-
Notifications
You must be signed in to change notification settings - Fork 1
/
quay-setup.yml
201 lines (174 loc) · 6.46 KB
/
quay-setup.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
---
- name: Setup Quay non-production
hosts: registry
vars_files:
- vars/quay-registry-vars.yml
environment:
REGISTRY_AUTH_FILE: "{{ cloud_secret }}"
tasks:
- name: Install required packages
when: quay_host_connected
become: yes
package:
name: "{{ required_pkgs }}"
state: present
- name: Setup base directory
file:
path: "{{ item }}"
state: directory
loop:
- "{{ base_dir }}"
- "{{ postgresql_dir }}"
- "{{ quay_config_dir }}"
- "{{ quay_config_dir }}/extra_ca_certs"
- "{{ quay_storage_dir }}"
- name: Set ACLs for permissions on storage directories
acl:
path: "{{ item.dir }}"
entity: "{{ item.uid }}"
etype: user
permissions: "{{ item.perms }}"
state: present
loop:
- { dir: "{{ postgresql_dir }}", uid: '26', perms: '-wx' }
- { dir: "{{ quay_storage_dir }}", uid: '1001', perms: '-wx' }
- name: Get services status
service_facts:
- name: Configure firewall if running
when: ansible_facts.services['firewalld.service'].state == "running"
become: yes
firewalld:
port: "{{ item }}/tcp"
immediate: yes
permanent: yes
state: enabled
loop:
- "{{ quay_config_port }}"
- "{{ quay_port }}"
- "{{ postgresql_port }}"
- "{{ redis_port }}"
- name: Create self-signed certificate if no signed certs exist
when: use_self_signed
block:
- name: Create a SAN cert config file
template:
src: ssl-ca.cnf.j2
dest: "{{ quay_config_dir }}/ssl-ca.cnf"
- name: Create a self-signed certificate with CA
command:
cmd: openssl req -newkey rsa:4096 -nodes -sha256 -keyout ssl.key -x509 -days 365 -out ssl.cert -config ssl-ca.cnf
chdir: "{{ quay_config_dir }}"
creates: ssl.cert
- name: Adjust cert and key perms to what Quay wants
file:
path: "{{ quay_config_dir }}/{{ item }}"
mode: 0775
loop:
- ssl.cert
- ssl.key
- name: Copy certificate to trust-store
become: yes
copy:
src: "{{ quay_config_dir }}/ssl.cert"
remote_src: yes
dest: /etc/pki/ca-trust/source/anchors/ssl.cert
register: copy_cert
- name: Update trust store
when: copy_cert.changed
become: yes
command: update-ca-trust
- name: Copy signed ssl cert and key if exists
when: not use_self_signed
block:
- name: Make sure cert and key are defined
assert:
that:
- ssl_cert is defined
- ssl_key is defined
fail_msg: "Failed to define path to ssl_cert or ssl_key"
- name: Copy signed cert
copy:
src: "{{ ssl_cert }}"
dest: "{{ quay_config_dir }}/ssl.cert"
mode: 0775
- name: Copy private key
copy:
src: "{{ ssl_key }}"
dest: "{{ quay_config_dir }}/ssl.key"
mode: 0775
- name: Check if postgresql-quay container is running
become: yes
command: podman ps -f name='^postgresql-quay$' --format "{{ '{{' }} .Names {{ '}}' }}"
register: postgresql_status
changed_when: postgresql_status.rc != 0
- name: Set fact for state of postgresql-quay
set_fact:
postgresql_quay_is_running: yes
when:
- postgresql_status.stdout_lines|count == 1
- postgresql_status.stdout == "postgresql-quay"
- name: Run podman postgresql container
become: yes
when: postgresql_quay_is_running is not defined or not postgresql_quay_is_running
command: >
podman run -d --name postgresql-quay {% if postgresql_ip is defined %} --ip {{ postgresql_ip }} {% endif %}
-e POSTGRESQL_USER={{ postgresql_user }} -e POSTGRESQL_PASSWORD={{ postgresql_pass }}
-e POSTGRESQL_DATABASE={{ postgresql_db }} -e POSTGRESQL_ADMIN_PASSWORD={{ postgresql_admin_pass }}
-p {{ postgresql_port }}:{{ postgresql_port }}
-v {{ base_dir }}/postgresql-quay:/var/lib/pgsql/data:Z
registry.redhat.io/rhel8/postgresql-10:1
register: postgresql_quay_started
- name: Pause to give database a change to start
when: postgresql_quay_started.changed
pause:
seconds: 5
- name: Set pg_trgm extension in postgresql
become: yes
command: >
podman exec -it postgresql-quay /bin/bash
-c 'echo "CREATE EXTENSION IF NOT EXISTS" pg_trgm | psql -d {{ postgresql_db }} -U postgres'
register: postgresql_add_extension
changed_when: "'already exists' not in postgresql_add_extension.stdout"
- name: Check if redis container is running
become: yes
command: podman ps -f name='^redis$' --format "{{ '{{' }} .Names {{ '}}' }}"
register: redis_status
changed_when: redis_status.rc != 0
- name: Set fact for state of redis
set_fact:
redis_is_running: yes
when:
- redis_status.stdout_lines|count == 1
- redis_status.stdout == "redis"
- name: Run podman redis container
become: yes
when: redis_is_running is not defined or not redis_is_running
command: >
podman run -d --name redis {% if redis_ip is defined %} --ip {{ redis_ip }} {% endif %}
-e REDIS_PASSWORD={{ redis_password }} -p {{ redis_port }}:{{ redis_port }}
registry.redhat.io/rhel8/redis-5:1
register: redis_started
- name: Setup quay config.yaml
template:
src: config.yaml.j2
dest: "{{ quay_config_dir }}/config.yaml"
- name: Check if quay container is running
become: yes
command: podman ps -f name='^quay$' --format "{{ '{{' }} .Names {{ '}}' }}"
register: quay_status
changed_when: quay_status.rc != 0
- name: Set fact for state of quay
set_fact:
quay_is_running: yes
when:
- quay_status.stdout_lines|count == 1
- quay_status.stdout == "quay"
- name: Run podman quay container
become: yes
when: quay_is_running is not defined or not quay_is_running
command: >
podman run -d -p {{ quay_port }}:{{ quay_port }}
--name quay -v {{ quay_config_dir }}:/conf/stack:Z
-v {{ quay_storage_dir }}:/datastorage:Z
registry.redhat.io/quay/quay-rhel8:v3.4.3
register: quay_started