diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 49054719a..c2ae59ef7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -137,7 +137,7 @@ jobs: vagrant ssh quadlet -- sudo systemctl restart fapolicyd - name: Run image pull run: | - ./foremanctl pull-images + ./foremanctl pull-images ${{ matrix.database == 'external' && '--database-mode=external' || '' }} - name: Run deployment run: | ./foremanctl deploy \ diff --git a/docs/developer/deployment.md b/docs/developer/deployment.md index 263305de2..92d834e48 100644 --- a/docs/developer/deployment.md +++ b/docs/developer/deployment.md 
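Review bot: The `Run image pull` step now interpolates `${{ matrix.database == 'external' && '--database-mode=external' || '' }}` straight into a `run:` shell script. Here the value is a workflow-defined matrix literal, so there is no injection risk, but expression-in-`run` is the pattern actionlint and CodeQL flag and it makes the script differ per matrix cell. I would move the expression into the step's `env:` (`DB_MODE_FLAG: ${{ matrix.database == 'external' && '--database-mode=external' || '' }}`) and keep the script static as `./foremanctl pull-images $DB_MODE_FLAG`, which also keeps the empty-string case working through normal word splitting.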
@@ -52,23 +52,119 @@ IOP (Insights Operating Platform) deploys on-premise Insights services for advis See [IOP Architecture](iop.md) for details on the services deployed and configuration options. -### Authenticated Registry Handling +### Image Management -If you need to pull images from private or authenticated container registries, you can configure registry authentication using Podman's auth file. +foremanctl uses Podman quadlet `.image` units to separate image sourcing from container definitions. Each unique container image (foreman, candlepin, pulp, etc.) gets a corresponding `.image` file deployed to `/etc/containers/systemd/`. Container roles reference these by name rather than by full image URL: -#### Setting up Registry Authentication +```ini +# /etc/containers/systemd/foreman.image +[Image] +Image=quay.io/foreman/foreman:nightly +``` -1. **Login to your registry** using Podman and save credentials to the default auth file location: -```bash -podman login --authfile=/etc/foreman/registry-auth.json +```ini +# /etc/containers/systemd/foreman.container (excerpt) +[Container] +Image=foreman.image ``` -2. **Deploy as usual** - foremanctl will automatically detect and use the authentication file: -```bash -./foremanctl deploy +All containers that share a base image (e.g., foreman, dynflow-sidekiq, foreman-recurring) reference the same `.image` unit. systemd ensures the image is pulled before any dependent container starts. + +#### Image Overrides via Drop-ins + +foremanctl uses quadlet's native drop-in mechanism for image overrides. Each `.image` file has a corresponding `.image.d/` directory. Drop-in `.conf` files placed there are merged on top of the base in lexicographic order — last wins. 
+ +The quadlet generator reads from two directory tiers, with `/etc/` taking precedence over `/usr/share/`: + +``` +/usr/share/containers/systemd/ + foreman.image.d/ + 10-product.conf # vendor/RPM layer + 20-archive.conf # ISO/archive layer + +/etc/containers/systemd/ + foreman.image # base, always generated by foremanctl + foreman.image.d/ + 90-user.conf # user override layer ``` -This approach integrates seamlessly with both the happy path and advanced deployment paths described above. The authentication is handled transparently during image pulling operations. +Precedence (last wins): + +1. `foreman.image` — foremanctl default from `images.yml` +2. `10-product.conf` — vendor/RPM provided +3. `20-archive.conf` — ISO or archive extraction provided +4. `90-user.conf` — user provided (highest priority) + +#### Use Cases + +##### Upstream default (no user action) + +foremanctl generates `.image` files from its built-in `images.yml`: + +```ini +# /etc/containers/systemd/foreman.image (generated by foremanctl) +[Image] +Image=quay.io/foreman/foreman:nightly +``` + +##### RPM-provided images + +A product RPM ships numbered drop-ins to `/usr/share/containers/systemd/` pointing at the product registry. 
No user action required beyond installing the RPM: + +```ini +# /usr/share/containers/systemd/foreman.image.d/10-product.conf (from RPM) +[Image] +Image=registry.example.com/org/foreman:6.17 +AuthFile=/etc/foreman/registry-auth.json +``` + +##### Disconnected install from ISO + +The ISO extraction adds a higher-numbered drop-in alongside the RPM layer, redirecting pulls to local archives: + +```ini +# /usr/share/containers/systemd/foreman.image.d/20-archive.conf (from ISO) +[Image] +Image=docker-archive:/opt/foreman/images/foreman-6.17.tar +``` + +##### User's own registry + +For redirecting all images to a private registry that mirrors upstream image names, use a `registries.conf.d` entry — one file covers all images: + +```ini +# /etc/containers/registries.conf.d/50-foremanctl-mirror.conf +[[registry]] +prefix = "quay.io/theforeman" +location = "katello.example.com/Default_Organization" +``` + +If image names or tags differ from upstream, use per-image drop-ins instead: + +```ini +# /etc/containers/systemd/foreman.image.d/90-user.conf +[Image] +Image=katello.example.com/Default_Organization/foreman:6.17 +AuthFile=/etc/foreman/registry-auth.json +``` + +##### Developer testing a container build + +The developer creates a `90-user.conf` drop-in for the image under test. All other images are unaffected: + +```ini +# /etc/containers/systemd/foreman.image.d/90-user.conf +[Image] +Image=quay.io/foreman/foreman:pr-12345 +``` + +#### Authenticated Registry Handling + +foremanctl configures all image units to use `/etc/foreman/registry-auth.json` as the credential file. When pulling images from an authenticated registry, log in once before deploying: + +```bash +podman login --authfile=/etc/foreman/registry-auth.json +``` ## Deployer Stages 
@@ -81,7 +177,7 @@ Some of the stages will be made available to the user to run independently. a. system requirements b. tuning requirements c. certificate requirements - 4. Place `.container` files + 4. Place `.image` and `.container` files 5. Create podman secrets 6. Reload systemd 7. (re)start services @@ -103,7 +199,9 @@ When the user provides parameters to alter the deployment, the deployment utilit ## Container changes (Upgrades) -When the running containers change because the stream was changed in the configuration, the deployment utility will pull the new images and use the new images when starting services. +When the running containers change because the stream was changed in the configuration, the deployment utility regenerates `.image` units with the new image references and restarts services to pull and use the updated images. + +User drop-in overrides in `.image.d/90-user.conf` take precedence over the base `.image` values — if a user-provided drop-in pins a specific tag, it will not be changed by an upgrade. As there is currently no way for the deployment utility to verify which image version is used by a running service, the user is advised to stop all services before performing an upgrade. diff --git a/src/playbooks/pull-images/pull-images.yaml b/src/playbooks/pull-images/pull-images.yaml index 3eb4e74d2..62239acff 100644 --- a/src/playbooks/pull-images/pull-images.yaml +++ b/src/playbooks/pull-images/pull-images.yaml 
@@ -11,27 +11,49 @@ roles: - role: pre_install post_tasks: - - name: Pull an image - containers.podman.podman_image: + - name: Deploy core image units + ansible.builtin.include_role: name: "{{ item }}" - environment: - REGISTRY_AUTH_FILE: "{{ registry_auth_file }}" - loop: "{{ images }}" + tasks_from: image.yaml + loop: + - foreman + - candlepin + - pulp + - redis - - name: Pull foreman_proxy images - containers.podman.podman_image: - name: "{{ item }}" - environment: - REGISTRY_AUTH_FILE: "{{ registry_auth_file }}" - loop: "{{ foreman_proxy_images }}" - when: - - "'foreman-proxy' in enabled_features" + - name: Deploy database image units + ansible.builtin.include_role: + name: postgresql + tasks_from: image.yaml + when: database_mode == 'internal' + + - name: Deploy proxy image units + ansible.builtin.include_role: + name: foreman_proxy + tasks_from: image.yaml + when: "'foreman-proxy' in enabled_features" - - name: Pull database images - containers.podman.podman_image: + - name: Deploy IOP image units + ansible.builtin.include_role: name: "{{ item }}" - environment: - REGISTRY_AUTH_FILE: "{{ registry_auth_file }}" - loop: "{{ database_images }}" - when: - - database_mode == 'internal' + tasks_from: image.yaml + loop: + - iop_kafka + - iop_ingress + - iop_puptoo + - iop_yuptoo + - iop_engine + - iop_gateway + - iop_inventory + - iop_advisor + - iop_remediation + - iop_vmaas + - iop_vulnerability + - iop_advisor_frontend + - iop_inventory_frontend + - iop_vulnerability_frontend + when: "'iop' in enabled_features" + + - name: Run daemon reload + ansible.builtin.systemd: + daemon_reload: true diff --git a/src/roles/candlepin/defaults/main.yml b/src/roles/candlepin/defaults/main.yml index a0a8b15b4..716dc6887 100644 --- a/src/roles/candlepin/defaults/main.yml +++ b/src/roles/candlepin/defaults/main.yml 
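Review bot: After this change the `pull-images` playbook no longer pulls anything: its post_tasks write `.image` units and run a daemon reload, but never start the generated `<name>-image.service` units, so the registry pull (and any credential or connectivity failure) now happens when the first dependent container starts rather than in the CI "Run image pull" step. If the step is meant to fail fast, add a task after `Run daemon reload` that starts each deployed image service, e.g. `ansible.builtin.systemd:` with `name: "{{ item }}-image.service"` and `state: started` looped over the unit names, as the two frontend roles in this commit already do; otherwise the command and playbook name should say that they only stage units. The loops also replace the previous `images`, `foreman_proxy_images` and `database_images` variables with hard-coded role lists; I cannot see whether anything overrode those variables, but it is a user-visible behavior change that deserves a changelog note.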
@@ -14,7 +14,6 @@ candlepin_ciphers: - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 candlepin_container_image: quay.io/foreman/candlepin candlepin_container_tag: "4.4.14" -candlepin_registry_auth_file: /etc/foreman/registry-auth.json candlepin_database_host: localhost candlepin_database_port: 5432 diff --git a/src/roles/candlepin/tasks/image.yaml b/src/roles/candlepin/tasks/image.yaml new file mode 100644 index 000000000..92eda8277 --- /dev/null +++ b/src/roles/candlepin/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy candlepin image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: candlepin + image: "{{ candlepin_container_image }}:{{ candlepin_container_tag }}" diff --git a/src/roles/candlepin/tasks/main.yml b/src/roles/candlepin/tasks/main.yml index 3d8b4b518..b66a99986 100644 --- a/src/roles/candlepin/tasks/main.yml +++ b/src/roles/candlepin/tasks/main.yml @@ -1,4 +1,7 @@ --- +- name: Deploy candlepin image + ansible.builtin.include_tasks: image.yaml + - name: Create log directories ansible.builtin.file: path: "{{ item }}" @@ -55,17 +58,10 @@ notify: - Restart candlepin -- name: Pull the Candlepin container image - containers.podman.podman_image: - name: "{{ candlepin_container_image }}:{{ candlepin_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ candlepin_registry_auth_file }}" - - name: Deploy Candlepin quadlet containers.podman.podman_container: name: "candlepin" - image: "{{ candlepin_container_image }}:{{ candlepin_container_tag }}" + image: candlepin.image state: quadlet network: host hostname: "{{ ansible_facts['hostname'] }}.local" diff --git a/src/roles/foreman/defaults/main.yaml b/src/roles/foreman/defaults/main.yaml index fad6b1161..c15d41a37 100644 --- a/src/roles/foreman/defaults/main.yaml +++ b/src/roles/foreman/defaults/main.yaml 
@@ -1,7 +1,6 @@ --- foreman_container_image: "quay.io/foreman/foreman" foreman_container_tag: "nightly" -foreman_registry_auth_file: /etc/foreman/registry-auth.json foreman_database_name: foreman foreman_database_user: foreman diff --git a/src/roles/foreman/tasks/image.yaml b/src/roles/foreman/tasks/image.yaml new file mode 100644 index 000000000..77217905d --- /dev/null +++ b/src/roles/foreman/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy foreman image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: foreman + image: "{{ foreman_container_image }}:{{ foreman_container_tag }}" diff --git a/src/roles/foreman/tasks/main.yaml b/src/roles/foreman/tasks/main.yaml index f08ac17f9..bc6ede04e 100644 --- a/src/roles/foreman/tasks/main.yaml +++ b/src/roles/foreman/tasks/main.yaml @@ -1,10 +1,6 @@ --- -- name: Pull the Foreman container image - containers.podman.podman_image: - name: "{{ foreman_container_image }}:{{ foreman_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ foreman_registry_auth_file }}" +- name: Deploy foreman image + ansible.builtin.include_tasks: image.yaml - name: Create secret for DATABASE_URL containers.podman.podman_secret: @@ -98,7 +94,7 @@ - name: Deploy Foreman Container containers.podman.podman_container: name: "foreman" - image: "{{ foreman_container_image }}:{{ foreman_container_tag }}" + image: foreman.image state: quadlet sdnotify: true network: host @@ -136,7 +132,7 @@ containers.podman.podman_container: name: "dynflow-sidekiq-%i" quadlet_filename: "dynflow-sidekiq@" - image: "{{ foreman_container_image }}:{{ foreman_container_tag }}" + image: foreman.image state: quadlet sdnotify: true network: host 
@@ -191,7 +187,7 @@ name: "foreman-recurring-{{ item.instance }}" quadlet_filename: "foreman-recurring@{{ item.instance }}" state: quadlet - image: "{{ foreman_container_image }}:{{ foreman_container_tag }}" + image: foreman.image sdnotify: false network: host hostname: "{{ ansible_facts['hostname'] }}.local" diff --git a/src/roles/foreman_proxy/defaults/main.yaml b/src/roles/foreman_proxy/defaults/main.yaml index cb62496ac..4791507b1 100644 --- a/src/roles/foreman_proxy/defaults/main.yaml +++ b/src/roles/foreman_proxy/defaults/main.yaml @@ -1,7 +1,6 @@ --- foreman_proxy_container_image: "quay.io/foreman/foreman-proxy" foreman_proxy_container_tag: "nightly" -foreman_proxy_registry_auth_file: /etc/foreman/registry-auth.json foreman_proxy_name: "{{ ansible_facts['fqdn'] }}" foreman_proxy_https_port: 8443 diff --git a/src/roles/foreman_proxy/tasks/image.yaml b/src/roles/foreman_proxy/tasks/image.yaml new file mode 100644 index 000000000..73aab8df6 --- /dev/null +++ b/src/roles/foreman_proxy/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy foreman-proxy image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: foreman-proxy + image: "{{ foreman_proxy_container_image }}:{{ foreman_proxy_container_tag }}" diff --git a/src/roles/foreman_proxy/tasks/main.yaml b/src/roles/foreman_proxy/tasks/main.yaml index fa36f7f26..8033c9457 100644 --- a/src/roles/foreman_proxy/tasks/main.yaml +++ b/src/roles/foreman_proxy/tasks/main.yaml @@ -1,10 +1,6 @@ --- -- name: Pull the Foreman Proxy container image - containers.podman.podman_image: - name: "{{ foreman_proxy_container_image }}:{{ foreman_proxy_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ foreman_proxy_registry_auth_file }}" +- name: Deploy foreman-proxy image + ansible.builtin.include_tasks: image.yaml - name: Create config secrets ansible.builtin.include_tasks: configs.yaml 
@@ -15,7 +11,7 @@ - name: Deploy Foreman Proxy Container containers.podman.podman_container: name: "foreman-proxy" - image: "{{ foreman_proxy_container_image }}:{{ foreman_proxy_container_tag }}" + image: foreman-proxy.image state: quadlet sdnotify: true network: host diff --git a/src/roles/images/defaults/main.yaml b/src/roles/images/defaults/main.yaml new file mode 100644 index 000000000..761cf4eda --- /dev/null +++ b/src/roles/images/defaults/main.yaml @@ -0,0 +1,3 @@ +--- +images_quadlet_dir: /etc/containers/systemd +images_registry_auth_file: /etc/foreman/registry-auth.json diff --git a/src/roles/images/tasks/deploy_image.yaml b/src/roles/images/tasks/deploy_image.yaml new file mode 100644 index 000000000..dcd9ea5aa --- /dev/null +++ b/src/roles/images/tasks/deploy_image.yaml @@ -0,0 +1,17 @@ +--- +- name: Generate image file for {{ images_definition.name }} + containers.podman.podman_image: + name: "{{ images_definition.image }}" + state: quadlet + quadlet_dir: "{{ images_quadlet_dir }}" + quadlet_filename: "{{ images_definition.name }}" + quadlet_file_mode: "0644" + quadlet_options: + - "Policy=missing" + - "Environment=REGISTRY_AUTH_FILE={{ images_registry_auth_file }}" + +- name: Create drop-in directory for {{ images_definition.name }} + ansible.builtin.file: + path: "{{ images_quadlet_dir }}/{{ images_definition.name }}.image.d" + state: directory + mode: "0755" diff --git a/src/roles/iop_advisor/defaults/main.yaml b/src/roles/iop_advisor/defaults/main.yaml index 52645e1d1..a3beb1188 100644 --- a/src/roles/iop_advisor/defaults/main.yaml +++ b/src/roles/iop_advisor/defaults/main.yaml @@ -1,7 +1,6 @@ --- iop_advisor_container_image: "quay.io/iop/advisor-backend" iop_advisor_container_tag: "foreman-3.18" -iop_advisor_registry_auth_file: /etc/foreman/registry-auth.json iop_advisor_database_name: advisor_db iop_advisor_database_user: advisor_user 
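Review bot: In `deploy_image.yaml`, `Generate image file for {{ images_definition.name }}` passes the credential file as `Environment=REGISTRY_AUTH_FILE={{ images_registry_auth_file }}` in `quadlet_options`, which lands in the `[Image]` group; quadlet documents `AuthFile=` for that group and, as far as I can tell, does not accept `Environment=` there, so the key is likely rejected as unsupported or silently ignored and pulls from an authenticated registry would run without credentials. The docs hunk in this same commit already uses `AuthFile=/etc/foreman/registry-auth.json` in its drop-in examples, so I would change the option to `- "AuthFile={{ images_registry_auth_file }}"`, or, if the intent is to tolerate an absent auth file, place the environment line under an explicit `[Service]` header inside the option list so it reaches the right section. Separately, `Policy=missing` means an already-present tag such as `nightly` is never re-pulled, which contradicts the "Container changes (Upgrades)" text added here that says services restart to pull updated images; either make the policy a role variable or document that an upgrade requires the old image to be removed first. A CI check that the generated `foreman.image` passes `/usr/libexec/podman/quadlet -dryrun` would have caught both.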
diff --git a/src/roles/iop_advisor/tasks/image.yaml b/src/roles/iop_advisor/tasks/image.yaml new file mode 100644 index 000000000..b22eeafe4 --- /dev/null +++ b/src/roles/iop_advisor/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-advisor image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-advisor + image: "{{ iop_advisor_container_image }}:{{ iop_advisor_container_tag }}" diff --git a/src/roles/iop_advisor/tasks/main.yaml b/src/roles/iop_advisor/tasks/main.yaml index 74d7a6773..6c10b4dd0 100644 --- a/src/roles/iop_advisor/tasks/main.yaml +++ b/src/roles/iop_advisor/tasks/main.yaml @@ -1,10 +1,6 @@ --- -- name: Pull Advisor Backend container image - containers.podman.podman_image: - name: "{{ iop_advisor_container_image }}:{{ iop_advisor_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_advisor_registry_auth_file }}" +- name: Deploy iop-advisor image + ansible.builtin.include_tasks: image.yaml - name: Create podman secret for advisor database username containers.podman.podman_secret: @@ -39,7 +35,7 @@ - name: Deploy Advisor Backend API Container containers.podman.podman_container: name: iop-service-advisor-backend-api - image: "{{ iop_advisor_container_image }}:{{ iop_advisor_container_tag }}" + image: iop-advisor.image state: quadlet command: sh -c "./container_init.sh && api/app.sh" network: @@ -62,7 +58,6 @@ INVENTORY_SERVER_URL: "http://iop-core-host-inventory-api:8081/api/inventory/v1" ADVISOR_DB_SSL_MODE: "disable" PORT: "8000" - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-service-advisor-backend-database-username,type=env,target=ADVISOR_DB_USER' - 'iop-service-advisor-backend-database-password,type=env,target=ADVISOR_DB_PASSWORD' 
@@ -83,7 +78,7 @@ - name: Deploy Advisor Backend Service Container containers.podman.podman_container: name: iop-service-advisor-backend-service - image: "{{ iop_advisor_container_image }}:{{ iop_advisor_container_tag }}" + image: iop-advisor.image state: quadlet command: pipenv run python service/service.py network: @@ -92,7 +87,6 @@ BOOTSTRAP_SERVERS: "iop-core-kafka:9092" ADVISOR_DB_SSL_MODE: "disable" DISABLE_WEB_SERVER: "true" - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-service-advisor-backend-database-username,type=env,target=ADVISOR_DB_USER' - 'iop-service-advisor-backend-database-password,type=env,target=ADVISOR_DB_PASSWORD' diff --git a/src/roles/iop_advisor_frontend/defaults/main.yaml b/src/roles/iop_advisor_frontend/defaults/main.yaml index fa5a98b15..d7584d876 100644 --- a/src/roles/iop_advisor_frontend/defaults/main.yaml +++ b/src/roles/iop_advisor_frontend/defaults/main.yaml @@ -1,6 +1,5 @@ --- iop_advisor_frontend_container_image: "quay.io/iop/advisor-frontend" iop_advisor_frontend_container_tag: "foreman-3.18" -iop_advisor_frontend_registry_auth_file: /etc/foreman/registry-auth.json iop_advisor_frontend_assets_path: "/var/www/iop/assets/apps/advisor" iop_advisor_frontend_source_path: "/srv/dist/." diff --git a/src/roles/iop_advisor_frontend/tasks/image.yaml b/src/roles/iop_advisor_frontend/tasks/image.yaml new file mode 100644 index 000000000..79e79ce93 --- /dev/null +++ b/src/roles/iop_advisor_frontend/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-advisor-frontend image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-advisor-frontend + image: "{{ iop_advisor_frontend_container_image }}:{{ iop_advisor_frontend_container_tag }}" diff --git a/src/roles/iop_advisor_frontend/tasks/main.yaml b/src/roles/iop_advisor_frontend/tasks/main.yaml index 1c0b785ad..a10b8a7c4 100644 --- a/src/roles/iop_advisor_frontend/tasks/main.yaml 
+++ b/src/roles/iop_advisor_frontend/tasks/main.yaml @@ -1,10 +1,15 @@ --- -- name: Pull Advisor Frontend container image - containers.podman.podman_image: - name: "{{ iop_advisor_frontend_container_image }}:{{ iop_advisor_frontend_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_advisor_frontend_registry_auth_file }}" +- name: Deploy iop-advisor-frontend image + ansible.builtin.include_tasks: image.yaml + +- name: Run daemon reload for image unit + ansible.builtin.systemd: + daemon_reload: true + +- name: Pull Advisor Frontend image via quadlet unit + ansible.builtin.systemd: + name: iop-advisor-frontend-image.service + state: started - name: Ensure parent assets directory exists ansible.builtin.file: diff --git a/src/roles/iop_engine/defaults/main.yaml b/src/roles/iop_engine/defaults/main.yaml index f2d210e3e..bc9af4f64 100644 --- a/src/roles/iop_engine/defaults/main.yaml +++ b/src/roles/iop_engine/defaults/main.yaml @@ -1,7 +1,6 @@ --- iop_engine_container_image: "quay.io/iop/insights-engine" iop_engine_container_tag: "foreman-3.18" -iop_engine_registry_auth_file: /etc/foreman/registry-auth.json iop_engine_packages: - "insights.specs.default" diff --git a/src/roles/iop_engine/tasks/image.yaml b/src/roles/iop_engine/tasks/image.yaml new file mode 100644 index 000000000..324bd1531 --- /dev/null +++ b/src/roles/iop_engine/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-engine image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-engine + image: "{{ iop_engine_container_image }}:{{ iop_engine_container_tag }}" diff --git a/src/roles/iop_engine/tasks/main.yaml b/src/roles/iop_engine/tasks/main.yaml index e92c111ec..0e97f7fed 100644 --- a/src/roles/iop_engine/tasks/main.yaml +++ b/src/roles/iop_engine/tasks/main.yaml 
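Review bot: The three-task sequence `Deploy iop-advisor-frontend image`, `Run daemon reload for image unit` and `Pull Advisor Frontend image via quadlet unit` is repeated verbatim in iop_inventory_frontend/tasks/main.yaml in this commit; it would be cleaner as an option on the shared `images` role (for example an `images_definition.pull: true` flag handled in `deploy_image.yaml`) so each role that needs the image present immediately does not carry its own daemon-reload and service-start pair. Starting `iop-advisor-frontend-image.service` with `state: started` should be fine if quadlet's image units are oneshot with RemainAfterExit as I recall, but if the unit failed to generate the error surfaces here as a missing unit rather than at the unit file, so a short comment naming that dependency would help the next reader, e.g. `# requires the image unit from image.yaml and a fresh daemon-reload; later tasks need the image locally`.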
@@ -1,10 +1,6 @@ --- -- name: Pull Engine container image - containers.podman.podman_image: - name: "{{ iop_engine_container_image }}:{{ iop_engine_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_engine_registry_auth_file }}" +- name: Deploy iop-engine image + ansible.builtin.include_tasks: image.yaml - name: Create Engine config secret containers.podman.podman_secret: @@ -16,7 +12,7 @@ - name: Deploy Engine container containers.podman.podman_container: name: iop-core-engine - image: "{{ iop_engine_container_image }}:{{ iop_engine_container_tag }}" + image: iop-engine.image state: quadlet command: insights-core-engine /var/config.yml secrets: @@ -32,7 +28,6 @@ After=iop-core-kafka.service iop-core-ingress.service iop-core-puptoo.service Wants=iop-core-kafka.service iop-core-ingress.service iop-core-puptoo.service [Service] - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json Restart=on-failure [Install] WantedBy=default.target diff --git a/src/roles/iop_gateway/defaults/main.yaml b/src/roles/iop_gateway/defaults/main.yaml index 0e6209e98..e09d37c3d 100644 --- a/src/roles/iop_gateway/defaults/main.yaml +++ b/src/roles/iop_gateway/defaults/main.yaml @@ -1,7 +1,6 @@ --- iop_gateway_container_image: "quay.io/iop/gateway" iop_gateway_container_tag: "foreman-3.18" -iop_gateway_registry_auth_file: /etc/foreman/registry-auth.json iop_gateway_server_certificate: "/root/certificates/certs/localhost.crt" iop_gateway_server_key: "/root/certificates/private/localhost.key" diff --git a/src/roles/iop_gateway/tasks/image.yaml b/src/roles/iop_gateway/tasks/image.yaml new file mode 100644 index 000000000..abac5bcb3 --- /dev/null +++ b/src/roles/iop_gateway/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-gateway image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-gateway + image: "{{ iop_gateway_container_image }}:{{ iop_gateway_container_tag }}" 
diff --git a/src/roles/iop_gateway/tasks/main.yaml b/src/roles/iop_gateway/tasks/main.yaml index ca168b66c..1be38f938 100644 --- a/src/roles/iop_gateway/tasks/main.yaml +++ b/src/roles/iop_gateway/tasks/main.yaml @@ -1,10 +1,6 @@ --- -- name: Pull Gateway container image - containers.podman.podman_image: - name: "{{ iop_gateway_container_image }}:{{ iop_gateway_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_gateway_registry_auth_file }}" +- name: Deploy iop-gateway image + ansible.builtin.include_tasks: image.yaml - name: Create Gateway server certificate secret containers.podman.podman_secret: @@ -58,14 +54,12 @@ - name: Deploy Gateway container containers.podman.podman_container: name: iop-core-gateway - image: "{{ iop_gateway_container_image }}:{{ iop_gateway_container_tag }}" + image: iop-gateway.image state: quadlet network: - iop-core-network publish: - "127.0.0.1:24443:8443" - env: - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-core-gateway-server-cert,target=/etc/nginx/certs/nginx.crt,mode=0440,uid=998,gid=998,type=mount' - 'iop-core-gateway-server-key,target=/etc/nginx/certs/nginx.key,mode=0440,uid=998,gid=998,type=mount' diff --git a/src/roles/iop_ingress/defaults/main.yaml b/src/roles/iop_ingress/defaults/main.yaml index e930e2634..8bce99a9b 100644 --- a/src/roles/iop_ingress/defaults/main.yaml +++ b/src/roles/iop_ingress/defaults/main.yaml @@ -1,4 +1,3 @@ --- iop_ingress_container_image: "quay.io/iop/ingress" iop_ingress_container_tag: "foreman-3.18" -iop_ingress_registry_auth_file: /etc/foreman/registry-auth.json diff --git a/src/roles/iop_ingress/tasks/image.yaml b/src/roles/iop_ingress/tasks/image.yaml new file mode 100644 index 000000000..1524f716c --- /dev/null +++ b/src/roles/iop_ingress/tasks/image.yaml 
@@ -0,0 +1,9 @@ +--- +- name: Deploy iop-ingress image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-ingress + image: "{{ iop_ingress_container_image }}:{{ iop_ingress_container_tag }}" diff --git a/src/roles/iop_ingress/tasks/main.yaml b/src/roles/iop_ingress/tasks/main.yaml index 0b49daadc..303f0adfd 100644 --- a/src/roles/iop_ingress/tasks/main.yaml +++ b/src/roles/iop_ingress/tasks/main.yaml @@ -1,15 +1,11 @@ --- -- name: Pull Ingress container image - containers.podman.podman_image: - name: "{{ iop_ingress_container_image }}:{{ iop_ingress_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_ingress_registry_auth_file }}" +- name: Deploy iop-ingress image + ansible.builtin.include_tasks: image.yaml - name: Deploy Ingress container containers.podman.podman_container: name: iop-core-ingress - image: "{{ iop_ingress_container_image }}:{{ iop_ingress_container_tag }}" + image: iop-ingress.image state: quadlet env: INGRESS_VALID_UPLOAD_TYPES: "advisor,compliance,qpc,rhv,tower,leapp-reporting,xavier,playbook,playbook-sat,malware-detection,tasks" diff --git a/src/roles/iop_inventory/defaults/main.yaml b/src/roles/iop_inventory/defaults/main.yaml index b287bbf78..ce4991b76 100644 --- a/src/roles/iop_inventory/defaults/main.yaml +++ b/src/roles/iop_inventory/defaults/main.yaml @@ -1,7 +1,6 @@ --- iop_inventory_container_image: "quay.io/iop/host-inventory" iop_inventory_container_tag: "foreman-3.18" -iop_inventory_registry_auth_file: /etc/foreman/registry-auth.json iop_inventory_database_name: inventory_db iop_inventory_database_user: inventory_admin diff --git a/src/roles/iop_inventory/tasks/image.yaml b/src/roles/iop_inventory/tasks/image.yaml new file mode 100644 index 000000000..43caefdc6 --- /dev/null +++ b/src/roles/iop_inventory/tasks/image.yaml 
@@ -0,0 +1,9 @@ +--- +- name: Deploy iop-inventory image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-inventory + image: "{{ iop_inventory_container_image }}:{{ iop_inventory_container_tag }}" diff --git a/src/roles/iop_inventory/tasks/main.yaml b/src/roles/iop_inventory/tasks/main.yaml index 158007f83..1c575170c 100644 --- a/src/roles/iop_inventory/tasks/main.yaml +++ b/src/roles/iop_inventory/tasks/main.yaml @@ -1,10 +1,6 @@ --- -- name: Pull Host Inventory container image - containers.podman.podman_image: - name: "{{ iop_inventory_container_image }}:{{ iop_inventory_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_inventory_registry_auth_file }}" +- name: Deploy iop-inventory image + ansible.builtin.include_tasks: image.yaml - name: Create podman secret for inventory database username containers.podman.podman_secret: @@ -39,7 +35,7 @@ - name: Deploy Host Inventory Database Migration Container containers.podman.podman_container: name: iop-core-host-inventory-migrate - image: "{{ iop_inventory_container_image }}:{{ iop_inventory_container_tag }}" + image: iop-inventory.image state: quadlet command: make upgrade_db network: @@ -48,7 +44,6 @@ KAFKA_BOOTSTRAP_SERVERS: "PLAINTEXT://iop-core-kafka:9092" USE_SUBMAN_ID: "true" INVENTORY_DB_SSL_MODE: "disable" - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-core-host-inventory-database-username,type=env,target=INVENTORY_DB_USER' - 'iop-core-host-inventory-database-password,type=env,target=INVENTORY_DB_PASS' @@ -68,7 +63,7 @@ - name: Deploy Host Inventory MQ Service Container containers.podman.podman_container: name: iop-core-host-inventory - image: "{{ iop_inventory_container_image }}:{{ iop_inventory_container_tag }}" + image: iop-inventory.image state: quadlet command: make run_inv_mq_service network: 
@@ -77,7 +72,6 @@ KAFKA_BOOTSTRAP_SERVERS: "PLAINTEXT://iop-core-kafka:9092" USE_SUBMAN_ID: "true" INVENTORY_DB_SSL_MODE: "disable" - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-core-host-inventory-database-username,type=env,target=INVENTORY_DB_USER' - 'iop-core-host-inventory-database-password,type=env,target=INVENTORY_DB_PASS' @@ -98,7 +92,7 @@ - name: Deploy Host Inventory API Container containers.podman.podman_container: name: iop-core-host-inventory-api - image: "{{ iop_inventory_container_image }}:{{ iop_inventory_container_tag }}" + image: iop-inventory.image state: quadlet command: python run_gunicorn.py network: @@ -109,7 +103,6 @@ BYPASS_RBAC: "true" USE_SUBMAN_ID: "true" INVENTORY_DB_SSL_MODE: "disable" - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-core-host-inventory-database-username,type=env,target=INVENTORY_DB_USER' - 'iop-core-host-inventory-database-password,type=env,target=INVENTORY_DB_PASS' @@ -128,7 +121,7 @@ - name: Deploy Host Inventory Cleanup Container containers.podman.podman_container: name: iop-core-host-inventory-cleanup - image: "{{ iop_inventory_container_image }}:{{ iop_inventory_container_tag }}" + image: iop-inventory.image state: quadlet command: make run_host_delete_access_tags network: @@ -138,7 +131,6 @@ USE_SUBMAN_ID: "true" INVENTORY_DB_SSL_MODE: "disable" PYTHONPATH: "/opt/app-root/src" - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-core-host-inventory-database-username,type=env,target=INVENTORY_DB_USER' - 'iop-core-host-inventory-database-password,type=env,target=INVENTORY_DB_PASS' diff --git a/src/roles/iop_inventory_frontend/defaults/main.yaml b/src/roles/iop_inventory_frontend/defaults/main.yaml index cd2964b62..2448a31e6 100644 --- a/src/roles/iop_inventory_frontend/defaults/main.yaml +++ b/src/roles/iop_inventory_frontend/defaults/main.yaml 
@@ -1,6 +1,5 @@ --- iop_inventory_frontend_container_image: "quay.io/iop/host-inventory-frontend" iop_inventory_frontend_container_tag: "foreman-3.18" -iop_inventory_frontend_registry_auth_file: /etc/foreman/registry-auth.json iop_inventory_frontend_assets_path: "/var/www/iop/assets/apps/inventory" iop_inventory_frontend_source_path: "/srv/dist/." diff --git a/src/roles/iop_inventory_frontend/tasks/image.yaml b/src/roles/iop_inventory_frontend/tasks/image.yaml new file mode 100644 index 000000000..251b7ea9a --- /dev/null +++ b/src/roles/iop_inventory_frontend/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-inventory-frontend image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-inventory-frontend + image: "{{ iop_inventory_frontend_container_image }}:{{ iop_inventory_frontend_container_tag }}" diff --git a/src/roles/iop_inventory_frontend/tasks/main.yaml b/src/roles/iop_inventory_frontend/tasks/main.yaml index 6d2e5be3f..12c73b678 100644 --- a/src/roles/iop_inventory_frontend/tasks/main.yaml +++ b/src/roles/iop_inventory_frontend/tasks/main.yaml @@ -1,10 +1,15 @@ --- -- name: Pull Inventory Frontend container image - containers.podman.podman_image: - name: "{{ iop_inventory_frontend_container_image }}:{{ iop_inventory_frontend_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_inventory_frontend_registry_auth_file }}" +- name: Deploy iop-inventory-frontend image + ansible.builtin.include_tasks: image.yaml + +- name: Run daemon reload for image unit + ansible.builtin.systemd: + daemon_reload: true + +- name: Pull Inventory Frontend image via quadlet unit + ansible.builtin.systemd: + name: iop-inventory-frontend-image.service + state: started - name: Ensure parent assets directory exists ansible.builtin.file: diff --git a/src/roles/iop_kafka/defaults/main.yaml b/src/roles/iop_kafka/defaults/main.yaml index 71b5179e8..176858bc7 100644 
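Review bot: `state: started` on `iop-inventory-frontend-image.service` will not re-pull after a tag change, because (as far as I recall) a quadlet `.image` unit generates a oneshot service with RemainAfterExit, so once it has run a later play with a new `iop_inventory_frontend_container_tag` leaves the old image in place for the asset copy that follows this hunk. The old `podman_image` task re-pulled on every run, so this is a behaviour regression for upgrades. Using `state: restarted` (a restart re-runs the pull, which is a no-op when the image is already present) or restarting only when the unit file changed would restore that. The same pattern is in `iop_vulnerability_frontend/tasks/main.yaml` further down.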
--- a/src/roles/iop_kafka/defaults/main.yaml +++ b/src/roles/iop_kafka/defaults/main.yaml @@ -1,4 +1,3 @@ --- iop_kafka_container_image: "quay.io/strimzi/kafka" iop_kafka_container_tag: "latest-kafka-3.7.1" -iop_kafka_registry_auth_file: /etc/foreman/registry-auth.json diff --git a/src/roles/iop_kafka/tasks/image.yaml b/src/roles/iop_kafka/tasks/image.yaml new file mode 100644 index 000000000..ad5f6ecad --- /dev/null +++ b/src/roles/iop_kafka/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-kafka image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-kafka + image: "{{ iop_kafka_container_image }}:{{ iop_kafka_container_tag }}" diff --git a/src/roles/iop_kafka/tasks/main.yaml b/src/roles/iop_kafka/tasks/main.yaml index 8906b5417..b2c996549 100644 --- a/src/roles/iop_kafka/tasks/main.yaml +++ b/src/roles/iop_kafka/tasks/main.yaml @@ -1,10 +1,6 @@ --- -- name: Pull Kafka container image - containers.podman.podman_image: - name: "{{ iop_kafka_container_image }}:{{ iop_kafka_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_kafka_registry_auth_file }}" +- name: Deploy iop-kafka image + ansible.builtin.include_tasks: image.yaml - name: Create Kafka init script secret containers.podman.podman_secret: @@ -35,7 +31,7 @@ - name: Deploy Kafka container containers.podman.podman_container: name: iop-core-kafka - image: "{{ iop_kafka_container_image }}:{{ iop_kafka_container_tag }}" + image: iop-kafka.image state: quadlet command: sh bin/init-start.sh network: diff --git a/src/roles/iop_puptoo/defaults/main.yaml b/src/roles/iop_puptoo/defaults/main.yaml index c49eb8f74..8a6d20828 100644 --- a/src/roles/iop_puptoo/defaults/main.yaml +++ b/src/roles/iop_puptoo/defaults/main.yaml @@ -1,4 +1,3 @@ --- iop_puptoo_container_image: "quay.io/iop/puptoo" iop_puptoo_container_tag: "foreman-3.18" -iop_puptoo_registry_auth_file: /etc/foreman/registry-auth.json 
diff --git a/src/roles/iop_puptoo/tasks/image.yaml b/src/roles/iop_puptoo/tasks/image.yaml new file mode 100644 index 000000000..60206a801 --- /dev/null +++ b/src/roles/iop_puptoo/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-puptoo image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-puptoo + image: "{{ iop_puptoo_container_image }}:{{ iop_puptoo_container_tag }}" diff --git a/src/roles/iop_puptoo/tasks/main.yaml b/src/roles/iop_puptoo/tasks/main.yaml index c219f6dfd..eb114a93a 100644 --- a/src/roles/iop_puptoo/tasks/main.yaml +++ b/src/roles/iop_puptoo/tasks/main.yaml @@ -1,15 +1,11 @@ --- -- name: Pull Puptoo container image - containers.podman.podman_image: - name: "{{ iop_puptoo_container_image }}:{{ iop_puptoo_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_puptoo_registry_auth_file }}" +- name: Deploy iop-puptoo image + ansible.builtin.include_tasks: image.yaml - name: Deploy Puptoo container containers.podman.podman_container: name: iop-core-puptoo - image: "{{ iop_puptoo_container_image }}:{{ iop_puptoo_container_tag }}" + image: iop-puptoo.image state: quadlet env: BOOTSTRAP_SERVERS: "iop-core-kafka:9092" diff --git a/src/roles/iop_remediation/defaults/main.yaml b/src/roles/iop_remediation/defaults/main.yaml index 99bceb8e9..29710f735 100644 --- a/src/roles/iop_remediation/defaults/main.yaml +++ b/src/roles/iop_remediation/defaults/main.yaml @@ -1,7 +1,6 @@ --- iop_remediation_container_image: "quay.io/iop/remediations" iop_remediation_container_tag: "foreman-3.18" -iop_remediation_registry_auth_file: /etc/foreman/registry-auth.json iop_remediation_database_name: remediations_db iop_remediation_database_user: remediations_user diff --git a/src/roles/iop_remediation/tasks/image.yaml b/src/roles/iop_remediation/tasks/image.yaml new file mode 100644 index 000000000..c40cf6338 --- /dev/null +++ b/src/roles/iop_remediation/tasks/image.yaml 
@@ -0,0 +1,9 @@ +--- +- name: Deploy iop-remediation image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-remediation + image: "{{ iop_remediation_container_image }}:{{ iop_remediation_container_tag }}" diff --git a/src/roles/iop_remediation/tasks/main.yaml b/src/roles/iop_remediation/tasks/main.yaml index dc50d4de8..00b6ae6e3 100644 --- a/src/roles/iop_remediation/tasks/main.yaml +++ b/src/roles/iop_remediation/tasks/main.yaml @@ -1,10 +1,6 @@ --- -- name: Pull Remediation container image - containers.podman.podman_image: - name: "{{ iop_remediation_container_image }}:{{ iop_remediation_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_remediation_registry_auth_file }}" +- name: Deploy iop-remediation image + ansible.builtin.include_tasks: image.yaml - name: Create Remediation database username secret containers.podman.podman_secret: @@ -44,7 +40,7 @@ - name: Deploy Remediation API container containers.podman.podman_container: name: iop-service-remediations-api - image: "{{ iop_remediation_container_image }}:{{ iop_remediation_container_tag }}" + image: iop-remediation.image state: quadlet network: - iop-core-network @@ -56,7 +52,6 @@ ADVISOR_HOST: "http://iop-service-advisor-backend-api:8000" INVENTORY_HOST: "http://iop-core-host-inventory-api:8081" DB_SSL_ENABLED: "false" - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-service-remediations-db-username,type=env,target=DB_USERNAME' - 'iop-service-remediations-db-password,type=env,target=DB_PASSWORD' diff --git a/src/roles/iop_vmaas/defaults/main.yaml b/src/roles/iop_vmaas/defaults/main.yaml index 2d5f0511f..0ba603ee1 100644 --- a/src/roles/iop_vmaas/defaults/main.yaml +++ b/src/roles/iop_vmaas/defaults/main.yaml 
@@ -1,7 +1,6 @@ --- iop_vmaas_container_image: "quay.io/iop/vmaas" iop_vmaas_container_tag: "foreman-3.18" -iop_vmaas_registry_auth_file: /etc/foreman/registry-auth.json iop_vmaas_database_name: vmaas_db iop_vmaas_database_user: vmaas_admin diff --git a/src/roles/iop_vmaas/tasks/image.yaml b/src/roles/iop_vmaas/tasks/image.yaml new file mode 100644 index 000000000..5e6bb2991 --- /dev/null +++ b/src/roles/iop_vmaas/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-vmaas image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-vmaas + image: "{{ iop_vmaas_container_image }}:{{ iop_vmaas_container_tag }}" diff --git a/src/roles/iop_vmaas/tasks/main.yaml b/src/roles/iop_vmaas/tasks/main.yaml index 3b1b7ec5a..2292561e3 100644 --- a/src/roles/iop_vmaas/tasks/main.yaml +++ b/src/roles/iop_vmaas/tasks/main.yaml @@ -1,17 +1,13 @@ --- +- name: Deploy iop-vmaas image + ansible.builtin.include_tasks: image.yaml + - name: Create VMAAS client CA certificate secret containers.podman.podman_secret: state: present name: iop-service-vmaas-reposcan-client-ca-cert path: "{{ iop_vmaas_client_ca_certificate }}" -- name: Pull VMAAS container image - containers.podman.podman_image: - name: "{{ iop_vmaas_container_image }}:{{ iop_vmaas_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_vmaas_registry_auth_file }}" - - name: Create VMAAS database secrets containers.podman.podman_secret: name: "{{ item.name }}" @@ -39,7 +35,7 @@ - name: Deploy VMAAS Reposcan container containers.podman.podman_container: name: iop-service-vmaas-reposcan - image: "{{ iop_vmaas_container_image }}:{{ iop_vmaas_container_tag }}" + image: iop-vmaas.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network 
@@ -72,14 +68,13 @@ Description=VMAAS Reposcan Service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target - name: Deploy VMAAS Webapp-Go container containers.podman.podman_container: name: iop-service-vmaas-webapp-go - image: "{{ iop_vmaas_container_image }}:{{ iop_vmaas_container_tag }}" + image: iop-vmaas.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -104,7 +99,6 @@ After=iop-service-vmaas-reposcan.service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target diff --git a/src/roles/iop_vulnerability/defaults/main.yaml b/src/roles/iop_vulnerability/defaults/main.yaml index 4811acf93..0c9923a4f 100644 --- a/src/roles/iop_vulnerability/defaults/main.yaml +++ b/src/roles/iop_vulnerability/defaults/main.yaml @@ -1,7 +1,6 @@ --- iop_vulnerability_container_image: "quay.io/iop/vulnerability-engine" iop_vulnerability_container_tag: "foreman-3.18" -iop_vulnerability_registry_auth_file: /etc/foreman/registry-auth.json iop_vulnerability_database_name: vulnerability_db iop_vulnerability_database_user: vulnerability_admin diff --git a/src/roles/iop_vulnerability/tasks/image.yaml b/src/roles/iop_vulnerability/tasks/image.yaml new file mode 100644 index 000000000..e1468a83d --- /dev/null +++ b/src/roles/iop_vulnerability/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-vulnerability image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-vulnerability + image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" diff --git a/src/roles/iop_vulnerability/tasks/main.yaml b/src/roles/iop_vulnerability/tasks/main.yaml index 5b4f21e2a..0ad8067bd 100644 --- a/src/roles/iop_vulnerability/tasks/main.yaml +++ b/src/roles/iop_vulnerability/tasks/main.yaml 
@@ -1,10 +1,6 @@ --- -- name: Pull Vulnerability container image - containers.podman.podman_image: - name: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_vulnerability_registry_auth_file }}" +- name: Deploy iop-vulnerability image + ansible.builtin.include_tasks: image.yaml - name: Create vulnerability database secrets containers.podman.podman_secret: @@ -47,7 +43,7 @@ - name: Deploy Vulnerability Database Upgrade container containers.podman.podman_container: name: iop-service-vuln-dbupgrade - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -69,7 +65,6 @@ [Service] Type=oneshot RemainAfterExit=true - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target notify: Restart vulnerability dbupgrade @@ -78,7 +73,7 @@ - name: Deploy Vulnerability Manager container containers.podman.podman_container: name: iop-service-vuln-manager - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -101,7 +96,6 @@ Requires=iop-service-vuln-dbupgrade.service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target notify: Restart vulnerability manager @@ -110,7 +104,7 @@ - name: Deploy Vulnerability Taskomatic container containers.podman.podman_container: name: iop-service-vuln-taskomatic - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network 
@@ -135,7 +129,6 @@ After=iop-service-vuln-manager.service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target notify: Restart vulnerability taskomatic @@ -144,7 +137,7 @@ - name: Deploy Vulnerability Grouper container containers.podman.podman_container: name: iop-service-vuln-grouper - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -173,7 +166,6 @@ After=iop-service-vuln-manager.service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target notify: Restart vulnerability grouper @@ -182,7 +174,7 @@ - name: Deploy Vulnerability Listener container containers.podman.podman_container: name: iop-service-vuln-listener - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -211,7 +203,6 @@ After=iop-service-vuln-manager.service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target notify: Restart vulnerability listener @@ -220,7 +211,7 @@ - name: Deploy Vulnerability Evaluator (Recalc) container containers.podman.podman_container: name: iop-service-vuln-evaluator-recalc - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -249,7 +240,6 @@ After=iop-service-vuln-manager.service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target notify: Restart vulnerability evaluator-recalc 
@@ -258,7 +248,7 @@ - name: Deploy Vulnerability Evaluator (Upload) container containers.podman.podman_container: name: iop-service-vuln-evaluator-upload - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -287,7 +277,6 @@ After=iop-service-vuln-grouper.service iop-service-vuln-manager.service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target notify: Restart vulnerability evaluator-upload @@ -296,7 +285,7 @@ - name: Deploy Vulnerability VMAAS Sync container containers.podman.podman_container: name: iop-service-vuln-vmaas-sync - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -322,7 +311,6 @@ After=iop-service-vmaas-webapp-go.service iop-service-vuln-manager.service [Service] Type=oneshot - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json - name: Create VMAAS Sync systemd timer ansible.builtin.copy: diff --git a/src/roles/iop_vulnerability_frontend/defaults/main.yaml b/src/roles/iop_vulnerability_frontend/defaults/main.yaml index 0b8bf79c0..5b4b6cb3c 100644 --- a/src/roles/iop_vulnerability_frontend/defaults/main.yaml +++ b/src/roles/iop_vulnerability_frontend/defaults/main.yaml @@ -1,6 +1,5 @@ --- iop_vulnerability_frontend_container_image: "quay.io/iop/vulnerability-frontend" iop_vulnerability_frontend_container_tag: "foreman-3.18" -iop_vulnerability_frontend_registry_auth_file: /etc/foreman/registry-auth.json iop_vulnerability_frontend_assets_path: "/var/www/iop/assets/apps/vulnerability" iop_vulnerability_frontend_source_path: "/srv/dist/." 
diff --git a/src/roles/iop_vulnerability_frontend/tasks/image.yaml b/src/roles/iop_vulnerability_frontend/tasks/image.yaml new file mode 100644 index 000000000..b442eb41d --- /dev/null +++ b/src/roles/iop_vulnerability_frontend/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-vulnerability-frontend image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-vulnerability-frontend + image: "{{ iop_vulnerability_frontend_container_image }}:{{ iop_vulnerability_frontend_container_tag }}" diff --git a/src/roles/iop_vulnerability_frontend/tasks/main.yaml b/src/roles/iop_vulnerability_frontend/tasks/main.yaml index c21cd053a..216b283b0 100644 --- a/src/roles/iop_vulnerability_frontend/tasks/main.yaml +++ b/src/roles/iop_vulnerability_frontend/tasks/main.yaml @@ -1,10 +1,15 @@ --- -- name: Pull Vulnerability Frontend container image - containers.podman.podman_image: - name: "{{ iop_vulnerability_frontend_container_image }}:{{ iop_vulnerability_frontend_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_vulnerability_frontend_registry_auth_file }}" +- name: Deploy iop-vulnerability-frontend image + ansible.builtin.include_tasks: image.yaml + +- name: Run daemon reload for image unit + ansible.builtin.systemd: + daemon_reload: true + +- name: Pull Vulnerability Frontend image via quadlet unit + ansible.builtin.systemd: + name: iop-vulnerability-frontend-image.service + state: started - name: Ensure parent assets directory exists ansible.builtin.file: diff --git a/src/roles/iop_yuptoo/defaults/main.yaml b/src/roles/iop_yuptoo/defaults/main.yaml index 4d983f61f..28ff3a78c 100644 --- a/src/roles/iop_yuptoo/defaults/main.yaml +++ b/src/roles/iop_yuptoo/defaults/main.yaml @@ -1,4 +1,3 @@ --- iop_yuptoo_container_image: "quay.io/iop/yuptoo" iop_yuptoo_container_tag: "foreman-3.18" -iop_yuptoo_registry_auth_file: /etc/foreman/registry-auth.json 
diff --git a/src/roles/iop_yuptoo/tasks/image.yaml b/src/roles/iop_yuptoo/tasks/image.yaml new file mode 100644 index 000000000..e5b0f17f3 --- /dev/null +++ b/src/roles/iop_yuptoo/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-yuptoo image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-yuptoo + image: "{{ iop_yuptoo_container_image }}:{{ iop_yuptoo_container_tag }}" diff --git a/src/roles/iop_yuptoo/tasks/main.yaml b/src/roles/iop_yuptoo/tasks/main.yaml index 007e5ebad..35b9cf6b7 100644 --- a/src/roles/iop_yuptoo/tasks/main.yaml +++ b/src/roles/iop_yuptoo/tasks/main.yaml @@ -1,15 +1,11 @@ --- -- name: Pull Yuptoo container image - containers.podman.podman_image: - name: "{{ iop_yuptoo_container_image }}:{{ iop_yuptoo_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_yuptoo_registry_auth_file }}" +- name: Deploy iop-yuptoo image + ansible.builtin.include_tasks: image.yaml - name: Deploy Yuptoo container containers.podman.podman_container: name: iop-core-yuptoo - image: "{{ iop_yuptoo_container_image }}:{{ iop_yuptoo_container_tag }}" + image: iop-yuptoo.image state: quadlet command: python -m main env: @@ -22,7 +18,6 @@ [Unit] Description=IOP Core Yuptoo Container [Service] - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json Restart=on-failure [Install] WantedBy=default.target diff --git a/src/roles/postgresql/defaults/main.yml b/src/roles/postgresql/defaults/main.yml index 7c80c3a68..0530ec787 100644 --- a/src/roles/postgresql/defaults/main.yml +++ b/src/roles/postgresql/defaults/main.yml @@ -1,7 +1,6 @@ --- postgresql_container_image: quay.io/sclorg/postgresql-13-c9s postgresql_container_tag: "latest" -postgresql_registry_auth_file: /etc/foreman/registry-auth.json postgresql_container_name: postgresql postgresql_network: host postgresql_restart_policy: always 
diff --git a/src/roles/postgresql/tasks/image.yaml b/src/roles/postgresql/tasks/image.yaml new file mode 100644 index 000000000..418d6635f --- /dev/null +++ b/src/roles/postgresql/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy postgresql image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: postgresql + image: "{{ postgresql_container_image }}:{{ postgresql_container_tag }}" diff --git a/src/roles/postgresql/tasks/main.yml b/src/roles/postgresql/tasks/main.yml index fe13649ed..ec860a69a 100644 --- a/src/roles/postgresql/tasks/main.yml +++ b/src/roles/postgresql/tasks/main.yml @@ -1,10 +1,6 @@ --- -- name: Pull PostgreSQL container image - containers.podman.podman_image: - name: "{{ postgresql_container_image }}:{{ postgresql_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ postgresql_registry_auth_file }}" +- name: Deploy postgresql image + ansible.builtin.include_tasks: image.yaml - name: Create PostgreSQL storage directory ansible.builtin.file: @@ -24,7 +20,7 @@ - name: Deploy PostgreSQL container containers.podman.podman_container: name: "{{ postgresql_container_name }}" - image: "{{ postgresql_container_image }}:{{ postgresql_container_tag }}" + image: postgresql.image state: quadlet healthcheck: pg_isready sdnotify: healthy diff --git a/src/roles/pulp/defaults/main.yaml b/src/roles/pulp/defaults/main.yaml index a4b9fa44a..ff22558db 100644 --- a/src/roles/pulp/defaults/main.yaml +++ b/src/roles/pulp/defaults/main.yaml @@ -1,7 +1,6 @@ --- pulp_container_image: quay.io/foreman/pulp pulp_container_tag: "3.73" -pulp_registry_auth_file: /etc/foreman/registry-auth.json pulp_api_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}" pulp_content_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}" pulp_worker_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}" 
diff --git a/src/roles/pulp/tasks/image.yaml b/src/roles/pulp/tasks/image.yaml new file mode 100644 index 000000000..6e69de249 --- /dev/null +++ b/src/roles/pulp/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy pulp image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: pulp + image: "{{ pulp_container_image }}:{{ pulp_container_tag }}" diff --git a/src/roles/pulp/tasks/main.yaml b/src/roles/pulp/tasks/main.yaml index 66dcad042..ebf115e33 100644 --- a/src/roles/pulp/tasks/main.yaml +++ b/src/roles/pulp/tasks/main.yaml @@ -1,24 +1,6 @@ --- -- name: Pull the Pulp API container image - containers.podman.podman_image: - name: "{{ pulp_api_image }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ pulp_registry_auth_file }}" - -- name: Pull the Pulp Content container image - containers.podman.podman_image: - name: "{{ pulp_content_image }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ pulp_registry_auth_file }}" - -- name: Pull the Pulp Worker container image - containers.podman.podman_image: - name: "{{ pulp_worker_image }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ pulp_registry_auth_file }}" +- name: Deploy pulp image + ansible.builtin.include_tasks: image.yaml - name: Create Pulp storage ansible.builtin.file: @@ -97,7 +79,7 @@ - name: Deploy Pulp API Container containers.podman.podman_container: name: "{{ pulp_api_container_name }}" - image: "{{ pulp_api_image }}" + image: pulp.image state: quadlet sdnotify: true command: pulp-api @@ -128,7 +110,7 @@ - name: Deploy Pulp Content Container containers.podman.podman_container: name: "{{ pulp_content_container_name }}" - image: "{{ pulp_content_image }}" + image: pulp.image state: quadlet sdnotify: true command: pulp-content 
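Review bot: `pulp_api_image`, `pulp_content_image` and `pulp_worker_image` are no longer consumed once the API, Content and Worker tasks all point at `pulp.image` (the `@@ -97`, `@@ -128` hunks here and the worker hunk that follows), yet they remain defined in `src/roles/pulp/defaults/main.yaml`; an inventory that overrides one of them now has no effect and nothing warns. Either drop the three defaults, or — if running different images per Pulp service is still meant to be supported — give each its own `.image` unit built from the respective variable. Whichever is chosen, the removed override deserves a line in the docs or changelog.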
@@ -160,7 +142,7 @@ containers.podman.podman_container: name: "{{ pulp_worker_container_name }}-%i" quadlet_filename: "{{ pulp_worker_container_name }}@" - image: "{{ pulp_worker_image }}" + image: pulp.image state: quadlet command: pulp-worker network: host diff --git a/src/roles/redis/defaults/main.yml b/src/roles/redis/defaults/main.yml index 1b0e2af3f..5c0c3e140 100644 --- a/src/roles/redis/defaults/main.yml +++ b/src/roles/redis/defaults/main.yml @@ -1,4 +1,3 @@ --- redis_container_image: quay.io/sclorg/redis-6-c9s redis_container_tag: "latest" -redis_registry_auth_file: /etc/foreman/registry-auth.json diff --git a/src/roles/redis/tasks/image.yaml b/src/roles/redis/tasks/image.yaml new file mode 100644 index 000000000..789a307be --- /dev/null +++ b/src/roles/redis/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy redis image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: redis + image: "{{ redis_container_image }}:{{ redis_container_tag }}" diff --git a/src/roles/redis/tasks/main.yaml b/src/roles/redis/tasks/main.yaml index 93837c90c..76a96378e 100644 --- a/src/roles/redis/tasks/main.yaml +++ b/src/roles/redis/tasks/main.yaml @@ -1,10 +1,6 @@ --- -- name: Pull Redis container image - containers.podman.podman_image: - name: "{{ redis_container_image }}:{{ redis_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ redis_registry_auth_file }}" +- name: Deploy redis image + ansible.builtin.include_tasks: image.yaml - name: Create directory for Redis data ansible.builtin.file: @@ -17,7 +13,7 @@ - name: Run Redis as a container containers.podman.podman_container: name: redis - image: "{{ redis_container_image }}:{{ redis_container_tag }}" + image: redis.image state: quadlet network: host sdnotify: true diff --git a/src/vars/images.yml b/src/vars/images.yml index 65356335f..e51c0ed58 100644 --- a/src/vars/images.yml +++ b/src/vars/images.yml 
@@ -1,23 +1,4 @@ -registry_auth_file: /etc/foreman/registry-auth.json -candlepin_registry_auth_file: "{{ registry_auth_file }}" -foreman_registry_auth_file: "{{ registry_auth_file }}" -foreman_proxy_registry_auth_file: "{{ registry_auth_file }}" -postgresql_registry_auth_file: "{{ registry_auth_file }}" -pulp_registry_auth_file: "{{ registry_auth_file }}" -redis_registry_auth_file: "{{ registry_auth_file }}" -iop_kafka_registry_auth_file: "{{ registry_auth_file }}" -iop_vmaas_registry_auth_file: "{{ registry_auth_file }}" -iop_vulnerability_registry_auth_file: "{{ registry_auth_file }}" -iop_inventory_registry_auth_file: "{{ registry_auth_file }}" -iop_remediation_registry_auth_file: "{{ registry_auth_file }}" -iop_advisor_registry_auth_file: "{{ registry_auth_file }}" -iop_gateway_registry_auth_file: "{{ registry_auth_file }}" -iop_engine_registry_auth_file: "{{ registry_auth_file }}" -iop_yuptoo_registry_auth_file: "{{ registry_auth_file }}" -iop_puptoo_registry_auth_file: "{{ registry_auth_file }}" -iop_ingress_registry_auth_file: "{{ registry_auth_file }}" -iop_vulnerability_frontend_registry_auth_file: "{{ registry_auth_file }}" -iop_advisor_frontend_registry_auth_file: "{{ registry_auth_file }}" +images_registry_auth_file: /etc/foreman/registry-auth.json container_tag_stream: "nightly" candlepin_container_image: quay.io/foreman/candlepin 
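Review bot: Collapsing the twenty per-role `*_registry_auth_file` variables into a single `images_registry_auth_file` silently drops existing overrides — an inventory that set, say, `iop_kafka_registry_auth_file` or the old `registry_auth_file` now has no effect and nothing in this hunk maps the old names onto the new one. A one-release bridge such as `images_registry_auth_file: "{{ registry_auth_file | default('/etc/foreman/registry-auth.json') }}"` plus a deprecation entry would avoid a quiet fall-back to unauthenticated pulls. Whether the pull actually honours this path now depends on the `images` role's `deploy_image.yaml`, which is not in this diff, so a test asserting the generated `.image` unit carries the auth file would make the consolidation verifiable.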
@@ -33,15 +14,3 @@ pulp_container_image: quay.io/foreman/pulp pulp_container_tag: "foreman-{{ container_tag_stream }}" redis_container_image: quay.io/sclorg/redis-6-c9s redis_container_tag: "latest" - -images: - - "{{ candlepin_container_image }}:{{ candlepin_container_tag }}" - - "{{ foreman_container_image }}:{{ foreman_container_tag }}" - - "{{ pulp_container_image }}:{{ pulp_container_tag }}" - - "{{ redis_container_image }}:{{ redis_container_tag }}" - -database_images: - - "{{ postgresql_container_image }}:{{ postgresql_container_tag }}" - -foreman_proxy_images: - - "{{ foreman_proxy_container_image }}:{{ foreman_proxy_container_tag }}" diff --git a/tests/images_test.py b/tests/images_test.py new file mode 100644 index 000000000..b6f9b786b --- /dev/null +++ b/tests/images_test.py @@ -0,0 +1,36 @@ +import pytest + +CORE_IMAGES = [ + "foreman", + "candlepin", + "pulp", + "redis", +] + + +@pytest.fixture(params=CORE_IMAGES) +def core_image(request): + return request.param + + +def test_image_file_exists(server, core_image): + image_file = server.file(f"/etc/containers/systemd/{core_image}.image") + assert image_file.exists and image_file.is_file + + +def test_image_dropin_directory_exists(server, core_image): + dropin_dir = server.file(f"/etc/containers/systemd/{core_image}.image.d") + assert dropin_dir.exists and dropin_dir.is_directory + + +def test_image_service_exists(server, core_image): + service = server.service(f"{core_image}-image") + assert service.exists + + +def test_postgresql_image_file(server, database_mode): + image_file = server.file("/etc/containers/systemd/postgresql.image") + if database_mode == 'external': + assert not (image_file.exists and image_file.is_file) + else: + assert image_file.exists and image_file.is_file diff --git a/tests/iop/images_test.py b/tests/iop/images_test.py new file mode 100644 index 000000000..bafa4e433 --- /dev/null +++ b/tests/iop/images_test.py 
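Review bot: The new core image tests only assert that `<name>.image` and `<name>.image.d/` exist; they check neither that the unit actually references an image nor that the drop-in directory is root-owned and not group/world-writable, although a writable drop-in silently overrides which image every dependent container runs (drop-ins merge last-wins). Adding `assert image_file.contains(r"^Image=")` to `test_image_file_exists` and `assert dropin_dir.user == "root" and not dropin_dir.mode & 0o022` to `test_image_dropin_directory_exists` would catch both a broken template and a permissions regression. `test_postgresql_image_file` could assert the `.image.d/` directory is likewise absent in external mode, so a stale drop-in cannot linger after switching modes.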
@@ -0,0 +1,26 @@ +import pytest + +pytestmark = pytest.mark.feature("iop") + +IOP_IMAGES = [ + "iop-kafka", + "iop-ingress", + "iop-puptoo", + "iop-yuptoo", + "iop-engine", + "iop-gateway", + "iop-inventory", + "iop-advisor", + "iop-remediation", + "iop-vmaas", + "iop-vulnerability", + "iop-advisor-frontend", + "iop-inventory-frontend", + "iop-vulnerability-frontend", +] + + +@pytest.mark.parametrize("image_name", IOP_IMAGES) +def test_iop_image_file_exists(server, image_name): + image_file = server.file(f"/etc/containers/systemd/{image_name}.image") + assert image_file.exists and image_file.is_file diff --git a/tests/target_lifecycle_test.py b/tests/target_lifecycle_test.py index f834ffc97..618f0873f 100644 --- a/tests/target_lifecycle_test.py +++ b/tests/target_lifecycle_test.py @@ -1,6 +1,6 @@ import time -FOREMAN_PING_RETRIES = 60 +FOREMAN_PING_RETRIES = 90 FOREMAN_PING_DELAY = 10 CURL_CMD = "curl --silent --output /dev/null"
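Review bot: `tests/iop/images_test.py` checks only that each `.image` file exists, whereas `tests/images_test.py` in the same commit also asserts the `.image.d/` drop-in directory and the `<name>-image` service exist; the IOP units get the weaker check for no stated reason. Parametrizing the same three assertions over `IOP_IMAGES`, or sharing a helper between the two files, would keep coverage uniform. `IOP_IMAGES` is a hand-maintained list that must track the roles, so a comment such as `# keep in sync with src/roles/iop_*/tasks/image.yaml` would help the next person who adds a service.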