diff --git a/maximo-pipeline-run.yaml b/8.10.x/pipeline-run.yaml similarity index 52% rename from maximo-pipeline-run.yaml rename to 8.10.x/pipeline-run.yaml index 6eda35c..4f8c0e4 100644 --- a/maximo-pipeline-run.yaml +++ b/8.10.x/pipeline-run.yaml @@ -2,19 +2,26 @@ apiVersion: tekton.dev/v1beta1 kind: PipelineRun metadata: - generateName: pr-mas-core- + generateName: pr-mas-cli- spec: + params: + - name: uds-email + value: "dev-techzone@ibm.com" + - name: uds-firstname + value: "TechZone" + - name: uds-lastname + value: "Developer" workspaces: - - name: shared-workspace + - name: ws volumeClaimTemplate: spec: accessModes: - - ReadWriteOnce + - ReadWriteMany resources: requests: storage: 1Gi pipelineRef: - name: mas-core-deploy + name: mas-cli-deploy podTemplate: securityContext: fsGroup: 65532 diff --git a/8.10.x/pipeline.yaml b/8.10.x/pipeline.yaml new file mode 100644 index 0000000..b2be0c2 --- /dev/null +++ b/8.10.x/pipeline.yaml 
@@ -0,0 +1,296 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: mas-cli-deploy + namespace: default +spec: + workspaces: + - name: ws + params: + - name: namespace + type: string + default: "maximo-suite" + - name: mas-instance-id + type: string + default: "inst1" + - name: mas-workspace-id + type: string + default: "maxworkspace" + - name: mas-workspace-name + type: string + default: "My Maximo Workspace" + - name: mas-catalog-version + type: string + description: "Do not change this unless you know what you are doing" + default: "v8-amd64" + - name: mas-channel + type: string + description: "Controls version of Maximo Operators. Do not change this unless you know what you are doing." + default: "8.10.x" + - name: license-file-secret-name + description: "Store your BYOL license key stored as a base64 encoded arbitrary secret in the kube-system namespace. provide the name of the secret here. the defaul is false which means the pipeline will attempt to download a techzone license" + type: string + default: "false" + - name: use-letsencrypt-certs + description: "use generated letsencrypt certs stored as a secret in the openshift-config namespace under letsencrypt-certs, if false, will generate self-signed certs" + type: string + default: "true" + - name: ibm-entitlement-key + description: "IBM entitlement key. If not set, will use secret manager." 
+ type: string + default: "false" + - name: uds-email + description: "Contact Email" + type: string + - name: uds-firstname + description: "Contact first name" + type: string + - name: uds-lastname + description: "Contact last name" + type: string + - name: storage-rwo + description: "RWO Storage Class" + type: string + default: "ocs-storagecluster-cephfs" + - name: storage-rwx + description: "RWX Storage Class" + type: string + default: "ocs-storagecluster-cephfs" + - name: storage-pipeline + description: "Pipeline Storage Class" + type: string + default: "ocs-storagecluster-cephfs" + - name: storage-accessmode + description: "Install Pipeline storage class access mode (ReadWriteMany or ReadWriteOnce)" + type: string + default: "ReadWriteMany" + finally: + - name: update-configmap-failure + when: + - input: $(tasks.install-mas.status) + operator: notin + values: ["Succeeded"] + taskRef: + kind: Task + name: ibm-pak + params: + - name: SCRIPT + value: | + oc patch configmap/pipeline-output -p '{"data":{"Status":"Pipeline run failed. 
See Pipeline run for more details and consider running the pipeline again."}}' + - name: update-configmap-success + when: + - input: $(tasks.install-mas.status) + operator: in + values: ["Succeeded"] + taskRef: + kind: Task + name: ibm-pak + params: + - name: SCRIPT + value: | + # get and echo the pipeline the mas installer created + oc patch configmap/pipeline-output -p '{"data":{"Status":"Deployment Pipeline Running."}}' + tasks: + - name: get-ibm-entitlement-key + taskRef: + name: ibmcloud-secrets-manager-get + kind: Task + params: + - name: KEY_ID + value: 968d7819-f2c5-7b67-c420-3c6bfd51521e + - name: SECRETS_MANAGER_ENDPOINT_URL + value: >- + https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud + - name: set-retrieved-entitlement-key + when: + - input: "$(params.ibm-entitlement-key)" + operator: in + values: ["false"] + runAfter: + - get-ibm-entitlement-key + params: + - name: retrieved-entitlement-key + value: $(tasks.get-ibm-entitlement-key.results.secret-value) + workspaces: + - name: ws + taskSpec: + workspaces: + - name: ws + params: + - name: retrieved-entitlement-key + steps: + - name: set-entitlement-key + image: quay.io/openshift/origin-cli:4.10 + script: | + #!/usr/bin/env bash + echo $(params.retrieved-entitlement-key) > $(workspaces.ws.path)/ek.dat + echo "ek.dat created" + exit + - name: set-provided-entitlement-key + workspaces: + - name: ws + params: + - name: provided-entitlement-key + value: "$(params.ibm-entitlement-key)" + taskSpec: + workspaces: + - name: ws + params: + - name: provided-entitlement-key + steps: + - name: set-entitlement + image: quay.io/openshift/origin-cli:4.10 + script: | + #!/usr/bin/env bash + echo $(params.provided-entitlement-key) > $(workspaces.ws.path)/ek.dat + echo "ek.dat created" + exit + - name: get-maximo-licensefile + workspaces: + - name: ws + runAfter: + - set-provided-entitlement-key + - set-retrieved-entitlement-key + params: + - name: KEY_ID + value: 
0ae3295c-95dd-c323-82af-1be5587d998f + - name: SECRETS_MANAGER_ENDPOINT_URL + value: >- + https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud + - name: LICENSE_FILE_SECRET_NAME + value: "$(params.license-file-secret-name)" + taskSpec: + workspaces: + - name: ws + params: + - name: KEY_ID + - name: SECRETS_MANAGER_ENDPOINT_URL + - name: LICENSE_FILE_SECRET_NAME + steps: + - name: write-maximo-licensefile + image: quay.io/openshift/origin-cli:4.12 + script: | + #!/usr/bin/env bash + + if [[ $(params.LICENSE_FILE_SECRET_NAME) == "false" ]]; then + # Retrieve the IBM Cloud API Key configured in a `deployer` cluster + export IBMCLOUD_API_KEY=$(oc get secret ibm-secret -n kube-system -o jsonpath='{.data.apiKey}' | base64 -d) + export AUTH_RESPONSE_JSON=$(curl -s -X POST \ + "https://iam.cloud.ibm.com/identity/token" \ + --header 'Content-Type: application/x-www-form-urlencoded' \ + --header 'Accept: application/json' \ + --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey' \ + --data-urlencode "apikey=${IBMCLOUD_API_KEY}") + export ACCESS_TOKEN=$(echo $AUTH_RESPONSE_JSON | grep -o '"access_token":"[^"]*' | grep -o '[^"]*$') + export SECRET_JSON=$(curl -s -X GET --location --header "Authorization: Bearer ${ACCESS_TOKEN}" --header "Accept: application/json" "$(params.SECRETS_MANAGER_ENDPOINT_URL)/api/v2/secrets/$(params.KEY_ID)") + echo $SECRET_JSON | grep -o '"payload":"[^"]*' | grep -o '[^"]*$' | base64 -d > $(workspaces.ws.path)/license.dat + + else + oc get secret $(params.LICENSE_FILE_SECRET_NAME) -n default -o jsonpath='{.data.licensefile}' | base64 -d | base64 -d > $(workspaces.ws.path)/license.dat + fi + + cat $(workspaces.ws.path)/license.dat + - name: get-tls-certs + when: + - input: "$(params.use-letsencrypt-certs)" + operator: in + values: ["true"] + retries: 2 + runAfter: + - get-maximo-licensefile + workspaces: + - name: ws + taskSpec: + workspaces: + - name: ws + steps: + - name: get-tls-certs + image: 
quay.io/openshift/origin-cli:4.12 + script: | + mkdir -p $(workspaces.ws.path)/masconfig/certs + wget -qO - https://letsencrypt.org/certs/lets-encrypt-r3.pem > $(workspaces.ws.path)/masconfig/certs/ca.crt + oc get secret letsencrypt-certs -n openshift-config -o jsonpath="{.data['tls\.key']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/tls.key + oc get secret letsencrypt-certs -n openshift-config -o jsonpath="{.data['tls\.crt']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/tls.crt + echo "certs downloaded to masconfig" + ls $(workspaces.ws.path)/masconfig/certs/ + echo "tls.key:" + cat $(workspaces.ws.path)/masconfig/certs/tls.key + echo "tls.crt:" + cat $(workspaces.ws.path)/masconfig/certs/tls.crt + - name: install-mas + retries: 2 + runAfter: + - get-tls-certs + - get-maximo-licensefile + workspaces: + - name: ws + params: + - name: mas-instance-id + value: "$(params.mas-instance-id)" + - name: mas-workspace-id + value: "$(params.mas-workspace-id)" + - name: mas-workspace-name + value: "$(params.mas-workspace-name)" + - name: mas-catalog-version + value: "$(params.mas-catalog-version)" + - name: mas-channel + value: "$(params.mas-channel)" + - name: uds-email + value: "$(params.uds-email)" + - name: uds-firstname + value: "$(params.uds-firstname)" + - name: uds-lastname + value: "$(params.uds-lastname)" + - name: storage-rwo + value: "$(params.storage-rwo)" + - name: storage-rwx + value: "$(params.storage-rwx)" + - name: storage-pipeline + value: "$(params.storage-pipeline)" + - name: storage-accessmode + value: "$(params.storage-accessmode)" + taskSpec: + workspaces: + - name: ws + params: + - name: mas-instance-id + - name: mas-workspace-id + - name: mas-workspace-name + - name: mas-catalog-version + - name: mas-channel + - name: uds-email + - name: uds-firstname + - name: uds-lastname + - name: storage-rwo + - name: storage-rwx + - name: storage-pipeline + - name: storage-accessmode + steps: + - name: run-mas-cli + image: 
quay.io/ibmmas/cli:latest + script: | + #!/usr/bin/env bash + # extract license id from license.dat + export LICENSE_ID=$(cat $(workspaces.ws.path)/license.dat | head -1 | cut -d ' ' -f3) + + export ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat) + + #this sets things up for manual cert management + # got this via https://github.com/ibm-mas/ansible-devops/pull/501 + export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig + export MAS_MANUAL_CERT_MGMT=True + + #run mas install non-interactively + mas install -i $(params.mas-instance-id) \ + --accept-license \ + -w $(params.mas-workspace-id) \ + -W "$(params.mas-workspace-name)" \ + -c $(params.mas-catalog-version) \ + --mas-channel $(params.mas-channel) \ + --ibm-entitlement-key $ENTITLEMENT_KEY \ + --license-id $LICENSE_ID --license-file $(workspaces.ws.path)/license.dat \ + --uds-email $(params.uds-email) --uds-firstname $(params.uds-firstname) --uds-lastname $(params.uds-lastname) \ + --storage-rwo $(params.storage-rwo) --storage-rwx $(params.storage-rwx) \ + --storage-pipeline $(params.storage-pipeline) --storage-accessmode $(params.storage-accessmode) \ + --no-confirm diff --git a/8.11.x/pipeline-cli.yaml b/8.11.x/pipeline-cli.yaml new file mode 100644 index 0000000..aae7153 --- /dev/null +++ b/8.11.x/pipeline-cli.yaml 
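Review bot: In 8.10.x/pipeline.yaml the `get-tls-certs` step ends with `cat $(workspaces.ws.path)/masconfig/certs/tls.key`, which writes the Let's Encrypt TLS private key into the step log, and `write-maximo-licensefile` does the same for the licence with `cat $(workspaces.ws.path)/license.dat`. Step output is kept with the TaskRun pod logs, so anyone who can read logs in the pipeline namespace, or in whatever log store they are forwarded to, obtains the key. I would drop the `cat` lines for the key and the licence and keep only a presence check, e.g. `test -s $(workspaces.ws.path)/masconfig/certs/tls.key && echo "tls.key written"`. The same pattern is in 8.11.x/pipeline-cli.yaml (`cat $(workspaces.ws.path)/license.dat`) and in 8.11.x/pipeline.yaml, where `get-tls-certs` cats `tls.key` and `set-retrieved-entitlement-key` adds a bare `echo $(params.retrieved-entitlement-key)`.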
@@ -0,0 +1,297 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: mas-cli-deploy + namespace: default +spec: + workspaces: + - name: ws + params: + - name: namespace + type: string + default: "maximo-suite" + - name: mas-instance-id + type: string + default: "inst1" + - name: mas-workspace-id + type: string + default: "maxworkspace" + - name: mas-workspace-name + type: string + default: "My Maximo Workspace" + - name: mas-catalog-version + type: string + description: "Do not change this unless you know what you are doing" + default: "v8-amd64" + - name: mas-channel + type: string + description: "Controls version of Maximo Operators. Do not change this unless you know what you are doing." + default: "8.11.x" + - name: license-file-secret-name + description: "Store your BYOL license key stored as a base64 encoded arbitrary secret in the kube-system namespace. provide the name of the secret here. the defaul is false which means the pipeline will attempt to download a techzone license" + type: string + default: "false" + - name: use-letsencrypt-certs + description: "use generated letsencrypt certs stored as a secret in the openshift-config namespace under letsencrypt-certs, if false, will generate self-signed certs" + type: string + default: "true" + - name: ibm-entitlement-key + description: "IBM entitlement key. If not set, will use secret manager." 
+ type: string + default: "false" + - name: uds-email + description: "Contact Email" + type: string + - name: uds-firstname + description: "Contact first name" + type: string + - name: uds-lastname + description: "Contact last name" + type: string + - name: storage-rwo + description: "RWO Storage Class" + type: string + default: "ocs-storagecluster-cephfs" + - name: storage-rwx + description: "RWX Storage Class" + type: string + default: "ocs-storagecluster-cephfs" + - name: storage-pipeline + description: "Pipeline Storage Class" + type: string + default: "ocs-storagecluster-cephfs" + - name: storage-accessmode + description: "Install Pipeline storage class access mode (ReadWriteMany or ReadWriteOnce)" + type: string + default: "ReadWriteMany" + finally: + - name: update-configmap-failure + when: + - input: $(tasks.install-mas.status) + operator: notin + values: ["Succeeded"] + taskRef: + kind: Task + name: ibm-pak + params: + - name: SCRIPT + value: | + oc patch configmap/pipeline-output -p '{"data":{"Status":"Pipeline run failed. 
See Pipeline run for more details and consider running the pipeline again."}}' + - name: update-configmap-success + when: + - input: $(tasks.install-mas.status) + operator: in + values: ["Succeeded"] + taskRef: + kind: Task + name: ibm-pak + params: + - name: SCRIPT + value: | + # get and echo the pipeline the mas installer created + oc patch configmap/pipeline-output -p '{"data":{"Status":"Deployment Pipeline Running."}}' + tasks: + - name: get-ibm-entitlement-key + taskRef: + name: ibmcloud-secrets-manager-get + kind: Task + params: + - name: KEY_ID + value: 968d7819-f2c5-7b67-c420-3c6bfd51521e + - name: SECRETS_MANAGER_ENDPOINT_URL + value: >- + https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud + - name: set-retrieved-entitlement-key + when: + - input: "$(params.ibm-entitlement-key)" + operator: in + values: ["false"] + runAfter: + - get-ibm-entitlement-key + params: + - name: retrieved-entitlement-key + value: $(tasks.get-ibm-entitlement-key.results.secret-value) + workspaces: + - name: ws + taskSpec: + workspaces: + - name: ws + params: + - name: retrieved-entitlement-key + steps: + - name: set-entitlement-key + image: quay.io/openshift/origin-cli:4.10 + script: | + #!/usr/bin/env bash + echo $(params.retrieved-entitlement-key) > $(workspaces.ws.path)/ek.dat + echo "ek.dat created" + exit + - name: set-provided-entitlement-key + workspaces: + - name: ws + params: + - name: provided-entitlement-key + value: "$(params.ibm-entitlement-key)" + taskSpec: + workspaces: + - name: ws + params: + - name: provided-entitlement-key + steps: + - name: set-entitlement + image: quay.io/openshift/origin-cli:4.10 + script: | + #!/usr/bin/env bash + echo $(params.provided-entitlement-key) > $(workspaces.ws.path)/ek.dat + echo "ek.dat created" + exit + - name: get-maximo-licensefile + workspaces: + - name: ws + runAfter: + - set-provided-entitlement-key + - set-retrieved-entitlement-key + params: + - name: KEY_ID + value: 
0ae3295c-95dd-c323-82af-1be5587d998f + - name: SECRETS_MANAGER_ENDPOINT_URL + value: >- + https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud + - name: LICENSE_FILE_SECRET_NAME + value: "$(params.license-file-secret-name)" + taskSpec: + workspaces: + - name: ws + params: + - name: KEY_ID + - name: SECRETS_MANAGER_ENDPOINT_URL + - name: LICENSE_FILE_SECRET_NAME + steps: + - name: write-maximo-licensefile + image: quay.io/openshift/origin-cli:4.12 + script: | + #!/usr/bin/env bash + + if [[ $(params.LICENSE_FILE_SECRET_NAME) == "false" ]]; then + # Retrieve the IBM Cloud API Key configured in a `deployer` cluster + export IBMCLOUD_API_KEY=$(oc get secret ibm-secret -n kube-system -o jsonpath='{.data.apiKey}' | base64 -d) + export AUTH_RESPONSE_JSON=$(curl -s -X POST \ + "https://iam.cloud.ibm.com/identity/token" \ + --header 'Content-Type: application/x-www-form-urlencoded' \ + --header 'Accept: application/json' \ + --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey' \ + --data-urlencode "apikey=${IBMCLOUD_API_KEY}") + export ACCESS_TOKEN=$(echo $AUTH_RESPONSE_JSON | grep -o '"access_token":"[^"]*' | grep -o '[^"]*$') + export SECRET_JSON=$(curl -s -X GET --location --header "Authorization: Bearer ${ACCESS_TOKEN}" --header "Accept: application/json" "$(params.SECRETS_MANAGER_ENDPOINT_URL)/api/v2/secrets/$(params.KEY_ID)") + echo $SECRET_JSON | grep -o '"payload":"[^"]*' | grep -o '[^"]*$' | base64 -d > $(workspaces.ws.path)/license.dat + + else + oc get secret $(params.LICENSE_FILE_SECRET_NAME) -n default -o jsonpath='{.data.licensefile}' | base64 -d | base64 -d > $(workspaces.ws.path)/license.dat + fi + + cat $(workspaces.ws.path)/license.dat + - name: get-tls-certs + when: + - input: "$(params.use-letsencrypt-certs)" + operator: in + values: ["true"] + retries: 2 + runAfter: + - get-maximo-licensefile + workspaces: + - name: ws + taskSpec: + workspaces: + - name: ws + steps: + - name: get-tls-certs + image: 
quay.io/congxdev/ibm-pak-ubi:latest + script: | + ### this is the method to load certs to the mas installer + #mkdir -p $(workspaces.ws.path)/masconfig/certs + #wget -qO - https://letsencrypt.org/certs/lets-encrypt-r3.pem > $(workspaces.ws.path)/masconfig/certs/ca.crt + #oc get secret letsencrypt-certs -n openshift-config -o jsonpath="{.data['tls\.key']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/tls.key + #oc get secret letsencrypt-certs -n openshift-config -o jsonpath="{.data['tls\.crt']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/tls.crt + #ls $(workspaces.ws.path)/masconfig/certs/ + #cat $(workspaces.ws.path)/masconfig/certs/tls.key + #cat $(workspaces.ws.path)/masconfig/certs/tls.crt + + # copy letsencrypt-certs secret to the name where maximo is expecting to find it. + oc get secret letsencrypt-certs -n openshift-ingress -o yaml | yq '.metadata["name"]="router-certs-default"' | oc apply -n openshift-ingress -f - + - name: install-mas + retries: 2 + runAfter: + - get-tls-certs + - get-maximo-licensefile + workspaces: + - name: ws + params: + - name: mas-instance-id + value: "$(params.mas-instance-id)" + - name: mas-workspace-id + value: "$(params.mas-workspace-id)" + - name: mas-workspace-name + value: "$(params.mas-workspace-name)" + - name: mas-catalog-version + value: "$(params.mas-catalog-version)" + - name: mas-channel + value: "$(params.mas-channel)" + - name: uds-email + value: "$(params.uds-email)" + - name: uds-firstname + value: "$(params.uds-firstname)" + - name: uds-lastname + value: "$(params.uds-lastname)" + - name: storage-rwo + value: "$(params.storage-rwo)" + - name: storage-rwx + value: "$(params.storage-rwx)" + - name: storage-pipeline + value: "$(params.storage-pipeline)" + - name: storage-accessmode + value: "$(params.storage-accessmode)" + taskSpec: + workspaces: + - name: ws + params: + - name: mas-instance-id + - name: mas-workspace-id + - name: mas-workspace-name + - name: mas-catalog-version + - name: mas-channel + 
- name: uds-email + - name: uds-firstname + - name: uds-lastname + - name: storage-rwo + - name: storage-rwx + - name: storage-pipeline + - name: storage-accessmode + steps: + - name: run-mas-cli + image: quay.io/ibmmas/cli:latest + script: | + #!/usr/bin/env bash + # extract license id from license.dat + export LICENSE_ID=$(cat $(workspaces.ws.path)/license.dat | head -1 | cut -d ' ' -f3) + + export ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat) + + #possible setup for manual cert management + # got this via https://github.com/ibm-mas/ansible-devops/pull/501 + #export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig + #export MAS_MANUAL_CERT_MGMT=True + + #run mas install non-interactively + mas install -i $(params.mas-instance-id) \ + --accept-license \ + -w $(params.mas-workspace-id) \ + -W "$(params.mas-workspace-name)" \ + -c $(params.mas-catalog-version) \ + --mas-channel $(params.mas-channel) \ + --ibm-entitlement-key $ENTITLEMENT_KEY \ + --license-id $LICENSE_ID --license-file $(workspaces.ws.path)/license.dat \ + --uds-email $(params.uds-email) --uds-firstname $(params.uds-firstname) --uds-lastname $(params.uds-lastname) \ + --storage-rwo $(params.storage-rwo) --storage-rwx $(params.storage-rwx) \ + --storage-pipeline $(params.storage-pipeline) --storage-accessmode $(params.storage-accessmode) \ + --no-confirm diff --git a/8.11.x/pipeline-run-cli.yaml b/8.11.x/pipeline-run-cli.yaml new file mode 100644 index 0000000..4f8c0e4 --- /dev/null +++ b/8.11.x/pipeline-run-cli.yaml @@ -0,0 +1,27 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + generateName: pr-mas-cli- +spec: + params: + - name: uds-email + value: "dev-techzone@ibm.com" + - name: uds-firstname + value: "TechZone" + - name: uds-lastname + value: "Developer" + workspaces: + - name: ws + volumeClaimTemplate: + spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + pipelineRef: + name: mas-cli-deploy + podTemplate: + securityContext: + fsGroup: 65532 
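Review bot: In 8.11.x/pipeline-cli.yaml `get-tls-certs` runs `quay.io/congxdev/ibm-pak-ubi:latest`, a mutable tag in what appears to be a personal quay.io namespace, in the one step that reads the `letsencrypt-certs` secret and applies a copy into `openshift-ingress`. Whatever that tag resolves to at run time executes with the pipeline service account's access to those secrets, so a re-pushed image changes what runs without any change to this file. Pin it by digest, `image: quay.io/congxdev/ibm-pak-ubi@sha256:<digest-of-reviewed-image>`, or mirror it into a registry the team controls. `quay.io/ibmmas/cli:latest` in `run-mas-cli` here and in 8.10.x/pipeline.yaml deserves the same treatment; 8.11.x/pipeline.yaml already pins `cli:8.2.1` but still uses the `:latest` ibm-pak-ubi image.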
diff --git a/8.11.x/pipeline-run-manage-iot-monitor.yaml b/8.11.x/pipeline-run-manage-iot-monitor.yaml
new file mode 100644
index 0000000..200762e
--- /dev/null
+++ b/8.11.x/pipeline-run-manage-iot-monitor.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: pr-mas-devops-
+spec:
+ params:
+ - name: uds-email
+ value: "dev-techzone@ibm.com"
+ - name: uds-firstname
+ value: "TechZone"
+ - name: uds-lastname
+ value: "Developer"
+ - name: mas-install-cp4d-manage
+ value: "true"
+ - name: mas-install-iot
+ value: "true"
+ - name: mas-install-monitor
+ value: "true"
+ workspaces:
+ - name: ws
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ timeouts:
+ pipeline: "0"
+ tasks: "9h"
+ pipelineRef:
+ name: mas-masdevops-deploy
diff --git a/8.11.x/pipeline-run-manage.yaml b/8.11.x/pipeline-run-manage.yaml
new file mode 100644
index 0000000..3e2056f
--- /dev/null
+++ b/8.11.x/pipeline-run-manage.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: pr-mas-devops-
+spec:
+ params:
+ - name: uds-email
+ value: "dev-techzone@ibm.com"
+ - name: uds-firstname
+ value: "TechZone"
+ - name: uds-lastname
+ value: "Developer"
+ workspaces:
+ - name: ws
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ timeouts:
+ pipeline: "0"
+ tasks: "9h"
+ pipelineRef:
+ name: mas-masdevops-deploy
diff --git a/8.11.x/pipeline-run.yaml b/8.11.x/pipeline-run.yaml
new file mode 100644
index 0000000..34ac4c8
--- /dev/null
+++ b/8.11.x/pipeline-run.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: pr-mas-devops-
+spec:
+ params:
+ - name: uds-email
+ value: "dev-techzone@ibm.com"
+ - name: uds-firstname
+ value: "TechZone"
+ - name: uds-lastname
+ value: "Developer"
+ workspaces:
+ - name: ws
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ timeouts:
+ pipeline: "0"
+ tasks: "6h"
+ pipelineRef:
+ name: mas-masdevops-deploy
diff --git a/8.11.x/pipeline.yaml b/8.11.x/pipeline.yaml
new file mode 100644
index 0000000..47c3a56
--- /dev/null
+++ b/8.11.x/pipeline.yaml
@@ -0,0 +1,471 @@ +--- +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + name: mas-masdevops-deploy + namespace: default +spec: + workspaces: + - name: ws + params: + - name: mas-instance-id + type: string + default: "inst1" + - name: mas-workspace-id + type: string + default: "masupiwork" + - name: mas-install-cp4d-manage + type: string + description: "controls whether Maximo Manage and CP4D+Cognos is installed" + default: "false" + - name: mas-install-iot + type: string + description: "install MAS iot" + default: "false" + - name: mas-install-monitor + type: string + description: "install MAS Monitor" + default: "false" + - name: install-demo-data + type: string + description: "install demo data, adds 2+ hours to install time" + default: "true" + - name: license-file-secret-name + description: "Store your BYOL license key stored as a base64 encoded arbitrary secret in the kube-system namespace. provide the name of the secret here. the defaul is false which means the pipeline will attempt to download a techzone license" + type: string + default: "false" + - name: use-letsencrypt-certs + description: "use generated letsencrypt certs stored as a secret in the openshift-config namespace under letsencrypt-certs, if false, will generate self-signed certs" + type: string + default: "true" + - name: ibm-entitlement-key + description: "IBM entitlement key. If not set, will use secret manager." 
+ type: string + default: "false" + - name: uds-email + description: "Contact Email" + type: string + - name: uds-firstname + description: "Contact first name" + type: string + - name: uds-lastname + description: "Contact last name" + type: string + - name: rwx-storageclass + description: "desired RWX storageclass" + type: string + default: "ocs-storagecluster-cephfs" + - name: "rwo-storageclass" + description: "desired RWO storageclass" + type: string + default: "ocs-storagecluster-cephfs" + finally: + - name: update-configmap-failure + when: + - input: $(tasks.install-mas.status) + operator: notin + values: ["Succeeded"] + taskRef: + kind: Task + name: ibm-pak + params: + - name: SCRIPT + value: | + oc patch configmap/pipeline-output -p '{"data":{"Status":"Pipeline run failed. See Pipeline run for more details and consider running the pipeline again."}}' + - name: update-configmap-success + when: + - input: $(tasks.install-mas.status) + operator: in + values: ["Succeeded"] + taskRef: + kind: Task + name: ibm-pak + params: + - name: SCRIPT + value: | + # get and echo the pipeline the mas installer created + oc patch configmap/pipeline-output -p '{"data":{"Status":"Deployment Pipeline Running."}}' + tasks: + - name: get-ibm-entitlement-key + taskRef: + name: ibmcloud-secrets-manager-get + kind: Task + params: + - name: KEY_ID + value: 968d7819-f2c5-7b67-c420-3c6bfd51521e + - name: SECRETS_MANAGER_ENDPOINT_URL + value: >- + https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud + - name: set-retrieved-entitlement-key + when: + - input: "$(params.ibm-entitlement-key)" + operator: in + values: ["false"] + runAfter: + - get-ibm-entitlement-key + params: + - name: retrieved-entitlement-key + value: $(tasks.get-ibm-entitlement-key.results.secret-value) + workspaces: + - name: ws + taskSpec: + workspaces: + - name: ws + params: + - name: retrieved-entitlement-key + steps: + - name: set-entitlement-key + image: 
quay.io/openshift/origin-cli:4.10 + script: | + #!/usr/bin/env bash + echo $(params.retrieved-entitlement-key) + echo $(params.retrieved-entitlement-key) > $(workspaces.ws.path)/ek.dat + echo "ek.dat created" + exit + - name: set-provided-entitlement-key + workspaces: + - name: ws + params: + - name: provided-entitlement-key + value: "$(params.ibm-entitlement-key)" + taskSpec: + workspaces: + - name: ws + params: + - name: provided-entitlement-key + steps: + - name: set-entitlement + image: quay.io/openshift/origin-cli:4.10 + script: | + #!/usr/bin/env bash + echo $(params.provided-entitlement-key) > $(workspaces.ws.path)/ek.dat + echo "ek.dat created" + exit + - name: get-maximo-licensefile + workspaces: + - name: ws + runAfter: + - set-provided-entitlement-key + - set-retrieved-entitlement-key + params: + - name: KEY_ID + value: 2d52b201-117a-35ea-71f0-9781a93fbed4 + - name: SECRETS_MANAGER_ENDPOINT_URL + value: >- + https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud + - name: LICENSE_FILE_SECRET_NAME + value: "$(params.license-file-secret-name)" + taskSpec: + workspaces: + - name: ws + params: + - name: KEY_ID + - name: SECRETS_MANAGER_ENDPOINT_URL + - name: LICENSE_FILE_SECRET_NAME + steps: + - name: write-maximo-licensefile + image: quay.io/openshift/origin-cli:4.12 + script: | + #!/usr/bin/env bash + + if [[ $(params.LICENSE_FILE_SECRET_NAME) == "false" ]]; then + # Retrieve the IBM Cloud API Key configured in a `deployer` cluster + export IBMCLOUD_API_KEY=$(oc get secret ibm-secret -n kube-system -o jsonpath='{.data.apiKey}' | base64 -d) + export AUTH_RESPONSE_JSON=$(curl -s -X POST \ + "https://iam.cloud.ibm.com/identity/token" \ + --header 'Content-Type: application/x-www-form-urlencoded' \ + --header 'Accept: application/json' \ + --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey' \ + --data-urlencode "apikey=${IBMCLOUD_API_KEY}") + export ACCESS_TOKEN=$(echo $AUTH_RESPONSE_JSON | grep -o 
'"access_token":"[^"]*' | grep -o '[^"]*$') + export SECRET_JSON=$(curl -s -X GET --location --header "Authorization: Bearer ${ACCESS_TOKEN}" --header "Accept: application/json" "$(params.SECRETS_MANAGER_ENDPOINT_URL)/api/v2/secrets/$(params.KEY_ID)") + echo $SECRET_JSON | grep -o '"payload":"[^"]*' | grep -o '[^"]*$' | base64 -d > $(workspaces.ws.path)/license.dat + + else + oc get secret $(params.LICENSE_FILE_SECRET_NAME) -n default -o jsonpath='{.data.licensefile}' | base64 -d | base64 -d > $(workspaces.ws.path)/license.dat + fi + + cat $(workspaces.ws.path)/license.dat + - name: get-tls-certs + when: + - input: "$(params.use-letsencrypt-certs)" + operator: in + values: ["true"] + retries: 2 + runAfter: + - get-maximo-licensefile + workspaces: + - name: ws + taskSpec: + workspaces: + - name: ws + steps: + - name: get-tls-certs + image: quay.io/congxdev/ibm-pak-ubi:latest + script: | + ### this is the method to load certs to the mas installer + mkdir -p $(workspaces.ws.path)/masconfig/certs/core/ + wget -qO - https://letsencrypt.org/certs/lets-encrypt-r3.pem > $(workspaces.ws.path)/masconfig/certs/core/ca.crt + oc get secret letsencrypt-certs -n openshift-config -o jsonpath="{.data['tls\.key']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/core/tls.key + oc get secret letsencrypt-certs -n openshift-config -o jsonpath="{.data['tls\.crt']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/core/tls.crt + ls $(workspaces.ws.path)/masconfig/certs/core/ + cat $(workspaces.ws.path)/masconfig/certs/core/tls.key + cat $(workspaces.ws.path)/masconfig/certs/core/tls.crt + + # copy to app directories + echo "copying to app directories..." 
+ mkdir -p $(workspaces.ws.path)/masconfig/certs/iot/ + mkdir -p $(workspaces.ws.path)/masconfig/certs/manage/ + mkdir -p $(workspaces.ws.path)/masconfig/certs/monitor/ + mkdir -p $(workspaces.ws.path)/masconfig/certs/add/ + mkdir -p $(workspaces.ws.path)/masconfig/certs/assist/ + mkdir -p $(workspaces.ws.path)/masconfig/certs/optimizer/ + mkdir -p $(workspaces.ws.path)/masconfig/certs/visualinspection/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/iot/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/manage/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/monitor/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/add/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/assist/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/optimizer/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/visualinspection/ + + # copy letsencrypt-certs secret to the name where maximo is expecting to find it. 
+ if oc get secret -n openshift-ingress router-certs-default; then
+ echo "router-certs-default secret already exists"
+ else
+ oc get secret letsencrypt-certs -n openshift-ingress -o yaml | yq '.metadata["name"]="router-certs-default"' | oc apply -n openshift-ingress -f -
+ fi
+ - name: install-mas
+ retries: 2
+ timeout: "6h"
+ runAfter:
+ - get-tls-certs
+ - get-maximo-licensefile
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-instance-id
+ value: "$(params.mas-instance-id)"
+ - name: mas-workspace-id
+ value: "$(params.mas-workspace-id)"
+ - name: uds-email
+ value: "$(params.uds-email)"
+ - name: uds-firstname
+ value: "$(params.uds-firstname)"
+ - name: uds-lastname
+ value: "$(params.uds-lastname)"
+ - name: rwo-storageclass
+ value: "$(params.rwo-storageclass)"
+ - name: rwx-storageclass
+ value: "$(params.rwx-storageclass)"
+ taskSpec:
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-instance-id
+ - name: mas-workspace-id
+ - name: uds-email
+ - name: uds-firstname
+ - name: uds-lastname
+ - name: rwo-storageclass
+ - name: rwx-storageclass
+ steps:
+ - name: run-mas-cli
+ image: quay.io/ibmmas/cli:8.2.1
+ script: |
+ #!/usr/bin/env bash
+ # extract license id from license.dat
+ export SLS_LICENSE_ID=$(cat $(workspaces.ws.path)/license.dat | head -1 | cut -d ' ' -f3)
+ export SLS_LICENSE_FILE=$(workspaces.ws.path)/license.dat
+
+ export IBM_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+
+ export MAS_INSTANCE_ID=$(params.mas-instance-id)
+ #export MAS_ WORKSPACE_ID=$(params.mas-workspace-id)
+ export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig
+ export MAS_MANUAL_CERT_MGMT=True
+
+ export DRO_ACTION=install-dro
+ export BAS_PROVIDER=DRO
+ export DRO_CONTACT_EMAIL=$(params.uds-email)
+ export DRO_CONTACT_FIRSTNAME=$(params.uds-firstname)
+ export DRO_CONTACT_LASTNAME=$(params.uds-lastname)
+
+ export PROMETHEUS_ALERTMGR_STORAGE_CLASS=$(params.rwx-storageclass)
+ export PROMETHEUS_STORAGE_CLASS=$(params.rwo-storageclass)
+ export PROMETHEUS_USERWORKLOAD_STORAGE_CLASS=$(params.rwo-storageclass)
+ export GRAFANA_INSTANCE_STORAGE_CLASS=$(params.rwo-storageclass)
+ export MONGODB_STORAGE_CLASS=$(params.rwo-storageclass)
+ export UDS_STORAGE_CLASS=$(params.rwo-storageclass)
+ export DRO_STORAGE_CLASS=$(params.rwo-storageclass)
+
+ ansible-playbook ibm.mas_devops.oneclick_core
+ - name: install-cp4d-manage
+ when:
+ - input: "$(params.mas-install-cp4d-manage)"
+ operator: in
+ values: ["true"]
+ retries: 2
+ timeout: "6h"
+ runAfter:
+ - install-mas
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-instance-id
+ value: "$(params.mas-instance-id)"
+ - name: mas-workspace-id
+ value: "$(params.mas-workspace-id)"
+ - name: install-demo-data
+ value: "$(params.install-demo-data)"
+ - name: rwx-storageclass
+ value: "$(params.rwx-storageclass)"
+ - name: rwo-storageclass
+ value: "$(params.rwo-storageclass)"
+ taskSpec:
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-instance-id
+ - name: mas-workspace-id
+ - name: install-demo-data
+ - name: rwx-storageclass
+ - name: rwo-storageclass
+ steps:
+ - name: run-mas-cli
+ image: quay.io/ibmmas/cli:8.2.1
+ script: |
+ #!/usr/bin/env bash
+ export MAS_INSTANCE_ID=$(params.mas-instance-id)
+ #export MAS_WORKSPACE_ID=$(params.mas-workspace-id)
+ export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig
+ export IBM_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+ export MAS_CONFIG_SCOPE=wsapp
+ export MAS_APPWS_BINDINGS_JDBC=workspace-application
+
+ export DB2_LDAP_USERNAME=monitor
+ export DB2_LDAP_PASSWORD=passw0rd
+
+ export DB2_INSTANCE_NAME=db2wh-manage
+ export DB2_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+ export DB2_DBNAME=BLUDB
+ export DB2_NODE_LABEL=db2wh
+ export DB2_META_STORAGE_CLASS=$(params.rwx-storageclass)
+ export DB2_META_STORAGE_SIZE=100Gi
+ export DB2_META_STORAGE_ACCESSMODE=ReadWriteMany
+ export DB2_DATA_STORAGE_CLASS=$(params.rwx-storageclass)
+ export DB2_DATA_STORAGE_SIZE=100Gi
+ export DB2_DATA_STORAGE_ACCESSMODE=ReadWriteOnce
+ xport DB2_BACKUP_STORAGE_CLASS=$(params.rwx-storageclass)
+ export DB2_BACKUP_STORAGE_SIZE=100Gi
+ export DB2_BACKUP_STORAGE_ACCESSMODE=ReadWriteMany
+ export DB2_TEMP_STORAGE_CLASS=$(params.rwx-storageclass)
+ export DB2_TEMP_STORAGE_SIZE=50Gi
+ export DB2_TEMP_STORAGE_ACCESSMODE=ReadWriteOnce
+ #export DB2_CPU_REQUESTS=6000m
+ #export DB2_CPU_LIMITS=10000m
+ #export DB2_MEMORY_REQUESTS=10Gi
+ #export DB2_MEMORY_LIMITS=20Gi
+
+ export MAS_APP_SETTINGS_PERSISTENT_VOLUMES_FLAG=true
+ export MAS_APP_SETTINGS_BASE_LANG=EN
+ export MAS_APP_SETTINGS_SECONDARY_LANGS='DE'
+ export MAS_APP_SETTINGS_SERVER_BUNDLES_SIZE=jms
+ export MAS_MANAGE_ATTACHMENTS_PROVIDER=filestorage
+ export MAS_APP_SETTINGS_ATTACHMENTS_MOUNT_PATH=/DOCLINKS
+ export MANAGE_AIO_FLAG=false
+ export MAS_APP_ID=manage
+
+ #export MAS_APPWS_COMPONENTS="base=latest,health=latest"
+ export MAS_APP_SETTINGS_DEMODATA=$(params.install-demo-data)
+
+ export CPD_INSTALL_PLATFORM="true"
+ export CPD_INSTALL_COGNOS="true"
+ export CPD_PRODUCT_VERSION="4.8.0"
+ export CPD_PRIMARY_STORAGE_CLASS=$(params.rwx-storageclass)
+ export CPD_METADATA_STORAGE_CLASS=$(params.rwx-storageclass)
+ export CPD_SERVICE_STORAGE_CLASS=$(params.rwx-storageclass)
+ export CPD_SERVICE_BLOCK_STORAGE_CLASS=$(params.rwo-storageclass)
+
+ ansible-playbook ibm.mas_devops.oneclick_add_manage
+ - name: install-iot
+ when:
+ - input: "$(params.mas-install-iot)"
+ operator: in
+ values: ["true"]
+ retries: 2
+ timeout: "6h"
+ runAfter:
+ - install-mas
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-instance-id
+ value: "$(params.mas-instance-id)"
+ - name: mas-workspace-id
+ value: "$(params.mas-workspace-id)"
+ - name: rwo-storageclass
+ value: "$(params.rwo-storageclass)"
+ taskSpec:
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-instance-id
+ - name: mas-workspace-id
+ - name: rwo-storageclass
+ steps:
+ - name: run-mas-cli
+ image: quay.io/ibmmas/cli:8.2.1
+ script: |
+ #!/usr/bin/env bash
+ export MAS_INSTANCE_ID=$(params.mas-instance-id)
+ #export MAS_WORKSPACE_ID=$(params.mas-workspace-id)
+ export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig
+ export IBM_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+ export DB2_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+ export MAS_CONFIG_SCOPE=system
+ export MAS_APPWS_BINDINGS_JDBC=system
+
+ export MAS_APP_SETTINGS_IOT_FPL_PVC_STORAGE_CLASS=$(params.rwo-storageclass)
+
+ ansible-playbook ibm.mas_devops.oneclick_add_iot
+ - name: install-monitor
+ when:
+ - input: "$(params.mas-install-monitor)"
+ operator: in
+ values: ["true"]
+ retries: 2
+ timeout: "6h"
+ runAfter:
+ - install-iot
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-instance-id
+ value: "$(params.mas-instance-id)"
+ - name: mas-workspace-id
+ value: "$(params.mas-workspace-id)"
+ taskSpec:
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-instance-id
+ - name: mas-workspace-id
+ steps:
+ - name: run-mas-cli
+ image: quay.io/ibmmas/cli:8.2.1
+ script: |
+ #!/usr/bin/env bash
+ export MAS_INSTANCE_ID=$(params.mas-instance-id)
+ export MAS_WORKSPACE_ID=$(params.mas-workspace-id)
+ export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig
+ export IBM_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+ export DB2_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+ export MAS_CONFIG_SCOPE=system
+ export MAS_APPWS_BINDINGS_JDBC=system
+
+ ansible-playbook ibm.mas_devops.oneclick_add_monitor
+
+
+
+
diff --git a/8.11.x/test-run.yaml b/8.11.x/test-run.yaml
new file mode 100644
index 0000000..ea9b955
--- /dev/null
+++ b/8.11.x/test-run.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ generateName: pr-mas-devops-
+spec:
+ params:
+ - name: uds-email
+ value: "dev-techzone@ibm.com"
+ - name: uds-firstname
+ value: "TechZone"
+ - name: uds-lastname
+ value: "Developer"
+ - name: mas-install-cp4d-manage
+ value: "true"
+ workspaces:
+ - name: ws
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ pipelineRef:
+ name: mas-masdevops-deploy
+# podTemplate:
+# securityContext:
+# fsGroup: 65532
diff --git a/9.0.x-v1/pipeline-run-manage-iot-monitor.yaml b/9.0.x-v1/pipeline-run-manage-iot-monitor.yaml
new file mode 100644
index 0000000..57a6ab8
--- /dev/null
+++ b/9.0.x-v1/pipeline-run-manage-iot-monitor.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: pr-mas-devops-
+spec:
+ params:
+ - name: uds-email
+ value: "dev-techzone@ibm.com"
+ - name: uds-firstname
+ value: "TechZone"
+ - name: uds-lastname
+ value: "Developer"
+ - name: mas-install-cp4d-manage
+ value: "true"
+ - name: mas-install-monitor
+ value: "true"
+ - name: mas-install-iot
+ value: "true"
+ workspaces:
+ - name: ws
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ timeouts:
+ pipeline: "0"
+ tasks: "9h"
+ pipelineRef:
+ name: mas-masdevops-deploy
diff --git a/9.0.x-v1/pipeline-run-manage.yaml b/9.0.x-v1/pipeline-run-manage.yaml
new file mode 100644
index 0000000..0a54e4f
--- /dev/null
+++ b/9.0.x-v1/pipeline-run-manage.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: pr-mas-devops-
+spec:
+ params:
+ - name: uds-email
+ value: "dev-techzone@ibm.com"
+ - name: uds-firstname
+ value: "TechZone"
+ - name: uds-lastname
+ value: "Developer"
+ - name: mas-install-cp4d-manage
+ value: "true"
+ workspaces:
+ - name: ws
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ timeouts:
+ pipeline: "0"
+ tasks: "9h"
+ pipelineRef:
+ name: mas-masdevops-deploy
diff --git a/9.0.x-v1/pipeline-run.yaml b/9.0.x-v1/pipeline-run.yaml
new file mode 100644
index 0000000..8d2c487
--- /dev/null
+++ b/9.0.x-v1/pipeline-run.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: pr-mas-devops-
+spec:
+ params:
+ - name: uds-email
+ value: "dev-techzone@ibm.com"
+ - name: uds-firstname
+ value: "TechZone"
+ - name: uds-lastname
+ value: "Developer"
+ workspaces:
+ - name: ws
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ timeouts:
+ pipeline: "0"
+ tasks: "6h"
+ pipelineRef:
+ name: mas-masdevops-deploy
diff --git a/9.0.x-v1/pipeline.yaml b/9.0.x-v1/pipeline.yaml
new file mode 100644
index 0000000..a58de59
--- /dev/null
+++ b/9.0.x-v1/pipeline.yaml
@@ -0,0 +1,517 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+ name: mas-masdevops-deploy
+ namespace: default
+spec:
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-instance-id
+ type: string
+ default: "inst1"
+ - name: mas-workspace-id
+ type: string
+ default: "masupiwork"
+ - name: mas-install-cp4d-manage
+ type: string
+ description: "controls whether Maximo Manage and CP4D+Cognos is installed"
+ default: "false"
+ - name: mas-install-iot
+ type: string
+ description: "install MAS iot"
+ default: "false"
+ - name: mas-install-monitor
+ type: string
+ description: "install MAS Monitor"
+ default: "false"
+ - name: install-demo-data
+ type: string
+ description: "install demo data, adds 2+ hours to install time"
+ default: "true"
+ - name: license-file-secret-name
+ description: "Store your BYOL license key stored as a base64 encoded arbitrary secret in the kube-system namespace. provide the name of the secret here. the defaul is false which means the pipeline will attempt to download a techzone license"
+ type: string
+ default: "false"
+ - name: use-letsencrypt-certs
+ description: "use generated letsencrypt certs stored as a secret in the openshift-config namespace under letsencrypt-certs, if false, will generate self-signed certs"
+ type: string
+ default: "true"
+ - name: ibm-entitlement-key
+ description: "IBM entitlement key. If not set, will use secret manager."
+ type: string
+ default: "false"
+ - name: uds-email
+ description: "Contact Email"
+ type: string
+ - name: uds-firstname
+ description: "Contact first name"
+ type: string
+ - name: uds-lastname
+ description: "Contact last name"
+ type: string
+ - name: rwx-storageclass
+ description: "desired RWX storageclass"
+ type: string
+ default: "ocs-storagecluster-cephfs"
+ - name: "rwo-storageclass"
+ description: "desired RWO storageclass"
+ type: string
+ default: "ocs-storagecluster-cephfs"
+ - name: "tlscert-secret"
+ description: "location of TLS certs in openshift-config namespace"
+ type: string
+ default: "letsencrypt-certs"
+ - name: "mas-catalog-version"
+ description: "Maximo operator catalog version"
+ type: string
+ default: "v9-240625-amd64"
+ - name: "mas-channel"
+ description: "channel to subscribe to"
+ type: string
+ default: "9.0.x"
+ finally:
+ - name: update-configmap-failure
+ when:
+ - input: $(tasks.install-mas.status)
+ operator: notin
+ values: ["Succeeded"]
+ taskRef:
+ kind: Task
+ name: ibm-pak
+ params:
+ - name: SCRIPT
+ value: |
+ oc patch configmap/pipeline-output -p '{"data":{"Status":"Pipeline run failed. See Pipeline run for more details and consider running the pipeline again."}}'
+ - name: update-configmap-success
+ when:
+ - input: $(tasks.install-mas.status)
+ operator: in
+ values: ["Succeeded"]
+ taskRef:
+ kind: Task
+ name: ibm-pak
+ params:
+ - name: SCRIPT
+ value: |
+ # get and echo the pipeline the mas installer created
+ oc patch configmap/pipeline-output -p '{"data":{"Status":"Deployment Pipeline Running."}}'
+ tasks:
+ - name: get-ibm-entitlement-key
+ taskRef:
+ name: ibmcloud-secrets-manager-get
+ kind: Task
+ params:
+ - name: KEY_ID
+ value: 968d7819-f2c5-7b67-c420-3c6bfd51521e
+ - name: SECRETS_MANAGER_ENDPOINT_URL
+ value: >-
+ https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud
+ - name: set-retrieved-entitlement-key
+ when:
+ - input: "$(params.ibm-entitlement-key)"
+ operator: in
+ values: ["false"]
+ runAfter:
+ - get-ibm-entitlement-key
+ params:
+ - name: retrieved-entitlement-key
+ value: $(tasks.get-ibm-entitlement-key.results.secret-value)
+ workspaces:
+ - name: ws
+ taskSpec:
+ workspaces:
+ - name: ws
+ params:
+ - name: retrieved-entitlement-key
+ steps:
+ - name: set-entitlement-key
+ image: quay.io/openshift/origin-cli:4.10
+ script: |
+ #!/usr/bin/env bash
+ echo $(params.retrieved-entitlement-key)
+ echo $(params.retrieved-entitlement-key) > $(workspaces.ws.path)/ek.dat
+ echo "ek.dat created"
+ exit
+ - name: set-provided-entitlement-key
+ workspaces:
+ - name: ws
+ params:
+ - name: provided-entitlement-key
+ value: "$(params.ibm-entitlement-key)"
+ taskSpec:
+ workspaces:
+ - name: ws
+ params:
+ - name: provided-entitlement-key
+ steps:
+ - name: set-entitlement
+ image: quay.io/openshift/origin-cli:4.10
+ script: |
+ #!/usr/bin/env bash
+ echo $(params.provided-entitlement-key) > $(workspaces.ws.path)/ek.dat
+ echo "ek.dat created"
+ exit
+ - name: get-maximo-licensefile
+ workspaces:
+ - name: ws
+ runAfter:
+ - set-provided-entitlement-key
+ - set-retrieved-entitlement-key
+ params:
+ - name: KEY_ID
+ value: 5ef410aa-bd48-3339-0096-d2b11e91cb57
+ - name: SECRETS_MANAGER_ENDPOINT_URL
+ value: >-
+ https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud
+ - name: LICENSE_FILE_SECRET_NAME
+ value: "$(params.license-file-secret-name)"
+ taskSpec:
+ workspaces:
+ - name: ws
+ params:
+ - name: KEY_ID
+ - name: SECRETS_MANAGER_ENDPOINT_URL
+ - name: LICENSE_FILE_SECRET_NAME
+ steps:
+ - name: write-maximo-licensefile
+ image: quay.io/openshift/origin-cli:4.12
+ script: |
+ #!/usr/bin/env bash
+
+ if [[ $(params.LICENSE_FILE_SECRET_NAME) == "false" ]]; then
+ # Retrieve the IBM Cloud API Key configured in a `deployer` cluster
+ export IBMCLOUD_API_KEY=$(oc get secret ibm-secret -n kube-system -o jsonpath='{.data.apiKey}' | base64 -d)
+ export AUTH_RESPONSE_JSON=$(curl -s -X POST \
+ "https://iam.cloud.ibm.com/identity/token" \
+ --header 'Content-Type: application/x-www-form-urlencoded' \
+ --header 'Accept: application/json' \
+ --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey' \
+ --data-urlencode "apikey=${IBMCLOUD_API_KEY}")
+ export ACCESS_TOKEN=$(echo $AUTH_RESPONSE_JSON | grep -o '"access_token":"[^"]*' | grep -o '[^"]*$')
+ export SECRET_JSON=$(curl -s -X GET --location --header "Authorization: Bearer ${ACCESS_TOKEN}" --header "Accept: application/json" "$(params.SECRETS_MANAGER_ENDPOINT_URL)/api/v2/secrets/$(params.KEY_ID)")
+ echo $SECRET_JSON | grep -o '"payload":"[^"]*' | grep -o '[^"]*$' | base64 -d > $(workspaces.ws.path)/license.dat
+
+ else
+ oc get secret $(params.LICENSE_FILE_SECRET_NAME) -n default -o jsonpath='{.data.licensefile}' | base64 -d | base64 -d > $(workspaces.ws.path)/license.dat
+ fi
+
+ cat $(workspaces.ws.path)/license.dat
+ - name: get-tls-certs
+ when:
+ - input: "$(params.use-letsencrypt-certs)"
+ operator: in
+ values: ["true"]
+ retries: 2
+ runAfter:
+ - get-maximo-licensefile
+ params:
+ - name: TLSCERT_SECRET_LOCATION
+ value: "$(params.tlscert-secret)"
+ workspaces:
+ - name: ws
+ taskSpec:
+ workspaces:
+ - name: ws
+ params:
+ - name: TLSCERT_SECRET_LOCATION
+ steps:
+ - name: get-tls-certs
+ image: quay.io/congxdev/ibm-pak-ubi:latest
+ script: |
+ ### this is the method to load certs to the mas installer
+ mkdir -p $(workspaces.ws.path)/masconfig/certs/core/
+ wget -qO - https://letsencrypt.org/certs/lets-encrypt-r3.pem > $(workspaces.ws.path)/masconfig/certs/core/ca.crt
+ oc get secret $(params.TLSCERT_SECRET_LOCATION) -n openshift-config -o jsonpath="{.data['tls\.key']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/core/tls.key
+ oc get secret $(params.TLSCERT_SECRET_LOCATION) -n openshift-config -o jsonpath="{.data['tls\.crt']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/core/tls.crt
+ ls $(workspaces.ws.path)/masconfig/certs/core/
+ cat $(workspaces.ws.path)/masconfig/certs/core/tls.key
+ cat $(workspaces.ws.path)/masconfig/certs/core/tls.crt
+
+ # copy to app directories
+ echo "copying to app directories..."
+ mkdir -p $(workspaces.ws.path)/masconfig/certs/iot/
+ mkdir -p $(workspaces.ws.path)/masconfig/certs/manage/
+ mkdir -p $(workspaces.ws.path)/masconfig/certs/monitor/
+ mkdir -p $(workspaces.ws.path)/masconfig/certs/add/
+ mkdir -p $(workspaces.ws.path)/masconfig/certs/assist/
+ mkdir -p $(workspaces.ws.path)/masconfig/certs/optimizer/
+ mkdir -p $(workspaces.ws.path)/masconfig/certs/visualinspection/
+ cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/iot/
+ cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/manage/
+ cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/monitor/
+ cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/add/
+ cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/assist/
+ cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/optimizer/
+ cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/visualinspection/
+
+ # copy letsencrypt-certs secret to the name where maximo is expecting to find it.
+ if oc get secret -n openshift-ingress router-certs-default; then
+ echo "router-certs-default secret already exists"
+ else
+ oc get secret letsencrypt-certs -n openshift-ingress -o yaml | yq '.metadata["name"]="router-certs-default"' | oc apply -n openshift-ingress -f -
+ fi
+ - name: install-mas
+ retries: 2
+ timeout: "6h"
+ runAfter:
+ - get-tls-certs
+ - get-maximo-licensefile
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-catalog-version
+ value: "$(params.mas-catalog-version)"
+ - name: mas-channel
+ value: "$(params.mas-channel)"
+ - name: mas-instance-id
+ value: "$(params.mas-instance-id)"
+ - name: mas-workspace-id
+ value: "$(params.mas-workspace-id)"
+ - name: uds-email
+ value: "$(params.uds-email)"
+ - name: uds-firstname
+ value: "$(params.uds-firstname)"
+ - name: uds-lastname
+ value: "$(params.uds-lastname)"
+ - name: rwo-storageclass
+ value: "$(params.rwo-storageclass)"
+ - name: rwx-storageclass
+ value: "$(params.rwx-storageclass)"
+ taskSpec:
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-catalog-version
+ - name: mas-channel
+ - name: mas-instance-id
+ - name: mas-workspace-id
+ - name: uds-email
+ - name: uds-firstname
+ - name: uds-lastname
+ - name: rwo-storageclass
+ - name: rwx-storageclass
+ steps:
+ - name: run-mas-cli
+ image: quay.io/ibmmas/cli:latest
+ script: |
+ #!/usr/bin/env bash
+ # extract license id from license.dat
+ export SLS_LICENSE_ID=$(cat $(workspaces.ws.path)/license.dat | head -1 | cut -d ' ' -f3)
+ export SLS_LICENSE_FILE=$(workspaces.ws.path)/license.dat
+
+ export IBM_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+
+ export MAS_INSTANCE_ID=$(params.mas-instance-id)
+ #export MAS_ WORKSPACE_ID=$(params.mas-workspace-id)
+ export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig
+ export MAS_MANUAL_CERT_MGMT=True
+ export MAS_CATALOG_VERSION=$(params.mas-catalog-version)
+ export MAS_CHANNEL=$(params.mas-channel)
+
+ export DRO_ACTION=install-dro
+ export BAS_PROVIDER=DRO
+ export DRO_CONTACT_EMAIL=$(params.uds-email)
+ export DRO_CONTACT_FIRSTNAME=$(params.uds-firstname)
+ export DRO_CONTACT_LASTNAME=$(params.uds-lastname)
+
+ export PROMETHEUS_ALERTMGR_STORAGE_CLASS=$(params.rwx-storageclass)
+ export PROMETHEUS_STORAGE_CLASS=$(params.rwo-storageclass)
+ export PROMETHEUS_USERWORKLOAD_STORAGE_CLASS=$(params.rwo-storageclass)
+ export GRAFANA_INSTANCE_STORAGE_CLASS=$(params.rwo-storageclass)
+ export MONGODB_STORAGE_CLASS=$(params.rwo-storageclass)
+ export UDS_STORAGE_CLASS=$(params.rwo-storageclass)
+ export DRO_STORAGE_CLASS=$(params.rwo-storageclass)
+
+ ansible-playbook ibm.mas_devops.oneclick_core
+ - name: install-cp4d-manage
+ when:
+ - input: "$(params.mas-install-cp4d-manage)"
+ operator: in
+ values: ["true"]
+ retries: 2
+ timeout: "6h"
+ runAfter:
+ - install-mas
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-catalog-version
+ value: "$(params.mas-catalog-version)"
+ - name: mas-channel
+ value: "$(params.mas-channel)"
+ - name: mas-instance-id
+ value: "$(params.mas-instance-id)"
+ - name: mas-workspace-id
+ value: "$(params.mas-workspace-id)"
+ - name: install-demo-data
+ value: "$(params.install-demo-data)"
+ - name: rwx-storageclass
+ value: "$(params.rwx-storageclass)"
+ - name: rwo-storageclass
+ value: "$(params.rwo-storageclass)"
+ taskSpec:
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-instance-id
+ - name: mas-workspace-id
+ - name: mas-catalog-version
+ - name: mas-channel
+ - name: install-demo-data
+ - name: rwx-storageclass
+ - name: rwo-storageclass
+ steps:
+ - name: run-mas-cli
+ image: quay.io/ibmmas/cli:latest
+ script: |
+ #!/usr/bin/env bash
+ export MAS_INSTANCE_ID=$(params.mas-instance-id)
+ #export MAS_WORKSPACE_ID=$(params.mas-workspace-id)
+ export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig
+ export IBM_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+ export MAS_CONFIG_SCOPE=wsapp
+ export MAS_APPWS_BINDINGS_JDBC=workspace-application
+ export MAS_CATALOG_VERSION=$(params.mas-catalog-version)
+ export MAS_CHANNEL=$(params.mas-channel)
+
+ export DB2_INSTANCE_NAME=db2wh-manage
+ export DB2_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+ export DB2_DBNAME=BLUDB
+ export DB2_NODE_LABEL=db2wh
+ export DB2_META_STORAGE_CLASS=$(params.rwx-storageclass)
+ export DB2_META_STORAGE_SIZE=100Gi
+ export DB2_META_STORAGE_ACCESSMODE=ReadWriteMany
+ export DB2_DATA_STORAGE_CLASS=$(params.rwx-storageclass)
+ export DB2_DATA_STORAGE_SIZE=100Gi
+ export DB2_DATA_STORAGE_ACCESSMODE=ReadWriteOnce
+ xport DB2_BACKUP_STORAGE_CLASS=$(params.rwx-storageclass)
+ export DB2_BACKUP_STORAGE_SIZE=100Gi
+ export DB2_BACKUP_STORAGE_ACCESSMODE=ReadWriteMany
+ export DB2_TEMP_STORAGE_CLASS=$(params.rwx-storageclass)
+ export DB2_TEMP_STORAGE_SIZE=50Gi
+ export DB2_TEMP_STORAGE_ACCESSMODE=ReadWriteOnce
+ #export DB2_CPU_REQUESTS=6000m
+ #export DB2_CPU_LIMITS=10000m
+ #export DB2_MEMORY_REQUESTS=10Gi
+ #export DB2_MEMORY_LIMITS=20Gi
+
+ export MAS_APP_SETTINGS_PERSISTENT_VOLUMES_FLAG=true
+ export MAS_APP_SETTINGS_BASE_LANG=EN
+ export MAS_APP_SETTINGS_SECONDARY_LANGS='DE'
+ export MAS_APP_SETTINGS_SERVER_BUNDLES_SIZE=jms
+ export MAS_MANAGE_ATTACHMENTS_PROVIDER=filestorage
+ export MAS_APP_SETTINGS_ATTACHMENTS_MOUNT_PATH=/DOCLINKS
+ export MANAGE_AIO_FLAG=false
+ export MAS_APP_ID=manage
+
+ #export MAS_APPWS_COMPONENTS="base=latest,health=latest"
+ export MAS_APP_SETTINGS_DEMODATA=$(params.install-demo-data)
+
+ export CPD_INSTALL_PLATFORM="true"
+ export CPD_INSTALL_COGNOS="true"
+ export CPD_PRODUCT_VERSION="4.8.0"
+ export CPD_PRIMARY_STORAGE_CLASS=$(params.rwx-storageclass)
+ export CPD_METADATA_STORAGE_CLASS=$(params.rwx-storageclass)
+ export CPD_SERVICE_STORAGE_CLASS=$(params.rwx-storageclass)
+ export CPD_SERVICE_BLOCK_STORAGE_CLASS=$(params.rwo-storageclass)
+
+ ansible-playbook ibm.mas_devops.oneclick_add_manage
+ - name: install-iot
+ when:
+ - input: "$(params.mas-install-iot)"
+ operator: in
+ values: ["true"]
+ retries: 2
+ timeout: "6h"
+ runAfter:
+ - install-mas
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-catalog-version
+ value: "$(params.mas-catalog-version)"
+ - name: mas-channel
+ value: "$(params.mas-channel)"
+ - name: mas-instance-id
+ value: "$(params.mas-instance-id)"
+ - name: mas-workspace-id
+ value: "$(params.mas-workspace-id)"
+ - name: rwo-storageclass
+ value: "$(params.rwo-storageclass)"
+ taskSpec:
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-catalog-version
+ - name: mas-channel
+ - name: mas-instance-id
+ - name: mas-workspace-id
+ - name: rwo-storageclass
+ steps:
+ - name: run-mas-cli
+ image: quay.io/ibmmas/cli:latest
+ script: |
+ #!/usr/bin/env bash
+ export MAS_INSTANCE_ID=$(params.mas-instance-id)
+ #export MAS_WORKSPACE_ID=$(params.mas-workspace-id)
+ export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig
+ export IBM_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+ export DB2_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+ export MAS_CONFIG_SCOPE=system
+ export MAS_APPWS_BINDINGS_JDBC=system
+ export MAS_CATALOG_VERSION=$(params.mas-catalog-version)
+ export MAS_CHANNEL=$(params.mas-channel)
+
+ export MAS_APP_SETTINGS_IOT_FPL_PVC_STORAGE_CLASS=$(params.rwo-storageclass)
+
+ ansible-playbook ibm.mas_devops.oneclick_add_iot
+ - name: install-monitor
+ when:
+ - input: "$(params.mas-install-monitor)"
+ operator: in
+ values: ["true"]
+ retries: 2
+ timeout: "6h"
+ runAfter:
+ - install-iot
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-instance-id
+ value: "$(params.mas-instance-id)"
+ - name: mas-workspace-id
+ value: "$(params.mas-workspace-id)"
+ - name: mas-catalog-version
+ value: "$(params.mas-catalog-version)"
+ - name: mas-channel
+ value: "$(params.mas-channel)"
+ taskSpec:
+ workspaces:
+ - name: ws
+ params:
+ - name: mas-instance-id
+ - name: mas-workspace-id
+ - name: mas-catalog-version
+ - name: mas-channel
+ steps:
+ - name: run-mas-cli
+ image: quay.io/ibmmas/cli:latest
+ script: |
+ #!/usr/bin/env bash
+ export MAS_INSTANCE_ID=$(params.mas-instance-id)
+ export MAS_WORKSPACE_ID=$(params.mas-workspace-id)
+ export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig
+ export IBM_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+ export DB2_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+ export MAS_CONFIG_SCOPE=system
+ export MAS_APPWS_BINDINGS_JDBC=system
+ export MAS_CATALOG_VERSION=$(params.mas-catalog-version)
+ export MAS_CHANNEL=$(params.mas-channel)
+
+ ansible-playbook ibm.mas_devops.oneclick_add_monitor
+
+
+
+
diff --git a/9.0.x/pipeline-run.yaml b/9.0.x/pipeline-run.yaml
new file mode 100644
index 0000000..24d2e18
--- /dev/null
+++ b/9.0.x/pipeline-run.yaml
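Review bot: In 9.0.x-v1/pipeline.yaml three steps print secret material to the step log, where anyone who can read the TaskRun pods' logs can retrieve it: `echo $(params.retrieved-entitlement-key)` in set-entitlement-key, `cat $(workspaces.ws.path)/masconfig/certs/core/tls.key` in get-tls-certs, and `cat $(workspaces.ws.path)/license.dat` in write-maximo-licensefile. I would delete those three lines; if a sanity check is wanted, `test -s $(workspaces.ws.path)/masconfig/certs/core/tls.key` confirms the file is non-empty without revealing it. The same get-tls-certs step runs `quay.io/congxdev/ibm-pak-ubi:latest`, a mutable tag on an image that handles the private key, so pinning it (and `quay.io/ibmmas/cli:latest`) by digest is worth considering. Separately, `xport DB2_BACKUP_STORAGE_CLASS=…` in install-cp4d-manage looks like a typo for `export`, so that variable is not set for the playbook.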
@@ -0,0 +1,109 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: pr-mas-deploy-
+ namespace: default
+spec:
+ pipelineRef:
+ name: mas-devops-deploy
+ params:
+ - name: uds-email
+ value: "dev-techzone@ibm.com"
+ - name: uds-firstname
+ value: "TechZone"
+ - name: uds-lastname
+ value: "Developer"
+ - name: use-letsencrypt-certs
+ value: "true"
+ #lets encrypt secret location and namespace
+ - name: tlscert-secret
+ value: "user-serving-cert-000"
+ - name: tlscert-namespace
+ value: "openshift-kube-apiserver"
+ - name: ibm-entitlement-key
+ value: "false"
+ #mas-license-secret
+ - name: license-file-secret-name
+ value: "false"
+ # Optionally change storageclass for ocpv
+ - name: rwx-storageclass
+ value: ocs-external-storagecluster-cephfs
+ - name: rwo-storageclass
+ value: ocs-external-storagecluster-cephfs
+
+ # install MAS Core. This task may be skipped once done successfully
+ - name: mas-install-core
+ value: "true"
+
+ # install MAS Manage, depending on MAS Core, optionally CP4D/DB2
+ - name: mas-install-manage
+ value: "false"
+ - name: mas-install-demo-data
+ value: "false"
+ - name: mas-cp4d-install-cognos
+ value: "false"
+
+ # install MAS Optimizer
+ - name: mas-install-optimizer
+ value: "false"
+
+ # install MAS Visual Inspection
+ - name: mas-install-visualinspection
+ value: "false"
+
+ - name: run-kafka-fix
+ value: "false"
+ # install MAS IoT and Monitor, depending on MAS Core
+ - name: mas-install-iot
+ value: "false"
+ - name: mas-install-monitor
+ value: "false"
+
+ # install MAS Predict, depending on MAS Core, Health, IoT and Monitor, optionally CP4D services
+ - name: mas-install-predict
+ value: "false"
+ - name: cpd-platform-components
+ value: "false"
+ - name: cpd-install-spss
+ value: "false"
+ - name: cpd-wsl-projectname
+ value: "maspredictproject"
+ - name: cpd-wml-url
+ value: "xxx"
+ - name: cpd-admin-url
+ value: "xxx"
+ - name: cpd-admin-username
+ value: "admin"
+ - name: cpd-admin-password
+ value: "xxx"
+
+ # install MAS AI Broker, depending on MAS Core, Manage, IoT and Monitor
+ - name: mas-install-aibroker
+ value: "false"
+ - name: artifactory_username
+ value: "xxx"
+ - name: artifactory_token
+ value: "xxx"
+ - name: mas_airbroker_watsonxai_apikey
+ value: "xxx"
+ - name: mas_airbroker_watsonxai_url
+ value: "https://us-south.ml.cloud.ibm.com"
+ - name: mas_airbroker_watsonxai_project_id
+ value: "xxx"
+ - name: mas_aibroker_channel
+ value: "9.0.x"
+
+ workspaces:
+ - name: ws
+ volumeClaimTemplate:
+ spec:
+ storageClassName: ocs-external-storagecluster-cephfs
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ timeouts:
+ pipeline: "0"
+ tasks: "24h"
\ No newline at end of file
diff --git a/9.0.x/pipeline.yaml b/9.0.x/pipeline.yaml
new file mode 100644
index 0000000..ed75553
--- /dev/null
+++ b/9.0.x/pipeline.yaml
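Review bot: In 9.0.x/pipeline-run.yaml, `cpd-admin-password`, `artifactory_token` and `mas_airbroker_watsonxai_apikey` are plain PipelineRun params, so whoever replaces the `xxx` placeholders stores the credentials in the PipelineRun object, readable by anyone who can get pipelineruns in `default`, and quite possibly in a committed copy of this file. I would pass only the name of a Kubernetes Secret, as the run already does with `license-file-secret-name`, and have the task read the value from it. Until then a comment above these params such as `# do not commit real values; create a Secret and reference it by name` would help. How the pipeline consumes these params is outside this hunk.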
@@ -0,0 +1,1063 @@ +--- +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + name: mas-devops-deploy + namespace: default +spec: + workspaces: + - name: ws + params: + - name: mas-instance-id + type: string + default: "inst1" + - name: mas-workspace-id + type: string + default: "masdev" + - name: mas-install-core + type: string + description: "install MAS core" + default: "true" + - name: mas-cp4d-version + type: string + description: "Supported CP4D version for MAS on OpenShift" + default: "5.0.0" + - name: mas-install-manage + type: string + description: "controls whether Maximo Manage and CP4D is installed" + default: "true" + - name: mas-appws-components + type: string + description: "controls what appws components are loaded for manage" + default: "base=latest" + - name: mas-cp4d-install-cognos + type: string + default: "false" + - name: mas-install-optimizer + type: string + default: "false" + - name: mas-install-visualinspection + type: string + default: "false" + - name: run-kafka-fix + type: string + description: "Fix Strimzi Operator" + default: "false" + - name: mas-install-iot + type: string + description: "install MAS iot" + default: "false" + - name: mas-install-monitor + type: string + description: "install MAS Monitor" + default: "false" + - name: mas-install-predict + type: string + description: "install MAS Predict" + default: "false" + - name: install-demo-data + type: string + description: "install demo data, adds 2+ hours to install time" + default: "true" + - name: license-file-secret-name + description: "Store your BYOL license key stored as a base64 encoded arbitrary secret in the kube-system namespace. provide the name of the secret here. 
the defaul is false which means the pipeline will attempt to download a techzone license" + type: string + default: "false" + - name: use-letsencrypt-certs + description: "use generated letsencrypt certs stored as a secret must specify secret and namespace to locate certs" + type: string + default: "true" + - name: "tlscert-secret" + description: "location of TLS cert secret" + type: string + default: letsencrypt-certs + - name: "tlscert-namespace" + description: "namespace of TLS cert secret" + type: string + default: openshift-config + - name: ibm-entitlement-key + description: "IBM entitlement key. If not set, will use secret manager." + type: string + default: "false" + - name: uds-email + description: "Contact Email" + type: string + - name: uds-firstname + description: "Contact first name" + type: string + - name: uds-lastname + description: "Contact last name" + type: string + - name: rwx-storageclass + description: "desired RWX storageclass" + type: string + default: "ocs-storagecluster-cephfs" + - name: rwo-storageclass + description: "desired RWO storageclass" + type: string + default: ocs-storagecluster-cephfs + - name: "mas-catalog-version" + description: "Maximo operator catalog version. 
Check https://ibm-mas.github.io/cli/catalogs/" + type: string + default: v9-250501-amd64 + - name: mas-channel + description: "channel to subscribe to" + type: string + default: "9.0.x" + - name: cpd-platform-services + type: string + description: "Install CP4D, including WS, WML, OpenScale, Spark in the cluster" + default: "true" + - name: cpd-install-spss + type: string + description: "Install SPSS in the cluster" + default: "true" + - name: cpd-wsl-projectname + type: string + description: "Watson Studio Project Name" + default: "maspredictproject" + - name: cpd-wml-url + type: string + default: "xxx" + - name: cpd-admin-url + type: string + default: "xxx" + - name: cpd-admin-username + type: string + default: "admin" + - name: cpd-admin-password + type: string + default: "xxx" + - name: mas-install-aibroker + description: "Install AI Broker" + type: string + default: "false" + - name: artifactory_username + type: string + - name: artifactory_token + type: string + - name: mas_airbroker_watsonxai_apikey + type: string + - name: mas_airbroker_watsonxai_url + type: string + default: "https://us-south.ml.cloud.ibm.com" + - name: mas_airbroker_watsonxai_project_id + type: string + - name: mas_aibroker_channel + type: string + default: "9.0.x" + + finally: + - name: update-configmap-failure + when: + - input: $(tasks.install-mas-core.status) + operator: notin + values: ["Succeeded"] + taskRef: + kind: Task + name: ibm-pak + params: + - name: SCRIPT + value: | + oc patch configmap/pipeline-output -p '{"data":{"Status":"Pipeline run failed/skipped to install mas core. 
See Pipeline run for more details and consider running the pipeline again."}}' + - name: update-configmap-success + when: + - input: $(tasks.install-mas-core.status) + operator: in + values: ["Succeeded"] + taskRef: + kind: Task + name: ibm-pak + params: + - name: SCRIPT + value: | + # get and echo the pipeline the mas installer created + oc patch configmap/pipeline-output -p '{"data":{"Status":"Deployment Pipeline completed to install mas core."}}' + tasks: + - name: check-container-registry + taskRef: + kind: Task + name: ibm-pak + params: + - name: SCRIPT + value: | + status=$(oc get configs.imageregistry.operator.openshift.io cluster -o jsonpath='{.status.conditions[?(@.type=="Available")].reason}') + + TIMEOUT_SECONDS=300 + while [[ "$status" != "Ready" ]] && [[ $SECONDS -lt $TIMEOUT_SECONDS ]]; do + echo "OpenShift Container Registry is not ready. Current status: $status" + + # Apply the patch commands + oc patch config.imageregistry.operator.openshift.io/cluster --type=merge -p '{"spec":{"storage":{"emptyDir":{}}}}' + oc patch config.imageregistry.operator.openshift.io/cluster --type=merge -p '{"spec":{"managementState":"Managed"}}' + + # Check status after a short delay to avoid overwhelming the server + sleep 10 + + # Update status + status=$(oc get configs.imageregistry.operator.openshift.io cluster -o jsonpath='{.status.conditions[?(@.type=="Available")].reason}') + done + + if [[ "$status" == "Ready" ]]; then + echo "OpenShift Container Registry is ready" + exit 0 + else + echo "OpenShift Container Registry failed to become ready after $TIMEOUT_SECONDS seconds." 
>&2 + exit 1 + fi + - name: get-ibm-entitlement-key + when: + - input: "$(params.ibm-entitlement-key)" + operator: in + values: ["false"] + taskRef: + name: ibmcloud-secrets-manager-get + kind: Task + retries: 2 + params: + - name: KEY_ID + value: 968d7819-f2c5-7b67-c420-3c6bfd51521e + - name: SECRETS_MANAGER_ENDPOINT_URL + value: >- + https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud + - name: set-ibm-entitlement-key + runAfter: + - get-ibm-entitlement-key + params: + - name: ibm-entitlement-key + value: "$(params.ibm-entitlement-key)" + retries: 3 + taskSpec: + workspaces: + - name: ws + params: + - name: ibm-entitlement-key + steps: + - name: copy-entitlement-key-to-ws + image: quay.io/openshift/origin-cli:4.10 + script: | + #!/usr/bin/env bash + if [ $(params.ibm-entitlement-key) == "false" ]; then + echo "Use TechZone provided entitlement key" + echo $(tasks.get-ibm-entitlement-key.results.secret-value) + echo $(tasks.get-ibm-entitlement-key.results.secret-value) > $(workspaces.ws.path)/ek.dat + else + echo "Use user provided entitlement key" + echo $(params.ibm-entitlement-key) + echo $(params.ibm-entitlement-key) > $(workspaces.ws.path)/ek.dat + fi + echo "ek.dat created" + exit + - name: get-maximo-licensefile + retries: 2 + workspaces: + - name: ws + params: + - name: KEY_ID + value: 2d52b201-117a-35ea-71f0-9781a93fbed4 + - name: SECRETS_MANAGER_ENDPOINT_URL + value: >- + https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud + - name: LICENSE_FILE_SECRET_NAME + value: "$(params.license-file-secret-name)" + taskSpec: + workspaces: + - name: ws + params: + - name: KEY_ID + - name: SECRETS_MANAGER_ENDPOINT_URL + - name: LICENSE_FILE_SECRET_NAME + steps: + - name: write-maximo-licensefile + image: quay.io/openshift/origin-cli:4.12 + script: | + #!/usr/bin/env bash + + if [[ $(params.LICENSE_FILE_SECRET_NAME) == "false" ]]; then + # Retrieve the IBM Cloud API Key configured in a `deployer` 
cluster + export IBMCLOUD_API_KEY=$(oc get secret ibm-secret -n kube-system -o jsonpath='{.data.apiKey}' | base64 -d) + export AUTH_RESPONSE_JSON=$(curl -s -X POST \ + "https://iam.cloud.ibm.com/identity/token" \ + --header 'Content-Type: application/x-www-form-urlencoded' \ + --header 'Accept: application/json' \ + --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey' \ + --data-urlencode "apikey=${IBMCLOUD_API_KEY}") + export ACCESS_TOKEN=$(echo $AUTH_RESPONSE_JSON | grep -o '"access_token":"[^"]*' | grep -o '[^"]*$') + export SECRET_JSON=$(curl -s -X GET --location --header "Authorization: Bearer ${ACCESS_TOKEN}" --header "Accept: application/json" "$(params.SECRETS_MANAGER_ENDPOINT_URL)/api/v2/secrets/$(params.KEY_ID)") + echo $SECRET_JSON | grep -o '"payload":"[^"]*' | grep -o '[^"]*$' | base64 -d > $(workspaces.ws.path)/license.dat + + else + oc get secret $(params.LICENSE_FILE_SECRET_NAME) -n default -o jsonpath='{.data.licensefile}' | base64 -d | base64 -d > $(workspaces.ws.path)/license.dat + fi + + cat $(workspaces.ws.path)/license.dat + exit + - name: get-tls-certs + runAfter: + - set-ibm-entitlement-key + - get-maximo-licensefile + when: + - input: "$(params.use-letsencrypt-certs)" + operator: in + values: ["true"] + retries: 3 + params: + - name: TLSCERT_SECRET_LOCATION + value: "$(params.tlscert-secret)" + - name: TLSCERT_SECRET_NAMESPACE + value: "$(params.tlscert-namespace)" + workspaces: + - name: ws + taskSpec: + workspaces: + - name: ws + params: + - name: TLSCERT_SECRET_LOCATION + - name: TLSCERT_SECRET_NAMESPACE + steps: + - name: get-tls-certs + image: quay.io/congxdev/ibm-pak-ubi:latest + script: | + ### this is the method to load certs to the mas installer + mkdir -p $(workspaces.ws.path)/masconfig/certs/core/ + wget -qO - https://letsencrypt.org/certs/lets-encrypt-r3.pem > $(workspaces.ws.path)/masconfig/certs/core/ca.crt + oc get secret $(params.TLSCERT_SECRET_LOCATION) -n $(params.TLSCERT_SECRET_NAMESPACE) -o 
jsonpath="{.data['tls\.key']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/core/tls.key + oc get secret $(params.TLSCERT_SECRET_LOCATION) -n $(params.TLSCERT_SECRET_NAMESPACE) -o jsonpath="{.data['tls\.crt']}" | base64 -d > $(workspaces.ws.path)/masconfig/certs/core/tls.crt + ls $(workspaces.ws.path)/masconfig/certs/core/ + cat $(workspaces.ws.path)/masconfig/certs/core/tls.key + cat $(workspaces.ws.path)/masconfig/certs/core/tls.crt + + # copy to app directories + echo "copying to app directories..." + mkdir -p $(workspaces.ws.path)/masconfig/certs/iot/ + mkdir -p $(workspaces.ws.path)/masconfig/certs/manage/ + mkdir -p $(workspaces.ws.path)/masconfig/certs/monitor/ + mkdir -p $(workspaces.ws.path)/masconfig/certs/add/ + mkdir -p $(workspaces.ws.path)/masconfig/certs/assist/ + mkdir -p $(workspaces.ws.path)/masconfig/certs/optimizer/ + mkdir -p $(workspaces.ws.path)/masconfig/certs/visualinspection/ + mkdir -p $(workspaces.ws.path)/masconfig/certs/predict/ + mkdir -p $(workspaces.ws.path)/masconfig/certs/aibroker/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/iot/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/manage/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/monitor/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/add/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/assist/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/optimizer/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/visualinspection/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/predict/ + cp $(workspaces.ws.path)/masconfig/certs/core/* $(workspaces.ws.path)/masconfig/certs/aibroker/ + + exit + - name: install-mas-core + when: + - input: "$(params.mas-install-core)" + 
operator: in + values: ["true"] + retries: 3 + timeout: "12h" + runAfter: + - get-tls-certs + - check-container-registry + workspaces: + - name: ws + params: + - name: mas-catalog-version + value: "$(params.mas-catalog-version)" + - name: mas-channel + value: "$(params.mas-channel)" + - name: mas-instance-id + value: "$(params.mas-instance-id)" + - name: mas-workspace-id + value: "$(params.mas-workspace-id)" + - name: mas-install-core + value: "$(params.mas-install-core)" + - name: uds-email + value: "$(params.uds-email)" + - name: uds-firstname + value: "$(params.uds-firstname)" + - name: uds-lastname + value: "$(params.uds-lastname)" + - name: rwo-storageclass + value: "$(params.rwo-storageclass)" + - name: rwx-storageclass + value: "$(params.rwx-storageclass)" + taskSpec: + workspaces: + - name: ws + params: + - name: mas-catalog-version + - name: mas-channel + - name: mas-instance-id + - name: mas-workspace-id + - name: uds-email + - name: uds-firstname + - name: uds-lastname + - name: rwo-storageclass + - name: rwx-storageclass + - name: mas-install-core + steps: + - name: run-mas-cli + image: quay.io/ibmmas/cli:latest + script: | + #!/usr/bin/env bash + # extract license id from license.dat + export SLS_LICENSE_ID=$(cat $(workspaces.ws.path)/license.dat | head -1 | cut -d ' ' -f3) + export SLS_LICENSE_FILE=$(workspaces.ws.path)/license.dat + + export IBM_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat) + export MAS_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat) + export MAS_INSTANCE_ID=$(params.mas-instance-id) + export MAS_ WORKSPACE_ID=$(params.mas-workspace-id) + export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig + export MAS_MANUAL_CERT_MGMT=True + export MAS_CATALOG_VERSION=$(params.mas-catalog-version) + export MAS_CHANNEL=$(params.mas-channel) + + export DRO_ACTION=install-dro + export DRO_CONTACT_EMAIL=$(params.uds-email) + export DRO_CONTACT_FIRSTNAME=$(params.uds-firstname) + export DRO_CONTACT_LASTNAME=$(params.uds-lastname) + + export 
PROMETHEUS_ALERTMGR_STORAGE_CLASS=$(params.rwx-storageclass) + export PROMETHEUS_STORAGE_CLASS=$(params.rwo-storageclass) + export PROMETHEUS_USERWORKLOAD_STORAGE_CLASS=$(params.rwo-storageclass) + export GRAFANA_INSTANCE_STORAGE_CLASS=$(params.rwo-storageclass) + export MONGODB_STORAGE_CLASS=$(params.rwo-storageclass) + export UDS_STORAGE_CLASS=$(params.rwo-storageclass) + export DRO_STORAGE_CLASS=$(params.rwo-storageclass) + + #check ai broker public cert + #cat ansible-devops/roles/suite_certs/defaults/main.yml + wget -qO - "https://raw.githubusercontent.com/zxue/ansible-devops/master/ibm/mas_devops/roles/suite_certs/defaults/main.yml" > ansible-devops/roles/suite_certs/defaults/main.yml + #cat ansible-devops/roles/suite_certs/defaults/main.yml + + ansible-playbook ibm.mas_devops.oneclick_core + + - name: install-manage + when: + - input: "$(params.mas-install-manage)" + operator: in + values: ["true"] + retries: 3 + timeout: "12h" + runAfter: + - install-mas-core + workspaces: + - name: ws + params: + - name: mas-catalog-version + value: "$(params.mas-catalog-version)" + - name: mas-cp4d-version + value: "$(params.mas-cp4d-version)" + - name: mas-channel + value: "$(params.mas-channel)" + - name: mas-instance-id + value: "$(params.mas-instance-id)" + - name: mas-workspace-id + value: "$(params.mas-workspace-id)" + - name: install-demo-data + value: "$(params.install-demo-data)" + - name: mas-cp4d-install-cognos + value: "$(params.mas-cp4d-install-cognos)" + - name: rwx-storageclass + value: "$(params.rwx-storageclass)" + - name: rwo-storageclass + value: "$(params.rwo-storageclass)" + - name: mas-appws-components + value: "$(params.mas-appws-components)" + taskSpec: + workspaces: + - name: ws + params: + - name: mas-instance-id + - name: mas-workspace-id + - name: mas-catalog-version + - name: mas-cp4d-version + - name: mas-channel + - name: install-demo-data + - name: mas-cp4d-install-cognos + - name: rwx-storageclass + - name: rwo-storageclass + - name: 
mas-appws-components + steps: + - name: run-mas-cli + image: quay.io/ibmmas/cli:latest + script: | + #!/usr/bin/env bash + export MAS_INSTANCE_ID=$(params.mas-instance-id) + export MAS_WORKSPACE_ID=$(params.mas-workspace-id) + export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig + export IBM_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat) + export MAS_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat) + export MAS_CONFIG_SCOPE=wsapp + export MAS_APPWS_BINDINGS_JDBC=workspace-application + export MAS_CATALOG_VERSION=$(params.mas-catalog-version) + export MAS_CHANNEL=$(params.mas-channel) + + export DB2_INSTANCE_NAME=db2wh-manage + export DB2_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat) + export DB2_DBNAME=BLUDB + export DB2_NODE_LABEL=db2wh + export DB2_META_STORAGE_CLASS=$(params.rwx-storageclass) + export DB2_META_STORAGE_SIZE=100Gi + export DB2_META_STORAGE_ACCESSMODE=ReadWriteMany + export DB2_DATA_STORAGE_CLASS=$(params.rwx-storageclass) + export DB2_DATA_STORAGE_SIZE=100Gi + export DB2_DATA_STORAGE_ACCESSMODE=ReadWriteOnce + export DB2_BACKUP_STORAGE_CLASS=$(params.rwx-storageclass) + export DB2_BACKUP_STORAGE_SIZE=100Gi + export DB2_BACKUP_STORAGE_ACCESSMODE=ReadWriteMany + export DB2_TEMP_STORAGE_CLASS=$(params.rwx-storageclass) + export DB2_TEMP_STORAGE_SIZE=50Gi + export DB2_TEMP_STORAGE_ACCESSMODE=ReadWriteOnce + #export DB2_CPU_REQUESTS=6000m + #export DB2_CPU_LIMITS=10000m + #export DB2_MEMORY_REQUESTS=10Gi + #export DB2_MEMORY_LIMITS=20Gi + + export MAS_APP_SETTINGS_PERSISTENT_VOLUMES_FLAG=true + export MAS_APP_SETTINGS_BASE_LANG=EN + export MAS_APP_SETTINGS_SECONDARY_LANGS='DE' + export MAS_APP_SETTINGS_SERVER_BUNDLES_SIZE=jms + export MAS_MANAGE_ATTACHMENTS_PROVIDER=filestorage + export MAS_APP_SETTINGS_ATTACHMENTS_MOUNT_PATH=/DOCLINKS + export MANAGE_AIO_FLAG=false + export MAS_APP_ID=manage + + export MAS_APPWS_COMPONENTS="$(params.mas-appws-components)" + + export MAS_APP_SETTINGS_DEMODATA=$(params.install-demo-data) + + export 
CPD_INSTALL_PLATFORM="true" + export CPD_INSTALL_COGNOS=$(params.mas-cp4d-install-cognos) + export CPD_PRODUCT_VERSION=$(params.mas-cp4d-version) + export CPD_PRIMARY_STORAGE_CLASS=$(params.rwx-storageclass) + export CPD_METADATA_STORAGE_CLASS=$(params.rwx-storageclass) + export CPD_SERVICE_STORAGE_CLASS=$(params.rwx-storageclass) + export CPD_SERVICE_BLOCK_STORAGE_CLASS=$(params.rwo-storageclass) + + ansible-playbook ibm.mas_devops.oneclick_add_manage + + - name: install-optimizer + when: + - input: "$(params.mas-install-optimizer)" + operator: in + values: ["true"] + retries: 3 + timeout: "12h" + runAfter: + - install-manage + workspaces: + - name: ws + params: + - name: mas-instance-id + value: "$(params.mas-instance-id)" + - name: mas-workspace-id + value: "$(params.mas-workspace-id)" + - name: mas-catalog-version + value: "$(params.mas-catalog-version)" + - name: mas-channel + value: "$(params.mas-channel)" + taskSpec: + workspaces: + - name: ws + params: + - name: mas-instance-id + - name: mas-workspace-id + - name: mas-catalog-version + - name: mas-channel + steps: + - name: run-mas-cli + image: quay.io/ibmmas/cli:latest + script: | + #!/usr/bin/env bash + export MAS_INSTANCE_ID=$(params.mas-instance-id) + export MAS_WORKSPACE_ID=$(params.mas-workspace-id) + export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig + export IBM_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat) + export DB2_ENTITLEMENT_KEY=$IBM_ENTITLEMENT_KEY + export MAS_CONFIG_SCOPE=system + export MAS_APPWS_BINDINGS_JDBC=system + export MAS_CATALOG_VERSION=$(params.mas-catalog-version) + export MAS_CHANNEL=$(params.mas-channel) + + ansible-playbook ibm.mas_devops.oneclick_add_optimizer + + - name: install-visualinspection + when: + - input: "$(params.mas-install-visualinspection)" + operator: in + values: ["true"] + retries: 3 + timeout: "12h" + runAfter: + - install-mas-core + workspaces: + - name: ws + params: + - name: mas-catalog-version + value: "$(params.mas-catalog-version)" + - 
name: mas-channel + value: "$(params.mas-channel)" + - name: mas-instance-id + value: "$(params.mas-instance-id)" + - name: mas-workspace-id + value: "$(params.mas-workspace-id)" + - name: rwx-storageclass + value: "$(params.rwx-storageclass)" + - name: rwo-storageclass + value: "$(params.rwo-storageclass)" + - name: uds-email + value: "$(params.uds-email)" + - name: uds-firstname + value: "$(params.uds-firstname)" + - name: uds-lastname + value: "$(params.uds-lastname)" + taskSpec: + workspaces: + - name: ws + params: + - name: mas-instance-id + - name: mas-workspace-id + - name: mas-catalog-version + - name: mas-channel + - name: rwx-storageclass + - name: rwo-storageclass + - name: uds-email + - name: uds-firstname + - name: uds-lastname + steps: + - name: run-mas-cli + image: quay.io/ibmmas/cli:latest + script: | + #!/usr/bin/env bash + export MAS_INSTANCE_ID=$(params.mas-instance-id) + export MAS_WORKSPACE_ID=$(params.mas-workspace-id) + export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig + export IBM_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat) + export MAS_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat) + export MAS_CONFIG_SCOPE=wsapp + export MAS_APPWS_BINDINGS_JDBC=workspace-application + export MAS_CATALOG_VERSION=$(params.mas-catalog-version) + export MAS_CHANNEL=$(params.mas-channel) + + export DRO_CONTACT_EMAIL=$(params.uds-email) + export DRO_CONTACT_FIRSTNAME=$(params.uds-firstname) + export DRO_CONTACT_LASTNAME=$(params.uds-lastname) + export DRO_NAMESPACE=ibm-dro + + export GPU_DRIVER_VERSION=565.57.01 + + ansible-playbook ibm.mas_devops.oneclick_add_visualinspection + + - name: install-iot + when: + - input: "$(params.mas-install-iot)" + operator: in + values: ["true"] + retries: 3 + timeout: "12h" + runAfter: + - install-mas-core + workspaces: + - name: ws + params: + - name: mas-catalog-version + value: "$(params.mas-catalog-version)" + - name: mas-channel + value: "$(params.mas-channel)" + - name: mas-instance-id + value: 
"$(params.mas-instance-id)" + - name: mas-workspace-id + value: "$(params.mas-workspace-id)" + - name: rwo-storageclass + value: "$(params.rwo-storageclass)" + taskSpec: + workspaces: + - name: ws + params: + - name: mas-catalog-version + - name: mas-channel + - name: mas-instance-id + - name: mas-workspace-id + - name: rwo-storageclass + steps: + - name: run-mas-cli + image: quay.io/ibmmas/cli:latest + script: | + #!/usr/bin/env bash + + export MAS_INSTANCE_ID=$(params.mas-instance-id) + export MAS_WORKSPACE_ID=$(params.mas-workspace-id) + export MAS_CONFIG_DIR=$(workspaces.ws.path)/masconfig + export IBM_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat) + export DB2_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat) + export MAS_CONFIG_SCOPE=system + export MAS_APPWS_BINDINGS_JDBC=system + export MAS_CATALOG_VERSION=$(params.mas-catalog-version) + export MAS_CHANNEL=$(params.mas-channel) + export DB2_INSTANCE_NAME="db2w-shared" + + export MAS_APP_SETTINGS_IOT_FPL_PVC_STORAGE_CLASS=$(params.rwo-storageclass) + + ansible-playbook ibm.mas_devops.oneclick_add_iot + - name: run-kafka-fix + when: + - input: "$(params.run-kafka-fix)" + operator: in + values: ["true"] + retries: 3 + timeout: "12h" + runAfter: + - install-mas-core + workspaces: + - name: ws + taskSpec: + workspaces: + - name: ws + steps: + - name: run-mas-cli + image: quay.io/ibmmas/cli:latest + script: | + #!/usr/bin/env bash + NAMESPACE="strimzi" + SUBSCRIPTION_NAME="strimzi-kafka-operator" + CSV_NAME="strimzi-cluster-operator.v0.46.0" + TARGET_CHANNEL="strimzi-0.45.x" + MAX_DURATION_SECONDS=$((40 * 60)) # 40 minutes + INTERVAL_SECONDS=5 + ELAPSED_SECONDS=0 + + echo "Starting subscription monitor for '$SUBSCRIPTION_NAME' in namespace '$NAMESPACE' (timeout: 40 minutes)..." 
+ + while [ $ELAPSED_SECONDS -lt $MAX_DURATION_SECONDS ]; do + if oc get subscriptions.operators.coreos.com "$SUBSCRIPTION_NAME" -n "$NAMESPACE" > /dev/null 2>&1; then + CURRENT_CHANNEL=$(oc get subscriptions.operators.coreos.com "$SUBSCRIPTION_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.channel}") + + echo "[$(date +'%H:%M:%S')] Subscription found. Current channel: $CURRENT_CHANNEL" + + if [ "$CURRENT_CHANNEL" == "stable" ]; then + echo "Subscription is using 'stable' channel. Deleting subscription and operator..." + + # Delete the Subscription + oc delete subscriptions.operators.coreos.com "$SUBSCRIPTION_NAME" -n "$NAMESPACE" + echo "Waiting 5 minutes for the CSV." + sleep 3m + # Delete the Operator CSV (find the installed CSV for this operator) + + if [ -n "$CSV_NAME" ]; then + echo "Deleting ClusterServiceVersion '$CSV_NAME'..." + oc delete csv "$CSV_NAME" -n "$NAMESPACE" + else + echo "No ClusterServiceVersion found for operator '$SUBSCRIPTION_NAME'." + fi + + # Wait until both are deleted + echo "Waiting for subscription deletion..." + while oc get subscriptions.operators.coreos.com "$SUBSCRIPTION_NAME" -n "$NAMESPACE" > /dev/null 2>&1; do + sleep 2 + done + + if [ -n "$CSV_NAME" ]; then + echo "Waiting for operator (CSV) deletion..." + while oc get csv "$CSV_NAME" -n "$NAMESPACE" > /dev/null 2>&1; do + sleep 2 + done + fi + + echo "Subscription and Operator deleted." + + # Recreate the Subscription with target channel + echo "Recreating subscription with channel '$TARGET_CHANNEL'..." 
+ cat < $(workspaces.ws.path)/masconfig/minio/kustomization.yaml + wget -qO - "$MINIO_FOLDER"minio.yaml > $(workspaces.ws.path)/masconfig/minio/minio.yaml + wget -qO - "$MINIO_FOLDER"pvc.yaml > $(workspaces.ws.path)/masconfig/minio/pvc.yaml + + wget -qO - "$MARIADB_FOLDER"mariadb-deploy.sh > $(workspaces.ws.path)/masconfig/mariadb/mariadb-deploy.sh + wget -qO - "$MARIADB_FOLDER"mariadb-deployment.yml > $(workspaces.ws.path)/masconfig/mariadb/mariadb-deployment.yml + wget -qO - "$MARIADB_FOLDER"mariadb-np.yml > $(workspaces.ws.path)/masconfig/mariadb/mariadb-np.yml + wget -qO - "$MARIADB_FOLDER"mariadb-ns.yml > $(workspaces.ws.path)/masconfig/mariadb/mariadb-ns.yml + wget -qO - "$MARIADB_FOLDER"mariadb-pvc.yml > $(workspaces.ws.path)/masconfig/mariadb/mariadb-pvc.yml + wget -qO - "$MARIADB_FOLDER"mariadb-sa.yml > $(workspaces.ws.path)/masconfig/mariadb/mariadb-sa.yml + wget -qO - "$MARIADB_FOLDER"mariadb-secret.yml > $(workspaces.ws.path)/masconfig/mariadb/mariadb-secret.yml + wget -qO - "$MARIADB_FOLDER"mariadb-service.yml > $(workspaces.ws.path)/masconfig/mariadb/mariadb-service.yml + + # run oc command lines to create minio storage and mariadb + cd $(workspaces.ws.path)/masconfig + chmod 777 $(workspaces.ws.path)/masconfig/mariadb/mariadb-deploy.sh + oc apply -k minio + ./mariadb/mariadb-deploy.sh + + # ARTIFACTORY credentials to access dev images. (This section will be optional once the images are publicly available.) 
+ export ARTIFACTORY_USERNAME=$(params.artifactory_username) + export ARTIFACTORY_TOKEN=$(params.artifactory_token) + export MAS_ICR_CP="docker-na-public.artifactory.swg-devops.com/wiotp-docker-local" + export MAS_ICR_CPOPEN="docker-na-public.artifactory.swg-devops.com/wiotp-docker-local/cpopen" + + #MAS + export MAS_INSTANCE_ID=$(params.mas-instance-id) + export MAS_ENTITLEMENT_USERNAME=$(params.uds-email) + export MAS_ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat) + + # MINIO + export MAS_AIBROKER_STORAGE_ACCESSKEY="minio123" + export MAS_AIBROKER_STORAGE_SECRETKEY="minio123" + export MAS_AIBROKER_STORAGE_SSL="false" + export MAS_AIBROKER_STORAGE_PROVIDER="minio" + #export MAS_AIBROKER_STORAGE_REGION="storage provider region" + export MAS_AIBROKER_STORAGE_PORT="9000" + export MAS_AIBROKER_STORAGE_HOST="minio-service.minio.svc.cluster.local" + export MAS_AIBROKER_STORAGE_PIPELINES_BUCKET="km-pipelines" + export MAS_AIBROKER_STORAGE_TENANTS_BUCKET="km-tenants" + export MAS_AIBROKER_STORAGE_TEMPLATES_BUCKET="km-templates" + + # WATSONX AI + export MAS_AIBROKER_WATSONXAI_APIKEY=$(params.mas_airbroker_watsonxai_apikey) + export MAS_AIBROKER_WATSONXAI_URL=$(params.mas_airbroker_watsonxai_url) + export MAS_AIBROKER_WATSONXAI_PROJECT_ID=$(params.mas_airbroker_watsonxai_project_id) + export MAS_AIBROKER_CHANNEL=$(params.mas_aibroker_channel) + + # database + export MAS_AIBROKER_DB_HOST="mariadb-instance.mariadb.svc.cluster.local" + export MAS_AIBROKER_DB_PORT="3306" + export MAS_AIBROKER_DB_USER="mariadb" + export MAS_AIBROKER_DB_DATABASE="kmpipeline" + export MAS_AIBROKER_DB_SECRET_NAME="ds-pipeline-db-instance" + export MAS_AIBROKER_DB_SECRET_VALUE="mariadb" + + ansible-playbook ibm.mas_devops.oneclick_add_aibroker \ No newline at end of file diff --git a/9.0.x/sample deployer params/mas-params-ocpv-core.json b/9.0.x/sample deployer params/mas-params-ocpv-core.json new file mode 100644 index 0000000..516af3a --- /dev/null 
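Review bot: The `copy-entitlement-key-to-ws` step prints the entitlement key to the step log before writing `ek.dat` (`echo $(tasks.get-ibm-entitlement-key.results.secret-value)` and `echo $(params.ibm-entitlement-key)`), and `get-tls-certs` and `write-maximo-licensefile` do the same with `cat $(workspaces.ws.path)/masconfig/certs/core/tls.key` and `cat $(workspaces.ws.path)/license.dat`, so anyone who can read the TaskRun logs obtains the key, the TLS private key and the license. Those `echo`/`cat` lines should be dropped; the existing `echo "ek.dat created"` and the `ls` of the certs directory are enough as progress markers. The same scripts substitute `$(params.…)` straight into the shell text, and `[ $(params.ibm-entitlement-key) == "false" ]` is unquoted, so a value containing spaces or shell metacharacters changes the command; passing the params through the step's `env:` and testing `"$IBM_ENTITLEMENT_KEY"` would avoid that. Separately, `install-mas-core` overwrites `ansible-devops/roles/suite_certs/defaults/main.yml` with a file fetched from the `master` branch of a personal fork and applies it unchecked; pinning the URL to a commit and verifying a digest before `ansible-playbook` runs would keep that input fixed.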
+++ b/9.0.x/sample deployer params/mas-params-ocpv-core.json @@ -0,0 +1,30 @@ +{ + "deployer": { + "package": "deployer-mas-9.0-v2", + "params": { + "rwx-storageclass": "ocs-external-storagecluster-cephfs", + "rwo-storageclass": "ocs-external-storagecluster-cephfs", + "use-letsencrypt-certs": "true", + "mas-catalog-version": "v9-250306-amd64", + "tlscert-secret": "user-serving-cert-000", + "tlscert-namespace": "openshift-kube-apiserver", + "mas-install-core": "true" + } + }, + "certs": { + "SAN": [ + "*.inst1.apps", + "*.home.inst1.apps", + "*.iot.inst1.apps", + "*.messaging.iot.inst1.apps", + "*.edgeconfig.iot.inst1.apps", + "*.edgeconfigapi.iot.inst1.apps", + "*.monitor.inst1.apps", + "*.api.monitor.inst1.apps", + "*.manage.inst1.apps", + "*.health.inst1.apps", + "*.optimizer.inst1.apps", + "*.api.optimizer.inst1.apps" + ] + } +} \ No newline at end of file diff --git a/9.0.x/sample deployer params/mas-params-ocpv-manage-full.json b/9.0.x/sample deployer params/mas-params-ocpv-manage-full.json new file mode 100644 index 0000000..aced671 --- /dev/null +++ b/9.0.x/sample deployer params/mas-params-ocpv-manage-full.json 
@@ -0,0 +1,34 @@ +{ + "deployer": { + "package": "deployer-mas-9.0-v3", + "params": { + "rwx-storageclass": "ocs-external-storagecluster-cephfs", + "rwo-storageclass": "ocs-external-storagecluster-cephfs", + "use-letsencrypt-certs": "true", + "mas-catalog-version": "v9-250501-amd64", + "tlscert-secret": "user-serving-cert-000", + "tlscert-namespace": "openshift-kube-apiserver", + "mas-install-core": "true", + "mas-install-manage": "true", + "mas-install-demo-data": "true", + "mas-install-optimizer": "true", + "mas-appws-components": "base=latest,health=latest,spatial=latest,strategize=latest,utilities=latest,transportation=latest,serviceprovider=latest,hse=latest" + } + }, + "certs": { + "SAN": [ + "*.inst1.apps", + "*.home.inst1.apps", + "*.iot.inst1.apps", + "*.messaging.iot.inst1.apps", + "*.edgeconfig.iot.inst1.apps", + "*.edgeconfigapi.iot.inst1.apps", + "*.monitor.inst1.apps", + "*.api.monitor.inst1.apps", + "*.manage.inst1.apps", + "*.health.inst1.apps", + "*.optimizer.inst1.apps", + "*.api.optimizer.inst1.apps" + ] + } +} \ No newline at end of file diff --git a/9.0.x/sample deployer params/mas-params-ocpv-manage.json b/9.0.x/sample deployer params/mas-params-ocpv-manage.json new file mode 100644 index 0000000..647a87d --- /dev/null +++ b/9.0.x/sample deployer params/mas-params-ocpv-manage.json 
@@ -0,0 +1,33 @@ +{ + "deployer": { + "package": "deployer-mas-9.0-v3", + "params": { + "rwx-storageclass": "ocs-external-storagecluster-cephfs", + "rwo-storageclass": "ocs-external-storagecluster-cephfs", + "use-letsencrypt-certs": "true", + "mas-catalog-version": "v9-250501-amd64", + "tlscert-secret": "user-serving-cert-000", + "tlscert-namespace": "openshift-kube-apiserver", + "mas-install-core": "true", + "mas-install-manage": "true", + "mas-install-demo-data": "true", + "mas-appws-components": "base=latest,health=latest,spatial=latest,strategize=latest,utilities=latest,transportation=latest,serviceprovider=latest,hse=latest" + } + }, + "certs": { + "SAN": [ + "*.inst1.apps", + "*.home.inst1.apps", + "*.iot.inst1.apps", + "*.messaging.iot.inst1.apps", + "*.edgeconfig.iot.inst1.apps", + "*.edgeconfigapi.iot.inst1.apps", + "*.monitor.inst1.apps", + "*.api.monitor.inst1.apps", + "*.manage.inst1.apps", + "*.health.inst1.apps", + "*.optimizer.inst1.apps", + "*.api.optimizer.inst1.apps" + ] + } +} \ No newline at end of file diff --git a/README.md b/README.md index 1c1abad..6402efc 100644 --- a/README.md +++ b/README.md 
@@ -1,40 +1,70 @@ -# Notice +# Techzone Deployer for the Maximo Application Suite -This repo will be deprecated in favor of a cli driven pipeline at https://github.com/cloud-native-toolkit/deployer-mas-cli +This repository contains a Tekton pipelines to deploy Maximo using [mas-ansible](https://ibm-mas.github.io/ansible-devops/). +## Pre-requisites +### Deployer Cluster -# Techzone Deployer for the Maximo Operator +An IBM Technology Zone `deployer` cluster is assumed to be configured with an appropriate Red Hat OpenShift version for the Maximo version you wish to deploy, with appropriate sizing. Refer to [Maximo Product Documentation](https://www.ibm.com/docs/en/mas-cd/continuous-delivery?topic=planning) for more information. -This repository contains a Tekton pipelines to deploy the [Maximo Operator](https://github.com/cloud-native-toolkit/operator-masauto) that packages [mas-ansible](https://ibm-mas.github.io/ansible-devops/). +A deployer cluster can be created by installing the Deployer Operator from TechZone -## Pre-requisites -An IBM Technology Zone `deployer` cluster is assumed to be configured with an appropriate Red Hat OpenShift version for the Maximo version you wish to deploy, with appropriate sizing. Refer to [Maximo Product Documentation](https://www.ibm.com/docs/en/mas-cd/continuous-delivery?topic=planning) for more information. +### Entitlement key -A `deployer` cluster is configured with the following items: +If deploying on TechZone the entitlement key is provided from the TechZone Secrets Repo. If deploying in a non-techzone cluster you will need to provide an entitlement key for the pipelinerun. -- ExternalSecrets operator deployed with a ClusterSecretStore configured. The remote ExternalSecrets secret store must include an IBM Entitlement Key. -- Techzone Deployer Tekton tasks deployed ([deploy YAML](https://github.com/cloud-native-toolkit/deployer-tekton-tasks/blob/main/argocd.yaml)). 
-- OpenShift GitOps configured with [One Touch Provisioning ArgoCD instance](https://github.com/one-touch-provisioning/otp-gitops), and any relevant RBAC rules. -- OpenShift Pipelines operator deployed. -- deployer pipelines tasks and cluster tasks +Documentation for obtaining an entitlement key here: https://www.ibm.com/docs/en/cloud-paks/1.0?topic=clusters-obtaining-your-entitlement-key -## Pipelines organisation +### Maximo License + +To activate Maximo you will need a valid license key which is a text file that contains software authorizations and entitlements. This pipeline in order to run automatically will need this file to be base64 encoded and saved in a kubernetes secret. + +1. save the license file to a file locally such as license.dat. +2. Use a tool to base64 encode the file such as " + +``` +cat license.dat | base64 > license.dat.b64 +``` + +3. copy the output into an OpenShift secret in the default namespace + +``` +oc create secret generic maximolicense --from-file=licensefile=license.dat.b64 -n default +``` + +remember the name of the secret for the pipeline run. ( in the example above "maximolicense" is the name) -Maximo is deployed with a Tekton Pipeline that is defined in maximo-pipeline.yaml +## Pipelines organisation + +Maximo is deployed with a Tekton Pipeline that is defined in pipeline.yaml -## Tasks +the pipeline runs the MAS DevOps playbooks and can be modified or extended using other roles and playbooks. 
-Currently uses oc client, git clone, and helm-update-from-source from tekton hub +Consult the documentation for MAS DevOps [here](https://ibm-mas.github.io/ansible-devops/) ## Usage + ### +switch to version directory of choice and run these commands ``` -oc apply -f maximo-pipeline.yaml - -tkn pipeline start mas-core-deploy --pod-template pod-template.yaml -w name=shared-workspace,volumeClaimTemplateFile=workspace-template.yaml +oc apply -f pipeline.yaml +oc create -f pipeline-run.yaml ``` + +# Known Issues + +## Time to install + +In testing we have seen the pipeline take from 2-6 hours to progress from installation of operators to active instances of the software. please be patient. + +The pipeline is fully idempotent and can be restarted as needed. + + +## TLS certs + +the pipeline looks for a lets-encrypt cert previously generated by upstream automation and if found uses this cert for maximo public routes. This cert may not have all maximo paths enabled by default. If you encounter a non-trusted certificate you may have to open the path in a separate browser window and accept the cert. \ No newline at end of file diff --git a/deploy.sh b/deploy.sh deleted file mode 100644 index c0919cb..0000000 --- a/deploy.sh +++ /dev/null 
@@ -1,14 +0,0 @@ -#!/bin/bash - -#prerequisites -# openshift pipelines installed -# deployer cluster tasks -# OpenShift client - oc -# tekton client - tkn -oc apply -f https://raw.githubusercontent.com/cloud-native-toolkit/deployer-operator-masauto/main/maximo-pipeline.yaml -sleep 20 -oc apply -f https://raw.githubusercontent.com/cloud-native-toolkit/deployer-operator-masauto/main/maximo-pipeline-run.yaml -#tkn pipeline start mas-core-deploy \ -# $PARAM_STRING \ -# --pod-template https://raw.githubusercontent.com/cloud-native-toolkit/deployer-operator-masauto/main/pod-template.yaml \ -# -w name=shared-workspace,volumeClaimTemplateFile=https://raw.githubusercontent.com/cloud-native-toolkit/deployer-operator-masauto/main/workspace-template.yaml diff --git a/maximo-pipeline.yaml b/maximo-pipeline.yaml deleted file mode 100644 index ffe105b..0000000 --- a/maximo-pipeline.yaml +++ /dev/null @@ -1,186 +0,0 @@ ---- -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: mas-core-deploy - namespace: default -spec: - workspaces: - - name: shared-workspace - params: - - name: namespace - type: string - default: "masauto-operator-system" - - name: operatorGroup - type: string - default: "masauto-operator-system-operator-group" - tasks: - - name: add-namespace - TaskRef: - kind: Task - name: ibm-pak - params: - - name: SCRIPT - value: | - oc apply -f - <- - https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud - - name: add-entitlement-key - taskRef: - kind: Task - name: ibm-pak - runAfter: - - get-ibm-entitlement-key - params: - - name: SCRIPT - value: | - oc apply -f - </dev/null - - diff --git a/pod-template.yaml b/pod-template.yaml deleted file mode 100644 index ebb9a5d..0000000 --- a/pod-template.yaml +++ /dev/null @@ -1,3 +0,0 @@ ---- -securityContext: - fsGroup: 65532 \ No newline at end of file diff --git a/scripts/deploy.sh b/scripts/deploy.sh new file mode 100644 index 0000000..0f58f25 --- /dev/null +++ b/scripts/deploy.sh 
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+#prerequisites
+# openshift pipelines installed
+# deployer cluster tasks
+# OpenShift client - oc
+oc apply -f https://raw.githubusercontent.com/cloud-native-toolkit/deployer-mas-cli/v0.27/8.11.x/pipeline.yaml
+sleep 20
+oc create -f https://raw.githubusercontent.com/cloud-native-toolkit/deployer-mas-cli/v0.27/8.11.x/pipeline-run.yaml
diff --git a/workspace-template.yaml b/workspace-template.yaml
deleted file mode 100644
index 54dccc4..0000000
--- a/workspace-template.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 1Gi
\ No newline at end of file
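Review bot: Both `oc` commands in scripts/deploy.sh apply manifests fetched from raw.githubusercontent.com at the `v0.27` tag. A Git tag can be moved, so whatever it points at when the script runs is applied with the caller's cluster credentials and without any integrity check. Pinning both URLs to a full commit SHA (`…/deployer-mas-cli/<commit-sha>/8.11.x/pipeline.yaml`), or applying from a reviewed local checkout, would fix the content being deployed. The script also lacks `set -euo pipefail` after the shebang, so a failed `oc apply` still falls through to `sleep 20` and `oc create`.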