Import upstream templates. Do the work. Validate parameters.

playbooks/common/openshift-cfme/config.yml

@@ -15,7 +15,7 @@
 #     poll: 0
 
 - name: Setup CFME
-  hosts: m01.example.com
+  hosts: oo_first_master
   pre_tasks:
   - name: Create a temporary place to evaluate the PV templates
     command: mktemp -d /tmp/openshift-ansible-XXXXXXX

roles/openshift_cfme/defaults/main.yml

@@ -2,7 +2,7 @@
 # Namespace for the CFME project
 openshift_cfme_project: openshift-cfme
 # Namespace/project description
-openshift_cfme_project_description: ManageIQ - CloudForms Management Engine 4.6
+openshift_cfme_project_description: CloudForms Management Engine
 
 ######################################################################
 # BASE TEMPLATE AND DATABASE OPTIONS
@@ -17,20 +17,25 @@ openshift_cfme_app_template: miq-template
 
 # If you are using the miq-template-ext-db template then you must add
 # the required database parameters to the
-# openshift_cfme_template_parameters variable. For example:
+# openshift_cfme_template_parameters variable. You only need to
+# provide parameters that differ from the ones in the following
+# example. Any omitted parameter by the user will be default to its
+# default below:
 #
 # openshift_cfme_template_parameters:
-#   DATABASE_USER: root
-#   DATABASE_PASSWORD: @_grrrr8Pa$$.h3r3
-#   DATABASE_IP: 10.1.1.10
+#   DATABASE_USER: 'root'
+#   DATABASE_PASSWORD: ''
+#   DATABASE_IP: ''
 #   DATABASE_PORT: 5432
-#   DATABASE_NAME: vmdb_production
+#   DATABASE_NAME: 'vmdb_production'
+#
+# See also var: __openshift_cfme_default_db_connection_info
 
 ######################################################################
 # STORAGE OPTIONS
 ######################################################################
 # DEFAULT - 'nfs'
-# Allowed options: nfs, external, preconfigured, cloudprovider.
+# Allowed options: nfs, nfs_external, preconfigured, cloudprovider.
 openshift_cfme_storage_class: nfs
 # * nfs - Best used for proof-of-concept installs. Will setup NFS on a
 #   cluster host (defaults to your first master in the inventory file)
@@ -41,8 +46,8 @@ openshift_cfme_storage_class: nfs
 #   available space on an volume/partition if used specifically for
 #   NFS purposes)
 #
-# * external - You are using an external NFS server, such as a netapp
-#   appliance. See the STORAGE - NFS OPTIONS section below for
+# * nfs_external - You are using an external NFS server, such as a
+#   netapp appliance. See the STORAGE - NFS OPTIONS section below for
 #   required information.
 #
 # * preconfigured - This CFME role will do NOTHING to modify storage
@@ -57,67 +62,43 @@ openshift_cfme_storage_class: nfs
 #   Ensure 'openshift_cloudprovider_kind' is defined (aws or gce) and
 #   that the applicable cloudprovider parameters are provided.
 
-######################################################################
+#---------------------------------------------------------------------
 # STORAGE - NFS OPTIONS
-######################################################################
+#---------------------------------------------------------------------
 # [OPTIONAL] - If you are using an EXTERNAL NFS server, such as a
 # netapp appliance, then you must set the hostname here. Leave the
-# value as 'false' if you are not using external NFS
-openshift_cfme_storage_external_nfs_hostname: false
+# value as 'false' if you are not using external NFS.
+openshift_cfme_storage_nfs_external_hostname: false
 # [OPTIONAL] - If you are using external NFS then you must set the base
 # path to the exports location here.
 #
-# Or, change this value if you want to change the default path used
-# for local NFS exports.
-openshift_cfme_storage_external_nfs_base_dir: /exports/
-
-
-######################################################################
-# VARIOUS CONSTANTS - DO NOT OVERRIDE THESE UNDER ANY CIRCUMSTANCES
-######################################################################
-
-######################################################################
-# Misc enumerated values
-# Allowed choices for the storage class parameter
-openshift_cfme_storage_classes:
-  - nfs
-  - external
-  - preconfigured
-  - cloudprovider
-# Name of the application templates with object/parameter definitions
-openshift_cfme_app_templates:
-  - miq-template-ext-db
-  - miq-template
-# PostgreSQL database connection parameters
-openshift_cfme_db_parameters:
-  - DATABASE_USER
-  - DATABASE_PASSWORD
-  - DATABASE_IP
-  - DATABASE_PORT
-  - DATABASE_NAME
-
-
-######################################################################
-# ACCOUNTING
-######################################################################
-# Service Account SSCs
-openshift_system_account_sccs:
-  - name: miq-anyuid
-    resource_name: anyuid
-  - name: miq-orchestrator
-    resource_name: anyuid
-  - name: miq-privileged
-    resource_name: privileged
-  - name: miq-httpd
-    resource_name: miq-httpd
-
-# Service Account Roles
-openshift_cfme_system_account_roles:
-  - name: miq-orchestrator
-    resource_name: view
-  - name: miq-orchestrator
-    resource_name: edit
+# Additionally: EXTERNAL NFS REQUIRES that YOU CREATE the nfs exports
+# that will back the application PV and optionally the database
+# pv. Export path definitions, relative to
+# {{ openshift_cfme_storage_nfs_base_dir }}
+#
+# * REQUIRED[ALWAYS]: /miq-app - MIQ Server PV.
+#
+# * REQUIRED[NFS_EXTERNAL]: /miq-db - Podified DB PB
+#
+# LOCAL NFS NOTE:
+#
+# You may may also change this value if you want to change the default
+# path used for local NFS exports.
+openshift_cfme_storage_nfs_base_dir: /exports
+#
+# LOCAL NFS NOTE:
+#
+# You may override the automatically selected LOCAL NFS server by
+# setting this variable. Useful for testing specific task files.
+openshift_cfme_storage_nfs_local_hostname: false
 
+#---------------------------------------------------------------------
+# DEFAULT PV SIZES
+# How large to make the MIQ application PV
+openshift_cfme_app_pv_size: 5Gi
+# How large to make the MIQ PostgreSQL PV
+openshift_cfme_db_pv_size: 15Gi
 
 ######################################################################
 # SCAFFOLDING - These are parameters we pre-seed that a user may or
@@ -132,29 +113,11 @@ openshift_cfme_system_account_roles:
 # openshift_cfme_template_parameters={'APPLICATION_MEM_REQ': '512Mi'}
 openshift_cfme_template_parameters: {}
 
-# # All the required exports
-# openshift_cfme_pv_exports:
-#   - miq-pv01
-#   - miq-pv02
-#   - miq-pv03
-# # PV template files and their created object names
-# openshift_cfme_pv_data:
-#   - pv_name: miq-pv01
-#     pv_template: miq-pv-db.yaml
-#     pv_label: CFME DB PV
-#   - pv_name: miq-pv02
-#     pv_template: miq-pv-region.yaml
-#     pv_label: CFME Region PV
-#   - pv_name: miq-pv03
-#     pv_template: miq-pv-server.yaml
-#     pv_label: CFME Server PV
-
-# TODO: Refactor '_install_app' variable. This is just for testing but
-# maybe in the future it should control the entire yes/no for CFME.
-#
-# Whether or not the manageiq app should be initialized ('oc new-app
+######################################################################
+# Whether or not the cfme app should be initialized ('oc new-app
 # --template=manageiq). If False everything UP TO 'new-app' is ran.
-openshift_cfme_install_app: False
+openshift_cfme_install_app: false
+
 # Docker image to pull
 # openshift_cfme_application_img_name: "{{ 'registry.access.redhat.com/cloudforms46/cfme-openshift-app' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}"
 # openshift_cfme_application_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'frontend-latest' }}"

roles/openshift_cfme/files/miq-pv-server-example.yaml

@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: "${PV_NAME}"
-spec:
-  capacity:
-    storage: 5Gi
-  accessModes:
-  - ReadWriteOnce
-  nfs:
-    path: "/${BASE_PATH}/${PV_NAME}"
-    server: "${NFS_SERVER}"
-  persistentVolumeReclaimPolicy: Retain
-parameters:
-- name: BASE_PATH
-  displayName: BasePath
-  required: true
-  description: The parent directory of your NFS exports
-  value: /exports
-- name: PV_NAME
-  displayName: PVName
-  required: true
-  description: The name of this PV
-- name: NFS_SERVER
-  displayName: NFSServer
-  required: true
-  description: The hostname or IP address of the NFS server

roles/openshift_cfme/files/openshift_cfme.exports

@@ -1,3 +0,0 @@
-/exports/miq-pv01 *(rw,no_root_squash,no_wdelay)
-/exports/miq-pv02 *(rw,no_root_squash,no_wdelay)
-/exports/miq-pv03 *(rw,no_root_squash,no_wdelay)

roles/openshift_cfme/files/templates/cloudforms/cfme-backup-job.yaml

@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cloudforms-backup
+spec:
+  template:
+    metadata:
+      name: cloudforms-backup
+    spec:
+      containers:
+      - name: postgresql
+        image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest
+        command:
+        - "/opt/rh/cfme-container-scripts/backup_db"
+        env:
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: cloudforms-secrets
+              key: database-url
+        volumeMounts:
+        - name: cfme-backup-vol
+          mountPath: "/backups"
+      volumes:
+      - name: cfme-backup-vol
+        persistentVolumeClaim:
+          claimName: cloudforms-backup
+      restartPolicy: Never

roles/openshift_cfme/files/templates/cloudforms/cfme-backup-pvc.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: cloudforms-backup
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 15Gi

roles/openshift_cfme/files/miq-pv-db-example.yaml

@@ -1,13 +1,13 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: miq-pv01
+  name: cfme-pv03
 spec:
   capacity:
     storage: 15Gi
   accessModes:
   - ReadWriteOnce
   nfs:
-    path: "/exports/miq-pv01"
+    path: "/exports/cfme-pv03"
     server: "<your-nfs-host-here>"
   persistentVolumeReclaimPolicy: Retain

roles/openshift_cfme/files/templates/cloudforms/cfme-pv-db-example.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: cloudforms-db-pv
+metadata:
+  name: cloudforms-db-pv
+  annotations:
+    description: PV Template for CFME PostgreSQL DB
+    tags: PVS, CFME
+objects:
+- apiVersion: v1
+  kind: PersistentVolume
+  metadata:
+    name: cfme-db
+  spec:
+    capacity:
+      storage: "${PV_SIZE}"
+    accessModes:
+    - ReadWriteOnce
+    nfs:
+      path: "${BASE_PATH}/cfme-db"
+      server: "${NFS_HOST}"
+    persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+  displayName: PV Size for DB
+  required: true
+  description: The size of the CFME DB PV given in Gi
+  value: 15Gi
+- name: BASE_PATH
+  displayName: Exports Directory Base Path
+  required: true
+  description: The parent directory of your NFS exports
+  value: "/exports"
+- name: NFS_HOST
+  displayName: NFS Server Hostname
+  required: true
+  description: The hostname or IP address of the NFS server

roles/openshift_cfme/files/templates/cloudforms/cfme-pv-server-example.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: cloudforms-app-pv
+metadata:
+  name: cloudforms-app-pv
+  annotations:
+    description: PV Template for CFME Server
+    tags: PVS, CFME
+objects:
+- apiVersion: v1
+  kind: PersistentVolume
+  metadata:
+    name: cfme-app
+  spec:
+    capacity:
+      storage: "${PV_SIZE}"
+    accessModes:
+    - ReadWriteOnce
+    nfs:
+      path: "${BASE_PATH}/cfme-app"
+      server: "${NFS_HOST}"
+    persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+  displayName: PV Size for App
+  required: true
+  description: The size of the CFME APP PV given in Gi
+  value: 5Gi
+- name: BASE_PATH
+  displayName: Exports Directory Base Path
+  required: true
+  description: The parent directory of your NFS exports
+  value: "/exports"
+- name: NFS_HOST
+  displayName: NFS Server Hostname
+  required: true
+  description: The hostname or IP address of the NFS server

roles/openshift_cfme/files/templates/cloudforms/cfme-restore-job.yaml

@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cloudforms-restore
+spec:
+  template:
+    metadata:
+      name: cloudforms-restore
+    spec:
+      containers:
+      - name: postgresql
+        image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest
+        command:
+        - "/opt/rh/cfme-container-scripts/restore_db"
+        env:
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: cloudforms-secrets
+              key: database-url
+        - name: BACKUP_VERSION
+          value: latest
+        volumeMounts:
+        - name: cfme-backup-vol
+          mountPath: "/backups"
+        - name: cfme-prod-vol
+          mountPath: "/restore"
+      volumes:
+      - name: cfme-backup-vol
+        persistentVolumeClaim:
+          claimName: cloudforms-backup
+      - name: cfme-prod-vol
+        persistentVolumeClaim:
+          claimName: cloudforms-postgresql
+      restartPolicy: Never

roles/openshift_cfme/files/miq-scc-httpd.yaml

@@ -15,9 +15,9 @@ groups:
 kind: SecurityContextConstraints
 metadata:
   annotations:
-    kubernetes.io/description: miq-httpd provides all features of the anyuid SCC but allows users to have SYS_ADMIN capabilities. This is the required scc for Pods requiring to run with systemd and the message bus.
+    kubernetes.io/description: cfme-sysadmin provides all features of the anyuid SCC but allows users to have SYS_ADMIN capabilities. This is the required scc for Pods requiring to run with systemd and the message bus.
   creationTimestamp:
-  name: miq-httpd
+  name: cfme-sysadmin
 priority: 10
 readOnlyRootFilesystem: false
 requiredDropCapabilities:

roles/openshift_cfme/files/templates/cloudforms/cfme-template-ext-db.yaml

@@ -0,0 +1,763 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: cloudforms-ext-db
+metadata:
+  name: cloudforms-ext-db
+  annotations:
+    description: CloudForms appliance with persistent storage using a external DB host
+    tags: instant-app,cloudforms,cfme
+    iconClass: icon-rails
+objects:
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-orchestrator
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-anyuid
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-privileged
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-httpd
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: "${NAME}-secrets"
+  stringData:
+    pg-password: "${DATABASE_PASSWORD}"
+    database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+    v2-key: "${V2_KEY}"
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: "${ANSIBLE_SERVICE_NAME}-secrets"
+  stringData:
+    rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+    secret-key: "${ANSIBLE_SECRET_KEY}"
+    admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Exposes and load balances CloudForms pods
+      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+    name: "${NAME}"
+  spec:
+    clusterIP: None
+    ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    selector:
+      name: "${NAME}"
+- apiVersion: v1
+  kind: Route
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+  spec:
+    host: "${APPLICATION_DOMAIN}"
+    port:
+      targetPort: http
+    tls:
+      termination: edge
+      insecureEdgeTerminationPolicy: Redirect
+    to:
+      kind: Service
+      name: "${HTTPD_SERVICE_NAME}"
+- apiVersion: apps/v1beta1
+  kind: StatefulSet
+  metadata:
+    name: "${NAME}"
+    annotations:
+      description: Defines how to deploy the CloudForms appliance
+  spec:
+    serviceName: "${NAME}"
+    replicas: "${APPLICATION_REPLICA_COUNT}"
+    template:
+      metadata:
+        labels:
+          name: "${NAME}"
+        name: "${NAME}"
+      spec:
+        containers:
+        - name: cloudforms
+          image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
+          livenessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 80
+              scheme: HTTP
+            initialDelaySeconds: 200
+            timeoutSeconds: 3
+          ports:
+          - containerPort: 80
+            protocol: TCP
+          volumeMounts:
+          - name: "${NAME}-server"
+            mountPath: "/persistent"
+          env:
+          - name: MY_POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: APPLICATION_INIT_DELAY
+            value: "${APPLICATION_INIT_DELAY}"
+          - name: DATABASE_REGION
+            value: "${DATABASE_REGION}"
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: database-url
+          - name: V2_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: v2-key
+          - name: ANSIBLE_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          resources:
+            requests:
+              memory: "${APPLICATION_MEM_REQ}"
+              cpu: "${APPLICATION_CPU_REQ}"
+            limits:
+              memory: "${APPLICATION_MEM_LIMIT}"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - "/opt/rh/cfme-container-scripts/sync-pv-data"
+        serviceAccount: cfme-orchestrator
+        serviceAccountName: cfme-orchestrator
+        terminationGracePeriodSeconds: 90
+    volumeClaimTemplates:
+    - metadata:
+        name: "${NAME}-server"
+        annotations:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Headless service for CloudForms backend pods
+    name: "${NAME}-backend"
+  spec:
+    clusterIP: None
+    selector:
+      name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+  kind: StatefulSet
+  metadata:
+    name: "${NAME}-backend"
+    annotations:
+      description: Defines how to deploy the CloudForms appliance
+  spec:
+    serviceName: "${NAME}-backend"
+    replicas: 0
+    template:
+      metadata:
+        labels:
+          name: "${NAME}-backend"
+        name: "${NAME}-backend"
+      spec:
+        containers:
+        - name: cloudforms
+          image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+          livenessProbe:
+            exec:
+              command:
+              - pidof
+              - MIQ Server
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          volumeMounts:
+          - name: "${NAME}-server"
+            mountPath: "/persistent"
+          env:
+          - name: APPLICATION_INIT_DELAY
+            value: "${APPLICATION_INIT_DELAY}"
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: database-url
+          - name: MIQ_SERVER_DEFAULT_ROLES
+            value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+          - name: FRONTEND_SERVICE_NAME
+            value: "${NAME}"
+          - name: V2_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: v2-key
+          - name: ANSIBLE_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          resources:
+            requests:
+              memory: "${APPLICATION_MEM_REQ}"
+              cpu: "${APPLICATION_CPU_REQ}"
+            limits:
+              memory: "${APPLICATION_MEM_LIMIT}"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - "/opt/rh/cfme-container-scripts/sync-pv-data"
+        serviceAccount: cfme-orchestrator
+        serviceAccountName: cfme-orchestrator
+        terminationGracePeriodSeconds: 90
+    volumeClaimTemplates:
+    - metadata:
+        name: "${NAME}-server"
+        annotations:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${MEMCACHED_SERVICE_NAME}"
+    annotations:
+      description: Exposes the memcached server
+  spec:
+    ports:
+    - name: memcached
+      port: 11211
+      targetPort: 11211
+    selector:
+      name: "${MEMCACHED_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${MEMCACHED_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy memcached
+  spec:
+    strategy:
+      type: Recreate
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${MEMCACHED_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${MEMCACHED_SERVICE_NAME}"
+        labels:
+          name: "${MEMCACHED_SERVICE_NAME}"
+      spec:
+        volumes: []
+        containers:
+        - name: memcached
+          image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+          ports:
+          - containerPort: 11211
+          readinessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 5
+            tcpSocket:
+              port: 11211
+          livenessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 30
+            tcpSocket:
+              port: 11211
+          volumeMounts: []
+          env:
+          - name: MEMCACHED_MAX_MEMORY
+            value: "${MEMCACHED_MAX_MEMORY}"
+          - name: MEMCACHED_MAX_CONNECTIONS
+            value: "${MEMCACHED_MAX_CONNECTIONS}"
+          - name: MEMCACHED_SLAB_PAGE_SIZE
+            value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+          resources:
+            requests:
+              memory: "${MEMCACHED_MEM_REQ}"
+              cpu: "${MEMCACHED_CPU_REQ}"
+            limits:
+              memory: "${MEMCACHED_MEM_LIMIT}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}"
+    annotations:
+      description: Remote database service
+  spec:
+    ports:
+    - name: postgresql
+      port: 5432
+      targetPort: "${{DATABASE_PORT}}"
+    selector: {}
+- apiVersion: v1
+  kind: Endpoints
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}"
+  subsets:
+  - addresses:
+    - ip: "${DATABASE_IP}"
+    ports:
+    - port: "${{DATABASE_PORT}}"
+      name: postgresql
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Exposes and load balances Ansible pods
+      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+    name: "${ANSIBLE_SERVICE_NAME}"
+  spec:
+    ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    selector:
+      name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${ANSIBLE_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy the Ansible appliance
+  spec:
+    strategy:
+      type: Recreate
+    serviceName: "${ANSIBLE_SERVICE_NAME}"
+    replicas: 0
+    template:
+      metadata:
+        labels:
+          name: "${ANSIBLE_SERVICE_NAME}"
+        name: "${ANSIBLE_SERVICE_NAME}"
+      spec:
+        containers:
+        - name: ansible
+          image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+          livenessProbe:
+            tcpSocket:
+              port: 443
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 200
+            timeoutSeconds: 3
+          ports:
+          - containerPort: 80
+            protocol: TCP
+          - containerPort: 443
+            protocol: TCP
+          securityContext:
+            privileged: true
+          env:
+          - name: ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          - name: RABBITMQ_USER_NAME
+            value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+          - name: RABBITMQ_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: rabbit-password
+          - name: ANSIBLE_SECRET_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: secret-key
+          - name: DATABASE_SERVICE_NAME
+            value: "${DATABASE_SERVICE_NAME}"
+          - name: POSTGRESQL_USER
+            value: "${DATABASE_USER}"
+          - name: POSTGRESQL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: pg-password
+          - name: POSTGRESQL_DATABASE
+            value: "${ANSIBLE_DATABASE_NAME}"
+          resources:
+            requests:
+              memory: "${ANSIBLE_MEM_REQ}"
+              cpu: "${ANSIBLE_CPU_REQ}"
+            limits:
+              memory: "${ANSIBLE_MEM_LIMIT}"
+        serviceAccount: cfme-privileged
+        serviceAccountName: cfme-privileged
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}-configs"
+  data:
+    application.conf: |
+      # Timeout: The number of seconds before receives and sends time out.
+      Timeout 120
+
+      RewriteEngine On
+      Options SymLinksIfOwnerMatch
+
+      <VirtualHost *:80>
+        KeepAlive on
+        ProxyPreserveHost on
+        ProxyPass        /ws/ ws://${NAME}/ws/
+        ProxyPassReverse /ws/ ws://${NAME}/ws/
+        ProxyPass        / http://${NAME}/
+        ProxyPassReverse / http://${NAME}/
+      </VirtualHost>
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}-auth-configs"
+  data:
+    auth-type: internal
+    auth-configuration.conf: |
+      # External Authentication Configuration File
+      #
+      # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+    annotations:
+      description: Exposes the httpd server
+      service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+  spec:
+    ports:
+    - name: http
+      port: 80
+      targetPort: 80
+    selector:
+      name: httpd
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy httpd
+  spec:
+    strategy:
+      type: Recreate
+      recreateParams:
+        timeoutSeconds: 1200
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${HTTPD_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${HTTPD_SERVICE_NAME}"
+        labels:
+          name: "${HTTPD_SERVICE_NAME}"
+      spec:
+        volumes:
+        - name: httpd-config
+          configMap:
+            name: "${HTTPD_SERVICE_NAME}-configs"
+        - name: httpd-auth-config
+          configMap:
+            name: "${HTTPD_SERVICE_NAME}-auth-configs"
+        containers:
+        - name: httpd
+          image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+          ports:
+          - containerPort: 80
+          livenessProbe:
+            exec:
+              command:
+              - pidof
+              - httpd
+            initialDelaySeconds: 15
+            timeoutSeconds: 3
+          readinessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 10
+            timeoutSeconds: 3
+          volumeMounts:
+          - name: httpd-config
+            mountPath: "${HTTPD_CONFIG_DIR}"
+          - name: httpd-auth-config
+            mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+          resources:
+            requests:
+              memory: "${HTTPD_MEM_REQ}"
+              cpu: "${HTTPD_CPU_REQ}"
+            limits:
+              memory: "${HTTPD_MEM_LIMIT}"
+          env:
+          - name: HTTPD_AUTH_TYPE
+            valueFrom:
+              configMapKeyRef:
+                name: "${HTTPD_SERVICE_NAME}-auth-configs"
+                key: auth-type
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                - "/usr/bin/save-container-environment"
+        serviceAccount: cfme-httpd
+        serviceAccountName: cfme-httpd
+parameters:
+- name: NAME
+  displayName: Name
+  required: true
+  description: The name assigned to all of the frontend objects defined in this template.
+  value: cloudforms
+- name: V2_KEY
+  displayName: CloudForms Encryption Key
+  required: true
+  description: Encryption Key for CloudForms Passwords
+  from: "[a-zA-Z0-9]{43}"
+  generate: expression
+- name: DATABASE_SERVICE_NAME
+  displayName: PostgreSQL Service Name
+  required: true
+  description: The name of the OpenShift Service exposed for the PostgreSQL container.
+  value: postgresql
+- name: DATABASE_USER
+  displayName: PostgreSQL User
+  required: true
+  description: PostgreSQL user that will access the database.
+  value: root
+- name: DATABASE_PASSWORD
+  displayName: PostgreSQL Password
+  required: true
+  description: Password for the PostgreSQL user.
+  from: "[a-zA-Z0-9]{8}"
+  generate: expression
+- name: DATABASE_IP
+  displayName: PostgreSQL Server IP
+  required: true
+  description: PostgreSQL external server IP used to configure service.
+  value: ''
+- name: DATABASE_PORT
+  displayName: PostgreSQL Server Port
+  required: true
+  description: PostgreSQL external server port used to configure service.
+  value: '5432'
+- name: DATABASE_NAME
+  required: true
+  displayName: PostgreSQL Database Name
+  description: Name of the PostgreSQL database accessed.
+  value: vmdb_production
+- name: DATABASE_REGION
+  required: true
+  displayName: Application Database Region
+  description: Database region that will be used for application.
+  value: '0'
+- name: ANSIBLE_DATABASE_NAME
+  displayName: Ansible PostgreSQL database name
+  required: true
+  description: The database to be used by the Ansible continer
+  value: awx
+- name: MEMCACHED_SERVICE_NAME
+  required: true
+  displayName: Memcached Service Name
+  description: The name of the OpenShift Service exposed for the Memcached container.
+  value: memcached
+- name: MEMCACHED_MAX_MEMORY
+  displayName: Memcached Max Memory
+  description: Memcached maximum memory for memcached object storage in MB.
+  value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+  displayName: Memcached Max Connections
+  description: Memcached maximum number of connections allowed.
+  value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+  displayName: Memcached Slab Page Size
+  description: Memcached size of each slab page.
+  value: 1m
+- name: ANSIBLE_SERVICE_NAME
+  displayName: Ansible Service Name
+  description: The name of the OpenShift Service exposed for the Ansible container.
+  value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+  displayName: Ansible admin User password
+  required: true
+  description: The password for the Ansible container admin user
+  from: "[a-zA-Z0-9]{32}"
+  generate: expression
+- name: ANSIBLE_SECRET_KEY
+  displayName: Ansible Secret Key
+  required: true
+  description: Encryption key for the Ansible container
+  from: "[a-f0-9]{32}"
+  generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+  displayName: RabbitMQ Username
+  required: true
+  description: Username for the Ansible RabbitMQ Server
+  value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+  displayName: RabbitMQ Server Password
+  required: true
+  description: Password for the Ansible RabbitMQ Server
+  from: "[a-zA-Z0-9]{32}"
+  generate: expression
+- name: APPLICATION_CPU_REQ
+  displayName: Application Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+  value: 1000m
+- name: MEMCACHED_CPU_REQ
+  displayName: Memcached Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+  value: 200m
+- name: ANSIBLE_CPU_REQ
+  displayName: Ansible Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+  value: 1000m
+- name: APPLICATION_MEM_REQ
+  displayName: Application Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Application container will need.
+  value: 6144Mi
+- name: MEMCACHED_MEM_REQ
+  displayName: Memcached Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Memcached container will need.
+  value: 64Mi
+- name: ANSIBLE_MEM_REQ
+  displayName: Ansible Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Ansible container will need.
+  value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+  displayName: Application Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Application container can consume.
+  value: 16384Mi
+- name: MEMCACHED_MEM_LIMIT
+  displayName: Memcached Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Memcached container can consume.
+  value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+  displayName: Ansible Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Ansible container can consume.
+  value: 8096Mi
+- name: MEMCACHED_IMG_NAME
+  displayName: Memcached Image Name
+  description: This is the Memcached image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-memcached
+- name: MEMCACHED_IMG_TAG
+  displayName: Memcached Image Tag
+  description: This is the Memcached image tag/version requested to deploy.
+  value: latest
+- name: FRONTEND_APPLICATION_IMG_NAME
+  displayName: Frontend Application Image Name
+  description: This is the Frontend Application image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app-ui
+- name: BACKEND_APPLICATION_IMG_NAME
+  displayName: Backend Application Image Name
+  description: This is the Backend Application image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app
+- name: FRONTEND_APPLICATION_IMG_TAG
+  displayName: Front end Application Image Tag
+  description: This is the CloudForms Frontend Application image tag/version requested to deploy.
+  value: latest
+- name: BACKEND_APPLICATION_IMG_TAG
+  displayName: Back end Application Image Tag
+  description: This is the CloudForms Backend Application image tag/version requested to deploy.
+  value: latest
+- name: ANSIBLE_IMG_NAME
+  displayName: Ansible Image Name
+  description: This is the Ansible image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-embedded-ansible
+- name: ANSIBLE_IMG_TAG
+  displayName: Ansible Image Tag
+  description: This is the Ansible image tag/version requested to deploy.
+  value: latest
+- name: APPLICATION_DOMAIN
+  displayName: Application Hostname
+  description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+  value: ''
+- name: APPLICATION_REPLICA_COUNT
+  displayName: Application Replica Count
+  description: This is the number of Application replicas requested to deploy.
+  value: '1'
+- name: APPLICATION_INIT_DELAY
+  displayName: Application Init Delay
+  required: true
+  description: Delay in seconds before we attempt to initialize the application.
+  value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+  displayName: Application Volume Capacity
+  required: true
+  description: Volume space available for application data.
+  value: 5Gi
+- name: HTTPD_SERVICE_NAME
+  required: true
+  displayName: Apache httpd Service Name
+  description: The name of the OpenShift Service exposed for the httpd container.
+  value: httpd
+- name: HTTPD_IMG_NAME
+  displayName: Apache httpd Image Name
+  description: This is the httpd image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-httpd
+- name: HTTPD_IMG_TAG
+  displayName: Apache httpd Image Tag
+  description: This is the httpd image tag/version requested to deploy.
+  value: latest
+- name: HTTPD_CONFIG_DIR
+  displayName: Apache httpd Configuration Directory
+  description: Directory used to store the Apache configuration files.
+  value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+  displayName: External Authentication Configuration Directory
+  description: Directory used to store the external authentication configuration files.
+  value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+  displayName: Apache httpd Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+  value: 500m
+- name: HTTPD_MEM_REQ
+  displayName: Apache httpd Min RAM Requested
+  required: true
+  description: Minimum amount of memory the httpd container will need.
+  value: 512Mi
+- name: HTTPD_MEM_LIMIT
+  displayName: Apache httpd Max RAM Limit
+  required: true
+  description: Maximum amount of memory the httpd container can consume.
+  value: 8192Mi

roles/openshift_cfme/files/templates/cloudforms/cfme-template.yaml

@@ -0,0 +1,940 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: cloudforms
+metadata:
+  name: cloudforms
+  annotations:
+    description: CloudForms appliance with persistent storage
+    tags: instant-app,cloudforms,cfme
+    iconClass: icon-rails
+objects:
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-orchestrator
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-anyuid
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-privileged
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: cfme-httpd
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: "${NAME}-secrets"
+  stringData:
+    pg-password: "${DATABASE_PASSWORD}"
+    database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
+    v2-key: "${V2_KEY}"
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: "${ANSIBLE_SERVICE_NAME}-secrets"
+  stringData:
+    rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
+    secret-key: "${ANSIBLE_SECRET_KEY}"
+    admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}-configs"
+  data:
+    01_miq_overrides.conf: |
+      #------------------------------------------------------------------------------
+      # CONNECTIONS AND AUTHENTICATION
+      #------------------------------------------------------------------------------
+
+      tcp_keepalives_count = 9
+      tcp_keepalives_idle = 3
+      tcp_keepalives_interval = 75
+
+      #------------------------------------------------------------------------------
+      # RESOURCE USAGE (except WAL)
+      #------------------------------------------------------------------------------
+
+      shared_preload_libraries = 'pglogical,repmgr_funcs'
+      max_worker_processes = 10
+
+      #------------------------------------------------------------------------------
+      # WRITE AHEAD LOG
+      #------------------------------------------------------------------------------
+
+      wal_level = 'logical'
+      wal_log_hints = on
+      wal_buffers = 16MB
+      checkpoint_completion_target = 0.9
+
+      #------------------------------------------------------------------------------
+      # REPLICATION
+      #------------------------------------------------------------------------------
+
+      max_wal_senders = 10
+      wal_sender_timeout = 0
+      max_replication_slots = 10
+      hot_standby = on
+
+      #------------------------------------------------------------------------------
+      # ERROR REPORTING AND LOGGING
+      #------------------------------------------------------------------------------
+
+      log_filename = 'postgresql.log'
+      log_rotation_age = 0
+      log_min_duration_statement = 5000
+      log_connections = on
+      log_disconnections = on
+      log_line_prefix = '%t:%r:%c:%u@%d:[%p]:'
+      log_lock_waits = on
+
+      #------------------------------------------------------------------------------
+      # AUTOVACUUM PARAMETERS
+      #------------------------------------------------------------------------------
+
+      log_autovacuum_min_duration = 0
+      autovacuum_naptime = 5min
+      autovacuum_vacuum_threshold = 500
+      autovacuum_analyze_threshold = 500
+      autovacuum_vacuum_scale_factor = 0.05
+
+      #------------------------------------------------------------------------------
+      # LOCK MANAGEMENT
+      #------------------------------------------------------------------------------
+
+      deadlock_timeout = 5s
+
+      #------------------------------------------------------------------------------
+      # VERSION/PLATFORM COMPATIBILITY
+      #------------------------------------------------------------------------------
+
+      escape_string_warning = off
+      standard_conforming_strings = off
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}-configs"
+  data:
+    application.conf: |
+      # Timeout: The number of seconds before receives and sends time out.
+      Timeout 120
+
+      RewriteEngine On
+      Options SymLinksIfOwnerMatch
+
+      <VirtualHost *:80>
+        KeepAlive on
+        ProxyPreserveHost on
+        ProxyPass        /ws/ ws://${NAME}/ws/
+        ProxyPassReverse /ws/ ws://${NAME}/ws/
+        ProxyPass        / http://${NAME}/
+        ProxyPassReverse / http://${NAME}/
+      </VirtualHost>
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}-auth-configs"
+  data:
+    auth-type: internal
+    auth-configuration.conf: |
+      # External Authentication Configuration File
+      #
+      # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Exposes and load balances CloudForms pods
+      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+    name: "${NAME}"
+  spec:
+    clusterIP: None
+    ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    selector:
+      name: "${NAME}"
+- apiVersion: v1
+  kind: Route
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+  spec:
+    host: "${APPLICATION_DOMAIN}"
+    port:
+      targetPort: http
+    tls:
+      termination: edge
+      insecureEdgeTerminationPolicy: Redirect
+    to:
+      kind: Service
+      name: "${HTTPD_SERVICE_NAME}"
+- apiVersion: v1
+  kind: PersistentVolumeClaim
+  metadata:
+    name: "${NAME}-${DATABASE_SERVICE_NAME}"
+  spec:
+    accessModes:
+    - ReadWriteOnce
+    resources:
+      requests:
+        storage: "${DATABASE_VOLUME_CAPACITY}"
+- apiVersion: apps/v1beta1
+  kind: StatefulSet
+  metadata:
+    name: "${NAME}"
+    annotations:
+      description: Defines how to deploy the CloudForms appliance
+  spec:
+    serviceName: "${NAME}"
+    replicas: "${APPLICATION_REPLICA_COUNT}"
+    template:
+      metadata:
+        labels:
+          name: "${NAME}"
+        name: "${NAME}"
+      spec:
+        containers:
+        - name: cloudforms
+          image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
+          livenessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 80
+              scheme: HTTP
+            initialDelaySeconds: 200
+            timeoutSeconds: 3
+          ports:
+          - containerPort: 80
+            protocol: TCP
+          volumeMounts:
+          - name: "${NAME}-server"
+            mountPath: "/persistent"
+          env:
+          - name: MY_POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: APPLICATION_INIT_DELAY
+            value: "${APPLICATION_INIT_DELAY}"
+          - name: DATABASE_REGION
+            value: "${DATABASE_REGION}"
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: database-url
+          - name: V2_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: v2-key
+          - name: ANSIBLE_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          resources:
+            requests:
+              memory: "${APPLICATION_MEM_REQ}"
+              cpu: "${APPLICATION_CPU_REQ}"
+            limits:
+              memory: "${APPLICATION_MEM_LIMIT}"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - "/opt/rh/cfme-container-scripts/sync-pv-data"
+        serviceAccount: cfme-orchestrator
+        serviceAccountName: cfme-orchestrator
+        terminationGracePeriodSeconds: 90
+    volumeClaimTemplates:
+    - metadata:
+        name: "${NAME}-server"
+        annotations:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Headless service for CloudForms backend pods
+    name: "${NAME}-backend"
+  spec:
+    clusterIP: None
+    selector:
+      name: "${NAME}-backend"
+- apiVersion: apps/v1beta1
+  kind: StatefulSet
+  metadata:
+    name: "${NAME}-backend"
+    annotations:
+      description: Defines how to deploy the CloudForms appliance
+  spec:
+    serviceName: "${NAME}-backend"
+    replicas: 0
+    template:
+      metadata:
+        labels:
+          name: "${NAME}-backend"
+        name: "${NAME}-backend"
+      spec:
+        containers:
+        - name: cloudforms
+          image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
+          livenessProbe:
+            exec:
+              command:
+              - pidof
+              - MIQ Server
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          volumeMounts:
+          - name: "${NAME}-server"
+            mountPath: "/persistent"
+          env:
+          - name: APPLICATION_INIT_DELAY
+            value: "${APPLICATION_INIT_DELAY}"
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: database-url
+          - name: MIQ_SERVER_DEFAULT_ROLES
+            value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
+          - name: FRONTEND_SERVICE_NAME
+            value: "${NAME}"
+          - name: V2_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: v2-key
+          - name: ANSIBLE_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          resources:
+            requests:
+              memory: "${APPLICATION_MEM_REQ}"
+              cpu: "${APPLICATION_CPU_REQ}"
+            limits:
+              memory: "${APPLICATION_MEM_LIMIT}"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - "/opt/rh/cfme-container-scripts/sync-pv-data"
+        serviceAccount: cfme-orchestrator
+        serviceAccountName: cfme-orchestrator
+        terminationGracePeriodSeconds: 90
+    volumeClaimTemplates:
+    - metadata:
+        name: "${NAME}-server"
+        annotations:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "${APPLICATION_VOLUME_CAPACITY}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${MEMCACHED_SERVICE_NAME}"
+    annotations:
+      description: Exposes the memcached server
+  spec:
+    ports:
+    - name: memcached
+      port: 11211
+      targetPort: 11211
+    selector:
+      name: "${MEMCACHED_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${MEMCACHED_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy memcached
+  spec:
+    strategy:
+      type: Recreate
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${MEMCACHED_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${MEMCACHED_SERVICE_NAME}"
+        labels:
+          name: "${MEMCACHED_SERVICE_NAME}"
+      spec:
+        volumes: []
+        containers:
+        - name: memcached
+          image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
+          ports:
+          - containerPort: 11211
+          readinessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 5
+            tcpSocket:
+              port: 11211
+          livenessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 30
+            tcpSocket:
+              port: 11211
+          volumeMounts: []
+          env:
+          - name: MEMCACHED_MAX_MEMORY
+            value: "${MEMCACHED_MAX_MEMORY}"
+          - name: MEMCACHED_MAX_CONNECTIONS
+            value: "${MEMCACHED_MAX_CONNECTIONS}"
+          - name: MEMCACHED_SLAB_PAGE_SIZE
+            value: "${MEMCACHED_SLAB_PAGE_SIZE}"
+          resources:
+            requests:
+              memory: "${MEMCACHED_MEM_REQ}"
+              cpu: "${MEMCACHED_CPU_REQ}"
+            limits:
+              memory: "${MEMCACHED_MEM_LIMIT}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}"
+    annotations:
+      description: Exposes the database server
+  spec:
+    ports:
+    - name: postgresql
+      port: 5432
+      targetPort: 5432
+    selector:
+      name: "${DATABASE_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${DATABASE_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy the database
+  spec:
+    strategy:
+      type: Recreate
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${DATABASE_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${DATABASE_SERVICE_NAME}"
+        labels:
+          name: "${DATABASE_SERVICE_NAME}"
+      spec:
+        volumes:
+        - name: cfme-pgdb-volume
+          persistentVolumeClaim:
+            claimName: "${NAME}-${DATABASE_SERVICE_NAME}"
+        - name: cfme-pg-configs
+          configMap:
+            name: "${DATABASE_SERVICE_NAME}-configs"
+        containers:
+        - name: postgresql
+          image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"
+          ports:
+          - containerPort: 5432
+          readinessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 15
+            exec:
+              command:
+              - "/bin/sh"
+              - "-i"
+              - "-c"
+              - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'
+          livenessProbe:
+            timeoutSeconds: 1
+            initialDelaySeconds: 60
+            tcpSocket:
+              port: 5432
+          volumeMounts:
+          - name: cfme-pgdb-volume
+            mountPath: "/var/lib/pgsql/data"
+          - name: cfme-pg-configs
+            mountPath: "${POSTGRESQL_CONFIG_DIR}"
+          env:
+          - name: POSTGRESQL_USER
+            value: "${DATABASE_USER}"
+          - name: POSTGRESQL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: pg-password
+          - name: POSTGRESQL_DATABASE
+            value: "${DATABASE_NAME}"
+          - name: POSTGRESQL_MAX_CONNECTIONS
+            value: "${POSTGRESQL_MAX_CONNECTIONS}"
+          - name: POSTGRESQL_SHARED_BUFFERS
+            value: "${POSTGRESQL_SHARED_BUFFERS}"
+          - name: POSTGRESQL_CONFIG_DIR
+            value: "${POSTGRESQL_CONFIG_DIR}"
+          resources:
+            requests:
+              memory: "${POSTGRESQL_MEM_REQ}"
+              cpu: "${POSTGRESQL_CPU_REQ}"
+            limits:
+              memory: "${POSTGRESQL_MEM_LIMIT}"
+- apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      description: Exposes and load balances Ansible pods
+      service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
+    name: "${ANSIBLE_SERVICE_NAME}"
+  spec:
+    ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    selector:
+      name: "${ANSIBLE_SERVICE_NAME}"
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${ANSIBLE_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy the Ansible appliance
+  spec:
+    strategy:
+      type: Recreate
+    serviceName: "${ANSIBLE_SERVICE_NAME}"
+    replicas: 0
+    template:
+      metadata:
+        labels:
+          name: "${ANSIBLE_SERVICE_NAME}"
+        name: "${ANSIBLE_SERVICE_NAME}"
+      spec:
+        containers:
+        - name: ansible
+          image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
+          livenessProbe:
+            tcpSocket:
+              port: 443
+            initialDelaySeconds: 480
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 200
+            timeoutSeconds: 3
+          ports:
+          - containerPort: 80
+            protocol: TCP
+          - containerPort: 443
+            protocol: TCP
+          securityContext:
+            privileged: true
+          env:
+          - name: ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: admin-password
+          - name: RABBITMQ_USER_NAME
+            value: "${ANSIBLE_RABBITMQ_USER_NAME}"
+          - name: RABBITMQ_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: rabbit-password
+          - name: ANSIBLE_SECRET_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "${ANSIBLE_SERVICE_NAME}-secrets"
+                key: secret-key
+          - name: DATABASE_SERVICE_NAME
+            value: "${DATABASE_SERVICE_NAME}"
+          - name: POSTGRESQL_USER
+            value: "${DATABASE_USER}"
+          - name: POSTGRESQL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "${NAME}-secrets"
+                key: pg-password
+          - name: POSTGRESQL_DATABASE
+            value: "${ANSIBLE_DATABASE_NAME}"
+          resources:
+            requests:
+              memory: "${ANSIBLE_MEM_REQ}"
+              cpu: "${ANSIBLE_CPU_REQ}"
+            limits:
+              memory: "${ANSIBLE_MEM_LIMIT}"
+        serviceAccount: cfme-privileged
+        serviceAccountName: cfme-privileged
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+    annotations:
+      description: Exposes the httpd server
+      service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+  spec:
+    ports:
+    - name: http
+      port: 80
+      targetPort: 80
+    selector:
+      name: httpd
+- apiVersion: v1
+  kind: DeploymentConfig
+  metadata:
+    name: "${HTTPD_SERVICE_NAME}"
+    annotations:
+      description: Defines how to deploy httpd
+  spec:
+    strategy:
+      type: Recreate
+      recreateParams:
+        timeoutSeconds: 1200
+    triggers:
+    - type: ConfigChange
+    replicas: 1
+    selector:
+      name: "${HTTPD_SERVICE_NAME}"
+    template:
+      metadata:
+        name: "${HTTPD_SERVICE_NAME}"
+        labels:
+          name: "${HTTPD_SERVICE_NAME}"
+      spec:
+        volumes:
+        - name: httpd-config
+          configMap:
+            name: "${HTTPD_SERVICE_NAME}-configs"
+        - name: httpd-auth-config
+          configMap:
+            name: "${HTTPD_SERVICE_NAME}-auth-configs"
+        containers:
+        - name: httpd
+          image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
+          ports:
+          - containerPort: 80
+          livenessProbe:
+            exec:
+              command:
+              - pidof
+              - httpd
+            initialDelaySeconds: 15
+            timeoutSeconds: 3
+          readinessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 10
+            timeoutSeconds: 3
+          volumeMounts:
+          - name: httpd-config
+            mountPath: "${HTTPD_CONFIG_DIR}"
+          - name: httpd-auth-config
+            mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
+          resources:
+            requests:
+              memory: "${HTTPD_MEM_REQ}"
+              cpu: "${HTTPD_CPU_REQ}"
+            limits:
+              memory: "${HTTPD_MEM_LIMIT}"
+          env:
+          - name: HTTPD_AUTH_TYPE
+            valueFrom:
+              configMapKeyRef:
+                name: "${HTTPD_SERVICE_NAME}-auth-configs"
+                key: auth-type
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                - "/usr/bin/save-container-environment"
+        serviceAccount: cfme-httpd
+        serviceAccountName: cfme-httpd
+parameters:
+- name: NAME
+  displayName: Name
+  required: true
+  description: The name assigned to all of the frontend objects defined in this template.
+  value: cloudforms
+- name: V2_KEY
+  displayName: CloudForms Encryption Key
+  required: true
+  description: Encryption Key for CloudForms Passwords
+  from: "[a-zA-Z0-9]{43}"
+  generate: expression
+- name: DATABASE_SERVICE_NAME
+  displayName: PostgreSQL Service Name
+  required: true
+  description: The name of the OpenShift Service exposed for the PostgreSQL container.
+  value: postgresql
+- name: DATABASE_USER
+  displayName: PostgreSQL User
+  required: true
+  description: PostgreSQL user that will access the database.
+  value: root
+- name: DATABASE_PASSWORD
+  displayName: PostgreSQL Password
+  required: true
+  description: Password for the PostgreSQL user.
+  from: "[a-zA-Z0-9]{8}"
+  generate: expression
+- name: DATABASE_NAME
+  required: true
+  displayName: PostgreSQL Database Name
+  description: Name of the PostgreSQL database accessed.
+  value: vmdb_production
+- name: DATABASE_REGION
+  required: true
+  displayName: Application Database Region
+  description: Database region that will be used for application.
+  value: '0'
+- name: ANSIBLE_DATABASE_NAME
+  displayName: Ansible PostgreSQL database name
+  required: true
+  description: The database to be used by the Ansible continer
+  value: awx
+- name: MEMCACHED_SERVICE_NAME
+  required: true
+  displayName: Memcached Service Name
+  description: The name of the OpenShift Service exposed for the Memcached container.
+  value: memcached
+- name: MEMCACHED_MAX_MEMORY
+  displayName: Memcached Max Memory
+  description: Memcached maximum memory for memcached object storage in MB.
+  value: '64'
+- name: MEMCACHED_MAX_CONNECTIONS
+  displayName: Memcached Max Connections
+  description: Memcached maximum number of connections allowed.
+  value: '1024'
+- name: MEMCACHED_SLAB_PAGE_SIZE
+  displayName: Memcached Slab Page Size
+  description: Memcached size of each slab page.
+  value: 1m
+- name: POSTGRESQL_CONFIG_DIR
+  displayName: PostgreSQL Configuration Overrides
+  description: Directory used to store PostgreSQL configuration overrides.
+  value: "/var/lib/pgsql/conf.d"
+- name: POSTGRESQL_MAX_CONNECTIONS
+  displayName: PostgreSQL Max Connections
+  description: PostgreSQL maximum number of database connections allowed.
+  value: '1000'
+- name: POSTGRESQL_SHARED_BUFFERS
+  displayName: PostgreSQL Shared Buffer Amount
+  description: Amount of memory dedicated for PostgreSQL shared memory buffers.
+  value: 1GB
+- name: ANSIBLE_SERVICE_NAME
+  displayName: Ansible Service Name
+  description: The name of the OpenShift Service exposed for the Ansible container.
+  value: ansible
+- name: ANSIBLE_ADMIN_PASSWORD
+  displayName: Ansible admin User password
+  required: true
+  description: The password for the Ansible container admin user
+  from: "[a-zA-Z0-9]{32}"
+  generate: expression
+- name: ANSIBLE_SECRET_KEY
+  displayName: Ansible Secret Key
+  required: true
+  description: Encryption key for the Ansible container
+  from: "[a-f0-9]{32}"
+  generate: expression
+- name: ANSIBLE_RABBITMQ_USER_NAME
+  displayName: RabbitMQ Username
+  required: true
+  description: Username for the Ansible RabbitMQ Server
+  value: ansible
+- name: ANSIBLE_RABBITMQ_PASSWORD
+  displayName: RabbitMQ Server Password
+  required: true
+  description: Password for the Ansible RabbitMQ Server
+  from: "[a-zA-Z0-9]{32}"
+  generate: expression
+- name: APPLICATION_CPU_REQ
+  displayName: Application Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Application container will need (expressed in millicores).
+  value: 1000m
+- name: POSTGRESQL_CPU_REQ
+  displayName: PostgreSQL Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores).
+  value: 500m
+- name: MEMCACHED_CPU_REQ
+  displayName: Memcached Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
+  value: 200m
+- name: ANSIBLE_CPU_REQ
+  displayName: Ansible Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
+  value: 1000m
+- name: APPLICATION_MEM_REQ
+  displayName: Application Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Application container will need.
+  value: 6144Mi
+- name: POSTGRESQL_MEM_REQ
+  displayName: PostgreSQL Min RAM Requested
+  required: true
+  description: Minimum amount of memory the PostgreSQL container will need.
+  value: 4Gi
+- name: MEMCACHED_MEM_REQ
+  displayName: Memcached Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Memcached container will need.
+  value: 64Mi
+- name: ANSIBLE_MEM_REQ
+  displayName: Ansible Min RAM Requested
+  required: true
+  description: Minimum amount of memory the Ansible container will need.
+  value: 2048Mi
+- name: APPLICATION_MEM_LIMIT
+  displayName: Application Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Application container can consume.
+  value: 16384Mi
+- name: POSTGRESQL_MEM_LIMIT
+  displayName: PostgreSQL Max RAM Limit
+  required: true
+  description: Maximum amount of memory the PostgreSQL container can consume.
+  value: 8Gi
+- name: MEMCACHED_MEM_LIMIT
+  displayName: Memcached Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Memcached container can consume.
+  value: 256Mi
+- name: ANSIBLE_MEM_LIMIT
+  displayName: Ansible Max RAM Limit
+  required: true
+  description: Maximum amount of memory the Ansible container can consume.
+  value: 8096Mi
+- name: POSTGRESQL_IMG_NAME
+  displayName: PostgreSQL Image Name
+  description: This is the PostgreSQL image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql
+- name: POSTGRESQL_IMG_TAG
+  displayName: PostgreSQL Image Tag
+  description: This is the PostgreSQL image tag/version requested to deploy.
+  value: latest
+- name: MEMCACHED_IMG_NAME
+  displayName: Memcached Image Name
+  description: This is the Memcached image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-memcached
+- name: MEMCACHED_IMG_TAG
+  displayName: Memcached Image Tag
+  description: This is the Memcached image tag/version requested to deploy.
+  value: latest
+- name: FRONTEND_APPLICATION_IMG_NAME
+  displayName: Frontend Application Image Name
+  description: This is the Frontend Application image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app-ui
+- name: BACKEND_APPLICATION_IMG_NAME
+  displayName: Backend Application Image Name
+  description: This is the Backend Application image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app
+- name: FRONTEND_APPLICATION_IMG_TAG
+  displayName: Front end Application Image Tag
+  description: This is the CloudForms Frontend Application image tag/version requested to deploy.
+  value: latest
+- name: BACKEND_APPLICATION_IMG_TAG
+  displayName: Back end Application Image Tag
+  description: This is the CloudForms Backend Application image tag/version requested to deploy.
+  value: latest
+- name: ANSIBLE_IMG_NAME
+  displayName: Ansible Image Name
+  description: This is the Ansible image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-embedded-ansible
+- name: ANSIBLE_IMG_TAG
+  displayName: Ansible Image Tag
+  description: This is the Ansible image tag/version requested to deploy.
+  value: latest
+- name: APPLICATION_DOMAIN
+  displayName: Application Hostname
+  description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
+  value: ''
+- name: APPLICATION_REPLICA_COUNT
+  displayName: Application Replica Count
+  description: This is the number of Application replicas requested to deploy.
+  value: '1'
+- name: APPLICATION_INIT_DELAY
+  displayName: Application Init Delay
+  required: true
+  description: Delay in seconds before we attempt to initialize the application.
+  value: '15'
+- name: APPLICATION_VOLUME_CAPACITY
+  displayName: Application Volume Capacity
+  required: true
+  description: Volume space available for application data.
+  value: 5Gi
+- name: DATABASE_VOLUME_CAPACITY
+  displayName: Database Volume Capacity
+  required: true
+  description: Volume space available for database.
+  value: 15Gi
+- name: HTTPD_SERVICE_NAME
+  required: true
+  displayName: Apache httpd Service Name
+  description: The name of the OpenShift Service exposed for the httpd container.
+  value: httpd
+- name: HTTPD_IMG_NAME
+  displayName: Apache httpd Image Name
+  description: This is the httpd image name requested to deploy.
+  value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-httpd
+- name: HTTPD_IMG_TAG
+  displayName: Apache httpd Image Tag
+  description: This is the httpd image tag/version requested to deploy.
+  value: latest
+- name: HTTPD_CONFIG_DIR
+  displayName: Apache Configuration Directory
+  description: Directory used to store the Apache configuration files.
+  value: "/etc/httpd/conf.d"
+- name: HTTPD_AUTH_CONFIG_DIR
+  displayName: External Authentication Configuration Directory
+  description: Directory used to store the external authentication configuration files.
+  value: "/etc/httpd/auth-conf.d"
+- name: HTTPD_CPU_REQ
+  displayName: Apache httpd Min CPU Requested
+  required: true
+  description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
+  value: 500m
+- name: HTTPD_MEM_REQ
+  displayName: Apache httpd Min RAM Requested
+  required: true
+  description: Minimum amount of memory the httpd container will need.
+  value: 512Mi
+- name: HTTPD_MEM_LIMIT
+  displayName: Apache httpd Max RAM Limit
+  required: true
+  description: Maximum amount of memory the httpd container can consume.
+  value: 8192Mi

roles/openshift_cfme/files/templates/manageiq/miq-pv-db-example.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: manageiq-db-pv
+metadata:
+  name: manageiq-db-pv
+  annotations:
+    description: PV Template for MIQ PostgreSQL DB
+    tags: PVS, MIQ
+objects:
+- apiVersion: v1
+  kind: PersistentVolume
+  metadata:
+    name: miq-db
+  spec:
+    capacity:
+      storage: "${PV_SIZE}"
+    accessModes:
+    - ReadWriteOnce
+    nfs:
+      path: "${BASE_PATH}/miq-db"
+      server: "${NFS_HOST}"
+    persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+  displayName: PV Size for DB
+  required: true
+  description: The size of the MIQ DB PV given in Gi
+  value: 15Gi
+- name: BASE_PATH
+  displayName: Exports Directory Base Path
+  required: true
+  description: The parent directory of your NFS exports
+  value: "/exports"
+- name: NFS_HOST
+  displayName: NFS Server Hostname
+  required: true
+  description: The hostname or IP address of the NFS server

roles/openshift_cfme/files/templates/manageiq/miq-pv-server-example.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Template
+labels:
+  template: manageiq-app-pv
+metadata:
+  name: manageiq-app-pv
+  annotations:
+    description: PV Template for MIQ Server
+    tags: PVS, MIQ
+objects:
+- apiVersion: v1
+  kind: PersistentVolume
+  metadata:
+    name: miq-app
+  spec:
+    capacity:
+      storage: "${PV_SIZE}"
+    accessModes:
+    - ReadWriteOnce
+    nfs:
+      path: "${BASE_PATH}/miq-app"
+      server: "${NFS_HOST}"
+    persistentVolumeReclaimPolicy: Retain
+parameters:
+- name: PV_SIZE
+  displayName: PV Size for App
+  required: true
+  description: The size of the MIQ APP PV given in Gi
+  value: 5Gi
+- name: BASE_PATH
+  displayName: Exports Directory Base Path
+  required: true
+  description: The parent directory of your NFS exports
+  value: "/exports"
+- name: NFS_HOST
+  displayName: NFS Server Hostname
+  required: true
+  description: The hostname or IP address of the NFS server

roles/openshift_cfme/handlers/main.yml

@@ -1,40 +0,0 @@
----
-######################################################################
-# NOTE: These are duplicated from roles/openshift_master/handlers/main.yml
-#
-# TODO: Use the consolidated 'openshift_handlers' role once it's ready
-# See: https://github.com/openshift/openshift-ansible/pull/4041#discussion_r118770782
-######################################################################
-
-- name: restart master api
-  systemd: name={{ openshift.common.service_type }}-master-api state=restarted
-  when: (not (master_api_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native'
-  notify: Verify API Server
-
-- name: restart master controllers
-  systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted
-  when: (not (master_controllers_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native'
-
-- name: Verify API Server
-  # Using curl here since the uri module requires python-httplib2 and
-  # wait_for port doesn't provide health information.
-  command: >
-    curl --silent --tlsv1.2
-    {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
-    --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
-    {% else %}
-    --cacert {{ openshift.common.config_base }}/master/ca.crt
-    {% endif %}
-    {{ openshift.master.api_url }}/healthz/ready
-  args:
-    # Disables the following warning:
-    # Consider using get_url or uri module rather than running curl
-    warn: no
-  register: api_available_output
-  until: api_available_output.stdout == 'ok'
-  retries: 120
-  delay: 1
-  changed_when: false
-
-- name: OpenShift-CFME - Reload NFS Exports
-  command: exportfs -ar

roles/openshift_cfme/meta/main.yml

@@ -16,5 +16,3 @@ galaxy_info:
 dependencies:
 - role: lib_openshift
 - role: lib_utils
-# - role: openshift_facts
-# - role: openshift_master_facts

roles/openshift_cfme/tasks/accounts.yml

@@ -1,65 +1,28 @@
 ---
 # This role task file is responsible for user/system account creation,
 # and ensuring correct access is provided as required.
-
-# TODO: This is currently not idempotent, bug report will be filed
-# after this. Currently this task will return 'changed' if it just
-# created a user, updated a user, or doesn't modify a user at
-# all. Seems to be failing some kind of 'does it need updating' test
-# condition and running the replace command regardless.
-- name: Check if the miq-httpd scc exists
-  oc_obj:
-    namespace: "{{ openshift_cfme_project }}"
-    state: list
-    kind: scc
-    name: miq-httpd
-  register: miq_httpd_scc_exists
-
-# TODO: Cleanup when conditions
-- name: Copy the miq-httpd SCC to the cluster
-  copy:
-    src: miq-scc-httpd.yaml
-    dest: "{{ template_dir }}"
-  when:
-    - miq_httpd_scc_exists.results.results | length == 1
-    - miq_httpd_scc_exists.results.results[0] == {}
-
-- name: Ensure the CFME miq-httpd SCC exists
-  oc_obj:
-    state: present
-    name: miq-httpd
-    namespace: "{{ openshift_cfme_project }}"
-    kind: scc
-    files:
-      - "{{ template_dir }}/miq-scc-httpd.yaml"
-    delete_after: True
-  run_once: True
-  when:
-    - miq_httpd_scc_exists.results.results | length == 1
-    - miq_httpd_scc_exists.results.results[0] == {}
-
-- name: Ensure the CFME system users exist
+- name: Ensure the CFME system accounts exist
   oc_serviceaccount:
     namespace: "{{ openshift_cfme_project }}"
     state: present
-    name: "{{ item.name }}"
+    name: "{{ openshift_cfme_flavor_short }}{{ item.name }}"
   with_items:
-    - "{{ openshift_system_account_sccs }}"
+    - "{{ __openshift_system_account_sccs }}"
 
 - name: Ensure the CFME system accounts have all the required SCCs
   oc_adm_policy_user:
     namespace: "{{ openshift_cfme_project }}"
-    user: "system:serviceaccount:{{ openshift_cfme_project }}:{{ item.name }}"
+    user: "system:serviceaccount:{{ openshift_cfme_project }}:{{ openshift_cfme_flavor_short }}{{ item.name }}"
     resource_kind: scc
     resource_name: "{{ item.resource_name }}"
   with_items:
-    - "{{ openshift_system_account_sccs }}"
+    - "{{ __openshift_system_account_sccs }}"
 
 - name: Ensure the CFME system accounts have the required roles
   oc_adm_policy_user:
     namespace: "{{ openshift_cfme_project }}"
-    user: "system:serviceaccount:{{ openshift_cfme_project }}:{{ item.name }}"
+    user: "system:serviceaccount:{{ openshift_cfme_project }}:{{ openshift_cfme_flavor_short }}{{ item.name }}"
     resource_kind: role
     resource_name: "{{ item.resource_name }}"
   with_items:
-    - "{{ openshift_cfme_system_account_roles }}"
+    - "{{ __openshift_cfme_system_account_roles }}"

roles/openshift_cfme/tasks/main.yml

@@ -15,7 +15,7 @@
   include: accounts.yml
 
 ######################################################################
-# STORAGE - Initialize basic storage classes
+# STORAGE - Initialize basic storage class
 #---------------------------------------------------------------------
 # * nfs - set up NFS shares on the first master for a proof of concept
 - name: Create required NFS exports for CFME app storage
@@ -26,8 +26,8 @@
 # * external - NFS again, but pointing to a pre-configured NFS server
 - name: Note Storage Type -  External NFS
   debug:
-    msg: Setting up external NFS storage, openshift_cfme_storage_class is 'external'
-  when: openshift_cfme_storage_class == 'external'
+    msg: "Setting up external NFS storage, openshift_cfme_storage_class is {{ openshift_cfme_storage_class }}"
+  when: openshift_cfme_storage_class == 'nfs_external'
 
 #---------------------------------------------------------------------
 # * cloudprovider - use an existing cloudprovider based storage
@@ -45,55 +45,35 @@
 
 ######################################################################
 # APPLICATION TEMPLATE
-- name: Install the correct CFME app template
+- name: Install the CFME app and PV templates
   include: template.yml
 
 ######################################################################
 # APP & DB Storage
 
+# For local/external NFS backed installations
+- name: "Create the required App and DB PVs using {{ openshift_cfme_storage_class }}"
+  include: storage/create_nfs_pvs.yml
+  when:
+    - openshift_cfme_storage_class in ['nfs', 'nfs_external']
 
 ######################################################################
-
-# ######################################################################
-# # Let's do this
-
-# - name: Ensure the CFME Server is created
-#   oc_process:
-#     namespace: "{{ openshift_cfme_project }}"
-#     template_name: manageiq
-#     create: True
-#     params:
-#       APPLICATION_IMG_NAME: "{{ openshift_cfme_application_img_name }}"
-#       POSTGRESQL_IMG_NAME: "{{ openshift_cfme_postgresql_img_name }}"
-#       MEMCACHED_IMG_NAME: "{{ openshift_cfme_memcached_img_name }}"
-#       APPLICATION_IMG_TAG: "{{ openshift_cfme_application_img_tag }}"
-#       POSTGRESQL_IMG_TAG: "{{ openshift_cfme_postgresql_img_tag }}"
-#       MEMCACHED_IMG_TAG: "{{ openshift_cfme_memcached_img_tag }}"
-#   register: cfme_new_app_process
-#   run_once: True
-#   when:
-#     # User said to install CFME in their inventory
-#     - openshift_cfme_install_app | bool
-#     # # The server app doesn't exist already
-#     # - not miq_server_check.results.results.0
-
-# - debug:
-#     var: cfme_new_app_process
-
-# ######################################################################
-# # Various cleanup steps
-
-# # TODO: Not sure what to do about this right now. Might be able to
-# # just delete it?  This currently warns about "Unable to find
-# # '<TEMP_DIR>' in expected paths."
-# - name: Ensure the temporary PV/App templates are erased
-#   file:
-#     path: "{{ item }}"
-#     state: absent
-#   with_fileglob:
-#     - "{{ template_dir }}/*.yaml"
-
-# - name: Ensure the temporary PV/app template directory is erased
-#   file:
-#     path: "{{ template_dir }}"
-#     state: absent
+# CREATE APP
+- name: Note the correct ext-db template name
+  set_fact:
+    openshift_cfme_template_name: "{{ openshift_cfme_flavor }}-ext-db"
+  when:
+    - openshift_cfme_app_template in ['miq-template-ext-db', 'cfme-template-ext-db']
+
+- name: Note the correct podified db template name
+  set_fact:
+    openshift_cfme_template_name: "{{ openshift_cfme_flavor }}"
+  when:
+    - openshift_cfme_app_template in ['miq-template', 'cfme-template']
+
+- name: Ensure the CFME App is created
+  oc_process:
+    namespace: "{{ openshift_cfme_project }}"
+    template_name: "{{ openshift_cfme_template_name }}"
+    create: True
+    params: "{{ openshift_cfme_template_parameters }}"

roles/openshift_cfme/tasks/storage/create_nfs_pvs.yml

@@ -0,0 +1,43 @@
+---
+# Create the required PVs for the App and the DB
+- name: Check if the CFME App PV has been created
+  oc_obj:
+    namespace: "{{ openshift_cfme_project }}"
+    state: list
+    kind: pv
+    name: "{{ openshift_cfme_flavor_short }}-app"
+  register: miq_app_pv_check
+
+- name: Check if the CFME DB PV has been created
+  oc_obj:
+    namespace: "{{ openshift_cfme_project }}"
+    state: list
+    kind: pv
+    name: "{{ openshift_cfme_flavor_short }}-db"
+  register: miq_db_pv_check
+  when:
+    - openshift_cfme_app_template in ['miq-template', 'cfme-template']
+
+- name: Ensure the CFME App PV is created
+  oc_process:
+    namespace: "{{ openshift_cfme_project }}"
+    template_name: "{{ openshift_cfme_flavor }}-app-pv"
+    create: True
+    params:
+      PV_SIZE: "{{ openshift_cfme_app_pv_size }}"
+      BASE_PATH: "{{ openshift_cfme_storage_nfs_base_dir }}"
+      NFS_HOST: "{{ openshift_cfme_nfs_server }}"
+  when: miq_app_pv_check.results.results == [{}]
+
+- name: Ensure the CFME DB PV is created
+  oc_process:
+    namespace: "{{ openshift_cfme_project }}"
+    template_name: "{{ openshift_cfme_flavor }}-db-pv"
+    create: True
+    params:
+      PV_SIZE: "{{ openshift_cfme_db_pv_size }}"
+      BASE_PATH: "{{ openshift_cfme_storage_nfs_base_dir }}"
+      NFS_HOST: "{{ openshift_cfme_nfs_server }}"
+  when:
+    - openshift_cfme_app_template in ['miq-template', 'cfme-template']
+    - miq_db_pv_check.results.results == [{}]

roles/openshift_cfme/tasks/storage/create_pvs.yml

@@ -1,36 +0,0 @@
----
-# Check for existance and then conditionally:
-# - evaluate templates
-# - PVs
-#
-# These tasks idempotently create required CFME PV objects. Do not
-# call this file directly. This file is intended to be ran as an
-# include that has a 'with_items' attached to it. Hence the use below
-# of variables like "{{ item.pv_label }}"
-
-- name: "Check if the {{ item.pv_label }} template has been created already"
-  oc_obj:
-    namespace: "{{ openshift_cfme_project }}"
-    state: list
-    kind: pv
-    name: "{{ item.pv_name }}"
-  register: miq_pv_check
-
-# Skip all of this if the PV already exists
-- block:
-    - name: "Ensure the {{ item.pv_label }} template is evaluated"
-      template:
-        src: "{{ item.pv_template }}.j2"
-        dest: "{{ template_dir }}/{{ item.pv_template }}"
-
-    - name: "Ensure {{ item.pv_label }} is created"
-      oc_obj:
-        namespace: "{{ openshift_cfme_project }}"
-        kind: pv
-        name: "{{ item.pv_name }}"
-        state: present
-        delete_after: True
-        files:
-          - "{{ template_dir }}/{{ item.pv_template }}"
-  when:
-    - not miq_pv_check.results.results.0

roles/openshift_cfme/tasks/storage/nfs.yml

@@ -2,102 +2,66 @@
 # Tasks to statically provision NFS volumes
 # Include if not using dynamic volume provisioning
 
-- name: Note Storage Type - NFS
-  debug:
-    msg: Setting up NFS storage, openshift_cfme_storage_class is 'nfs'
-
-- name: TODO
-  debug:
-    msg: TODO - replace hard-coded hostname below with oo_nfs_to_config.0
-
-- name: Set openshift_cfme_nfs_server fact
-  when: openshift_cfme_nfs_server is not defined
+- name: Ensure we save the local NFS server if one is provided
   set_fact:
-    # Hostname/IP of the NFS server. Currently defaults to first master
-    openshift_cfme_nfs_server: m01.example.com
-
-# TODO: I was going to try to apply the openshift_storage_nfs role to
-# handle this, however, that role is not written to be used by
-# itself. Attempting to use it to create CFME exports would just add
-# more hard-coded values to the role. That said, we're doing this here
-# manually for now until some one comes up with a better solution, or
-# the role is made to accept parameters in a more functional way.
-#
-# I can't really even include the openshift_storage_nfs role in here
-# to do basic setup stuff because it would just result in a lot of
-# unwanted exports getting set up for the users.
-
-- name: Ensure the /exports/ directory exists
-  file:
-    path: /exports/
-    state: directory
-    mode: 0755
-    owner: root
-    group: root
-
-- name: Ensure exports directory exists
-  file:
-    path: /etc/exports.d/
-    state: directory
-
-# # TODO - with_items should be passed a list of storage configs for the
-# # desired CFME setup. This might mean a local or remote nfs server, as
-# # well as fully qualified filesystem paths.
-# - name: Ensure export directories exist
-#   file:
-#     path: "{{ item.storage.nfs.directory }}/{{ item.storage.volume.name }}"
-#     state: directory
-#     mode: 0777
-#     owner: nfsnobody
-#     group: nfsnobody
-#   with_items:
-
-- name: Enable and start services
-  systemd:
-    name: nfs-server
-    state: started
-    enabled: yes
-  register: start_result
-
-- set_fact:
-    nfs_service_status_changed: "{{ start_result | changed }}"
+    openshift_cfme_nfs_server: "{{ openshift_cfme_storage_nfs_local_hostname }}"
+  when:
+    - openshift_cfme_storage_nfs_local_hostname is defined
+    - openshift_cfme_storage_nfs_local_hostname != False
+    - openshift_cfme_storage_class == "nfs"
 
-- name: restart nfs-server
-  systemd:
-    name: nfs-server
-    state: restarted
-  when: nfs_service_status_changed | default(false)
-  notify:
-    - "OpenShift-CFME - Reload NFS Exports"
-
-######################################################################
-# TODO: Move the export directory and PV creation into individual
-# tasks under the respective server/database task files.
-
-# # - name: Ensure the miq-pv0X export directories exist
-# #   file:
-# #     path: "/exports/{{ item }}"
-# #     state: directory
-# #     mode: 0775
-# #     owner: nfsnobody
-# #     group: nfsnobody
-# #   with_items: "{{ openshift_cfme_pv_exports }}"
-
-# # - name: Ensure the NFS exports for CFME PVs exist
-# #   copy:
-# #     src: openshift_cfme.exports
-# #     dest: /etc/exports.d/openshift_cfme.exports
-# #   register: nfs_exports_updated
-
-
-# # Create the required CFME PVs. Check out these online docs if you
-# # need a refresher on includes looping with items:
-# # * http://docs.ansible.com/ansible/playbooks_loops.html#loops-and-includes-in-2-0
-# # * http://stackoverflow.com/a/35128533
-
-# # TODO: Handle the case where a PV template is updated in
-# # openshift-ansible and the change needs to be landed on the managed
-# # cluster.
+- name: Ensure we save the local NFS server
+  set_fact:
+    openshift_cfme_nfs_server: "{{ groups['oo_nfs_to_config'].0 }}"
+  when:
+    - openshift_cfme_nfs_server is not defined
+    - openshift_cfme_storage_class == "nfs"
 
-# # - include: create_pvs.yml
-# #   with_items: "{{ openshift_cfme_pv_data }}"
+- name: Ensure we save the external NFS server
+  set_fact:
+    openshift_cfme_nfs_server: "{{ openshift_cfme_storage_nfs_external_hostname }}"
+  when:
+    - openshift_cfme_storage_class == "nfs_external"
+
+- name: Failed NFS server detection
+  assert:
+    that:
+      - openshift_cfme_nfs_server is defined
+    msg: |
+      "Unable to detect an NFS server. The 'nfs_external'
+      openshift_cfme_storage_class option requires that you set
+      openshift_cfme_storage_nfs_external_hostname. NFS hosts detected
+      for local nfs services: {{ groups['oo_nfs_to_config'] | join(', ') }}"
+
+- name: Setting up NFS storage
+  block:
+    - name: Include the NFS Setup role tasks
+      include_role:
+        role: openshift_nfs
+        tasks_from: setup
+      vars:
+        l_nfs_base_dir: "{{ openshift_cfme_storage_nfs_base_dir }}"
+
+    - name: Create the App export
+      include_role:
+        role: openshift_nfs
+        tasks_from: create_export
+      vars:
+        l_nfs_base_dir: "{{ openshift_cfme_storage_nfs_base_dir }}"
+        l_nfs_export_config: "{{ openshift_cfme_flavor_short }}"
+        l_nfs_export_name: "{{ openshift_cfme_flavor_short }}-app"
+        l_nfs_options: "*(rw,no_root_squash,no_wdelay)"
+
+    - name: Create the DB export
+      include_role:
+        role: openshift_nfs
+        tasks_from: create_export
+      vars:
+        l_nfs_base_dir: "{{ openshift_cfme_storage_nfs_base_dir }}"
+        l_nfs_export_config: "{{ openshift_cfme_flavor_short }}"
+        l_nfs_export_name: "{{ openshift_cfme_flavor_short }}-db"
+        l_nfs_options: "*(rw,no_root_squash,no_wdelay)"
+      when:
+        - openshift_cfme_app_template in ['miq-template', 'cfme-template']
+
+  delegate_to: "{{ openshift_cfme_nfs_server }}"

roles/openshift_cfme/tasks/template.yml

@@ -4,69 +4,125 @@
 ######################################################################
 # CFME App Template
 #
-# Note, this is different from the create_pvs.yml tasks in that the
-# application template does not require any jinja2 evaluation.
+# Note, this is different from the create_nfs_pvs.yml tasks in that
+# the application template does not require any jinja2 evaluation.
 #
-# TODO: Handle the case where the server template is updated in
-# openshift-ansible and the change needs to be landed on the managed
-# cluster.
+# TODO: Handle the case where the server or PV templates are updated
+# in openshift-ansible and the change needs to be landed on the
+# managed cluster.
 
 ######################################################################
 # STANDARD PODIFIED DATABASE TEMPLATE
-- when: openshift_cfme_app_template == 'miq-template'
+- when: openshift_cfme_app_template in ['miq-template', 'cfme-template']
   block:
   - name: Check if the CFME Server template has been created already
     oc_obj:
       namespace: "{{ openshift_cfme_project }}"
       state: list
       kind: template
-      name: manageiq
+      name: "{{ openshift_cfme_flavor }}"
     register: miq_server_check
 
-  - name: Copy over CFME Server template
-    copy:
-      src: miq-template.yaml
-      dest: "{{ template_dir }}/"
-    when:
-    - miq_server_check.results.results == [{}]
+  - when: miq_server_check.results.results == [{}]
+    block:
+    - name: Copy over CFME Server template
+      copy:
+        src: "templates/{{ openshift_cfme_flavor }}/{{ openshift_cfme_flavor_short }}-template.yaml"
+        dest: "{{ template_dir }}/"
 
-  - name: Ensure CFME Server Template is created
-    oc_obj:
-      namespace: "{{ openshift_cfme_project }}"
-      name: manageiq
-      state: present
-      kind: template
-      files:
-      - "{{ template_dir }}/miq-template.yaml"
-    when:
-    - miq_server_check.results.results == [{}]
+    - name: Ensure CFME Server Template is created
+      oc_obj:
+        namespace: "{{ openshift_cfme_project }}"
+        name: "{{ openshift_cfme_flavor }}"
+        state: present
+        kind: template
+        files:
+        - "{{ template_dir }}/{{ openshift_cfme_flavor_short }}-template.yaml"
 
 ######################################################################
 # EXTERNAL DATABASE TEMPLATE
-- when: openshift_cfme_app_template == 'miq-template-ext-db'
+- when: openshift_cfme_app_template in ['miq-template-ext-db', 'cfme-template']
   block:
   - name: Check if the CFME Ext-DB Server template has been created already
     oc_obj:
       namespace: "{{ openshift_cfme_project }}"
       state: list
       kind: template
-      name: manageiq-ext-db
+      name: "{{ openshift_cfme_flavor }}-ext-db"
     register: miq_ext_db_server_check
 
-  - name: Copy over CFME Ext-DB Server template
+  - when: miq_ext_db_server_check.results.results == [{}]
+    block:
+    - name: Copy over CFME Ext-DB Server template
+      copy:
+        src: "templates/{{ openshift_cfme_flavor }}/{{openshift_cfme_flavor_short}}-template-ext-db.yaml"
+        dest: "{{ template_dir }}/"
+
+    - name: Ensure CFME Ext-DB Server Template is created
+      oc_obj:
+        namespace: "{{ openshift_cfme_project }}"
+        name: "{{ openshift_cfme_flavor }}-ext-db"
+        state: present
+        kind: template
+        files:
+        - "{{ template_dir }}/{{ openshift_cfme_flavor_short }}-template-ext-db.yaml"
+
+# End app template creation.
+######################################################################
+
+######################################################################
+# Begin conditional PV template creations
+
+# Required for the application server
+- name: Check if the CFME App PV template has been created already
+  oc_obj:
+    namespace: "{{ openshift_cfme_project }}"
+    state: list
+    kind: template
+    name: "{{ openshift_cfme_flavor }}-app-pv"
+  register: miq_app_pv_check
+
+- when: miq_app_pv_check.results.results == [{}]
+  block:
+  - name: Copy over CFME App PV template
     copy:
-      src: miq-template-ext-db.yaml
+      src: "templates/{{ openshift_cfme_flavor }}/{{ openshift_cfme_flavor_short }}-pv-server-example.yaml"
       dest: "{{ template_dir }}/"
-    when:
-    - miq_ext_db_server_check.results.results == [{}]
 
-  - name: Ensure CFME Ext-DB Server Template is created
+  - name: Ensure CFME App PV Template is created
     oc_obj:
       namespace: "{{ openshift_cfme_project }}"
-      name: manageiq-ext-db
+      name: "{{ openshift_cfme_flavor }}-app-pv"
       state: present
       kind: template
       files:
-      - "{{ template_dir }}/miq-template-ext-db.yaml"
-    when:
-    - miq_ext_db_server_check.results.results == [{}]
+      - "{{ template_dir }}/{{ openshift_cfme_flavor_short }}-pv-server-example.yaml"
+
+#---------------------------------------------------------------------
+
+# Required for database if the installation is fully podified
+- when: openshift_cfme_app_template in ['miq-template', 'cfme-template']
+  block:
+  - name: Check if the CFME DB PV template has been created already
+    oc_obj:
+      namespace: "{{ openshift_cfme_project }}"
+      state: list
+      kind: template
+      name: "{{ openshift_cfme_flavor }}-db-pv"
+    register: miq_db_pv_check
+
+  - when: miq_db_pv_check.results.results == [{}]
+    block:
+    - name: Copy over CFME DB PV template
+      copy:
+        src: "templates/{{ openshift_cfme_flavor }}/{{ openshift_cfme_flavor_short }}-pv-db-example.yaml"
+        dest: "{{ template_dir }}/"
+
+    - name: Ensure CFME DB PV Template is created
+      oc_obj:
+        namespace: "{{ openshift_cfme_project }}"
+        name: "{{ openshift_cfme_flavor }}-db-pv"
+        state: present
+        kind: template
+        files:
+        - "{{ template_dir }}/{{ openshift_cfme_flavor_short }}-pv-db-example.yaml"

roles/openshift_cfme/tasks/uninstall.yml

@@ -1,46 +1,23 @@
 ---
-- include_role:
-    name: lib_openshift
+- name: Start removing all the objects
+  command: "oc delete -n {{ openshift_cfme_project }} {{ item }} --all"
+  with_items:
+    - rc
+    - dc
+    - po
+    - svc
+    - pv
+    - pvc
+    - statefulsets
+    - routes
 
-- name: Uninstall CFME - ManageIQ
-  debug:
-    msg: Uninstalling Cloudforms Management Engine - ManageIQ
+- name: Remove the project
+  command: "oc delete -n {{ openshift_cfme_project }} project {{ openshift_cfme_project }}"
 
-- name: Ensure the CFME project is removed
-  oc_project:
-    state: absent
-    name: "{{ openshift_cfme_project }}"
-
-- name: Ensure the CFME template is removed
-  oc_obj:
-    namespace: "{{ openshift_cfme_project }}"
-    state: absent
-    kind: template
-    name: manageiq
-
-- name: Ensure the CFME PVs are removed
-  oc_obj:
-    state: absent
-    all_namespaces: True
-    kind: pv
-    name: "{{ item }}"
-  with_items: "{{ openshift_cfme_pv_exports }}"
-  when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'))
-
-- name: Ensure the CFME user is removed
-  oc_user:
-    state: absent
-    username: "{{ openshift_cfme_user }}"
-
-- name: Ensure the CFME NFS Exports are removed
-  file:
-    path: /etc/exports.d/openshift_cfme.exports
-    state: absent
-  register: nfs_exports_removed
-  when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'))
-
-- name: Ensure the NFS export table is refreshed if exports were removed
-  command: exportfs -ar
-  when:
-    - nfs_exports_removed.changed
-    - not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'))
+- name: Verify project has been destroyed
+  command: "oc get project {{ openshift_cfme_project }}"
+  ignore_errors: True
+  register: project_terminated
+  until: project_terminated.stderr.find("NotFound") != -1
+  delay: 5
+  retries: 30

roles/openshift_cfme/tasks/validate.yml

@@ -1,26 +1,35 @@
 ---
 # Validate configuration parameters passed to the openshift_cfme role
 
+######################################################################
+# CORE PARAMETERS
 - name: Ensure openshift_cfme_app_template is valid
   assert:
     that:
-      - openshift_cfme_app_template in openshift_cfme_app_templates
-    msg: "openshift_cfme_app_template must be one of {{ openshift_cfme_app_templates | join(', ') }}"
+      - openshift_cfme_app_template in __openshift_cfme_app_templates
+    msg: "openshift_cfme_app_template must be one of {{ __openshift_cfme_app_templates | join(', ') }}"
 
 - name: Ensure openshift_cfme_storage_class is a valid type
   assert:
     that:
-      - openshift_cfme_storage_class in openshift_cfme_storage_classes
-    msg: "openshift_cfme_storage_class must be one of {{ openshift_cfme_storage_classes | join(', ') }}"
+      - openshift_cfme_storage_class in __openshift_cfme_storage_classes
+    msg: "openshift_cfme_storage_class must be one of {{ __openshift_cfme_storage_classes | join(', ') }}"
 
+######################################################################
+# STORAGE PARAMS - NFS
 - name: Ensure external NFS storage has a valid NFS server hostname defined
   assert:
     that:
-      - openshift_cfme_storage_external_nfs_hostname is not False
-    msg: The selected storage class 'external' requires a valid hostname for the openshift_cfme_storage_external_nfs_hostname parameter
+      - openshift_cfme_storage_nfs_external_hostname | default(False)
+    msg: The selected storage class 'nfs_external' requires a valid hostname for the openshift_cfme_storage_nfs_hostname parameter
   when:
-    - openshift_cfme_storage_class == 'external'
+    - openshift_cfme_storage_class == 'nfs_external'
 
+# that 'nfs' types have one of the following set:
+#
+
+######################################################################
+# STORAGE PARAMS  -CLOUD PROVIDER
 - name: Validate Cloud Provider storage class
   assert:
     that:
@@ -31,4 +40,33 @@
       example inventories for the required parameters for your
       selected cloud provider. Working providers: 'aws' and 'gce'.
   when:
+    - openshift_cfme_storage_class == 'cloudprovider'
     - openshift_cloudprovider_kind is defined
+
+- name: Validate 'cloudprovider' Storage Class has required parameters defined
+  assert:
+    that:
+      - openshift_cloudprovider_kind is defined
+    msg: |
+      openshift_cfme_storage_class is 'cloudprovider' but you do not
+      have 'openshift_cloudprovider_kind' defined, this is
+      required. Search the example inventories for
+      'openshift_cloudprovider_kind'. The required parameters for your
+      selected cloud provider must be defined in your inventory as
+      well. Working providers: 'aws' and 'gce'.
+  when:
+    - openshift_cfme_storage_class == 'cloudprovider'
+
+######################################################################
+# DATABASE CONNECTION VALIDATION
+- name: Validate all required database parameters were provided for ext-db template
+  assert:
+    that:
+      - item in openshift_cfme_template_parameters
+    msg: |
+      "You are not using podified database services and a required
+      database parameter {{ item }} was not found in
+      'openshift_cfme_template_parameters'"
+  with_items: "{{ __openshift_cfme_required_db_conn_params }}"
+  when:
+    - openshift_cfme_app_template in ['miq-template-ext-db', 'cfme-template-ext-db']

roles/openshift_cfme/templates/openshift_cfme-miq-template-ext-db.exports.j2

@@ -0,0 +1 @@
+{{ openshift_cfme_storage_nfs_base_dir }}/{{ openshift_cfme_flavor_short }}-app *(rw,no_root_squash,no_wdelay)

roles/openshift_cfme/templates/openshift_cfme-miq-template.exports.j2

@@ -0,0 +1,2 @@
+{{ openshift_cfme_storage_nfs_base_dir }}/{{ openshift_cfme_flavor_short }}-app *(rw,no_root_squash,no_wdelay)
+{{ openshift_cfme_storage_nfs_base_dir }}/{{ openshift_cfme_flavor_short }}-db *(rw,no_root_squash,no_wdelay)

roles/openshift_cfme/vars/main.yml

@@ -0,0 +1,69 @@
+---
+# Misc enumerated values
+#---------------------------------------------------------------------
+# Allowed choices for the storage class parameter
+__openshift_cfme_storage_classes:
+  - nfs
+  - nfs_external
+  - preconfigured
+  - cloudprovider
+
+# Name of the application templates with object/parameter definitions
+__openshift_cfme_app_templates:
+  - miq-template-ext-db
+  - miq-template
+  - cfme-template-ext-db
+  - cfme-template
+
+# PostgreSQL database connection parameters
+__openshift_cfme_db_parameters:
+  - DATABASE_USER
+  - DATABASE_PASSWORD
+  - DATABASE_IP
+  - DATABASE_PORT
+  - DATABASE_NAME
+
+# # Commented out until we can support both CFME and MIQ
+# # openshift_cfme_flavor: "{{ 'cloudforms' if openshift_deployment_type == 'openshift-enterprise' else 'manageiq' }}"
+#openshift_cfme_flavor: cloudforms
+openshift_cfme_flavor: manageiq
+# TODO: Make this conditional as well based on the prior variable
+# # openshift_cfme_flavor_short: "{{ 'cfme' if openshift_deployment_type == 'openshift-enterprise' else 'miq' }}"
+# openshift_cfme_flavor_short: cfme
+openshift_cfme_flavor_short: miq
+
+######################################################################
+# ACCOUNTING
+######################################################################
+# Service Account SSCs
+__openshift_system_account_sccs:
+  - name: -anyuid
+    resource_name: anyuid
+  - name: -orchestrator
+    resource_name: anyuid
+  - name: -privileged
+    resource_name: privileged
+  - name: -httpd
+    resource_name: anyuid
+
+# Service Account Roles
+__openshift_cfme_system_account_roles:
+  - name: -orchestrator
+    resource_name: view
+  - name: -orchestrator
+    resource_name: edit
+
+######################################################################
+# DEFAULTS
+######################################################################
+# User only has to provide parameters they need to override, we will
+# do a hash update method with the provided user parameters to create
+# the final connection structure.
+#
+# TODO: Update user provided configs with this if they are missing fields
+__openshift_cfme_required_db_conn_params:
+  - DATABASE_USER
+  - DATABASE_PASSWORD
+  - DATABASE_IP
+  - DATABASE_PORT
+  - DATABASE_NAME

roles/openshift_manageiq/tasks/main.yaml

@@ -1,8 +1,4 @@
 ---
-- fail:
-    msg: "The openshift_manageiq role requires OpenShift Enterprise 3.1 or Origin 1.1."
-  when: not openshift.common.version_gte_3_1_or_1_1 | bool
-
 - name: Add Management Infrastructure project
   oc_project:
     name: management-infra
@@ -61,4 +57,3 @@
     resource_kind: "{{ item.resource_kind }}"
     user: "{{ item.user }}"
   with_items: "{{manage_iq_openshift_3_2_tasks}}"
-  when: openshift.common.version_gte_3_2_or_1_2 | bool

roles/openshift_nfs/README.md

@@ -0,0 +1,17 @@
+OpenShift NFS
+=============
+
+Sets up basic NFS services on a cluster host.
+
+See [tasks/create_export.yml](tasks/create_export.yml) for
+instructions on using the export creation tasks file.
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+
+Tim Bielawa (tbielawa@redhat.com)

roles/openshift_nfs/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+r_openshift_nfs_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"
+r_openshift_nfs_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"
+
+r_openshift_nfs_os_firewall_deny: []
+r_openshift_nfs_firewall_allow:
+- service: nfs
+  port: "2049/tcp"

roles/openshift_nfs/meta/main.yml

@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: Tim Bielawa
+  description: OpenShift Basic NFS Configuration
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.2
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+dependencies:
+- role: lib_utils
+- role: lib_os_firewall

roles/openshift_nfs/tasks/create_export.yml

@@ -0,0 +1,34 @@
+---
+# Makes a new NFS export
+#
+# Include signature
+#
+# include_role:
+#   role: openshift_nfs
+#   tasks_from: create_export
+# vars:
+#   l_nfs_base_dir: Base dir to exports
+#   l_nfs_export_config: Name to prefix the .exports file with
+#   l_nfs_export_name: Name of sub-directory of the export
+#   l_nfs_options: Mount Options
+
+- name: Ensure CFME App NFS export directory exists
+  file:
+    path: "{{ l_nfs_base_dir }}/{{ l_nfs_export_name }}"
+    state: directory
+    mode: 0777
+    owner: nfsnobody
+    group: nfsnobody
+
+- name: "Create {{ l_nfs_export_name }} NFS export"
+  lineinfile:
+    path: "/etc/exports.d/{{ l_nfs_export_config }}.exports"
+    create: true
+    state: present
+    line: "{{ l_nfs_base_dir }}/{{ l_nfs_export_name }} {{ l_nfs_options }}"
+  register: created_export
+
+- name: Re-export NFS filesystems
+  command: exportfs -ar
+  when:
+    - created_export | changed

roles/openshift_nfs/tasks/firewall.yml

@@ -0,0 +1,40 @@
+---
+- when: r_openshift_nfs_firewall_enabled | bool and not r_openshift_nfs_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_nfs_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_nfs_os_firewall_deny }}"
+
+- when: r_openshift_nfs_firewall_enabled | bool and r_openshift_nfs_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_nfs_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_nfs_os_firewall_deny }}"

roles/openshift_nfs/tasks/setup.yml

@@ -0,0 +1,29 @@
+---
+- name: setup firewall
+  include: firewall.yml
+  static: yes
+
+- name: Install nfs-utils
+  package: name=nfs-utils state=present
+
+- name: Configure NFS
+  lineinfile:
+    dest: /etc/sysconfig/nfs
+    regexp: '^RPCNFSDARGS=.*$'
+    line: 'RPCNFSDARGS="-N 2 -N 3"'
+  register: nfs_config
+
+- name: Restart nfs-config
+  systemd: name=nfs-config state=restarted
+  when: nfs_config | changed
+
+- name: Ensure exports directory exists
+  file:
+    path: "{{ l_nfs_base_dir }}"
+    state: directory
+
+- name: Enable and start NFS services
+  systemd:
+    name: nfs-server
+    state: started
+    enabled: yes

roles/openshift_storage_nfs/templates/exports.j2

@@ -3,5 +3,3 @@
 {{ openshift.logging.storage.nfs.directory }}/{{ openshift.logging.storage.volume.name }} {{ openshift.logging.storage.nfs.options }}
 {{ openshift.loggingops.storage.nfs.directory }}/{{ openshift.loggingops.storage.volume.name }} {{ openshift.loggingops.storage.nfs.options }}
 {{ openshift.hosted.etcd.storage.nfs.directory }}/{{ openshift.hosted.etcd.storage.volume.name }} {{ openshift.hosted.etcd.storage.nfs.options }}
-{{ openshift.hosted.cfme_app.storage.nfs.directory }}/{{ openshift.hosted.cfme.storage.volume.name }} {{ openshift.hosted.cfme.storage.nfs.options }}
-{{ openshift.hosted.cfme_db.storage.nfs.directory }}/{{ openshift.hosted.cfme.storage.volume.name }} {{ openshift.hosted.cfme.storage.nfs.options }}