Commit 7148c282 authored by František Dvořák's avatar František Dvořák

Initial import

Showing
with 506 additions and 0 deletions
---
- name: Sonatype Nexus deployment
hosts: master
vars:
nexus_url: "https://{{ nexus_hostname }}/service/rest/v1"
nexus_admin_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/data/nexus_admin_password:value', token_validate=false) }}"
nexus_binder_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/data/nexus_binder_password:value', token_validate=false) }}"
nexus_notebooks_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/data/nexus_notebooks_password:value',
token_validate=false) }}"
nexus_writer_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/data/nexus_writer_password:value', token_validate=false) }}"
nexus_blobstore_name: default
nexus_blobstore_type: file
nexus_repository_name: container-notebooks
nexus_docker_port: 8082
become: true
tasks:
- name: Create Nexus configuration file on master
vars:
name: nexus
template:
src: templates/nexus.yaml
dest: /tmp/nexus.yaml
mode: 0600
- name: Deploy/update Nexus instance
command: kubectl apply -f /tmp/nexus.yaml
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
when: true
- name: Wait for Nexus pod ready
command: kubectl wait pod --all --namespace nexus --for condition=ready --timeout=5m
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
changed_when: false
when: true
- name: Wait for Nexus REST API
uri:
url: "{{ nexus_url }}/status"
status_code: 200
method: GET
register: _result
until: _result.status == 200
retries: 120
delay: 15
- name: Check the admin password
uri:
url: "{{ nexus_url }}/status"
force_basic_auth: true
method: HEAD
user: 'admin'
password: "{{ nexus_admin_password }}"
status_code: 200, 401
register: nexus_admin_password_check
- name: Admin password setup
when:
- nexus_admin_password_check.status == 401
block:
- name: Get initial admin password
shell: 'kubectl exec -it -n nexus $(kubectl get pod -n nexus -l app=sonatype-nexus -o name) -- cat /nexus-data/admin.password'
register: nexus_admin_password_initial
changed_when: false
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
- name: Set the admin password
uri:
url: "{{ nexus_url }}/security/users/admin/change-password"
force_basic_auth: true
headers:
Content-Type: text/plain
method: PUT
user: 'admin'
password: "{{ nexus_admin_password_initial.stdout }}"
body: "{{ nexus_admin_password }}"
body_format: raw
status_code: [200, 204]
- name: Check blobstore
uri:
url: "{{ nexus_url }}/blobstores/{{ nexus_blobstore_type }}/{{ nexus_blobstore_name }}"
force_basic_auth: true
user: 'admin'
password: "{{ nexus_admin_password }}"
# XXX: workaround REST API bug for S3 (Nexus 3.33.0-01)
status_code: [200, 400, 404, 500]
register: nexus_blobstore_check
# XXX: REST API bug II - needs to be created manually
- name: Create blobstore
when: &blobstore_changed
- nexus_blobstore_check.status == 404 or nexus_blobstore_check.status == 400
uri:
url: "{{ nexus_url }}/blobstores/{{ nexus_blobstore_type }}"
force_basic_auth: true
method: POST
user: 'admin'
password: "{{ nexus_admin_password }}"
body: "{{ lookup('template', 'templates/nexus-blobstore.yaml') | from_yaml }}"
body_format: json
status_code: [200, 201]
changed_when: *blobstore_changed
- name: Check binder repository
uri:
url: "{{ nexus_url }}/repositories/docker/hosted/{{ nexus_repository_name }}"
force_basic_auth: true
user: 'admin'
password: "{{ nexus_admin_password }}"
status_code: [200, 404]
register: nexus_repository_check
- name: Delete original repositories
when: &repositories_deleted
- nexus_repository_check.status == 404
uri:
url: "{{ nexus_url }}/repositories/{{ item }}"
force_basic_auth: true
method: DELETE
user: 'admin'
password: "{{ nexus_admin_password }}"
status_code: [200, 204, 404]
register: _result
loop:
- maven-central
- maven-public
- maven-releases
- maven-snapshots
- nuget-group
- nuget-hosted
- nuget.org-proxy
changed_when: _result.status == 200 or _result.status == 204
- name: Create repositories
include_tasks: subtasks/nexus-repository.yaml
loop:
- name: "{{ nexus_repository_name }}"
type: docker/hosted
- name: registry
type: docker/hosted
- name: Create roles
include_tasks: subtasks/nexus-role.yaml
loop:
- anonymous
- binder
- registry-read
- registry-write
- name: Create users
include_tasks: subtasks/nexus-user.yaml
loop:
- binder
- notebooks
- writer
- name: Check security realms
uri:
url: "{{ nexus_url }}/security/realms/active"
force_basic_auth: true
user: 'admin'
password: "{{ nexus_admin_password }}"
return_content: true
register: nexus_realms_check
- name: Update securty realms
when: &realms_changed
- '"DockerToken" not in nexus_realms_check.content'
uri:
url: "{{ nexus_url }}/security/realms/active"
force_basic_auth: true
headers:
accept: application/json
Content-Type: application/json
method: PUT
user: 'admin'
password: "{{ nexus_admin_password }}"
body: "{{ lookup('template', 'templates/nexus-realms.yaml') | from_yaml }}"
body_format: json
status_code: [200, 204]
changed_when: *realms_changed
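Review bot: The "Get initial admin password" task registers the bootstrap admin password in `nexus_admin_password_initial` and the following "Set the admin password" task sends the new one as the request `body`, yet neither task sets `no_log: true`, so both secrets end up in verbose or failed-task output (the uri module treats `password` as a no_log parameter, but `body` is not masked); add `no_log: true` to both tasks. The `-it` flags on the `kubectl exec` in that shell task request a TTY that a non-interactive Ansible task cannot provide, so `-i`/`-t` can be dropped. Two smaller style points: "Check the admin password" writes `status_code: 200, 401` and relies on string-to-list coercion while every other task uses list form, so `status_code: [200, 401]`; and `mode: 0600` on the template task is an unquoted octal that ansible-lint's risky-octal rule prefers as `mode: "0600"`. The `when: true` lines on the two kubectl tasks are no-ops and can go, and the task name `Update securty realms` has a typo.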
---
- name: Check repository {{ item.name }}
uri:
url: "{{ nexus_url }}/repositories/{{ item.type }}/{{ item.name }}"
force_basic_auth: true
user: 'admin'
password: "{{ nexus_admin_password }}"
status_code: [200, 404]
register: nexus_repository_check
- name: Create repository {{ item.name }}
when: &repository_created
- nexus_repository_check.status == 404
uri:
url: "{{ nexus_url }}/repositories/{{ item.type }}"
force_basic_auth: true
method: POST
user: 'admin'
password: "{{ nexus_admin_password }}"
body: "{{ lookup('template', 'templates/nexus-repository-' + item.name + '.yaml') | from_yaml }}"
body_format: json
status_code: [200, 201]
changed_when: *repository_created
---
- name: Check role {{ item }}
uri:
url: "{{ nexus_url }}/security/roles/{{ item }}"
force_basic_auth: true
user: 'admin'
password: "{{ nexus_admin_password }}"
status_code: [200, 404]
register: nexus_role_check
- name: Create role {{ item }}
when: &role_created
- nexus_role_check.status == 404
uri:
url: "{{ nexus_url }}/security/roles"
force_basic_auth: true
method: POST
user: 'admin'
password: "{{ nexus_admin_password }}"
body: "{{ lookup('template', 'templates/nexus-role-' + item + '.yaml') | from_yaml }}"
body_format: json
status_code: [200, 201]
changed_when: *role_created
---
- name: Check user {{ item }}
uri:
url: "{{ nexus_url }}/security/users?userId={{ item }}"
force_basic_auth: true
user: 'admin'
password: "{{ nexus_admin_password }}"
return_content: true
status_code: [200, 404]
register: nexus_user_check
- name: Create user {{ item }}
when: &user_created
- item not in nexus_user_check.content
uri:
url: "{{ nexus_url }}/security/users"
force_basic_auth: true
headers:
accept: application/json
Content-Type: application/json
method: POST
user: 'admin'
password: "{{ nexus_admin_password }}"
body: "{{ lookup('template', 'templates/nexus-user-' + item + '.yaml') | from_yaml }}"
body_format: json
status_code: [200, 201]
changed_when: *user_created
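Review bot: The `when` on "Create user" tests `item not in nexus_user_check.content`, which is a substring match over the raw JSON of the user search rather than a check on `userId`, so a name that appears elsewhere in that payload (a role name, or another userId that contains it) makes the task skip even though the user does not exist; since the check uses `return_content: true`, the parsed body should be available as `nexus_user_check.json` if the response is JSON, and the condition can be `item not in (nexus_user_check.json | map(attribute='userId') | list)`. The user is also never updated once it exists, so a password rotated in Vault is not pushed to Nexus; a comment on the task saying that is intended, or an update branch, would make the behaviour explicit.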
# export the NFS directory to all the cluster members
/exports {% for host in groups['allnodes'] -%}{{ host }}(rw,async,no_root_squash,no_subtree_check) {% endfor -%}
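Review bot: The export line grants `rw,no_root_squash` to every host in `groups['allnodes']`, which lets root on any cluster node write into `/exports` as root, so one compromised node can alter or plant files for every consumer of the share; if the workloads do not need root-owned writes, the default `root_squash` is the safer export, otherwise a comment stating why root access is required, `# no_root_squash: required because <reason>`, would help the next maintainer. `async` additionally acknowledges writes before they reach disk, so a server crash can lose data a client already considers committed.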
---
name: {{ nexus_blobstore_name }}
# CESNET OpenStack - container object storage
# bucketConfiguration:
# bucket:
# name: binder-repository
# expiration: 3
# region: storage
# bucketSecurity:
# accessKeyId: XXXX
# secretAccessKey: XXXX
# advancedBucketConnection:
# endpoint: https://object-store.cloud.muni.cz
# forcePathStyle: true
# default
path: default
---
- NexusAuthenticatingRealm
- DockerToken
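Review bot: This list is sent as the complete active-realm set by the realms PUT in the playbook, so any realm enabled outside the playbook (for example one switched on in the UI) is deactivated the next time `DockerToken` is found missing; a comment above the list, `# authoritative list of active realms — the PUT replaces whatever is currently enabled`, would make that explicit. It is also worth confirming against the deployed Nexus version that no realm it activates by default is being dropped by this list.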
---
name: {{ nexus_repository_name }}
online: true
storage:
blobStoreName: {{ nexus_blobstore_name }}
strictContentTypeValidation: true
writePolicy: allow
docker:
v1Enabled: false
# basic-auth worked only with binder 0.2.0-n577.h14cc6c7 + jupyterhub 0.11.1
forceBasicAuth: false
httpPort: {{ nexus_docker_port }}
---
name: registry
online: true
storage:
blobStoreName: {{ nexus_blobstore_name }}
strictContentTypeValidation: true
writePolicy: allow
docker:
v1Enabled: false
forceBasicAuth: true
httpPort: {{ nexus_docker_port + 1 }}
---
id: anonymous
name: anonymous
description: Anonymous Role for Notebooks repository manager
# only explicit repository read roles to avoid access to the internal repository
privileges:
- nx-healthcheck-read
- nx-repository-view-docker-{{ nexus_repository_name }}-browse
- nx-repository-view-docker-{{ nexus_repository_name }}-read
- nx-search-read
---
id: binder
name: binder
description: EGI Notebooks Binder
privileges:
- nx-repository-view-docker-{{ nexus_repository_name }}-add
- nx-repository-view-docker-{{ nexus_repository_name }}-edit
- nx-repository-view-docker-{{ nexus_repository_name }}-read
roles:
- anonymous
---
id: registry-read
name: registry-read
description: EGI Notebooks internal repositories read access
privileges:
- nx-repository-view-docker-registry-browse
- nx-repository-view-docker-registry-read
---
id: registry-write
name: registry-write
description: EGI Notebooks internal repositories write access
privileges:
- nx-repository-view-docker-registry-add
- nx-repository-view-docker-registry-browse
- nx-repository-view-docker-registry-delete
- nx-repository-view-docker-registry-edit
- nx-repository-view-docker-registry-read
---
userId: binder
firstName: EGI
lastName: Binder
emailAddress: valtri@civ.zcu.cz
password: {{ nexus_binder_password }}
status: active
roles:
- binder
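Review bot: `password: {{ nexus_binder_password }}` embeds the Vault secret as a plain YAML scalar, so a password containing `: `, ` #`, a leading `*`, `&`, `[` or `{`, or one that looks numeric or boolean is mis-parsed or retyped by `from_yaml` before it reaches the API; render it as a JSON string, `password: {{ nexus_binder_password | to_json }}`, which yields a correctly escaped double-quoted scalar (a plain `"{{ ... }}"` would still break on `"` or `\`). The notebooks and writer user templates below have the same issue.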
---
userId: notebooks
firstName: EGI
lastName: Notebooks
emailAddress: valtri@civ.zcu.cz
password: {{ nexus_notebooks_password }}
status: active
roles:
- registry-read
---
userId: writer
firstName: EGI
lastName: Writer
emailAddress: valtri@civ.zcu.cz
password: {{ nexus_writer_password }}
status: active
roles:
- registry-write
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ name }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nexus-pvc
namespace: {{ name }}
labels:
app: sonatype-nexus
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 500Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nexus
namespace: {{ name }}
labels:
app: sonatype-nexus
spec:
replicas: 1
selector:
matchLabels:
app: sonatype-nexus
template:
metadata:
labels:
app: sonatype-nexus
spec:
containers:
- image: sonatype/nexus3
imagePullPolicy: Always
name: nexus
ports:
- containerPort: 8081
- containerPort: {{ nexus_docker_port }}
- containerPort: {{ nexus_docker_port + 1 }}
resources:
limits:
cpu: 4
volumeMounts:
- mountPath: /nexus-data
name: nexus-data-volume
volumes:
- name: nexus-data-volume
persistentVolumeClaim:
claimName: nexus-pvc
---
apiVersion: v1
kind: Service
metadata:
name: nexus
namespace: {{ name }}
spec:
ports:
- port: 80
targetPort: 8081
protocol: TCP
name: http
- port: 5000
targetPort: {{ nexus_docker_port }}
protocol: TCP
name: docker-container-notebooks
- port: 5001
targetPort: {{ nexus_docker_port + 1 }}
protocol: TCP
name: docker-repository
selector:
app: sonatype-nexus
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nexus-ingress
namespace: nexus
annotations:
kubernetes.io/ingress.class: "nginx"
kubernetes.io/tls-acme: "true"
ingress.kubernetes.io/proxy-body-size: 100m
nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-next-upstream-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-request-buffering: "on"
spec:
tls:
- hosts:
- {{ nexus_hostname }}
- {{ docker_hostname }}
- {{ docker2_hostname }}
secretName: acme-tls-{{ name }}
rules:
- host: {{ nexus_hostname }}
http:
paths:
- backend:
service:
name: nexus
port:
number: 80
path: /
pathType: Prefix
- host: {{ docker_hostname }}
http:
paths:
- backend:
service:
name: nexus
port:
number: 5000
path: /
pathType: Prefix
- host: {{ docker2_hostname }}
http:
paths:
- backend:
service:
name: nexus
port:
number: 5001
path: /
pathType: Prefix
# direct access without nginx layer and SSL (for debugging)
# ---
# apiVersion: v1
# kind: Service
# metadata:
# name: nexus-repository-direct
# namespace: {{ name }}
# spec:
# type: NodePort
# selector:
# app: sonatype-nexus
# ports:
# - port: 5002
# targetPort: {{ nexus_docker_port + 1 }}
# protocol: TCP
# nodePort: 31444
# externalIPs: {{ groups['ingress'] }}
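Review bot: The Deployment's container uses `image: sonatype/nexus3` with no tag together with `imagePullPolicy: Always`, so every pod restart pulls whatever `latest` currently resolves to for the service that stores the cluster's images and credentials; pin a tag or digest, `image: sonatype/nexus3:<VERSION-OR-DIGEST>`, and bump it deliberately (the playbook already names 3.33.0-01 as the version being worked around). The Ingress hard-codes `namespace: nexus` while every other object uses `namespace: {{ name }}`, so changing `name` leaves the Ingress pointing at a Service in a different namespace; use `namespace: {{ name }}` there as well. `ingress.kubernetes.io/proxy-body-size: 100m` uses a different annotation prefix from the other `nginx.ingress.kubernetes.io/` annotations, so unless the controller is configured with that prefix the 100m limit is probably ignored and large layer uploads fall back to the controller default. With `replicas: 1` on a ReadWriteOnce PVC a rolling update can leave the new pod waiting for the volume; `strategy: {type: Recreate}` under the Deployment `spec` avoids that.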
../../cesnet-central/playbooks/files/calico.yaml
\ No newline at end of file
../../cesnet-central/playbooks/files/helm_repos.fact
\ No newline at end of file
../../cesnet-central/playbooks/files/k8s-cheats.sh
\ No newline at end of file