasks/{podman => guac}/guac_collectsub.yml (92%) rename roles/tpa_single_node/tasks/{podman => guac}/guac_graphql.yml (92%) rename roles/tpa_single_node/tasks/{podman/init_guac.yml => guac/init.yml} (100%) create mode 100644 roles/tpa_single_node/tasks/guac/main.yml create mode 100644 roles/tpa_single_node/tasks/infra/component_auth.yml create mode 100644 roles/tpa_single_node/tasks/infra/main.yml create mode 100644 roles/tpa_single_node/tasks/infra/oidc.yml rename roles/tpa_single_node/tasks/{podman => infra}/postgresql.yml (100%) create mode 100644 roles/tpa_single_node/tasks/infra/storage.yml rename roles/tpa_single_node/tasks/{podman => }/install_manifest.yml (100%) delete mode 100644 roles/tpa_single_node/tasks/podman/v11y_api.yml create mode 100644 roles/tpa_single_node/tasks/v11y/api.yml rename roles/tpa_single_node/tasks/{podman/v11y_walker.yml => v11y/walker.yml} (94%) delete mode 100644 roles/tpa_single_node/templates/manifests/bombastic/api/020-ConfigMap-auth.yaml rename roles/tpa_single_node/templates/manifests/bombastic/api/{030-Deployment.yaml => Deployment.yaml.j2} (71%) rename roles/tpa_single_node/templates/manifests/{v11y/api => infra}/Configmap-cognito.yaml.j2 (79%) rename roles/tpa_single_node/templates/manifests/{v11y/api => infra}/Configmap-keycloak.yaml.j2 (69%) create mode 100644 roles/tpa_single_node/templates/manifests/infra/Secret-storage.yaml.j2 rename roles/tpa_single_node/templates/manifests/v11y/api/{Deployment-s3.yaml.j2 => Deployment.yaml.j2} (81%) delete mode 100644 roles/tpa_single_node/templates/manifests/v11y/api/Secret.yaml.j2 diff --git a/.ansible-lint b/.ansible-lint index 3b3c97d7..1ef85d96 100644 --- a/.ansible-lint +++ b/.ansible-lint 
@@ -3,4 +3,6 @@ exclude_paths: - .github - vm-testing - input-template - - roles/tpa_single_node/tasks/podman/postgresql.yml + - roles/tpa_single_node/tasks/infra/postgresql.yml +skip_list: + - name[template] diff --git a/README.md b/README.md index 9f6258b3..5ef5d81c 100644 --- a/README.md +++ b/README.md @@ -96,9 +96,12 @@ Copy your certificate files in `./certs` directory using following names: 6. Create Environment Variables with S3 and OIDC credentails ``` -export TPA_S3_ACCESS_KEY= -export TPA_S3_SECRET_KEY= -export TPA_OIDC_WALKER_SECRET= +export TPA_STORAGE_ACCESS_KEY= +export TPA_STORAGE_SECRET_KEY= +export TPA_STORAGE_OIDC_ISSUER_URL= +export TPA_STORAGE_OIDC_FRONTEND_ID= +export TPA_OIDC_PROVIDER_CLIENT_ID= +export TPA_OIDC_PROVIDER_CLIENT_SECRET= ``` 7. Execute the following command (NOTE: you will have to provide credentials to authenticate to registry.redhat.io: https://access.redhat.com/RegistryAuthentication): diff --git a/roles/tpa_single_node/tasks/bombastic/api.yml b/roles/tpa_single_node/tasks/bombastic/api.yml new file mode 100644 index 00000000..a4a5fa0c --- /dev/null +++ b/roles/tpa_single_node/tasks/bombastic/api.yml @@ -0,0 +1,18 @@ +--- +- name: Create configmap auth for bombastic-api + ansible.builtin.include_tasks: infra/component_auth.yml + vars: + component: + name: "bombastic" + type: "api" + +- name: Deploy bombastic-api + ansible.builtin.include_tasks: install_manifest.yml + vars: + podman_spec: + state: started + systemd_file: bombastic-api + network: "{{ tpa_single_node_podman_network }}" + kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/bombastic/api/Deployment.yaml.j2') | from_yaml }}" + configmap: "{{ tpa_single_node_kube_manifest_dir }}/bombastic-api-configmap.yml" + configmap_changed: oidc_configmap_result.changed 
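Review bot: `configmap_changed: oidc_configmap_result.changed` in the "Deploy bombastic-api" task is a plain YAML string, not a Jinja expression, so install_manifest.yml receives the literal text `oidc_configmap_result.changed` rather than the registered boolean; the deleted podman/v11y_api.yml had this templated as `"{{ configmap_result.changed }}"`. install_manifest.yml is outside this diff, so how it consumes the field is not visible, but unless it re-evaluates the string as an expression the redeploy decision will be wrong. Change it to `configmap_changed: "{{ oidc_configmap_result.changed }}"`. The new v11y/api.yml in this commit carries the same line and needs the same fix.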
diff --git a/roles/tpa_single_node/tasks/podman/guac_collectsub.yml b/roles/tpa_single_node/tasks/guac/guac_collectsub.yml similarity index 92% rename from roles/tpa_single_node/tasks/podman/guac_collectsub.yml rename to roles/tpa_single_node/tasks/guac/guac_collectsub.yml index 9b031f33..0daa37b4 100644 --- a/roles/tpa_single_node/tasks/podman/guac_collectsub.yml +++ b/roles/tpa_single_node/tasks/guac/guac_collectsub.yml @@ -11,7 +11,7 @@ state: started - name: Deploy guac-collectsub Pod - ansible.builtin.include_tasks: podman/install_manifest.yml + ansible.builtin.include_tasks: install_manifest.yml vars: podman_spec: state: started diff --git a/roles/tpa_single_node/tasks/podman/guac_graphql.yml b/roles/tpa_single_node/tasks/guac/guac_graphql.yml similarity index 92% rename from roles/tpa_single_node/tasks/podman/guac_graphql.yml rename to roles/tpa_single_node/tasks/guac/guac_graphql.yml index e63422e9..207ebf4b 100644 --- a/roles/tpa_single_node/tasks/podman/guac_graphql.yml +++ b/roles/tpa_single_node/tasks/guac/guac_graphql.yml @@ -11,7 +11,7 @@ state: started - name: Deploy guac-graphql Pod - ansible.builtin.include_tasks: podman/install_manifest.yml + ansible.builtin.include_tasks: install_manifest.yml vars: podman_spec: state: started diff --git a/roles/tpa_single_node/tasks/podman/init_guac.yml b/roles/tpa_single_node/tasks/guac/init.yml similarity index 100% rename from roles/tpa_single_node/tasks/podman/init_guac.yml rename to roles/tpa_single_node/tasks/guac/init.yml diff --git a/roles/tpa_single_node/tasks/guac/main.yml b/roles/tpa_single_node/tasks/guac/main.yml new file mode 100644 index 00000000..00d8f7d2 --- /dev/null +++ b/roles/tpa_single_node/tasks/guac/main.yml 
@@ -0,0 +1,16 @@ +--- +# Init Guac DBMS +- name: Configure and initialize Guac DBMS + ansible.builtin.include_tasks: guac/init.yml + +- name: Provision Guac collectsub + ansible.builtin.include_tasks: guac/guac_collectsub.yml + vars: + tpa_single_node_guac_csub_tls_cert_pem: "{{ lookup('file', tpa_single_node_guac_csub_tls_cert_pem_path) }}" + tpa_single_node_guac_csub_tls_cert_key: "{{ lookup('file', tpa_single_node_guac_csub_tls_cert_key_path) }}" + +- name: Provision Guac graphql + ansible.builtin.include_tasks: guac/guac_graphql.yml + vars: + tpa_single_node_guac_graphql_tls_cert_pem: "{{ lookup('file', tpa_single_node_guac_graphql_tls_cert_pem_path) }}" + tpa_single_node_guac_graphql_tls_cert_key: "{{ lookup('file', tpa_single_node_guac_graphql_tls_cert_key_path) }}" diff --git a/roles/tpa_single_node/tasks/infra/component_auth.yml b/roles/tpa_single_node/tasks/infra/component_auth.yml new file mode 100644 index 00000000..4ebfac69 --- /dev/null +++ b/roles/tpa_single_node/tasks/infra/component_auth.yml @@ -0,0 +1,13 @@ +--- +- name: Generate OIDC auth ConfigMap manifest for {{ component.name }}-{{ component.type }} + ansible.builtin.template: + src: "{{ role_path }}/templates/manifests/infra/Configmap-{{ oidc }}.yaml.j2" + dest: "{{ tpa_single_node_kube_manifest_dir }}/{{ component.name }}-{{ component.type }}-configmap.yml" + mode: "0600" + register: oidc_configmap_result + +- name: Retrieve the checksum of the ConfigMap + ansible.builtin.stat: + path: "{{ tpa_single_node_kube_manifest_dir }}/{{ component.name }}-{{ component.type }}-configmap.yml" + checksum_algorithm: sha256 + register: oidc_configmap_checksum diff --git a/roles/tpa_single_node/tasks/infra/main.yml b/roles/tpa_single_node/tasks/infra/main.yml new file mode 100644 index 00000000..58a2e362 --- /dev/null +++ b/roles/tpa_single_node/tasks/infra/main.yml 
@@ -0,0 +1,12 @@ +--- +- name: Configure and deploy Postgres + ansible.builtin.include_tasks: infra/postgresql.yml + args: + apply: + become: true + +- name: Configure OIDC + ansible.builtin.include_tasks: infra/oidc.yml + +- name: Configure Storage + ansible.builtin.include_tasks: infra/storage.yml diff --git a/roles/tpa_single_node/tasks/infra/oidc.yml b/roles/tpa_single_node/tasks/infra/oidc.yml new file mode 100644 index 00000000..f6983882 --- /dev/null +++ b/roles/tpa_single_node/tasks/infra/oidc.yml @@ -0,0 +1,16 @@ +--- +- name: Set OIDC variable + ansible.builtin.set_fact: + oidc: keycloak + +- name: Overwrite OIDC variable + ansible.builtin.set_fact: + oidc: cognito + when: "'cognito' in (tpa_single_node_oidc_issuer_url | string | safe)" + +- name: Check OIDC Walker is defined + ansible.builtin.assert: + that: + - tpa_single_node_oidc_provider_client_secret is defined + - tpa_single_node_oidc_provider_client_secret != "" + fail_msg: OIDC Walker Secret is not defined diff --git a/roles/tpa_single_node/tasks/podman/postgresql.yml b/roles/tpa_single_node/tasks/infra/postgresql.yml similarity index 100% rename from roles/tpa_single_node/tasks/podman/postgresql.yml rename to roles/tpa_single_node/tasks/infra/postgresql.yml diff --git a/roles/tpa_single_node/tasks/infra/storage.yml b/roles/tpa_single_node/tasks/infra/storage.yml new file mode 100644 index 00000000..77cdd7bf --- /dev/null +++ b/roles/tpa_single_node/tasks/infra/storage.yml 
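Review bot: The assert in infra/oidc.yml only checks `tpa_single_node_oidc_provider_client_secret`, while the issuer URL, frontend id and provider client id that the auth ConfigMap and Deployment templates render are read from environment in vars/main.yml and go unchecked; an empty issuer URL silently keeps the keycloak branch selected above and produces an auth.yaml with empty issuer and client ids. Add them to the same `that:` list, e.g. `- tpa_single_node_oidc_issuer_url != ""` and `- tpa_single_node_oidc_provider_client_id != ""`. The `fail_msg` still reads `OIDC Walker Secret is not defined` although the variable was renamed in this commit; `fail_msg: OIDC provider client secret is not defined` matches the new name.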
@@ -0,0 +1,20 @@ +--- +- name: Check storage access and key secrets are defined + ansible.builtin.assert: + that: + - tpa_single_node_storage_access_key is defined + - tpa_single_node_storage_access_key != "" + - tpa_single_node_storage_secret_key is defined + - tpa_single_node_storage_secret_key != "" + fail_msg: Storage Access Key and Secret is not defined + +- name: Generate storage secret manifest + ansible.builtin.template: + src: "{{ role_path }}/templates/manifests/infra/Secret-storage.yaml.j2" + dest: "{{ tpa_single_node_storage_secret }}" + mode: "0600" + +- name: Apply storage secret manifest + containers.podman.podman_play: + kube_file: "{{ tpa_single_node_storage_secret }}" + state: started diff --git a/roles/tpa_single_node/tasks/podman/install_manifest.yml b/roles/tpa_single_node/tasks/install_manifest.yml similarity index 100% rename from roles/tpa_single_node/tasks/podman/install_manifest.yml rename to roles/tpa_single_node/tasks/install_manifest.yml diff --git a/roles/tpa_single_node/tasks/main.yml b/roles/tpa_single_node/tasks/main.yml index 3073ef4c..d43b843a 100644 --- a/roles/tpa_single_node/tasks/main.yml +++ b/roles/tpa_single_node/tasks/main.yml 
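Review bot: The "Generate storage secret manifest" task templates the OIDC client secret and the storage access and secret keys (only base64-encoded, per Secret-storage.yaml.j2) into `tpa_single_node_storage_secret` without `no_log`, so a run with `--diff` or higher verbosity prints the rendered content to the console and to any log collector. Add `no_log: true` to that task; the same consideration applies to the `podman_play` task that reads the file. The preceding assert is a good addition, but its single `fail_msg` covers two variables; naming which one is missing, or splitting the assert, would shorten debugging.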
@@ -13,3 +13,38 @@ vars: tpa_single_node_registry_username: "{{ lookup('env', 'TPA_SINGLE_NODE_REGISTRY_USERNAME') }}" tpa_single_node_registry_password: "{{ lookup('env', 'TPA_SINGLE_NODE_REGISTRY_PASSWORD') }}" + +# 1 Configuring external services, DB, SSO, SQS, S3 +- name: Configure infra dependencies + ansible.builtin.include_tasks: infra/main.yml + args: + apply: + become: true + +# Step 4, 6 and 7 +- name: Configure and deploy Guac + ansible.builtin.include_tasks: guac/main.yml + args: + apply: + become: true + +# Step 5 +- name: Configure/Deploy v11y walker + ansible.builtin.include_tasks: v11y/walker.yml + args: + apply: + become: true + +# Step 8 +- name: Configure/Deploy v11y api + ansible.builtin.include_tasks: v11y/api.yml + args: + apply: + become: true + +# Step 9 +- name: Configure/Deploy bombastic api + ansible.builtin.include_tasks: bombastic/api.yml + args: + apply: + become: true diff --git a/roles/tpa_single_node/tasks/podman.yml b/roles/tpa_single_node/tasks/podman.yml index 5bfe388b..e258e781 100644 --- a/roles/tpa_single_node/tasks/podman.yml +++ b/roles/tpa_single_node/tasks/podman.yml 
@@ -38,39 +38,3 @@ - ansible_facts['distribution_major_version'] == '9' containers.podman.podman_image: name: "{{ tpa_single_node_guac_image }}" - - # 1 Configuring external services, DB, SSO, SQS, S3 - -# @postgres-remove -- name: Configure/Deploy Postgres - ansible.builtin.include_tasks: podman/postgresql.yml - -# SQS -# S3 -# SSO - -# 2 Init DB for Guac -- name: Configure/Deploy guac init - ansible.builtin.include_tasks: podman/init_guac.yml - -# 3 V11y Walker -- name: Configure/Deploy v11y walker - ansible.builtin.include_tasks: podman/v11y_walker.yml - -# 4 Guac Collectsub -- name: Provision Guac collectsub - ansible.builtin.include_tasks: podman/guac_collectsub.yml - vars: - tpa_single_node_guac_csub_tls_cert_pem: "{{ lookup('file', tpa_single_node_guac_csub_tls_cert_pem_path) }}" - tpa_single_node_guac_csub_tls_cert_key: "{{ lookup('file', tpa_single_node_guac_csub_tls_cert_key_path) }}" - -# 5 Guac Graphql -- name: Provision Guac graphql - ansible.builtin.include_tasks: podman/guac_graphql.yml - vars: - tpa_single_node_guac_graphql_tls_cert_pem: "{{ lookup('file', tpa_single_node_guac_graphql_tls_cert_pem_path) }}" - tpa_single_node_guac_graphql_tls_cert_key: "{{ lookup('file', tpa_single_node_guac_graphql_tls_cert_key_path) }}" - -# 6 V11y api -- name: Configure/Deploy v11y api - ansible.builtin.include_tasks: podman/v11y_api.yml diff --git a/roles/tpa_single_node/tasks/podman/v11y_api.yml b/roles/tpa_single_node/tasks/podman/v11y_api.yml deleted file mode 100644 index aac04bf0..00000000 --- a/roles/tpa_single_node/tasks/podman/v11y_api.yml +++ /dev/null 
@@ -1,60 +0,0 @@ ---- -- name: Set OIDC variable - ansible.builtin.set_fact: - oidc: keycloak - -- name: Overwrite OIDC variable - ansible.builtin.set_fact: - oidc: cognito - when: "'cognito' in (tpa_single_node_oidc_issuer_url | string | safe)" - -- name: Check S3 Access key and Secret is defined - ansible.builtin.assert: - that: - - tpa_single_node_s3_access_key is defined - - tpa_single_node_s3_access_key != "" - - tpa_single_node_s3_secret_key is defined - - tpa_single_node_s3_secret_key != "" - fail_msg: S3 Access Key and Secret is not defined - -- name: Check OIDC Walker is defined - ansible.builtin.assert: - that: - - tpa_single_node_oidc_walker_secret is defined - - tpa_single_node_oidc_walker_secret != "" - fail_msg: OIDC Walker Secret is not defined - -- name: Generate v11y API secret manifest - ansible.builtin.template: - src: "{{ role_path }}/templates/manifests/v11y/api/Secret.yaml.j2" - dest: "{{ tpa_single_node_v11y_api_secret }}" - mode: "0600" - -- name: Play v11y API secret manifest - containers.podman.podman_play: - kube_file: "{{ tpa_single_node_v11y_api_secret }}" - state: started - -- name: Generate OIDC auth ConfigMap manifest - ansible.builtin.template: - src: "{{ role_path }}/templates/manifests/v11y/api/Configmap-{{ oidc }}.yaml.j2" - dest: "{{ tpa_single_node_v11y_api_config }}" - mode: "0600" - register: configmap_result - -- name: Retrieve the checksum of the ConfigMap - ansible.builtin.stat: - path: "{{ tpa_single_node_v11y_api_config }}" - checksum_algorithm: sha256 - register: cm_checksum - -- name: Deploy v11y-api Deployment - ansible.builtin.include_tasks: podman/install_manifest.yml - vars: - podman_spec: - state: started - systemd_file: v11y-api - network: "{{ tpa_single_node_podman_network }}" - kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/v11y/api/Deployment-s3.yaml.j2') | from_yaml }}" - configmap: "{{ tpa_single_node_v11y_api_config }}" - configmap_changed: "{{ configmap_result.changed }}" 
diff --git a/roles/tpa_single_node/tasks/v11y/api.yml b/roles/tpa_single_node/tasks/v11y/api.yml new file mode 100644 index 00000000..634c110b --- /dev/null +++ b/roles/tpa_single_node/tasks/v11y/api.yml @@ -0,0 +1,18 @@ +--- +- name: Create configmap auth for v11y-api + ansible.builtin.include_tasks: infra/component_auth.yml + vars: + component: + name: "v11y" + type: "api" + +- name: Deploy v11y-api + ansible.builtin.include_tasks: install_manifest.yml + vars: + podman_spec: + state: started + systemd_file: v11y-api + network: "{{ tpa_single_node_podman_network }}" + kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/v11y/api/Deployment.yaml.j2') | from_yaml }}" + configmap: "{{ tpa_single_node_kube_manifest_dir }}/v11y-api-configmap.yml" + configmap_changed: oidc_configmap_result.changed diff --git a/roles/tpa_single_node/tasks/podman/v11y_walker.yml b/roles/tpa_single_node/tasks/v11y/walker.yml similarity index 94% rename from roles/tpa_single_node/tasks/podman/v11y_walker.yml rename to roles/tpa_single_node/tasks/v11y/walker.yml index 01792e4a..7a6c5a8c 100644 --- a/roles/tpa_single_node/tasks/podman/v11y_walker.yml +++ b/roles/tpa_single_node/tasks/v11y/walker.yml @@ -26,7 +26,7 @@ state: present - name: Deploy v11walker Pod - ansible.builtin.include_tasks: podman/install_manifest.yml + ansible.builtin.include_tasks: install_manifest.yml vars: podman_spec: state: stopped diff --git a/roles/tpa_single_node/templates/manifests/bombastic/api/020-ConfigMap-auth.yaml b/roles/tpa_single_node/templates/manifests/bombastic/api/020-ConfigMap-auth.yaml deleted file mode 100644 index 984d311b..00000000 --- a/roles/tpa_single_node/templates/manifests/bombastic/api/020-ConfigMap-auth.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: bombastic-api-auth - labels: - app.kubernetes.io/name: bombastic-api-auth - app.kubernetes.io/component: bombastic - app.kubernetes.io/instance: redhat-trusted-profile-analyzer - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/part-of: trusted-profile-analyzer -data: - auth.yaml: "\nauthentication:\n clients:\n\n - clientId: frontend\n \ - \ issuerUrl: https://sso$APP_DOMAIN_URL/realms/chicken\n scopeMappings:\ - \ &keycloakScopeMappings\n \"create:document\": [ \"create.sbom\",\ - \ \"create.vex\" ]\n \"read:document\": [ \"read.sbom\", \"read.vex\"\ - \ ]\n \"update:document\": [ \"update.sbom\", \"update.vex\" ]\n \ - \ \"delete:document\": [ \"delete.sbom\", \"delete.vex\" ]\n\n - clientId:\ - \ walker\n issuerUrl: https://sso$APP_DOMAIN_URL/realms/chicken\n \ - \ scopeMappings: *keycloakScopeMappings\n" diff --git a/roles/tpa_single_node/templates/manifests/bombastic/api/030-Deployment.yaml b/roles/tpa_single_node/templates/manifests/bombastic/api/Deployment.yaml.j2 similarity index 71% rename from roles/tpa_single_node/templates/manifests/bombastic/api/030-Deployment.yaml rename to roles/tpa_single_node/templates/manifests/bombastic/api/Deployment.yaml.j2 index 0a1ca979..afc823b2 100644 --- a/roles/tpa_single_node/templates/manifests/bombastic/api/030-Deployment.yaml +++ b/roles/tpa_single_node/templates/manifests/bombastic/api/Deployment.yaml.j2 @@ -1,13 +1,14 @@ +apiVersion: apps/v1 kind: Deployment metadata: name: bombastic-api + namespace: "{{ tpa_single_node_namespace }}" labels: app.kubernetes.io/name: bombastic-api app.kubernetes.io/component: bombastic app.kubernetes.io/instance: redhat-trusted-profile-analyzer app.kubernetes.io/version: 1.1.1 app.kubernetes.io/part-of: trusted-profile-analyzer - annotations: null spec: replicas: 1 selector: 
@@ -24,27 +25,23 @@ spec: annotations: configHash/auth: f1603b2e10b24822d2b2ae28973e973fb20d68559f0caff8327d5a9a7326b106 spec: + volumes: + - name: config-auth + configMap: + name: bombastic-api-auth + - name: tls + secret: + secretName: storage_secret containers: - name: service - image: registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:044b6070e52378a93cbcd65cbd5d10b866f102ee8d6040b92147df7b52202e83 + image: "{{ tpa_single_node_trustification_image }}" imagePullPolicy: IfNotPresent - livenessProbe: - initialDelaySeconds: 2 - httpGet: - path: /health/live - port: 9010 - readinessProbe: - initialDelaySeconds: 2 - httpGet: - path: /health/ready - port: 9010 - command: - - /trust + command: ["/trust"] args: - bombastic - api - -p - - '8080' + - "8080" - --validator - sbom - --index-mode 
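Review bot: The pod annotation `configHash/auth` in this hunk is still the hard-coded digest `f1603b2e…`, while the new infra/component_auth.yml registers `oidc_configmap_checksum` for bombastic exactly as it does for v11y, whose Deployment.yaml.j2 consumes it; as written, a change to the bombastic auth ConfigMap does not alter the pod spec. Replace it with `configHash/auth: "{{ oidc_configmap_checksum.stat.checksum }}"`. The added `tls` volume points at `secretName: storage_secret`, but Secret-storage.yaml.j2 in this commit only carries `client_secret`, `storage_access_key` and `storage_secret_key`, so there is no `tls.key`/`tls.crt` to mount when TLS is switched back on; a comment such as `# TODO: point at a TLS secret before re-enabling HTTP_SERVER_TLS_ENABLED` would keep that visible.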
@@ -52,48 +49,53 @@ spec: - --auth-configuration - /etc/config/auth.yaml env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace +# - name: NAMESPACE +# valueFrom: +# fieldRef: +# fieldPath: metadata.namespace - name: RUST_LOG value: info - name: INFRASTRUCTURE_ENABLED - value: 'true' + value: "true" - name: INFRASTRUCTURE_BIND - value: '[::]:9010' + value: "[::]:9010" - name: HTTP_SERVER_BIND_ADDR - value: '::' + value: "::" - name: HTTP_SERVER_TLS_ENABLED - value: 'true' + value: 'false' - name: HTTP_SERVER_TLS_KEY_FILE value: /etc/tls/tls.key - name: HTTP_SERVER_TLS_CERTIFICATE_FILE value: /etc/tls/tls.crt - name: OIDC_PROVIDER_CLIENT_ID - value: walker + value: "{{ tpa_single_node_oidc_provider_client_id }}" - name: OIDC_PROVIDER_CLIENT_SECRET - value: 6560cc91-4e20-4edd-881c-b15b169f8a80 + valueFrom: + secretKeyRef: + key: client_secret + name: storage_secret - name: OIDC_PROVIDER_ISSUER_URL - value: https://sso$APP_DOMAIN_URL/realms/chicken + value: "{{ tpa_single_node_oidc_issuer_url }}" - name: STORAGE_ACCESS_KEY valueFrom: secretKeyRef: - key: root-user - name: infrastructure-minio + key: storage_access_key + name: storage_secret - name: STORAGE_SECRET_KEY valueFrom: secretKeyRef: - key: root-password - name: infrastructure-minio + key: storage_secret_key + name: storage_secret +{% if tpa_single_node_storage_endpoint is defined %} - name: STORAGE_ENDPOINT - value: http://infrastructure-minio:9000 + value: "{{ tpa_single_node_storage_endpoint }}" +{% endif %} - name: STORAGE_REGION - value: eu-west-1 + value: "{{ tpa_single_node_storage_region }}" - name: STORAGE_BUCKET - value: bombastic-default + value: "{{ tpa_single_node_storage_bombastic_bucket }}" - name: SWAGGER_UI_OIDC_ISSUER_URL - value: https://sso$APP_DOMAIN_URL/realms/chicken + value: "{{ tpa_single_node_oidc_issuer_url }}" - name: INDEX_SYNC_INTERVAL value: 1m ports: 
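Review bot: Setting `HTTP_SERVER_TLS_ENABLED` to `'false'` leaves the bombastic API serving plaintext on 8080 while `HTTP_SERVER_TLS_KEY_FILE` and `HTTP_SERVER_TLS_CERTIFICATE_FILE` still point at `/etc/tls/…`, a path backed by the non-TLS `storage_secret` volume; the commit message calls this temporary, so the hunk should say so, e.g. `# TODO: re-enable once a TLS secret is provisioned (see volumes.tls)` above the env entry, and whether a front proxy terminates TLS for this listener is not visible here. Moving `OIDC_PROVIDER_CLIENT_SECRET` to a `secretKeyRef` is the right change. Stylistically, this hunk switches the other values to double quotes but leaves `'false'` single-quoted, and the four commented-out `NAMESPACE` lines would be cleaner deleted or wrapped in a Jinja comment `{# … #}` so they do not survive into the rendered manifest.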
@@ -110,10 +112,13 @@ spec: - name: config-auth mountPath: /etc/config/auth.yaml subPath: auth.yaml - volumes: - - name: tls - secret: - secretName: bombastic-api-tls - - name: config-auth - configMap: - name: bombastic-api-auth + livenessProbe: + initialDelaySeconds: 2 + httpGet: + path: /health/live + port: 9010 + readinessProbe: + initialDelaySeconds: 2 + httpGet: + path: /health/ready + port: 9010 diff --git a/roles/tpa_single_node/templates/manifests/v11y/api/Configmap-cognito.yaml.j2 b/roles/tpa_single_node/templates/manifests/infra/Configmap-cognito.yaml.j2 similarity index 79% rename from roles/tpa_single_node/templates/manifests/v11y/api/Configmap-cognito.yaml.j2 rename to roles/tpa_single_node/templates/manifests/infra/Configmap-cognito.yaml.j2 index fa3a5403..ee248efc 100644 --- a/roles/tpa_single_node/templates/manifests/v11y/api/Configmap-cognito.yaml.j2 +++ b/roles/tpa_single_node/templates/manifests/infra/Configmap-cognito.yaml.j2 @@ -1,17 +1,16 @@ kind: ConfigMap apiVersion: v1 metadata: - name: v11y_api_config + name: "{{ component.name }}-{{ component.type }}-auth" namespace: "{{ tpa_single_node_namespace }}" labels: - app: v11y-api - component: v11y - + app: "{{ component.name }}-{{ component.type }}" + component: "{{ component.name }}" data: auth.yaml: | authentication: clients: - - clientId: "{{ tpa_single_node_oidc_frontend }}" + - clientId: "{{ tpa_single_node_oidc_frontend_id }}" issuerUrl: "{{ tpa_single_node_oidc_issuer_url }}" additionalPermissions: - "read.sbom" @@ -26,9 +25,7 @@ data: - "update.vex" - "delete.sbom" - "delete.vex" - - - - clientId: "{{ tpa_single_node_oidc_walker }}" + - clientId: "{{ tpa_single_node_oidc_provider_client_id }}" issuerUrl: "{{ tpa_single_node_oidc_issuer_url }}" scopeMappings: "trustification/bombastic": 
diff --git a/roles/tpa_single_node/templates/manifests/v11y/api/Configmap-keycloak.yaml.j2 b/roles/tpa_single_node/templates/manifests/infra/Configmap-keycloak.yaml.j2 similarity index 69% rename from roles/tpa_single_node/templates/manifests/v11y/api/Configmap-keycloak.yaml.j2 rename to roles/tpa_single_node/templates/manifests/infra/Configmap-keycloak.yaml.j2 index 7ce9af45..68f9236b 100644 --- a/roles/tpa_single_node/templates/manifests/v11y/api/Configmap-keycloak.yaml.j2 +++ b/roles/tpa_single_node/templates/manifests/infra/Configmap-keycloak.yaml.j2 @@ -1,24 +1,22 @@ kind: ConfigMap apiVersion: v1 metadata: - name: v11y_api_config + name: "{{ component.name }}-{{ component.type }}-auth" namespace: "{{ tpa_single_node_namespace }}" labels: - app: v11y-api - component: v11y - + app: "{{ component.name }}-{{ component.type }}" + component: "{{ component.name }}" data: auth.yaml: | authentication: clients: - - clientId: "{{ tpa_single_node_oidc_frontend }}" + - clientId: "{{ tpa_single_node_oidc_frontend_id }}" issuerUrl: "{{ tpa_single_node_oidc_issuer_url }}" scopeMappings: &keycloakScopeMappings "create:document": [ "create.sbom", "create.vex" ] "read:document": [ "read.sbom", "read.vex" ] "update:document": [ "update.sbom", "update.vex" ] "delete:document": [ "delete.sbom", "delete.vex" ] - - - clientId: "{{ tpa_single_node_oidc_walker }}" + - clientId: "{{ tpa_single_node_oidc_provider_client_id }}" issuerUrl: "{{ tpa_single_node_oidc_issuer_url }}" scopeMappings: *keycloakScopeMappings diff --git a/roles/tpa_single_node/templates/manifests/infra/Secret-storage.yaml.j2 b/roles/tpa_single_node/templates/manifests/infra/Secret-storage.yaml.j2 new file mode 100644 index 00000000..cab0a64d --- /dev/null +++ b/roles/tpa_single_node/templates/manifests/infra/Secret-storage.yaml.j2 
@@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: storage_secret +data: + client_secret: "{{ tpa_single_node_oidc_provider_client_secret | b64encode }}" + storage_access_key: "{{ tpa_single_node_storage_access_key | b64encode }}" + storage_secret_key: "{{ tpa_single_node_storage_secret_key | b64encode }}" diff --git a/roles/tpa_single_node/templates/manifests/v11y/api/Deployment-s3.yaml.j2 b/roles/tpa_single_node/templates/manifests/v11y/api/Deployment.yaml.j2 similarity index 81% rename from roles/tpa_single_node/templates/manifests/v11y/api/Deployment-s3.yaml.j2 rename to roles/tpa_single_node/templates/manifests/v11y/api/Deployment.yaml.j2 index 516777ae..bcfb2945 100644 --- a/roles/tpa_single_node/templates/manifests/v11y/api/Deployment-s3.yaml.j2 +++ b/roles/tpa_single_node/templates/manifests/v11y/api/Deployment.yaml.j2 @@ -25,15 +25,15 @@ spec: app.kubernetes.io/component: v11y app.kubernetes.io/instance: redhat-trusted-profile-analyzer annotations: - config/checksum: "{{ cm_checksum.stat.checksum }}" + config/checksum: "{{ oidc_configmap_checksum.stat.checksum }}" spec: volumes: - name: config-auth configMap: - name: v11y_api_config + name: v11y-api-auth - name: v11yapisecret secret: - secretName: v11y_api_secret + secretName: storage_secret containers: - image: "{{ tpa_single_node_trustification_image }}" imagePullPolicy: IfNotPresent @@ -48,7 +48,6 @@ spec: - "file" - "--auth-configuration" - "/etc/config/auth.yaml" - ports: - containerPort: 9010 protocol: TCP @@ -56,7 +55,6 @@ spec: - containerPort: 8080 name: endpoint protocol: TCP - volumeMounts: - name: config-auth mountPath: /etc/config/auth.yaml @@ -68,13 +66,11 @@ spec: httpGet: path: /health/live port: 9010 - readinessProbe: initialDelaySeconds: 2 httpGet: path: /health/ready port: 9010 - env: - name: RUST_LOG value: "info" 
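Review bot: The new Secret omits `metadata.namespace`, while the ConfigMap and Deployment templates in this commit all set `namespace: "{{ tpa_single_node_namespace }}"`; add `  namespace: "{{ tpa_single_node_namespace }}"` under `name:` so the secret is played into the same namespace the Deployments' `secretKeyRef` entries resolve in. `storage_secret` contains an underscore, which Kubernetes rejects for `metadata.name` (DNS-1123 subdomain); the old `v11y_api_secret` presumably worked under podman's kube play, but a hyphenated name such as `storage-secret` keeps the manifest portable. The name also undersells the content: the OIDC client secret lives here too, which matters when deciding who may read the rendered file on the target node.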
@@ -86,31 +82,30 @@ spec: value: "::" - name: INDEX_SYNC_INTERVAL value: 1m - - name: OIDC_PROVIDER_ISSUER_URL value: "{{ tpa_single_node_oidc_issuer_url }}" - name: OIDC_PROVIDER_CLIENT_ID - value: "{{ tpa_single_node_oidc_walker }}" + value: "{{ tpa_single_node_oidc_provider_client_id }}" - name: OIDC_PROVIDER_CLIENT_SECRET valueFrom: secretKeyRef: key: client_secret - name: v11y_api_secret -{% if tpa_single_node_s3_minio_endpoint is defined %} + name: storage_secret +{% if tpa_single_node_storage_endpoint is defined %} - name: STORAGE_ENDPOINT - value: "{{ tpa_single_node_s3_minio_endpoint }}" + value: "{{ tpa_single_node_storage_endpoint }}" {% endif %} - name: STORAGE_REGION - value: "{{ tpa_single_node_s3_storage_region }}" + value: "{{ tpa_single_node_storage_region }}" - name: STORAGE_BUCKET - value: "{{ tpa_single_node_s3_v11y_bucket }}" + value: "{{ tpa_single_node_storage_v11y_bucket }}" - name: STORAGE_ACCESS_KEY valueFrom: secretKeyRef: - key: s3_access_key - name: v11y_api_secret + key: storage_access_key + name: storage_secret - name: STORAGE_SECRET_KEY valueFrom: secretKeyRef: - key: s3_secret_key - name: v11y_api_secret + key: storage_secret_key + name: storage_secret diff --git a/roles/tpa_single_node/templates/manifests/v11y/api/Secret.yaml.j2 b/roles/tpa_single_node/templates/manifests/v11y/api/Secret.yaml.j2 deleted file mode 100644 index 96454a89..00000000 --- a/roles/tpa_single_node/templates/manifests/v11y/api/Secret.yaml.j2 +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: v11y_api_secret -data: - client_secret: "{{ tpa_single_node_oidc_walker_secret | b64encode }}" - s3_access_key: "{{ tpa_single_node_s3_access_key | b64encode }}" - s3_secret_key: "{{ tpa_single_node_s3_secret_key | b64encode }}" diff --git a/roles/tpa_single_node/templates/manifests/v11y/walker/Deployment.yaml b/roles/tpa_single_node/templates/manifests/v11y/walker/Deployment.yaml index ffd1a011..27c9c542 100644 
--- a/roles/tpa_single_node/templates/manifests/v11y/walker/Deployment.yaml +++ b/roles/tpa_single_node/templates/manifests/v11y/walker/Deployment.yaml @@ -56,11 +56,11 @@ spec: - name: INFRASTRUCTURE_BIND value: "[::]:9010" - name: STORAGE_ACCESS_KEY - value: "{{ tpa_single_node_s3_access_key }}" + value: "{{ tpa_single_node_storage_access_key }}" - name: STORAGE_SECRET_KEY - value: "{{ tpa_single_node_s3_secret_key }}" + value: "{{ tpa_single_node_storage_secret_key }}" - name: STORAGE_ENDPOINT - value: "{{ tpa_single_node_s3_minio_endpoint }}" + value: "{{ tpa_single_node_storage_endpoint }}" - name: STORAGE_REGION value: "eu-west-1" # just a dummy value - name: STORAGE_BUCKET diff --git a/roles/tpa_single_node/vars/main.yml b/roles/tpa_single_node/vars/main.yml index 39cf2919..87ecb9ae 100644 --- a/roles/tpa_single_node/vars/main.yml +++ b/roles/tpa_single_node/vars/main.yml @@ -8,9 +8,9 @@ tpa_single_node_namespace: trustification tpa_single_node_podman_network: tcnet tpa_single_node_skip_os_install: true tpa_single_node_systemd_directory: /etc/systemd/system +tpa_single_node_default_empty: "" # DB_SERVICE -# TODO - Workaround for PostgreSQL PG_HBA issue tpa_single_node_pg_host: 192.168.121.60 tpa_single_node_pg_port: 5432 tpa_single_node_pg_db: guac 
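Review bot: The walker Deployment still injects `STORAGE_ACCESS_KEY` and `STORAGE_SECRET_KEY` as plain `value:` strings from the role vars, so the credentials land in clear text in the rendered manifest on disk and in the pod spec, whereas the two API Deployments in this commit read the same values from `storage_secret` via `secretKeyRef`. Since infra/storage.yml plays that secret before v11y/walker.yml runs (per the ordering in tasks/main.yml), the walker can use the same references. The enclosing `env:` list starts and ends outside this hunk.
```yaml
          - name: STORAGE_ACCESS_KEY
            valueFrom:
              secretKeyRef:
                key: storage_access_key
                name: storage_secret
          - name: STORAGE_SECRET_KEY
            valueFrom:
              secretKeyRef:
                key: storage_secret_key
                name: storage_secret
          # … unchanged: STORAGE_ENDPOINT, STORAGE_REGION, STORAGE_BUCKET …
```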
@@ -18,21 +18,22 @@ tpa_single_node_pg_user: guac tpa_single_node_pg_user_passwd: guac1234 tpa_single_node_pg_ssl_mode: disable -# S3_SERVICE -tpa_single_node_s3_url: -tpa_single_node_s3_access_key: "{{ lookup('env', 'TPA_S3_ACCESS_KEY') }}" # Export S3 access key -tpa_single_node_s3_secret_key: "{{ lookup('env', 'TPA_S3_SECRET_KEY') }}" # Export S3 Secret key -tpa_single_node_s3_v11y_bucket: # -tpa_single_node_s3_storage_region: # # For Minio just keep us-west-1 -tpa_single_node_s3_minio_endpoint: # +# Storage Service (S3 or Minio) +tpa_single_node_storage_endpoint: # +tpa_single_node_storage_region: # # For Minio just keep us-west-1 +tpa_single_node_storage_access_key: "{{ lookup('env', 'TPA_STORAGE_ACCESS_KEY') }}" +tpa_single_node_storage_secret_key: "{{ lookup('env', 'TPA_STORAGE_SECRET_KEY') }}" +tpa_single_node_storage_bombastic_bucket: bombastic-default # +tpa_single_node_storage_v11y_bucket: v11y-default # # SQS_SERVICE -# SSO_SERVICE -tpa_single_node_oidc_issuer_url: # -tpa_single_node_oidc_frontend: # -tpa_single_node_oidc_walker: # -tpa_single_node_oidc_walker_secret: "{{ lookup('env', 'TPA_OIDC_WALKER_SECRET') }}" # Export AWS Cognito or Keycloak walker Secret +# SSO_SERVICE - Keycloak or AWS Cognito +# Issuer URL with endpoint auth/realms/chicken +tpa_single_node_oidc_issuer_url: "{{ lookup('env', 'TPA_STORAGE_OIDC_ISSUER_URL') | default('tpa_single_node_default_empty', true) }}" +tpa_single_node_oidc_frontend_id: "{{ lookup('env', 'TPA_STORAGE_OIDC_FRONTEND_ID') | default('tpa_single_node_default_empty', true) }}" +tpa_single_node_oidc_provider_client_id: "{{ lookup('env', 'TPA_STORAGE_OIDC_PROVIDER_CLIENT_ID') | default('tpa_single_node_default_empty', true) }}" +tpa_single_node_oidc_provider_client_secret: "{{ lookup('env', 'TPA_OIDC_PROVIDER_CLIENT_SECRET') | default('tpa_single_node_default_empty', true) }}" # TSL Certificates tpa_single_node_guac_csub_tls_cert_pem_path: "{{ tpa_single_node_certificates_dir }}/guac-collectsub-tls-certificate.pem" 
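Review bot: The four OIDC lookups in this hunk default to the quoted literal `'tpa_single_node_default_empty'`, so an unset environment variable yields the string "tpa_single_node_default_empty" rather than the empty value the new `tpa_single_node_default_empty: ""` key was added to provide, and the `!= ""` assert in infra/oidc.yml will not catch it. Drop the quotes so the variable is referenced, `| default(tpa_single_node_default_empty, true)`, or simply use `| default('', true)`. The provider client id is read from `TPA_STORAGE_OIDC_PROVIDER_CLIENT_ID` while the README hunk in this commit tells users to export `TPA_OIDC_PROVIDER_CLIENT_ID`, so one of them must change (and `TPA_STORAGE_OIDC_*` is a misleading prefix for SSO settings). Note also that `tpa_single_node_storage_endpoint: #` sets an explicit null, and a null variable still satisfies the `is defined` tests in the Deployment templates, so the STORAGE_ENDPOINT env entry is likely rendered with an empty value unless the key is removed or the test becomes `is defined and tpa_single_node_storage_endpoint`.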
@@ -40,6 +41,5 @@ tpa_single_node_guac_csub_tls_cert_key_path: "{{ tpa_single_node_certificates_di tpa_single_node_guac_graphql_tls_cert_pem_path: "{{ tpa_single_node_certificates_dir }}/guac-graphql-tls-certificate.pem" tpa_single_node_guac_graphql_tls_cert_key_path: "{{ tpa_single_node_certificates_dir }}/guac-graphql-tls-certificate.key" -# Secret, certs and Configmap locations -tpa_single_node_v11y_api_config: "{{ tpa_single_node_kube_manifest_dir }}/v11y-api-configmap.yaml" -tpa_single_node_v11y_api_secret: "{{ tpa_single_node_kube_manifest_dir }}/v11y-api-secret.yaml" +# Target node(s) - Secret and Configmap locations +tpa_single_node_storage_secret: "{{ tpa_single_node_kube_manifest_dir }}/storage-secret.yaml"