|
| 1 | +--- |
| 2 | +apiVersion: tekton.dev/v1beta1 |
| 3 | +kind: Pipeline |
| 4 | +metadata: |
| 5 | + name: mas-cli-deploy |
| 6 | + namespace: default |
| 7 | +spec: |
| 8 | + workspaces: |
| 9 | + - name: ws |
| 10 | + params: |
| 11 | + - name: namespace |
| 12 | + type: string |
| 13 | + default: "maximo-suite" |
| 14 | + - name: mas-instance-id |
| 15 | + type: string |
| 16 | + default: "inst1" |
| 17 | + - name: mas-workspace-id |
| 18 | + type: string |
| 19 | + default: "maxworkspace" |
| 20 | + - name: mas-workspace-name |
| 21 | + type: string |
| 22 | + default: "My Maximo Workspace" |
| 23 | + - name: mas-catalog-version |
| 24 | + type: string |
| 25 | + description: "Do not change this unless you know what you are doing" |
| 26 | + default: "v8-amd64" |
| 27 | + - name: mas-channel |
| 28 | + type: string |
| 29 | + description: "Controls version of Maximo Operators. Do not change this unless you know what you are doing." |
| 30 | + default: "8.11.x" |
| 31 | + - name: license-file-secret-name |
| 32 | + description: "Store your BYOL license key stored as a base64 encoded arbitrary secret in the kube-system namespace. provide the name of the secret here. the defaul is false which means the pipeline will attempt to download a techzone license" |
| 33 | + type: string |
| 34 | + default: "false" |
| 35 | + - name: use-letsencrypt-certs |
| 36 | + description: "use generated letsencrypt certs stored as a secret in the openshift-config namespace under letsencrypt-certs, if false, will generate self-signed certs" |
| 37 | + type: string |
| 38 | + default: "true" |
| 39 | + - name: ibm-entitlement-key |
| 40 | + description: "IBM entitlement key. If not set, will use secret manager." |
| 41 | + type: string |
| 42 | + default: "false" |
| 43 | + - name: uds-email |
| 44 | + description: "Contact Email" |
| 45 | + type: string |
| 46 | + - name: uds-firstname |
| 47 | + description: "Contact first name" |
| 48 | + type: string |
| 49 | + - name: uds-lastname |
| 50 | + description: "Contact last name" |
| 51 | + type: string |
| 52 | + - name: storage-rwo |
| 53 | + description: "RWO Storage Class" |
| 54 | + type: string |
| 55 | + default: "ocs-storagecluster-cephfs" |
| 56 | + - name: storage-rwx |
| 57 | + description: "RWX Storage Class" |
| 58 | + type: string |
| 59 | + default: "ocs-storagecluster-cephfs" |
| 60 | + - name: storage-pipeline |
| 61 | + description: "Pipeline Storage Class" |
| 62 | + type: string |
| 63 | + default: "ocs-storagecluster-cephfs" |
| 64 | + - name: storage-accessmode |
| 65 | + description: "Install Pipeline storage class access mode (ReadWriteMany or ReadWriteOnce)" |
| 66 | + type: string |
| 67 | + default: "ReadWriteMany" |
| 68 | + finally: |
| 69 | + - name: update-configmap-failure |
| 70 | + when: |
| 71 | + - input: $(tasks.install-mas.status) |
| 72 | + operator: notin |
| 73 | + values: ["Succeeded"] |
| 74 | + taskRef: |
| 75 | + kind: Task |
| 76 | + name: ibm-pak |
| 77 | + params: |
| 78 | + - name: SCRIPT |
| 79 | + value: | |
| 80 | + oc patch configmap/pipeline-output -p '{"data":{"Status":"Pipeline run failed. See Pipeline run for more details and consider running the pipeline again."}}' |
| 81 | + - name: update-configmap-success |
| 82 | + when: |
| 83 | + - input: $(tasks.install-mas.status) |
| 84 | + operator: in |
| 85 | + values: ["Succeeded"] |
| 86 | + taskRef: |
| 87 | + kind: Task |
| 88 | + name: ibm-pak |
| 89 | + params: |
| 90 | + - name: SCRIPT |
| 91 | + value: | |
| 92 | + # get and echo the pipeline the mas installer created |
| 93 | + oc patch configmap/pipeline-output -p '{"data":{"Status":"Deployment Pipeline Running."}}' |
| 94 | + tasks: |
| 95 | + - name: get-ibm-entitlement-key |
| 96 | + taskRef: |
| 97 | + name: ibmcloud-secrets-manager-get |
| 98 | + kind: Task |
| 99 | + params: |
| 100 | + - name: KEY_ID |
| 101 | + value: 968d7819-f2c5-7b67-c420-3c6bfd51521e |
| 102 | + - name: SECRETS_MANAGER_ENDPOINT_URL |
| 103 | + value: >- |
| 104 | + https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud |
| 105 | + - name: set-retrieved-entitlement-key |
| 106 | + when: |
| 107 | + - input: "$(params.ibm-entitlement-key)" |
| 108 | + operator: in |
| 109 | + values: ["false"] |
| 110 | + runAfter: |
| 111 | + - get-ibm-entitlement-key |
| 112 | + params: |
| 113 | + - name: retrieved-entitlement-key |
| 114 | + value: $(tasks.get-ibm-entitlement-key.results.secret-value) |
| 115 | + workspaces: |
| 116 | + - name: ws |
| 117 | + taskSpec: |
| 118 | + workspaces: |
| 119 | + - name: ws |
| 120 | + params: |
| 121 | + - name: retrieved-entitlement-key |
| 122 | + steps: |
| 123 | + - name: set-entitlement-key |
| 124 | + image: quay.io/openshift/origin-cli:4.10 |
| 125 | + script: | |
| 126 | + #!/usr/bin/env bash |
| 127 | + echo $(params.retrieved-entitlement-key) > $(workspaces.ws.path)/ek.dat |
| 128 | + echo "ek.dat created" |
| 129 | + exit |
| 130 | + - name: set-provided-entitlement-key |
| 131 | + workspaces: |
| 132 | + - name: ws |
| 133 | + params: |
| 134 | + - name: provided-entitlement-key |
| 135 | + value: "$(params.ibm-entitlement-key)" |
| 136 | + taskSpec: |
| 137 | + workspaces: |
| 138 | + - name: ws |
| 139 | + params: |
| 140 | + - name: provided-entitlement-key |
| 141 | + steps: |
| 142 | + - name: set-entitlement |
| 143 | + image: quay.io/openshift/origin-cli:4.10 |
| 144 | + script: | |
| 145 | + #!/usr/bin/env bash |
| 146 | + echo $(params.provided-entitlement-key) > $(workspaces.ws.path)/ek.dat |
| 147 | + echo "ek.dat created" |
| 148 | + exit |
| 149 | + - name: get-maximo-licensefile |
| 150 | + workspaces: |
| 151 | + - name: ws |
| 152 | + runAfter: |
| 153 | + - set-provided-entitlement-key |
| 154 | + - set-retrieved-entitlement-key |
| 155 | + params: |
| 156 | + - name: KEY_ID |
| 157 | + value: 0ae3295c-95dd-c323-82af-1be5587d998f |
| 158 | + - name: SECRETS_MANAGER_ENDPOINT_URL |
| 159 | + value: >- |
| 160 | + https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud |
| 161 | + - name: LICENSE_FILE_SECRET_NAME |
| 162 | + value: "$(params.license-file-secret-name)" |
| 163 | + taskSpec: |
| 164 | + workspaces: |
| 165 | + - name: ws |
| 166 | + params: |
| 167 | + - name: KEY_ID |
| 168 | + - name: SECRETS_MANAGER_ENDPOINT_URL |
| 169 | + - name: LICENSE_FILE_SECRET_NAME |
| 170 | + steps: |
| 171 | + - name: write-maximo-licensefile |
| 172 | + image: quay.io/openshift/origin-cli:4.12 |
| 173 | + script: | |
| 174 | + #!/usr/bin/env bash |
| 175 | +
|
| 176 | + if [[ $(params.LICENSE_FILE_SECRET_NAME) == "false" ]]; then |
| 177 | + # Retrieve the IBM Cloud API Key configured in a `deployer` cluster |
| 178 | + export IBMCLOUD_API_KEY=$(oc get secret ibm-secret -n kube-system -o jsonpath='{.data.apiKey}' | base64 -d) |
| 179 | + export AUTH_RESPONSE_JSON=$(curl -s -X POST \ |
| 180 | + "https://iam.cloud.ibm.com/identity/token" \ |
| 181 | + --header 'Content-Type: application/x-www-form-urlencoded' \ |
| 182 | + --header 'Accept: application/json' \ |
| 183 | + --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey' \ |
| 184 | + --data-urlencode "apikey=${IBMCLOUD_API_KEY}") |
| 185 | + export ACCESS_TOKEN=$(echo $AUTH_RESPONSE_JSON | grep -o '"access_token":"[^"]*' | grep -o '[^"]*$') |
| 186 | + export SECRET_JSON=$(curl -s -X GET --location --header "Authorization: Bearer ${ACCESS_TOKEN}" --header "Accept: application/json" "$(params.SECRETS_MANAGER_ENDPOINT_URL)/api/v2/secrets/$(params.KEY_ID)") |
| 187 | + echo $SECRET_JSON | grep -o '"payload":"[^"]*' | grep -o '[^"]*$' | base64 -d > $(workspaces.ws.path)/license.dat |
| 188 | +
|
| 189 | + else |
| 190 | + oc get secret $(params.LICENSE_FILE_SECRET_NAME) -n default -o jsonpath='{.data.licensefile}' | base64 -d | base64 -d > $(workspaces.ws.path)/license.dat |
| 191 | + fi |
| 192 | +
|
| 193 | + cat $(workspaces.ws.path)/license.dat |
| 194 | + - name: get-tls-certs |
| 195 | + when: |
| 196 | + - input: "$(params.use-letsencrypt-certs)" |
| 197 | + operator: in |
| 198 | + values: ["true"] |
| 199 | + retries: 2 |
| 200 | + runAfter: |
| 201 | + - get-maximo-licensefile |
| 202 | + workspaces: |
| 203 | + - name: ws |
| 204 | + taskSpec: |
| 205 | + workspaces: |
| 206 | + - name: ws |
| 207 | + steps: |
| 208 | + - name: get-tls-certs |
| 209 | + image: quay.io/openshift/origin-cli:4.12 |
| 210 | + script: | |
| 211 | + mkdir -p $(workspaces.ws.path)/masconfig/certs |
| 212 | + wget -qO - https://letsencrypt.org/certs/lets-encrypt-r3.pem > $(workspaces.ws.path)/masconfig/certs/ca.crt |
| 213 | + oc get secret letsencrypt-certs -n openshift-config -o jsonpath="{.data['tls\.key']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/tls.key |
| 214 | + oc get secret letsencrypt-certs -n openshift-config -o jsonpath="{.data['tls\.crt']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/tls.crt |
| 215 | + echo "certs downloaded to masconfig" |
| 216 | + ls $(workspaces.ws.path)/masconfig/certs/ |
| 217 | + echo "tls.key:" |
| 218 | + cat $(workspaces.ws.path)/masconfig/certs/tls.key |
| 219 | + echo "tls.crt:" |
| 220 | + cat $(workspaces.ws.path)/masconfig/certs/tls.crt |
| 221 | + - name: install-mas |
| 222 | + retries: 2 |
| 223 | + runAfter: |
| 224 | + - get-tls-certs |
| 225 | + - get-maximo-licensefile |
| 226 | + workspaces: |
| 227 | + - name: ws |
| 228 | + params: |
| 229 | + - name: mas-instance-id |
| 230 | + value: "$(params.mas-instance-id)" |
| 231 | + - name: mas-workspace-id |
| 232 | + value: "$(params.mas-workspace-id)" |
| 233 | + - name: mas-workspace-name |
| 234 | + value: "$(params.mas-workspace-name)" |
| 235 | + - name: mas-catalog-version |
| 236 | + value: "$(params.mas-catalog-version)" |
| 237 | + - name: mas-channel |
| 238 | + value: "$(params.mas-channel)" |
| 239 | + - name: uds-email |
| 240 | + value: "$(params.uds-email)" |
| 241 | + - name: uds-firstname |
| 242 | + value: "$(params.uds-firstname)" |
| 243 | + - name: uds-lastname |
| 244 | + value: "$(params.uds-lastname)" |
| 245 | + - name: storage-rwo |
| 246 | + value: "$(params.storage-rwo)" |
| 247 | + - name: storage-rwx |
| 248 | + value: "$(params.storage-rwx)" |
| 249 | + - name: storage-pipeline |
| 250 | + value: "$(params.storage-pipeline)" |
| 251 | + - name: storage-accessmode |
| 252 | + value: "$(params.storage-accessmode)" |
| 253 | + taskSpec: |
| 254 | + workspaces: |
| 255 | + - name: ws |
| 256 | + params: |
| 257 | + - name: mas-instance-id |
| 258 | + - name: mas-workspace-id |
| 259 | + - name: mas-workspace-name |
| 260 | + - name: mas-catalog-version |
| 261 | + - name: mas-channel |
| 262 | + - name: uds-email |
| 263 | + - name: uds-firstname |
| 264 | + - name: uds-lastname |
| 265 | + - name: storage-rwo |
| 266 | + - name: storage-rwx |
| 267 | + - name: storage-pipeline |
| 268 | + - name: storage-accessmode |
| 269 | + steps: |
| 270 | + - name: run-mas-cli |
| 271 | + image: quay.io/ibmmas/cli:latest |
| 272 | + script: | |
| 273 | + #!/usr/bin/env bash |
| 274 | + # extract license id from license.dat |
| 275 | + export LICENSE_ID=$(cat $(workspaces.ws.path)/license.dat | head -1 | cut -d ' ' -f3) |
| 276 | +
|
| 277 | + export ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat) |
| 278 | +
|
| 279 | + #this sets things up for manual cert management |
| 280 | + # got this via https://github.com/ibm-mas/ansible-devops/pull/501 |
| 281 | + export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig |
| 282 | + export MAS_MANUAL_CERT_MGMT=True |
| 283 | +
|
| 284 | + #run mas install non-interactively |
| 285 | + mas install -i $(params.mas-instance-id) \ |
| 286 | + --accept-license \ |
| 287 | + -w $(params.mas-workspace-id) \ |
| 288 | + -W "$(params.mas-workspace-name)" \ |
| 289 | + -c $(params.mas-catalog-version) \ |
| 290 | + --mas-channel $(params.mas-channel) \ |
| 291 | + --ibm-entitlement-key $ENTITLEMENT_KEY \ |
| 292 | + --license-id $LICENSE_ID --license-file $(workspaces.ws.path)/license.dat \ |
| 293 | + --uds-email $(params.uds-email) --uds-firstname $(params.uds-firstname) --uds-lastname $(params.uds-lastname) \ |
| 294 | + --storage-rwo $(params.storage-rwo) --storage-rwx $(params.storage-rwx) \ |
| 295 | + --storage-pipeline $(params.storage-pipeline) --storage-accessmode $(params.storage-accessmode) \ |
| 296 | + --no-confirm |
0 commit comments