updates to use mas-devops

cloudnativetoolkit · cloudnativetoolkit · commit 6bc1c5bcc501 · 2023-10-03T11:27:57.000-04:00
diff --git a/8.11.x/pipeline-masdevops.yaml b/8.11.x/pipeline-masdevops.yaml
@@ -0,0 +1,297 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: mas-masdevops-deploy
+  namespace: default
+spec:
+  workspaces:
+    - name: ws
+  params:
+    - name: namespace
+      type: string
+      default: "maximo-suite"
+    - name: mas-instance-id
+      type: string
+      default: "maximo"
+    - name: mas-workspace-id
+      type: string
+      default: "maxworkspace"
+    - name: mas-workspace-name
+      type: string
+      default: "My Maximo Workspace"
+    - name: mas-catalog-version
+      type: string
+      description: "Do not change this unless you know what you are doing"
+      default: "v8-amd64"
+    - name: mas-channel
+      type: string
+      description: "Controls version of Maximo Operators.  Do not change this unless you know what you are doing."
+      default: "8.11.x"
+    - name: license-file-secret-name
+      description: "Store your BYOL license key stored as a base64 encoded arbitrary secret in the kube-system namespace.  provide the name of the secret here.  the defaul is false which means the pipeline will attempt to download a techzone license"
+      type: string
+      default: "false"
+    - name: use-letsencrypt-certs
+      description: "use generated letsencrypt certs stored as a secret in the openshift-config namespace under letsencrypt-certs, if false, will generate self-signed certs"
+      type: string
+      default: "true"
+    - name: ibm-entitlement-key
+      description: "IBM entitlement key. If not set, will use secret manager."
+      type: string
+      default: "false"
+    - name: uds-email
+      description: "Contact Email"
+      type: string
+    - name: uds-firstname
+      description: "Contact first name"
+      type: string
+    - name: uds-lastname
+      description: "Contact last name"
+      type: string
+    - name: storage-rwo
+      description: "RWO Storage Class"
+      type: string
+      default: "ocs-storagecluster-cephfs"
+    - name: storage-rwx
+      description: "RWX Storage Class"
+      type: string
+      default: "ocs-storagecluster-cephfs"
+    - name: storage-pipeline
+      description: "Pipeline Storage Class"
+      type: string
+      default: "ocs-storagecluster-cephfs"
+    - name: storage-accessmode
+      description: "Install Pipeline storage class access mode (ReadWriteMany or ReadWriteOnce)"
+      type: string
+      default: "ReadWriteMany"
+  finally:
+    - name: update-configmap-failure
+      when:
+        - input: $(tasks.install-mas.status)
+          operator: notin
+          values: ["Succeeded"]
+      taskRef:
+        kind: Task
+        name: ibm-pak
+      params:
+        - name: SCRIPT
+          value: |
+            oc patch configmap/pipeline-output -p '{"data":{"Status":"Pipeline run failed. See Pipeline run for more details and consider running the pipeline again."}}'
+    - name: update-configmap-success
+      when:
+        - input: $(tasks.install-mas.status)
+          operator: in
+          values: ["Succeeded"]
+      taskRef:
+        kind: Task
+        name: ibm-pak
+      params:
+        - name: SCRIPT
+          value: |
+            # get and echo the pipeline the mas installer created
+            oc patch configmap/pipeline-output -p '{"data":{"Status":"Deployment Pipeline Running."}}'
+  tasks:
+    - name: get-ibm-entitlement-key
+      taskRef:
+        name: ibmcloud-secrets-manager-get
+        kind: Task
+      params:
+        - name: KEY_ID
+          value: 968d7819-f2c5-7b67-c420-3c6bfd51521e
+        - name: SECRETS_MANAGER_ENDPOINT_URL
+          value: >-
+            https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud
+    - name: set-retrieved-entitlement-key
+      when:
+        - input: "$(params.ibm-entitlement-key)"
+          operator: in
+          values: ["false"]
+      runAfter:
+        - get-ibm-entitlement-key
+      params:
+        - name: retrieved-entitlement-key
+          value: $(tasks.get-ibm-entitlement-key.results.secret-value)
+      workspaces:
+        - name: ws
+      taskSpec:
+        workspaces:
+          - name: ws
+        params:
+          - name: retrieved-entitlement-key
+        steps:
+          - name: set-entitlement-key
+            image: quay.io/openshift/origin-cli:4.10
+            script: |
+              #!/usr/bin/env bash
+              echo $(params.retrieved-entitlement-key) > $(workspaces.ws.path)/ek.dat
+              echo "ek.dat created"
+              exit
+    - name: set-provided-entitlement-key
+      workspaces:
+        - name: ws
+      params:
+        - name: provided-entitlement-key
+          value: "$(params.ibm-entitlement-key)"
+      taskSpec:
+        workspaces:
+          - name: ws
+        params:
+          - name: provided-entitlement-key
+        steps:
+          - name: set-entitlement
+            image: quay.io/openshift/origin-cli:4.10
+            script: |
+              #!/usr/bin/env bash
+              echo $(params.provided-entitlement-key) > $(workspaces.ws.path)/ek.dat
+              echo "ek.dat created"
+              exit
+    - name: get-maximo-licensefile
+      workspaces:
+        - name: ws
+      runAfter:
+        - set-provided-entitlement-key
+        - set-retrieved-entitlement-key
+      params:
+        - name: KEY_ID
+          value: 0ae3295c-95dd-c323-82af-1be5587d998f
+        - name: SECRETS_MANAGER_ENDPOINT_URL
+          value: >-
+            https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud
+        - name: LICENSE_FILE_SECRET_NAME
+          value: "$(params.license-file-secret-name)"
+      taskSpec:
+        workspaces:
+          - name: ws
+        params:
+          - name: KEY_ID
+          - name: SECRETS_MANAGER_ENDPOINT_URL
+          - name: LICENSE_FILE_SECRET_NAME
+        steps:
+          - name: write-maximo-licensefile
+            image: quay.io/openshift/origin-cli:4.12
+            script: |
+              #!/usr/bin/env bash
+
+              if [[ $(params.LICENSE_FILE_SECRET_NAME) == "false" ]]; then
+                # Retrieve the IBM Cloud API Key configured in a `deployer` cluster
+                export IBMCLOUD_API_KEY=$(oc get secret ibm-secret -n kube-system -o jsonpath='{.data.apiKey}' | base64 -d)
+                export AUTH_RESPONSE_JSON=$(curl -s -X POST \
+                  "https://iam.cloud.ibm.com/identity/token" \
+                  --header 'Content-Type: application/x-www-form-urlencoded' \
+                  --header 'Accept: application/json' \
+                  --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey' \
+                  --data-urlencode "apikey=${IBMCLOUD_API_KEY}")
+                export ACCESS_TOKEN=$(echo $AUTH_RESPONSE_JSON | grep -o '"access_token":"[^"]*' | grep -o '[^"]*$')
+                export SECRET_JSON=$(curl -s -X GET --location --header "Authorization: Bearer ${ACCESS_TOKEN}" --header "Accept: application/json" "$(params.SECRETS_MANAGER_ENDPOINT_URL)/api/v2/secrets/$(params.KEY_ID)")
+                echo $SECRET_JSON |  grep -o '"payload":"[^"]*' | grep -o '[^"]*$' | base64 -d > $(workspaces.ws.path)/license.dat
+
+              else
+                oc get secret $(params.LICENSE_FILE_SECRET_NAME) -n default -o jsonpath='{.data.licensefile}' | base64 -d | base64 -d > $(workspaces.ws.path)/license.dat
+              fi
+
+              cat $(workspaces.ws.path)/license.dat
+    - name: get-tls-certs
+      when:
+        - input: "$(params.use-letsencrypt-certs)"
+          operator: in
+          values: ["true"]
+      retries: 2
+      runAfter:
+        - get-maximo-licensefile
+      workspaces:
+        - name: ws
+      taskSpec:
+        workspaces:
+          - name: ws
+        steps:
+          - name: get-tls-certs
+            image: quay.io/congxdev/ibm-pak-ubi:latest
+            script: |
+              ### this is the method to load certs to the mas installer
+              mkdir -p $(workspaces.ws.path)/masconfig/certs/core/
+              wget -qO - https://letsencrypt.org/certs/lets-encrypt-r3.pem > $(workspaces.ws.path)/masconfig/certs/core/ca.crt
+              oc get secret letsencrypt-certs -n openshift-config -o jsonpath="{.data['tls\.key']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/core/tls.key
+              oc get secret letsencrypt-certs -n openshift-config -o jsonpath="{.data['tls\.crt']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/core/tls.crt
+              ls $(workspaces.ws.path)/masconfig/certs/core/
+              cat $(workspaces.ws.path)/masconfig/certs/core/tls.key
+              cat $(workspaces.ws.path)/masconfig/certs/core/tls.crt
+
+              # copy letsencrypt-certs secret to the name where maximo is expecting to find it.
+              if oc get secret -n openshift-ingress router-certs-default; then
+                echo "router-certs-default secret already exists"
+              else
+                oc get secret letsencrypt-certs -n openshift-ingress -o yaml | yq '.metadata["name"]="router-certs-default"' | oc apply -n openshift-ingress -f -
+              fi
+    - name: install-mas
+      retries: 2
+      runAfter:
+        - get-tls-certs
+        - get-maximo-licensefile
+      workspaces:
+        - name: ws
+      params:
+        - name: mas-instance-id
+          value: "$(params.mas-instance-id)"
+        - name: mas-workspace-id
+          value: "$(params.mas-workspace-id)"
+        - name: mas-workspace-name
+          value: "$(params.mas-workspace-name)"
+        - name: mas-catalog-version
+          value: "$(params.mas-catalog-version)"
+        - name: mas-channel
+          value: "$(params.mas-channel)"
+        - name: uds-email
+          value: "$(params.uds-email)"
+        - name: uds-firstname
+          value: "$(params.uds-firstname)"
+        - name: uds-lastname
+          value: "$(params.uds-lastname)"
+        - name: storage-rwo
+          value: "$(params.storage-rwo)"
+        - name: storage-rwx
+          value: "$(params.storage-rwx)"
+        - name: storage-pipeline
+          value: "$(params.storage-pipeline)"
+        - name: storage-accessmode
+          value: "$(params.storage-accessmode)"
+      taskSpec:
+        workspaces:
+          - name: ws
+        params:
+          - name: mas-instance-id
+          - name: mas-workspace-id
+          - name: mas-workspace-name
+          - name: mas-catalog-version
+          - name: mas-channel
+          - name: uds-email
+          - name: uds-firstname
+          - name: uds-lastname
+          - name: storage-rwo
+          - name: storage-rwx
+          - name: storage-pipeline
+          - name: storage-accessmode
+        steps:
+          - name: run-mas-cli
+            image: quay.io/ibmmas/cli:latest
+            script: |
+              #!/usr/bin/env bash
+              # extract license id from license.dat
+              export SLS_LICENSE_ID=$(cat $(workspaces.ws.path)/license.dat | head -1 | cut -d ' ' -f3)
+              export SLS_LICENSE_FILE=$(workspaces.ws.path)/license.dat
+
+              export IBM_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+
+              export MAS_INSTANCE_ID=$(params.mas-instance-id)
+
+              export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig
+              export MAS_MANUAL_CERT_MGMT=True
+
+              export UDS_CONTACT_EMAIL=$(params.uds-email)
+              export UDS_CONTACT_FIRSTNAME=$(params.uds-firstname)
+              export UDS_CONTACT_LASTNAME=$(params.uds-lastname)
+
+              export MAS_WORKSPACE_ID=$(params.mas-workspace-id)
+              export MAS_WORKSPACE_NAME=$(params.mas-workspace-name)
+
+              ansible-playbook ibm.mas_devops.oneclick_core
diff --git a/8.11.x/pipeline-run-masdevops.yaml b/8.11.x/pipeline-run-masdevops.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  generateName: pr-mas-devops-
+spec:
+  params:
+    - name: uds-email
+      value: "dev-techzone@ibm.com"
+    - name: uds-firstname
+      value: "TechZone"
+    - name: uds-lastname
+      value: "Developer"
+  workspaces:
+    - name: ws
+      volumeClaimTemplate:
+        spec:
+          accessModes:
+            - ReadWriteMany
+          resources:
+            requests:
+              storage: 1Gi
+  pipelineRef:
+    name: mas-masdevops-deploy
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
diff --git a/8.11.x/pipeline.yaml b/8.11.x/pipeline.yaml
@@ -206,18 +206,19 @@ spec:
           - name: ws
         steps:
           - name: get-tls-certs
-            image: quay.io/openshift/origin-cli:4.12
+            image: quay.io/congxdev/ibm-pak-ubi:latest
             script: |
-              mkdir -p $(workspaces.ws.path)/masconfig/certs
-              wget -qO - https://letsencrypt.org/certs/lets-encrypt-r3.pem > $(workspaces.ws.path)/masconfig/certs/ca.crt
-              oc get secret letsencrypt-certs -n openshift-config -o jsonpath="{.data['tls\.key']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/tls.key
-              oc get secret letsencrypt-certs -n openshift-config -o jsonpath="{.data['tls\.crt']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/tls.crt
-              echo "certs downloaded to masconfig"
-              ls $(workspaces.ws.path)/masconfig/certs/
-              echo "tls.key:"
-              cat $(workspaces.ws.path)/masconfig/certs/tls.key
-              echo "tls.crt:"
-              cat $(workspaces.ws.path)/masconfig/certs/tls.crt
+              ### this is the method to load certs to the mas installer
+              #mkdir -p $(workspaces.ws.path)/masconfig/certs
+              #wget -qO - https://letsencrypt.org/certs/lets-encrypt-r3.pem > $(workspaces.ws.path)/masconfig/certs/ca.crt
+              #oc get secret letsencrypt-certs -n openshift-config -o jsonpath="{.data['tls\.key']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/tls.key
+              #oc get secret letsencrypt-certs -n openshift-config -o jsonpath="{.data['tls\.crt']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/tls.crt
+              #ls $(workspaces.ws.path)/masconfig/certs/
+              #cat $(workspaces.ws.path)/masconfig/certs/tls.key
+              #cat $(workspaces.ws.path)/masconfig/certs/tls.crt
+
+              # copy letsencrypt-certs secret to the name where maximo is expecting to find it.
+              oc get secret letsencrypt-certs -n openshift-ingress -o yaml | yq '.metadata["name"]="router-certs-default"' | oc apply -n openshift-ingress -f -
     - name: install-mas
       retries: 2
       runAfter:
@@ -276,10 +277,10 @@ spec:
 
               export ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
 
-              #this sets things up for manual cert management
+              #possible setup for manual cert management
               # got this via https://github.com/ibm-mas/ansible-devops/pull/501
-              export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig
-              export MAS_MANUAL_CERT_MGMT=True
+              #export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig
+              #export MAS_MANUAL_CERT_MGMT=True
 
               #run mas install non-interactively
               mas install -i $(params.mas-instance-id) \
