From aab86c0f61723efa520c9aac10ed4c2f0000a3f5 Mon Sep 17 00:00:00 2001 From: Norman Johnson Date: Tue, 6 Aug 2024 16:13:45 -0400 Subject: [PATCH 01/15] enhance overlay ordering controls --- roles/vdm/library/overlay_facts.py | 26 ++++++++------------ roles/vdm/library/siteconfig_info.py | 18 ++++++++------ roles/vdm/tasks/kustomize.yaml | 16 +++--------- roles/vdm/templates/kustomization.yaml | 34 ++++++-------------------- 4 files changed, 32 insertions(+), 62 deletions(-) diff --git a/roles/vdm/library/overlay_facts.py b/roles/vdm/library/overlay_facts.py index 74cc039b..160f882c 100644 --- a/roles/vdm/library/overlay_facts.py +++ b/roles/vdm/library/overlay_facts.py @@ -13,6 +13,7 @@ def main(): "existing": {"required": True, "type": dict}, "cadence_number": {"default": "0.0.0", "type": str}, "cadence_name": {"default": "lts", "type": str}, + "customizations": {"default": {}, "type": dict} } results = dict( @@ -42,8 +43,7 @@ def main(): if ((existingVersion < minVersion) and module.params["cadence_name"].lower() != "fast") or (existingVersion > maxVersion): continue - priority = str(overlay.setdefault("priority", 1)) - phase = "pre" if int(priority) < 50 else "post" + priority = str(overlay.setdefault("priority", 10)) overlay.pop("priority", None) overlay_type = list(overlay.keys())[0] 
@@ -52,24 +52,18 @@ def main(): overlay_path = os.path.join(folderPath, overlay[overlay_type]) module.params['existing'].setdefault(overlay_type, {}) - module.params['existing'][overlay_type].setdefault(phase, {}) + module.params['existing'][overlay_type].setdefault(priority, []) - if priority in module.params['existing'][overlay_type][phase]: - if overlay_path not in module.params['existing'][overlay_type][phase][priority]: - module.params['existing'][overlay_type][phase][priority].append(overlay_path) - else: - module.params['existing'][overlay_type][phase].update({priority: [overlay_path]}) + # duplicate check + if overlay_path not in module.params['existing'][overlay_type][priority]: + module.params['existing'][overlay_type][priority].append(overlay_path) results['ansible_facts'] = {"vdm_overlays": module.params['existing']} module.exit_json(**results) - else: - for resource_type, phases in module.params['existing'].items(): - results['result'][resource_type] = {} - for phase in phases: - results['result'][resource_type][phase] = [] - for priority in sorted(module.params['existing'][resource_type][phase]): - results['result'][resource_type][phase] += module.params['existing'][resource_type][phase][priority] - module.exit_json(**results) + # else: + # results['result'] = set(module.params['existing']).union(module.params['customizations']['overlays']) + # module.fail_json(results) + # module.exit_json(**results) except Exception as e: module.fail_json(error=e, msg="Error occurred") raise diff --git a/roles/vdm/library/siteconfig_info.py b/roles/vdm/library/siteconfig_info.py index 01304793..1b5baaaf 100644 --- a/roles/vdm/library/siteconfig_info.py +++ b/roles/vdm/library/siteconfig_info.py @@ -6,6 +6,7 @@ import glob import yaml import os +import re from enum import Enum, auto class Overlay(Enum): 
@@ -16,15 +17,17 @@ class Overlay(Enum): TRANSFORMER = "transformers" class siteConfig(object): - def __init__(self, basedir): - self._overlays = dict() + def __init__(self, basedir, _overlays): + self._overlays = _overlays self._basedir = os.path.join(basedir, '') def add_overlays(self, overlay_type: Overlay, config: str): - if overlay_type.value in self._overlays: - self._overlays[overlay_type.value].append(self.remove_basedir(config)) - else: - self._overlays[overlay_type.value] = [self.remove_basedir(config)] + match = re.search(r"^(\d{1,2})", os.path.basename(config)) + priority = match.group(1) if match else 50 + + self._overlays.setdefault(overlay_type.value, {}) + self._overlays[overlay_type.value].setdefault(priority, []) + self._overlays[overlay_type.value][priority].append(self.remove_basedir(config)) def get_overlays(self) -> dict: return self._overlays @@ -104,10 +107,11 @@ def main(): fields = { "path": {"required": True, "type": "str"}, "exclude": {"default": [], "type": list}, + "existing": {"default": {}, "type": dict} } module = AnsibleModule(argument_spec=fields) try: - sc = siteConfig(module.params['path']) + sc = siteConfig(module.params['path'], module.params['existing']) scFolder = os.path.join(module.params['path'], 'site-config') _, folders, _ = next(os.walk(scFolder)) for folder in folders: diff --git a/roles/vdm/tasks/kustomize.yaml b/roles/vdm/tasks/kustomize.yaml index 80f99fa0..dc3327ea 100644 --- a/roles/vdm/tasks/kustomize.yaml +++ b/roles/vdm/tasks/kustomize.yaml @@ -37,22 +37,14 @@ - name: Kustomize - Get user's customizations siteconfig_info: + existing: "{{ vdm_overlays }}" path: "{{ DEPLOY_DIR }}" exclude: - vdm - multi-tenant - sas-tenant-job - operator-deploy - register: user_customizations - tags: - - install - - uninstall - - update - -- name: Kustomize - Ordered overlays - overlay_facts: - existing: "{{ vdm_overlays }}" - register: ordered_overlays + register: unified_overlays tags: - install - uninstall 
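Review bot: In add_overlays the priority key is `match.group(1)` (a str) when the filename starts with digits but the int `50` otherwise, while overlay_facts stores its keys as `str(overlay.setdefault("priority", 10))`, so a single `_overlays[type]` dict can hold both `"10"` and `10` as distinct keys; since the module result is returned to Ansible as JSON, an int key and a str key with the same digits are emitted as duplicate members and one of the two overlay lists is silently lost. Use one representation at the point of insertion, e.g. `priority = match.group(1) if match else "50"`, and keep overlay_facts on strings too. The later commit "fail if user defined overlay is 0" in this series switches this line to `int(match.group(1))` with an int default, which makes the mismatch with overlay_facts permanent rather than resolving it. The remainder of the siteConfig class (remove_basedir, get_overlays's callers) lies outside the hunk.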
@@ -62,8 +54,8 @@ include_tasks: copy_overlay.yaml vars: resource: "{{ item.key }}" - overlays: "{{ item.value.pre | default([], true) + item.value.post | default([], true) }}" - with_dict: "{{ ordered_overlays.result }}" + overlays: "{{ item.value | default([], true) }}" + with_dict: "{{ unified_overlays['overlays'] }}" tags: - install - uninstall diff --git a/roles/vdm/templates/kustomization.yaml b/roles/vdm/templates/kustomization.yaml index 1fc802c7..e47c5496 100644 --- a/roles/vdm/templates/kustomization.yaml +++ b/roles/vdm/templates/kustomization.yaml 
@@ -3,34 +3,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1 namespace: {{ NAMESPACE }} -{% for resource in ordered_overlays.result %} +{% for resource in unified_overlays['overlays'] %} {{ resource }}: -{% if 'pre' in ordered_overlays.result[resource] and ordered_overlays.result[resource]['pre']|length > 0 %} -## vdm defined {{ resource }} (pre) -{% for overlay in ordered_overlays.result[resource]['pre'] %} -- {{ overlay |dirname }}/{{ overlay | basename | regex_replace('\\..*\\.yaml$', '.yaml') }} +{% for priority in unified_overlays['overlays'][resource]|sort %} +{% for overlay in unified_overlays['overlays'][resource][priority] %} +{% set dirname = (overlay |dirname ) %} +{% set source = 'vdm' if (dirname.startswith('sas-bases') or dirname.startswith('site-config/vdm')) else 'user' %} +- {{ dirname}}/{{ overlay | basename | regex_replace('\\..*\\.yaml$', '.yaml') }} # source: {{ source }}, priority: {{ priority }} {% endfor %} -{% endif %} -{% if resource in user_customizations.overlays %} -## user defined {{ resource }} -{% for item in user_customizations.overlays[resource]|sort %} -- {{ item }} {% endfor %} -{% endif %} -{% if 'post' in ordered_overlays.result[resource] and ordered_overlays.result[resource]['post']|length > 0 %} -## vdm defined {{ resource }} (post) -{% for overlay in ordered_overlays.result[resource]['post'] %} -- {{ overlay |dirname }}/{{ overlay | basename | regex_replace('\\..*\\.yaml$', '.yaml') }} -{% endfor %} -{% endif %} -{% endfor %} -{% if "components" not in ordered_overlays.result %} -{% if "components" in user_customizations.overlays %} -components: -## user defined components -{% for item in user_customizations.overlays['components']|sort %} -- {{ item }} -{% endfor %} -{% endif %} -{% endif %} +{% endfor %} \ No newline at end of file From fadd6c0faae4f73d35ac848febddcac16e58de2e Mon Sep 17 00:00:00 2001 
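Review bot: The basename rewrite `overlay | basename | regex_replace('\\..*\\.yaml$', '.yaml')` now runs for user-defined overlays as well, which the removed branch emitted verbatim as `- {{ item }}`; a user file named like `patch.v2.yaml` (constructed example) would be written into kustomization.yaml as `patch.yaml`, a path that may not exist or may name a different file. Restrict the rewrite to the vdm side, e.g. `{% set name = overlay | basename if source == 'user' else overlay | basename | regex_replace('\\..*\\.yaml$', '.yaml') %}` and emit `- {{ dirname }}/{{ name }}`. Separately, `unified_overlays['overlays'][resource]|sort` orders the priority keys lexicographically if they are strings, as keys of a registered module result would be, so `"5"` sorts after `"10"`; sort numerically with `{% for priority in unified_overlays['overlays'][resource] | map('int') | sort %}` and index the bucket with `[priority | string]`.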
From: Norman Johnson Date: Tue, 6 Aug 2024 16:25:00 -0400 Subject: [PATCH 02/15] remvoe unused block and variable --- roles/vdm/library/overlay_facts.py | 54 +++++++++++++----------------- 1 file changed, 24 insertions(+), 30 deletions(-) diff --git a/roles/vdm/library/overlay_facts.py b/roles/vdm/library/overlay_facts.py index 160f882c..f7dd00ac 100644 --- a/roles/vdm/library/overlay_facts.py +++ b/roles/vdm/library/overlay_facts.py @@ -13,7 +13,6 @@ def main(): "existing": {"required": True, "type": dict}, "cadence_number": {"default": "0.0.0", "type": str}, "cadence_name": {"default": "lts", "type": str}, - "customizations": {"default": {}, "type": dict} } results = dict( 
@@ -31,39 +30,34 @@ def main(): module.exit_json(**results) try: - if len(module.params['add']) > 0: - for overlay in module.params['add']: - - # Version checks - minVersion = parse_version(str(overlay.setdefault("min", "0.0.0"))) - if "max" in overlay and module.params["cadence_name"].lower() == "fast": - continue - maxVersion = parse_version(str(overlay.setdefault("max", "9999.9999.9999"))) - existingVersion = parse_version(module.params['cadence_number']) - if ((existingVersion < minVersion) and module.params["cadence_name"].lower() != "fast") or (existingVersion > maxVersion): - continue + for overlay in module.params['add']: + + # Version checks + minVersion = parse_version(str(overlay.setdefault("min", "0.0.0"))) + if "max" in overlay and module.params["cadence_name"].lower() == "fast": + continue + maxVersion = parse_version(str(overlay.setdefault("max", "9999.9999.9999"))) + existingVersion = parse_version(module.params['cadence_number']) + if ((existingVersion < minVersion) and module.params["cadence_name"].lower() != "fast") or (existingVersion > maxVersion): + continue - priority = str(overlay.setdefault("priority", 10)) - overlay.pop("priority", None) - overlay_type = list(overlay.keys())[0] + priority = str(overlay.setdefault("priority", 10)) + overlay.pop("priority", None) + overlay_type = list(overlay.keys())[0] - # set correct path for vdm or sas-bases patches - folderPath = os.path.join("site-config/vdm", overlay_type) if bool(overlay.setdefault("vdm", False)) else "sas-bases/" - overlay_path = os.path.join(folderPath, overlay[overlay_type]) - - module.params['existing'].setdefault(overlay_type, {}) - module.params['existing'][overlay_type].setdefault(priority, []) + # set correct path for vdm or sas-bases patches + folderPath = os.path.join("site-config/vdm", overlay_type) if bool(overlay.setdefault("vdm", False)) else "sas-bases/" + overlay_path = os.path.join(folderPath, overlay[overlay_type]) + + 
module.params['existing'].setdefault(overlay_type, {}) + module.params['existing'][overlay_type].setdefault(priority, []) - # duplicate check - if overlay_path not in module.params['existing'][overlay_type][priority]: - module.params['existing'][overlay_type][priority].append(overlay_path) + # duplicate check + if overlay_path not in module.params['existing'][overlay_type][priority]: + module.params['existing'][overlay_type][priority].append(overlay_path) - results['ansible_facts'] = {"vdm_overlays": module.params['existing']} - module.exit_json(**results) - # else: - # results['result'] = set(module.params['existing']).union(module.params['customizations']['overlays']) - # module.fail_json(results) - # module.exit_json(**results) + results['ansible_facts'] = {"vdm_overlays": module.params['existing']} + module.exit_json(**results) except Exception as e: module.fail_json(error=e, msg="Error occurred") raise From 66e1bb46b191d1885a761f874f98bd1dc650bc7b Mon Sep 17 00:00:00 2001 From: Norman Johnson Date: Tue, 6 Aug 2024 16:41:56 -0400 Subject: [PATCH 03/15] fix vdm copy overlays --- roles/vdm/tasks/kustomize.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/vdm/tasks/kustomize.yaml b/roles/vdm/tasks/kustomize.yaml index dc3327ea..1d032b44 100644 --- a/roles/vdm/tasks/kustomize.yaml +++ b/roles/vdm/tasks/kustomize.yaml @@ -54,7 +54,7 @@ include_tasks: copy_overlay.yaml vars: resource: "{{ item.key }}" - overlays: "{{ item.value | default([], true) }}" + overlays: "{{ item.value.values() | default([], true) }}" with_dict: "{{ unified_overlays['overlays'] }}" tags: - install From b1756f93d5ebd42c7f650940edf194df17c8a4b3 Mon Sep 17 00:00:00 2001 From: Norman Johnson Date: Wed, 7 Aug 2024 09:54:06 -0400 Subject: [PATCH 04/15] fail if user defined overlay is 0 --- roles/vdm/library/siteconfig_info.py | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) 
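Review bot: `item.value.values()` yields one list per priority bucket, so `overlays` becomes a list of lists rather than a flat list of paths; copy_overlay.yaml is not part of this diff, so I cannot confirm it flattens its input. If it does not, pass `overlays: "{{ item.value.values() | flatten(levels=1) | default([], true) }}"`, which is the shape the later add_if_exists.yaml in this series expects.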
diff --git a/roles/vdm/library/siteconfig_info.py b/roles/vdm/library/siteconfig_info.py index 1b5baaaf..a491d4ba 100644 --- a/roles/vdm/library/siteconfig_info.py +++ b/roles/vdm/library/siteconfig_info.py @@ -17,14 +17,19 @@ class Overlay(Enum): TRANSFORMER = "transformers" class siteConfig(object): - def __init__(self, basedir, _overlays): - self._overlays = _overlays + def __init__(self, basedir, overlays, fail_json): + self._overlays = overlays self._basedir = os.path.join(basedir, '') + self._fail_json = fail_json def add_overlays(self, overlay_type: Overlay, config: str): match = re.search(r"^(\d{1,2})", os.path.basename(config)) - priority = match.group(1) if match else 50 - + priority = 50 + if match: + if int(match.group(1)) == 0: + self._fail_json(f"User defined overlay cannot be priority 0, {config}") + else: + priority = int(match.group(1)) self._overlays.setdefault(overlay_type.value, {}) self._overlays[overlay_type.value].setdefault(priority, []) self._overlays[overlay_type.value][priority].append(self.remove_basedir(config)) @@ -111,7 +116,7 @@ def main(): } module = AnsibleModule(argument_spec=fields) try: - sc = siteConfig(module.params['path'], module.params['existing']) + sc = siteConfig(module.params['path'], module.params['existing'], module.fail_json) scFolder = os.path.join(module.params['path'], 'site-config') _, folders, _ = next(os.walk(scFolder)) for folder in folders: From 665d8bd061e85f71e2a0203e17adcae1a9c433fd Mon Sep 17 00:00:00 2001 
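Review bot: The regex `^(\d{1,2})` has no boundary after the digits, so a filename such as `100-patch.yaml` (constructed) is accepted with priority 10 and `2024-notes.yaml` with priority 20, while only an explicit 0 is rejected; anchor the capture with `^(\d{1,2})(?!\d)` so longer numeric prefixes fall back to the default or are reported. After `self._fail_json(...)` the method falls through and still appends the overlay at priority 50, which is harmless only because AnsibleModule.fail_json exits the process; add `return` after the call so the injected-callable design is safe when something other than fail_json is passed. The `fail_json` callable is passed positionally with only a message; AnsibleModule.fail_json takes `msg` as its first argument, so this works, but naming it (`self._fail_json(msg=...)`) makes the contract explicit.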
From: Norman Johnson Date: Thu, 12 Sep 2024 10:56:29 -0400 Subject: [PATCH 05/15] basic ocp support --- docs/CONFIG-VARS.md | 27 +++- roles/vdm/defaults/main.yaml | 14 ++ roles/vdm/library/overlay_facts.py | 2 +- roles/vdm/tasks/cas.yaml | 14 +- roles/vdm/tasks/connect.yaml | 2 +- roles/vdm/tasks/helpers/add_if_exists.yaml | 56 +++++++ .../vdm/tasks/{ => helpers}/copy_overlay.yaml | 0 roles/vdm/tasks/kustomize.yaml | 4 +- roles/vdm/tasks/main.yaml | 33 ++-- roles/vdm/tasks/message_broker.yaml | 2 +- roles/vdm/tasks/mirror.yaml | 6 +- roles/vdm/tasks/openshift.yaml | 142 ++++++++++++++++++ .../tasks/postgres/gcp-cloud-sql-proxy.yaml | 2 +- .../vdm/tasks/postgres/postgres-instance.yaml | 12 +- .../postgres-multi-tenant-config.yaml | 12 +- roles/vdm/tasks/postgres/postgres.yaml | 14 +- roles/vdm/tasks/start_stop.yaml | 2 +- roles/vdm/tasks/storage.yaml | 12 +- roles/vdm/tasks/tls.yaml | 97 ++++++++---- roles/vdm/tasks/workload_orchestrator.yaml | 4 +- roles/vdm/templates/copy_if_exists.yaml.j2 | 14 ++ .../templates/resources/cas-server-scc.yaml | 43 ++++++ ...openssl-generated-ingress-certificate.yaml | 7 +- .../vdm/templates/resources/pyconfig-scc.yaml | 41 +++++ .../templates/resources/sas-watchdog-scc.yaml | 43 ++++++ .../scc-sas-airflow-create-user-job.yaml | 126 ++++++++++++++++ .../resources/scc-sas-cas-server.yaml | 28 ++++ .../resources/scc-sas-connect-spawner.yaml | 28 ++++ .../resources/scc-sas-esp-project.yaml | 28 ++++ .../scc-sas-microanalytic-score.yaml | 28 ++++ .../scc-sas-model-publish-kaniko.yaml | 28 ++++ .../resources/scc-sas-model-repository.yaml | 28 ++++ .../scc-sas-programming-environment.yaml | 28 ++++ .../templates/resources/scc-sas-pyconfig.yaml | 28 ++++ .../templates/resources/scc-sas-watchdog.yaml | 28 ++++ roles/vdm/vars/main.yaml | 34 ++++- 36 files changed, 928 insertions(+), 89 deletions(-) create mode 100644 roles/vdm/tasks/helpers/add_if_exists.yaml rename roles/vdm/tasks/{ => helpers}/copy_overlay.yaml (100%) create mode 100644 
roles/vdm/tasks/openshift.yaml create mode 100644 roles/vdm/templates/copy_if_exists.yaml.j2 create mode 100644 roles/vdm/templates/resources/cas-server-scc.yaml create mode 100644 roles/vdm/templates/resources/pyconfig-scc.yaml create mode 100644 roles/vdm/templates/resources/sas-watchdog-scc.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-airflow-create-user-job.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-cas-server.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-connect-spawner.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-esp-project.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-microanalytic-score.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-model-publish-kaniko.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-model-repository.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-programming-environment.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-pyconfig.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-watchdog.yaml diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md index 32374f66..53d1cb0f 100644 --- a/docs/CONFIG-VARS.md +++ b/docs/CONFIG-VARS.md @@ -26,6 +26,7 @@ Supported configuration variables are listed in the table below. All variables - [CONNECT](#connect) - [Workload Orchestrator](#workload-orchestrator) - [Miscellaneous](#miscellaneous) + - [Openshift](#openshift) - [Third-Party Tools](#third-party-tools) - [Cert-manager](#cert-manager) - [Cluster Autoscaler](#cluster-autoscaler) @@ -35,6 +36,7 @@ Supported configuration variables are listed in the table below. All variables - [NFS Client](#nfs-client) - [Postgres NFS Client](#postgres-nfs-client) + ## BASE | Name | Description | Type | Default | Required | Notes | Tasks | 
@@ -359,6 +361,29 @@ Notes: - For example, defining `V4_CFG_VIYA_STOP_SCHEDULE` and not `V4_CFG_VIYA_START_SCHEDULE` will result in a Viya stop job that runs on a schedule and a suspended Viya start job that you will be able to manually trigger. - Defining both `V4_CFG_VIYA_START_SCHEDULE` and `V4_CFG_VIYA_STOP_SCHEDULE` will result in a non-suspended Viya start and stop job that runs on the schedule you defined. +## Openshift + +This tool has basic support for Openshift. It will configure routes, TLS, remove seccomp profile, and can **optionally** setup SecurityContextConstraints (SCC) and dependant RBAC permissions. + +Notes: + - must be set to "route" + - This tool does **not** handle the configurations needed for sas-opendistro or OpenSearch needed when running on Openshift. + +| Name | Description | Type | Default | Required | Notes | Tasks | +| :--- | ---: | ---: | ---: | ---: | ---: | ---: | +| V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED | Globally setting to enable SCC configuration and dependent RBAC creation | bool | false | false | Can be overridden with individual settings below | viya | +| V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE | CAS server mode | string | standard | false | Supported values: [`standard`, `sssd`, `host`] | viya | +| V4_CFG_OPENSHIFT_SCC_AIRFLOW | Configure SCC and dependent RBAC for sas-airflow | bool | | false | Only applicable if deployment includes SAS Airflow | viya | +| V4_CFG_OPENSHIFT_SCC_ESP_PROJECT | Configure SCC and dependent RBAC for sas-esp-project | bool | | false | Only applicable if deployment includes SAS Event Stream Processing | viya | +| V4_CFG_OPENSHIFT_SCC_MICROANALYTIC_SCORE | Configure SCC and dependent RBAC for sas-microanalytic-score | bool | | false | Only applicable if deployment includes SAS Microanalytic Score | viya | +| V4_CFG_OPENSHIFT_SCC_MODEL_PUBLISH_KANIKO | Configure SCC and dependent RBAC for sas-model-publish-kaniko | bool | | false | Required to be set to **true** if you plan to publish models with SAS 
Model Manager or SAS Intelligent Decisioning to containers using kaniko | viya | +| V4_CFG_OPENSHIFT_SCC_MODEL_REPOSITORY | Configure SCC and dependent RBAC for sas-model-repository | bool | | false | Only applicable if deployment includes SAS Model Repository | viya | +| V4_CFG_OPENSHIFT_SCC_PYCONFIG | Configure SCC and dependent RBAC for sas-pyconfig | bool | | false | | viya | +| V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT | Configure SCC and dependent RBAC for sas-programming-environment | bool | | false | This or should be set true but not both | viya | +| V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT_HOSTPATH | Does this deployment use hostPath volume mounts | bool | false | false | | viya | +| V4_CFG_OPENSHIFT_SCC_CONNECT_SPAWNER | Configure SCC and dependent RBAC for sas-connect-spawner | bool | | false | Required to be set to **true** only if you intend to launch your SAS/CONNECT servers in the Spawner pod, rather than in their own pods | viya | +| V4_CFG_OPENSHIFT_SCC_WATCHDOG | Configure SCC and dependent RBAC for sas-watchdog | bool | false | false | This or should be set true but not both.
Required to be set to **true** if you are deploying SAS Watchdog | viya | + ## Third-Party Tools ### Cert-manager @@ -450,4 +475,4 @@ The Postgres NFS client is currently supported by the nfs-subdir-external-provis | PG_NFS_CLIENT_CHART_URL | nfs-subdir-external-provisioner Helm chart URL | string | Go [here](https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/) for more information. | false | | baseline | | PG_NFS_CLIENT_CHART_NAME | nfs-subdir-external-provisioner Helm chart name | string | nfs-subdir-external-provisioner | false | | baseline | | PG_NFS_CLIENT_CHART_VERSION | nfs-subdir-external-provisioner Helm chart version | string | 4.0.18| false | | baseline | -| PG_NFS_CLIENT_CONFIG | nfs-subdir-external-provisioner Helm values | string | See [this file](../roles/baseline/defaults/main.yml) for more information. | false | | baseline | +| PG_NFS_CLIENT_CONFIG | nfs-subdir-external-provisioner Helm values | string | See [this file](../roles/baseline/defaults/main.yml) for more information. | false | | baseline | \ No newline at end of file diff --git a/roles/vdm/defaults/main.yaml b/roles/vdm/defaults/main.yaml index 38cddcc6..2110f525 100644 --- a/roles/vdm/defaults/main.yaml +++ b/roles/vdm/defaults/main.yaml 
@@ -114,3 +114,17 @@ V4_CFG_MESSAGE_BROKER_PASSWORD: null ## SAS Workload Orchestrator V4_WORKLOAD_ORCHESTRATOR_ENABLED: true + +## Openshift +V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED: false +V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE: standard # standard, ssd, host +V4_CFG_OPENSHIFT_SCC_AIRFLOW: "{{ V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED }}" +V4_CFG_OPENSHIFT_SCC_ESP_PROJECT: "{{ V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED }}" +V4_CFG_OPENSHIFT_SCC_MICROANALYTIC_SCORE: "{{ V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED }}" +V4_CFG_OPENSHIFT_SCC_MODEL_PUBLISH_KANIKO: "{{ V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED }}" +V4_CFG_OPENSHIFT_SCC_MODEL_REPOSITORY: "{{ V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED }}" +V4_CFG_OPENSHIFT_SCC_PYCONFIG: "{{ V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED }}" +V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT: "{{ V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED if not V4_CFG_OPENSHIFT_SCC_WATCHDOG else false }}" +V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT_HOSTPATH: false +V4_CFG_OPENSHIFT_SCC_CONNECT_SPAWNER: false +V4_CFG_OPENSHIFT_SCC_WATCHDOG: false \ No newline at end of file diff --git a/roles/vdm/library/overlay_facts.py b/roles/vdm/library/overlay_facts.py index f7dd00ac..3f496ff1 100644 --- a/roles/vdm/library/overlay_facts.py +++ b/roles/vdm/library/overlay_facts.py @@ -46,7 +46,7 @@ def main(): overlay_type = list(overlay.keys())[0] # set correct path for vdm or sas-bases patches - folderPath = os.path.join("site-config/vdm", overlay_type) if bool(overlay.setdefault("vdm", False)) else "sas-bases/" + folderPath = "sas-bases/" if ("/" in overlay[overlay_type] or overlay[overlay_type] == "base") else os.path.join("site-config/vdm", overlay_type) overlay_path = os.path.join(folderPath, overlay[overlay_type]) module.params['existing'].setdefault(overlay_type, {}) diff --git a/roles/vdm/tasks/cas.yaml b/roles/vdm/tasks/cas.yaml index 698e0651..3a86efc2 100644 --- a/roles/vdm/tasks/cas.yaml +++ b/roles/vdm/tasks/cas.yaml 
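Review bot: The inline comment on `V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE: standard # standard, ssd, host` lists `ssd`, but the CONFIG-VARS.md table in this commit and the cas.yaml sssd sidecar use `sssd`; write `# standard, sssd, host` so the comment does not invite a mode name that the `openshift_cas_scc_map` lookup in openshift.yaml presumably does not contain. The docs table also shows no default for V4_CFG_OPENSHIFT_SCC_CONNECT_SPAWNER while this file sets `false`; one of the two should be corrected so the documented and actual defaults agree.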
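Review bot: The new `folderPath` expression decides between sas-bases and the role's vdm templates solely from whether the overlay name contains `/` or equals `base`, replacing the explicit `vdm: true` flag that the cas, connect, kustomize, main, message_broker and mirror hunks in this commit drop; any vdm template kept in a subdirectory, or a sas-bases file referenced by a bare filename, is now routed to the wrong tree with no error. Keep the flag as an explicit override when present: `vdm_flag = overlay.pop("vdm", None)`, `is_base = "/" in overlay[overlay_type] or overlay[overlay_type] == "base"`, `folderPath = "sas-bases/" if (vdm_flag is False or (vdm_flag is None and is_base)) else os.path.join("site-config/vdm", overlay_type)`. Popping the key also matters because `overlay_type = list(overlay.keys())[0]` (context line above the hunk) takes the first remaining key, so a task file not updated in this commit that still writes `vdm: true` before the type key would, I believe, be mis-typed as `vdm`.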
@@ -39,8 +39,8 @@ existing: "{{ vdm_overlays }}" add: - { transformers: overlays/cas-server/cas-sssd-sidecar.yaml, priority: 0 } - - { transformers: cas-sssd.yaml, vdm: true } - - { generators: sas-sssd-config.yaml, vdm: true } + - { transformers: cas-sssd.yaml } + - { generators: sas-sssd-config.yaml } - name: CAS - backup controller overlay_facts: @@ -48,7 +48,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: cas-manage-backup.yaml, vdm: true } + - { transformers: cas-manage-backup.yaml } when: - V4_CFG_CAS_ENABLE_BACKUP_CONTROLLER tags: @@ -77,7 +77,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: cas-manage-cpu-and-memory.yaml, vdm: true } + - { transformers: cas-manage-cpu-and-memory.yaml } when: - V4_CFG_CAS_RAM is not none - V4_CFG_CAS_CORES is not none @@ -92,7 +92,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: cas-manage-workers.yaml, vdm: true } + - { transformers: cas-manage-workers.yaml } when: - V4_CFG_CAS_WORKER_COUNT |int > 1 tags: @@ -106,7 +106,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: cas-enable-external-services.yaml, vdm: true } + - { transformers: cas-enable-external-services.yaml } when: - V4_CFG_CAS_ENABLE_LOADBALANCER tags: @@ -120,7 +120,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: cas-auto-restart.yaml, vdm: true, min: "2021.2" } + - { transformers: cas-auto-restart.yaml, min: "2021.2" } when: - V4_DEPLOYMENT_OPERATOR_ENABLED - V4_CFG_CAS_ENABLE_AUTO_RESTART diff --git a/roles/vdm/tasks/connect.yaml b/roles/vdm/tasks/connect.yaml index 6c235f45..59726750 100644 --- a/roles/vdm/tasks/connect.yaml +++ b/roles/vdm/tasks/connect.yaml 
@@ -8,7 +8,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: sas-connect-spawner-enable-loadbalancer.yaml, vdm: true } + - { resources: sas-connect-spawner-enable-loadbalancer.yaml } when: - V4_CFG_CONNECT_ENABLE_LOADBALANCER tags: diff --git a/roles/vdm/tasks/helpers/add_if_exists.yaml b/roles/vdm/tasks/helpers/add_if_exists.yaml new file mode 100644 index 00000000..968fb1ba --- /dev/null +++ b/roles/vdm/tasks/helpers/add_if_exists.yaml @@ -0,0 +1,56 @@ +# Copyright © 2020-2024, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 + +--- +- name: Check if file exists - {{ resource }} + stat: + path: "{{ DEPLOY_DIR }}/sas-bases/{{ resource }}" + register: resource_check + tags: + - install + - uninstall + - update + +- block: + - set_fact: + copy_overlay_item: "{{ lookup('template', 'copy_if_exists.yaml.j2') | from_yaml }}" + loop : "{{ overlays |flatten(levels=1) }}" + register: copy_overlay_result + + - set_fact: + copy_overlays: "{{ copy_overlay_result.results | map(attribute='ansible_facts.copy_overlay_item') | list }}" + tags: + - install + - uninstall + - update + + - copy: + src: "{{ DEPLOY_DIR }}/sas-bases/{{ item.path }}" + dest: "{{ role_path }}/templates/{{ item.type }}/" + mode: "0660" + with_items: + - "{{ copy_overlays }}" + when: "item.path.startswith('examples')" + tags: + - install + - uninstall + - update + + - overlay_facts: + cadence_name: "{{ V4_CFG_CADENCE_NAME }}" + cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" + existing: "{{ vdm_overlays }}" + add: + - "{{ [[item.type, item.filename], ['priority', item.priority]] | community.general.dict }}" + with_items: + - "{{ copy_overlays }}" + tags: + - install + - uninstall + - update + + when: resource_check.stat.exists + tags: + - install + - uninstall + - update \ No newline at end of file 
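Review bot: The `overlay_facts` task registers `item.filename` without checking that a template of that name exists under the role, so a mistyped overlay reference only fails later when kustomize runs; openshift.yaml in this commit references `scc-esp-project.yaml` while the diffstat creates `scc-sas-esp-project.yaml`, which this helper would accept silently. A `stat` on `{{ role_path }}/templates/{{ item.type }}/{{ item.filename }}` with `failed_when: not ... .stat.exists` before the overlay_facts task would surface that at deploy time. Note also that the `copy` task writes files from `{{ DEPLOY_DIR }}/sas-bases` into `{{ role_path }}/templates/{{ item.type }}/` with `mode: "0660"`, i.e. into the role's source checkout, so copies from an earlier cadence persist across runs and the checkout is no longer pristine; a per-run build directory would avoid that. Style: `loop :` parses as the `loop` key but should be written `loop:`, and the two `set_fact` tasks have no `name:`.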
diff --git a/roles/vdm/tasks/copy_overlay.yaml b/roles/vdm/tasks/helpers/copy_overlay.yaml similarity index 100% rename from roles/vdm/tasks/copy_overlay.yaml rename to roles/vdm/tasks/helpers/copy_overlay.yaml diff --git a/roles/vdm/tasks/kustomize.yaml b/roles/vdm/tasks/kustomize.yaml index 1d032b44..04a4ab13 100644 --- a/roles/vdm/tasks/kustomize.yaml +++ b/roles/vdm/tasks/kustomize.yaml @@ -29,7 +29,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: sas-deployment-buildinfo.yaml, vdm: true } + - { resources: sas-deployment-buildinfo.yaml } tags: - install - uninstall @@ -51,7 +51,7 @@ - update - name: Kustomize - Copy VDM overlays - include_tasks: copy_overlay.yaml + include_tasks: helpers/copy_overlay.yaml vars: resource: "{{ item.key }}" overlays: "{{ item.value.values() | default([], true) }}" diff --git a/roles/vdm/tasks/main.yaml b/roles/vdm/tasks/main.yaml index b3fcb44f..97b68781 100644 --- a/roles/vdm/tasks/main.yaml +++ b/roles/vdm/tasks/main.yaml @@ -53,11 +53,11 @@ - { resources: overlays/update-checker } - { configurations: overlays/required/kustomizeconfig.yaml, priority: 51 } - { transformers: overlays/required/transformers.yaml, priority: 60 } - - { generators: sas-license.yaml, vdm: true } - - { generators: sas-shared-config.yaml, vdm: true } - - { generators: sas-consul-config.yaml, vdm: true, max: "2021.1" } - - { generators: sas-consul-config-secret.yaml, vdm: true, min: 2021.1.1 } - - { generators: ingress-input.yaml, vdm: true } + - { generators: sas-license.yaml } + - { generators: sas-shared-config.yaml } + - { generators: sas-consul-config.yaml, max: "2021.1" } + - { generators: sas-consul-config-secret.yaml, min: 2021.1.1 } + - { generators: ingress-input.yaml } tags: - install - uninstall 
@@ -82,7 +82,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { generators: sas-image-pull-secrets.yaml, vdm: true } + - { generators: sas-image-pull-secrets.yaml } - name: Include Mirror include_tasks: mirror.yaml @@ -92,6 +92,15 @@ - uninstall - update +- name: Include Openshift + include_tasks: openshift.yaml + when: + - V4_CFG_INGRESS_TYPE == "route" + tags: + - install + - uninstall + - update + - name: Include MultiTenant include_tasks: multi_tenant.yaml when: V4MT_ENABLE @@ -120,9 +129,9 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: openldap.yaml, vdm: true } - - { transformers: openldap.yaml, vdm: true } - - { generators: openldap-bootstrap-config.yaml, vdm: true } + - { resources: openldap.yaml } + - { transformers: openldap.yaml } + - { generators: openldap-bootstrap-config.yaml } when: - not V4MT_ENABLE - V4_CFG_EMBEDDED_LDAP_ENABLE @@ -137,9 +146,9 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: openldap.yaml, vdm: true } - - { transformers: openldap.yaml, vdm: true } - - { generators: openldap-bootstrap-mt-config.yaml, vdm: true } + - { resources: openldap.yaml } + - { transformers: openldap.yaml } + - { generators: openldap-bootstrap-mt-config.yaml } when: - V4MT_ENABLE - V4_CFG_EMBEDDED_LDAP_ENABLE diff --git a/roles/vdm/tasks/message_broker.yaml b/roles/vdm/tasks/message_broker.yaml index 18a23c8c..e7624c56 100644 --- a/roles/vdm/tasks/message_broker.yaml +++ b/roles/vdm/tasks/message_broker.yaml @@ -78,7 +78,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: "rabbitmq-node-count.yaml", vdm: true} + - { transformers: "rabbitmq-node-count.yaml"} when: rabbitmq_config.stat.exists tags: - install diff --git a/roles/vdm/tasks/mirror.yaml b/roles/vdm/tasks/mirror.yaml index cf70db6d..2c2d9529 100644 --- a/roles/vdm/tasks/mirror.yaml 
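Review bot: `V4_CFG_INGRESS_TYPE == "route"` is the only gate on `include_tasks: openshift.yaml`, and that file (new in this commit) unconditionally adds `overlays/security/remove-seccomp-transformer.yaml` at priority 99, so every deployment that selects route ingress has the seccomp profile removed from its pods with no dedicated switch, whereas each SCC task has its own flag. A separate variable defaulting to true on route (constructed name: `V4_CFG_OPENSHIFT_REMOVE_SECCOMP`) used as an extra `when:` on that task, or at minimum a sentence in the CONFIG-VARS.md Openshift section stating that route ingress implies seccomp removal, would let operators on a seccomp-capable cluster keep the profile. The ingress type is presumably standing in for "is OpenShift" here; if so, say that in the task name or a comment.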
+++ b/roles/vdm/tasks/mirror.yaml @@ -28,9 +28,9 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: mirror.yaml, vdm: true, priority: 65 } - - { generators: mirror.yaml, vdm: true, max: "2022.09" } - - { generators: mirror.v2.yaml, vdm: true, min: "2022.10" } + - { transformers: mirror.yaml, priority: 65 } + - { generators: mirror.yaml, max: "2022.09" } + - { generators: mirror.v2.yaml, min: "2022.10" } tags: - install - uninstall diff --git a/roles/vdm/tasks/openshift.yaml b/roles/vdm/tasks/openshift.yaml new file mode 100644 index 00000000..75444a13 --- /dev/null +++ b/roles/vdm/tasks/openshift.yaml 
@@ -0,0 +1,142 @@
+# Copyright © 2020-2024, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: Openshift - seccomp
+ overlay_facts:
+ cadence_name: "{{ V4_CFG_CADENCE_NAME }}"
+ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
+ existing: "{{ vdm_overlays }}"
+ add:
+ - { transformers: overlays/security/remove-seccomp-transformer.yaml, priority: 99 }
+ tags:
+ - install
+ - uninstall
+ - update
+
+- name: Openshift SCC - airflow
+ include_tasks: helpers/add_if_exists.yaml
+ vars:
+ resource: "examples/sas-airflow/README.md"
+ overlays:
+ - { resources: scc-sas-airflow-create-user-job.yaml }
+ when: V4_CFG_OPENSHIFT_SCC_AIRFLOW
+ tags:
+ - install
+ - uninstall
+ - update
+
+- name: Openshift SCC - cas-server
+ include_tasks: helpers/add_if_exists.yaml
+ vars:
+ resource: "examples/cas/configure/cas-server-scc{{ openshift_cas_scc_map[V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE]['filesuffix'] }}.yaml"
+ overlays:
+ - { resources: "examples/cas/configure/cas-server-scc{{ openshift_cas_scc_map[V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE]['filesuffix'] }}.yaml" }
+ - { resources: scc-sas-cas-server.yaml }
+ when: V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED
+ tags:
+ - install
+ - uninstall
+ - update
+
+- name: Openshift SCC - sas-connect-spawner
+ include_tasks: helpers/add_if_exists.yaml
+ vars:
+ resource: "examples/sas-connect-spawner/openshift/sas-connect-spawner-scc.yaml"
+ overlays:
+ - { resources: examples/sas-connect-spawner/openshift/sas-connect-spawner-scc.yaml }
+ - { resources: scc-sas-connect-spawner.yaml }
+ when: V4_CFG_OPENSHIFT_SCC_CONNECT_SPAWNER
+ tags:
+ - install
+ - uninstall
+ - update
+
+- name: Openshift SCC - sas-esp-project
+ include_tasks: helpers/add_if_exists.yaml
+ vars:
+ resource: "examples/sas-esp-operator/README.md"
+ overlays:
+ - { resources: scc-esp-project.yaml }
+ when: V4_CFG_OPENSHIFT_SCC_ESP_PROJECT
+ tags:
+ - install
+ - uninstall
+ - update
+
+- name: Openshift SCC - sas-microanalytic-score
+ include_tasks: helpers/add_if_exists.yaml
+ vars:
+ resource: "overlays/sas-microanalytic-score/service-account/README.md"
+ overlays:
+ - { resources: overlays/sas-microanalytic-score/service-account/sas-microanalytic-score-scc.yaml }
+ - { resources: scc-sas-microanalytic-score.yaml }
+ when: V4_CFG_OPENSHIFT_SCC_MICROANALYTIC_SCORE
+ tags:
+ - install
+ - uninstall
+ - update
+
+- name: Openshift SCC - sas-model-publish-kaniko
+ include_tasks: helpers/add_if_exists.yaml
+ vars:
+ resource: "examples/sas-model-publish/kaniko/README.md"
+ overlays:
+ - { resources: scc-sas-model-publish-kaniko.yaml }
+ when: V4_CFG_OPENSHIFT_SCC_MODEL_PUBLISH_KANIKO
+ tags:
+ - install
+ - uninstall
+ - update
+
+- name: Openshift SCC - sas-model-repository
+ include_tasks: helpers/add_if_exists.yaml
+ vars:
+ resource: "overlays/sas-model-repository/service-account/README.md"
+ overlays:
+ - { resources: overlays/sas-model-repository/service-account/sas-model-repository-scc.yaml }
+ - { resources: scc-sas-model-repository.yaml }
+ when: V4_CFG_OPENSHIFT_SCC_MODEL_REPOSITORY
+ tags:
+ - install
+ - uninstall
+ - update
+
+- name: Openshift SCC - pyconfig
+ include_tasks: helpers/add_if_exists.yaml
+ vars:
+ resource: "examples/sas-pyconfig/pyconfig-scc.yaml"
+ overlays:
+ - { resources: examples/sas-pyconfig/pyconfig-scc.yaml }
+ - { resources: scc-sas-pyconfig.yaml }
+ when: V4_CFG_OPENSHIFT_SCC_PYCONFIG
+ tags:
+ - install
+ - uninstall
+ - update
+
+- name: Openshift SCC - sas-watchdog
+ include_tasks: helpers/add_if_exists.yaml
+ vars:
+ resource: "overlays/sas-programming-environment/watchdog/README.md"
+ overlays:
+ - { resources: examples/sas-programming-environment/watchdog/sas-watchdog-scc.yaml }
+ - { resources: scc-sas-watchdog.yaml }
+ when: V4_CFG_OPENSHIFT_SCC_WATCHDOG
+ tags:
+ - install
+ - uninstall
+ - update
+
+- name: Openshift SCC - sas-programming-environment
+ overlay_facts:
+ cadence_name: "{{ V4_CFG_CADENCE_NAME }}"
+ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
+ existing: "{{ vdm_overlays }}"
+ add:
+ - { resources: sas-programming-environment.yaml }
+ when: V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT
+ tags:
+ - install
+ - uninstall
+ - update
diff --git a/roles/vdm/tasks/postgres/gcp-cloud-sql-proxy.yaml b/roles/vdm/tasks/postgres/gcp-cloud-sql-proxy.yaml
index 8bf16493..47262ad9 100644
--- a/roles/vdm/tasks/postgres/gcp-cloud-sql-proxy.yaml
+++ b/roles/vdm/tasks/postgres/gcp-cloud-sql-proxy.yaml
@@ -41,6 +41,6 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { resources: "cloud-sql-proxy-{{ role }}-instance.yaml", vdm: true }
+ - { resources: "cloud-sql-proxy-{{ role }}-instance.yaml" }
 - { transformers: overlays/external-postgres/googlecloud-full-stack-tls-transformer.yaml, priority: 55, max: "2022.09" }
 - { transformers: overlays/postgres/external-postgres/gcp-tls-transformer.yaml, priority: 55, min: "2022.10" }
diff --git a/roles/vdm/tasks/postgres/postgres-instance.yaml b/roles/vdm/tasks/postgres/postgres-instance.yaml
index 9d68f4c4..a1182175 100644
--- a/roles/vdm/tasks/postgres/postgres-instance.yaml
+++ b/roles/vdm/tasks/postgres/postgres-instance.yaml
@@ -195,7 +195,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { transformers: "{{ role }}-crunchy-storage-transformer.yaml", min: "2022.10", vdm: true }
+ - { transformers: "{{ role }}-crunchy-storage-transformer.yaml", min: "2022.10" }
 - name: Postgres instance - set immutable storage transformer values
 block:
 - name: Postgres instance - save role storage map values
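Review bot: The `Openshift - seccomp` task applies `overlays/security/remove-seccomp-transformer.yaml` at priority 99 to every route-based deployment, with no variable to opt out and no comment recording which OpenShift behaviour it works around, so a reader cannot tell when it is safe to drop; once the pod-level seccomp profile is stripped, pods run with whatever the admitting SCC defaults to rather than the profile the manifests declared. I'd add a comment above the task, e.g. `# Strips seccomp settings from all pods; needed because <OpenShift version/SCC constraint — fill in>; remove once no longer required.`, and consider gating it behind a boolean so hardened clusters can keep the declared profile. The SCC tasks are gated on `V4_CFG_OPENSHIFT_SCC_*` variables whose defaults are not in this chunk; confirm they default to false so no `use` grant on `anyuid`/`hostmount-anyuid` is created unless explicitly enabled.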
@@ -300,8 +300,8 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { transformers: "{{ role }}-dataserver-transformer.yaml", min: "2022.10", vdm: true }
- - { generators: "postgres-{{ role }}-secrets.yaml", min: "2022.10", vdm: true }
+ - { transformers: "{{ role }}-dataserver-transformer.yaml", min: "2022.10" }
+ - { generators: "postgres-{{ role }}-secrets.yaml", min: "2022.10" }
 - name: Postgres instance - external post 2022.10 - additional servers
 when:
@@ -325,7 +325,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { resources: "platform-postgres-{{ role }}-dataserver.yaml", min: "2022.10", vdm: true }
+ - { resources: "platform-postgres-{{ role }}-dataserver.yaml", min: "2022.10" }
 # TODO Fix Logic for tasks below
@@ -349,7 +349,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { resources: "postgres-{{ role }}-instance.yaml", vdm: true }
+ - { resources: "postgres-{{ role }}-instance.yaml" }
 - name: Postgres instance - external pre 2022.10
 when:
@@ -372,4 +372,4 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { resources: "postgres-{{ role }}-instance.yaml", vdm: true }
+ - { resources: "postgres-{{ role }}-instance.yaml" }
diff --git a/roles/vdm/tasks/postgres/postgres-multi-tenant-config.yaml b/roles/vdm/tasks/postgres/postgres-multi-tenant-config.yaml
index 03fd5f7e..880168e9 100644
--- a/roles/vdm/tasks/postgres/postgres-multi-tenant-config.yaml
+++ b/roles/vdm/tasks/postgres/postgres-multi-tenant-config.yaml
@@ -78,8 +78,8 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { transformers: "sas-{{ 'postgres' if role == 'default' else role }}-custom-config-transformer.yaml", vdm: true, priority: 65 }
- - { resources: "sas-{{ 'postgres' if role == 'default' else role }}-custom-config.yaml", vdm: true }
+ - { transformers: "sas-{{ 'postgres' if role == 'default' else role }}-custom-config-transformer.yaml", priority: 65 }
+ - { resources: "sas-{{ 'postgres' if role == 'default' else role }}-custom-config.yaml" }
 when:
 - custom_config_folder.stat.exists
 - settings.internal
@@ -167,7 +167,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { transformers: "{{ 'platform-postgres' if role == 'default' else role }}-crunchy-tuning-transformer.yaml", vdm: true, priority: 65 }
+ - { transformers: "{{ 'platform-postgres' if role == 'default' else role }}-crunchy-tuning-transformer.yaml", priority: 65 }
 when:
 - not V4_CFG_CADENCE_NAME|lower == "fast" and V4_CFG_CADENCE_VERSION is version('2023.03', "<")
 - crunchy_tuning_folder.stat.exists
@@ -277,8 +277,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - transformers: "{{ 'platform-postgres' if role == 'default' else role }}-crunchy-tuning-connection-params-transformer.yaml"
- vdm: true
+ - transformers: "{{ 'platform-postgres' if role == 'default' else role }}-crunchy-tuning-connection-params-transformer.yaml"
 priority: 65
 when:
 - V4_CFG_CADENCE_VERSION is version('2023.03', ">=") or V4_CFG_CADENCE_NAME|lower == "fast"
@@ -295,8 +294,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - transformers: "{{ 'platform-postgres' if role == 'default' else role }}-crunchy-tuning-pg-hba-no-tls-transformer.yaml"
- vdm: true
+ - transformers: "{{ 'platform-postgres' if role == 'default' else role }}-crunchy-tuning-pg-hba-no-tls-transformer.yaml"
 priority: 65
 when:
 - V4_CFG_CADENCE_VERSION is version('2023.03', ">=") or V4_CFG_CADENCE_NAME|lower == "fast"
diff --git a/roles/vdm/tasks/postgres/postgres.yaml b/roles/vdm/tasks/postgres/postgres.yaml
index 9dfc694c..c6b7beb0 100644
--- a/roles/vdm/tasks/postgres/postgres.yaml
+++ b/roles/vdm/tasks/postgres/postgres.yaml
@@ -56,8 +56,8 @@
 - { resources: overlays/internal-postgres }
 - { resources: overlays/crunchydata }
 - { transformers: overlays/internal-postgres/internal-postgres-transformer.yaml }
- - { transformers: postgres-storage-transformer.yaml, vdm: true, max: 2020.1.3 }
- - { transformers: postgres-storage-transformer.v2.yaml, vdm: true, min: 2020.1.3 }
+ - { transformers: postgres-storage-transformer.yaml, max: 2020.1.3 }
+ - { transformers: postgres-storage-transformer.v2.yaml, min: 2020.1.3 }
 when:
 - internal_postgres
 - name: Postgres - external
@@ -67,10 +67,10 @@
 existing: "{{ vdm_overlays }}"
 add:
 - { transformers: overlays/external-postgres/external-postgres-transformer.yaml }
- - { generators: postgres-sas-user.yaml, vdm: true }
- - { generators: sas-go-config.yaml, vdm: true }
- - { generators: sas-postgres-config.yaml, max: 2020.0.4, vdm: true }
- - { generators: sas-postgres-config.v2.yaml, min: 2020.0.5, vdm: true }
+ - { generators: postgres-sas-user.yaml }
+ - { generators: sas-go-config.yaml }
+ - { generators: sas-postgres-config.yaml, max: 2020.0.4 }
+ - { generators: sas-postgres-config.v2.yaml, min: 2020.0.5 }
 when:
 - not internal_postgres
@@ -89,7 +89,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { transformers: postgres-storage-transformer.v3.yaml, vdm: true }
+ - { transformers: postgres-storage-transformer.v3.yaml }
 when:
 - internal_postgres
 - name: Postgres - external
diff --git a/roles/vdm/tasks/start_stop.yaml b/roles/vdm/tasks/start_stop.yaml
index 3aa63b03..b701fc84 100644
--- a/roles/vdm/tasks/start_stop.yaml
+++ b/roles/vdm/tasks/start_stop.yaml
@@ -24,7 +24,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { transformers: schedule-start-stop.yaml, vdm: true, min: "2021.2", priority: 61 }
+ - { transformers: schedule-start-stop.yaml, min: "2021.2", priority: 61 }
 when:
 - V4_CFG_VIYA_STOP_SCHEDULE is not none or V4_CFG_VIYA_START_SCHEDULE is not none
 tags:
diff --git a/roles/vdm/tasks/storage.yaml b/roles/vdm/tasks/storage.yaml
index d59fba06..8a574970 100644
--- a/roles/vdm/tasks/storage.yaml
+++ b/roles/vdm/tasks/storage.yaml
@@ -8,7 +8,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { transformers: sas-storageclass.yaml, vdm: true, priority: 49 }
+ - { transformers: sas-storageclass.yaml, priority: 49 }
 tags:
 - install
 - uninstall
@@ -20,11 +20,11 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { transformers: cas-add-nfs-mount.yaml, vdm: true }
- - { transformers: compute-server-add-nfs-mount.yaml, max: 2021.1.6, vdm: true }
- - { transformers: compute-server-add-nfs-mount.v2.yaml, min: "2021.2", vdm: true }
- - { transformers: launcher-service-add-nfs.yaml, max: 2021.1.6, vdm: true }
- - { transformers: launcher-nfs-mount.yaml, min: "2021.2", vdm: true }
+ - { transformers: cas-add-nfs-mount.yaml }
+ - { transformers: compute-server-add-nfs-mount.yaml, max: 2021.1.6 }
+ - { transformers: compute-server-add-nfs-mount.v2.yaml, min: "2021.2" }
+ - { transformers: launcher-service-add-nfs.yaml, max: 2021.1.6 }
+ - { transformers: launcher-nfs-mount.yaml, min: "2021.2" }
 when:
 - V4_CFG_RWX_FILESTORE_ENDPOINT is not none
 - V4_CFG_RWX_FILESTORE_PATH is not none
diff --git a/roles/vdm/tasks/tls.yaml b/roles/vdm/tasks/tls.yaml
index 65bca17a..0228d6a9 100644
--- a/roles/vdm/tasks/tls.yaml
+++ b/roles/vdm/tasks/tls.yaml
@@ -30,7 +30,7 @@
 add:
 - { resources: "overlays/network/{{ V4_CFG_INGRESS_TYPE }}", max: 2021.1.5 }
 - { resources: "overlays/network/{{ V4_CFG_INGRESS_TYPE }}/security", max: 2021.1.2 }
- - { resources: "overlays/network/{{ network_name_map[V4_CFG_INGRESS_TYPE] }}", min: 2021.1.6 }
+ - { resources: "overlays/network/{{ network_name_map[V4_CFG_INGRESS_TYPE]['name'] }}", min: 2021.1.6 }
 tags:
 - install
 - uninstall
@@ -70,39 +70,82 @@
 - V4_CFG_TLS_GENERATOR == "cert-manager"
 - name: TLS - Full-stack TLS
- overlay_facts:
- cadence_name: "{{ V4_CFG_CADENCE_NAME }}"
- cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
- existing: "{{ vdm_overlays }}"
- add:
- - { transformers: overlays/network/ingress/security/transformers/ingress-tls-transformers.yaml, max: 2021.1.2, priority: 51 }
- - { transformers: overlays/network/ingress/security/transformers/product-tls-transformers.yaml, max: 2021.1.2, priority: 51 }
- - { transformers: overlays/network/ingress/security/transformers/backend-tls-transformers.yaml, max: 2021.1.2, priority: 51 }
- - { components: components/security/core/base/full-stack-tls, min: 2021.1.3, priority: 51 }
- - { components: components/security/network/networking.k8s.io/ingress/nginx.ingress.kubernetes.io/full-stack-tls, min: 2021.1.3, priority: 51 }
 when:
 - V4_CFG_TLS_MODE == "full-stack"
 tags:
 - install
 - uninstall
 - update
+ block:
+ - name: TLS - Full-stack TLS (Base)
+ overlay_facts:
+ cadence_name: "{{ V4_CFG_CADENCE_NAME }}"
+ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
+ existing: "{{ vdm_overlays }}"
+ add:
+ - { components: components/security/core/base/full-stack-tls, min: 2021.1.3, priority: 51 }
+ - { components: "components/security/network/{{ network_name_map[V4_CFG_INGRESS_TYPE]['name'] }}/{{ network_name_map[V4_CFG_INGRESS_TYPE]['component'] }}/full-stack-tls", min: 2021.1.3, priority: 51 }
+
+ - name: TLS - Full-stack TLS (Ingress)
+ overlay_facts:
+ cadence_name: "{{ V4_CFG_CADENCE_NAME }}"
+ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
+ existing: "{{ vdm_overlays }}"
+ add:
+ - { transformers: overlays/network/ingress/security/transformers/ingress-tls-transformers.yaml, max: 2021.1.2, priority: 51 }
+ - { transformers: overlays/network/ingress/security/transformers/product-tls-transformers.yaml, max: 2021.1.2, priority: 51 }
+ - { transformers: overlays/network/ingress/security/transformers/backend-tls-transformers.yaml, max: 2021.1.2, priority: 51 }
+ when:
+ - V4_CFG_INGRESS_TYPE == "ingress"
+
+ - name: TLS - Full-stack TLS (Openshift)
+ overlay_facts:
+ cadence_name: "{{ V4_CFG_CADENCE_NAME }}"
+ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
+ existing: "{{ vdm_overlays }}"
+ add:
+ - { transformers: overlays/network/route.openshift.io/security/transformers/sas-route-cookie-samesite-transformer.yaml, min: 2021.1.6, priority: 51 }
+ when:
+ - V4_CFG_INGRESS_TYPE == "route"
+
 - name: TLS - Front-door TLS
- overlay_facts:
- cadence_name: "{{ V4_CFG_CADENCE_NAME }}"
- cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
- existing: "{{ vdm_overlays }}"
- add:
- - { transformers: overlays/network/ingress/security/transformers/cas-connect-tls-transformers.yaml, max: 2021.1.2, priority: 51 }
- - { transformers: overlays/network/ingress/security/transformers/ingress-tls-transformers.yaml, max: 2021.1.2, priority: 51 }
- - { components: components/security/core/base/front-door-tls, min: 2021.1.3, priority: 51 }
- - { components: components/security/network/networking.k8s.io/ingress/nginx.ingress.kubernetes.io/front-door-tls, min: 2021.1.3, priority: 51 }
 when:
 - V4_CFG_TLS_MODE == "front-door"
 tags:
 - install
 - uninstall
 - update
+ block:
+ - name: TLS - Front-door TLS (Base)
+ overlay_facts:
+ cadence_name: "{{ V4_CFG_CADENCE_NAME }}"
+ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
+ existing: "{{ vdm_overlays }}"
+ add:
+ - { components: components/security/core/base/front-door-tls, min: 2021.1.3, priority: 51 }
+ - { components: "components/security/network/{{ network_name_map[V4_CFG_INGRESS_TYPE]['name'] }}/{{ network_name_map[V4_CFG_INGRESS_TYPE]['component'] }}/front-door-tls", min: 2021.1.3, priority: 51 }
+
+ - name: TLS - Front-door TLS (Ingress)
+ overlay_facts:
+ cadence_name: "{{ V4_CFG_CADENCE_NAME }}"
+ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
+ existing: "{{ vdm_overlays }}"
+ add:
+ - { transformers: overlays/network/ingress/security/transformers/cas-connect-tls-transformers.yaml, max: 2021.1.2, priority: 51 }
+ - { transformers: overlays/network/ingress/security/transformers/ingress-tls-transformers.yaml, max: 2021.1.2, priority: 51 }
+ when:
+ - V4_CFG_INGRESS_TYPE == "ingress"
+
+ - name: TLS - Front-door TLS (Openshift)
+ overlay_facts:
+ cadence_name: "{{ V4_CFG_CADENCE_NAME }}"
+ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
+ existing: "{{ vdm_overlays }}"
+ add:
+ - { transformers: overlays/network/route.openshift.io/security/transformers/sas-route-cookie-samesite-transformer.yaml, min: 2021.1.6, priority: 51 }
+ when:
+ - V4_CFG_INGRESS_TYPE == "route"
 - name: TLS - Ingress-only TLS - check cadence
 ansible.builtin.fail:
@@ -171,7 +214,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { generators: customer-provided-ca-certificates.yaml, vdm: true }
+ - { generators: customer-provided-ca-certificates.yaml }
 - name: TLS - customer provided server certificates
 when:
@@ -204,7 +247,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { generators: customer-provided-ingress-certificate.yaml, vdm: true }
+ - { generators: customer-provided-ingress-certificate.yaml }
 - name: TLS - Certificate Generation - cert-manager
 overlay_facts:
@@ -212,7 +255,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { transformers: cert-manager-provided-ingress-certificate.yaml, vdm: true, max: "2022.1", priority: 70 }
+ - { transformers: cert-manager-provided-ingress-certificate.yaml, max: "2022.1", priority: 70 }
 - { transformers: overlays/cert-manager-provided-ingress-certificate/ingress-annotation-transformer.yaml, min: 2022.1.1, priority: 70 }
 when:
 - V4_CFG_TLS_MODE != "disabled"
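Review bot: The `max: 2021.1.2` ingress transformers are now added only when `V4_CFG_INGRESS_TYPE == "ingress"`, whereas the removed task applied them for any ingress type; if route-based deployments were never supported on those cadences this is harmless, but the `(Ingress)` sub-tasks should say so, e.g. `# Pre-2021.1.3 TLS transformers exist only for nginx ingress; route deployments require >= 2021.1.6`. As a point of style, the six new `overlay_facts` sub-tasks repeat identical `cadence_name`/`cadence_number`/`existing` arguments; a block-level `module_defaults` for `overlay_facts` would reduce each to its `add:` list and `when:`. The hunk runs on into the `TLS - Ingress-only TLS - check cadence` task, whose body lies outside it.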
@@ -228,7 +271,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { resources: openssl-generated-ingress-certificate.yaml, vdm: true, min: "2021.2" }
+ - { resources: openssl-generated-ingress-certificate.yaml, min: "2021.2" }
 when:
 - V4_CFG_TLS_MODE != "disabled"
 - (V4_CFG_TLS_CERT is none and V4_CFG_TLS_KEY is none and V4_CFG_TLS_GENERATOR == "openssl")
@@ -242,7 +285,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { generators: customer-provided-merge-sas-certframe-configmap.yaml, vdm: true }
+ - { generators: customer-provided-merge-sas-certframe-configmap.yaml }
 when:
 - V4_CFG_TLS_MODE != "disabled"
 - (V4_CFG_TLS_GENERATOR == "cert-manager" or V4_CFG_TLS_GENERATOR == "openssl")
@@ -257,7 +300,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { resources: consul-ui.yaml, vdm: true }
+ - { resources: consul-ui.yaml }
 when:
 - V4_CFG_CONSUL_ENABLE_LOADBALANCER
 tags:
@@ -271,7 +314,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { transformers: nginx-ingressclass.yaml, vdm: true, max: 2021.1.5 }
+ - { transformers: nginx-ingressclass.yaml, max: 2021.1.5 }
 when:
 - V4_CFG_INGRESS_TYPE == "ingress"
 tags:
diff --git a/roles/vdm/tasks/workload_orchestrator.yaml b/roles/vdm/tasks/workload_orchestrator.yaml
index ac477d50..3fcbd204 100644
--- a/roles/vdm/tasks/workload_orchestrator.yaml
+++ b/roles/vdm/tasks/workload_orchestrator.yaml
@@ -9,7 +9,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { resources: overlays/sas-workload-orchestrator, min: "2023.08", vdm: false }
+ - { resources: overlays/sas-workload-orchestrator, min: "2023.08" }
 when:
 - V4_WORKLOAD_ORCHESTRATOR_ENABLED
 tags:
@@ -23,7 +23,7 @@
 cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
 existing: "{{ vdm_overlays }}"
 add:
- - { transformers: examples/sas-workload-orchestrator/enable-disable/sas-workload-orchestrator-disable-patch-transformer.yaml, min: "2023.08", vdm: false }
+ - { transformers: examples/sas-workload-orchestrator/enable-disable/sas-workload-orchestrator-disable-patch-transformer.yaml, min: "2023.08" }
 when:
 - not V4_WORKLOAD_ORCHESTRATOR_ENABLED
 tags:
diff --git a/roles/vdm/templates/copy_if_exists.yaml.j2 b/roles/vdm/templates/copy_if_exists.yaml.j2
new file mode 100644
index 00000000..18006883
--- /dev/null
+++ b/roles/vdm/templates/copy_if_exists.yaml.j2
@@ -0,0 +1,14 @@
+{% set glob = {} %}
+
+{% for k, v in item.items() %}
+{% if k == 'priority' %}
+{% set _ = glob.update({'priority': v}) %}
+{% else %}
+{% set _ = glob.update({'res': k}) %}
+{% set _ = glob.update({'path': v}) %}
+{% endif %}
+{% endfor %}
+type: {{ glob.res }}
+path: {{ glob.path }}
+priority: {{ glob.priority|default(10) }}
+filename: {{ glob.path if glob.path.startswith('overlays') else (glob.path|basename) }}
\ No newline at end of file
diff --git a/roles/vdm/templates/resources/cas-server-scc.yaml b/roles/vdm/templates/resources/cas-server-scc.yaml
new file mode 100644
index 00000000..fdeac1f2
--- /dev/null
+++ b/roles/vdm/templates/resources/cas-server-scc.yaml
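Review bot: The key loop treats every key other than `priority` as the resource type, so an overlay item that also carries `min:` or `max:` (the form used throughout the task files in this patch, e.g. `{ generators: mirror.yaml, max: "2022.09" }`) ends with `res`/`path` set to whichever key iterates last and the cadence bound silently discarded. None of the callers in openshift.yaml passes `min`/`max` today, so this is latent, but it is worth either rejecting unexpected keys or carrying them through like `priority`: `{% if k in ('priority', 'min', 'max') %}{% set _ = glob.update({k: v}) %}` and emitting `min`/`max` next to `priority` when present. The `startswith('overlays')` test also deserves a comment, since it decides whether `path` is used as-is or reduced to a basename and resolved against the role's own templates: `{# overlays/* come from the deployment assets; anything else is a local template looked up by basename #}`.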
@@ -0,0 +1,43 @@
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: []
+fsGroup:
+ ranges:
+ - max: 1001
+ min: 1001
+ type: MustRunAs
+groups:
+kind: SecurityContextConstraints
+metadata:
+ annotations:
+ kubernetes.io/description: scc for sas-cas-server service account
+ name: sas-cas-server
+priority: 0
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- KILL
+- MKNOD
+runAsUser:
+ type: MustRunAs
+ uid: 1001
+seLinuxContext:
+ type: MustRunAs
+seccompProfiles:
+- runtime/default
+supplementalGroups:
+ type: RunAsAny
+users:
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+- nfs
diff --git a/roles/vdm/templates/resources/openssl-generated-ingress-certificate.yaml b/roles/vdm/templates/resources/openssl-generated-ingress-certificate.yaml
index 1ac24a7a..43b1696e 100644
--- a/roles/vdm/templates/resources/openssl-generated-ingress-certificate.yaml
+++ b/roles/vdm/templates/resources/openssl-generated-ingress-certificate.yaml
@@ -58,6 +58,7 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
+ add: []
 drop:
 - ALL
 privileged: false
@@ -68,10 +69,14 @@ spec:
 - mountPath: /security
 name: security
 restartPolicy: OnFailure
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: certframe-token
 secret:
 defaultMode: 420
 secretName: sas-certframe-token
 - emptyDir: {}
- name: security
+ name: security
\ No newline at end of file
diff --git a/roles/vdm/templates/resources/pyconfig-scc.yaml b/roles/vdm/templates/resources/pyconfig-scc.yaml
new file mode 100644
index 00000000..9b1768c9
--- /dev/null
+++ b/roles/vdm/templates/resources/pyconfig-scc.yaml
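Review bot: `runAsNonRoot: true` is added at pod level but no `runAsUser` is visible in the hunk, so unless the container spec outside the hunk or the image's `USER` directive supplies a numeric non-root UID, the kubelet's runAsNonRoot check rejects the container at creation; on OpenShift the admitting SCC normally injects a UID from the namespace range, but the manifest should not silently depend on that. Either set `runAsUser` next to `runAsNonRoot` or record the assumption: `# runAsUser is assigned by the namespace's SCC range; set explicitly if this template is ever used off OpenShift`. The final change in the file only drops the trailing newline (`\ No newline at end of file`), which is a style regression worth reverting. The Job/Pod definition this hunk belongs to starts outside the hunk.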
@@ -0,0 +1,41 @@
+---
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: []
+fsGroup:
+ ranges:
+ - max: 1001
+ min: 1001
+ type: MustRunAs
+groups:
+kind: SecurityContextConstraints
+metadata:
+ annotations:
+ kubernetes.io/description: scc for sas-pyconfig service account
+ name: sas-pyconfig
+priority: 0
+readOnlyRootFilesystem: true
+runAsUser:
+ type: MustRunAs
+ uid: 1001
+seLinuxContext:
+ type: RunAsAny
+seccompProfiles:
+- runtime/default
+supplementalGroups:
+ type: RunAsAny
+users:
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+- nfs
\ No newline at end of file
diff --git a/roles/vdm/templates/resources/sas-watchdog-scc.yaml b/roles/vdm/templates/resources/sas-watchdog-scc.yaml
new file mode 100644
index 00000000..ea1e563e
--- /dev/null
+++ b/roles/vdm/templates/resources/sas-watchdog-scc.yaml
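Review bot: `seLinuxContext: type: RunAsAny` lets the pyconfig pod request any SELinux label, while the sibling cas-server SCC in this patch uses `MustRunAs` (the label is then taken from the namespace's preallocated range); unless pyconfig genuinely needs a custom label, `MustRunAs` is the tighter and consistent choice. If the deviation is deliberate, say so where it is decided, e.g. `seLinuxContext: # RunAsAny: <reason — fill in>` or extend the description annotation. Leaving `users:` and `groups:` null so the SCC is only reachable through the `use` grant in scc-sas-pyconfig.yaml is the right pattern and worth keeping.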
@@ -0,0 +1,43 @@
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+- 'CAP_SYS_ADMIN'
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+fsGroup:
+ type: RunAsAny
+groups:
+- system:cluster-admins
+kind: SecurityContextConstraints
+metadata:
+ annotations:
+ kubernetes.io/description: based on anyuid, the sas-watchdog scc allows
+ the root user for the watchdog side-car to be used to effect nsenter into
+ the main container. Note that the main container itself does not require or use
+ elevated privileges.
+ name: sas-watchdog
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- MKNOD
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+users: null
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- hostPath
+- nfs
+- persistentVolumeClaim
+- projected
+- secret
\ No newline at end of file
diff --git a/roles/vdm/templates/resources/scc-sas-airflow-create-user-job.yaml b/roles/vdm/templates/resources/scc-sas-airflow-create-user-job.yaml
new file mode 100644
index 00000000..7aa0099f
--- /dev/null
+++ b/roles/vdm/templates/resources/scc-sas-airflow-create-user-job.yaml
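Review bot: This SCC is effectively unrestricted (`allowPrivilegedContainer: true`, `allowHostDirVolumePlugin: true` with `hostPath` volumes, `allowedCapabilities` including SYS_ADMIN, `runAsUser: RunAsAny`), and `priority: 10` makes it win over `restricted-v2` for any account that can `use` it, so the grantee set must stay minimal; `groups: - system:cluster-admins` widens it beyond the `sas-watchdog` service account for no functional gain, since cluster admins already hold the built-in privileged SCC. I'd set `groups: null` (matching `users: null`) so the only path to this SCC is the RoleBinding in scc-sas-watchdog.yaml, and extend the description annotation with the operational consequence, e.g. `# Pods admitted under this SCC have node-level privileges; periodically audit RoleBindings that reference it.` Kubernetes capability names in pod specs omit the `CAP_` prefix (`SYS_ADMIN`); confirm that `'CAP_SYS_ADMIN'` matches what the side-car actually requests, although with privileged containers allowed this list is not the effective control.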
@@ -0,0 +1,126 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: sas-anyuid
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - anyuid
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "sas-airflow-create-user-job"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sas-anyuid
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: sas-airflow-create-user-job
+ namespace: "{{ NAMESPACE }}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "sas-airflow-migrate-database-job"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sas-anyuid
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: sas-airflow-migrate-database-job
+ namespace: "{{ NAMESPACE }}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "sas-airflow-redis"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sas-anyuid
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: sas-airflow-redis
+ namespace: "{{ NAMESPACE }}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "sas-airflow-scheduler"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sas-anyuid
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: sas-airflow-scheduler
+ namespace: "{{ NAMESPACE }}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "sas-airflow-triggerer"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sas-anyuid
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: sas-airflow-triggerer
+ namespace: "{{ NAMESPACE }}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "sas-airflow-webserver"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sas-anyuid
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: sas-airflow-webserver
+ namespace: "{{ NAMESPACE }}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "sas-airflow-worker"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sas-anyuid
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: sas-airflow-worker
+ namespace: "{{ NAMESPACE }}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "sas-process-orchestration"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sas-anyuid
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: sas-process-orchestration
+ namespace: "{{ NAMESPACE }}"
\ No newline at end of file
diff --git a/roles/vdm/templates/resources/scc-sas-cas-server.yaml b/roles/vdm/templates/resources/scc-sas-cas-server.yaml
new file mode 100644
index 00000000..a3066781
--- /dev/null
+++ b/roles/vdm/templates/resources/scc-sas-cas-server.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: sas-cas-server{{ openshift_cas_scc_map[V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE]["suffix"] }}-scc
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - sas-cas-server
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: sas-cas-server{{ openshift_cas_scc_map[V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE]["suffix"] }}-scc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sas-cas-server{{ openshift_cas_scc_map[V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE]["suffix"] }}-scc
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: sas-cas-server{{ openshift_cas_scc_map[V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE]["suffix"] }}
+ namespace: "{{ NAMESPACE }}"
\ No newline at end of file
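Review bot: The file is named for the create-user job but grants `use` on the built-in `anyuid` SCC to eight service accounts (`sas-airflow-*` and `sas-process-orchestration`) through a single Role, and nothing records why each needs to run as an arbitrary UID; a file-level comment such as `# Every Airflow component plus sas-process-orchestration runs as the image's own UID and therefore needs anyuid; see examples/sas-airflow/README.md (the file the task probes for)` would let a later reviewer trim the list with confidence. The Role name `sas-anyuid` is generic while every other new RBAC file in this patch uses a `<workload>-scc` name; `sas-airflow-anyuid` would avoid a future collision with another template wanting a Role of the same name in the namespace. Quoting is also inconsistent within the file (`name: "sas-airflow-create-user-job"` versus `name: sas-anyuid`).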
diff --git a/roles/vdm/templates/resources/scc-sas-connect-spawner.yaml b/roles/vdm/templates/resources/scc-sas-connect-spawner.yaml
new file mode 100644
index 00000000..2bb7ec08
--- /dev/null
+++ b/roles/vdm/templates/resources/scc-sas-connect-spawner.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: sas-connect-spawner-scc
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - sas-connect-spawner
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: sas-connect-spawner-scc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sas-connect-spawner-scc
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: sas-connect-spawner
+ namespace: "{{ NAMESPACE }}"
\ No newline at end of file
diff --git a/roles/vdm/templates/resources/scc-sas-esp-project.yaml b/roles/vdm/templates/resources/scc-sas-esp-project.yaml
new file mode 100644
index 00000000..bb622d5b
--- /dev/null
+++ b/roles/vdm/templates/resources/scc-sas-esp-project.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: sas-esp-project-scc
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - nonroot
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: sas-esp-project-scc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sas-esp-project-scc
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: sas-esp-project
+ namespace: "{{ NAMESPACE }}"
\ No newline at end of file
diff --git a/roles/vdm/templates/resources/scc-sas-microanalytic-score.yaml b/roles/vdm/templates/resources/scc-sas-microanalytic-score.yaml
new file mode 100644
index 00000000..4ff8b989
--- /dev/null
+++ b/roles/vdm/templates/resources/scc-sas-microanalytic-score.yaml
@@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-microanalytic-score-scc +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - sas-microanalytic-score + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: sas-microanalytic-score-scc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-microanalytic-score-scc +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-microanalytic-score + namespace: "{{ NAMESPACE }}" \ No newline at end of file diff --git a/roles/vdm/templates/resources/scc-sas-model-publish-kaniko.yaml b/roles/vdm/templates/resources/scc-sas-model-publish-kaniko.yaml new file mode 100644 index 00000000..0ac418c1 --- /dev/null +++ b/roles/vdm/templates/resources/scc-sas-model-publish-kaniko.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-model-publish-kaniko-scc +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - anyuid + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: sas-model-publish-kaniko-scc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-model-publish-kaniko-scc +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-model-publish-kaniko + namespace: "{{ NAMESPACE }}" \ No newline at end of file diff --git a/roles/vdm/templates/resources/scc-sas-model-repository.yaml b/roles/vdm/templates/resources/scc-sas-model-repository.yaml new file mode 100644 index 00000000..6983219a --- /dev/null +++ b/roles/vdm/templates/resources/scc-sas-model-repository.yaml 
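Review bot: The kaniko Role grants `use` on the cluster built-in `anyuid` SCC (`resourceNames: - anyuid`), which lets the `sas-model-publish-kaniko` service account run as any UID including root, and `roles/vdm/defaults/main.yaml` later in this series defaults `V4_CFG_OPENSHIFT_SCC_MODEL_PUBLISH_KANIKO` to the global `V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED`, so every deployment that turns on SCC RBAC receives this grant even if it never publishes with kaniko. The docs row says it is required only when publishing models with kaniko, so an explicit `false` default, as for `V4_CFG_OPENSHIFT_SCC_CONNECT_SPAWNER`, keeps the broad grant opt-in. A comment above `resourceNames:` such as `# kaniko image builds need root; anyuid is the built-in SCC that permits it` would record why the built-in SCC is used rather than a product one.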
@@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-model-repository-scc +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - sas-model-repository + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: sas-model-repository-scc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-model-repository-scc +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-model-repository + namespace: "{{ NAMESPACE }}" \ No newline at end of file diff --git a/roles/vdm/templates/resources/scc-sas-programming-environment.yaml b/roles/vdm/templates/resources/scc-sas-programming-environment.yaml new file mode 100644 index 00000000..605d6cc2 --- /dev/null +++ b/roles/vdm/templates/resources/scc-sas-programming-environment.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-programming-environment-scc +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - {{ 'hostmount-anyuid' if V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT_HOSTPATH else 'nonroot' }} + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: sas-programming-environment-scc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-programming-environment-scc +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-programming-environment + namespace: "{{ NAMESPACE }}" \ No newline at end of file diff --git a/roles/vdm/templates/resources/scc-sas-pyconfig.yaml b/roles/vdm/templates/resources/scc-sas-pyconfig.yaml new file mode 100644 index 00000000..047085e0 --- /dev/null +++ b/roles/vdm/templates/resources/scc-sas-pyconfig.yaml 
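Review bot: When `V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT_HOSTPATH` is true the Role binds `hostmount-anyuid`, a built-in SCC that permits hostPath volumes and any UID, which is a much wider grant than `nonroot`; neither the template nor the docs row ("Does this deployment use hostPath volume mounts") says that the flag changes which SCC is granted. Add a comment above the `resourceNames` entry, e.g. `# hostPath deployments need hostmount-anyuid (host filesystem + any UID); otherwise the restrictive nonroot SCC suffices`, and mention the SCC switch in the notes column of the CONFIG-VARS table.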
@@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-pyconfig-scc +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - sas-pyconfig + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: sas-pyconfig-scc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-pyconfig-scc +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-pyconfig + namespace: "{{ NAMESPACE }}" \ No newline at end of file diff --git a/roles/vdm/templates/resources/scc-sas-watchdog.yaml b/roles/vdm/templates/resources/scc-sas-watchdog.yaml new file mode 100644 index 00000000..899ce97c --- /dev/null +++ b/roles/vdm/templates/resources/scc-sas-watchdog.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-watchdog-scc +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - sas-watchdog + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: sas-watchdog-scc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-watchdog-scc +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-programming-environment + namespace: "{{ NAMESPACE }}" \ No newline at end of file diff --git a/roles/vdm/vars/main.yaml b/roles/vdm/vars/main.yaml index 85ece2ec..88e866d9 100644 --- a/roles/vdm/vars/main.yaml +++ b/roles/vdm/vars/main.yaml 
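Review bot: The RoleBinding subject is `sas-programming-environment` while everything else in the file is named `sas-watchdog` (Role, binding, and the `sas-watchdog` SCC in `resourceNames`). If this is deliberate because the watchdog runs inside the programming-environment pods — the defaults later in the series disable the programming-environment SCC when watchdog is enabled, which suggests so — say so with a comment above `subjects:`, e.g. `# sas-watchdog runs in sas-programming-environment pods, so its SCC is bound to that service account`; otherwise this is a copy-paste error that binds the watchdog SCC to the wrong account.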
@@ -22,7 +22,35 @@ pg_cluster_name_map: { } # TODO - Fix once 2021.1.6 is ready and the kustomization files have been updated network_name_map: { - ingress: networking.k8s.io, - contour: projectcountour.io, - route: route.openshift.io + ingress: { + name: networking.k8s.io, + component: ingess/nginx.ingress.kubernetes.io + }, + contour: { + name: projectcountour.io, + component: httpproxy + }, + route: { + name: route.openshift.io, + component: route + }, + istio: { + name: networking.istio.io, + component: virtualservice + } } + +openshift_cas_scc_map: { + standard: { + filesuffix: "", + suffix: "" + }, + host: { + filesuffix: "-host-launch", + suffix: "-host" + }, + sssd: { + filesuffix: "-sssd", + suffix: "-sssd" + }, +} \ No newline at end of file From 05b436f158fcd63860eb64d6f7901a21920a0288 Mon Sep 17 00:00:00 2001 From: Norman Johnson Date: Thu, 12 Sep 2024 12:34:03 -0400 Subject: [PATCH 06/15] fix ocp seccomp remove --- roles/vdm/tasks/openshift.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/vdm/tasks/openshift.yaml b/roles/vdm/tasks/openshift.yaml index 75444a13..29301e78 100644 --- a/roles/vdm/tasks/openshift.yaml +++ b/roles/vdm/tasks/openshift.yaml @@ -8,7 +8,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: overlays/security/remove-seccomp-transformer.yaml, priority: 99 } + - { transformers: overlays/security/container-security/remove-seccomp-transformer.yaml, priority: 99 } tags: - install - uninstall From 8eb16571c9c60c1ac8007c50411f588776fcd6d4 Mon Sep 17 00:00:00 2001 From: Norman Johnson Date: Thu, 12 Sep 2024 12:37:45 -0400 Subject: [PATCH 07/15] fix ocp seccomp remove --- roles/vdm/tasks/openshift.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/vdm/tasks/openshift.yaml b/roles/vdm/tasks/openshift.yaml index 29301e78..b2c499d0 100644 --- a/roles/vdm/tasks/openshift.yaml +++ b/roles/vdm/tasks/openshift.yaml 
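Review bot: `component: ingess/nginx.ingress.kubernetes.io` looks like a typo for `ingress/...`; whatever consumes `network_name_map[...].component` (not visible in this series) will not match it. The `contour` entry also carries over `name: projectcountour.io`, which is not the Contour API group (`projectcontour.io`) — that value predates this change, but the hunk rewrites the line and is the natural place to fix it. The new `openshift_cas_scc_map` keys (`standard`, `host`, `sssd`) are the values `V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE` must take, so a short comment above the map, `# keys are the valid V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE values`, would tie the two together.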
@@ -8,7 +8,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: overlays/security/container-security/remove-seccomp-transformer.yaml, priority: 99 } + - { transformers: overlays/security/container-security/remove-seccomp-transformer.yaml, priority: 90 } tags: - install - uninstall From 1817992d8eaae68b998f782383ece0adc30dfd05 Mon Sep 17 00:00:00 2001 From: Norman Johnson Date: Tue, 6 Aug 2024 16:13:45 -0400 Subject: [PATCH 08/15] enhance overlay ordering controls --- roles/vdm/library/overlay_facts.py | 26 ++++++++------------ roles/vdm/library/siteconfig_info.py | 18 ++++++++------ roles/vdm/tasks/kustomize.yaml | 16 +++--------- roles/vdm/templates/kustomization.yaml | 34 ++++++-------------------- 4 files changed, 32 insertions(+), 62 deletions(-) diff --git a/roles/vdm/library/overlay_facts.py b/roles/vdm/library/overlay_facts.py index 74cc039b..160f882c 100644 --- a/roles/vdm/library/overlay_facts.py +++ b/roles/vdm/library/overlay_facts.py @@ -13,6 +13,7 @@ def main(): "existing": {"required": True, "type": dict}, "cadence_number": {"default": "0.0.0", "type": str}, "cadence_name": {"default": "lts", "type": str}, + "customizations": {"default": {}, "type": dict} } results = dict( @@ -42,8 +43,7 @@ def main(): if ((existingVersion < minVersion) and module.params["cadence_name"].lower() != "fast") or (existingVersion > maxVersion): continue - priority = str(overlay.setdefault("priority", 1)) - phase = "pre" if int(priority) < 50 else "post" + priority = str(overlay.setdefault("priority", 10)) overlay.pop("priority", None) overlay_type = list(overlay.keys())[0] 
@@ -52,24 +52,18 @@ def main(): overlay_path = os.path.join(folderPath, overlay[overlay_type]) module.params['existing'].setdefault(overlay_type, {}) - module.params['existing'][overlay_type].setdefault(phase, {}) + module.params['existing'][overlay_type].setdefault(priority, []) - if priority in module.params['existing'][overlay_type][phase]: - if overlay_path not in module.params['existing'][overlay_type][phase][priority]: - module.params['existing'][overlay_type][phase][priority].append(overlay_path) - else: - module.params['existing'][overlay_type][phase].update({priority: [overlay_path]}) + # duplicate check + if overlay_path not in module.params['existing'][overlay_type][priority]: + module.params['existing'][overlay_type][priority].append(overlay_path) results['ansible_facts'] = {"vdm_overlays": module.params['existing']} module.exit_json(**results) - else: - for resource_type, phases in module.params['existing'].items(): - results['result'][resource_type] = {} - for phase in phases: - results['result'][resource_type][phase] = [] - for priority in sorted(module.params['existing'][resource_type][phase]): - results['result'][resource_type][phase] += module.params['existing'][resource_type][phase][priority] - module.exit_json(**results) + # else: + # results['result'] = set(module.params['existing']).union(module.params['customizations']['overlays']) + # module.fail_json(results) + # module.exit_json(**results) except Exception as e: module.fail_json(error=e, msg="Error occurred") raise diff --git a/roles/vdm/library/siteconfig_info.py b/roles/vdm/library/siteconfig_info.py index 01304793..1b5baaaf 100644 --- a/roles/vdm/library/siteconfig_info.py +++ b/roles/vdm/library/siteconfig_info.py @@ -6,6 +6,7 @@ import glob import yaml import os +import re from enum import Enum, auto class Overlay(Enum): 
@@ -16,15 +17,17 @@ class Overlay(Enum): TRANSFORMER = "transformers" class siteConfig(object): - def __init__(self, basedir): - self._overlays = dict() + def __init__(self, basedir, _overlays): + self._overlays = _overlays self._basedir = os.path.join(basedir, '') def add_overlays(self, overlay_type: Overlay, config: str): - if overlay_type.value in self._overlays: - self._overlays[overlay_type.value].append(self.remove_basedir(config)) - else: - self._overlays[overlay_type.value] = [self.remove_basedir(config)] + match = re.search(r"^(\d{1,2})", os.path.basename(config)) + priority = match.group(1) if match else 50 + + self._overlays.setdefault(overlay_type.value, {}) + self._overlays[overlay_type.value].setdefault(priority, []) + self._overlays[overlay_type.value][priority].append(self.remove_basedir(config)) def get_overlays(self) -> dict: return self._overlays @@ -104,10 +107,11 @@ def main(): fields = { "path": {"required": True, "type": "str"}, "exclude": {"default": [], "type": list}, + "existing": {"default": {}, "type": dict} } module = AnsibleModule(argument_spec=fields) try: - sc = siteConfig(module.params['path']) + sc = siteConfig(module.params['path'], module.params['existing']) scFolder = os.path.join(module.params['path'], 'site-config') _, folders, _ = next(os.walk(scFolder)) for folder in folders: diff --git a/roles/vdm/tasks/kustomize.yaml b/roles/vdm/tasks/kustomize.yaml index 80f99fa0..dc3327ea 100644 --- a/roles/vdm/tasks/kustomize.yaml +++ b/roles/vdm/tasks/kustomize.yaml @@ -37,22 +37,14 @@ - name: Kustomize - Get user's customizations siteconfig_info: + existing: "{{ vdm_overlays }}" path: "{{ DEPLOY_DIR }}" exclude: - vdm - multi-tenant - sas-tenant-job - operator-deploy - register: user_customizations - tags: - - install - - uninstall - - update - -- name: Kustomize - Ordered overlays - overlay_facts: - existing: "{{ vdm_overlays }}" - register: ordered_overlays + register: unified_overlays tags: - install - uninstall 
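Review bot: `priority = match.group(1) if match else 50` yields a `str` when the filename has a numeric prefix and an `int` otherwise, so `self._overlays[type]` can hold both `"50"` and `50`; `exit_json` serialises that dict to JSON, where both become the key `"50"` and one list is silently lost. Use one key type consistently — overlay_facts.py builds `vdm_overlays` with `str(...)` keys, so `priority = match.group(1) if match else "50"` matches what arrives in `existing`. Separately, `^(\d{1,2})` takes the first two digits of any name, so `100-x.yaml` or `2024-x.yaml` get priorities 10 and 20; anchoring on a separator, `^(\d{1,2})[-_]`, limits the rule to names that actually use the prefix convention.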
@@ -62,8 +54,8 @@ include_tasks: copy_overlay.yaml vars: resource: "{{ item.key }}" - overlays: "{{ item.value.pre | default([], true) + item.value.post | default([], true) }}" - with_dict: "{{ ordered_overlays.result }}" + overlays: "{{ item.value | default([], true) }}" + with_dict: "{{ unified_overlays['overlays'] }}" tags: - install - uninstall diff --git a/roles/vdm/templates/kustomization.yaml b/roles/vdm/templates/kustomization.yaml index 1fc802c7..e47c5496 100644 --- a/roles/vdm/templates/kustomization.yaml +++ b/roles/vdm/templates/kustomization.yaml 
@@ -3,34 +3,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1 namespace: {{ NAMESPACE }} -{% for resource in ordered_overlays.result %} +{% for resource in unified_overlays['overlays'] %} {{ resource }}: -{% if 'pre' in ordered_overlays.result[resource] and ordered_overlays.result[resource]['pre']|length > 0 %} -## vdm defined {{ resource }} (pre) -{% for overlay in ordered_overlays.result[resource]['pre'] %} -- {{ overlay |dirname }}/{{ overlay | basename | regex_replace('\\..*\\.yaml$', '.yaml') }} +{% for priority in unified_overlays['overlays'][resource]|sort %} +{% for overlay in unified_overlays['overlays'][resource][priority] %} +{% set dirname = (overlay |dirname ) %} +{% set source = 'vdm' if (dirname.startswith('sas-bases') or dirname.startswith('site-config/vdm')) else 'user' %} +- {{ dirname}}/{{ overlay | basename | regex_replace('\\..*\\.yaml$', '.yaml') }} # source: {{ source }}, priority: {{ priority }} {% endfor %} -{% endif %} -{% if resource in user_customizations.overlays %} -## user defined {{ resource }} -{% for item in user_customizations.overlays[resource]|sort %} -- {{ item }} {% endfor %} -{% endif %} -{% if 'post' in ordered_overlays.result[resource] and ordered_overlays.result[resource]['post']|length > 0 %} -## vdm defined {{ resource }} (post) -{% for overlay in ordered_overlays.result[resource]['post'] %} -- {{ overlay |dirname }}/{{ overlay | basename | regex_replace('\\..*\\.yaml$', '.yaml') }} -{% endfor %} -{% endif %} -{% endfor %} -{% if "components" not in ordered_overlays.result %} -{% if "components" in user_customizations.overlays %} -components: -## user defined components -{% for item in user_customizations.overlays['components']|sort %} -- {{ item }} -{% endfor %} -{% endif %} -{% endif %} +{% endfor %} \ No newline at end of file From 3029336e9bcb5273f56d6247437949bca41c3174 Mon Sep 17 00:00:00 2001 
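Review bot: `unified_overlays['overlays'][resource]|sort` orders the priority keys as strings once they have passed through `exit_json`'s JSON serialisation, so `"5"` sorts after `"10"`..`"49"` and `"100"` before `"2"`, which defeats the ordering this series introduces. Sort numerically and index back with the string form: `{% for priority in unified_overlays['overlays'][resource]|map('int')|sort %}` and `{% for overlay in unified_overlays['overlays'][resource][priority|string] %}` (if some path still produces `int` keys, the producer side needs the same normalisation). The priorities used today (0, 10, 51, 60, 90, 99) happen to sort correctly as strings, which is why the defect is not yet visible.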
From: Norman Johnson Date: Tue, 6 Aug 2024 16:25:00 -0400 Subject: [PATCH 09/15] remvoe unused block and variable --- roles/vdm/library/overlay_facts.py | 54 +++++++++++++----------------- 1 file changed, 24 insertions(+), 30 deletions(-) diff --git a/roles/vdm/library/overlay_facts.py b/roles/vdm/library/overlay_facts.py index 160f882c..f7dd00ac 100644 --- a/roles/vdm/library/overlay_facts.py +++ b/roles/vdm/library/overlay_facts.py @@ -13,7 +13,6 @@ def main(): "existing": {"required": True, "type": dict}, "cadence_number": {"default": "0.0.0", "type": str}, "cadence_name": {"default": "lts", "type": str}, - "customizations": {"default": {}, "type": dict} } results = dict( 
@@ -31,39 +30,34 @@ def main(): module.exit_json(**results) try: - if len(module.params['add']) > 0: - for overlay in module.params['add']: - - # Version checks - minVersion = parse_version(str(overlay.setdefault("min", "0.0.0"))) - if "max" in overlay and module.params["cadence_name"].lower() == "fast": - continue - maxVersion = parse_version(str(overlay.setdefault("max", "9999.9999.9999"))) - existingVersion = parse_version(module.params['cadence_number']) - if ((existingVersion < minVersion) and module.params["cadence_name"].lower() != "fast") or (existingVersion > maxVersion): - continue + for overlay in module.params['add']: + + # Version checks + minVersion = parse_version(str(overlay.setdefault("min", "0.0.0"))) + if "max" in overlay and module.params["cadence_name"].lower() == "fast": + continue + maxVersion = parse_version(str(overlay.setdefault("max", "9999.9999.9999"))) + existingVersion = parse_version(module.params['cadence_number']) + if ((existingVersion < minVersion) and module.params["cadence_name"].lower() != "fast") or (existingVersion > maxVersion): + continue - priority = str(overlay.setdefault("priority", 10)) - overlay.pop("priority", None) - overlay_type = list(overlay.keys())[0] + priority = str(overlay.setdefault("priority", 10)) + overlay.pop("priority", None) + overlay_type = list(overlay.keys())[0] - # set correct path for vdm or sas-bases patches - folderPath = os.path.join("site-config/vdm", overlay_type) if bool(overlay.setdefault("vdm", False)) else "sas-bases/" - overlay_path = os.path.join(folderPath, overlay[overlay_type]) - - module.params['existing'].setdefault(overlay_type, {}) - module.params['existing'][overlay_type].setdefault(priority, []) + # set correct path for vdm or sas-bases patches + folderPath = os.path.join("site-config/vdm", overlay_type) if bool(overlay.setdefault("vdm", False)) else "sas-bases/" + overlay_path = os.path.join(folderPath, overlay[overlay_type]) + + 
module.params['existing'].setdefault(overlay_type, {}) + module.params['existing'][overlay_type].setdefault(priority, []) - # duplicate check - if overlay_path not in module.params['existing'][overlay_type][priority]: - module.params['existing'][overlay_type][priority].append(overlay_path) + # duplicate check + if overlay_path not in module.params['existing'][overlay_type][priority]: + module.params['existing'][overlay_type][priority].append(overlay_path) - results['ansible_facts'] = {"vdm_overlays": module.params['existing']} - module.exit_json(**results) - # else: - # results['result'] = set(module.params['existing']).union(module.params['customizations']['overlays']) - # module.fail_json(results) - # module.exit_json(**results) + results['ansible_facts'] = {"vdm_overlays": module.params['existing']} + module.exit_json(**results) except Exception as e: module.fail_json(error=e, msg="Error occurred") raise From 49c0f9632d880b37077e5687cffd9a2cf4ca55e4 Mon Sep 17 00:00:00 2001 From: Norman Johnson Date: Tue, 6 Aug 2024 16:41:56 -0400 Subject: [PATCH 10/15] fix vdm copy overlays --- roles/vdm/tasks/kustomize.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/vdm/tasks/kustomize.yaml b/roles/vdm/tasks/kustomize.yaml index dc3327ea..1d032b44 100644 --- a/roles/vdm/tasks/kustomize.yaml +++ b/roles/vdm/tasks/kustomize.yaml @@ -54,7 +54,7 @@ include_tasks: copy_overlay.yaml vars: resource: "{{ item.key }}" - overlays: "{{ item.value | default([], true) }}" + overlays: "{{ item.value.values() | default([], true) }}" with_dict: "{{ unified_overlays['overlays'] }}" tags: - install From 19a1ee6de04ed8e76ced41c11fb47d1108004d86 Mon Sep 17 00:00:00 2001 From: Norman Johnson Date: Wed, 7 Aug 2024 09:54:06 -0400 Subject: [PATCH 11/15] fail if user defined overlay is 0 --- roles/vdm/library/siteconfig_info.py | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) 
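Review bot: `overlay_type = list(overlay.keys())[0]` still depends on the caller listing the overlay kind first: `setdefault("min", …)` and `setdefault("max", …)` insert those keys into the same dict just before, so an entry written as `{ min: "2021.2", transformers: x }` gets `overlay_type == "min"` and a path of `sas-bases/2021.2`. Deriving the type by excluding the metadata keys is order-independent: `meta = {"min", "max", "priority", "vdm"}` then `overlay_type = next(k for k in overlay if k not in meta)`. On the same lines, `str(overlay.setdefault("priority", 10))` followed by `overlay.pop("priority", None)` is just `priority = str(overlay.pop("priority", 10))`. The start of main() lies outside the hunk.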
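Review bot: `item.value.values()` produces a list of per-priority lists, not a flat list of overlay paths, so `helpers/copy_overlay.yaml` receives nested lists unless it flattens them itself (it is not visible here; `add_if_exists.yaml` in this series does `overlays |flatten(levels=1)` for the same shape). `overlays: "{{ item.value.values() | flatten | default([], true) }}"` makes the contract explicit at the call site rather than relying on the included file.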
diff --git a/roles/vdm/library/siteconfig_info.py b/roles/vdm/library/siteconfig_info.py index 1b5baaaf..a491d4ba 100644 --- a/roles/vdm/library/siteconfig_info.py +++ b/roles/vdm/library/siteconfig_info.py @@ -17,14 +17,19 @@ class Overlay(Enum): TRANSFORMER = "transformers" class siteConfig(object): - def __init__(self, basedir, _overlays): - self._overlays = _overlays + def __init__(self, basedir, overlays, fail_json): + self._overlays = overlays self._basedir = os.path.join(basedir, '') + self._fail_json = fail_json def add_overlays(self, overlay_type: Overlay, config: str): match = re.search(r"^(\d{1,2})", os.path.basename(config)) - priority = match.group(1) if match else 50 - + priority = 50 + if match: + if int(match.group(1)) == 0: + self._fail_json(f"User defined overlay cannot be priority 0, {config}") + else: + priority = int(match.group(1)) self._overlays.setdefault(overlay_type.value, {}) self._overlays[overlay_type.value].setdefault(priority, []) self._overlays[overlay_type.value][priority].append(self.remove_basedir(config)) @@ -111,7 +116,7 @@ def main(): } module = AnsibleModule(argument_spec=fields) try: - sc = siteConfig(module.params['path'], module.params['existing']) + sc = siteConfig(module.params['path'], module.params['existing'], module.fail_json) scFolder = os.path.join(module.params['path'], 'site-config') _, folders, _ = next(os.walk(scFolder)) for folder in folders: From 5bd634c4fa0e0588c67a201b06c76bb9e13d3010 Mon Sep 17 00:00:00 2001 
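Review bot: `priority = 50` and `priority = int(match.group(1))` produce `int` keys, but the `overlays` dict handed in as `existing` comes from `vdm_overlays`, which overlay_facts.py builds with `str(...)` keys and which has been JSON-serialised by `exit_json`, so a user overlay at priority 50 lands under `50` next to an existing `"50"`; when this module's result is serialised both collapse to the JSON key `"50"` and one list is dropped. Normalise to strings here — `priority = "50"` and `priority = str(int(match.group(1)))` — or convert both sides the same way. `self._fail_json(f"...")` passes the message positionally; older ansible-core releases require `msg=`, so `self._fail_json(msg=f"User defined overlay cannot be priority 0, {config}")` is the safer call and matches the `msg=` keyword used at the bottom of main().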
From: Norman Johnson Date: Thu, 12 Sep 2024 13:19:01 -0400 Subject: [PATCH 12/15] rebase upstream --- docs/CONFIG-VARS.md | 27 +++- roles/vdm/defaults/main.yaml | 14 ++ roles/vdm/library/overlay_facts.py | 2 +- roles/vdm/tasks/cas.yaml | 14 +- roles/vdm/tasks/connect.yaml | 2 +- roles/vdm/tasks/helpers/add_if_exists.yaml | 56 +++++++ .../vdm/tasks/{ => helpers}/copy_overlay.yaml | 0 roles/vdm/tasks/kustomize.yaml | 4 +- roles/vdm/tasks/main.yaml | 33 ++-- roles/vdm/tasks/message_broker.yaml | 2 +- roles/vdm/tasks/mirror.yaml | 6 +- roles/vdm/tasks/openshift.yaml | 142 ++++++++++++++++++ .../tasks/postgres/gcp-cloud-sql-proxy.yaml | 2 +- .../vdm/tasks/postgres/postgres-instance.yaml | 12 +- .../postgres-multi-tenant-config.yaml | 12 +- roles/vdm/tasks/postgres/postgres.yaml | 14 +- roles/vdm/tasks/start_stop.yaml | 2 +- roles/vdm/tasks/storage.yaml | 12 +- roles/vdm/tasks/tls.yaml | 97 ++++++++---- roles/vdm/tasks/workload_orchestrator.yaml | 4 +- roles/vdm/templates/copy_if_exists.yaml.j2 | 14 ++ ...openssl-generated-ingress-certificate.yaml | 7 +- .../scc-sas-airflow-create-user-job.yaml | 126 ++++++++++++++++ .../resources/scc-sas-cas-server.yaml | 28 ++++ .../resources/scc-sas-connect-spawner.yaml | 28 ++++ .../resources/scc-sas-esp-project.yaml | 28 ++++ .../scc-sas-microanalytic-score.yaml | 28 ++++ .../scc-sas-model-publish-kaniko.yaml | 28 ++++ .../resources/scc-sas-model-repository.yaml | 28 ++++ .../scc-sas-programming-environment.yaml | 28 ++++ .../templates/resources/scc-sas-pyconfig.yaml | 28 ++++ .../templates/resources/scc-sas-watchdog.yaml | 28 ++++ roles/vdm/vars/main.yaml | 34 ++++- 33 files changed, 801 insertions(+), 89 deletions(-) create mode 100644 roles/vdm/tasks/helpers/add_if_exists.yaml rename roles/vdm/tasks/{ => helpers}/copy_overlay.yaml (100%) create mode 100644 roles/vdm/tasks/openshift.yaml create mode 100644 roles/vdm/templates/copy_if_exists.yaml.j2 create mode 100644 
roles/vdm/templates/resources/scc-sas-airflow-create-user-job.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-cas-server.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-connect-spawner.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-esp-project.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-microanalytic-score.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-model-publish-kaniko.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-model-repository.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-programming-environment.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-pyconfig.yaml create mode 100644 roles/vdm/templates/resources/scc-sas-watchdog.yaml diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md index 59ea5a2d..1957ff4b 100644 --- a/docs/CONFIG-VARS.md +++ b/docs/CONFIG-VARS.md @@ -26,6 +26,7 @@ Supported configuration variables are listed in the table below. All variables - [CONNECT](#connect) - [Workload Orchestrator](#workload-orchestrator) - [Miscellaneous](#miscellaneous) + - [Openshift](#openshift) - [Third-Party Tools](#third-party-tools) - [Cert-manager](#cert-manager) - [Cluster Autoscaler](#cluster-autoscaler) @@ -35,6 +36,7 @@ Supported configuration variables are listed in the table below. All variables - [NFS Client](#nfs-client) - [Postgres NFS Client](#postgres-nfs-client) + ## BASE | Name | Description | Type | Default | Required | Notes | Tasks | 
@@ -365,6 +367,29 @@ Notes: - For example, defining `V4_CFG_VIYA_STOP_SCHEDULE` and not `V4_CFG_VIYA_START_SCHEDULE` will result in a Viya stop job that runs on a schedule and a suspended Viya start job that you will be able to manually trigger. - Defining both `V4_CFG_VIYA_START_SCHEDULE` and `V4_CFG_VIYA_STOP_SCHEDULE` will result in a non-suspended Viya start and stop job that runs on the schedule you defined. +## Openshift + +This tool has basic support for Openshift. It will configure routes, TLS, remove seccomp profile, and can **optionally** setup SecurityContextConstraints (SCC) and dependant RBAC permissions. + +Notes: + - must be set to "route" + - This tool does **not** handle the configurations needed for sas-opendistro or OpenSearch needed when running on Openshift. + +| Name | Description | Type | Default | Required | Notes | Tasks | +| :--- | ---: | ---: | ---: | ---: | ---: | ---: | +| V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED | Globally setting to enable SCC configuration and dependent RBAC creation | bool | false | false | Can be overridden with individual settings below | viya | +| V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE | CAS server mode | string | standard | false | Supported values: [`standard`, `sssd`, `host`] | viya | +| V4_CFG_OPENSHIFT_SCC_AIRFLOW | Configure SCC and dependent RBAC for sas-airflow | bool | | false | Only applicable if deployment includes SAS Airflow | viya | +| V4_CFG_OPENSHIFT_SCC_ESP_PROJECT | Configure SCC and dependent RBAC for sas-esp-project | bool | | false | Only applicable if deployment includes SAS Event Stream Processing | viya | +| V4_CFG_OPENSHIFT_SCC_MICROANALYTIC_SCORE | Configure SCC and dependent RBAC for sas-microanalytic-score | bool | | false | Only applicable if deployment includes SAS Microanalytic Score | viya | +| V4_CFG_OPENSHIFT_SCC_MODEL_PUBLISH_KANIKO | Configure SCC and dependent RBAC for sas-model-publish-kaniko | bool | | false | Required to be set to **true** if you plan to publish models with SAS 
Model Manager or SAS Intelligent Decisioning to containers using kaniko | viya | +| V4_CFG_OPENSHIFT_SCC_MODEL_REPOSITORY | Configure SCC and dependent RBAC for sas-model-repository | bool | | false | Only applicable if deployment includes SAS Model Repository | viya | +| V4_CFG_OPENSHIFT_SCC_PYCONFIG | Configure SCC and dependent RBAC for sas-pyconfig | bool | | false | | viya | +| V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT | Configure SCC and dependent RBAC for sas-programming-environment | bool | | false | This or should be set true but not both | viya | +| V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT_HOSTPATH | Does this deployment use hostPath volume mounts | bool | false | false | | viya | +| V4_CFG_OPENSHIFT_SCC_CONNECT_SPAWNER | Configure SCC and dependent RBAC for sas-connect-spawner | bool | | false | Required to be set to **true** only if you intend to launch your SAS/CONNECT servers in the Spawner pod, rather than in their own pods | viya | +| V4_CFG_OPENSHIFT_SCC_WATCHDOG | Configure SCC and dependent RBAC for sas-watchdog | bool | false | false | This or should be set true but not both.
Required to be set to **true** if you are deploying SAS Watchdog | viya | + ## Third-Party Tools ### Cert-manager @@ -456,4 +481,4 @@ The Postgres NFS client is currently supported by the nfs-subdir-external-provis | PG_NFS_CLIENT_CHART_URL | nfs-subdir-external-provisioner Helm chart URL | string | Go [here](https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/) for more information. | false | | baseline | | PG_NFS_CLIENT_CHART_NAME | nfs-subdir-external-provisioner Helm chart name | string | nfs-subdir-external-provisioner | false | | baseline | | PG_NFS_CLIENT_CHART_VERSION | nfs-subdir-external-provisioner Helm chart version | string | 4.0.18| false | | baseline | -| PG_NFS_CLIENT_CONFIG | nfs-subdir-external-provisioner Helm values | string | See [this file](../roles/baseline/defaults/main.yml) for more information. | false | | baseline | +| PG_NFS_CLIENT_CONFIG | nfs-subdir-external-provisioner Helm values | string | See [this file](../roles/baseline/defaults/main.yml) for more information. | false | | baseline | \ No newline at end of file diff --git a/roles/vdm/defaults/main.yaml b/roles/vdm/defaults/main.yaml index 1df50dc7..ae96bf10 100644 --- a/roles/vdm/defaults/main.yaml +++ b/roles/vdm/defaults/main.yaml 
@@ -117,3 +117,17 @@ V4_WORKLOAD_ORCHESTRATOR_ENABLED: true ## NIST Features V4_CFG_NIST_FEATURES_ENABLED: false + +## Openshift +V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED: false +V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE: standard # standard, ssd, host +V4_CFG_OPENSHIFT_SCC_AIRFLOW: "{{ V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED }}" +V4_CFG_OPENSHIFT_SCC_ESP_PROJECT: "{{ V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED }}" +V4_CFG_OPENSHIFT_SCC_MICROANALYTIC_SCORE: "{{ V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED }}" +V4_CFG_OPENSHIFT_SCC_MODEL_PUBLISH_KANIKO: "{{ V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED }}" +V4_CFG_OPENSHIFT_SCC_MODEL_REPOSITORY: "{{ V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED }}" +V4_CFG_OPENSHIFT_SCC_PYCONFIG: "{{ V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED }}" +V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT: "{{ V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED if not V4_CFG_OPENSHIFT_SCC_WATCHDOG else false }}" +V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT_HOSTPATH: false +V4_CFG_OPENSHIFT_SCC_CONNECT_SPAWNER: false +V4_CFG_OPENSHIFT_SCC_WATCHDOG: false \ No newline at end of file diff --git a/roles/vdm/library/overlay_facts.py b/roles/vdm/library/overlay_facts.py index f7dd00ac..3f496ff1 100644 --- a/roles/vdm/library/overlay_facts.py +++ b/roles/vdm/library/overlay_facts.py @@ -46,7 +46,7 @@ def main(): overlay_type = list(overlay.keys())[0] # set correct path for vdm or sas-bases patches - folderPath = os.path.join("site-config/vdm", overlay_type) if bool(overlay.setdefault("vdm", False)) else "sas-bases/" + folderPath = "sas-bases/" if ("/" in overlay[overlay_type] or overlay[overlay_type] == "base") else os.path.join("site-config/vdm", overlay_type) overlay_path = os.path.join(folderPath, overlay[overlay_type]) module.params['existing'].setdefault(overlay_type, {}) diff --git a/roles/vdm/tasks/cas.yaml b/roles/vdm/tasks/cas.yaml index 698e0651..3a86efc2 100644 --- a/roles/vdm/tasks/cas.yaml +++ b/roles/vdm/tasks/cas.yaml 
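Review bot: The inline comment `# standard, ssd, host` on `V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE` misspells the third mode; `openshift_cas_scc_map` in roles/vdm/vars/main.yaml and the docs table use `sssd`, and a user who copies `ssd` gets an undefined-key failure when `scc-sas-cas-server.yaml` renders `openshift_cas_scc_map[V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE]`. Change it to `# standard, sssd, host` and consider an `assert` task that checks the value is a key of `openshift_cas_scc_map` before the template is applied, so the error names the variable instead of a Jinja lookup. `V4_CFG_OPENSHIFT_SCC_MODEL_PUBLISH_KANIKO` also inherits the global flag although the docs say it is needed only when publishing with kaniko; since it grants the `anyuid` SCC, an explicit `false` default is the safer choice.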
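Review bot: `folderPath = "sas-bases/" if ("/" in overlay[overlay_type] or overlay[overlay_type] == "base") else ...` replaces the explicit `vdm: true` flag with a path-shape heuristic, so a vdm template placed in a subdirectory of `templates/<type>/` is silently looked up under `sas-bases/`, and a bare sas-bases filename at the root would go to `site-config/vdm`. If the convention is "vdm templates are always flat files", state it on the line: `# convention: vdm templates are flat files under templates/<type>/; anything with a path separator (or "base") refers to sas-bases`. Keeping `vdm` as an optional override (`overlay.get("vdm")` winning over the heuristic) would let the callers simplified in this commit keep working without depending on the convention.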
@@ -39,8 +39,8 @@ existing: "{{ vdm_overlays }}" add: - { transformers: overlays/cas-server/cas-sssd-sidecar.yaml, priority: 0 } - - { transformers: cas-sssd.yaml, vdm: true } - - { generators: sas-sssd-config.yaml, vdm: true } + - { transformers: cas-sssd.yaml } + - { generators: sas-sssd-config.yaml } - name: CAS - backup controller overlay_facts: @@ -48,7 +48,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: cas-manage-backup.yaml, vdm: true } + - { transformers: cas-manage-backup.yaml } when: - V4_CFG_CAS_ENABLE_BACKUP_CONTROLLER tags: @@ -77,7 +77,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: cas-manage-cpu-and-memory.yaml, vdm: true } + - { transformers: cas-manage-cpu-and-memory.yaml } when: - V4_CFG_CAS_RAM is not none - V4_CFG_CAS_CORES is not none @@ -92,7 +92,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: cas-manage-workers.yaml, vdm: true } + - { transformers: cas-manage-workers.yaml } when: - V4_CFG_CAS_WORKER_COUNT |int > 1 tags: @@ -106,7 +106,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: cas-enable-external-services.yaml, vdm: true } + - { transformers: cas-enable-external-services.yaml } when: - V4_CFG_CAS_ENABLE_LOADBALANCER tags: @@ -120,7 +120,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: cas-auto-restart.yaml, vdm: true, min: "2021.2" } + - { transformers: cas-auto-restart.yaml, min: "2021.2" } when: - V4_DEPLOYMENT_OPERATOR_ENABLED - V4_CFG_CAS_ENABLE_AUTO_RESTART diff --git a/roles/vdm/tasks/connect.yaml b/roles/vdm/tasks/connect.yaml index 6c235f45..59726750 100644 --- a/roles/vdm/tasks/connect.yaml +++ b/roles/vdm/tasks/connect.yaml 
@@ -8,7 +8,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: sas-connect-spawner-enable-loadbalancer.yaml, vdm: true } + - { resources: sas-connect-spawner-enable-loadbalancer.yaml } when: - V4_CFG_CONNECT_ENABLE_LOADBALANCER tags: diff --git a/roles/vdm/tasks/helpers/add_if_exists.yaml b/roles/vdm/tasks/helpers/add_if_exists.yaml new file mode 100644 index 00000000..968fb1ba --- /dev/null +++ b/roles/vdm/tasks/helpers/add_if_exists.yaml @@ -0,0 +1,56 @@ +# Copyright © 2020-2024, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 + +--- +- name: Check if file exists - {{ resource }} + stat: + path: "{{ DEPLOY_DIR }}/sas-bases/{{ resource }}" + register: resource_check + tags: + - install + - uninstall + - update + +- block: + - set_fact: + copy_overlay_item: "{{ lookup('template', 'copy_if_exists.yaml.j2') | from_yaml }}" + loop : "{{ overlays |flatten(levels=1) }}" + register: copy_overlay_result + + - set_fact: + copy_overlays: "{{ copy_overlay_result.results | map(attribute='ansible_facts.copy_overlay_item') | list }}" + tags: + - install + - uninstall + - update + + - copy: + src: "{{ DEPLOY_DIR }}/sas-bases/{{ item.path }}" + dest: "{{ role_path }}/templates/{{ item.type }}/" + mode: "0660" + with_items: + - "{{ copy_overlays }}" + when: "item.path.startswith('examples')" + tags: + - install + - uninstall + - update + + - overlay_facts: + cadence_name: "{{ V4_CFG_CADENCE_NAME }}" + cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" + existing: "{{ vdm_overlays }}" + add: + - "{{ [[item.type, item.filename], ['priority', item.priority]] | community.general.dict }}" + with_items: + - "{{ copy_overlays }}" + tags: + - install + - uninstall + - update + + when: resource_check.stat.exists + tags: + - install + - uninstall + - update \ No newline at end of file 
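Review bot: The `copy` task writes upstream example files into `{{ role_path }}/templates/{{ item.type }}/`, i.e. it mutates the installed role at run time; that fails on a read-only role checkout and leaves the copied files behind in the role between runs and across cadences. Staging them in a per-run directory under `DEPLOY_DIR` (the way VDM overlays are already staged under `site-config/vdm`) would avoid both. Smaller points: `loop :` has a stray space before the colon, and the `tags` on the three inner tasks duplicate the block-level `tags` and can be dropped. If the templates directory is rendered with Jinja2 later in the role (not visible here), a literal `{{` inside an upstream example would be interpreted; worth confirming before relying on this path.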
diff --git a/roles/vdm/tasks/copy_overlay.yaml b/roles/vdm/tasks/helpers/copy_overlay.yaml similarity index 100% rename from roles/vdm/tasks/copy_overlay.yaml rename to roles/vdm/tasks/helpers/copy_overlay.yaml diff --git a/roles/vdm/tasks/kustomize.yaml b/roles/vdm/tasks/kustomize.yaml index 1d032b44..04a4ab13 100644 --- a/roles/vdm/tasks/kustomize.yaml +++ b/roles/vdm/tasks/kustomize.yaml @@ -29,7 +29,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: sas-deployment-buildinfo.yaml, vdm: true } + - { resources: sas-deployment-buildinfo.yaml } tags: - install - uninstall @@ -51,7 +51,7 @@ - update - name: Kustomize - Copy VDM overlays - include_tasks: copy_overlay.yaml + include_tasks: helpers/copy_overlay.yaml vars: resource: "{{ item.key }}" overlays: "{{ item.value.values() | default([], true) }}" diff --git a/roles/vdm/tasks/main.yaml b/roles/vdm/tasks/main.yaml index b3fcb44f..97b68781 100644 --- a/roles/vdm/tasks/main.yaml +++ b/roles/vdm/tasks/main.yaml @@ -53,11 +53,11 @@ - { resources: overlays/update-checker } - { configurations: overlays/required/kustomizeconfig.yaml, priority: 51 } - { transformers: overlays/required/transformers.yaml, priority: 60 } - - { generators: sas-license.yaml, vdm: true } - - { generators: sas-shared-config.yaml, vdm: true } - - { generators: sas-consul-config.yaml, vdm: true, max: "2021.1" } - - { generators: sas-consul-config-secret.yaml, vdm: true, min: 2021.1.1 } - - { generators: ingress-input.yaml, vdm: true } + - { generators: sas-license.yaml } + - { generators: sas-shared-config.yaml } + - { generators: sas-consul-config.yaml, max: "2021.1" } + - { generators: sas-consul-config-secret.yaml, min: 2021.1.1 } + - { generators: ingress-input.yaml } tags: - install - uninstall 
@@ -82,7 +82,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { generators: sas-image-pull-secrets.yaml, vdm: true } + - { generators: sas-image-pull-secrets.yaml } - name: Include Mirror include_tasks: mirror.yaml @@ -92,6 +92,15 @@ - uninstall - update +- name: Include Openshift + include_tasks: openshift.yaml + when: + - V4_CFG_INGRESS_TYPE == "route" + tags: + - install + - uninstall + - update + - name: Include MultiTenant include_tasks: multi_tenant.yaml when: V4MT_ENABLE @@ -120,9 +129,9 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: openldap.yaml, vdm: true } - - { transformers: openldap.yaml, vdm: true } - - { generators: openldap-bootstrap-config.yaml, vdm: true } + - { resources: openldap.yaml } + - { transformers: openldap.yaml } + - { generators: openldap-bootstrap-config.yaml } when: - not V4MT_ENABLE - V4_CFG_EMBEDDED_LDAP_ENABLE @@ -137,9 +146,9 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: openldap.yaml, vdm: true } - - { transformers: openldap.yaml, vdm: true } - - { generators: openldap-bootstrap-mt-config.yaml, vdm: true } + - { resources: openldap.yaml } + - { transformers: openldap.yaml } + - { generators: openldap-bootstrap-mt-config.yaml } when: - V4MT_ENABLE - V4_CFG_EMBEDDED_LDAP_ENABLE diff --git a/roles/vdm/tasks/message_broker.yaml b/roles/vdm/tasks/message_broker.yaml index 18a23c8c..e7624c56 100644 --- a/roles/vdm/tasks/message_broker.yaml +++ b/roles/vdm/tasks/message_broker.yaml @@ -78,7 +78,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: "rabbitmq-node-count.yaml", vdm: true} + - { transformers: "rabbitmq-node-count.yaml"} when: rabbitmq_config.stat.exists tags: - install diff --git a/roles/vdm/tasks/mirror.yaml b/roles/vdm/tasks/mirror.yaml index cf70db6d..2c2d9529 100644 --- a/roles/vdm/tasks/mirror.yaml 
+++ b/roles/vdm/tasks/mirror.yaml @@ -28,9 +28,9 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: mirror.yaml, vdm: true, priority: 65 } - - { generators: mirror.yaml, vdm: true, max: "2022.09" } - - { generators: mirror.v2.yaml, vdm: true, min: "2022.10" } + - { transformers: mirror.yaml, priority: 65 } + - { generators: mirror.yaml, max: "2022.09" } + - { generators: mirror.v2.yaml, min: "2022.10" } tags: - install - uninstall diff --git a/roles/vdm/tasks/openshift.yaml b/roles/vdm/tasks/openshift.yaml new file mode 100644 index 00000000..75444a13 --- /dev/null +++ b/roles/vdm/tasks/openshift.yaml 
@@ -0,0 +1,142 @@ +# Copyright © 2020-2024, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 + +--- +- name: Openshift - seccomp + overlay_facts: + cadence_name: "{{ V4_CFG_CADENCE_NAME }}" + cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" + existing: "{{ vdm_overlays }}" + add: + - { transformers: overlays/security/remove-seccomp-transformer.yaml, priority: 99 } + tags: + - install + - uninstall + - update + +- name: Openshift SCC - airflow + include_tasks: helpers/add_if_exists.yaml + vars: + resource: "examples/sas-airflow/README.md" + overlays: + - { resources: scc-sas-airflow-create-user-job.yaml } + when: V4_CFG_OPENSHIFT_SCC_AIRFLOW + tags: + - install + - uninstall + - update + +- name: Openshift SCC - cas-server + include_tasks: helpers/add_if_exists.yaml + vars: + resource: "examples/cas/configure/cas-server-scc{{ openshift_cas_scc_map[V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE]['filesuffix'] }}.yaml" + overlays: + - { resources: "examples/cas/configure/cas-server-scc{{ openshift_cas_scc_map[V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE]['filesuffix'] }}.yaml" } + - { resources: scc-sas-cas-server.yaml } + when: V4_CFG_OPENSHIFT_SCC_RBAC_ENABLED + tags: + - install + - uninstall + - update + +- name: Openshift SCC - sas-connect-spawner + include_tasks: helpers/add_if_exists.yaml + vars: + resource: "examples/sas-connect-spawner/openshift/sas-connect-spawner-scc.yaml" + overlays: + - { resources: examples/sas-connect-spawner/openshift/sas-connect-spawner-scc.yaml } + - { resources: scc-sas-connect-spawner.yaml } + when: V4_CFG_OPENSHIFT_SCC_CONNECT_SPAWNER + tags: + - install + - uninstall + - update + +- name: Openshift SCC - sas-esp-project + include_tasks: helpers/add_if_exists.yaml + vars: + resource: "examples/sas-esp-operator/README.md" + overlays: + - { resources: scc-esp-project.yaml } + when: V4_CFG_OPENSHIFT_SCC_ESP_PROJECT + tags: + - install + - uninstall + - update + +- name: Openshift SCC - 
sas-microanalytic-score + include_tasks: helpers/add_if_exists.yaml + vars: + resource: "overlays/sas-microanalytic-score/service-account/README.md" + overlays: + - { resources: overlays/sas-microanalytic-score/service-account/sas-microanalytic-score-scc.yaml } + - { resources: scc-sas-microanalytic-score.yaml } + when: V4_CFG_OPENSHIFT_SCC_MICROANALYTIC_SCORE + tags: + - install + - uninstall + - update + +- name: Openshift SCC - sas-model-publish-kaniko + include_tasks: helpers/add_if_exists.yaml + vars: + resource: "examples/sas-model-publish/kaniko/README.md" + overlays: + - { resources: scc-sas-model-publish-kaniko.yaml } + when: V4_CFG_OPENSHIFT_SCC_MODEL_PUBLISH_KANIKO + tags: + - install + - uninstall + - update + +- name: Openshift SCC - sas-model-repository + include_tasks: helpers/add_if_exists.yaml + vars: + resource: "overlays/sas-model-repository/service-account/README.md" + overlays: + - { resources: overlays/sas-model-repository/service-account/sas-model-repository-scc.yaml } + - { resources: scc-sas-model-repository.yaml } + when: V4_CFG_OPENSHIFT_SCC_MODEL_REPOSITORY + tags: + - install + - uninstall + - update + +- name: Openshift SCC - pyconfig + include_tasks: helpers/add_if_exists.yaml + vars: + resource: "examples/sas-pyconfig/pyconfig-scc.yaml" + overlays: + - { resources: examples/sas-pyconfig/pyconfig-scc.yaml } + - { resources: scc-sas-pyconfig.yaml } + when: V4_CFG_OPENSHIFT_SCC_PYCONFIG + tags: + - install + - uninstall + - update + +- name: Openshift SCC - sas-watchdog + include_tasks: helpers/add_if_exists.yaml + vars: + resource: "overlays/sas-programming-environment/watchdog/README.md" + overlays: + - { resources: examples/sas-programming-environment/watchdog/sas-watchdog-scc.yaml } + - { resources: scc-sas-watchdog.yaml } + when: V4_CFG_OPENSHIFT_SCC_WATCHDOG + tags: + - install + - uninstall + - update + +- name: Openshift SCC - sas-programming-environment + overlay_facts: + cadence_name: "{{ V4_CFG_CADENCE_NAME }}" + 
cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" + existing: "{{ vdm_overlays }}" + add: + - { resources: sas-programming-environment.yaml } + when: V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT + tags: + - install + - uninstall + - update diff --git a/roles/vdm/tasks/postgres/gcp-cloud-sql-proxy.yaml b/roles/vdm/tasks/postgres/gcp-cloud-sql-proxy.yaml index 8bf16493..47262ad9 100644 --- a/roles/vdm/tasks/postgres/gcp-cloud-sql-proxy.yaml +++ b/roles/vdm/tasks/postgres/gcp-cloud-sql-proxy.yaml @@ -41,6 +41,6 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: "cloud-sql-proxy-{{ role }}-instance.yaml", vdm: true } + - { resources: "cloud-sql-proxy-{{ role }}-instance.yaml" } - { transformers: overlays/external-postgres/googlecloud-full-stack-tls-transformer.yaml, priority: 55, max: "2022.09" } - { transformers: overlays/postgres/external-postgres/gcp-tls-transformer.yaml, priority: 55, min: "2022.10" } diff --git a/roles/vdm/tasks/postgres/postgres-instance.yaml b/roles/vdm/tasks/postgres/postgres-instance.yaml index 9d68f4c4..a1182175 100644 --- a/roles/vdm/tasks/postgres/postgres-instance.yaml +++ b/roles/vdm/tasks/postgres/postgres-instance.yaml @@ -195,7 +195,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: "{{ role }}-crunchy-storage-transformer.yaml", min: "2022.10", vdm: true } + - { transformers: "{{ role }}-crunchy-storage-transformer.yaml", min: "2022.10" } - name: Postgres instance - set immutable storage transformer values block: - name: Postgres instance - save role storage map values 
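Review bot: `Openshift - seccomp` adds `overlays/security/remove-seccomp-transformer.yaml` at priority 99 with no `when`, so every deployment that takes the route ingress path has its seccomp profiles stripped, while every SCC task below it is gated on a `V4_CFG_OPENSHIFT_SCC_*` default. Removing seccomp is a hardening regression an operator should opt into knowingly; give it its own toggle in defaults (name to be chosen) and a comment stating which cadence/SCC combination makes it necessary. In `Openshift SCC - sas-watchdog` the existence check probes `overlays/sas-programming-environment/watchdog/README.md` but the overlay added is `examples/sas-programming-environment/watchdog/sas-watchdog-scc.yaml`, a different tree from the one probed, unlike the microanalytic-score and model-repository tasks where both paths agree. This may be intentional, but if the example file is absent at a given cadence the copy task in `add_if_exists.yaml` would fail on a missing source, so either probe the file actually copied or comment why the README is the right sentinel.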
@@ -300,8 +300,8 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: "{{ role }}-dataserver-transformer.yaml", min: "2022.10", vdm: true } - - { generators: "postgres-{{ role }}-secrets.yaml", min: "2022.10", vdm: true } + - { transformers: "{{ role }}-dataserver-transformer.yaml", min: "2022.10" } + - { generators: "postgres-{{ role }}-secrets.yaml", min: "2022.10" } - name: Postgres instance - external post 2022.10 - additional servers when: @@ -325,7 +325,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: "platform-postgres-{{ role }}-dataserver.yaml", min: "2022.10", vdm: true } + - { resources: "platform-postgres-{{ role }}-dataserver.yaml", min: "2022.10" } # TODO Fix Logic for tasks below @@ -349,7 +349,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: "postgres-{{ role }}-instance.yaml", vdm: true } + - { resources: "postgres-{{ role }}-instance.yaml" } - name: Postgres instance - external pre 2022.10 when: @@ -372,4 +372,4 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: "postgres-{{ role }}-instance.yaml", vdm: true } + - { resources: "postgres-{{ role }}-instance.yaml" } diff --git a/roles/vdm/tasks/postgres/postgres-multi-tenant-config.yaml b/roles/vdm/tasks/postgres/postgres-multi-tenant-config.yaml index 03fd5f7e..880168e9 100644 --- a/roles/vdm/tasks/postgres/postgres-multi-tenant-config.yaml +++ b/roles/vdm/tasks/postgres/postgres-multi-tenant-config.yaml 
@@ -78,8 +78,8 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: "sas-{{ 'postgres' if role == 'default' else role }}-custom-config-transformer.yaml", vdm: true, priority: 65 } - - { resources: "sas-{{ 'postgres' if role == 'default' else role }}-custom-config.yaml", vdm: true } + - { transformers: "sas-{{ 'postgres' if role == 'default' else role }}-custom-config-transformer.yaml", priority: 65 } + - { resources: "sas-{{ 'postgres' if role == 'default' else role }}-custom-config.yaml" } when: - custom_config_folder.stat.exists - settings.internal @@ -167,7 +167,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: "{{ 'platform-postgres' if role == 'default' else role }}-crunchy-tuning-transformer.yaml", vdm: true, priority: 65 } + - { transformers: "{{ 'platform-postgres' if role == 'default' else role }}-crunchy-tuning-transformer.yaml", priority: 65 } when: - not V4_CFG_CADENCE_NAME|lower == "fast" and V4_CFG_CADENCE_VERSION is version('2023.03', "<") - crunchy_tuning_folder.stat.exists @@ -277,8 +277,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - transformers: "{{ 'platform-postgres' if role == 'default' else role }}-crunchy-tuning-connection-params-transformer.yaml" - vdm: true + - transformers: "{{ 'platform-postgres' if role == 'default' else role }}-crunchy-tuning-connection-params-transformer.yaml" priority: 65 when: - V4_CFG_CADENCE_VERSION is version('2023.03', ">=") or V4_CFG_CADENCE_NAME|lower == "fast" 
@@ -295,8 +294,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - transformers: "{{ 'platform-postgres' if role == 'default' else role }}-crunchy-tuning-pg-hba-no-tls-transformer.yaml" - vdm: true + - transformers: "{{ 'platform-postgres' if role == 'default' else role }}-crunchy-tuning-pg-hba-no-tls-transformer.yaml" priority: 65 when: - V4_CFG_CADENCE_VERSION is version('2023.03', ">=") or V4_CFG_CADENCE_NAME|lower == "fast" diff --git a/roles/vdm/tasks/postgres/postgres.yaml b/roles/vdm/tasks/postgres/postgres.yaml index 9dfc694c..c6b7beb0 100644 --- a/roles/vdm/tasks/postgres/postgres.yaml +++ b/roles/vdm/tasks/postgres/postgres.yaml @@ -56,8 +56,8 @@ - { resources: overlays/internal-postgres } - { resources: overlays/crunchydata } - { transformers: overlays/internal-postgres/internal-postgres-transformer.yaml } - - { transformers: postgres-storage-transformer.yaml, vdm: true, max: 2020.1.3 } - - { transformers: postgres-storage-transformer.v2.yaml, vdm: true, min: 2020.1.3 } + - { transformers: postgres-storage-transformer.yaml, max: 2020.1.3 } + - { transformers: postgres-storage-transformer.v2.yaml, min: 2020.1.3 } when: - internal_postgres - name: Postgres - external @@ -67,10 +67,10 @@ existing: "{{ vdm_overlays }}" add: - { transformers: overlays/external-postgres/external-postgres-transformer.yaml } - - { generators: postgres-sas-user.yaml, vdm: true } - - { generators: sas-go-config.yaml, vdm: true } - - { generators: sas-postgres-config.yaml, max: 2020.0.4, vdm: true } - - { generators: sas-postgres-config.v2.yaml, min: 2020.0.5, vdm: true } + - { generators: postgres-sas-user.yaml } + - { generators: sas-go-config.yaml } + - { generators: sas-postgres-config.yaml, max: 2020.0.4 } + - { generators: sas-postgres-config.v2.yaml, min: 2020.0.5 } when: - not internal_postgres 
@@ -89,7 +89,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: postgres-storage-transformer.v3.yaml, vdm: true } + - { transformers: postgres-storage-transformer.v3.yaml } when: - internal_postgres - name: Postgres - external diff --git a/roles/vdm/tasks/start_stop.yaml b/roles/vdm/tasks/start_stop.yaml index 3aa63b03..b701fc84 100644 --- a/roles/vdm/tasks/start_stop.yaml +++ b/roles/vdm/tasks/start_stop.yaml @@ -24,7 +24,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: schedule-start-stop.yaml, vdm: true, min: "2021.2", priority: 61 } + - { transformers: schedule-start-stop.yaml, min: "2021.2", priority: 61 } when: - V4_CFG_VIYA_STOP_SCHEDULE is not none or V4_CFG_VIYA_START_SCHEDULE is not none tags: diff --git a/roles/vdm/tasks/storage.yaml b/roles/vdm/tasks/storage.yaml index d59fba06..8a574970 100644 --- a/roles/vdm/tasks/storage.yaml +++ b/roles/vdm/tasks/storage.yaml @@ -8,7 +8,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: sas-storageclass.yaml, vdm: true, priority: 49 } + - { transformers: sas-storageclass.yaml, priority: 49 } tags: - install - uninstall 
@@ -20,11 +20,11 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: cas-add-nfs-mount.yaml, vdm: true } - - { transformers: compute-server-add-nfs-mount.yaml, max: 2021.1.6, vdm: true } - - { transformers: compute-server-add-nfs-mount.v2.yaml, min: "2021.2", vdm: true } - - { transformers: launcher-service-add-nfs.yaml, max: 2021.1.6, vdm: true } - - { transformers: launcher-nfs-mount.yaml, min: "2021.2", vdm: true } + - { transformers: cas-add-nfs-mount.yaml } + - { transformers: compute-server-add-nfs-mount.yaml, max: 2021.1.6 } + - { transformers: compute-server-add-nfs-mount.v2.yaml, min: "2021.2" } + - { transformers: launcher-service-add-nfs.yaml, max: 2021.1.6 } + - { transformers: launcher-nfs-mount.yaml, min: "2021.2" } when: - V4_CFG_RWX_FILESTORE_ENDPOINT is not none - V4_CFG_RWX_FILESTORE_PATH is not none diff --git a/roles/vdm/tasks/tls.yaml b/roles/vdm/tasks/tls.yaml index 65bca17a..0228d6a9 100644 --- a/roles/vdm/tasks/tls.yaml +++ b/roles/vdm/tasks/tls.yaml @@ -30,7 +30,7 @@ add: - { resources: "overlays/network/{{ V4_CFG_INGRESS_TYPE }}", max: 2021.1.5 } - { resources: "overlays/network/{{ V4_CFG_INGRESS_TYPE }}/security", max: 2021.1.2 } - - { resources: "overlays/network/{{ network_name_map[V4_CFG_INGRESS_TYPE] }}", min: 2021.1.6 } + - { resources: "overlays/network/{{ network_name_map[V4_CFG_INGRESS_TYPE]['name'] }}", min: 2021.1.6 } tags: - install - uninstall 
@@ -70,39 +70,82 @@ - V4_CFG_TLS_GENERATOR == "cert-manager" - name: TLS - Full-stack TLS - overlay_facts: - cadence_name: "{{ V4_CFG_CADENCE_NAME }}" - cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" - existing: "{{ vdm_overlays }}" - add: - - { transformers: overlays/network/ingress/security/transformers/ingress-tls-transformers.yaml, max: 2021.1.2, priority: 51 } - - { transformers: overlays/network/ingress/security/transformers/product-tls-transformers.yaml, max: 2021.1.2, priority: 51 } - - { transformers: overlays/network/ingress/security/transformers/backend-tls-transformers.yaml, max: 2021.1.2, priority: 51 } - - { components: components/security/core/base/full-stack-tls, min: 2021.1.3, priority: 51 } - - { components: components/security/network/networking.k8s.io/ingress/nginx.ingress.kubernetes.io/full-stack-tls, min: 2021.1.3, priority: 51 } when: - V4_CFG_TLS_MODE == "full-stack" tags: - install - uninstall - update + block: + - name: TLS - Full-stack TLS (Base) + overlay_facts: + cadence_name: "{{ V4_CFG_CADENCE_NAME }}" + cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" + existing: "{{ vdm_overlays }}" + add: + - { components: components/security/core/base/full-stack-tls, min: 2021.1.3, priority: 51 } + - { components: "components/security/network/{{ network_name_map[V4_CFG_INGRESS_TYPE]['name'] }}/{{ network_name_map[V4_CFG_INGRESS_TYPE]['component'] }}/full-stack-tls", min: 2021.1.3, priority: 51 } + + - name: TLS - Full-stack TLS (Ingress) + overlay_facts: + cadence_name: "{{ V4_CFG_CADENCE_NAME }}" + cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" + existing: "{{ vdm_overlays }}" + add: + - { transformers: overlays/network/ingress/security/transformers/ingress-tls-transformers.yaml, max: 2021.1.2, priority: 51 } + - { transformers: overlays/network/ingress/security/transformers/product-tls-transformers.yaml, max: 2021.1.2, priority: 51 } + - { transformers: overlays/network/ingress/security/transformers/backend-tls-transformers.yaml, max: 2021.1.2, 
priority: 51 } + when: + - V4_CFG_INGRESS_TYPE == "ingress" + + - name: TLS - Full-stack TLS (Openshift) + overlay_facts: + cadence_name: "{{ V4_CFG_CADENCE_NAME }}" + cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" + existing: "{{ vdm_overlays }}" + add: + - { transformers: overlays/network/route.openshift.io/security/transformers/sas-route-cookie-samesite-transformer.yaml, min: 2021.1.6, priority: 51 } + when: + - V4_CFG_INGRESS_TYPE == "route" + - name: TLS - Front-door TLS - overlay_facts: - cadence_name: "{{ V4_CFG_CADENCE_NAME }}" - cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" - existing: "{{ vdm_overlays }}" - add: - - { transformers: overlays/network/ingress/security/transformers/cas-connect-tls-transformers.yaml, max: 2021.1.2, priority: 51 } - - { transformers: overlays/network/ingress/security/transformers/ingress-tls-transformers.yaml, max: 2021.1.2, priority: 51 } - - { components: components/security/core/base/front-door-tls, min: 2021.1.3, priority: 51 } - - { components: components/security/network/networking.k8s.io/ingress/nginx.ingress.kubernetes.io/front-door-tls, min: 2021.1.3, priority: 51 } when: - V4_CFG_TLS_MODE == "front-door" tags: - install - uninstall - update + block: + - name: TLS - Front-door TLS (Base) + overlay_facts: + cadence_name: "{{ V4_CFG_CADENCE_NAME }}" + cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" + existing: "{{ vdm_overlays }}" + add: + - { components: components/security/core/base/front-door-tls, min: 2021.1.3, priority: 51 } + - { components: "components/security/network/{{ network_name_map[V4_CFG_INGRESS_TYPE]['name'] }}/{{ network_name_map[V4_CFG_INGRESS_TYPE]['component'] }}/front-door-tls", min: 2021.1.3, priority: 51 } + + - name: TLS - Front-door TLS (Ingress) + overlay_facts: + cadence_name: "{{ V4_CFG_CADENCE_NAME }}" + cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" + existing: "{{ vdm_overlays }}" + add: + - { transformers: overlays/network/ingress/security/transformers/cas-connect-tls-transformers.yaml, 
max: 2021.1.2, priority: 51 } + - { transformers: overlays/network/ingress/security/transformers/ingress-tls-transformers.yaml, max: 2021.1.2, priority: 51 } + when: + - V4_CFG_INGRESS_TYPE == "ingress" + + - name: TLS - Front-door TLS (Openshift) + overlay_facts: + cadence_name: "{{ V4_CFG_CADENCE_NAME }}" + cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" + existing: "{{ vdm_overlays }}" + add: + - { transformers: overlays/network/route.openshift.io/security/transformers/sas-route-cookie-samesite-transformer.yaml, min: 2021.1.6, priority: 51 } + when: + - V4_CFG_INGRESS_TYPE == "route" - name: TLS - Ingress-only TLS - check cadence ansible.builtin.fail: @@ -171,7 +214,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { generators: customer-provided-ca-certificates.yaml, vdm: true } + - { generators: customer-provided-ca-certificates.yaml } - name: TLS - customer provided server certificates when: @@ -204,7 +247,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { generators: customer-provided-ingress-certificate.yaml, vdm: true } + - { generators: customer-provided-ingress-certificate.yaml } - name: TLS - Certificate Generation - cert-manager overlay_facts: @@ -212,7 +255,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: cert-manager-provided-ingress-certificate.yaml, vdm: true, max: "2022.1", priority: 70 } + - { transformers: cert-manager-provided-ingress-certificate.yaml, max: "2022.1", priority: 70 } - { transformers: overlays/cert-manager-provided-ingress-certificate/ingress-annotation-transformer.yaml, min: 2022.1.1, priority: 70 } when: - V4_CFG_TLS_MODE != "disabled" 
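Review bot: The two `(Base)` tasks index `network_name_map[V4_CFG_INGRESS_TYPE]['component']`, a key the earlier `-30` hunk does not use; for an ingress type whose map entry lacks it, the play stops with an undefined-variable error rather than a message naming the unsupported ingress/TLS combination. An `ansible.builtin.assert` on `network_name_map[V4_CFG_INGRESS_TYPE].component is defined` with a `fail_msg` at the top of each block would make that explicit. The `(Ingress)`/`(Openshift)` sub-tasks only fire for `"ingress"` and `"route"`, so any other ingress type receives the base components alone; if that is intended, a comment on the block saying so would save the next reader a trace. Style-wise the six `overlay_facts` headers are identical apart from `add`; a single task with a computed `add` list would halve the hunk, but that is optional.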
@@ -228,7 +271,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: openssl-generated-ingress-certificate.yaml, vdm: true, min: "2021.2" } + - { resources: openssl-generated-ingress-certificate.yaml, min: "2021.2" } when: - V4_CFG_TLS_MODE != "disabled" - (V4_CFG_TLS_CERT is none and V4_CFG_TLS_KEY is none and V4_CFG_TLS_GENERATOR == "openssl") @@ -242,7 +285,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { generators: customer-provided-merge-sas-certframe-configmap.yaml, vdm: true } + - { generators: customer-provided-merge-sas-certframe-configmap.yaml } when: - V4_CFG_TLS_MODE != "disabled" - (V4_CFG_TLS_GENERATOR == "cert-manager" or V4_CFG_TLS_GENERATOR == "openssl") @@ -257,7 +300,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: consul-ui.yaml, vdm: true } + - { resources: consul-ui.yaml } when: - V4_CFG_CONSUL_ENABLE_LOADBALANCER tags: @@ -271,7 +314,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: nginx-ingressclass.yaml, vdm: true, max: 2021.1.5 } + - { transformers: nginx-ingressclass.yaml, max: 2021.1.5 } when: - V4_CFG_INGRESS_TYPE == "ingress" tags: diff --git a/roles/vdm/tasks/workload_orchestrator.yaml b/roles/vdm/tasks/workload_orchestrator.yaml index ac477d50..3fcbd204 100644 --- a/roles/vdm/tasks/workload_orchestrator.yaml +++ b/roles/vdm/tasks/workload_orchestrator.yaml @@ -9,7 +9,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: overlays/sas-workload-orchestrator, min: "2023.08", vdm: false } + - { resources: overlays/sas-workload-orchestrator, min: "2023.08" } when: - V4_WORKLOAD_ORCHESTRATOR_ENABLED tags: 
@@ -23,7 +23,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: examples/sas-workload-orchestrator/enable-disable/sas-workload-orchestrator-disable-patch-transformer.yaml, min: "2023.08", vdm: false } + - { transformers: examples/sas-workload-orchestrator/enable-disable/sas-workload-orchestrator-disable-patch-transformer.yaml, min: "2023.08" } when: - not V4_WORKLOAD_ORCHESTRATOR_ENABLED tags: diff --git a/roles/vdm/templates/copy_if_exists.yaml.j2 b/roles/vdm/templates/copy_if_exists.yaml.j2 new file mode 100644 index 00000000..18006883 --- /dev/null +++ b/roles/vdm/templates/copy_if_exists.yaml.j2 @@ -0,0 +1,14 @@ +{% set glob = {} %} + +{% for k, v in item.items() %} +{% if k == 'priority' %} +{% set _ = glob.update({'priority': v}) %} +{% else %} +{% set _ = glob.update({'res': k}) %} +{% set _ = glob.update({'path': v}) %} +{% endif %} +{% endfor %} +type: {{ glob.res }} +path: {{ glob.path }} +priority: {{ glob.priority|default(10) }} +filename: {{ glob.path if glob.path.startswith('overlays') else (glob.path|basename) }} \ No newline at end of file diff --git a/roles/vdm/templates/resources/openssl-generated-ingress-certificate.yaml b/roles/vdm/templates/resources/openssl-generated-ingress-certificate.yaml index 1ac24a7a..43b1696e 100644 --- a/roles/vdm/templates/resources/openssl-generated-ingress-certificate.yaml +++ b/roles/vdm/templates/resources/openssl-generated-ingress-certificate.yaml @@ -58,6 +58,7 @@ spec: securityContext: allowPrivilegeEscalation: false capabilities: + add: [] drop: - ALL privileged: false @@ -68,10 +69,14 @@ spec: - mountPath: /security name: security restartPolicy: OnFailure + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: certframe-token secret: defaultMode: 420 secretName: sas-certframe-token - emptyDir: {} - name: security + name: security \ No newline at end of file 
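Review bot: The key loop treats every key other than `priority` as the type/path pair, so an item that also carries `min:` or `max:` — the cadence constraints other `overlay_facts` `add` lists in this patch use — would have `res`/`path` overwritten by whichever key iterates last and the constraint dropped without any error. Restricting the else-branch to the known overlay kinds keeps that from happening silently, e.g. `{% elif k in ['resources', 'transformers', 'generators', 'components', 'configurations'] %}` and failing the template on anything else (or forwarding `min`/`max` into the output so `overlay_facts` can still enforce them). Today's callers in openshift.yaml pass only `resources`, so this is a latent rather than a live defect.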
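Review bot: `runAsNonRoot: true` at pod level makes the kubelet verify the effective UID before starting the container; when the image's `USER` is root or a non-numeric name and no `runAsUser` is set, the pod is rejected at container creation rather than at admission, an easy-to-miss failure mode on a one-shot cert-generation job. Setting an explicit numeric `runAsUser` (and `runAsGroup`) alongside it, or documenting in a comment that the image already runs as a numeric non-root user, makes the hardening deterministic. `add: []` in the `-58` hunk is a no-op; it is fine as an explicit statement, but a short comment such as `# no capabilities added` avoids readers wondering whether something was removed here.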
diff --git a/roles/vdm/templates/resources/scc-sas-airflow-create-user-job.yaml b/roles/vdm/templates/resources/scc-sas-airflow-create-user-job.yaml new file mode 100644 index 00000000..7aa0099f --- /dev/null +++ b/roles/vdm/templates/resources/scc-sas-airflow-create-user-job.yaml 
@@ -0,0 +1,126 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-anyuid +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - anyuid + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "sas-airflow-create-user-job" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-anyuid +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-airflow-create-user-job + namespace: "{{ NAMESPACE }}" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "sas-airflow-migrate-database-job" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-anyuid +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-airflow-migrate-database-job + namespace: "{{ NAMESPACE }}" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "sas-airflow-redis" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-anyuid +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-airflow-redis + namespace: "{{ NAMESPACE }}" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "sas-airflow-scheduler" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-anyuid +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-airflow-scheduler + namespace: "{{ NAMESPACE }}" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "sas-airflow-triggerer" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-anyuid +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-airflow-triggerer + namespace: "{{ NAMESPACE }}" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "sas-airflow-webserver" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-anyuid +subjects: +- apiGroup: "" + kind: 
ServiceAccount + name: sas-airflow-webserver + namespace: "{{ NAMESPACE }}" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "sas-airflow-worker" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-anyuid +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-airflow-worker + namespace: "{{ NAMESPACE }}" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "sas-process-orchestration" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-anyuid +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-process-orchestration + namespace: "{{ NAMESPACE }}" \ No newline at end of file diff --git a/roles/vdm/templates/resources/scc-sas-cas-server.yaml b/roles/vdm/templates/resources/scc-sas-cas-server.yaml new file mode 100644 index 00000000..a3066781 --- /dev/null +++ b/roles/vdm/templates/resources/scc-sas-cas-server.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-cas-server{{ openshift_cas_scc_map[V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE]["suffix"] }}-scc +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - sas-cas-server + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: sas-cas-server{{ openshift_cas_scc_map[V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE]["suffix"] }}-scc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-cas-server{{ openshift_cas_scc_map[V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE]["suffix"] }}-scc +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-cas-server{{ openshift_cas_scc_map[V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE]["suffix"] }} + namespace: "{{ NAMESPACE }}" \ No newline at end of file 
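Review bot: A single `sas-anyuid` Role is bound to eight service accounts, and `anyuid` lets a pod run as any UID including 0, which makes this the broadest grant in the new scc-*.yaml set; the same SCC is used in scc-sas-model-publish-kaniko.yaml, and scc-sas-programming-environment.yaml escalates to `hostmount-anyuid` when `V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT_HOSTPATH` is set. None of the three templates records why the weaker `nonroot` SCC (used by scc-sas-esp-project.yaml) is insufficient. A header comment per file pointing at the requirement that drives it — here the `examples/sas-airflow/README.md` that `add_if_exists.yaml` probes — and listing the subjects would let a cluster admin review the grant without re-deriving it, e.g. `# anyuid required by <reason from examples/sas-airflow/README.md>; subjects: sas-airflow-* and sas-process-orchestration`.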
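Review bot: The `openshift_cas_scc_map[V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE]["suffix"]` lookup is spelled out four times; a `{% set cas_scc_suffix = openshift_cas_scc_map[V4_CFG_OPENSHIFT_SCC_CAS_SERVER_MODE]['suffix'] %}` at the top of the template and `sas-cas-server{{ cas_scc_suffix }}-scc` below reads better and keeps the four names in sync if the expression changes. The `resourceNames` entry `sas-cas-server` refers to an SCC this patch never creates; if it is expected to come from the `cas-server-scc*.yaml` example added in openshift.yaml, a comment naming that dependency would help, since a Role rule naming a missing SCC is accepted silently and only surfaces later as pods failing admission.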
diff --git a/roles/vdm/templates/resources/scc-sas-connect-spawner.yaml b/roles/vdm/templates/resources/scc-sas-connect-spawner.yaml new file mode 100644 index 00000000..2bb7ec08 --- /dev/null +++ b/roles/vdm/templates/resources/scc-sas-connect-spawner.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-connect-spawner-scc +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - sas-connect-spawner + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: sas-connect-spawner-scc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-connect-spawner-scc +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-connect-spawner + namespace: "{{ NAMESPACE }}" \ No newline at end of file diff --git a/roles/vdm/templates/resources/scc-sas-esp-project.yaml b/roles/vdm/templates/resources/scc-sas-esp-project.yaml new file mode 100644 index 00000000..bb622d5b --- /dev/null +++ b/roles/vdm/templates/resources/scc-sas-esp-project.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-esp-project-scc +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - nonroot + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: sas-esp-project-scc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-esp-project-scc +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-esp-project + namespace: "{{ NAMESPACE }}" \ No newline at end of file diff --git a/roles/vdm/templates/resources/scc-sas-microanalytic-score.yaml b/roles/vdm/templates/resources/scc-sas-microanalytic-score.yaml new file mode 100644 index 00000000..4ff8b989 --- /dev/null +++ b/roles/vdm/templates/resources/scc-sas-microanalytic-score.yaml 
@@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-microanalytic-score-scc +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - sas-microanalytic-score + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: sas-microanalytic-score-scc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-microanalytic-score-scc +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-microanalytic-score + namespace: "{{ NAMESPACE }}" \ No newline at end of file diff --git a/roles/vdm/templates/resources/scc-sas-model-publish-kaniko.yaml b/roles/vdm/templates/resources/scc-sas-model-publish-kaniko.yaml new file mode 100644 index 00000000..0ac418c1 --- /dev/null +++ b/roles/vdm/templates/resources/scc-sas-model-publish-kaniko.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-model-publish-kaniko-scc +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - anyuid + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: sas-model-publish-kaniko-scc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-model-publish-kaniko-scc +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-model-publish-kaniko + namespace: "{{ NAMESPACE }}" \ No newline at end of file diff --git a/roles/vdm/templates/resources/scc-sas-model-repository.yaml b/roles/vdm/templates/resources/scc-sas-model-repository.yaml new file mode 100644 index 00000000..6983219a --- /dev/null +++ b/roles/vdm/templates/resources/scc-sas-model-repository.yaml 
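Review bot: scc-sas-model-publish-kaniko.yaml binds the built-in `anyuid` SCC, which lets every pod running as `sas-model-publish-kaniko` run as any UID including 0 and keeps more capabilities than `restricted`; that is a deliberate privilege grant and the template carries no explanation. If the reason is that kaniko needs root to assemble image layers, say so next to the SCC name, e.g. `# kaniko needs UID 0 to build images; anyuid is the narrowest built-in SCC that allows this`, so the grant is not widened or copied elsewhere without thought. The task that adds this resource is not in the hunk, so also confirm it is only included when the kaniko publish destination is enabled, rather than in every OpenShift deployment.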
@@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-model-repository-scc +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - sas-model-repository + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: sas-model-repository-scc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-model-repository-scc +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-model-repository + namespace: "{{ NAMESPACE }}" \ No newline at end of file diff --git a/roles/vdm/templates/resources/scc-sas-programming-environment.yaml b/roles/vdm/templates/resources/scc-sas-programming-environment.yaml new file mode 100644 index 00000000..605d6cc2 --- /dev/null +++ b/roles/vdm/templates/resources/scc-sas-programming-environment.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-programming-environment-scc +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - {{ 'hostmount-anyuid' if V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT_HOSTPATH else 'nonroot' }} + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: sas-programming-environment-scc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-programming-environment-scc +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-programming-environment + namespace: "{{ NAMESPACE }}" \ No newline at end of file diff --git a/roles/vdm/templates/resources/scc-sas-pyconfig.yaml b/roles/vdm/templates/resources/scc-sas-pyconfig.yaml new file mode 100644 index 00000000..047085e0 --- /dev/null +++ b/roles/vdm/templates/resources/scc-sas-pyconfig.yaml 
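Review bot: In scc-sas-programming-environment.yaml the conditional swaps `nonroot` for the built-in `hostmount-anyuid` when `V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT_HOSTPATH` is set, which adds hostPath volumes on top of arbitrary UIDs, so any pod admitted under `sas-programming-environment` may mount node filesystem paths; nothing in the template records why. Add a comment above `resourceNames`, e.g. `# hostmount-anyuid is only needed when compute pods use hostPath volumes; it grants node filesystem access`, and consider whether a dedicated SCC limited to what the compute pods actually need would be narrower than the built-in one. The unquoted Jinja expression in the list item renders before YAML parsing, so it is fine as long as this file is only ever consumed through the Ansible `template` module.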
@@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-pyconfig-scc +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - sas-pyconfig + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: sas-pyconfig-scc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-pyconfig-scc +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-pyconfig + namespace: "{{ NAMESPACE }}" \ No newline at end of file diff --git a/roles/vdm/templates/resources/scc-sas-watchdog.yaml b/roles/vdm/templates/resources/scc-sas-watchdog.yaml new file mode 100644 index 00000000..899ce97c --- /dev/null +++ b/roles/vdm/templates/resources/scc-sas-watchdog.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sas-watchdog-scc +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - sas-watchdog + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: sas-watchdog-scc +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sas-watchdog-scc +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sas-programming-environment + namespace: "{{ NAMESPACE }}" \ No newline at end of file diff --git a/roles/vdm/vars/main.yaml b/roles/vdm/vars/main.yaml index 85ece2ec..88e866d9 100644 --- a/roles/vdm/vars/main.yaml +++ b/roles/vdm/vars/main.yaml 
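Review bot: In scc-sas-watchdog.yaml the RoleBinding subject is `sas-programming-environment`, not `sas-watchdog`, unlike every other scc-*.yaml in this series where the subject matches the Role name. If this is intentional because the watchdog runs inside the programming-environment pods, a comment on the subject, e.g. `# sas-watchdog runs in the compute pods, so their service account needs this SCC`, will keep it from being "fixed" as a typo; if it is a copy-paste slip, it silently grants a second SCC to the compute service account. Either way that service account ends up with `use` on two SCCs, and which one admits a pod is decided by SCC priority and restrictiveness, so it is worth confirming the intended SCC is the one selected.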
@@ -22,7 +22,35 @@ pg_cluster_name_map: { } # TODO - Fix once 2021.1.6 is ready and the kustomization files have been updated network_name_map: { - ingress: networking.k8s.io, - contour: projectcountour.io, - route: route.openshift.io + ingress: { + name: networking.k8s.io, + component: ingess/nginx.ingress.kubernetes.io + }, + contour: { + name: projectcountour.io, + component: httpproxy + }, + route: { + name: route.openshift.io, + component: route + }, + istio: { + name: networking.istio.io, + component: virtualservice + } } + +openshift_cas_scc_map: { + standard: { + filesuffix: "", + suffix: "" + }, + host: { + filesuffix: "-host-launch", + suffix: "-host" + }, + sssd: { + filesuffix: "-sssd", + suffix: "-sssd" + }, +} \ No newline at end of file From 9aef039815c3964bd21b72025447b2e0563b658b Mon Sep 17 00:00:00 2001 From: Norman Johnson Date: Thu, 12 Sep 2024 12:34:03 -0400 Subject: [PATCH 13/15] fix ocp seccomp remove --- roles/vdm/tasks/openshift.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/vdm/tasks/openshift.yaml b/roles/vdm/tasks/openshift.yaml index 75444a13..29301e78 100644 --- a/roles/vdm/tasks/openshift.yaml +++ b/roles/vdm/tasks/openshift.yaml @@ -8,7 +8,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: overlays/security/remove-seccomp-transformer.yaml, priority: 99 } + - { transformers: overlays/security/container-security/remove-seccomp-transformer.yaml, priority: 99 } tags: - install - uninstall From ecfc3b86bf9b700334f382170f48831e0890d8e6 Mon Sep 17 00:00:00 2001 From: Norman Johnson Date: Thu, 12 Sep 2024 12:37:45 -0400 Subject: [PATCH 14/15] fix ocp seccomp remove --- roles/vdm/tasks/openshift.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/vdm/tasks/openshift.yaml b/roles/vdm/tasks/openshift.yaml index 29301e78..b2c499d0 100644 --- a/roles/vdm/tasks/openshift.yaml +++ b/roles/vdm/tasks/openshift.yaml 
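Review bot: In the new `network_name_map`, `component: ingess/nginx.ingress.kubernetes.io` misspells `ingress`; the consumer of this value is not in the hunk, but if it is used to build a path or annotation key the typo will produce a quiet lookup miss rather than a loud failure. `name: projectcountour.io` is also misspelled (pre-existing, the API group is `projectcontour.io`), and since the old flat map is being replaced wholesale this is the moment to correct both. The `# TODO - Fix once 2021.1.6 is ready` comment kept above the map is stale for a 2024 change and should be resolved or removed so it does not read as a live caveat on the new structure.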
@@ -8,7 +8,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { transformers: overlays/security/container-security/remove-seccomp-transformer.yaml, priority: 99 } + - { transformers: overlays/security/container-security/remove-seccomp-transformer.yaml, priority: 90 } tags: - install - uninstall From 70475a3391ae19abad03c8382b1b60aabacfe14e Mon Sep 17 00:00:00 2001 From: Norman Johnson Date: Thu, 12 Sep 2024 13:35:17 -0400 Subject: [PATCH 15/15] fix typo --- roles/vdm/tasks/openshift.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/vdm/tasks/openshift.yaml b/roles/vdm/tasks/openshift.yaml index b2c499d0..297a7a08 100644 --- a/roles/vdm/tasks/openshift.yaml +++ b/roles/vdm/tasks/openshift.yaml @@ -134,7 +134,7 @@ cadence_number: "{{ V4_CFG_CADENCE_VERSION }}" existing: "{{ vdm_overlays }}" add: - - { resources: sas-programming-environment.yaml } + - { resources: scc-sas-programming-environment.yaml } when: V4_CFG_OPENSHIFT_SCC_PROGRAMMING_ENVIRONMENT tags: - install
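Review bot: The transformer's priority drops from 99 to 90 with no explanation beyond "fix" in the commit message, and the line itself carries no comment. By its name this transformer strips seccomp settings from the OpenShift deployment, so its position relative to the other overlays is security-relevant: anything applied after it could re-add a profile, and anything before it that relies on the profile being present would be silently undone. Record the constraint on the line, e.g. `# 90: must run after the overlays that set seccompProfile but before site customizations` adjusted to the actual reason, and confirm nothing else in the 90–99 range re-introduces the profile, since that range is not visible in this hunk.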