Merge pull request #5336 from tbielawa/cfme_4.6

Automatic merge from submit-queue.

Cfme 4.6

# Description

* Implements support for **CFME 4.6** in OCP 3.7
* **Replaces** the Tech Preview CFME 4.5 release included in OCP 3.6
* Does not support graceful migrations from the CFME 4.5 tech preview release

# References

* [Trello - (5) Integrate CFME 4.6 into OCP Installation](https://trello.com/c/Rzfn5Qa8/380-5-integrate-cfme-46-into-ocp-installation)

Ensure the following RFE/Errors do not happen again

- [x] #4555 - Error creating the CFME user
- [x] #4556 - Error in PV template evaluation
- [x] #4822 - Changing `maxImagesBulkImportedPerRepository` parameter
- [x] #4568 - Add NFS directory support

# Features

Ensure the following features are configurable in the role

- [x] POC deployments can easily default to NFS storage
- [ ] Production/Cloud deployments can use automatic storage providers
- [ ] Able to select between podified vs. external PostgreSQL database (podified uses configured storage mechanism)
- [x] Template resource requests can be overridden for POC deployments

inventory/byo/hosts.origin.example

@@ -897,3 +897,60 @@ ose3-lb-ansible.test.example.com containerized=false
 [nodes]
 ose3-master[1:3]-ansible.test.example.com
 ose3-node[1:2]-ansible.test.example.com openshift_node_labels="{'region': 'primary', 'zone': 'default'}"
+# CloudForms/ManageIQ (CFME/MIQ) Configuration
+
+# See the readme for full descriptions and getting started
+# instructions: ../../roles/openshift_cfme/README.md or go directly to
+# their definitions: ../../roles/openshift_cfme/defaults/main.yml
+# ../../roles/openshift_cfme/vars/main.yml
+#
+# Namespace for the CFME project
+#openshift_cfme_project: openshift-cfme
+
+# Namespace/project description
+#openshift_cfme_project_description: CloudForms Management Engine
+
+# Choose 'miq-template' for a podified database install
+# Choose 'miq-template-ext-db' for an external database install
+#
+# If you are using the miq-template-ext-db template then you must add
+# the required database parameters to the
+# openshift_cfme_template_parameters variable.
+#openshift_cfme_app_template: miq-template
+
+# Allowed options: nfs, nfs_external, preconfigured, cloudprovider.
+#openshift_cfme_storage_class: nfs
+
+# [OPTIONAL] - If you are using an EXTERNAL NFS server, such as a
+# netapp appliance, then you must set the hostname here. Leave the
+# value as 'false' if you are not using external NFS.
+#openshift_cfme_storage_nfs_external_hostname: false
+
+# [OPTIONAL] - If you are using external NFS then you must set the base
+# path to the exports location here.
+#
+# Additionally: EXTERNAL NFS REQUIRES that YOU CREATE the nfs exports
+# that will back the application PV and optionally the database
+# pv. Export path definitions, relative to
+# {{ openshift_cfme_storage_nfs_base_dir }}
+#
+# LOCAL NFS NOTE:
+#
+# You may may also change this value if you want to change the default
+# path used for local NFS exports.
+#openshift_cfme_storage_nfs_base_dir: /exports
+
+# LOCAL NFS NOTE:
+#
+# You may override the automatically selected LOCAL NFS server by
+# setting this variable. Useful for testing specific task files.
+#openshift_cfme_storage_nfs_local_hostname: false
+
+# A hash of parameters you want to override or set in the
+# miq-template.yaml or miq-template-ext-db.yaml templates. Set this in
+# your inventory file as a simple hash. Acceptable values are defined
+# under the .parameters list in files/miq-template{-ext-db}.yaml
+# Example:
+#
+# openshift_cfme_template_parameters={'APPLICATION_MEM_REQ': '512Mi'}
+#openshift_cfme_template_parameters: {}

inventory/byo/hosts.ose.example

@@ -900,3 +900,61 @@ ose3-lb-ansible.test.example.com containerized=false
 [nodes]
 ose3-master[1:3]-ansible.test.example.com
 ose3-node[1:2]-ansible.test.example.com openshift_node_labels="{'region': 'primary', 'zone': 'default'}"
+
+# CloudForms/ManageIQ (CFME/MIQ) Configuration
+
+# See the readme for full descriptions and getting started
+# instructions: ../../roles/openshift_cfme/README.md or go directly to
+# their definitions: ../../roles/openshift_cfme/defaults/main.yml
+# ../../roles/openshift_cfme/vars/main.yml
+#
+# Namespace for the CFME project
+#openshift_cfme_project: openshift-cfme
+
+# Namespace/project description
+#openshift_cfme_project_description: CloudForms Management Engine
+
+# Choose 'miq-template' for a podified database install
+# Choose 'miq-template-ext-db' for an external database install
+#
+# If you are using the miq-template-ext-db template then you must add
+# the required database parameters to the
+# openshift_cfme_template_parameters variable.
+#openshift_cfme_app_template: miq-template
+
+# Allowed options: nfs, nfs_external, preconfigured, cloudprovider.
+#openshift_cfme_storage_class: nfs
+
+# [OPTIONAL] - If you are using an EXTERNAL NFS server, such as a
+# netapp appliance, then you must set the hostname here. Leave the
+# value as 'false' if you are not using external NFS.
+#openshift_cfme_storage_nfs_external_hostname: false
+
+# [OPTIONAL] - If you are using external NFS then you must set the base
+# path to the exports location here.
+#
+# Additionally: EXTERNAL NFS REQUIRES that YOU CREATE the nfs exports
+# that will back the application PV and optionally the database
+# pv. Export path definitions, relative to
+# {{ openshift_cfme_storage_nfs_base_dir }}
+#
+# LOCAL NFS NOTE:
+#
+# You may may also change this value if you want to change the default
+# path used for local NFS exports.
+#openshift_cfme_storage_nfs_base_dir: /exports
+
+# LOCAL NFS NOTE:
+#
+# You may override the automatically selected LOCAL NFS server by
+# setting this variable. Useful for testing specific task files.
+#openshift_cfme_storage_nfs_local_hostname: false
+
+# A hash of parameters you want to override or set in the
+# miq-template.yaml or miq-template-ext-db.yaml templates. Set this in
+# your inventory file as a simple hash. Acceptable values are defined
+# under the .parameters list in files/miq-template{-ext-db}.yaml
+# Example:
+#
+# openshift_cfme_template_parameters={'APPLICATION_MEM_REQ': '512Mi'}
+#openshift_cfme_template_parameters: {}

playbooks/common/openshift-cfme/config.yml

@@ -1,40 +1,11 @@
 ---
-# TODO: Make this work. The 'name' variable below is undefined
-# presently because it's part of the cfme role. This play can't run
-# until that's re-worked.
-#
-# - name: Pre-Pull manageiq-pods docker images
-#   hosts: nodes
-#   tasks:
-#   - name: Ensure the latest manageiq-pods docker image is pulling
-#     docker_image:
-#       name: "{{ openshift_cfme_container_image }}"
-#     # Fire-and-forget method, never timeout
-#     async: 99999999999
-#     # F-a-f, never check on this. True 'background' task.
-#     poll: 0
-
-- name: Configure Masters for CFME Bulk Image Imports
-  hosts: oo_masters_to_config
-  serial: 1
-  tasks:
-  - name: Run master cfme tuning playbook
-    include_role:
-      name: openshift_cfme
-      tasks_from: tune_masters
-
 - name: Setup CFME
   hosts: oo_first_master
-  vars:
-    r_openshift_cfme_miq_template_content: "{{ lookup('file', 'roles/openshift_cfme/files/miq-template.yaml') | from_yaml}}"
   pre_tasks:
   - name: Create a temporary place to evaluate the PV templates
     command: mktemp -d /tmp/openshift-ansible-XXXXXXX
     register: r_openshift_cfme_mktemp
     changed_when: false
-  - name: Ensure the server template was read from disk
-    debug:
-      msg="{{ r_openshift_cfme_miq_template_content | from_yaml }}"
 
   tasks:
   - name: Run the CFME Setup Role

playbooks/common/openshift-cluster/config.yml

@@ -46,6 +46,9 @@
 - include: service_catalog.yml
   when: openshift_enable_service_catalog | default(false) | bool
 
+- include: openshift_cfme.yml
+  when: openshift_cfme_install_cfme | default(false) | bool
+
 - name: Print deprecated variable warning message if necessary
   hosts: oo_first_master
   gather_facts: no

playbooks/common/openshift-cluster/openshift_cfme.yml

@@ -0,0 +1,25 @@
+---
+- name: CFME Install Checkpoint Start
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  tasks:
+  - name: Set CFME install 'In Progress'
+    set_stats:
+      data:
+        installer_phase_cfme: "In Progress"
+      aggregate: false
+
+- name: CFME
+  include: ../openshift-cfme/config.yml
+
+- name: CFME Install Checkpoint End
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  tasks:
+  - name: Set CFME install 'Complete'
+    set_stats:
+      data:
+        installer_phase_CFME: "Complete"
+      aggregate: false

roles/openshift_cfme/defaults/main.yml

@@ -1,42 +1,90 @@
 ---
-# Namespace for the CFME project (Note: changed post-3.6 to use
-# reserved 'openshift-' namespace prefix)
+# Namespace for the CFME project
 openshift_cfme_project: openshift-cfme
 # Namespace/project description
-openshift_cfme_project_description: ManageIQ - CloudForms Management Engine
-# Basic user assigned the `admin` role for the project
-openshift_cfme_user: cfme
-# Project system account for enabling privileged pods
-openshift_cfme_service_account: "system:serviceaccount:{{ openshift_cfme_project }}:default"
-# All the required exports
-openshift_cfme_pv_exports:
-  - miq-pv01
-  - miq-pv02
-  - miq-pv03
-# PV template files and their created object names
-openshift_cfme_pv_data:
-  - pv_name: miq-pv01
-    pv_template: miq-pv-db.yaml
-    pv_label: CFME DB PV
-  - pv_name: miq-pv02
-    pv_template: miq-pv-region.yaml
-    pv_label: CFME Region PV
-  - pv_name: miq-pv03
-    pv_template: miq-pv-server.yaml
-    pv_label: CFME Server PV
+openshift_cfme_project_description: CloudForms Management Engine
 
-# Tuning parameter to use more than 5 images at once from an ImageStream
-openshift_cfme_maxImagesBulkImportedPerRepository: 100
-# TODO: Refactor '_install_app' variable. This is just for testing but
-# maybe in the future it should control the entire yes/no for CFME.
-#
-# Whether or not the manageiq app should be initialized ('oc new-app
-# --template=manageiq). If False everything UP TO 'new-app' is ran.
-openshift_cfme_install_app: False
-# Docker image to pull
-openshift_cfme_application_img_name: "{{ 'registry.access.redhat.com/cloudforms45/cfme-openshift-app' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}"
-openshift_cfme_postgresql_img_name: "{{ 'registry.access.redhat.com/cloudforms45/cfme-openshift-postgresql' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}"
-openshift_cfme_memcached_img_name: "{{ 'registry.access.redhat.com/cloudforms45/cfme-openshift-memcached' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}"
-openshift_cfme_application_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'app-latest-fine' }}"
-openshift_cfme_memcached_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'memcached-latest-fine' }}"
-openshift_cfme_postgresql_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'postgresql-latest-fine' }}"
+######################################################################
+# BASE TEMPLATE AND DATABASE OPTIONS
+######################################################################
+# Which flavor of CFME would you like? You may install CFME using a
+# podified PostgreSQL server, or you may choose to use an existing
+# PostgreSQL server.
+#
+# Choose 'miq-template' for a podified database install
+# Choose 'miq-template-ext-db' for an external database install
+openshift_cfme_app_template: miq-template
+# If you are using the miq-template-ext-db template then you must add
+# the required database parameters to the
+# openshift_cfme_template_parameters variable.
+
+######################################################################
+# STORAGE OPTIONS
+######################################################################
+# DEFAULT - 'nfs'
+# Allowed options: nfs, nfs_external, preconfigured, cloudprovider.
+openshift_cfme_storage_class: nfs
+# * nfs - Best used for proof-of-concept installs. Will setup NFS on a
+#   cluster host (defaults to your first master in the inventory file)
+#   to back the required PVCs. The application requires a PVC and the
+#   database (which may be hosted externally) may require a
+#   second. PVC minimum required sizes are: 5GiB for the MIQ
+#   application, and 15GiB for the PostgreSQL database (20GiB minimum
+#   available space on an volume/partition if used specifically for
+#   NFS purposes)
+#
+# * nfs_external - You are using an external NFS server, such as a
+#   netapp appliance. See the STORAGE - NFS OPTIONS section below for
+#   required information.
+#
+# * preconfigured - This CFME role will do NOTHING to modify storage
+#   settings. This option assumes expert knowledge and that you have
+#   done everything required ahead of time.
+#
+# * cloudprovider - You are using an OCP cloudprovider integration for
+#   your storage class. For this to work you must have already
+#   configured the required inventory parameters for your cloud
+#   provider
+#
+#   Ensure 'openshift_cloudprovider_kind' is defined (aws or gce) and
+#   that the applicable cloudprovider parameters are provided.
+
+#---------------------------------------------------------------------
+# STORAGE - NFS OPTIONS
+#---------------------------------------------------------------------
+# [OPTIONAL] - If you are using an EXTERNAL NFS server, such as a
+# netapp appliance, then you must set the hostname here. Leave the
+# value as 'false' if you are not using external NFS.
+openshift_cfme_storage_nfs_external_hostname: false
+# [OPTIONAL] - If you are using external NFS then you must set the base
+# path to the exports location here.
+#
+# Additionally: EXTERNAL NFS REQUIRES that YOU CREATE the nfs exports
+# that will back the application PV and optionally the database
+# pv. Export path definitions, relative to
+# {{ openshift_cfme_storage_nfs_base_dir }}
+#
+# LOCAL NFS NOTE:
+#
+# You may may also change this value if you want to change the default
+# path used for local NFS exports.
+openshift_cfme_storage_nfs_base_dir: /exports
+#
+# LOCAL NFS NOTE:
+#
+# You may override the automatically selected LOCAL NFS server by
+# setting this variable. Useful for testing specific task files.
+openshift_cfme_storage_nfs_local_hostname: false
+
+######################################################################
+# SCAFFOLDING - These are parameters we pre-seed that a user may or
+# may not set later
+######################################################################
+# A hash of parameters you want to override or set in the
+# miq-template.yaml or miq-template-ext-db.yaml templates. Set this in
+# your inventory file as a simple hash. Acceptable values are defined
+# under the .parameters list in files/miq-template{-ext-db}.yaml
+# Example:
+#
+# openshift_cfme_template_parameters={'APPLICATION_MEM_REQ': '512Mi'}
+openshift_cfme_template_parameters: {}

roles/openshift_cfme/files/miq-template.yaml

@@ -1,566 +0,0 @@
----
-path: /tmp/miq-template-out
-data:
-  apiVersion: v1
-  kind: Template
-  labels:
-    template: manageiq
-  metadata:
-    name: manageiq
-    annotations:
-      description: "ManageIQ appliance with persistent storage"
-      tags: "instant-app,manageiq,miq"
-      iconClass: "icon-rails"
-  objects:
-  - apiVersion: v1
-    kind: Secret
-    metadata:
-      name: "${NAME}-secrets"
-    stringData:
-      pg-password: "${DATABASE_PASSWORD}"
-  - apiVersion: v1
-    kind: Service
-    metadata:
-      annotations:
-        description: "Exposes and load balances ManageIQ pods"
-        service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
-      name: ${NAME}
-    spec:
-      clusterIP: None
-      ports:
-      - name: http
-        port: 80
-        protocol: TCP
-        targetPort: 80
-      - name: https
-        port: 443
-        protocol: TCP
-        targetPort: 443
-      selector:
-        name: ${NAME}
-  - apiVersion: v1
-    kind: Route
-    metadata:
-      name: ${NAME}
-    spec:
-      host: ${APPLICATION_DOMAIN}
-      port:
-        targetPort: https
-      tls:
-        termination: passthrough
-      to:
-        kind: Service
-        name: ${NAME}
-  - apiVersion: v1
-    kind: ImageStream
-    metadata:
-      name: miq-app
-      annotations:
-        description: "Keeps track of the ManageIQ image changes"
-    spec:
-      dockerImageRepository: "${APPLICATION_IMG_NAME}"
-  - apiVersion: v1
-    kind: ImageStream
-    metadata:
-      name: miq-postgresql
-      annotations:
-        description: "Keeps track of the PostgreSQL image changes"
-    spec:
-      dockerImageRepository: "${POSTGRESQL_IMG_NAME}"
-  - apiVersion: v1
-    kind: ImageStream
-    metadata:
-      name: miq-memcached
-      annotations:
-        description: "Keeps track of the Memcached image changes"
-    spec:
-      dockerImageRepository: "${MEMCACHED_IMG_NAME}"
-  - apiVersion: v1
-    kind: PersistentVolumeClaim
-    metadata:
-      name: "${NAME}-${DATABASE_SERVICE_NAME}"
-    spec:
-      accessModes:
-        - ReadWriteOnce
-      resources:
-        requests:
-          storage: ${DATABASE_VOLUME_CAPACITY}
-  - apiVersion: v1
-    kind: PersistentVolumeClaim
-    metadata:
-      name: "${NAME}-region"
-    spec:
-      accessModes:
-        - ReadWriteOnce
-      resources:
-        requests:
-          storage: ${APPLICATION_REGION_VOLUME_CAPACITY}
-  - apiVersion: apps/v1beta1
-    kind: "StatefulSet"
-    metadata:
-      name: ${NAME}
-      annotations:
-        description: "Defines how to deploy the ManageIQ appliance"
-    spec:
-      serviceName: "${NAME}"
-      replicas: "${APPLICATION_REPLICA_COUNT}"
-      template:
-        metadata:
-          labels:
-            name: ${NAME}
-          name: ${NAME}
-        spec:
-          containers:
-          - name: manageiq
-            image: "${APPLICATION_IMG_NAME}:${APPLICATION_IMG_TAG}"
-            livenessProbe:
-              tcpSocket:
-                port: 443
-              initialDelaySeconds: 480
-              timeoutSeconds: 3
-            readinessProbe:
-              httpGet:
-                path: /
-                port: 443
-                scheme: HTTPS
-              initialDelaySeconds: 200
-              timeoutSeconds: 3
-            ports:
-            - containerPort: 80
-              protocol: TCP
-            - containerPort: 443
-              protocol: TCP
-            securityContext:
-              privileged: true
-            volumeMounts:
-                -
-                  name: "${NAME}-server"
-                  mountPath: "/persistent"
-                -
-                  name: "${NAME}-region"
-                  mountPath: "/persistent-region"
-            env:
-              -
-                name: "APPLICATION_INIT_DELAY"
-                value: "${APPLICATION_INIT_DELAY}"
-              -
-                name: "DATABASE_SERVICE_NAME"
-                value: "${DATABASE_SERVICE_NAME}"
-              -
-                name: "DATABASE_REGION"
-                value: "${DATABASE_REGION}"
-              -
-                name: "MEMCACHED_SERVICE_NAME"
-                value: "${MEMCACHED_SERVICE_NAME}"
-              -
-                name: "POSTGRESQL_USER"
-                value: "${DATABASE_USER}"
-              -
-                name: "POSTGRESQL_PASSWORD"
-                valueFrom:
-                  secretKeyRef:
-                    name: "${NAME}-secrets"
-                    key: "pg-password"
-              -
-                name: "POSTGRESQL_DATABASE"
-                value: "${DATABASE_NAME}"
-              -
-                name: "POSTGRESQL_MAX_CONNECTIONS"
-                value: "${POSTGRESQL_MAX_CONNECTIONS}"
-              -
-                name: "POSTGRESQL_SHARED_BUFFERS"
-                value: "${POSTGRESQL_SHARED_BUFFERS}"
-            resources:
-              requests:
-                memory: "${APPLICATION_MEM_REQ}"
-                cpu: "${APPLICATION_CPU_REQ}"
-              limits:
-                memory: "${APPLICATION_MEM_LIMIT}"
-            lifecycle:
-              preStop:
-                exec:
-                  command:
-                    - /opt/manageiq/container-scripts/sync-pv-data
-          volumes:
-           -
-             name: "${NAME}-region"
-             persistentVolumeClaim:
-               claimName: ${NAME}-region
-      volumeClaimTemplates:
-        - metadata:
-            name: "${NAME}-server"
-            annotations:
-              # Uncomment this if using dynamic volume provisioning.
-              # https://docs.openshift.org/latest/install_config/persistent_storage/dynamically_provisioning_pvs.html
-              # volume.alpha.kubernetes.io/storage-class: anything
-          spec:
-            accessModes: [ ReadWriteOnce ]
-            resources:
-              requests:
-                storage: "${APPLICATION_VOLUME_CAPACITY}"
-  - apiVersion: v1
-    kind: "Service"
-    metadata:
-      name: "${MEMCACHED_SERVICE_NAME}"
-      annotations:
-        description: "Exposes the memcached server"
-    spec:
-      ports:
-        -
-          name: "memcached"
-          port: 11211
-          targetPort: 11211
-      selector:
-        name: "${MEMCACHED_SERVICE_NAME}"
-  - apiVersion: v1
-    kind: "DeploymentConfig"
-    metadata:
-      name: "${MEMCACHED_SERVICE_NAME}"
-      annotations:
-        description: "Defines how to deploy memcached"
-    spec:
-      strategy:
-        type: "Recreate"
-      triggers:
-        -
-          type: "ImageChange"
-          imageChangeParams:
-            automatic: true
-            containerNames:
-              - "memcached"
-            from:
-              kind: "ImageStreamTag"
-              name: "miq-memcached:${MEMCACHED_IMG_TAG}"
-        -
-          type: "ConfigChange"
-      replicas: 1
-      selector:
-        name: "${MEMCACHED_SERVICE_NAME}"
-      template:
-        metadata:
-          name: "${MEMCACHED_SERVICE_NAME}"
-          labels:
-            name: "${MEMCACHED_SERVICE_NAME}"
-        spec:
-          volumes: []
-          containers:
-            -
-              name: "memcached"
-              image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
-              ports:
-                -
-                  containerPort: 11211
-              readinessProbe:
-                timeoutSeconds: 1
-                initialDelaySeconds: 5
-                tcpSocket:
-                  port: 11211
-              livenessProbe:
-                timeoutSeconds: 1
-                initialDelaySeconds: 30
-                tcpSocket:
-                  port: 11211
-              volumeMounts: []
-              env:
-                -
-                  name: "MEMCACHED_MAX_MEMORY"
-                  value: "${MEMCACHED_MAX_MEMORY}"
-                -
-                  name: "MEMCACHED_MAX_CONNECTIONS"
-                  value: "${MEMCACHED_MAX_CONNECTIONS}"
-                -
-                  name: "MEMCACHED_SLAB_PAGE_SIZE"
-                  value: "${MEMCACHED_SLAB_PAGE_SIZE}"
-              resources:
-                requests:
-                  memory: "${MEMCACHED_MEM_REQ}"
-                  cpu: "${MEMCACHED_CPU_REQ}"
-                limits:
-                  memory: "${MEMCACHED_MEM_LIMIT}"
-  - apiVersion: v1
-    kind: "Service"
-    metadata:
-      name: "${DATABASE_SERVICE_NAME}"
-      annotations:
-        description: "Exposes the database server"
-    spec:
-      ports:
-        -
-          name: "postgresql"
-          port: 5432
-          targetPort: 5432
-      selector:
-        name: "${DATABASE_SERVICE_NAME}"
-  - apiVersion: v1
-    kind: "DeploymentConfig"
-    metadata:
-      name: "${DATABASE_SERVICE_NAME}"
-      annotations:
-        description: "Defines how to deploy the database"
-    spec:
-      strategy:
-        type: "Recreate"
-      triggers:
-        -
-          type: "ImageChange"
-          imageChangeParams:
-            automatic: true
-            containerNames:
-              - "postgresql"
-            from:
-              kind: "ImageStreamTag"
-              name: "miq-postgresql:${POSTGRESQL_IMG_TAG}"
-        -
-          type: "ConfigChange"
-      replicas: 1
-      selector:
-        name: "${DATABASE_SERVICE_NAME}"
-      template:
-        metadata:
-          name: "${DATABASE_SERVICE_NAME}"
-          labels:
-            name: "${DATABASE_SERVICE_NAME}"
-        spec:
-          volumes:
-            -
-              name: "miq-pgdb-volume"
-              persistentVolumeClaim:
-                claimName: "${NAME}-${DATABASE_SERVICE_NAME}"
-          containers:
-            -
-              name: "postgresql"
-              image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"
-              ports:
-                -
-                  containerPort: 5432
-              readinessProbe:
-                timeoutSeconds: 1
-                initialDelaySeconds: 15
-                exec:
-                  command:
-                    - "/bin/sh"
-                    - "-i"
-                    - "-c"
-                    - "psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'"
-              livenessProbe:
-                timeoutSeconds: 1
-                initialDelaySeconds: 60
-                tcpSocket:
-                  port: 5432
-              volumeMounts:
-                -
-                  name: "miq-pgdb-volume"
-                  mountPath: "/var/lib/pgsql/data"
-              env:
-                -
-                  name: "POSTGRESQL_USER"
-                  value: "${DATABASE_USER}"
-                -
-                  name: "POSTGRESQL_PASSWORD"
-                  valueFrom:
-                    secretKeyRef:
-                      name: "${NAME}-secrets"
-                      key: "pg-password"
-                -
-                  name: "POSTGRESQL_DATABASE"
-                  value: "${DATABASE_NAME}"
-                -
-                  name: "POSTGRESQL_MAX_CONNECTIONS"
-                  value: "${POSTGRESQL_MAX_CONNECTIONS}"
-                -
-                  name: "POSTGRESQL_SHARED_BUFFERS"
-                  value: "${POSTGRESQL_SHARED_BUFFERS}"
-              resources:
-                requests:
-                  memory: "${POSTGRESQL_MEM_REQ}"
-                  cpu: "${POSTGRESQL_CPU_REQ}"
-                limits:
-                  memory: "${POSTGRESQL_MEM_LIMIT}"
-
-  parameters:
-    -
-      name: "NAME"
-      displayName: Name
-      required: true
-      description: "The name assigned to all of the frontend objects defined in this template."
-      value: manageiq
-    -
-      name: "DATABASE_SERVICE_NAME"
-      displayName: "PostgreSQL Service Name"
-      required: true
-      description: "The name of the OpenShift Service exposed for the PostgreSQL container."
-      value: "postgresql"
-    -
-      name: "DATABASE_USER"
-      displayName: "PostgreSQL User"
-      required: true
-      description: "PostgreSQL user that will access the database."
-      value: "root"
-    -
-      name: "DATABASE_PASSWORD"
-      displayName: "PostgreSQL Password"
-      required: true
-      description: "Password for the PostgreSQL user."
-      from: "[a-zA-Z0-9]{8}"
-      generate: expression
-    -
-      name: "DATABASE_NAME"
-      required: true
-      displayName: "PostgreSQL Database Name"
-      description: "Name of the PostgreSQL database accessed."
-      value: "vmdb_production"
-    -
-      name: "DATABASE_REGION"
-      required: true
-      displayName: "Application Database Region"
-      description: "Database region that will be used for application."
-      value: "0"
-    -
-      name: "MEMCACHED_SERVICE_NAME"
-      required: true
-      displayName: "Memcached Service Name"
-      description: "The name of the OpenShift Service exposed for the Memcached container."
-      value: "memcached"
-    -
-      name: "MEMCACHED_MAX_MEMORY"
-      displayName: "Memcached Max Memory"
-      description: "Memcached maximum memory for memcached object storage in MB."
-      value: "64"
-    -
-      name: "MEMCACHED_MAX_CONNECTIONS"
-      displayName: "Memcached Max Connections"
-      description: "Memcached maximum number of connections allowed."
-      value: "1024"
-    -
-      name: "MEMCACHED_SLAB_PAGE_SIZE"
-      displayName: "Memcached Slab Page Size"
-      description: "Memcached size of each slab page."
-      value: "1m"
-    -
-      name: "POSTGRESQL_MAX_CONNECTIONS"
-      displayName: "PostgreSQL Max Connections"
-      description: "PostgreSQL maximum number of database connections allowed."
-      value: "100"
-    -
-      name: "POSTGRESQL_SHARED_BUFFERS"
-      displayName: "PostgreSQL Shared Buffer Amount"
-      description: "Amount of memory dedicated for PostgreSQL shared memory buffers."
-      value: "256MB"
-    -
-      name: "APPLICATION_CPU_REQ"
-      displayName: "Application Min CPU Requested"
-      required: true
-      description: "Minimum amount of CPU time the Application container will need (expressed in millicores)."
-      value: "1000m"
-    -
-      name: "POSTGRESQL_CPU_REQ"
-      displayName: "PostgreSQL Min CPU Requested"
-      required: true
-      description: "Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores)."
-      value: "500m"
-    -
-      name: "MEMCACHED_CPU_REQ"
-      displayName: "Memcached Min CPU Requested"
-      required: true
-      description: "Minimum amount of CPU time the Memcached container will need (expressed in millicores)."
-      value: "200m"
-    -
-      name: "APPLICATION_MEM_REQ"
-      displayName: "Application Min RAM Requested"
-      required: true
-      description: "Minimum amount of memory the Application container will need."
-      value: "6144Mi"
-    -
-      name: "POSTGRESQL_MEM_REQ"
-      displayName: "PostgreSQL Min RAM Requested"
-      required: true
-      description: "Minimum amount of memory the PostgreSQL container will need."
-      value: "1024Mi"
-    -
-      name: "MEMCACHED_MEM_REQ"
-      displayName: "Memcached Min RAM Requested"
-      required: true
-      description: "Minimum amount of memory the Memcached container will need."
-      value: "64Mi"
-    -
-      name: "APPLICATION_MEM_LIMIT"
-      displayName: "Application Max RAM Limit"
-      required: true
-      description: "Maximum amount of memory the Application container can consume."
-      value: "16384Mi"
-    -
-      name: "POSTGRESQL_MEM_LIMIT"
-      displayName: "PostgreSQL Max RAM Limit"
-      required: true
-      description: "Maximum amount of memory the PostgreSQL container can consume."
-      value: "8192Mi"
-    -
-      name: "MEMCACHED_MEM_LIMIT"
-      displayName: "Memcached Max RAM Limit"
-      required: true
-      description: "Maximum amount of memory the Memcached container can consume."
-      value: "256Mi"
-    -
-      name: "POSTGRESQL_IMG_NAME"
-      displayName: "PostgreSQL Image Name"
-      description: "This is the PostgreSQL image name requested to deploy."
-      value: "docker.io/manageiq/manageiq-pods"
-    -
-      name: "POSTGRESQL_IMG_TAG"
-      displayName: "PostgreSQL Image Tag"
-      description: "This is the PostgreSQL image tag/version requested to deploy."
-      value: "postgresql-latest-fine"
-    -
-      name: "MEMCACHED_IMG_NAME"
-      displayName: "Memcached Image Name"
-      description: "This is the Memcached image name requested to deploy."
-      value: "docker.io/manageiq/manageiq-pods"
-    -
-      name: "MEMCACHED_IMG_TAG"
-      displayName: "Memcached Image Tag"
-      description: "This is the Memcached image tag/version requested to deploy."
-      value: "memcached-latest-fine"
-    -
-      name: "APPLICATION_IMG_NAME"
-      displayName: "Application Image Name"
-      description: "This is the Application image name requested to deploy."
-      value: "docker.io/manageiq/manageiq-pods"
-    -
-      name: "APPLICATION_IMG_TAG"
-      displayName: "Application Image Tag"
-      description: "This is the Application image tag/version requested to deploy."
-      value: "app-latest-fine"
-    -
-      name: "APPLICATION_DOMAIN"
-      displayName: "Application Hostname"
-      description: "The exposed hostname that will route to the application service, if left blank a value will be defaulted."
-      value: ""
-    -
-      name: "APPLICATION_REPLICA_COUNT"
-      displayName: "Application Replica Count"
-      description: "This is the number of Application replicas requested to deploy."
-      value: "1"
-    -
-      name: "APPLICATION_INIT_DELAY"
-      displayName: "Application Init Delay"
-      required: true
-      description: "Delay in seconds before we attempt to initialize the application."
-      value: "15"
-    -
-      name: "APPLICATION_VOLUME_CAPACITY"
-      displayName: "Application Volume Capacity"
-      required: true
-      description: "Volume space available for application data."
-      value: "5Gi"
-    -
-      name: "APPLICATION_REGION_VOLUME_CAPACITY"
-      displayName: "Application Region Volume Capacity"
-      required: true
-      description: "Volume space available for region application data."
-      value: "5Gi"
-    -
-      name: "DATABASE_VOLUME_CAPACITY"
-      displayName: "Database Volume Capacity"
-      required: true
-      description: "Volume space available for database."
-      value: "15Gi"

roles/openshift_cfme/files/openshift_cfme.exports

@@ -1,3 +0,0 @@
-/exports/miq-pv01 *(rw,no_root_squash,no_wdelay)
-/exports/miq-pv02 *(rw,no_root_squash,no_wdelay)
-/exports/miq-pv03 *(rw,no_root_squash,no_wdelay)

roles/openshift_cfme/files/templates/cloudforms/cfme-backup-job.yaml

@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cloudforms-backup
+spec:
+  template:
+    metadata:
+      name: cloudforms-backup
+    spec:
+      containers:
+      - name: postgresql
+        image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest
+        command:
+        - "/opt/rh/cfme-container-scripts/backup_db"
+        env:
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: cloudforms-secrets
+              key: database-url
+        volumeMounts:
+        - name: cfme-backup-vol
+          mountPath: "/backups"
+      volumes:
+      - name: cfme-backup-vol
+        persistentVolumeClaim:
+          claimName: cloudforms-backup
+      restartPolicy: Never

roles/openshift_cfme/files/templates/cloudforms/cfme-backup-pvc.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: cloudforms-backup
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 15Gi

roles/openshift_cfme/files/templates/cloudforms/cfme-pv-backup-example.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: cfme-pv03
+spec:
+  capacity:
+    storage: 15Gi
+  accessModes:
+  - ReadWriteOnce
+  nfs:
+    path: "/exports/cfme-pv03"
+    server: "<your-nfs-host-here>"
+  persistentVolumeReclaimPolicy: Retain

roles/openshift_cfme/files/templates/cloudforms/cfme-pv-db-example.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: cloudforms-db-pv
+metadata:
+  name: cloudforms-db-pv
+  annotations:
+    description: PV Template for CFME PostgreSQL DB
+    tags: PVS, CFME
+objects:
+- apiVersion: v1
+  kind: PersistentVolume
+  metadata:
+    name: cfme-db
+  spec:
+    capacity:
+      storage: "${PV_SIZE}"
+    accessModes:
+    - ReadWriteOnce
+    nfs:
+      path: "${BASE_PATH}/cfme-db"
+      server: "${NFS_HOST}"
+    persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+  displayName: PV Size for DB
+  required: true
+  description: The size of the CFME DB PV given in Gi
+  value: 15Gi
+- name: BASE_PATH
+  displayName: Exports Directory Base Path
+  required: true
+  description: The parent directory of your NFS exports
+  value: "/exports"
+- name: NFS_HOST
+  displayName: NFS Server Hostname
+  required: true
+  description: The hostname or IP address of the NFS server

roles/openshift_cfme/files/templates/cloudforms/cfme-pv-server-example.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: cloudforms-app-pv
+metadata:
+  name: cloudforms-app-pv
+  annotations:
+    description: PV Template for CFME Server
+    tags: PVS, CFME
+objects:
+- apiVersion: v1
+  kind: PersistentVolume
+  metadata:
+    name: cfme-app
+  spec:
+    capacity:
+      storage: "${PV_SIZE}"
+    accessModes:
+    - ReadWriteOnce
+    nfs:
+      path: "${BASE_PATH}/cfme-app"
+      server: "${NFS_HOST}"
+    persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+  displayName: PV Size for App
+  required: true
+  description: The size of the CFME APP PV given in Gi
+  value: 5Gi
+- name: BASE_PATH
+  displayName: Exports Directory Base Path
+  required: true
+  description: The parent directory of your NFS exports
+  value: "/exports"
+- name: NFS_HOST
+  displayName: NFS Server Hostname
+  required: true
+  description: The hostname or IP address of the NFS server

roles/openshift_cfme/files/templates/cloudforms/cfme-restore-job.yaml

@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cloudforms-restore
+spec:
+  template:
+    metadata:
+      name: cloudforms-restore
+    spec:
+      containers:
+      - name: postgresql
+        image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest
+        command:
+        - "/opt/rh/cfme-container-scripts/restore_db"
+        env:
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: cloudforms-secrets
+              key: database-url
+        - name: BACKUP_VERSION
+          value: latest
+        volumeMounts:
+        - name: cfme-backup-vol
+          mountPath: "/backups"
+        - name: cfme-prod-vol
+          mountPath: "/restore"
+      volumes:
+      - name: cfme-backup-vol
+        persistentVolumeClaim:
+          claimName: cloudforms-backup
+      - name: cfme-prod-vol
+        persistentVolumeClaim:
+          claimName: cloudforms-postgresql
+      restartPolicy: Never

roles/openshift_cfme/files/templates/cloudforms/cfme-scc-sysadmin.yaml

@@ -0,0 +1,38 @@
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+apiVersion: v1
+defaultAddCapabilities:
+- SYS_ADMIN
+fsGroup:
+  type: RunAsAny
+groups:
+- system:cluster-admins
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    kubernetes.io/description: cfme-sysadmin provides all features of the anyuid SCC but allows users to have SYS_ADMIN capabilities. This is the required scc for Pods requiring to run with systemd and the message bus.
+  creationTimestamp:
+  name: cfme-sysadmin
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- MKNOD
+- SYS_CHROOT
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+users:
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- secret

roles/openshift_cfme/files/templates/cloudforms/cfme-template-ext-db.yaml

@@ -0,0 +1,763 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: cloudforms-ext-db
+metadata:
+  name: cloudforms-ext-db
+  annotations:
+    description: CloudForms appliance with persistent storage using a external DB host
+    tags: instant-app,cloudforms,cfme
+    iconClass: icon-rails
+objects:
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-orchestrator
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-anyuid
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-privileged
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-httpd
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: "${NAME}-secrets"
+  stringData:
+    pg-password: "${DATABASE_PASSWORD}"
+    database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+    v2-key: "${V2_KEY}"
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: "${ANSIBLE_SERVICE_NAME}-secrets"
+  stringData:
+    rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+    secret-key: "${ANSIBLE_SECRET_KEY}"
+    admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Exposes and load balances CloudForms pods
+      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+    name: "${NAME}"
+  spec:
+    clusterIP: None
+    ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    selector:
+      name: "${NAME}"
+- apiVersion: v1
+  kind: Route
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+  spec:
+    host: "${APPLICATION_DOMAIN}"
+    port:
+      targetPort: http
+    tls:
+      termination: edge
+      insecureEdgeTerminationPolicy: Redirect
+    to:
+      kind: Service
+      name: "${HTTPD_SERVICE_NAME}"
+- apiVersion: apps/v1beta1
+  kind: StatefulSet
+  metadata:
+    name: "${NAME}"
+    annotations:
+      description: Defines how to deploy the CloudForms appliance
+  spec:
+    serviceName: "${NAME}"
+    replicas: "${APPLICATION_REPLICA_COUNT}"
+    template:
+      metadata:
+        labels:
+          name: "${NAME}"
+        name: "${NAME}"
+      spec:
+        containers:
+        - name: cloudforms
+          image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
+          livenessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 80
+              scheme: HTTP
+            initialDelaySeconds: 200
+            timeoutSeconds: 3
+          ports:
+          - containerPort: 80
+            protocol: TCP
+          volumeMounts:
+          - name: "${NAME}-server"
+            mountPath: "/persistent"
+          env:
+          - name: MY_POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: APPLICATION_INIT_DELAY
+            value: "${APPLICATION_INIT_DELAY}"
+          - name: DATABASE_REGION
+            value: "${DATABASE_REGION}"
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: database-url
+          - name: V2_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: v2-key
+          - name: ANSIBLE_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          resources:
+            requests:
+              memory: "${APPLICATION_MEM_REQ}"
+              cpu: "${APPLICATION_CPU_REQ}"
+            limits:
+              memory: "${APPLICATION_MEM_LIMIT}"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - "/opt/rh/cfme-container-scripts/sync-pv-data"
+        serviceAccount: cfme-orchestrator
+        serviceAccountName: cfme-orchestrator
+        terminationGracePeriodSeconds: 90
+    volumeClaimTemplates:
+    - metadata:
+        name: "${NAME}-server"
+        annotations:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Headless service for CloudForms backend pods
+    name: "${NAME}-backend"
+  spec:
+    clusterIP: None
+    selector:
+      name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+  kind: StatefulSet
+  metadata:
+    name: "${NAME}-backend"
+    annotations:
+      description: Defines how to deploy the CloudForms appliance
+  spec:
+    serviceName: "${NAME}-backend"
+    replicas: 0
+    template:
+      metadata:
+        labels:
+          name: "${NAME}-backend"
+        name: "${NAME}-backend"
+      spec:
+        containers:
+        - name: cloudforms
+          image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+          livenessProbe:
+            exec:
+              command:
+              - pidof
+              - MIQ Server
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          volumeMounts:
+          - name: "${NAME}-server"
+            mountPath: "/persistent"
+          env:
+          - name: APPLICATION_INIT_DELAY
+            value: "${APPLICATION_INIT_DELAY}"
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: database-url
+          - name: MIQ_SERVER_DEFAULT_ROLES
+            value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+          - name: FRONTEND_SERVICE_NAME
+            value: "${NAME}"
+          - name: V2_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: v2-key
+          - name: ANSIBLE_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          resources:
+            requests:
+              memory: "${APPLICATION_MEM_REQ}"
+              cpu: "${APPLICATION_CPU_REQ}"
+            limits:
+              memory: "${APPLICATION_MEM_LIMIT}"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - "/opt/rh/cfme-container-scripts/sync-pv-data"
+        serviceAccount: cfme-orchestrator
+        serviceAccountName: cfme-orchestrator
+        terminationGracePeriodSeconds: 90
+    volumeClaimTemplates:
+    - metadata:
+        name: "${NAME}-server"
+        annotations:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${MEMCACHED_SERVICE_NAME}"
+    annotations:
+      description: Exposes the memcached server
+  spec:
+    ports:
+    - name: memcached
+      port: 11211
+      targetPort: 11211
+    selector:
+      name: "${MEMCACHED_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${MEMCACHED_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy memcached
+  spec:
+    strategy:
+      type: Recreate
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${MEMCACHED_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${MEMCACHED_SERVICE_NAME}"
+        labels:
+          name: "${MEMCACHED_SERVICE_NAME}"
+      spec:
+        volumes: []
+        containers:
+        - name: memcached
+          image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+          ports:
+          - containerPort: 11211
+          readinessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 5
+            tcpSocket:
+              port: 11211
+          livenessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 30
+            tcpSocket:
+              port: 11211
+          volumeMounts: []
+          env:
+          - name: MEMCACHED_MAX_MEMORY
+            value: "${MEMCACHED_MAX_MEMORY}"
+          - name: MEMCACHED_MAX_CONNECTIONS
+            value: "${MEMCACHED_MAX_CONNECTIONS}"
+          - name: MEMCACHED_SLAB_PAGE_SIZE
+            value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+          resources:
+            requests:
+              memory: "${MEMCACHED_MEM_REQ}"
+              cpu: "${MEMCACHED_CPU_REQ}"
+            limits:
+              memory: "${MEMCACHED_MEM_LIMIT}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}"
+    annotations:
+      description: Remote database service
+  spec:
+    ports:
+    - name: postgresql
+      port: 5432
+      targetPort: "${{DATABASE_PORT}}"
+    selector: {}
+- apiVersion: v1
+  kind: Endpoints
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}"
+  subsets:
+  - addresses:
+    - ip: "${DATABASE_IP}"
+    ports:
+    - port: "${{DATABASE_PORT}}"
+      name: postgresql
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Exposes and load balances Ansible pods
+      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+    name: "${ANSIBLE_SERVICE_NAME}"
+  spec:
+    ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    selector:
+      name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${ANSIBLE_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy the Ansible appliance
+  spec:
+    strategy:
+      type: Recreate
+    serviceName: "${ANSIBLE_SERVICE_NAME}"
+    replicas: 0
+    template:
+      metadata:
+        labels:
+          name: "${ANSIBLE_SERVICE_NAME}"
+        name: "${ANSIBLE_SERVICE_NAME}"
+      spec:
+        containers:
+        - name: ansible
+          image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+          livenessProbe:
+            tcpSocket:
+              port: 443
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 200
+            timeoutSeconds: 3
+          ports:
+          - containerPort: 80
+            protocol: TCP
+          - containerPort: 443
+            protocol: TCP
+          securityContext:
+            privileged: true
+          env:
+          - name: ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          - name: RABBITMQ_USER_NAME
+            value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+          - name: RABBITMQ_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: rabbit-password
+          - name: ANSIBLE_SECRET_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: secret-key
+          - name: DATABASE_SERVICE_NAME
+            value: "${DATABASE_SERVICE_NAME}"
+          - name: POSTGRESQL_USER
+            value: "${DATABASE_USER}"
+          - name: POSTGRESQL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: pg-password
+          - name: POSTGRESQL_DATABASE
+            value: "${ANSIBLE_DATABASE_NAME}"
+          resources:
+            requests:
+              memory: "${ANSIBLE_MEM_REQ}"
+              cpu: "${ANSIBLE_CPU_REQ}"
+            limits:
+              memory: "${ANSIBLE_MEM_LIMIT}"
+        serviceAccount: cfme-privileged
+        serviceAccountName: cfme-privileged
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}-configs"
+  data:
+    application.conf: |
+      # Timeout: The number of seconds before receives and sends time out.
+      Timeout 120
+
+      RewriteEngine On
+      Options SymLinksIfOwnerMatch
+
+      <VirtualHost *:80>
+        KeepAlive on
+        ProxyPreserveHost on
+        ProxyPass        /ws/ ws://${NAME}/ws/
+        ProxyPassReverse /ws/ ws://${NAME}/ws/
+        ProxyPass        / http://${NAME}/
+        ProxyPassReverse / http://${NAME}/
+      </VirtualHost>
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}-auth-configs"
+  data:
+    auth-type: internal
+    auth-configuration.conf: |
+      # External Authentication Configuration File
+      #
+      # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+    annotations:
+      description: Exposes the httpd server
+      service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+  spec:
+    ports:
+    - name: http
+      port: 80
+      targetPort: 80
+    selector:
+      name: httpd
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy httpd
+  spec:
+    strategy:
+      type: Recreate
+      recreateParams:
+        timeoutSeconds: 1200
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${HTTPD_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${HTTPD_SERVICE_NAME}"
+        labels:
+          name: "${HTTPD_SERVICE_NAME}"
+      spec:
+        volumes:
+        - name: httpd-config
+          configMap:
+            name: "${HTTPD_SERVICE_NAME}-configs"
+        - name: httpd-auth-config
+          configMap:
+            name: "${HTTPD_SERVICE_NAME}-auth-configs"
+        containers:
+        - name: httpd
+          image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+          ports:
+          - containerPort: 80
+          livenessProbe:
+            exec:
+              command:
+              - pidof
+              - httpd
+            initialDelaySeconds: 15
+            timeoutSeconds: 3
+          readinessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 10
+            timeoutSeconds: 3
+          volumeMounts:
+          - name: httpd-config
+            mountPath: "${HTTPD_CONFIG_DIR}"
+          - name: httpd-auth-config
+            mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+          resources:
+            requests:
+              memory: "${HTTPD_MEM_REQ}"
+              cpu: "${HTTPD_CPU_REQ}"
+            limits:
+              memory: "${HTTPD_MEM_LIMIT}"
+          env:
+          - name: HTTPD_AUTH_TYPE
+            valueFrom:
+              configMapKeyRef:
+                name: "${HTTPD_SERVICE_NAME}-auth-configs"
+                key: auth-type
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                - "/usr/bin/save-container-environment"
+        serviceAccount: cfme-httpd
+        serviceAccountName: cfme-httpd
+parameters:
+- name: NAME
+  displayName: Name
+  required: true
+  description: The name assigned to all of the frontend objects defined in this template.
+  value: cloudforms
+- name: V2_KEY
+  displayName: CloudForms Encryption Key
+  required: true
+  description: Encryption Key for CloudForms Passwords
+  from: "[a-zA-Z0-9]{43}"
+  generate: expression
+- name: DATABASE_SERVICE_NAME
+  displayName: PostgreSQL Service Name
+  required: true
+  description: The name of the OpenShift Service exposed for the PostgreSQL container.
+  value: postgresql
+- name: DATABASE_USER
+  displayName: PostgreSQL User
+  required: true
+  description: PostgreSQL user that will access the database.
+  value: root
+- name: DATABASE_PASSWORD
+  displayName: PostgreSQL Password
+  required: true
+  description: Password for the PostgreSQL user.
+  from: "[a-zA-Z0-9]{8}"
+  generate: expression
+- name: DATABASE_IP
+  displayName: PostgreSQL Server IP
+  required: true
+  description: PostgreSQL external server IP used to configure service.
+  value: ''
+- name: DATABASE_PORT
+  displayName: PostgreSQL Server Port
+  required: true
+  description: PostgreSQL external server port used to configure service.
+  value: '5432'
+- name: DATABASE_NAME
+  required: true
+  displayName: PostgreSQL Database Name
+  description: Name of the PostgreSQL database accessed.
+  value: vmdb_production
+- name: DATABASE_REGION
+  required: true
+  displayName: Application Database Region
+  description: Database region that will be used for application.
+  value: '0'
+- name: ANSIBLE_DATABASE_NAME
+  displayName: Ansible PostgreSQL database name
+  required: true
+  description: The database to be used by the Ansible continer
+  value: awx
+- name: MEMCACHED_SERVICE_NAME
+  required: true
+  displayName: Memcached Service Name
+  description: The name of the OpenShift Service exposed for the Memcached container.
+  value: memcached
+- name: MEMCACHED_MAX_MEMORY
+  displayName: Memcached Max Memory
+  description: Memcached maximum memory for memcached object storage in MB.
+  value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+  displayName: Memcached Max Connections
+  description: Memcached maximum number of connections allowed.
+  value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+  displayName: Memcached Slab Page Size
+  description: Memcached size of each slab page.
+  value: 1m
+- name: ANSIBLE_SERVICE_NAME
+  displayName: Ansible Service Name
+  description: The name of the OpenShift Service exposed for the Ansible container.
+  value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+  displayName: Ansible admin User password
+  required: true
+  description: The password for the Ansible container admin user
+  from: "[a-zA-Z0-9]{32}"
+  generate: expression
+- name: ANSIBLE_SECRET_KEY
+  displayName: Ansible Secret Key
+  required: true
+  description: Encryption key for the Ansible container
+  from: "[a-f0-9]{32}"
+  generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+  displayName: RabbitMQ Username
+  required: true
+  description: Username for the Ansible RabbitMQ Server
+  value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+  displayName: RabbitMQ Server Password
+  required: true
+  description: Password for the Ansible RabbitMQ Server
+  from: "[a-zA-Z0-9]{32}"
+  generate: expression
+- name: APPLICATION_CPU_REQ
+  displayName: Application Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+  value: 1000m
+- name: MEMCACHED_CPU_REQ
+  displayName: Memcached Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+  value: 200m
+- name: ANSIBLE_CPU_REQ
+  displayName: Ansible Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+  value: 1000m
+- name: APPLICATION_MEM_REQ
+  displayName: Application Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Application container will need.
+  value: 6144Mi
+- name: MEMCACHED_MEM_REQ
+  displayName: Memcached Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Memcached container will need.
+  value: 64Mi
+- name: ANSIBLE_MEM_REQ
+  displayName: Ansible Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Ansible container will need.
+  value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+  displayName: Application Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Application container can consume.
+  value: 16384Mi
+- name: MEMCACHED_MEM_LIMIT
+  displayName: Memcached Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Memcached container can consume.
+  value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+  displayName: Ansible Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Ansible container can consume.
+  value: 8096Mi
+- name: MEMCACHED_IMG_NAME
+  displayName: Memcached Image Name
+  description: This is the Memcached image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-memcached
+- name: MEMCACHED_IMG_TAG
+  displayName: Memcached Image Tag
+  description: This is the Memcached image tag/version requested to deploy.
+  value: latest
+- name: FRONTEND_APPLICATION_IMG_NAME
+  displayName: Frontend Application Image Name
+  description: This is the Frontend Application image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app-ui
+- name: BACKEND_APPLICATION_IMG_NAME
+  displayName: Backend Application Image Name
+  description: This is the Backend Application image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app
+- name: FRONTEND_APPLICATION_IMG_TAG
+  displayName: Front end Application Image Tag
+  description: This is the CloudForms Frontend Application image tag/version requested to deploy.
+  value: latest
+- name: BACKEND_APPLICATION_IMG_TAG
+  displayName: Back end Application Image Tag
+  description: This is the CloudForms Backend Application image tag/version requested to deploy.
+  value: latest
+- name: ANSIBLE_IMG_NAME
+  displayName: Ansible Image Name
+  description: This is the Ansible image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-embedded-ansible
+- name: ANSIBLE_IMG_TAG
+  displayName: Ansible Image Tag
+  description: This is the Ansible image tag/version requested to deploy.
+  value: latest
+- name: APPLICATION_DOMAIN
+  displayName: Application Hostname
+  description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+  value: ''
+- name: APPLICATION_REPLICA_COUNT
+  displayName: Application Replica Count
+  description: This is the number of Application replicas requested to deploy.
+  value: '1'
+- name: APPLICATION_INIT_DELAY
+  displayName: Application Init Delay
+  required: true
+  description: Delay in seconds before we attempt to initialize the application.
+  value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+  displayName: Application Volume Capacity
+  required: true
+  description: Volume space available for application data.
+  value: 5Gi
+- name: HTTPD_SERVICE_NAME
+  required: true
+  displayName: Apache httpd Service Name
+  description: The name of the OpenShift Service exposed for the httpd container.
+  value: httpd
+- name: HTTPD_IMG_NAME
+  displayName: Apache httpd Image Name
+  description: This is the httpd image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-httpd
+- name: HTTPD_IMG_TAG
+  displayName: Apache httpd Image Tag
+  description: This is the httpd image tag/version requested to deploy.
+  value: latest
+- name: HTTPD_CONFIG_DIR
+  displayName: Apache httpd Configuration Directory
+  description: Directory used to store the Apache configuration files.
+  value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+  displayName: External Authentication Configuration Directory
+  description: Directory used to store the external authentication configuration files.
+  value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+  displayName: Apache httpd Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+  value: 500m
+- name: HTTPD_MEM_REQ
+  displayName: Apache httpd Min RAM Requested
+  required: true
+  description: Minimum amount of memory the httpd container will need.
+  value: 512Mi
+- name: HTTPD_MEM_LIMIT
+  displayName: Apache httpd Max RAM Limit
+  required: true
+  description: Maximum amount of memory the httpd container can consume.
+  value: 8192Mi

roles/openshift_cfme/files/templates/cloudforms/cfme-template.yaml

@@ -0,0 +1,940 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: cloudforms
+metadata:
+  name: cloudforms
+  annotations:
+    description: CloudForms appliance with persistent storage
+    tags: instant-app,cloudforms,cfme
+    iconClass: icon-rails
+objects:
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-orchestrator
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-anyuid
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-privileged
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-httpd
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: "${NAME}-secrets"
+  stringData:
+    pg-password: "${DATABASE_PASSWORD}"
+    database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+    v2-key: "${V2_KEY}"
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: "${ANSIBLE_SERVICE_NAME}-secrets"
+  stringData:
+    rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+    secret-key: "${ANSIBLE_SECRET_KEY}"
+    admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}-configs"
+  data:
+    01_miq_overrides.conf: |
+      #------------------------------------------------------------------------------
+      # CONNECTIONS AND AUTHENTICATION
+      #------------------------------------------------------------------------------
+
+      tcp_keepalives_count = 9
+      tcp_keepalives_idle = 3
+      tcp_keepalives_interval = 75
+
+      #------------------------------------------------------------------------------
+      # RESOURCE USAGE (except WAL)
+      #------------------------------------------------------------------------------
+
+      shared_preload_libraries = 'pglogical,repmgr_funcs'
+      max_worker_processes = 10
+
+      #------------------------------------------------------------------------------
+      # WRITE AHEAD LOG
+      #------------------------------------------------------------------------------
+
+      wal_level = 'logical'
+      wal_log_hints = on
+      wal_buffers = 16MB
+      checkpoint_completion_target = 0.9
+
+      #------------------------------------------------------------------------------
+      # REPLICATION
+      #------------------------------------------------------------------------------
+
+      max_wal_senders = 10
+      wal_sender_timeout = 0
+      max_replication_slots = 10
+      hot_standby = on
+
+      #------------------------------------------------------------------------------
+      # ERROR REPORTING AND LOGGING
+      #------------------------------------------------------------------------------
+
+      log_filename = 'postgresql.log'
+      log_rotation_age = 0
+      log_min_duration_statement = 5000
+      log_connections = on
+      log_disconnections = on
+      log_line_prefix = '%t:%r:%c:%u@%d:[%p]:'
+      log_lock_waits = on
+
+      #------------------------------------------------------------------------------
+      # AUTOVACUUM PARAMETERS
+      #------------------------------------------------------------------------------
+
+      log_autovacuum_min_duration = 0
+      autovacuum_naptime = 5min
+      autovacuum_vacuum_threshold = 500
+      autovacuum_analyze_threshold = 500
+      autovacuum_vacuum_scale_factor = 0.05
+
+      #------------------------------------------------------------------------------
+      # LOCK MANAGEMENT
+      #------------------------------------------------------------------------------
+
+      deadlock_timeout = 5s
+
+      #------------------------------------------------------------------------------
+      # VERSION/PLATFORM COMPATIBILITY
+      #------------------------------------------------------------------------------
+
+      escape_string_warning = off
+      standard_conforming_strings = off
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}-configs"
+  data:
+    application.conf: |
+      # Timeout: The number of seconds before receives and sends time out.
+      Timeout 120
+
+      RewriteEngine On
+      Options SymLinksIfOwnerMatch
+
+      <VirtualHost *:80>
+        KeepAlive on
+        ProxyPreserveHost on
+        ProxyPass        /ws/ ws://${NAME}/ws/
+        ProxyPassReverse /ws/ ws://${NAME}/ws/
+        ProxyPass        / http://${NAME}/
+        ProxyPassReverse / http://${NAME}/
+      </VirtualHost>
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}-auth-configs"
+  data:
+    auth-type: internal
+    auth-configuration.conf: |
+      # External Authentication Configuration File
+      #
+      # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Exposes and load balances CloudForms pods
+      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+    name: "${NAME}"
+  spec:
+    clusterIP: None
+    ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    selector:
+      name: "${NAME}"
+- apiVersion: v1
+  kind: Route
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+  spec:
+    host: "${APPLICATION_DOMAIN}"
+    port:
+      targetPort: http
+    tls:
+      termination: edge
+      insecureEdgeTerminationPolicy: Redirect
+    to:
+      kind: Service
+      name: "${HTTPD_SERVICE_NAME}"
+- apiVersion: v1
+  kind: PersistentVolumeClaim
+  metadata:
+    name: "${NAME}-${DATABASE_SERVICE_NAME}"
+  spec:
+    accessModes:
+    - ReadWriteOnce
+    resources:
+      requests:
+        storage: "${DATABASE_VOLUME_CAPACITY}"
+- apiVersion: apps/v1beta1
+  kind: StatefulSet
+  metadata:
+    name: "${NAME}"
+    annotations:
+      description: Defines how to deploy the CloudForms appliance
+  spec:
+    serviceName: "${NAME}"
+    replicas: "${APPLICATION_REPLICA_COUNT}"
+    template:
+      metadata:
+        labels:
+          name: "${NAME}"
+        name: "${NAME}"
+      spec:
+        containers:
+        - name: cloudforms
+          image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
+          livenessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 80
+              scheme: HTTP
+            initialDelaySeconds: 200
+            timeoutSeconds: 3
+          ports:
+          - containerPort: 80
+            protocol: TCP
+          volumeMounts:
+          - name: "${NAME}-server"
+            mountPath: "/persistent"
+          env:
+          - name: MY_POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: APPLICATION_INIT_DELAY
+            value: "${APPLICATION_INIT_DELAY}"
+          - name: DATABASE_REGION
+            value: "${DATABASE_REGION}"
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: database-url
+          - name: V2_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: v2-key
+          - name: ANSIBLE_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          resources:
+            requests:
+              memory: "${APPLICATION_MEM_REQ}"
+              cpu: "${APPLICATION_CPU_REQ}"
+            limits:
+              memory: "${APPLICATION_MEM_LIMIT}"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - "/opt/rh/cfme-container-scripts/sync-pv-data"
+        serviceAccount: cfme-orchestrator
+        serviceAccountName: cfme-orchestrator
+        terminationGracePeriodSeconds: 90
+    volumeClaimTemplates:
+    - metadata:
+        name: "${NAME}-server"
+        annotations:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Headless service for CloudForms backend pods
+    name: "${NAME}-backend"
+  spec:
+    clusterIP: None
+    selector:
+      name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+  kind: StatefulSet
+  metadata:
+    name: "${NAME}-backend"
+    annotations:
+      description: Defines how to deploy the CloudForms appliance
+  spec:
+    serviceName: "${NAME}-backend"
+    replicas: 0
+    template:
+      metadata:
+        labels:
+          name: "${NAME}-backend"
+        name: "${NAME}-backend"
+      spec:
+        containers:
+        - name: cloudforms
+          image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+          livenessProbe:
+            exec:
+              command:
+              - pidof
+              - MIQ Server
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          volumeMounts:
+          - name: "${NAME}-server"
+            mountPath: "/persistent"
+          env:
+          - name: APPLICATION_INIT_DELAY
+            value: "${APPLICATION_INIT_DELAY}"
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: database-url
+          - name: MIQ_SERVER_DEFAULT_ROLES
+            value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+          - name: FRONTEND_SERVICE_NAME
+            value: "${NAME}"
+          - name: V2_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: v2-key
+          - name: ANSIBLE_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          resources:
+            requests:
+              memory: "${APPLICATION_MEM_REQ}"
+              cpu: "${APPLICATION_CPU_REQ}"
+            limits:
+              memory: "${APPLICATION_MEM_LIMIT}"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - "/opt/rh/cfme-container-scripts/sync-pv-data"
+        serviceAccount: cfme-orchestrator
+        serviceAccountName: cfme-orchestrator
+        terminationGracePeriodSeconds: 90
+    volumeClaimTemplates:
+    - metadata:
+        name: "${NAME}-server"
+        annotations:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${MEMCACHED_SERVICE_NAME}"
+    annotations:
+      description: Exposes the memcached server
+  spec:
+    ports:
+    - name: memcached
+      port: 11211
+      targetPort: 11211
+    selector:
+      name: "${MEMCACHED_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${MEMCACHED_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy memcached
+  spec:
+    strategy:
+      type: Recreate
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${MEMCACHED_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${MEMCACHED_SERVICE_NAME}"
+        labels:
+          name: "${MEMCACHED_SERVICE_NAME}"
+      spec:
+        volumes: []
+        containers:
+        - name: memcached
+          image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+          ports:
+          - containerPort: 11211
+          readinessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 5
+            tcpSocket:
+              port: 11211
+          livenessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 30
+            tcpSocket:
+              port: 11211
+          volumeMounts: []
+          env:
+          - name: MEMCACHED_MAX_MEMORY
+            value: "${MEMCACHED_MAX_MEMORY}"
+          - name: MEMCACHED_MAX_CONNECTIONS
+            value: "${MEMCACHED_MAX_CONNECTIONS}"
+          - name: MEMCACHED_SLAB_PAGE_SIZE
+            value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+          resources:
+            requests:
+              memory: "${MEMCACHED_MEM_REQ}"
+              cpu: "${MEMCACHED_CPU_REQ}"
+            limits:
+              memory: "${MEMCACHED_MEM_LIMIT}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}"
+    annotations:
+      description: Exposes the database server
+  spec:
+    ports:
+    - name: postgresql
+      port: 5432
+      targetPort: 5432
+    selector:
+      name: "${DATABASE_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy the database
+  spec:
+    strategy:
+      type: Recreate
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${DATABASE_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${DATABASE_SERVICE_NAME}"
+        labels:
+          name: "${DATABASE_SERVICE_NAME}"
+      spec:
+        volumes:
+        - name: cfme-pgdb-volume
+          persistentVolumeClaim:
+            claimName: "${NAME}-${DATABASE_SERVICE_NAME}"
+        - name: cfme-pg-configs
+          configMap:
+            name: "${DATABASE_SERVICE_NAME}-configs"
+        containers:
+        - name: postgresql
+          image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"
+          ports:
+          - containerPort: 5432
+          readinessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 15
+            exec:
+              command:
+              - "/bin/sh"
+              - "-i"
+              - "-c"
+              - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'
+          livenessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 60
+            tcpSocket:
+              port: 5432
+          volumeMounts:
+          - name: cfme-pgdb-volume
+            mountPath: "/var/lib/pgsql/data"
+          - name: cfme-pg-configs
+            mountPath: "${POSTGRESQL_CONFIG_DIR}"
+          env:
+          - name: POSTGRESQL_USER
+            value: "${DATABASE_USER}"
+          - name: POSTGRESQL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: pg-password
+          - name: POSTGRESQL_DATABASE
+            value: "${DATABASE_NAME}"
+          - name: POSTGRESQL_MAX_CONNECTIONS
+            value: "${POSTGRESQL_MAX_CONNECTIONS}"
+          - name: POSTGRESQL_SHARED_BUFFERS
+            value: "${POSTGRESQL_SHARED_BUFFERS}"
+          - name: POSTGRESQL_CONFIG_DIR
+            value: "${POSTGRESQL_CONFIG_DIR}"
+          resources:
+            requests:
+              memory: "${POSTGRESQL_MEM_REQ}"
+              cpu: "${POSTGRESQL_CPU_REQ}"
+            limits:
+              memory: "${POSTGRESQL_MEM_LIMIT}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Exposes and load balances Ansible pods
+      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+    name: "${ANSIBLE_SERVICE_NAME}"
+  spec:
+    ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    selector:
+      name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${ANSIBLE_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy the Ansible appliance
+  spec:
+    strategy:
+      type: Recreate
+    serviceName: "${ANSIBLE_SERVICE_NAME}"
+    replicas: 0
+    template:
+      metadata:
+        labels:
+          name: "${ANSIBLE_SERVICE_NAME}"
+        name: "${ANSIBLE_SERVICE_NAME}"
+      spec:
+        containers:
+        - name: ansible
+          image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+          livenessProbe:
+            tcpSocket:
+              port: 443
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 200
+            timeoutSeconds: 3
+          ports:
+          - containerPort: 80
+            protocol: TCP
+          - containerPort: 443
+            protocol: TCP
+          securityContext:
+            privileged: true
+          env:
+          - name: ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          - name: RABBITMQ_USER_NAME
+            value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+          - name: RABBITMQ_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: rabbit-password
+          - name: ANSIBLE_SECRET_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: secret-key
+          - name: DATABASE_SERVICE_NAME
+            value: "${DATABASE_SERVICE_NAME}"
+          - name: POSTGRESQL_USER
+            value: "${DATABASE_USER}"
+          - name: POSTGRESQL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: pg-password
+          - name: POSTGRESQL_DATABASE
+            value: "${ANSIBLE_DATABASE_NAME}"
+          resources:
+            requests:
+              memory: "${ANSIBLE_MEM_REQ}"
+              cpu: "${ANSIBLE_CPU_REQ}"
+            limits:
+              memory: "${ANSIBLE_MEM_LIMIT}"
+        serviceAccount: cfme-privileged
+        serviceAccountName: cfme-privileged
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+    annotations:
+      description: Exposes the httpd server
+      service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+  spec:
+    ports:
+    - name: http
+      port: 80
+      targetPort: 80
+    selector:
+      name: httpd
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy httpd
+  spec:
+    strategy:
+      type: Recreate
+      recreateParams:
+        timeoutSeconds: 1200
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${HTTPD_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${HTTPD_SERVICE_NAME}"
+        labels:
+          name: "${HTTPD_SERVICE_NAME}"
+      spec:
+        volumes:
+        - name: httpd-config
+          configMap:
+            name: "${HTTPD_SERVICE_NAME}-configs"
+        - name: httpd-auth-config
+          configMap:
+            name: "${HTTPD_SERVICE_NAME}-auth-configs"
+        containers:
+        - name: httpd
+          image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+          ports:
+          - containerPort: 80
+          livenessProbe:
+            exec:
+              command:
+              - pidof
+              - httpd
+            initialDelaySeconds: 15
+            timeoutSeconds: 3
+          readinessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 10
+            timeoutSeconds: 3
+          volumeMounts:
+          - name: httpd-config
+            mountPath: "${HTTPD_CONFIG_DIR}"
+          - name: httpd-auth-config
+            mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+          resources:
+            requests:
+              memory: "${HTTPD_MEM_REQ}"
+              cpu: "${HTTPD_CPU_REQ}"
+            limits:
+              memory: "${HTTPD_MEM_LIMIT}"
+          env:
+          - name: HTTPD_AUTH_TYPE
+            valueFrom:
+              configMapKeyRef:
+                name: "${HTTPD_SERVICE_NAME}-auth-configs"
+                key: auth-type
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                - "/usr/bin/save-container-environment"
+        serviceAccount: cfme-httpd
+        serviceAccountName: cfme-httpd
+parameters:
+- name: NAME
+  displayName: Name
+  required: true
+  description: The name assigned to all of the frontend objects defined in this template.
+  value: cloudforms
+- name: V2_KEY
+  displayName: CloudForms Encryption Key
+  required: true
+  description: Encryption Key for CloudForms Passwords
+  from: "[a-zA-Z0-9]{43}"
+  generate: expression
+- name: DATABASE_SERVICE_NAME
+  displayName: PostgreSQL Service Name
+  required: true
+  description: The name of the OpenShift Service exposed for the PostgreSQL container.
+  value: postgresql
+- name: DATABASE_USER
+  displayName: PostgreSQL User
+  required: true
+  description: PostgreSQL user that will access the database.
+  value: root
+- name: DATABASE_PASSWORD
+  displayName: PostgreSQL Password
+  required: true
+  description: Password for the PostgreSQL user.
+  from: "[a-zA-Z0-9]{8}"
+  generate: expression
+- name: DATABASE_NAME
+  required: true
+  displayName: PostgreSQL Database Name
+  description: Name of the PostgreSQL database accessed.
+  value: vmdb_production
+- name: DATABASE_REGION
+  required: true
+  displayName: Application Database Region
+  description: Database region that will be used for application.
+  value: '0'
+- name: ANSIBLE_DATABASE_NAME
+  displayName: Ansible PostgreSQL database name
+  required: true
+  description: The database to be used by the Ansible continer
+  value: awx
+- name: MEMCACHED_SERVICE_NAME
+  required: true
+  displayName: Memcached Service Name
+  description: The name of the OpenShift Service exposed for the Memcached container.
+  value: memcached
+- name: MEMCACHED_MAX_MEMORY
+  displayName: Memcached Max Memory
+  description: Memcached maximum memory for memcached object storage in MB.
+  value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+  displayName: Memcached Max Connections
+  description: Memcached maximum number of connections allowed.
+  value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+  displayName: Memcached Slab Page Size
+  description: Memcached size of each slab page.
+  value: 1m
+- name: POSTGRESQL_CONFIG_DIR
+  displayName: PostgreSQL Configuration Overrides
+  description: Directory used to store PostgreSQL configuration overrides.
+  value: "/var/lib/pgsql/conf.d"
+- name: POSTGRESQL_MAX_CONNECTIONS
+  displayName: PostgreSQL Max Connections
+  description: PostgreSQL maximum number of database connections allowed.
+  value: '1000'
+- name: POSTGRESQL_SHARED_BUFFERS
+  displayName: PostgreSQL Shared Buffer Amount
+  description: Amount of memory dedicated for PostgreSQL shared memory buffers.
+  value: 1GB
+- name: ANSIBLE_SERVICE_NAME
+  displayName: Ansible Service Name
+  description: The name of the OpenShift Service exposed for the Ansible container.
+  value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+  displayName: Ansible admin User password
+  required: true
+  description: The password for the Ansible container admin user
+  from: "[a-zA-Z0-9]{32}"
+  generate: expression
+- name: ANSIBLE_SECRET_KEY
+  displayName: Ansible Secret Key
+  required: true
+  description: Encryption key for the Ansible container
+  from: "[a-f0-9]{32}"
+  generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+  displayName: RabbitMQ Username
+  required: true
+  description: Username for the Ansible RabbitMQ Server
+  value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+  displayName: RabbitMQ Server Password
+  required: true
+  description: Password for the Ansible RabbitMQ Server
+  from: "[a-zA-Z0-9]{32}"
+  generate: expression
+- name: APPLICATION_CPU_REQ
+  displayName: Application Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+  value: 1000m
+- name: POSTGRESQL_CPU_REQ
+  displayName: PostgreSQL Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores).
+  value: 500m
+- name: MEMCACHED_CPU_REQ
+  displayName: Memcached Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+  value: 200m
+- name: ANSIBLE_CPU_REQ
+  displayName: Ansible Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+  value: 1000m
+- name: APPLICATION_MEM_REQ
+  displayName: Application Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Application container will need.
+  value: 6144Mi
+- name: POSTGRESQL_MEM_REQ
+  displayName: PostgreSQL Min RAM Requested
+  required: true
+  description: Minimum amount of memory the PostgreSQL container will need.
+  value: 4Gi
+- name: MEMCACHED_MEM_REQ
+  displayName: Memcached Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Memcached container will need.
+  value: 64Mi
+- name: ANSIBLE_MEM_REQ
+  displayName: Ansible Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Ansible container will need.
+  value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+  displayName: Application Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Application container can consume.
+  value: 16384Mi
+- name: POSTGRESQL_MEM_LIMIT
+  displayName: PostgreSQL Max RAM Limit
+  required: true
+  description: Maximum amount of memory the PostgreSQL container can consume.
+  value: 8Gi
+- name: MEMCACHED_MEM_LIMIT
+  displayName: Memcached Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Memcached container can consume.
+  value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+  displayName: Ansible Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Ansible container can consume.
+  value: 8096Mi
+- name: POSTGRESQL_IMG_NAME
+  displayName: PostgreSQL Image Name
+  description: This is the PostgreSQL image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql
+- name: POSTGRESQL_IMG_TAG
+  displayName: PostgreSQL Image Tag
+  description: This is the PostgreSQL image tag/version requested to deploy.
+  value: latest
+- name: MEMCACHED_IMG_NAME
+  displayName: Memcached Image Name
+  description: This is the Memcached image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-memcached
+- name: MEMCACHED_IMG_TAG
+  displayName: Memcached Image Tag
+  description: This is the Memcached image tag/version requested to deploy.
+  value: latest
+- name: FRONTEND_APPLICATION_IMG_NAME
+  displayName: Frontend Application Image Name
+  description: This is the Frontend Application image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app-ui
+- name: BACKEND_APPLICATION_IMG_NAME
+  displayName: Backend Application Image Name
+  description: This is the Backend Application image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app
+- name: FRONTEND_APPLICATION_IMG_TAG
+  displayName: Front end Application Image Tag
+  description: This is the CloudForms Frontend Application image tag/version requested to deploy.
+  value: latest
+- name: BACKEND_APPLICATION_IMG_TAG
+  displayName: Back end Application Image Tag
+  description: This is the CloudForms Backend Application image tag/version requested to deploy.
+  value: latest
+- name: ANSIBLE_IMG_NAME
+  displayName: Ansible Image Name
+  description: This is the Ansible image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-embedded-ansible
+- name: ANSIBLE_IMG_TAG
+  displayName: Ansible Image Tag
+  description: This is the Ansible image tag/version requested to deploy.
+  value: latest
+- name: APPLICATION_DOMAIN
+  displayName: Application Hostname
+  description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+  value: ''
+- name: APPLICATION_REPLICA_COUNT
+  displayName: Application Replica Count
+  description: This is the number of Application replicas requested to deploy.
+  value: '1'
+- name: APPLICATION_INIT_DELAY
+  displayName: Application Init Delay
+  required: true
+  description: Delay in seconds before we attempt to initialize the application.
+  value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+  displayName: Application Volume Capacity
+  required: true
+  description: Volume space available for application data.
+  value: 5Gi
+- name: DATABASE_VOLUME_CAPACITY
+  displayName: Database Volume Capacity
+  required: true
+  description: Volume space available for database.
+  value: 15Gi
+- name: HTTPD_SERVICE_NAME
+  required: true
+  displayName: Apache httpd Service Name
+  description: The name of the OpenShift Service exposed for the httpd container.
+  value: httpd
+- name: HTTPD_IMG_NAME
+  displayName: Apache httpd Image Name
+  description: This is the httpd image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-httpd
+- name: HTTPD_IMG_TAG
+  displayName: Apache httpd Image Tag
+  description: This is the httpd image tag/version requested to deploy.
+  value: latest
+- name: HTTPD_CONFIG_DIR
+  displayName: Apache Configuration Directory
+  description: Directory used to store the Apache configuration files.
+  value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+  displayName: External Authentication Configuration Directory
+  description: Directory used to store the external authentication configuration files.
+  value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+  displayName: Apache httpd Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+  value: 500m
+- name: HTTPD_MEM_REQ
+  displayName: Apache httpd Min RAM Requested
+  required: true
+  description: Minimum amount of memory the httpd container will need.
+  value: 512Mi
+- name: HTTPD_MEM_LIMIT
+  displayName: Apache httpd Max RAM Limit
+  required: true
+  description: Maximum amount of memory the httpd container can consume.
+  value: 8192Mi

roles/openshift_cfme/files/templates/manageiq/miq-backup-job.yaml

@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: manageiq-backup
+spec:
+  template:
+    metadata:
+      name: manageiq-backup
+    spec:
+      containers:
+      - name: postgresql
+        image: docker.io/manageiq/postgresql:latest
+        command:
+        - "/opt/manageiq/container-scripts/backup_db"
+        env:
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: manageiq-secrets
+              key: database-url
+        volumeMounts:
+        - name: miq-backup-vol
+          mountPath: "/backups"
+      volumes:
+      - name: miq-backup-vol
+        persistentVolumeClaim:
+          claimName: manageiq-backup
+      restartPolicy: Never

roles/openshift_cfme/files/templates/manageiq/miq-backup-pvc.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: manageiq-backup
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 15Gi

roles/openshift_cfme/files/templates/manageiq/miq-pv-backup-example.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: miq-pv03
+spec:
+  capacity:
+    storage: 15Gi
+  accessModes:
+  - ReadWriteOnce
+  nfs:
+    path: "/exports/miq-pv03"
+    server: "<your-nfs-host-here>"
+  persistentVolumeReclaimPolicy: Retain

roles/openshift_cfme/files/templates/manageiq/miq-pv-db-example.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: manageiq-db-pv
+metadata:
+  name: manageiq-db-pv
+  annotations:
+    description: PV Template for MIQ PostgreSQL DB
+    tags: PVS, MIQ
+objects:
+- apiVersion: v1
+  kind: PersistentVolume
+  metadata:
+    name: miq-db
+  spec:
+    capacity:
+      storage: "${PV_SIZE}"
+    accessModes:
+    - ReadWriteOnce
+    nfs:
+      path: "${BASE_PATH}/miq-db"
+      server: "${NFS_HOST}"
+    persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+  displayName: PV Size for DB
+  required: true
+  description: The size of the MIQ DB PV given in Gi
+  value: 15Gi
+- name: BASE_PATH
+  displayName: Exports Directory Base Path
+  required: true
+  description: The parent directory of your NFS exports
+  value: "/exports"
+- name: NFS_HOST
+  displayName: NFS Server Hostname
+  required: true
+  description: The hostname or IP address of the NFS server

roles/openshift_cfme/files/templates/manageiq/miq-pv-server-example.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: manageiq-app-pv
+metadata:
+  name: manageiq-app-pv
+  annotations:
+    description: PV Template for MIQ Server
+    tags: PVS, MIQ
+objects:
+- apiVersion: v1
+  kind: PersistentVolume
+  metadata:
+    name: miq-app
+  spec:
+    capacity:
+      storage: "${PV_SIZE}"
+    accessModes:
+    - ReadWriteOnce
+    nfs:
+      path: "${BASE_PATH}/miq-app"
+      server: "${NFS_HOST}"
+    persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+  displayName: PV Size for App
+  required: true
+  description: The size of the MIQ APP PV given in Gi
+  value: 5Gi
+- name: BASE_PATH
+  displayName: Exports Directory Base Path
+  required: true
+  description: The parent directory of your NFS exports
+  value: "/exports"
+- name: NFS_HOST
+  displayName: NFS Server Hostname
+  required: true
+  description: The hostname or IP address of the NFS server

roles/openshift_cfme/files/templates/manageiq/miq-restore-job.yaml

@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: manageiq-restore
+spec:
+  template:
+    metadata:
+      name: manageiq-restore
+    spec:
+      containers:
+      - name: postgresql
+        image: docker.io/manageiq/postgresql:latest
+        command:
+        - "/opt/manageiq/container-scripts/restore_db"
+        env:
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: manageiq-secrets
+              key: database-url
+        - name: BACKUP_VERSION
+          value: latest
+        volumeMounts:
+        - name: miq-backup-vol
+          mountPath: "/backups"
+        - name: miq-prod-vol
+          mountPath: "/restore"
+      volumes:
+      - name: miq-backup-vol
+        persistentVolumeClaim:
+          claimName: manageiq-backup
+      - name: miq-prod-vol
+        persistentVolumeClaim:
+          claimName: manageiq-postgresql
+      restartPolicy: Never

roles/openshift_cfme/files/templates/manageiq/miq-template-ext-db.yaml

@@ -0,0 +1,771 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: manageiq-ext-db
+metadata:
+  name: manageiq-ext-db
+  annotations:
+    description: ManageIQ appliance with persistent storage using a external DB host
+    tags: instant-app,manageiq,miq
+    iconClass: icon-rails
+objects:
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: miq-orchestrator
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: miq-anyuid
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: miq-privileged
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: miq-httpd
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: "${NAME}-secrets"
+  stringData:
+    pg-password: "${DATABASE_PASSWORD}"
+    database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+    v2-key: "${V2_KEY}"
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: "${ANSIBLE_SERVICE_NAME}-secrets"
+  stringData:
+    rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+    secret-key: "${ANSIBLE_SECRET_KEY}"
+    admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Exposes and load balances ManageIQ pods
+      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+    name: "${NAME}"
+  spec:
+    clusterIP: None
+    ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    selector:
+      name: "${NAME}"
+- apiVersion: v1
+  kind: Route
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+  spec:
+    host: "${APPLICATION_DOMAIN}"
+    port:
+      targetPort: http
+    tls:
+      termination: edge
+      insecureEdgeTerminationPolicy: Redirect
+    to:
+      kind: Service
+      name: "${HTTPD_SERVICE_NAME}"
+- apiVersion: apps/v1beta1
+  kind: StatefulSet
+  metadata:
+    name: "${NAME}"
+    annotations:
+      description: Defines how to deploy the ManageIQ appliance
+  spec:
+    serviceName: "${NAME}"
+    replicas: "${APPLICATION_REPLICA_COUNT}"
+    template:
+      metadata:
+        labels:
+          name: "${NAME}"
+        name: "${NAME}"
+      spec:
+        containers:
+        - name: manageiq
+          image: "${APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
+          livenessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 80
+              scheme: HTTP
+            initialDelaySeconds: 200
+            timeoutSeconds: 3
+          ports:
+          - containerPort: 80
+            protocol: TCP
+          volumeMounts:
+          - name: "${NAME}-server"
+            mountPath: "/persistent"
+          env:
+          - name: MY_POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: APPLICATION_INIT_DELAY
+            value: "${APPLICATION_INIT_DELAY}"
+          - name: DATABASE_SERVICE_NAME
+            value: "${DATABASE_SERVICE_NAME}"
+          - name: DATABASE_REGION
+            value: "${DATABASE_REGION}"
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: database-url
+          - name: MEMCACHED_SERVER
+            value: "${MEMCACHED_SERVICE_NAME}:11211"
+          - name: MEMCACHED_SERVICE_NAME
+            value: "${MEMCACHED_SERVICE_NAME}"
+          - name: V2_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: v2-key
+          - name: ANSIBLE_SERVICE_NAME
+            value: "${ANSIBLE_SERVICE_NAME}"
+          - name: ANSIBLE_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          resources:
+            requests:
+              memory: "${APPLICATION_MEM_REQ}"
+              cpu: "${APPLICATION_CPU_REQ}"
+            limits:
+              memory: "${APPLICATION_MEM_LIMIT}"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - "/opt/manageiq/container-scripts/sync-pv-data"
+        serviceAccount: miq-orchestrator
+        serviceAccountName: miq-orchestrator
+        terminationGracePeriodSeconds: 90
+    volumeClaimTemplates:
+    - metadata:
+        name: "${NAME}-server"
+        annotations:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Headless service for ManageIQ backend pods
+    name: "${NAME}-backend"
+  spec:
+    clusterIP: None
+    selector:
+      name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+  kind: StatefulSet
+  metadata:
+    name: "${NAME}-backend"
+    annotations:
+      description: Defines how to deploy the ManageIQ appliance
+  spec:
+    serviceName: "${NAME}-backend"
+    replicas: 0
+    template:
+      metadata:
+        labels:
+          name: "${NAME}-backend"
+        name: "${NAME}-backend"
+      spec:
+        containers:
+        - name: manageiq
+          image: "${APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+          livenessProbe:
+            exec:
+              command:
+              - pidof
+              - MIQ Server
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          volumeMounts:
+          - name: "${NAME}-server"
+            mountPath: "/persistent"
+          env:
+          - name: APPLICATION_INIT_DELAY
+            value: "${APPLICATION_INIT_DELAY}"
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: database-url
+          - name: MIQ_SERVER_DEFAULT_ROLES
+            value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+          - name: FRONTEND_SERVICE_NAME
+            value: "${NAME}"
+          - name: MEMCACHED_SERVER
+            value: "${MEMCACHED_SERVICE_NAME}:11211"
+          - name: V2_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: v2-key
+          - name: ANSIBLE_SERVICE_NAME
+            value: "${ANSIBLE_SERVICE_NAME}"
+          - name: ANSIBLE_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          resources:
+            requests:
+              memory: "${APPLICATION_MEM_REQ}"
+              cpu: "${APPLICATION_CPU_REQ}"
+            limits:
+              memory: "${APPLICATION_MEM_LIMIT}"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - "/opt/manageiq/container-scripts/sync-pv-data"
+        serviceAccount: miq-orchestrator
+        serviceAccountName: miq-orchestrator
+        terminationGracePeriodSeconds: 90
+    volumeClaimTemplates:
+    - metadata:
+        name: "${NAME}-server"
+        annotations:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${MEMCACHED_SERVICE_NAME}"
+    annotations:
+      description: Exposes the memcached server
+  spec:
+    ports:
+    - name: memcached
+      port: 11211
+      targetPort: 11211
+    selector:
+      name: "${MEMCACHED_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${MEMCACHED_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy memcached
+  spec:
+    strategy:
+      type: Recreate
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${MEMCACHED_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${MEMCACHED_SERVICE_NAME}"
+        labels:
+          name: "${MEMCACHED_SERVICE_NAME}"
+      spec:
+        volumes: []
+        containers:
+        - name: memcached
+          image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+          ports:
+          - containerPort: 11211
+          readinessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 5
+            tcpSocket:
+              port: 11211
+          livenessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 30
+            tcpSocket:
+              port: 11211
+          volumeMounts: []
+          env:
+          - name: MEMCACHED_MAX_MEMORY
+            value: "${MEMCACHED_MAX_MEMORY}"
+          - name: MEMCACHED_MAX_CONNECTIONS
+            value: "${MEMCACHED_MAX_CONNECTIONS}"
+          - name: MEMCACHED_SLAB_PAGE_SIZE
+            value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+          resources:
+            requests:
+              memory: "${MEMCACHED_MEM_REQ}"
+              cpu: "${MEMCACHED_CPU_REQ}"
+            limits:
+              memory: "${MEMCACHED_MEM_LIMIT}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}"
+    annotations:
+      description: Remote database service
+  spec:
+    ports:
+    - name: postgresql
+      port: 5432
+      targetPort: "${{DATABASE_PORT}}"
+    selector: {}
+- apiVersion: v1
+  kind: Endpoints
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}"
+  subsets:
+  - addresses:
+    - ip: "${DATABASE_IP}"
+    ports:
+    - port: "${{DATABASE_PORT}}"
+      name: postgresql
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Exposes and load balances Ansible pods
+      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+    name: "${ANSIBLE_SERVICE_NAME}"
+  spec:
+    ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    selector:
+      name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${ANSIBLE_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy the Ansible appliance
+  spec:
+    strategy:
+      type: Recreate
+    serviceName: "${ANSIBLE_SERVICE_NAME}"
+    replicas: 0
+    template:
+      metadata:
+        labels:
+          name: "${ANSIBLE_SERVICE_NAME}"
+        name: "${ANSIBLE_SERVICE_NAME}"
+      spec:
+        containers:
+        - name: ansible
+          image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+          livenessProbe:
+            tcpSocket:
+              port: 443
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 200
+            timeoutSeconds: 3
+          ports:
+          - containerPort: 80
+            protocol: TCP
+          - containerPort: 443
+            protocol: TCP
+          securityContext:
+            privileged: true
+          env:
+          - name: ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          - name: RABBITMQ_USER_NAME
+            value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+          - name: RABBITMQ_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: rabbit-password
+          - name: ANSIBLE_SECRET_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: secret-key
+          - name: DATABASE_SERVICE_NAME
+            value: "${DATABASE_SERVICE_NAME}"
+          - name: POSTGRESQL_USER
+            value: "${DATABASE_USER}"
+          - name: POSTGRESQL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: pg-password
+          - name: POSTGRESQL_DATABASE
+            value: "${ANSIBLE_DATABASE_NAME}"
+          resources:
+            requests:
+              memory: "${ANSIBLE_MEM_REQ}"
+              cpu: "${ANSIBLE_CPU_REQ}"
+            limits:
+              memory: "${ANSIBLE_MEM_LIMIT}"
+        serviceAccount: miq-privileged
+        serviceAccountName: miq-privileged
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}-configs"
+  data:
+    application.conf: |
+      # Timeout: The number of seconds before receives and sends time out.
+      Timeout 120
+
+      RewriteEngine On
+      Options SymLinksIfOwnerMatch
+
+      <VirtualHost *:80>
+        KeepAlive on
+        ProxyPreserveHost on
+        ProxyPass        /ws/ ws://${NAME}/ws/
+        ProxyPassReverse /ws/ ws://${NAME}/ws/
+        ProxyPass        / http://${NAME}/
+        ProxyPassReverse / http://${NAME}/
+      </VirtualHost>
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}-auth-configs"
+  data:
+    auth-type: internal
+    auth-configuration.conf: |
+      # External Authentication Configuration File
+      #
+      # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+    annotations:
+      description: Exposes the httpd server
+      service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+  spec:
+    ports:
+    - name: http
+      port: 80
+      targetPort: 80
+    selector:
+      name: httpd
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy httpd
+  spec:
+    strategy:
+      type: Recreate
+      recreateParams:
+        timeoutSeconds: 1200
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${HTTPD_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${HTTPD_SERVICE_NAME}"
+        labels:
+          name: "${HTTPD_SERVICE_NAME}"
+      spec:
+        volumes:
+        - name: httpd-config
+          configMap:
+            name: "${HTTPD_SERVICE_NAME}-configs"
+        - name: httpd-auth-config
+          configMap:
+            name: "${HTTPD_SERVICE_NAME}-auth-configs"
+        containers:
+        - name: httpd
+          image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+          ports:
+          - containerPort: 80
+          livenessProbe:
+            exec:
+              command:
+              - pidof
+              - httpd
+            initialDelaySeconds: 15
+            timeoutSeconds: 3
+          readinessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 10
+            timeoutSeconds: 3
+          volumeMounts:
+          - name: httpd-config
+            mountPath: "${HTTPD_CONFIG_DIR}"
+          - name: httpd-auth-config
+            mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+          resources:
+            requests:
+              memory: "${HTTPD_MEM_REQ}"
+              cpu: "${HTTPD_CPU_REQ}"
+            limits:
+              memory: "${HTTPD_MEM_LIMIT}"
+          env:
+          - name: HTTPD_AUTH_TYPE
+            valueFrom:
+              configMapKeyRef:
+                name: "${HTTPD_SERVICE_NAME}-auth-configs"
+                key: auth-type
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                - "/usr/bin/save-container-environment"
+        serviceAccount: miq-anyuid
+        serviceAccountName: miq-anyuid
+parameters:
+- name: NAME
+  displayName: Name
+  required: true
+  description: The name assigned to all of the frontend objects defined in this template.
+  value: manageiq
+- name: V2_KEY
+  displayName: ManageIQ Encryption Key
+  required: true
+  description: Encryption Key for ManageIQ Passwords
+  from: "[a-zA-Z0-9]{43}"
+  generate: expression
+- name: DATABASE_SERVICE_NAME
+  displayName: PostgreSQL Service Name
+  required: true
+  description: The name of the OpenShift Service exposed for the PostgreSQL container.
+  value: postgresql
+- name: DATABASE_USER
+  displayName: PostgreSQL User
+  required: true
+  description: PostgreSQL user that will access the database.
+  value: root
+- name: DATABASE_PASSWORD
+  displayName: PostgreSQL Password
+  required: true
+  description: Password for the PostgreSQL user.
+  from: "[a-zA-Z0-9]{8}"
+  generate: expression
+- name: DATABASE_IP
+  displayName: PostgreSQL Server IP
+  required: true
+  description: PostgreSQL external server IP used to configure service.
+  value: ''
+- name: DATABASE_PORT
+  displayName: PostgreSQL Server Port
+  required: true
+  description: PostgreSQL external server port used to configure service.
+  value: '5432'
+- name: DATABASE_NAME
+  required: true
+  displayName: PostgreSQL Database Name
+  description: Name of the PostgreSQL database accessed.
+  value: vmdb_production
+- name: DATABASE_REGION
+  required: true
+  displayName: Application Database Region
+  description: Database region that will be used for application.
+  value: '0'
+- name: ANSIBLE_DATABASE_NAME
+  displayName: Ansible PostgreSQL database name
+  required: true
+  description: The database to be used by the Ansible continer
+  value: awx
+- name: MEMCACHED_SERVICE_NAME
+  required: true
+  displayName: Memcached Service Name
+  description: The name of the OpenShift Service exposed for the Memcached container.
+  value: memcached
+- name: MEMCACHED_MAX_MEMORY
+  displayName: Memcached Max Memory
+  description: Memcached maximum memory for memcached object storage in MB.
+  value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+  displayName: Memcached Max Connections
+  description: Memcached maximum number of connections allowed.
+  value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+  displayName: Memcached Slab Page Size
+  description: Memcached size of each slab page.
+  value: 1m
+- name: ANSIBLE_SERVICE_NAME
+  displayName: Ansible Service Name
+  description: The name of the OpenShift Service exposed for the Ansible container.
+  value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+  displayName: Ansible admin User password
+  required: true
+  description: The password for the Ansible container admin user
+  from: "[a-zA-Z0-9]{32}"
+  generate: expression
+- name: ANSIBLE_SECRET_KEY
+  displayName: Ansible Secret Key
+  required: true
+  description: Encryption key for the Ansible container
+  from: "[a-f0-9]{32}"
+  generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+  displayName: RabbitMQ Username
+  required: true
+  description: Username for the Ansible RabbitMQ Server
+  value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+  displayName: RabbitMQ Server Password
+  required: true
+  description: Password for the Ansible RabbitMQ Server
+  from: "[a-zA-Z0-9]{32}"
+  generate: expression
+- name: APPLICATION_CPU_REQ
+  displayName: Application Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+  value: 1000m
+- name: MEMCACHED_CPU_REQ
+  displayName: Memcached Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+  value: 200m
+- name: ANSIBLE_CPU_REQ
+  displayName: Ansible Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+  value: 1000m
+- name: APPLICATION_MEM_REQ
+  displayName: Application Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Application container will need.
+  value: 6144Mi
+- name: MEMCACHED_MEM_REQ
+  displayName: Memcached Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Memcached container will need.
+  value: 64Mi
+- name: ANSIBLE_MEM_REQ
+  displayName: Ansible Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Ansible container will need.
+  value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+  displayName: Application Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Application container can consume.
+  value: 16384Mi
+- name: MEMCACHED_MEM_LIMIT
+  displayName: Memcached Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Memcached container can consume.
+  value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+  displayName: Ansible Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Ansible container can consume.
+  value: 8096Mi
+- name: MEMCACHED_IMG_NAME
+  displayName: Memcached Image Name
+  description: This is the Memcached image name requested to deploy.
+  value: docker.io/manageiq/memcached
+- name: MEMCACHED_IMG_TAG
+  displayName: Memcached Image Tag
+  description: This is the Memcached image tag/version requested to deploy.
+  value: latest
+- name: APPLICATION_IMG_NAME
+  displayName: Application Image Name
+  description: This is the Application image name requested to deploy.
+  value: docker.io/manageiq/manageiq-pods
+- name: FRONTEND_APPLICATION_IMG_TAG
+  displayName: Front end Application Image Tag
+  description: This is the ManageIQ Frontend Application image tag/version requested to deploy.
+  value: frontend-latest
+- name: BACKEND_APPLICATION_IMG_TAG
+  displayName: Back end Application Image Tag
+  description: This is the ManageIQ Backend Application image tag/version requested to deploy.
+  value: backend-latest
+- name: ANSIBLE_IMG_NAME
+  displayName: Ansible Image Name
+  description: This is the Ansible image name requested to deploy.
+  value: docker.io/manageiq/embedded-ansible
+- name: ANSIBLE_IMG_TAG
+  displayName: Ansible Image Tag
+  description: This is the Ansible image tag/version requested to deploy.
+  value: latest
+- name: APPLICATION_DOMAIN
+  displayName: Application Hostname
+  description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+  value: ''
+- name: APPLICATION_REPLICA_COUNT
+  displayName: Application Replica Count
+  description: This is the number of Application replicas requested to deploy.
+  value: '1'
+- name: APPLICATION_INIT_DELAY
+  displayName: Application Init Delay
+  required: true
+  description: Delay in seconds before we attempt to initialize the application.
+  value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+  displayName: Application Volume Capacity
+  required: true
+  description: Volume space available for application data.
+  value: 5Gi
+- name: HTTPD_SERVICE_NAME
+  required: true
+  displayName: Apache httpd Service Name
+  description: The name of the OpenShift Service exposed for the httpd container.
+  value: httpd
+- name: HTTPD_IMG_NAME
+  displayName: Apache httpd Image Name
+  description: This is the httpd image name requested to deploy.
+  value: docker.io/manageiq/httpd
+- name: HTTPD_IMG_TAG
+  displayName: Apache httpd Image Tag
+  description: This is the httpd image tag/version requested to deploy.
+  value: latest
+- name: HTTPD_CONFIG_DIR
+  displayName: Apache httpd Configuration Directory
+  description: Directory used to store the Apache configuration files.
+  value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+  displayName: External Authentication Configuration Directory
+  description: Directory used to store the external authentication configuration files.
+  value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+  displayName: Apache httpd Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+  value: 500m
+- name: HTTPD_MEM_REQ
+  displayName: Apache httpd Min RAM Requested
+  required: true
+  description: Minimum amount of memory the httpd container will need.
+  value: 512Mi
+- name: HTTPD_MEM_LIMIT
+  displayName: Apache httpd Max RAM Limit
+  required: true
+  description: Maximum amount of memory the httpd container can consume.
+  value: 8192Mi

roles/openshift_cfme/files/templates/manageiq/miq-template.yaml

@@ -0,0 +1,948 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: manageiq
+metadata:
+  name: manageiq
+  annotations:
+    description: ManageIQ appliance with persistent storage
+    tags: instant-app,manageiq,miq
+    iconClass: icon-rails
+objects:
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: miq-orchestrator
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: miq-anyuid
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: miq-privileged
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: miq-httpd
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: "${NAME}-secrets"
+  stringData:
+    pg-password: "${DATABASE_PASSWORD}"
+    database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+    v2-key: "${V2_KEY}"
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: "${ANSIBLE_SERVICE_NAME}-secrets"
+  stringData:
+    rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+    secret-key: "${ANSIBLE_SECRET_KEY}"
+    admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}-configs"
+  data:
+    01_miq_overrides.conf: |
+      #------------------------------------------------------------------------------
+      # CONNECTIONS AND AUTHENTICATION
+      #------------------------------------------------------------------------------
+
+      tcp_keepalives_count = 9
+      tcp_keepalives_idle = 3
+      tcp_keepalives_interval = 75
+
+      #------------------------------------------------------------------------------
+      # RESOURCE USAGE (except WAL)
+      #------------------------------------------------------------------------------
+
+      shared_preload_libraries = 'pglogical,repmgr_funcs'
+      max_worker_processes = 10
+
+      #------------------------------------------------------------------------------
+      # WRITE AHEAD LOG
+      #------------------------------------------------------------------------------
+
+      wal_level = 'logical'
+      wal_log_hints = on
+      wal_buffers = 16MB
+      checkpoint_completion_target = 0.9
+
+      #------------------------------------------------------------------------------
+      # REPLICATION
+      #------------------------------------------------------------------------------
+
+      max_wal_senders = 10
+      wal_sender_timeout = 0
+      max_replication_slots = 10
+      hot_standby = on
+
+      #------------------------------------------------------------------------------
+      # ERROR REPORTING AND LOGGING
+      #------------------------------------------------------------------------------
+
+      log_filename = 'postgresql.log'
+      log_rotation_age = 0
+      log_min_duration_statement = 5000
+      log_connections = on
+      log_disconnections = on
+      log_line_prefix = '%t:%r:%c:%u@%d:[%p]:'
+      log_lock_waits = on
+
+      #------------------------------------------------------------------------------
+      # AUTOVACUUM PARAMETERS
+      #------------------------------------------------------------------------------
+
+      log_autovacuum_min_duration = 0
+      autovacuum_naptime = 5min
+      autovacuum_vacuum_threshold = 500
+      autovacuum_analyze_threshold = 500
+      autovacuum_vacuum_scale_factor = 0.05
+
+      #------------------------------------------------------------------------------
+      # LOCK MANAGEMENT
+      #------------------------------------------------------------------------------
+
+      deadlock_timeout = 5s
+
+      #------------------------------------------------------------------------------
+      # VERSION/PLATFORM COMPATIBILITY
+      #------------------------------------------------------------------------------
+
+      escape_string_warning = off
+      standard_conforming_strings = off
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}-configs"
+  data:
+    application.conf: |
+      # Timeout: The number of seconds before receives and sends time out.
+      Timeout 120
+
+      RewriteEngine On
+      Options SymLinksIfOwnerMatch
+
+      <VirtualHost *:80>
+        KeepAlive on
+        ProxyPreserveHost on
+        ProxyPass        /ws/ ws://${NAME}/ws/
+        ProxyPassReverse /ws/ ws://${NAME}/ws/
+        ProxyPass        / http://${NAME}/
+        ProxyPassReverse / http://${NAME}/
+      </VirtualHost>
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}-auth-configs"
+  data:
+    auth-type: internal
+    auth-configuration.conf: |
+      # External Authentication Configuration File
+      #
+      # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Exposes and load balances ManageIQ pods
+      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+    name: "${NAME}"
+  spec:
+    clusterIP: None
+    ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    selector:
+      name: "${NAME}"
+- apiVersion: v1
+  kind: Route
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+  spec:
+    host: "${APPLICATION_DOMAIN}"
+    port:
+      targetPort: http
+    tls:
+      termination: edge
+      insecureEdgeTerminationPolicy: Redirect
+    to:
+      kind: Service
+      name: "${HTTPD_SERVICE_NAME}"
+- apiVersion: v1
+  kind: PersistentVolumeClaim
+  metadata:
+    name: "${NAME}-${DATABASE_SERVICE_NAME}"
+  spec:
+    accessModes:
+    - ReadWriteOnce
+    resources:
+      requests:
+        storage: "${DATABASE_VOLUME_CAPACITY}"
+- apiVersion: apps/v1beta1
+  kind: StatefulSet
+  metadata:
+    name: "${NAME}"
+    annotations:
+      description: Defines how to deploy the ManageIQ appliance
+  spec:
+    serviceName: "${NAME}"
+    replicas: "${APPLICATION_REPLICA_COUNT}"
+    template:
+      metadata:
+        labels:
+          name: "${NAME}"
+        name: "${NAME}"
+      spec:
+        containers:
+        - name: manageiq
+          image: "${APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
+          livenessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 80
+              scheme: HTTP
+            initialDelaySeconds: 200
+            timeoutSeconds: 3
+          ports:
+          - containerPort: 80
+            protocol: TCP
+          volumeMounts:
+          - name: "${NAME}-server"
+            mountPath: "/persistent"
+          env:
+          - name: MY_POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: APPLICATION_INIT_DELAY
+            value: "${APPLICATION_INIT_DELAY}"
+          - name: DATABASE_SERVICE_NAME
+            value: "${DATABASE_SERVICE_NAME}"
+          - name: DATABASE_REGION
+            value: "${DATABASE_REGION}"
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: database-url
+          - name: MEMCACHED_SERVER
+            value: "${MEMCACHED_SERVICE_NAME}:11211"
+          - name: MEMCACHED_SERVICE_NAME
+            value: "${MEMCACHED_SERVICE_NAME}"
+          - name: V2_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: v2-key
+          - name: ANSIBLE_SERVICE_NAME
+            value: "${ANSIBLE_SERVICE_NAME}"
+          - name: ANSIBLE_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          resources:
+            requests:
+              memory: "${APPLICATION_MEM_REQ}"
+              cpu: "${APPLICATION_CPU_REQ}"
+            limits:
+              memory: "${APPLICATION_MEM_LIMIT}"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - "/opt/manageiq/container-scripts/sync-pv-data"
+        serviceAccount: miq-orchestrator
+        serviceAccountName: miq-orchestrator
+        terminationGracePeriodSeconds: 90
+    volumeClaimTemplates:
+    - metadata:
+        name: "${NAME}-server"
+        annotations:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Headless service for ManageIQ backend pods
+    name: "${NAME}-backend"
+  spec:
+    clusterIP: None
+    selector:
+      name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+  kind: StatefulSet
+  metadata:
+    name: "${NAME}-backend"
+    annotations:
+      description: Defines how to deploy the ManageIQ appliance
+  spec:
+    serviceName: "${NAME}-backend"
+    replicas: 0
+    template:
+      metadata:
+        labels:
+          name: "${NAME}-backend"
+        name: "${NAME}-backend"
+      spec:
+        containers:
+        - name: manageiq
+          image: "${APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+          livenessProbe:
+            exec:
+              command:
+              - pidof
+              - MIQ Server
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          volumeMounts:
+          - name: "${NAME}-server"
+            mountPath: "/persistent"
+          env:
+          - name: APPLICATION_INIT_DELAY
+            value: "${APPLICATION_INIT_DELAY}"
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: database-url
+          - name: MIQ_SERVER_DEFAULT_ROLES
+            value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+          - name: FRONTEND_SERVICE_NAME
+            value: "${NAME}"
+          - name: MEMCACHED_SERVER
+            value: "${MEMCACHED_SERVICE_NAME}:11211"
+          - name: V2_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: v2-key
+          - name: ANSIBLE_SERVICE_NAME
+            value: "${ANSIBLE_SERVICE_NAME}"
+          - name: ANSIBLE_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          resources:
+            requests:
+              memory: "${APPLICATION_MEM_REQ}"
+              cpu: "${APPLICATION_CPU_REQ}"
+            limits:
+              memory: "${APPLICATION_MEM_LIMIT}"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - "/opt/manageiq/container-scripts/sync-pv-data"
+        serviceAccount: miq-orchestrator
+        serviceAccountName: miq-orchestrator
+        terminationGracePeriodSeconds: 90
+    volumeClaimTemplates:
+    - metadata:
+        name: "${NAME}-server"
+        annotations:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${MEMCACHED_SERVICE_NAME}"
+    annotations:
+      description: Exposes the memcached server
+  spec:
+    ports:
+    - name: memcached
+      port: 11211
+      targetPort: 11211
+    selector:
+      name: "${MEMCACHED_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${MEMCACHED_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy memcached
+  spec:
+    strategy:
+      type: Recreate
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${MEMCACHED_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${MEMCACHED_SERVICE_NAME}"
+        labels:
+          name: "${MEMCACHED_SERVICE_NAME}"
+      spec:
+        volumes: []
+        containers:
+        - name: memcached
+          image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+          ports:
+          - containerPort: 11211
+          readinessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 5
+            tcpSocket:
+              port: 11211
+          livenessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 30
+            tcpSocket:
+              port: 11211
+          volumeMounts: []
+          env:
+          - name: MEMCACHED_MAX_MEMORY
+            value: "${MEMCACHED_MAX_MEMORY}"
+          - name: MEMCACHED_MAX_CONNECTIONS
+            value: "${MEMCACHED_MAX_CONNECTIONS}"
+          - name: MEMCACHED_SLAB_PAGE_SIZE
+            value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+          resources:
+            requests:
+              memory: "${MEMCACHED_MEM_REQ}"
+              cpu: "${MEMCACHED_CPU_REQ}"
+            limits:
+              memory: "${MEMCACHED_MEM_LIMIT}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}"
+    annotations:
+      description: Exposes the database server
+  spec:
+    ports:
+    - name: postgresql
+      port: 5432
+      targetPort: 5432
+    selector:
+      name: "${DATABASE_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy the database
+  spec:
+    strategy:
+      type: Recreate
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${DATABASE_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${DATABASE_SERVICE_NAME}"
+        labels:
+          name: "${DATABASE_SERVICE_NAME}"
+      spec:
+        volumes:
+        - name: miq-pgdb-volume
+          persistentVolumeClaim:
+            claimName: "${NAME}-${DATABASE_SERVICE_NAME}"
+        - name: miq-pg-configs
+          configMap:
+            name: "${DATABASE_SERVICE_NAME}-configs"
+        containers:
+        - name: postgresql
+          image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"
+          ports:
+          - containerPort: 5432
+          readinessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 15
+            exec:
+              command:
+              - "/bin/sh"
+              - "-i"
+              - "-c"
+              - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'
+          livenessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 60
+            tcpSocket:
+              port: 5432
+          volumeMounts:
+          - name: miq-pgdb-volume
+            mountPath: "/var/lib/pgsql/data"
+          - name: miq-pg-configs
+            mountPath: "${POSTGRESQL_CONFIG_DIR}"
+          env:
+          - name: POSTGRESQL_USER
+            value: "${DATABASE_USER}"
+          - name: POSTGRESQL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: pg-password
+          - name: POSTGRESQL_DATABASE
+            value: "${DATABASE_NAME}"
+          - name: POSTGRESQL_MAX_CONNECTIONS
+            value: "${POSTGRESQL_MAX_CONNECTIONS}"
+          - name: POSTGRESQL_SHARED_BUFFERS
+            value: "${POSTGRESQL_SHARED_BUFFERS}"
+          - name: POSTGRESQL_CONFIG_DIR
+            value: "${POSTGRESQL_CONFIG_DIR}"
+          resources:
+            requests:
+              memory: "${POSTGRESQL_MEM_REQ}"
+              cpu: "${POSTGRESQL_CPU_REQ}"
+            limits:
+              memory: "${POSTGRESQL_MEM_LIMIT}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Exposes and load balances Ansible pods
+      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+    name: "${ANSIBLE_SERVICE_NAME}"
+  spec:
+    ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    selector:
+      name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${ANSIBLE_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy the Ansible appliance
+  spec:
+    strategy:
+      type: Recreate
+    serviceName: "${ANSIBLE_SERVICE_NAME}"
+    replicas: 0
+    template:
+      metadata:
+        labels:
+          name: "${ANSIBLE_SERVICE_NAME}"
+        name: "${ANSIBLE_SERVICE_NAME}"
+      spec:
+        containers:
+        - name: ansible
+          image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+          livenessProbe:
+            tcpSocket:
+              port: 443
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 200
+            timeoutSeconds: 3
+          ports:
+          - containerPort: 80
+            protocol: TCP
+          - containerPort: 443
+            protocol: TCP
+          securityContext:
+            privileged: true
+          env:
+          - name: ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          - name: RABBITMQ_USER_NAME
+            value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+          - name: RABBITMQ_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: rabbit-password
+          - name: ANSIBLE_SECRET_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: secret-key
+          - name: DATABASE_SERVICE_NAME
+            value: "${DATABASE_SERVICE_NAME}"
+          - name: POSTGRESQL_USER
+            value: "${DATABASE_USER}"
+          - name: POSTGRESQL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: pg-password
+          - name: POSTGRESQL_DATABASE
+            value: "${ANSIBLE_DATABASE_NAME}"
+          resources:
+            requests:
+              memory: "${ANSIBLE_MEM_REQ}"
+              cpu: "${ANSIBLE_CPU_REQ}"
+            limits:
+              memory: "${ANSIBLE_MEM_LIMIT}"
+        serviceAccount: miq-privileged
+        serviceAccountName: miq-privileged
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+    annotations:
+      description: Exposes the httpd server
+      service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+  spec:
+    ports:
+    - name: http
+      port: 80
+      targetPort: 80
+    selector:
+      name: httpd
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy httpd
+  spec:
+    strategy:
+      type: Recreate
+      recreateParams:
+        timeoutSeconds: 1200
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${HTTPD_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${HTTPD_SERVICE_NAME}"
+        labels:
+          name: "${HTTPD_SERVICE_NAME}"
+      spec:
+        volumes:
+        - name: httpd-config
+          configMap:
+            name: "${HTTPD_SERVICE_NAME}-configs"
+        - name: httpd-auth-config
+          configMap:
+            name: "${HTTPD_SERVICE_NAME}-auth-configs"
+        containers:
+        - name: httpd
+          image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+          ports:
+          - containerPort: 80
+          livenessProbe:
+            exec:
+              command:
+              - pidof
+              - httpd
+            initialDelaySeconds: 15
+            timeoutSeconds: 3
+          readinessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 10
+            timeoutSeconds: 3
+          volumeMounts:
+          - name: httpd-config
+            mountPath: "${HTTPD_CONFIG_DIR}"
+          - name: httpd-auth-config
+            mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+          resources:
+            requests:
+              memory: "${HTTPD_MEM_REQ}"
+              cpu: "${HTTPD_CPU_REQ}"
+            limits:
+              memory: "${HTTPD_MEM_LIMIT}"
+          env:
+          - name: HTTPD_AUTH_TYPE
+            valueFrom:
+              configMapKeyRef:
+                name: "${HTTPD_SERVICE_NAME}-auth-configs"
+                key: auth-type
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                - "/usr/bin/save-container-environment"
+        serviceAccount: miq-anyuid
+        serviceAccountName: miq-anyuid
+parameters:
+- name: NAME
+  displayName: Name
+  required: true
+  description: The name assigned to all of the frontend objects defined in this template.
+  value: manageiq
+- name: V2_KEY
+  displayName: ManageIQ Encryption Key
+  required: true
+  description: Encryption Key for ManageIQ Passwords
+  from: "[a-zA-Z0-9]{43}"
+  generate: expression
+- name: DATABASE_SERVICE_NAME
+  displayName: PostgreSQL Service Name
+  required: true
+  description: The name of the OpenShift Service exposed for the PostgreSQL container.
+  value: postgresql
+- name: DATABASE_USER
+  displayName: PostgreSQL User
+  required: true
+  description: PostgreSQL user that will access the database.
+  value: root
+- name: DATABASE_PASSWORD
+  displayName: PostgreSQL Password
+  required: true
+  description: Password for the PostgreSQL user.
+  from: "[a-zA-Z0-9]{8}"
+  generate: expression
+- name: DATABASE_NAME
+  required: true
+  displayName: PostgreSQL Database Name
+  description: Name of the PostgreSQL database accessed.
+  value: vmdb_production
+- name: DATABASE_REGION
+  required: true
+  displayName: Application Database Region
+  description: Database region that will be used for application.
+  value: '0'
+- name: ANSIBLE_DATABASE_NAME
+  displayName: Ansible PostgreSQL database name
+  required: true
+  description: The database to be used by the Ansible continer
+  value: awx
+- name: MEMCACHED_SERVICE_NAME
+  required: true
+  displayName: Memcached Service Name
+  description: The name of the OpenShift Service exposed for the Memcached container.
+  value: memcached
+- name: MEMCACHED_MAX_MEMORY
+  displayName: Memcached Max Memory
+  description: Memcached maximum memory for memcached object storage in MB.
+  value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+  displayName: Memcached Max Connections
+  description: Memcached maximum number of connections allowed.
+  value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+  displayName: Memcached Slab Page Size
+  description: Memcached size of each slab page.
+  value: 1m
+- name: POSTGRESQL_CONFIG_DIR
+  displayName: PostgreSQL Configuration Overrides
+  description: Directory used to store PostgreSQL configuration overrides.
+  value: "/var/lib/pgsql/conf.d"
+- name: POSTGRESQL_MAX_CONNECTIONS
+  displayName: PostgreSQL Max Connections
+  description: PostgreSQL maximum number of database connections allowed.
+  value: '1000'
+- name: POSTGRESQL_SHARED_BUFFERS
+  displayName: PostgreSQL Shared Buffer Amount
+  description: Amount of memory dedicated for PostgreSQL shared memory buffers.
+  value: 1GB
+- name: ANSIBLE_SERVICE_NAME
+  displayName: Ansible Service Name
+  description: The name of the OpenShift Service exposed for the Ansible container.
+  value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+  displayName: Ansible admin User password
+  required: true
+  description: The password for the Ansible container admin user
+  from: "[a-zA-Z0-9]{32}"
+  generate: expression
+- name: ANSIBLE_SECRET_KEY
+  displayName: Ansible Secret Key
+  required: true
+  description: Encryption key for the Ansible container
+  from: "[a-f0-9]{32}"
+  generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+  displayName: RabbitMQ Username
+  required: true
+  description: Username for the Ansible RabbitMQ Server
+  value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+  displayName: RabbitMQ Server Password
+  required: true
+  description: Password for the Ansible RabbitMQ Server
+  from: "[a-zA-Z0-9]{32}"
+  generate: expression
+- name: APPLICATION_CPU_REQ
+  displayName: Application Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+  value: 1000m
+- name: POSTGRESQL_CPU_REQ
+  displayName: PostgreSQL Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores).
+  value: 500m
+- name: MEMCACHED_CPU_REQ
+  displayName: Memcached Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+  value: 200m
+- name: ANSIBLE_CPU_REQ
+  displayName: Ansible Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+  value: 1000m
+- name: APPLICATION_MEM_REQ
+  displayName: Application Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Application container will need.
+  value: 6144Mi
+- name: POSTGRESQL_MEM_REQ
+  displayName: PostgreSQL Min RAM Requested
+  required: true
+  description: Minimum amount of memory the PostgreSQL container will need.
+  value: 4Gi
+- name: MEMCACHED_MEM_REQ
+  displayName: Memcached Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Memcached container will need.
+  value: 64Mi
+- name: ANSIBLE_MEM_REQ
+  displayName: Ansible Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Ansible container will need.
+  value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+  displayName: Application Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Application container can consume.
+  value: 16384Mi
+- name: POSTGRESQL_MEM_LIMIT
+  displayName: PostgreSQL Max RAM Limit
+  required: true
+  description: Maximum amount of memory the PostgreSQL container can consume.
+  value: 8Gi
+- name: MEMCACHED_MEM_LIMIT
+  displayName: Memcached Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Memcached container can consume.
+  value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+  displayName: Ansible Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Ansible container can consume.
+  value: 8096Mi
+- name: POSTGRESQL_IMG_NAME
+  displayName: PostgreSQL Image Name
+  description: This is the PostgreSQL image name requested to deploy.
+  value: docker.io/manageiq/postgresql
+- name: POSTGRESQL_IMG_TAG
+  displayName: PostgreSQL Image Tag
+  description: This is the PostgreSQL image tag/version requested to deploy.
+  value: latest
+- name: MEMCACHED_IMG_NAME
+  displayName: Memcached Image Name
+  description: This is the Memcached image name requested to deploy.
+  value: docker.io/manageiq/memcached
+- name: MEMCACHED_IMG_TAG
+  displayName: Memcached Image Tag
+  description: This is the Memcached image tag/version requested to deploy.
+  value: latest
+- name: APPLICATION_IMG_NAME
+  displayName: Application Image Name
+  description: This is the Application image name requested to deploy.
+  value: docker.io/manageiq/manageiq-pods
+- name: FRONTEND_APPLICATION_IMG_TAG
+  displayName: Front end Application Image Tag
+  description: This is the ManageIQ Frontend Application image tag/version requested to deploy.
+  value: frontend-latest
+- name: BACKEND_APPLICATION_IMG_TAG
+  displayName: Back end Application Image Tag
+  description: This is the ManageIQ Backend Application image tag/version requested to deploy.
+  value: backend-latest
+- name: ANSIBLE_IMG_NAME
+  displayName: Ansible Image Name
+  description: This is the Ansible image name requested to deploy.
+  value: docker.io/manageiq/embedded-ansible
+- name: ANSIBLE_IMG_TAG
+  displayName: Ansible Image Tag
+  description: This is the Ansible image tag/version requested to deploy.
+  value: latest
+- name: APPLICATION_DOMAIN
+  displayName: Application Hostname
+  description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+  value: ''
+- name: APPLICATION_REPLICA_COUNT
+  displayName: Application Replica Count
+  description: This is the number of Application replicas requested to deploy.
+  value: '1'
+- name: APPLICATION_INIT_DELAY
+  displayName: Application Init Delay
+  required: true
+  description: Delay in seconds before we attempt to initialize the application.
+  value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+  displayName: Application Volume Capacity
+  required: true
+  description: Volume space available for application data.
+  value: 5Gi
+- name: DATABASE_VOLUME_CAPACITY
+  displayName: Database Volume Capacity
+  required: true
+  description: Volume space available for database.
+  value: 15Gi
+- name: HTTPD_SERVICE_NAME
+  required: true
+  displayName: Apache httpd Service Name
+  description: The name of the OpenShift Service exposed for the httpd container.
+  value: httpd
+- name: HTTPD_IMG_NAME
+  displayName: Apache httpd Image Name
+  description: This is the httpd image name requested to deploy.
+  value: docker.io/manageiq/httpd
+- name: HTTPD_IMG_TAG
+  displayName: Apache httpd Image Tag
+  description: This is the httpd image tag/version requested to deploy.
+  value: latest
+- name: HTTPD_CONFIG_DIR
+  displayName: Apache Configuration Directory
+  description: Directory used to store the Apache configuration files.
+  value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+  displayName: External Authentication Configuration Directory
+  description: Directory used to store the external authentication configuration files.
+  value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+  displayName: Apache httpd Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+  value: 500m
+- name: HTTPD_MEM_REQ
+  displayName: Apache httpd Min RAM Requested
+  required: true
+  description: Minimum amount of memory the httpd container will need.
+  value: 512Mi
+- name: HTTPD_MEM_LIMIT
+  displayName: Apache httpd Max RAM Limit
+  required: true
+  description: Maximum amount of memory the httpd container can consume.
+  value: 8192Mi

roles/openshift_cfme/handlers/main.yml

@@ -1,37 +0,0 @@
----
-######################################################################
-# NOTE: These are duplicated from roles/openshift_master/handlers/main.yml
-#
-# TODO: Use the consolidated 'openshift_handlers' role once it's ready
-# See: https://github.com/openshift/openshift-ansible/pull/4041#discussion_r118770782
-######################################################################
-
-- name: restart master api
-  systemd: name={{ openshift.common.service_type }}-master-api state=restarted
-  when: (not (master_api_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native'
-  notify: Verify API Server
-
-- name: restart master controllers
-  systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted
-  when: (not (master_controllers_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native'
-
-- name: Verify API Server
-  # Using curl here since the uri module requires python-httplib2 and
-  # wait_for port doesn't provide health information.
-  command: >
-    curl --silent --tlsv1.2
-    {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
-    --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
-    {% else %}
-    --cacert {{ openshift.common.config_base }}/master/ca.crt
-    {% endif %}
-    {{ openshift.master.api_url }}/healthz/ready
-  args:
-    # Disables the following warning:
-    # Consider using get_url or uri module rather than running curl
-    warn: no
-  register: api_available_output
-  until: api_available_output.stdout == 'ok'
-  retries: 120
-  delay: 1
-  changed_when: false

roles/openshift_cfme/meta/main.yml

@@ -16,4 +16,3 @@ galaxy_info:
 dependencies:
 - role: lib_openshift
 - role: lib_utils
-- role: openshift_master_facts

roles/openshift_cfme/tasks/accounts.yml

@@ -0,0 +1,28 @@
+---
+# This role task file is responsible for user/system account creation,
+# and ensuring correct access is provided as required.
+- name: Ensure the CFME system accounts exist
+  oc_serviceaccount:
+    namespace: "{{ openshift_cfme_project }}"
+    state: present
+    name: "{{ openshift_cfme_flavor_short }}{{ item.name }}"
+  with_items:
+    - "{{ __openshift_system_account_sccs }}"
+
+- name: Ensure the CFME system accounts have all the required SCCs
+  oc_adm_policy_user:
+    namespace: "{{ openshift_cfme_project }}"
+    user: "system:serviceaccount:{{ openshift_cfme_project }}:{{ openshift_cfme_flavor_short }}{{ item.name }}"
+    resource_kind: scc
+    resource_name: "{{ item.resource_name }}"
+  with_items:
+    - "{{ __openshift_system_account_sccs }}"
+
+- name: Ensure the CFME system accounts have the required roles
+  oc_adm_policy_user:
+    namespace: "{{ openshift_cfme_project }}"
+    user: "system:serviceaccount:{{ openshift_cfme_project }}:{{ openshift_cfme_flavor_short }}{{ item.name }}"
+    resource_kind: role
+    resource_name: "{{ item.resource_name }}"
+  with_items:
+    - "{{ __openshift_cfme_system_account_roles }}"

roles/openshift_cfme/tasks/create_pvs.yml

@@ -1,36 +0,0 @@
----
-# Check for existance and then conditionally:
-# - evaluate templates
-# - PVs
-#
-# These tasks idempotently create required CFME PV objects. Do not
-# call this file directly. This file is intended to be ran as an
-# include that has a 'with_items' attached to it. Hence the use below
-# of variables like "{{ item.pv_label }}"
-
-- name: "Check if the {{ item.pv_label }} template has been created already"
-  oc_obj:
-    namespace: "{{ openshift_cfme_project }}"
-    state: list
-    kind: pv
-    name: "{{ item.pv_name }}"
-  register: miq_pv_check
-
-# Skip all of this if the PV already exists
-- block:
-    - name: "Ensure the {{ item.pv_label }} template is evaluated"
-      template:
-        src: "{{ item.pv_template }}.j2"
-        dest: "{{ template_dir }}/{{ item.pv_template }}"
-
-    - name: "Ensure {{ item.pv_label }} is created"
-      oc_obj:
-        namespace: "{{ openshift_cfme_project }}"
-        kind: pv
-        name: "{{ item.pv_name }}"
-        state: present
-        delete_after: True
-        files:
-          - "{{ template_dir }}/{{ item.pv_template }}"
-  when:
-    - not miq_pv_check.results.results.0

roles/openshift_cfme/tasks/main.yml

@@ -1,117 +1,79 @@
 ---
-######################################################################
+######################################################################)
 # Users, projects, and privileges
 
-- name: Ensure the CFME user exists
-  oc_user:
-    state: present
-    username: "{{ openshift_cfme_user }}"
+- name: Run pre-install CFME validation checks
+  include: validate.yml
 
-- name: Ensure the CFME namespace exists with CFME user as admin
+- name: "Ensure the CFME '{{ openshift_cfme_project }}' namespace exists"
   oc_project:
     state: present
     name: "{{ openshift_cfme_project }}"
     display_name: "{{ openshift_cfme_project_description }}"
-    admin: "{{ openshift_cfme_user }}"
-
-- name: Ensure the CFME namespace service account is privileged
-  oc_adm_policy_user:
-    namespace: "{{ openshift_cfme_project }}"
-    user: "{{ openshift_cfme_service_account }}"
-    resource_kind: scc
-    resource_name: privileged
-    state: present
-
-######################################################################
-# NFS
-# In the case that we are not running on a cloud provider, volumes must be statically provisioned
 
-- include: nfs.yml
-  when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'))
+- name: Create and Authorize CFME Accounts
+  include: accounts.yml
 
 ######################################################################
-# CFME App Template
-#
-# Note, this is different from the create_pvs.yml tasks in that the
-# application template does not require any jinja2 evaluation.
-#
-# TODO: Handle the case where the server template is updated in
-# openshift-ansible and the change needs to be landed on the managed
-# cluster.
-
-- name: Check if the CFME Server template has been created already
-  oc_obj:
-    namespace: "{{ openshift_cfme_project }}"
-    state: list
-    kind: template
-    name: manageiq
-  register: miq_server_check
+# STORAGE - Initialize basic storage class
+#---------------------------------------------------------------------
+# * nfs - set up NFS shares on the first master for a proof of concept
+- name: Create required NFS exports for CFME app storage
+  include: storage/nfs.yml
+  when: openshift_cfme_storage_class == 'nfs'
+
+#---------------------------------------------------------------------
+# * external - NFS again, but pointing to a pre-configured NFS server
+- name: Note Storage Type -  External NFS
+  debug:
+    msg: "Setting up external NFS storage, openshift_cfme_storage_class is {{ openshift_cfme_storage_class }}"
+  when: openshift_cfme_storage_class == 'nfs_external'
 
-- name: Copy over CFME Server template
-  copy:
-    src: miq-template.yaml
-    dest: "{{ template_dir }}/miq-template.yaml"
+#---------------------------------------------------------------------
+# * cloudprovider - use an existing cloudprovider based storage
+- name: Note Storage Type - Cloud Provider
+  debug:
+    msg: Validating cloud provider storage type, openshift_cfme_storage_class is 'cloudprovider'
+  when: openshift_cfme_storage_class == 'cloudprovider'
 
-- name: Ensure the server template was read from disk
+#---------------------------------------------------------------------
+# * preconfigured - don't do anything, assume it's all there ready to go
+- name: Note Storage Type - Preconfigured
   debug:
-    var=r_openshift_cfme_miq_template_content
+    msg: Skipping storage configuration, openshift_cfme_storage_class is 'preconfigured'
+  when: openshift_cfme_storage_class == 'preconfigured'
 
-- name: Ensure CFME Server Template exists
-  oc_obj:
-    namespace: "{{ openshift_cfme_project }}"
-    kind: template
-    name: "manageiq"
-    state: present
-    content: "{{ r_openshift_cfme_miq_template_content }}"
+######################################################################
+# APPLICATION TEMPLATE
+- name: Install the CFME app and PV templates
+  include: template.yml
 
 ######################################################################
-# Let's do this
+# APP & DB Storage
 
-- name: Ensure the CFME Server is created
-  oc_process:
-    namespace: "{{ openshift_cfme_project }}"
-    template_name: manageiq
-    create: True
-    params:
-      APPLICATION_IMG_NAME: "{{ openshift_cfme_application_img_name }}"
-      POSTGRESQL_IMG_NAME: "{{ openshift_cfme_postgresql_img_name }}"
-      MEMCACHED_IMG_NAME: "{{ openshift_cfme_memcached_img_name }}"
-      APPLICATION_IMG_TAG: "{{ openshift_cfme_application_img_tag }}"
-      POSTGRESQL_IMG_TAG: "{{ openshift_cfme_postgresql_img_tag }}"
-      MEMCACHED_IMG_TAG: "{{ openshift_cfme_memcached_img_tag }}"
-  register: cfme_new_app_process
-  run_once: True
+# For local/external NFS backed installations
+- name: "Create the required App and DB PVs using {{ openshift_cfme_storage_class }}"
+  include: storage/create_nfs_pvs.yml
   when:
-    # User said to install CFME in their inventory
-    - openshift_cfme_install_app | bool
-    # # The server app doesn't exist already
-    # - not miq_server_check.results.results.0
-
-- debug:
-    var: cfme_new_app_process
+    - openshift_cfme_storage_class in ['nfs', 'nfs_external']
 
 ######################################################################
-# Various cleanup steps
-
-# TODO: Not sure what to do about this right now. Might be able to
-# just delete it?  This currently warns about "Unable to find
-# '<TEMP_DIR>' in expected paths."
-- name: Ensure the temporary PV/App templates are erased
-  file:
-    path: "{{ item }}"
-    state: absent
-  with_fileglob:
-    - "{{ template_dir }}/*.yaml"
-
-- name: Ensure the temporary PV/app template directory is erased
-  file:
-    path: "{{ template_dir }}"
-    state: absent
+# CREATE APP
+- name: Note the correct ext-db template name
+  set_fact:
+    openshift_cfme_template_name: "{{ openshift_cfme_flavor }}-ext-db"
+  when:
+    - openshift_cfme_app_template in ['miq-template-ext-db', 'cfme-template-ext-db']
 
-######################################################################
+- name: Note the correct podified db template name
+  set_fact:
+    openshift_cfme_template_name: "{{ openshift_cfme_flavor }}"
+  when:
+    - openshift_cfme_app_template in ['miq-template', 'cfme-template']
 
-- name: Status update
-  debug:
-    msg: >
-      CFME has been deployed. Note that there will be a delay before
-      it is fully initialized.
+- name: Ensure the CFME App is created
+  oc_process:
+    namespace: "{{ openshift_cfme_project }}"
+    template_name: "{{ openshift_cfme_template_name }}"
+    create: True
+    params: "{{ openshift_cfme_template_parameters }}"

roles/openshift_cfme/tasks/nfs.yml

@@ -1,51 +0,0 @@
----
-# Tasks to statically provision NFS volumes
-# Include if not using dynamic volume provisioning
-
-- name: Set openshift_cfme_nfs_server fact
-  when: openshift_cfme_nfs_server is not defined
-  set_fact:
-    # Hostname/IP of the NFS server. Currently defaults to first master
-    openshift_cfme_nfs_server: "{{ oo_nfs_to_config.0 }}"
-
-- name: Ensure the /exports/ directory exists
-  file:
-    path: /exports/
-    state: directory
-    mode: 0755
-    owner: root
-    group: root
-
-- name: Ensure the miq-pv0X export directories exist
-  file:
-    path: "/exports/{{ item }}"
-    state: directory
-    mode: 0775
-    owner: root
-    group: root
-  with_items: "{{ openshift_cfme_pv_exports }}"
-
-- name: Ensure the NFS exports for CFME PVs exist
-  copy:
-    src: openshift_cfme.exports
-    dest: /etc/exports.d/openshift_cfme.exports
-  register: nfs_exports_updated
-
-- name: Ensure the NFS export table is refreshed if exports were added
-  command: exportfs -ar
-  when:
-    - nfs_exports_updated.changed
-
-
-######################################################################
-# Create the required CFME PVs. Check out these online docs if you
-# need a refresher on includes looping with items:
-# * http://docs.ansible.com/ansible/playbooks_loops.html#loops-and-includes-in-2-0
-# * http://stackoverflow.com/a/35128533
-#
-# TODO: Handle the case where a PV template is updated in
-# openshift-ansible and the change needs to be landed on the managed
-# cluster.
-
-- include: create_pvs.yml
-  with_items: "{{ openshift_cfme_pv_data }}"

roles/openshift_cfme/tasks/storage/create_nfs_pvs.yml

@@ -0,0 +1,69 @@
+---
+# Create the required PVs for the App and the DB
+- name: Note the App PV Size from Template Parameters
+  set_fact:
+    openshift_cfme_app_pv_size: "{{ openshift_cfme_template_parameters.APPLICATION_VOLUME_CAPACITY }}"
+  when:
+    - openshift_cfme_template_parameters.APPLICATION_VOLUME_CAPACITY is defined
+
+- name: Note the App PV Size from defaults
+  set_fact:
+    openshift_cfme_app_pv_size: "{{ __openshift_cfme_app_pv_size }}"
+  when:
+    - openshift_cfme_template_parameters.APPLICATION_VOLUME_CAPACITY is not defined
+
+- when: openshift_cfme_app_template in ['miq-template', 'cfme-template']
+  block:
+    - name: Note the DB PV Size from Template Parameters
+      set_fact:
+        openshift_cfme_db_pv_size: "{{ openshift_cfme_template_parameters.DATABASE_VOLUME_CAPACITY }}"
+      when:
+        - openshift_cfme_template_parameters.DATABASE_VOLUME_CAPACITY is defined
+
+    - name: Note the DB PV Size from defaults
+      set_fact:
+        openshift_cfme_db_pv_size: "{{ __openshift_cfme_db_pv_size }}"
+      when:
+        - openshift_cfme_template_parameters.DATABASE_VOLUME_CAPACITY is not defined
+
+- name: Check if the CFME App PV has been created
+  oc_obj:
+    namespace: "{{ openshift_cfme_project }}"
+    state: list
+    kind: pv
+    name: "{{ openshift_cfme_flavor_short }}-app"
+  register: miq_app_pv_check
+
+- name: Check if the CFME DB PV has been created
+  oc_obj:
+    namespace: "{{ openshift_cfme_project }}"
+    state: list
+    kind: pv
+    name: "{{ openshift_cfme_flavor_short }}-db"
+  register: miq_db_pv_check
+  when:
+    - openshift_cfme_app_template in ['miq-template', 'cfme-template']
+
+- name: Ensure the CFME App PV is created
+  oc_process:
+    namespace: "{{ openshift_cfme_project }}"
+    template_name: "{{ openshift_cfme_flavor }}-app-pv"
+    create: True
+    params:
+      PV_SIZE: "{{ openshift_cfme_app_pv_size }}"
+      BASE_PATH: "{{ openshift_cfme_storage_nfs_base_dir }}"
+      NFS_HOST: "{{ openshift_cfme_nfs_server }}"
+  when: miq_app_pv_check.results.results == [{}]
+
+- name: Ensure the CFME DB PV is created
+  oc_process:
+    namespace: "{{ openshift_cfme_project }}"
+    template_name: "{{ openshift_cfme_flavor }}-db-pv"
+    create: True
+    params:
+      PV_SIZE: "{{ openshift_cfme_db_pv_size }}"
+      BASE_PATH: "{{ openshift_cfme_storage_nfs_base_dir }}"
+      NFS_HOST: "{{ openshift_cfme_nfs_server }}"
+  when:
+    - openshift_cfme_app_template in ['miq-template', 'cfme-template']
+    - miq_db_pv_check.results.results == [{}]

roles/openshift_cfme/tasks/storage/nfs.yml

@@ -0,0 +1,67 @@
+---
+# Tasks to statically provision NFS volumes
+# Include if not using dynamic volume provisioning
+
+- name: Ensure we save the local NFS server if one is provided
+  set_fact:
+    openshift_cfme_nfs_server: "{{ openshift_cfme_storage_nfs_local_hostname }}"
+  when:
+    - openshift_cfme_storage_nfs_local_hostname is defined
+    - openshift_cfme_storage_nfs_local_hostname != False
+    - openshift_cfme_storage_class == "nfs"
+
+- name: Ensure we save the local NFS server
+  set_fact:
+    openshift_cfme_nfs_server: "{{ groups['oo_nfs_to_config'].0 }}"
+  when:
+    - openshift_cfme_nfs_server is not defined
+    - openshift_cfme_storage_class == "nfs"
+
+- name: Ensure we save the external NFS server
+  set_fact:
+    openshift_cfme_nfs_server: "{{ openshift_cfme_storage_nfs_external_hostname }}"
+  when:
+    - openshift_cfme_storage_class == "nfs_external"
+
+- name: Failed NFS server detection
+  assert:
+    that:
+      - openshift_cfme_nfs_server is defined
+    msg: |
+      "Unable to detect an NFS server. The 'nfs_external'
+      openshift_cfme_storage_class option requires that you set
+      openshift_cfme_storage_nfs_external_hostname. NFS hosts detected
+      for local nfs services: {{ groups['oo_nfs_to_config'] | join(', ') }}"
+
+- name: Setting up NFS storage
+  block:
+    - name: Include the NFS Setup role tasks
+      include_role:
+        role: openshift_nfs
+        tasks_from: setup
+      vars:
+        l_nfs_base_dir: "{{ openshift_cfme_storage_nfs_base_dir }}"
+
+    - name: Create the App export
+      include_role:
+        role: openshift_nfs
+        tasks_from: create_export
+      vars:
+        l_nfs_base_dir: "{{ openshift_cfme_storage_nfs_base_dir }}"
+        l_nfs_export_config: "{{ openshift_cfme_flavor_short }}"
+        l_nfs_export_name: "{{ openshift_cfme_flavor_short }}-app"
+        l_nfs_options: "*(rw,no_root_squash,no_wdelay)"
+
+    - name: Create the DB export
+      include_role:
+        role: openshift_nfs
+        tasks_from: create_export
+      vars:
+        l_nfs_base_dir: "{{ openshift_cfme_storage_nfs_base_dir }}"
+        l_nfs_export_config: "{{ openshift_cfme_flavor_short }}"
+        l_nfs_export_name: "{{ openshift_cfme_flavor_short }}-db"
+        l_nfs_options: "*(rw,no_root_squash,no_wdelay)"
+      when:
+        - openshift_cfme_app_template in ['miq-template', 'cfme-template']
+
+  delegate_to: "{{ openshift_cfme_nfs_server }}"

roles/openshift_cfme/tasks/storage/storage.yml

@@ -0,0 +1,3 @@
+---
+- include: nfs.yml
+  when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'))

roles/openshift_cfme/tasks/template.yml

@@ -0,0 +1,128 @@
+---
+# Tasks for ensuring the correct CFME templates are landed on the remote system
+
+######################################################################
+# CFME App Template
+#
+# Note, this is different from the create_nfs_pvs.yml tasks in that
+# the application template does not require any jinja2 evaluation.
+#
+# TODO: Handle the case where the server or PV templates are updated
+# in openshift-ansible and the change needs to be landed on the
+# managed cluster.
+
+######################################################################
+# STANDARD PODIFIED DATABASE TEMPLATE
+- when: openshift_cfme_app_template in ['miq-template', 'cfme-template']
+  block:
+  - name: Check if the CFME Server template has been created already
+    oc_obj:
+      namespace: "{{ openshift_cfme_project }}"
+      state: list
+      kind: template
+      name: "{{ openshift_cfme_flavor }}"
+    register: miq_server_check
+
+  - when: miq_server_check.results.results == [{}]
+    block:
+    - name: Copy over CFME Server template
+      copy:
+        src: "templates/{{ openshift_cfme_flavor }}/{{ openshift_cfme_flavor_short }}-template.yaml"
+        dest: "{{ template_dir }}/"
+
+    - name: Ensure CFME Server Template is created
+      oc_obj:
+        namespace: "{{ openshift_cfme_project }}"
+        name: "{{ openshift_cfme_flavor }}"
+        state: present
+        kind: template
+        files:
+        - "{{ template_dir }}/{{ openshift_cfme_flavor_short }}-template.yaml"
+
+######################################################################
+# EXTERNAL DATABASE TEMPLATE
+- when: openshift_cfme_app_template in ['miq-template-ext-db', 'cfme-template']
+  block:
+  - name: Check if the CFME Ext-DB Server template has been created already
+    oc_obj:
+      namespace: "{{ openshift_cfme_project }}"
+      state: list
+      kind: template
+      name: "{{ openshift_cfme_flavor }}-ext-db"
+    register: miq_ext_db_server_check
+
+  - when: miq_ext_db_server_check.results.results == [{}]
+    block:
+    - name: Copy over CFME Ext-DB Server template
+      copy:
+        src: "templates/{{ openshift_cfme_flavor }}/{{openshift_cfme_flavor_short}}-template-ext-db.yaml"
+        dest: "{{ template_dir }}/"
+
+    - name: Ensure CFME Ext-DB Server Template is created
+      oc_obj:
+        namespace: "{{ openshift_cfme_project }}"
+        name: "{{ openshift_cfme_flavor }}-ext-db"
+        state: present
+        kind: template
+        files:
+        - "{{ template_dir }}/{{ openshift_cfme_flavor_short }}-template-ext-db.yaml"
+
+# End app template creation.
+######################################################################
+
+######################################################################
+# Begin conditional PV template creations
+
+# Required for the application server
+- name: Check if the CFME App PV template has been created already
+  oc_obj:
+    namespace: "{{ openshift_cfme_project }}"
+    state: list
+    kind: template
+    name: "{{ openshift_cfme_flavor }}-app-pv"
+  register: miq_app_pv_check
+
+- when: miq_app_pv_check.results.results == [{}]
+  block:
+  - name: Copy over CFME App PV template
+    copy:
+      src: "templates/{{ openshift_cfme_flavor }}/{{ openshift_cfme_flavor_short }}-pv-server-example.yaml"
+      dest: "{{ template_dir }}/"
+
+  - name: Ensure CFME App PV Template is created
+    oc_obj:
+      namespace: "{{ openshift_cfme_project }}"
+      name: "{{ openshift_cfme_flavor }}-app-pv"
+      state: present
+      kind: template
+      files:
+      - "{{ template_dir }}/{{ openshift_cfme_flavor_short }}-pv-server-example.yaml"
+
+#---------------------------------------------------------------------
+
+# Required for database if the installation is fully podified
+- when: openshift_cfme_app_template in ['miq-template', 'cfme-template']
+  block:
+  - name: Check if the CFME DB PV template has been created already
+    oc_obj:
+      namespace: "{{ openshift_cfme_project }}"
+      state: list
+      kind: template
+      name: "{{ openshift_cfme_flavor }}-db-pv"
+    register: miq_db_pv_check
+
+  - when: miq_db_pv_check.results.results == [{}]
+    block:
+    - name: Copy over CFME DB PV template
+      copy:
+        src: "templates/{{ openshift_cfme_flavor }}/{{ openshift_cfme_flavor_short }}-pv-db-example.yaml"
+        dest: "{{ template_dir }}/"
+
+    - name: Ensure CFME DB PV Template is created
+      oc_obj:
+        namespace: "{{ openshift_cfme_project }}"
+        name: "{{ openshift_cfme_flavor }}-db-pv"
+        state: present
+        kind: template
+        files:
+        - "{{ template_dir }}/{{ openshift_cfme_flavor_short }}-pv-db-example.yaml"

roles/openshift_cfme/tasks/tune_masters.yml

@@ -1,12 +0,0 @@
----
-- name: Ensure bulk image import limit is tuned
-  yedit:
-    src: /etc/origin/master/master-config.yaml
-    key: 'imagePolicyConfig.maxImagesBulkImportedPerRepository'
-    value: "{{ openshift_cfme_maxImagesBulkImportedPerRepository | int() }}"
-    state: present
-    backup: True
-  notify:
-    - restart master
-
-- meta: flush_handlers

roles/openshift_cfme/tasks/uninstall.yml

@@ -1,46 +1,23 @@
 ---
-- include_role:
-    name: lib_openshift
+- name: Start removing all the objects
+  command: "oc delete -n {{ openshift_cfme_project }} {{ item }} --all"
+  with_items:
+    - rc
+    - dc
+    - po
+    - svc
+    - pv
+    - pvc
+    - statefulsets
+    - routes
 
-- name: Uninstall CFME - ManageIQ
-  debug:
-    msg: Uninstalling Cloudforms Management Engine - ManageIQ
+- name: Remove the project
+  command: "oc delete -n {{ openshift_cfme_project }} project {{ openshift_cfme_project }}"
 
-- name: Ensure the CFME project is removed
-  oc_project:
-    state: absent
-    name: "{{ openshift_cfme_project }}"
-
-- name: Ensure the CFME template is removed
-  oc_obj:
-    namespace: "{{ openshift_cfme_project }}"
-    state: absent
-    kind: template
-    name: manageiq
-
-- name: Ensure the CFME PVs are removed
-  oc_obj:
-    state: absent
-    all_namespaces: True
-    kind: pv
-    name: "{{ item }}"
-  with_items: "{{ openshift_cfme_pv_exports }}"
-  when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'))
-
-- name: Ensure the CFME user is removed
-  oc_user:
-    state: absent
-    username: "{{ openshift_cfme_user }}"
-
-- name: Ensure the CFME NFS Exports are removed
-  file:
-    path: /etc/exports.d/openshift_cfme.exports
-    state: absent
-  register: nfs_exports_removed
-  when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'))
-
-- name: Ensure the NFS export table is refreshed if exports were removed
-  command: exportfs -ar
-  when:
-    - nfs_exports_removed.changed
-    - not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'))
+- name: Verify project has been destroyed
+  command: "oc get project {{ openshift_cfme_project }}"
+  ignore_errors: True
+  register: project_terminated
+  until: project_terminated.stderr.find("NotFound") != -1
+  delay: 5
+  retries: 30

roles/openshift_cfme/tasks/validate.yml

@@ -0,0 +1,90 @@
+---
+# Validate configuration parameters passed to the openshift_cfme role
+
+######################################################################
+# CORE PARAMETERS
+- name: Ensure openshift_cfme_app_template is valid
+  assert:
+    that:
+      - openshift_cfme_app_template in __openshift_cfme_app_templates
+
+    msg: |
+      "openshift_cfme_app_template must be one of {{
+      __openshift_cfme_app_templates | join(', ') }}"
+
+- name: Ensure openshift_cfme_storage_class is a valid type
+  assert:
+    that:
+      - openshift_cfme_storage_class in __openshift_cfme_storage_classes
+    msg: |
+      "openshift_cfme_storage_class must be one of {{
+      __openshift_cfme_storage_classes | join(', ') }}"
+
+######################################################################
+# STORAGE PARAMS - NFS
+- name: Ensure external NFS storage has a valid NFS server hostname defined
+  assert:
+    that:
+      - openshift_cfme_storage_nfs_external_hostname | default(False)
+    msg: |
+      The selected storage class 'nfs_external' requires a valid
+      hostname for the openshift_cfme_storage_nfs_hostname parameter
+  when:
+    - openshift_cfme_storage_class == 'nfs_external'
+
+- name: Ensure local NFS storage has a valid NFS server to use
+  fail:
+    msg: |
+      No NFS hosts detected or defined but storage class is set to
+      'nfs'. Add hosts to your [nfs] group or define one manually with
+      the 'openshift_cfme_storage_nfs_local_hostname' parameter
+  when:
+    - openshift_cfme_storage_class == 'nfs'
+    # You haven't created any NFS groups
+    - (groups.nfs is defined and groups.nfs | length == 0) or (groups.nfs is not defined)
+    # You did not manually specify a host to use
+    - (openshift_cfme_storage_nfs_local_hostname is not defined) or (openshift_cfme_storage_nfs_local_hostname == false)
+
+######################################################################
+# STORAGE PARAMS  -CLOUD PROVIDER
+- name: Validate Cloud Provider storage class
+  assert:
+    that:
+      - openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'
+    msg: |
+      openshift_cfme_storage_class is 'cloudprovider' but you have an
+      invalid kind defined, '{{ openshift_cloudprovider_kind }}'. See
+      'openshift_cloudprovider_kind' in the example inventories for
+      the required parameters for your selected cloud
+      provider. Working providers: 'aws' and 'gce'.
+  when:
+    - openshift_cfme_storage_class == 'cloudprovider'
+    - openshift_cloudprovider_kind is defined
+
+- name: Validate 'cloudprovider' Storage Class has required parameters defined
+  assert:
+    that:
+      - openshift_cloudprovider_kind is defined
+    msg: |
+      openshift_cfme_storage_class is 'cloudprovider' but you do not
+      have 'openshift_cloudprovider_kind' defined, this is
+      required. Search the example inventories for
+      'openshift_cloudprovider_kind'. The required parameters for your
+      selected cloud provider must be defined in your inventory as
+      well. Working providers: 'aws' and 'gce'.
+  when:
+    - openshift_cfme_storage_class == 'cloudprovider'
+
+######################################################################
+# DATABASE CONNECTION VALIDATION
+- name: Validate all required database parameters were provided for ext-db template
+  assert:
+    that:
+      - item in openshift_cfme_template_parameters
+    msg: |
+      "You are using external database services but a required
+      database parameter {{ item }} was not found in
+      'openshift_cfme_template_parameters'"
+  with_items: "{{ __openshift_cfme_required_db_conn_params }}"
+  when:
+    - openshift_cfme_app_template in ['miq-template-ext-db', 'cfme-template-ext-db']

roles/openshift_cfme/templates/miq-pv-db.yaml.j2

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: miq-pv01
-spec:
-  capacity:
-    storage: 15Gi
-  accessModes:
-    - ReadWriteOnce
-  nfs: 
-    path: {{ openshift_cfme_nfs_directory }}/miq-pv01
-    server: {{ openshift_cfme_nfs_server }}
-  persistentVolumeReclaimPolicy: Retain

roles/openshift_cfme/templates/miq-pv-region.yaml.j2

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: miq-pv02
-spec:
-  capacity:
-    storage: 5Gi
-  accessModes:
-    - ReadWriteOnce
-  nfs: 
-    path: {{ openshift_cfme_nfs_directory }}/miq-pv02
-    server: {{ openshift_cfme_nfs_server }}
-  persistentVolumeReclaimPolicy: Retain

roles/openshift_cfme/templates/miq-pv-server.yaml.j2

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: miq-pv03
-spec:
-  capacity:
-    storage: 5Gi
-  accessModes:
-    - ReadWriteOnce
-  nfs: 
-    path: {{ openshift_cfme_nfs_directory }}/miq-pv03
-    server: {{ openshift_cfme_nfs_server }}
-  persistentVolumeReclaimPolicy: Retain

roles/openshift_cfme/templates/openshift_cfme-miq-template-ext-db.exports.j2

@@ -0,0 +1 @@
+{{ openshift_cfme_storage_nfs_base_dir }}/{{ openshift_cfme_flavor_short }}-app *(rw,no_root_squash,no_wdelay)

roles/openshift_cfme/templates/openshift_cfme-miq-template.exports.j2

@@ -0,0 +1,2 @@
+{{ openshift_cfme_storage_nfs_base_dir }}/{{ openshift_cfme_flavor_short }}-app *(rw,no_root_squash,no_wdelay)
+{{ openshift_cfme_storage_nfs_base_dir }}/{{ openshift_cfme_flavor_short }}-db *(rw,no_root_squash,no_wdelay)

roles/openshift_cfme/vars/main.yml

@@ -0,0 +1,76 @@
+---
+# Misc enumerated values
+#---------------------------------------------------------------------
+# Allowed choices for the storage class parameter
+__openshift_cfme_storage_classes:
+  - nfs
+  - nfs_external
+  - preconfigured
+  - cloudprovider
+
+#---------------------------------------------------------------------
+# DEFAULT PV SIZES
+# How large to make the MIQ application PV
+__openshift_cfme_app_pv_size: 5Gi
+# How large to make the MIQ PostgreSQL PV
+__openshift_cfme_db_pv_size: 15Gi
+
+# Name of the application templates with object/parameter definitions
+__openshift_cfme_app_templates:
+  - miq-template-ext-db
+  - miq-template
+  - cfme-template-ext-db
+  - cfme-template
+
+# PostgreSQL database connection parameters
+__openshift_cfme_db_parameters:
+  - DATABASE_USER
+  - DATABASE_PASSWORD
+  - DATABASE_IP
+  - DATABASE_PORT
+  - DATABASE_NAME
+
+# # Commented out until we can support both CFME and MIQ
+# # openshift_cfme_flavor: "{{ 'cloudforms' if openshift_deployment_type == 'openshift-enterprise' else 'manageiq' }}"
+#openshift_cfme_flavor: cloudforms
+openshift_cfme_flavor: manageiq
+# TODO: Make this conditional as well based on the prior variable
+# # openshift_cfme_flavor_short: "{{ 'cfme' if openshift_deployment_type == 'openshift-enterprise' else 'miq' }}"
+# openshift_cfme_flavor_short: cfme
+openshift_cfme_flavor_short: miq
+
+######################################################################
+# ACCOUNTING
+######################################################################
+# Service Account SSCs
+__openshift_system_account_sccs:
+  - name: -anyuid
+    resource_name: anyuid
+  - name: -orchestrator
+    resource_name: anyuid
+  - name: -privileged
+    resource_name: privileged
+  - name: -httpd
+    resource_name: anyuid
+
+# Service Account Roles
+__openshift_cfme_system_account_roles:
+  - name: -orchestrator
+    resource_name: view
+  - name: -orchestrator
+    resource_name: edit
+
+######################################################################
+# DEFAULTS
+######################################################################
+# User only has to provide parameters they need to override, we will
+# do a hash update method with the provided user parameters to create
+# the final connection structure.
+#
+# TODO: Update user provided configs with this if they are missing fields
+__openshift_cfme_required_db_conn_params:
+  - DATABASE_USER
+  - DATABASE_PASSWORD
+  - DATABASE_IP
+  - DATABASE_PORT
+  - DATABASE_NAME

roles/openshift_manageiq/tasks/main.yaml

@@ -1,8 +1,4 @@
 ---
-- fail:
-    msg: "The openshift_manageiq role requires OpenShift Enterprise 3.1 or Origin 1.1."
-  when: not openshift.common.version_gte_3_1_or_1_1 | bool
-
 - name: Add Management Infrastructure project
   oc_project:
     name: management-infra
@@ -61,4 +57,3 @@
     resource_kind: "{{ item.resource_kind }}"
     user: "{{ item.user }}"
   with_items: "{{manage_iq_openshift_3_2_tasks}}"
-  when: openshift.common.version_gte_3_2_or_1_2 | bool

roles/openshift_nfs/README.md

@@ -0,0 +1,17 @@
+OpenShift NFS
+=============
+
+Sets up basic NFS services on a cluster host.
+
+See [tasks/create_export.yml](tasks/create_export.yml) for
+instructions on using the export creation tasks file.
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+
+Tim Bielawa (tbielawa@redhat.com)

roles/openshift_nfs/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+r_openshift_nfs_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"
+r_openshift_nfs_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"
+
+r_openshift_nfs_os_firewall_deny: []
+r_openshift_nfs_firewall_allow:
+- service: nfs
+  port: "2049/tcp"

roles/openshift_nfs/meta/main.yml

@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: Tim Bielawa
+  description: OpenShift Basic NFS Configuration
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.2
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+dependencies:
+- role: lib_utils
+- role: lib_os_firewall

roles/openshift_nfs/tasks/create_export.yml

@@ -0,0 +1,34 @@
+---
+# Makes a new NFS export
+#
+# Include signature
+#
+# include_role:
+#   role: openshift_nfs
+#   tasks_from: create_export
+# vars:
+#   l_nfs_base_dir: Base dir to exports
+#   l_nfs_export_config: Name to prefix the .exports file with
+#   l_nfs_export_name: Name of sub-directory of the export
+#   l_nfs_options: Mount Options
+
+- name: Ensure CFME App NFS export directory exists
+  file:
+    path: "{{ l_nfs_base_dir }}/{{ l_nfs_export_name }}"
+    state: directory
+    mode: 0777
+    owner: nfsnobody
+    group: nfsnobody
+
+- name: "Create {{ l_nfs_export_name }} NFS export"
+  lineinfile:
+    path: "/etc/exports.d/{{ l_nfs_export_config }}.exports"
+    create: true
+    state: present
+    line: "{{ l_nfs_base_dir }}/{{ l_nfs_export_name }} {{ l_nfs_options }}"
+  register: created_export
+
+- name: Re-export NFS filesystems
+  command: exportfs -ar
+  when:
+    - created_export | changed

roles/openshift_nfs/tasks/firewall.yml

@@ -0,0 +1,40 @@
+---
+- when: r_openshift_nfs_firewall_enabled | bool and not r_openshift_nfs_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_nfs_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_nfs_os_firewall_deny }}"
+
+- when: r_openshift_nfs_firewall_enabled | bool and r_openshift_nfs_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_nfs_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_nfs_os_firewall_deny }}"

roles/openshift_nfs/tasks/setup.yml

@@ -0,0 +1,29 @@
+---
+- name: setup firewall
+  include: firewall.yml
+  static: yes
+
+- name: Install nfs-utils
+  package: name=nfs-utils state=present
+
+- name: Configure NFS
+  lineinfile:
+    dest: /etc/sysconfig/nfs
+    regexp: '^RPCNFSDARGS=.*$'
+    line: 'RPCNFSDARGS="-N 2 -N 3"'
+  register: nfs_config
+
+- name: Restart nfs-config
+  systemd: name=nfs-config state=restarted
+  when: nfs_config | changed
+
+- name: Ensure exports directory exists
+  file:
+    path: "{{ l_nfs_base_dir }}"
+    state: directory
+
+- name: Enable and start NFS services
+  systemd:
+    name: nfs-server
+    state: started
+    enabled: yes