|
|
@@ -0,0 +1,956 @@
|
|
|
+apiVersion: v1
|
|
|
+kind: Template
|
|
|
+labels:
|
|
|
+ template: cloudforms-ext-db
|
|
|
+metadata:
|
|
|
+ name: cloudforms-ext-db
|
|
|
+ annotations:
|
|
|
+ description: CloudForms appliance with persistent storage using a external DB host
|
|
|
+ tags: instant-app,cloudforms,cfme
|
|
|
+ iconClass: icon-rails
|
|
|
+objects:
|
|
|
+- apiVersion: v1
|
|
|
+ kind: ServiceAccount
|
|
|
+ metadata:
|
|
|
+ name: cfme-orchestrator
|
|
|
+- apiVersion: v1
|
|
|
+ kind: ServiceAccount
|
|
|
+ metadata:
|
|
|
+ name: cfme-anyuid
|
|
|
+- apiVersion: v1
|
|
|
+ kind: ServiceAccount
|
|
|
+ metadata:
|
|
|
+ name: cfme-privileged
|
|
|
+- apiVersion: v1
|
|
|
+ kind: ServiceAccount
|
|
|
+ metadata:
|
|
|
+ name: cfme-httpd
|
|
|
+- apiVersion: v1
|
|
|
+ kind: Secret
|
|
|
+ metadata:
|
|
|
+ name: "${NAME}-secrets"
|
|
|
+ stringData:
|
|
|
+ pg-password: "${DATABASE_PASSWORD}"
|
|
|
+ admin-password: "${APPLICATION_ADMIN_PASSWORD}"
|
|
|
+ database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
|
|
|
+ v2-key: "${V2_KEY}"
|
|
|
+- apiVersion: v1
|
|
|
+ kind: Secret
|
|
|
+ metadata:
|
|
|
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
|
|
|
+ stringData:
|
|
|
+ rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
|
|
|
+ secret-key: "${ANSIBLE_SECRET_KEY}"
|
|
|
+ admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
|
|
|
+- apiVersion: v1
|
|
|
+ kind: Service
|
|
|
+ metadata:
|
|
|
+ annotations:
|
|
|
+ description: Exposes and load balances CloudForms pods
|
|
|
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
|
|
|
+ name: "${NAME}"
|
|
|
+ spec:
|
|
|
+ clusterIP: None
|
|
|
+ ports:
|
|
|
+ - name: http
|
|
|
+ port: 80
|
|
|
+ protocol: TCP
|
|
|
+ targetPort: 80
|
|
|
+ selector:
|
|
|
+ name: "${NAME}"
|
|
|
+- apiVersion: v1
|
|
|
+ kind: Route
|
|
|
+ metadata:
|
|
|
+ name: "${HTTPD_SERVICE_NAME}"
|
|
|
+ spec:
|
|
|
+ host: "${APPLICATION_DOMAIN}"
|
|
|
+ port:
|
|
|
+ targetPort: http
|
|
|
+ tls:
|
|
|
+ termination: edge
|
|
|
+ insecureEdgeTerminationPolicy: Redirect
|
|
|
+ to:
|
|
|
+ kind: Service
|
|
|
+ name: "${HTTPD_SERVICE_NAME}"
|
|
|
+- apiVersion: apps/v1beta1
|
|
|
+ kind: StatefulSet
|
|
|
+ metadata:
|
|
|
+ name: "${NAME}"
|
|
|
+ annotations:
|
|
|
+ description: Defines how to deploy the CloudForms appliance
|
|
|
+ spec:
|
|
|
+ serviceName: "${NAME}"
|
|
|
+ replicas: "${APPLICATION_REPLICA_COUNT}"
|
|
|
+ template:
|
|
|
+ metadata:
|
|
|
+ labels:
|
|
|
+ name: "${NAME}"
|
|
|
+ name: "${NAME}"
|
|
|
+ spec:
|
|
|
+ containers:
|
|
|
+ - name: cloudforms
|
|
|
+ image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
|
|
|
+ livenessProbe:
|
|
|
+ exec:
|
|
|
+ command:
|
|
|
+ - pidof
|
|
|
+ - MIQ Server
|
|
|
+ initialDelaySeconds: 480
|
|
|
+ timeoutSeconds: 3
|
|
|
+ readinessProbe:
|
|
|
+ tcpSocket:
|
|
|
+ port: 80
|
|
|
+ initialDelaySeconds: 200
|
|
|
+ timeoutSeconds: 3
|
|
|
+ ports:
|
|
|
+ - containerPort: 80
|
|
|
+ protocol: TCP
|
|
|
+ volumeMounts:
|
|
|
+ - name: "${NAME}-server"
|
|
|
+ mountPath: "/persistent"
|
|
|
+ env:
|
|
|
+ - name: MY_POD_NAMESPACE
|
|
|
+ valueFrom:
|
|
|
+ fieldRef:
|
|
|
+ fieldPath: metadata.namespace
|
|
|
+ - name: APPLICATION_INIT_DELAY
|
|
|
+ value: "${APPLICATION_INIT_DELAY}"
|
|
|
+ - name: DATABASE_REGION
|
|
|
+ value: "${DATABASE_REGION}"
|
|
|
+ - name: DATABASE_URL
|
|
|
+ valueFrom:
|
|
|
+ secretKeyRef:
|
|
|
+ name: "${NAME}-secrets"
|
|
|
+ key: database-url
|
|
|
+ - name: V2_KEY
|
|
|
+ valueFrom:
|
|
|
+ secretKeyRef:
|
|
|
+ name: "${NAME}-secrets"
|
|
|
+ key: v2-key
|
|
|
+ - name: APPLICATION_ADMIN_PASSWORD
|
|
|
+ valueFrom:
|
|
|
+ secretKeyRef:
|
|
|
+ name: "${NAME}-secrets"
|
|
|
+ key: admin-password
|
|
|
+ - name: ANSIBLE_ADMIN_PASSWORD
|
|
|
+ valueFrom:
|
|
|
+ secretKeyRef:
|
|
|
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
|
|
|
+ key: admin-password
|
|
|
+ resources:
|
|
|
+ requests:
|
|
|
+ memory: "${APPLICATION_MEM_REQ}"
|
|
|
+ cpu: "${APPLICATION_CPU_REQ}"
|
|
|
+ limits:
|
|
|
+ memory: "${APPLICATION_MEM_LIMIT}"
|
|
|
+ lifecycle:
|
|
|
+ preStop:
|
|
|
+ exec:
|
|
|
+ command:
|
|
|
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
|
|
|
+ serviceAccount: cfme-orchestrator
|
|
|
+ serviceAccountName: cfme-orchestrator
|
|
|
+ terminationGracePeriodSeconds: 90
|
|
|
+ volumeClaimTemplates:
|
|
|
+ - metadata:
|
|
|
+ name: "${NAME}-server"
|
|
|
+ annotations:
|
|
|
+ spec:
|
|
|
+ accessModes:
|
|
|
+ - ReadWriteOnce
|
|
|
+ resources:
|
|
|
+ requests:
|
|
|
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
|
|
|
+- apiVersion: v1
|
|
|
+ kind: Service
|
|
|
+ metadata:
|
|
|
+ annotations:
|
|
|
+ description: Headless service for CloudForms backend pods
|
|
|
+ name: "${NAME}-backend"
|
|
|
+ spec:
|
|
|
+ clusterIP: None
|
|
|
+ selector:
|
|
|
+ name: "${NAME}-backend"
|
|
|
+- apiVersion: apps/v1beta1
|
|
|
+ kind: StatefulSet
|
|
|
+ metadata:
|
|
|
+ name: "${NAME}-backend"
|
|
|
+ annotations:
|
|
|
+ description: Defines how to deploy the CloudForms appliance
|
|
|
+ spec:
|
|
|
+ serviceName: "${NAME}-backend"
|
|
|
+ replicas: 0
|
|
|
+ template:
|
|
|
+ metadata:
|
|
|
+ labels:
|
|
|
+ name: "${NAME}-backend"
|
|
|
+ name: "${NAME}-backend"
|
|
|
+ spec:
|
|
|
+ containers:
|
|
|
+ - name: cloudforms
|
|
|
+ image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
|
|
|
+ livenessProbe:
|
|
|
+ exec:
|
|
|
+ command:
|
|
|
+ - pidof
|
|
|
+ - MIQ Server
|
|
|
+ initialDelaySeconds: 480
|
|
|
+ timeoutSeconds: 3
|
|
|
+ volumeMounts:
|
|
|
+ - name: "${NAME}-server"
|
|
|
+ mountPath: "/persistent"
|
|
|
+ env:
|
|
|
+ - name: APPLICATION_INIT_DELAY
|
|
|
+ value: "${APPLICATION_INIT_DELAY}"
|
|
|
+ - name: DATABASE_URL
|
|
|
+ valueFrom:
|
|
|
+ secretKeyRef:
|
|
|
+ name: "${NAME}-secrets"
|
|
|
+ key: database-url
|
|
|
+ - name: MIQ_SERVER_DEFAULT_ROLES
|
|
|
+ value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
|
|
|
+ - name: FRONTEND_SERVICE_NAME
|
|
|
+ value: "${NAME}"
|
|
|
+ - name: V2_KEY
|
|
|
+ valueFrom:
|
|
|
+ secretKeyRef:
|
|
|
+ name: "${NAME}-secrets"
|
|
|
+ key: v2-key
|
|
|
+ - name: ANSIBLE_ADMIN_PASSWORD
|
|
|
+ valueFrom:
|
|
|
+ secretKeyRef:
|
|
|
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
|
|
|
+ key: admin-password
|
|
|
+ resources:
|
|
|
+ requests:
|
|
|
+ memory: "${APPLICATION_MEM_REQ}"
|
|
|
+ cpu: "${APPLICATION_CPU_REQ}"
|
|
|
+ limits:
|
|
|
+ memory: "${APPLICATION_MEM_LIMIT}"
|
|
|
+ lifecycle:
|
|
|
+ preStop:
|
|
|
+ exec:
|
|
|
+ command:
|
|
|
+ - "/opt/rh/cfme-container-scripts/sync-pv-data"
|
|
|
+ serviceAccount: cfme-orchestrator
|
|
|
+ serviceAccountName: cfme-orchestrator
|
|
|
+ terminationGracePeriodSeconds: 90
|
|
|
+ volumeClaimTemplates:
|
|
|
+ - metadata:
|
|
|
+ name: "${NAME}-server"
|
|
|
+ annotations:
|
|
|
+ spec:
|
|
|
+ accessModes:
|
|
|
+ - ReadWriteOnce
|
|
|
+ resources:
|
|
|
+ requests:
|
|
|
+ storage: "${APPLICATION_VOLUME_CAPACITY}"
|
|
|
+- apiVersion: v1
|
|
|
+ kind: Service
|
|
|
+ metadata:
|
|
|
+ name: "${MEMCACHED_SERVICE_NAME}"
|
|
|
+ annotations:
|
|
|
+ description: Exposes the memcached server
|
|
|
+ spec:
|
|
|
+ ports:
|
|
|
+ - name: memcached
|
|
|
+ port: 11211
|
|
|
+ targetPort: 11211
|
|
|
+ selector:
|
|
|
+ name: "${MEMCACHED_SERVICE_NAME}"
|
|
|
+- apiVersion: v1
|
|
|
+ kind: DeploymentConfig
|
|
|
+ metadata:
|
|
|
+ name: "${MEMCACHED_SERVICE_NAME}"
|
|
|
+ annotations:
|
|
|
+ description: Defines how to deploy memcached
|
|
|
+ spec:
|
|
|
+ strategy:
|
|
|
+ type: Recreate
|
|
|
+ triggers:
|
|
|
+ - type: ConfigChange
|
|
|
+ replicas: 1
|
|
|
+ selector:
|
|
|
+ name: "${MEMCACHED_SERVICE_NAME}"
|
|
|
+ template:
|
|
|
+ metadata:
|
|
|
+ name: "${MEMCACHED_SERVICE_NAME}"
|
|
|
+ labels:
|
|
|
+ name: "${MEMCACHED_SERVICE_NAME}"
|
|
|
+ spec:
|
|
|
+ volumes: []
|
|
|
+ containers:
|
|
|
+ - name: memcached
|
|
|
+ image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
|
|
|
+ ports:
|
|
|
+ - containerPort: 11211
|
|
|
+ readinessProbe:
|
|
|
+ timeoutSeconds: 1
|
|
|
+ initialDelaySeconds: 5
|
|
|
+ tcpSocket:
|
|
|
+ port: 11211
|
|
|
+ livenessProbe:
|
|
|
+ timeoutSeconds: 1
|
|
|
+ initialDelaySeconds: 30
|
|
|
+ tcpSocket:
|
|
|
+ port: 11211
|
|
|
+ volumeMounts: []
|
|
|
+ env:
|
|
|
+ - name: MEMCACHED_MAX_MEMORY
|
|
|
+ value: "${MEMCACHED_MAX_MEMORY}"
|
|
|
+ - name: MEMCACHED_MAX_CONNECTIONS
|
|
|
+ value: "${MEMCACHED_MAX_CONNECTIONS}"
|
|
|
+ - name: MEMCACHED_SLAB_PAGE_SIZE
|
|
|
+ value: "${MEMCACHED_SLAB_PAGE_SIZE}"
|
|
|
+ resources:
|
|
|
+ requests:
|
|
|
+ memory: "${MEMCACHED_MEM_REQ}"
|
|
|
+ cpu: "${MEMCACHED_CPU_REQ}"
|
|
|
+ limits:
|
|
|
+ memory: "${MEMCACHED_MEM_LIMIT}"
|
|
|
+- apiVersion: v1
|
|
|
+ kind: Service
|
|
|
+ metadata:
|
|
|
+ name: "${DATABASE_SERVICE_NAME}"
|
|
|
+ annotations:
|
|
|
+ description: Remote database service
|
|
|
+ spec:
|
|
|
+ ports:
|
|
|
+ - name: postgresql
|
|
|
+ port: 5432
|
|
|
+ targetPort: "${{DATABASE_PORT}}"
|
|
|
+ selector: {}
|
|
|
+- apiVersion: v1
|
|
|
+ kind: Endpoints
|
|
|
+ metadata:
|
|
|
+ name: "${DATABASE_SERVICE_NAME}"
|
|
|
+ subsets:
|
|
|
+ - addresses:
|
|
|
+ - ip: "${DATABASE_IP}"
|
|
|
+ ports:
|
|
|
+ - port: "${{DATABASE_PORT}}"
|
|
|
+ name: postgresql
|
|
|
+- apiVersion: v1
|
|
|
+ kind: Service
|
|
|
+ metadata:
|
|
|
+ annotations:
|
|
|
+ description: Exposes and load balances Ansible pods
|
|
|
+ service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
|
|
|
+ name: "${ANSIBLE_SERVICE_NAME}"
|
|
|
+ spec:
|
|
|
+ ports:
|
|
|
+ - name: http
|
|
|
+ port: 80
|
|
|
+ protocol: TCP
|
|
|
+ targetPort: 80
|
|
|
+ - name: https
|
|
|
+ port: 443
|
|
|
+ protocol: TCP
|
|
|
+ targetPort: 443
|
|
|
+ selector:
|
|
|
+ name: "${ANSIBLE_SERVICE_NAME}"
|
|
|
+- apiVersion: v1
|
|
|
+ kind: DeploymentConfig
|
|
|
+ metadata:
|
|
|
+ name: "${ANSIBLE_SERVICE_NAME}"
|
|
|
+ annotations:
|
|
|
+ description: Defines how to deploy the Ansible appliance
|
|
|
+ spec:
|
|
|
+ strategy:
|
|
|
+ type: Recreate
|
|
|
+ serviceName: "${ANSIBLE_SERVICE_NAME}"
|
|
|
+ replicas: 0
|
|
|
+ template:
|
|
|
+ metadata:
|
|
|
+ labels:
|
|
|
+ name: "${ANSIBLE_SERVICE_NAME}"
|
|
|
+ name: "${ANSIBLE_SERVICE_NAME}"
|
|
|
+ spec:
|
|
|
+ containers:
|
|
|
+ - name: ansible
|
|
|
+ image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
|
|
|
+ livenessProbe:
|
|
|
+ tcpSocket:
|
|
|
+ port: 443
|
|
|
+ initialDelaySeconds: 480
|
|
|
+ timeoutSeconds: 3
|
|
|
+ readinessProbe:
|
|
|
+ httpGet:
|
|
|
+ path: "/"
|
|
|
+ port: 443
|
|
|
+ scheme: HTTPS
|
|
|
+ initialDelaySeconds: 200
|
|
|
+ timeoutSeconds: 3
|
|
|
+ ports:
|
|
|
+ - containerPort: 80
|
|
|
+ protocol: TCP
|
|
|
+ - containerPort: 443
|
|
|
+ protocol: TCP
|
|
|
+ securityContext:
|
|
|
+ privileged: true
|
|
|
+ env:
|
|
|
+ - name: ADMIN_PASSWORD
|
|
|
+ valueFrom:
|
|
|
+ secretKeyRef:
|
|
|
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
|
|
|
+ key: admin-password
|
|
|
+ - name: RABBITMQ_USER_NAME
|
|
|
+ value: "${ANSIBLE_RABBITMQ_USER_NAME}"
|
|
|
+ - name: RABBITMQ_PASSWORD
|
|
|
+ valueFrom:
|
|
|
+ secretKeyRef:
|
|
|
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
|
|
|
+ key: rabbit-password
|
|
|
+ - name: ANSIBLE_SECRET_KEY
|
|
|
+ valueFrom:
|
|
|
+ secretKeyRef:
|
|
|
+ name: "${ANSIBLE_SERVICE_NAME}-secrets"
|
|
|
+ key: secret-key
|
|
|
+ - name: DATABASE_SERVICE_NAME
|
|
|
+ value: "${DATABASE_SERVICE_NAME}"
|
|
|
+ - name: POSTGRESQL_USER
|
|
|
+ value: "${DATABASE_USER}"
|
|
|
+ - name: POSTGRESQL_PASSWORD
|
|
|
+ valueFrom:
|
|
|
+ secretKeyRef:
|
|
|
+ name: "${NAME}-secrets"
|
|
|
+ key: pg-password
|
|
|
+ - name: POSTGRESQL_DATABASE
|
|
|
+ value: "${ANSIBLE_DATABASE_NAME}"
|
|
|
+ resources:
|
|
|
+ requests:
|
|
|
+ memory: "${ANSIBLE_MEM_REQ}"
|
|
|
+ cpu: "${ANSIBLE_CPU_REQ}"
|
|
|
+ limits:
|
|
|
+ memory: "${ANSIBLE_MEM_LIMIT}"
|
|
|
+ serviceAccount: cfme-privileged
|
|
|
+ serviceAccountName: cfme-privileged
|
|
|
+- apiVersion: v1
|
|
|
+ kind: ConfigMap
|
|
|
+ metadata:
|
|
|
+ name: "${HTTPD_SERVICE_NAME}-configs"
|
|
|
+ data:
|
|
|
+ application.conf: |
|
|
|
+ # Timeout: The number of seconds before receives and sends time out.
|
|
|
+ Timeout 120
|
|
|
+
|
|
|
+ RewriteEngine On
|
|
|
+ Options SymLinksIfOwnerMatch
|
|
|
+
|
|
|
+ <VirtualHost *:80>
|
|
|
+ KeepAlive on
|
|
|
+ # Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
|
|
|
+ ServerName https://%{REQUEST_HOST}
|
|
|
+
|
|
|
+ ProxyPreserveHost on
|
|
|
+
|
|
|
+ RewriteCond %{REQUEST_URI} ^/ws [NC]
|
|
|
+ RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
|
|
|
+ RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
|
|
|
+ RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
|
|
|
+
|
|
|
+ # For httpd, some ErrorDocuments must by served by the httpd pod
|
|
|
+ RewriteCond %{REQUEST_URI} !^/proxy_pages
|
|
|
+
|
|
|
+ # For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
|
|
|
+ RewriteCond %{REQUEST_URI} !^/saml2
|
|
|
+ RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
|
|
|
+ ProxyPassReverse / http://${NAME}/
|
|
|
+
|
|
|
+ # Ensures httpd stdout/stderr are seen by docker logs.
|
|
|
+ ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
|
|
|
+ CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
|
|
|
+ </VirtualHost>
|
|
|
+ authentication.conf: |
|
|
|
+ # Load appropriate authentication configuration files
|
|
|
+ #
|
|
|
+ Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
|
|
|
+ configuration-internal-auth: |
|
|
|
+ # Internal authentication
|
|
|
+ #
|
|
|
+ configuration-external-auth: |
|
|
|
+ Include "conf.d/external-auth-load-modules-conf"
|
|
|
+
|
|
|
+ <Location /dashboard/kerberos_authenticate>
|
|
|
+ AuthType Kerberos
|
|
|
+ AuthName "Kerberos Login"
|
|
|
+ KrbMethodNegotiate On
|
|
|
+ KrbMethodK5Passwd Off
|
|
|
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
|
|
|
+ Krb5KeyTab /etc/http.keytab
|
|
|
+ KrbServiceName Any
|
|
|
+ Require pam-account httpd-auth
|
|
|
+
|
|
|
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
|
|
|
+ </Location>
|
|
|
+
|
|
|
+ Include "conf.d/external-auth-login-form-conf"
|
|
|
+ Include "conf.d/external-auth-application-api-conf"
|
|
|
+ Include "conf.d/external-auth-lookup-user-details-conf"
|
|
|
+ Include "conf.d/external-auth-remote-user-conf"
|
|
|
+ configuration-active-directory-auth: |
|
|
|
+ Include "conf.d/external-auth-load-modules-conf"
|
|
|
+
|
|
|
+ <Location /dashboard/kerberos_authenticate>
|
|
|
+ AuthType Kerberos
|
|
|
+ AuthName "Kerberos Login"
|
|
|
+ KrbMethodNegotiate On
|
|
|
+ KrbMethodK5Passwd Off
|
|
|
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
|
|
|
+ Krb5KeyTab /etc/krb5.keytab
|
|
|
+ KrbServiceName Any
|
|
|
+ Require pam-account httpd-auth
|
|
|
+
|
|
|
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
|
|
|
+ </Location>
|
|
|
+
|
|
|
+ Include "conf.d/external-auth-login-form-conf"
|
|
|
+ Include "conf.d/external-auth-application-api-conf"
|
|
|
+ Include "conf.d/external-auth-lookup-user-details-conf"
|
|
|
+ Include "conf.d/external-auth-remote-user-conf"
|
|
|
+ configuration-saml-auth: |
|
|
|
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
|
|
|
+
|
|
|
+ <Location />
|
|
|
+ MellonEnable "info"
|
|
|
+
|
|
|
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
|
|
|
+
|
|
|
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
|
|
|
+ MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
|
|
|
+ MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
|
|
|
+
|
|
|
+ MellonVariable "sp-cookie"
|
|
|
+ MellonSecureCookie On
|
|
|
+ MellonCookiePath "/"
|
|
|
+
|
|
|
+ MellonIdP "IDP"
|
|
|
+
|
|
|
+ MellonEndpointPath "/saml2"
|
|
|
+
|
|
|
+ MellonUser username
|
|
|
+ MellonMergeEnvVars On
|
|
|
+
|
|
|
+ MellonSetEnvNoPrefix "REMOTE_USER" username
|
|
|
+ MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
|
|
|
+ MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
|
|
|
+ MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
|
|
|
+ MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
|
|
|
+ MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
|
|
|
+ </Location>
|
|
|
+
|
|
|
+ <Location /saml_login>
|
|
|
+ AuthType "Mellon"
|
|
|
+ MellonEnable "auth"
|
|
|
+ Require valid-user
|
|
|
+ </Location>
|
|
|
+
|
|
|
+ Include "conf.d/external-auth-remote-user-conf"
|
|
|
+ external-auth-load-modules-conf: |
|
|
|
+ LoadModule authnz_pam_module modules/mod_authnz_pam.so
|
|
|
+ LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
|
|
|
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
|
|
|
+ LoadModule auth_kerb_module modules/mod_auth_kerb.so
|
|
|
+ external-auth-login-form-conf: |
|
|
|
+ <Location /dashboard/external_authenticate>
|
|
|
+ InterceptFormPAMService httpd-auth
|
|
|
+ InterceptFormLogin user_name
|
|
|
+ InterceptFormPassword user_password
|
|
|
+ InterceptFormLoginSkip admin
|
|
|
+ InterceptFormClearRemoteUserForSkipped on
|
|
|
+ </Location>
|
|
|
+ external-auth-application-api-conf: |
|
|
|
+ <LocationMatch ^/api>
|
|
|
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
|
|
|
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
|
|
|
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
|
|
|
+
|
|
|
+ AuthType Basic
|
|
|
+ AuthName "External Authentication (httpd) for API"
|
|
|
+ AuthBasicProvider PAM
|
|
|
+
|
|
|
+ AuthPAMService httpd-auth
|
|
|
+ Require valid-user
|
|
|
+ Order Allow,Deny
|
|
|
+ Allow from env=let_admin_in
|
|
|
+ Allow from env=let_api_token_in
|
|
|
+ Allow from env=let_sys_token_in
|
|
|
+ Satisfy Any
|
|
|
+ </LocationMatch>
|
|
|
+ external-auth-lookup-user-details-conf: |
|
|
|
+ <LocationMatch ^/dashboard/external_authenticate$|^/dashboard/kerberos_authenticate$|^/api>
|
|
|
+ LookupUserAttr mail REMOTE_USER_EMAIL
|
|
|
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
|
|
|
+ LookupUserAttr sn REMOTE_USER_LASTNAME
|
|
|
+ LookupUserAttr displayname REMOTE_USER_FULLNAME
|
|
|
+ LookupUserAttr domainname REMOTE_USER_DOMAIN
|
|
|
+
|
|
|
+ LookupUserGroups REMOTE_USER_GROUPS ":"
|
|
|
+ LookupDbusTimeout 5000
|
|
|
+ </LocationMatch>
|
|
|
+ external-auth-remote-user-conf: |
|
|
|
+ RequestHeader unset X_REMOTE_USER
|
|
|
+
|
|
|
+ RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
|
|
|
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
|
|
|
+ RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
|
|
|
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
|
|
|
+ RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
|
|
|
+ RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
|
|
|
+ RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
|
|
|
+ RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
|
|
|
+- apiVersion: v1
|
|
|
+ kind: ConfigMap
|
|
|
+ metadata:
|
|
|
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
|
|
|
+ data:
|
|
|
+ auth-type: internal
|
|
|
+ auth-kerberos-realms: undefined
|
|
|
+ auth-configuration.conf: |
|
|
|
+ # External Authentication Configuration File
|
|
|
+ #
|
|
|
+ # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
|
|
|
+- apiVersion: v1
|
|
|
+ kind: Service
|
|
|
+ metadata:
|
|
|
+ name: "${HTTPD_SERVICE_NAME}"
|
|
|
+ annotations:
|
|
|
+ description: Exposes the httpd server
|
|
|
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
|
|
|
+ spec:
|
|
|
+ ports:
|
|
|
+ - name: http
|
|
|
+ port: 80
|
|
|
+ targetPort: 80
|
|
|
+ selector:
|
|
|
+ name: httpd
|
|
|
+- apiVersion: v1
|
|
|
+ kind: Service
|
|
|
+ metadata:
|
|
|
+ name: "${HTTPD_DBUS_API_SERVICE_NAME}"
|
|
|
+ annotations:
|
|
|
+ description: Exposes the httpd server dbus api
|
|
|
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
|
|
|
+ spec:
|
|
|
+ ports:
|
|
|
+ - name: http-dbus-api
|
|
|
+ port: 8080
|
|
|
+ targetPort: 8080
|
|
|
+ selector:
|
|
|
+ name: httpd
|
|
|
+- apiVersion: v1
|
|
|
+ kind: DeploymentConfig
|
|
|
+ metadata:
|
|
|
+ name: "${HTTPD_SERVICE_NAME}"
|
|
|
+ annotations:
|
|
|
+ description: Defines how to deploy httpd
|
|
|
+ spec:
|
|
|
+ strategy:
|
|
|
+ type: Recreate
|
|
|
+ recreateParams:
|
|
|
+ timeoutSeconds: 1200
|
|
|
+ triggers:
|
|
|
+ - type: ConfigChange
|
|
|
+ replicas: 1
|
|
|
+ selector:
|
|
|
+ name: "${HTTPD_SERVICE_NAME}"
|
|
|
+ template:
|
|
|
+ metadata:
|
|
|
+ name: "${HTTPD_SERVICE_NAME}"
|
|
|
+ labels:
|
|
|
+ name: "${HTTPD_SERVICE_NAME}"
|
|
|
+ spec:
|
|
|
+ volumes:
|
|
|
+ - name: httpd-config
|
|
|
+ configMap:
|
|
|
+ name: "${HTTPD_SERVICE_NAME}-configs"
|
|
|
+ - name: httpd-auth-config
|
|
|
+ configMap:
|
|
|
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
|
|
|
+ containers:
|
|
|
+ - name: httpd
|
|
|
+ image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
|
|
|
+ ports:
|
|
|
+ - containerPort: 80
|
|
|
+ protocol: TCP
|
|
|
+ - containerPort: 8080
|
|
|
+ protocol: TCP
|
|
|
+ livenessProbe:
|
|
|
+ exec:
|
|
|
+ command:
|
|
|
+ - pidof
|
|
|
+ - httpd
|
|
|
+ initialDelaySeconds: 15
|
|
|
+ timeoutSeconds: 3
|
|
|
+ readinessProbe:
|
|
|
+ tcpSocket:
|
|
|
+ port: 80
|
|
|
+ initialDelaySeconds: 10
|
|
|
+ timeoutSeconds: 3
|
|
|
+ volumeMounts:
|
|
|
+ - name: httpd-config
|
|
|
+ mountPath: "${HTTPD_CONFIG_DIR}"
|
|
|
+ - name: httpd-auth-config
|
|
|
+ mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
|
|
|
+ resources:
|
|
|
+ requests:
|
|
|
+ memory: "${HTTPD_MEM_REQ}"
|
|
|
+ cpu: "${HTTPD_CPU_REQ}"
|
|
|
+ limits:
|
|
|
+ memory: "${HTTPD_MEM_LIMIT}"
|
|
|
+ env:
|
|
|
+ - name: HTTPD_AUTH_TYPE
|
|
|
+ valueFrom:
|
|
|
+ configMapKeyRef:
|
|
|
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
|
|
|
+ key: auth-type
|
|
|
+ - name: HTTPD_AUTH_KERBEROS_REALMS
|
|
|
+ valueFrom:
|
|
|
+ configMapKeyRef:
|
|
|
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
|
|
|
+ key: auth-kerberos-realms
|
|
|
+ lifecycle:
|
|
|
+ postStart:
|
|
|
+ exec:
|
|
|
+ command:
|
|
|
+ - "/usr/bin/save-container-environment"
|
|
|
+ serviceAccount: cfme-httpd
|
|
|
+ serviceAccountName: cfme-httpd
|
|
|
+parameters:
|
|
|
+- name: NAME
|
|
|
+ displayName: Name
|
|
|
+ required: true
|
|
|
+ description: The name assigned to all of the frontend objects defined in this template.
|
|
|
+ value: cloudforms
|
|
|
+- name: V2_KEY
|
|
|
+ displayName: CloudForms Encryption Key
|
|
|
+ required: true
|
|
|
+ description: Encryption Key for CloudForms Passwords
|
|
|
+ from: "[a-zA-Z0-9]{43}"
|
|
|
+ generate: expression
|
|
|
+- name: DATABASE_SERVICE_NAME
|
|
|
+ displayName: PostgreSQL Service Name
|
|
|
+ required: true
|
|
|
+ description: The name of the OpenShift Service exposed for the PostgreSQL container.
|
|
|
+ value: postgresql
|
|
|
+- name: DATABASE_USER
|
|
|
+ displayName: PostgreSQL User
|
|
|
+ required: true
|
|
|
+ description: PostgreSQL user that will access the database.
|
|
|
+ value: root
|
|
|
+- name: DATABASE_PASSWORD
|
|
|
+ displayName: PostgreSQL Password
|
|
|
+ required: true
|
|
|
+ description: Password for the PostgreSQL user.
|
|
|
+ from: "[a-zA-Z0-9]{8}"
|
|
|
+ generate: expression
|
|
|
+- name: DATABASE_IP
|
|
|
+ displayName: PostgreSQL Server IP
|
|
|
+ required: true
|
|
|
+ description: PostgreSQL external server IP used to configure service.
|
|
|
+ value: ''
|
|
|
+- name: DATABASE_PORT
|
|
|
+ displayName: PostgreSQL Server Port
|
|
|
+ required: true
|
|
|
+ description: PostgreSQL external server port used to configure service.
|
|
|
+ value: '5432'
|
|
|
+- name: DATABASE_NAME
|
|
|
+ required: true
|
|
|
+ displayName: PostgreSQL Database Name
|
|
|
+ description: Name of the PostgreSQL database accessed.
|
|
|
+ value: vmdb_production
|
|
|
+- name: DATABASE_REGION
|
|
|
+ required: true
|
|
|
+ displayName: Application Database Region
|
|
|
+ description: Database region that will be used for application.
|
|
|
+ value: '0'
|
|
|
+- name: APPLICATION_ADMIN_PASSWORD
|
|
|
+ displayName: Application Admin Password
|
|
|
+ required: true
|
|
|
+ description: Admin password that will be set on the application.
|
|
|
+ value: smartvm
|
|
|
+- name: ANSIBLE_DATABASE_NAME
|
|
|
+ displayName: Ansible PostgreSQL database name
|
|
|
+ required: true
|
|
|
+ description: The database to be used by the Ansible continer
|
|
|
+ value: awx
|
|
|
+- name: MEMCACHED_SERVICE_NAME
|
|
|
+ required: true
|
|
|
+ displayName: Memcached Service Name
|
|
|
+ description: The name of the OpenShift Service exposed for the Memcached container.
|
|
|
+ value: memcached
|
|
|
+- name: MEMCACHED_MAX_MEMORY
|
|
|
+ displayName: Memcached Max Memory
|
|
|
+ description: Memcached maximum memory for memcached object storage in MB.
|
|
|
+ value: '64'
|
|
|
+- name: MEMCACHED_MAX_CONNECTIONS
|
|
|
+ displayName: Memcached Max Connections
|
|
|
+ description: Memcached maximum number of connections allowed.
|
|
|
+ value: '1024'
|
|
|
+- name: MEMCACHED_SLAB_PAGE_SIZE
|
|
|
+ displayName: Memcached Slab Page Size
|
|
|
+ description: Memcached size of each slab page.
|
|
|
+ value: 1m
|
|
|
+- name: ANSIBLE_SERVICE_NAME
|
|
|
+ displayName: Ansible Service Name
|
|
|
+ description: The name of the OpenShift Service exposed for the Ansible container.
|
|
|
+ value: ansible
|
|
|
+- name: ANSIBLE_ADMIN_PASSWORD
|
|
|
+ displayName: Ansible admin User password
|
|
|
+ required: true
|
|
|
+ description: The password for the Ansible container admin user
|
|
|
+ from: "[a-zA-Z0-9]{32}"
|
|
|
+ generate: expression
|
|
|
+- name: ANSIBLE_SECRET_KEY
|
|
|
+ displayName: Ansible Secret Key
|
|
|
+ required: true
|
|
|
+ description: Encryption key for the Ansible container
|
|
|
+ from: "[a-f0-9]{32}"
|
|
|
+ generate: expression
|
|
|
+- name: ANSIBLE_RABBITMQ_USER_NAME
|
|
|
+ displayName: RabbitMQ Username
|
|
|
+ required: true
|
|
|
+ description: Username for the Ansible RabbitMQ Server
|
|
|
+ value: ansible
|
|
|
+- name: ANSIBLE_RABBITMQ_PASSWORD
|
|
|
+ displayName: RabbitMQ Server Password
|
|
|
+ required: true
|
|
|
+ description: Password for the Ansible RabbitMQ Server
|
|
|
+ from: "[a-zA-Z0-9]{32}"
|
|
|
+ generate: expression
|
|
|
+- name: APPLICATION_CPU_REQ
|
|
|
+ displayName: Application Min CPU Requested
|
|
|
+ required: true
|
|
|
+ description: Minimum amount of CPU time the Application container will need (expressed in millicores).
|
|
|
+ value: 1000m
|
|
|
+- name: MEMCACHED_CPU_REQ
|
|
|
+ displayName: Memcached Min CPU Requested
|
|
|
+ required: true
|
|
|
+ description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
|
|
|
+ value: 200m
|
|
|
+- name: ANSIBLE_CPU_REQ
|
|
|
+ displayName: Ansible Min CPU Requested
|
|
|
+ required: true
|
|
|
+ description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
|
|
|
+ value: 1000m
|
|
|
+- name: APPLICATION_MEM_REQ
|
|
|
+ displayName: Application Min RAM Requested
|
|
|
+ required: true
|
|
|
+ description: Minimum amount of memory the Application container will need.
|
|
|
+ value: 6144Mi
|
|
|
+- name: MEMCACHED_MEM_REQ
|
|
|
+ displayName: Memcached Min RAM Requested
|
|
|
+ required: true
|
|
|
+ description: Minimum amount of memory the Memcached container will need.
|
|
|
+ value: 64Mi
|
|
|
+- name: ANSIBLE_MEM_REQ
|
|
|
+ displayName: Ansible Min RAM Requested
|
|
|
+ required: true
|
|
|
+ description: Minimum amount of memory the Ansible container will need.
|
|
|
+ value: 2048Mi
|
|
|
+- name: APPLICATION_MEM_LIMIT
|
|
|
+ displayName: Application Max RAM Limit
|
|
|
+ required: true
|
|
|
+ description: Maximum amount of memory the Application container can consume.
|
|
|
+ value: 16384Mi
|
|
|
+- name: MEMCACHED_MEM_LIMIT
|
|
|
+ displayName: Memcached Max RAM Limit
|
|
|
+ required: true
|
|
|
+ description: Maximum amount of memory the Memcached container can consume.
|
|
|
+ value: 256Mi
|
|
|
+- name: ANSIBLE_MEM_LIMIT
|
|
|
+ displayName: Ansible Max RAM Limit
|
|
|
+ required: true
|
|
|
+ description: Maximum amount of memory the Ansible container can consume.
|
|
|
+ value: 8096Mi
|
|
|
+- name: MEMCACHED_IMG_NAME
|
|
|
+ displayName: Memcached Image Name
|
|
|
+ description: This is the Memcached image name requested to deploy.
|
|
|
+ value: registry.access.redhat.com/cloudforms46/cfme-openshift-memcached
|
|
|
+- name: MEMCACHED_IMG_TAG
|
|
|
+ displayName: Memcached Image Tag
|
|
|
+ description: This is the Memcached image tag/version requested to deploy.
|
|
|
+ value: latest
|
|
|
+- name: FRONTEND_APPLICATION_IMG_NAME
|
|
|
+ displayName: Frontend Application Image Name
|
|
|
+ description: This is the Frontend Application image name requested to deploy.
|
|
|
+ value: registry.access.redhat.com/cloudforms46/cfme-openshift-app-ui
|
|
|
+- name: BACKEND_APPLICATION_IMG_NAME
|
|
|
+ displayName: Backend Application Image Name
|
|
|
+ description: This is the Backend Application image name requested to deploy.
|
|
|
+ value: registry.access.redhat.com/cloudforms46/cfme-openshift-app
|
|
|
+- name: FRONTEND_APPLICATION_IMG_TAG
|
|
|
+ displayName: Front end Application Image Tag
|
|
|
+ description: This is the CloudForms Frontend Application image tag/version requested to deploy.
|
|
|
+ value: latest
|
|
|
+- name: BACKEND_APPLICATION_IMG_TAG
|
|
|
+ displayName: Back end Application Image Tag
|
|
|
+ description: This is the CloudForms Backend Application image tag/version requested to deploy.
|
|
|
+ value: latest
|
|
|
+- name: ANSIBLE_IMG_NAME
|
|
|
+ displayName: Ansible Image Name
|
|
|
+ description: This is the Ansible image name requested to deploy.
|
|
|
+ value: registry.access.redhat.com/cloudforms46/cfme-openshift-embedded-ansible
|
|
|
+- name: ANSIBLE_IMG_TAG
|
|
|
+ displayName: Ansible Image Tag
|
|
|
+ description: This is the Ansible image tag/version requested to deploy.
|
|
|
+ value: latest
|
|
|
+- name: APPLICATION_DOMAIN
|
|
|
+ displayName: Application Hostname
|
|
|
+ description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
|
|
|
+ value: ''
|
|
|
+- name: APPLICATION_REPLICA_COUNT
|
|
|
+ displayName: Application Replica Count
|
|
|
+ description: This is the number of Application replicas requested to deploy.
|
|
|
+ value: '1'
|
|
|
+- name: APPLICATION_INIT_DELAY
|
|
|
+ displayName: Application Init Delay
|
|
|
+ required: true
|
|
|
+ description: Delay in seconds before we attempt to initialize the application.
|
|
|
+ value: '15'
|
|
|
+- name: APPLICATION_VOLUME_CAPACITY
|
|
|
+ displayName: Application Volume Capacity
|
|
|
+ required: true
|
|
|
+ description: Volume space available for application data.
|
|
|
+ value: 5Gi
|
|
|
+- name: HTTPD_SERVICE_NAME
|
|
|
+ required: true
|
|
|
+ displayName: Apache httpd Service Name
|
|
|
+ description: The name of the OpenShift Service exposed for the httpd container.
|
|
|
+ value: httpd
|
|
|
+- name: HTTPD_DBUS_API_SERVICE_NAME
|
|
|
+ required: true
|
|
|
+ displayName: Apache httpd DBus API Service Name
|
|
|
+ description: The name of httpd dbus api service.
|
|
|
+ value: httpd-dbus-api
|
|
|
+- name: HTTPD_IMG_NAME
|
|
|
+ displayName: Apache httpd Image Name
|
|
|
+ description: This is the httpd image name requested to deploy.
|
|
|
+ value: registry.access.redhat.com/cloudforms46/cfme-openshift-httpd
|
|
|
+- name: HTTPD_IMG_TAG
|
|
|
+ displayName: Apache httpd Image Tag
|
|
|
+ description: This is the httpd image tag/version requested to deploy.
|
|
|
+ value: latest
|
|
|
+- name: HTTPD_CONFIG_DIR
|
|
|
+ displayName: Apache httpd Configuration Directory
|
|
|
+ description: Directory used to store the Apache configuration files.
|
|
|
+ value: "/etc/httpd/conf.d"
|
|
|
+- name: HTTPD_AUTH_CONFIG_DIR
|
|
|
+ displayName: External Authentication Configuration Directory
|
|
|
+ description: Directory used to store the external authentication configuration files.
|
|
|
+ value: "/etc/httpd/auth-conf.d"
|
|
|
+- name: HTTPD_CPU_REQ
|
|
|
+ displayName: Apache httpd Min CPU Requested
|
|
|
+ required: true
|
|
|
+ description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
|
|
|
+ value: 500m
|
|
|
+- name: HTTPD_MEM_REQ
|
|
|
+ displayName: Apache httpd Min RAM Requested
|
|
|
+ required: true
|
|
|
+ description: Minimum amount of memory the httpd container will need.
|
|
|
+ value: 512Mi
|
|
|
+- name: HTTPD_MEM_LIMIT
|
|
|
+ displayName: Apache httpd Max RAM Limit
|
|
|
+ required: true
|
|
|
+ description: Maximum amount of memory the httpd container can consume.
|
|
|
+ value: 8192Mi
|
Satoe Imaishi