added role for mirror appliance

quay · Jun 14, 2021 · b57186e · b57186e
1 parent 5ab33d2
commit b57186e
Show file tree

Hide file tree

Showing 19 changed files with 565 additions and 5 deletions.
diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf
@@ -0,0 +1,66 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "3.5.0"
+    }
+  }
+}
+
+
+variable "SSH_PUBLIC_KEY" {
+  type = string
+}
+
+provider "google" {
+
+  project = "quay-devel"
+  region  = "us-central1"
+  zone    = "us-central1-c"
+
+}
+
+resource "google_compute_network" "vpc_network" {
+  name = "terraform-network"
+}
+
+resource "google_compute_instance" "vm_instance" {
+  name         = "mirror-ci-rhel"
+  machine_type = "e2-medium"
+
+  boot_disk {
+    initialize_params {
+      image = "rhel-8"
+    }
+  }
+
+  tags = ["mirror-ci-rhel"]
+
+  network_interface {
+    network = google_compute_network.vpc_network.name
+    access_config {
+    }
+  }
+
+  metadata = {
+    ssh-keys = "jonathan:${var.SSH_PUBLIC_KEY}"
+  }
+}
+
+resource "google_compute_firewall" "ssh-rule" {
+  name    = "vm-ssh"
+  network = google_compute_network.vpc_network.name
+  allow {
+    protocol = "tcp"
+    ports    = ["22", "80", "8080", "443", "8443"]
+  }
+  allow {
+    protocol = "icmp"
+  }
+  target_tags   = ["mirror-ci-rhel"]
+  source_ranges = ["0.0.0.0/0"]
+}
+
+output "ip" {
+  value = google_compute_instance.vm_instance.network_interface.0.access_config.0.nat_ip
+}
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -0,0 +1,112 @@
+name: "Terraform"
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+jobs:
+  terraform:
+    name: "Terraform"
+    runs-on: ubuntu-latest
+    env:
+      GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }}
+      TF_VAR_SSH_PUBLIC_KEY: ${{ secrets.TF_VAR_SSH_PUBLIC_KEY }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Install SSH Key
+        uses: webfactory/[email protected]
+        with:
+          ssh-private-key: ${{ secrets.TF_VAR_SSH_PRIVATE_KEY }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          # terraform_version: 0.13.0:
+          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+          terraform_wrapper: false
+
+      - name: Terraform Format
+        id: fmt
+        run: terraform fmt -check
+        working-directory: ".github/workflows"
+
+      - name: Terraform Init
+        id: init
+        run: terraform init
+        working-directory: ".github/workflows"
+
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan
+        working-directory: ".github/workflows"
+
+      - name: Terraform Apply
+        run: terraform apply --auto-approve
+        working-directory: ".github/workflows"
+
+      - name: Get IP Address
+        run: |
+          export IP=$(terraform output ip)
+          echo "VM Started on ${IP}"
+        working-directory: ".github/workflows"
+
+      - name: Add hostname to /etc/hosts
+        run: echo "$(terraform -chdir=./.github/workflows output --raw ip)  quay" | sudo tee -a /etc/hosts; sudo cat /etc/hosts
+
+      - name: Wait for VM
+        uses: jakejarvis/wait-action@master
+        with:
+          time: "60s"
+
+      - name: Run playbook
+        run: ansible-playbook p_install-mirror-appliance.yml -i quay,
+
+      - name: Install oc
+        uses: redhat-actions/oc-installer@v1
+        with:
+          oc_version: "4.6"
+
+      - name: Wait for Quay
+        run: timeout 300 bash -c 'while [[ "$(curl --insecure -s -o /dev/null -w ''%{http_code}'' https://quay/health/instance)" != "200" ]]; do sleep 5; echo $(terraform -chdir=./.github/workflows output --raw ip)/health/instance; done'
+
+      - name: Create Init User
+        run: 'curl --insecure -H ''Content-Type: application/json'' --data ''{"username":"init","password":"password","access_token":"true"}'' https://quay/api/v1/user/initialize'
+
+      - name: Log in to Quay.io
+        run: podman login  $(terraform -chdir=./.github/workflows output --raw ip) --tls-verify=false -u init -p password
+
+      - name: Write Pull Secret
+        run: 'echo "$PULL_SECRET" > /home/runner/work/quay-ansible/quay-ansible/pull-secret.json; chmod 777 /home/runner/work/quay-ansible/quay-ansible/pull-secret.json'
+        shell: bash
+        env:
+          PULL_SECRET: ${{ secrets.PULL_SECRET }}
+
+      - name: Write mirror pull secret
+        run: 'echo "{\"auths\": {\"quay\": {\"auth\": \"$(echo -n init:password | base64 -w0)\", \"email\":\"[email protected]\"}}}"  > /home/runner/work/quay-ansible/quay-ansible/mirror-secret.json; chmod 777 /home/runner/work/quay-ansible/quay-ansible/mirror-secret.json'
+
+      - name: Merge secrets
+        run: "jq -s '.[0] * .[1]' /home/runner/work/quay-ansible/quay-ansible/pull-secret.json /home/runner/work/quay-ansible/quay-ansible/mirror-secret.json > /home/runner/work/quay-ansible/quay-ansible/merged-secret.json; chmod 777 /home/runner/work/quay-ansible/quay-ansible/merged-secret.json"
+
+      - name: Mirror OCP Images
+        run: |
+          oc adm release mirror -a ${LOCAL_SECRET_JSON}  \
+          --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
+          --to=quay/${LOCAL_REPOSITORY} \
+          --to-release-image=quay/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} \
+          --insecure
+        env:
+          OCP_RELEASE: 4.5.4
+          LOCAL_REPOSITORY: "init/openshift4"
+          PRODUCT_REPO: "openshift-release-dev"
+          LOCAL_SECRET_JSON: "/home/runner/work/quay-ansible/quay-ansible/merged-secret.json"
+          RELEASE_NAME: "ocp-release"
+          ARCHITECTURE: "x86_64"
+
+      - name: Terraform Destroy
+        run: terraform destroy --auto-approve
+        if: always()
+        working-directory: ".github/workflows"
diff --git a/ansible.cfg b/ansible.cfg
@@ -1,6 +1,6 @@
 [defaults]
 INVENTORY=./inventories/dev
-remote_user = dev
+remote_user = jonathan
 ask_vault_pass = no
 host_key_checking = false
 deprecation_warnings = false

diff --git a/p_install-mirror-appliance.yml b/p_install-mirror-appliance.yml
@@ -0,0 +1,12 @@
+- name: "Install Mirror Appliance"
+  gather_facts: yes
+  become: true
+  hosts: all
+  tags:
+    - quay
+  vars:
+    yum_packages:
+      - podman
+  roles:
+    - r_rhel_vm
+    - r_mirror-appliance
diff --git a/p_uninstall-mirror-appliance.yml b/p_uninstall-mirror-appliance.yml
@@ -0,0 +1,44 @@
+- name: "Uninstall Mirror Appliance"
+  gather_facts: yes
+  become: true
+  hosts: all
+  tags:
+    - quay
+  tasks:
+    - name: Delete Install Directory
+      file:
+        state: absent
+        path: /etc/quay-install/
+
+    - name: Just force systemd to re-execute itself (2.8 and above)
+      ansible.builtin.systemd:
+        daemon_reexec: yes
+
+    - name: Stop Postgres service
+      systemd:
+        name: quay-postgres.service
+        enabled: no
+        daemon_reload: yes
+        state: stopped
+        force: yes
+
+    - name: Stop Redis service
+      systemd:
+        name: quay-redis.service
+        enabled: no
+        daemon_reload: yes
+        state: stopped
+        force: yes
+
+    - name: Stop Quay service
+      systemd:
+        name: quay-app.service
+        enabled: no
+        daemon_reload: yes
+        state: stopped
+        force: yes
+
+    - name: Delete pod
+      containers.podman.podman_pod:
+        name: quay-pod
+        state: absent
diff --git a/roles/r_mirror-appliance/defaults/main.yml b/roles/r_mirror-appliance/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+redis_image: docker.io/centos/redis-5-centos8
+postgres_image: docker.io/centos/postgresql-10-centos8
+quay_image: quay.io/jonathankingfc/quay:first-user
+image_archive_path: "{{playbook_dir }}/files/image-archive.yaml"
diff --git a/roles/r_mirror-appliance/files/systemd/postgres.service b/roles/r_mirror-appliance/files/systemd/postgres.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=PostgreSQL Podman Container for Quay
+Wants=network.target
+After=network-online.target
+
+[Service]
+Type=simple
+TimeoutStartSec=5m
+ExecStartPre=-/bin/rm -f %t/%n-pid %t/%n-cid
+ExecStart=/usr/bin/podman run \
+    --name quay-postgresql-service \
+    -v /etc/quay-install/pg-data:/var/lib/pgsql/data:Z \
+    -e POSTGRESQL_USER=user \
+    -e POSTGRESQL_PASSWORD=password \
+    -e POSTGRESQL_DATABASE=quay \
+    --pod=quay-pod \
+    --conmon-pidfile %t/%n-pid \
+    --cidfile %t/%n-cid \
+    --cgroups=no-conmon \
+    --replace \
+    docker.io/centos/postgresql-10-centos8
+
+ExecStop=/usr/bin/podman stop --ignore --cidfile %t/%n-cid -t 10
+ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/%n-cid
+PIDFile=%t/%n-pid
+KillMode=none
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target default.target
diff --git a/roles/r_mirror-appliance/files/systemd/quay.service b/roles/r_mirror-appliance/files/systemd/quay.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=Quay Container
+Wants=network.target
+After=network-online.target
+
+[Service]
+Type=simple
+TimeoutStartSec=5m
+ExecStartPre=-/bin/rm -f %t/%n-pid %t/%n-cid
+ExecStart=/usr/bin/podman run \
+    --name quay-app-service \
+    -v /etc/quay-install/quay-config:/quay-registry/conf/stack:Z \
+    -v /etc/quay-install/quay-storage:/datastorage:Z \
+    --pod=quay-pod \
+    --conmon-pidfile %t/%n-pid \
+    --cidfile %t/%n-cid \
+    --cgroups=no-conmon \
+    --replace \
+    quay.io/jonathankingfc/quay:first-user
+
+ExecStop=-/usr/bin/podman stop --ignore --cidfile %t/%n-cid -t 10
+ExecStopPost=-/usr/bin/podman rm --ignore -f --cidfile %t/%n-cid
+PIDFile=%t/%n-pid
+KillMode=none
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target default.target
diff --git a/roles/r_mirror-appliance/files/systemd/redis.service b/roles/r_mirror-appliance/files/systemd/redis.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=Redis Podman Container for Quay
+Wants=network.target
+After=network-online.target
+
+[Service]
+Type=simple
+TimeoutStartSec=5m
+ExecStartPre=-/bin/rm -f %t/%n-pid %t/%n-cid
+ExecStart=/usr/bin/podman run \
+    --name quay-redis-service \
+    -e REDIS_PASSWORD=password \
+    --pod=quay-pod \
+    --conmon-pidfile %t/%n-pid \
+    --cidfile %t/%n-cid \
+    --cgroups=no-conmon \
+    --replace \
+    docker.io/centos/redis-5-centos8
+
+ExecStop=-/usr/bin/podman stop --ignore --cidfile %t/%n-cid -t 10
+ExecStopPost=-/usr/bin/podman rm --ignore -f --cidfile %t/%n-cid
+PIDFile=%t/%n-pid
+KillMode=none
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target default.target
+
diff --git a/roles/r_mirror-appliance/meta/main.yml b/roles/r_mirror-appliance/meta/main.yml
@@ -0,0 +1,3 @@
+---
+allow_duplicates: false
+
diff --git a/roles/r_mirror-appliance/tasks/autodetect-image-archive.yaml b/roles/r_mirror-appliance/tasks/autodetect-image-archive.yaml
@@ -0,0 +1,7 @@
+- name: Ansible check file exists.
+  stat:
+    path: "{{ image_archive_path }}"
+  register: p
+- name: Image Archive Found. Loading Images.
+  command: "podman load -i {{ image_archive_path }}"
+  when: p.stat.exists
diff --git a/roles/r_mirror-appliance/tasks/create-podman-pod.yaml b/roles/r_mirror-appliance/tasks/create-podman-pod.yaml
@@ -0,0 +1,7 @@
+- name: Create podman pod for shared network namespace
+  containers.podman.podman_pod:
+    name: quay-pod
+    state: started
+    ports:
+      - 80:8080
+      - 443:8443
diff --git a/roles/r_mirror-appliance/tasks/install-postgres-service.yaml b/roles/r_mirror-appliance/tasks/install-postgres-service.yaml
@@ -0,0 +1,32 @@
+- name: Create necessary directory for Postgres persistent data
+  ansible.builtin.file:
+    path: /etc/quay-install/pg-data
+    state: directory
+    recurse: yes
+
+- name: Set permissions on data directory
+  ansible.posix.acl:
+    path: /etc/quay-install/pg-data
+    entry: u:26:-wx
+    state: present
+
+- name: Copy Postgres systemd service file
+  template: src=../files/systemd/postgres.service dest=/etc/systemd/system/quay-postgres.service
+
+- name: Pull Postgres image
+  containers.podman.podman_image:
+    name: "{{ postgres_image }}"
+
+- name: Start Postgres service
+  systemd:
+    name: quay-postgres.service
+    enabled: yes
+    daemon_reload: yes
+    state: started
+
+- name: Wait for pg_trgm to be installed
+  command: podman exec -it quay-postgresql-service /bin/bash -c "echo 'CREATE EXTENSION IF NOT EXISTS pg_trgm' | psql -d quay -U postgres"
+  register: result
+  until: result.rc == 0
+  retries: 20
+  delay: 5