apiVersion: v1
kind: Template
labels:
template: cloudforms
metadata:
name: cloudforms
annotations:
description: CloudForms appliance with persistent storage
tags: instant-app,cloudforms,cfme
iconClass: icon-rails
objects:
- apiVersion: v1
kind: ServiceAccount
metadata:
name: cfme-orchestrator
- apiVersion: v1
kind: ServiceAccount
metadata:
name: cfme-anyuid
- apiVersion: v1
kind: ServiceAccount
metadata:
name: cfme-privileged
- apiVersion: v1
kind: ServiceAccount
metadata:
name: cfme-httpd
- apiVersion: v1
kind: RoleBinding
metadata:
name: view
roleRef:
name: view
subjects:
- kind: ServiceAccount
name: cfme-orchestrator
- apiVersion: v1
kind: RoleBinding
metadata:
name: edit
roleRef:
name: edit
subjects:
- kind: ServiceAccount
name: cfme-orchestrator
- apiVersion: v1
kind: Secret
metadata:
name: "${NAME}-secrets"
stringData:
pg-password: "${DATABASE_PASSWORD}"
admin-password: "${APPLICATION_ADMIN_PASSWORD}"
database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
v2-key: "${V2_KEY}"
- apiVersion: v1
kind: Secret
metadata:
name: "${ANSIBLE_SERVICE_NAME}-secrets"
stringData:
rabbit-password: "${ANSIBLE_RABBITMQ_PASSWORD}"
secret-key: "${ANSIBLE_SECRET_KEY}"
admin-password: "${ANSIBLE_ADMIN_PASSWORD}"
- apiVersion: v1
kind: ConfigMap
metadata:
name: "${DATABASE_SERVICE_NAME}-configs"
data:
01_miq_overrides.conf: |
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
tcp_keepalives_count = 9
tcp_keepalives_idle = 3
tcp_keepalives_interval = 75
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
shared_preload_libraries = 'pglogical,repmgr_funcs'
max_worker_processes = 10
#------------------------------------------------------------------------------
# WRITE AHEAD LOG
#------------------------------------------------------------------------------
wal_level = 'logical'
wal_log_hints = on
wal_buffers = 16MB
checkpoint_completion_target = 0.9
#------------------------------------------------------------------------------
# REPLICATION
#------------------------------------------------------------------------------
max_wal_senders = 10
wal_sender_timeout = 0
max_replication_slots = 10
hot_standby = on
#------------------------------------------------------------------------------
# ERROR REPORTING AND LOGGING
#------------------------------------------------------------------------------
log_filename = 'postgresql.log'
log_rotation_age = 0
log_min_duration_statement = 5000
log_connections = on
log_disconnections = on
log_line_prefix = '%t:%r:%c:%u@%d:[%p]:'
log_lock_waits = on
#------------------------------------------------------------------------------
# AUTOVACUUM PARAMETERS
#------------------------------------------------------------------------------
log_autovacuum_min_duration = 0
autovacuum_naptime = 5min
autovacuum_vacuum_threshold = 500
autovacuum_analyze_threshold = 500
autovacuum_vacuum_scale_factor = 0.05
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
#------------------------------------------------------------------------------
deadlock_timeout = 5s
#------------------------------------------------------------------------------
# VERSION/PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------
escape_string_warning = off
standard_conforming_strings = off
- apiVersion: v1
kind: ConfigMap
metadata:
name: "${HTTPD_SERVICE_NAME}-configs"
data:
application.conf: |
# Timeout: The number of seconds before receives and sends time out.
Timeout 120
RewriteEngine On
Options SymLinksIfOwnerMatch
KeepAlive on
# Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
ServerName https://%{REQUEST_HOST}
ProxyPreserveHost on
RewriteCond %{REQUEST_URI} ^/ws [NC]
RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
# For httpd, some ErrorDocuments must by served by the httpd pod
RewriteCond %{REQUEST_URI} !^/proxy_pages
# For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
RewriteCond %{REQUEST_URI} !^/saml2
RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
ProxyPassReverse / http://${NAME}/
# Ensures httpd stdout/stderr are seen by 'docker logs'.
ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
authentication.conf: |
# Load appropriate authentication configuration files
#
Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
configuration-internal-auth: |
# Internal authentication
#
configuration-external-auth: |
Include "conf.d/external-auth-load-modules-conf"
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
Krb5KeyTab /etc/http.keytab
KrbServiceName Any
Require pam-account httpd-auth
ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
Include "conf.d/external-auth-login-form-conf"
Include "conf.d/external-auth-application-api-conf"
Include "conf.d/external-auth-lookup-user-details-conf"
Include "conf.d/external-auth-remote-user-conf"
configuration-active-directory-auth: |
Include "conf.d/external-auth-load-modules-conf"
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
Krb5KeyTab /etc/krb5.keytab
KrbServiceName Any
Require pam-account httpd-auth
ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
Include "conf.d/external-auth-login-form-conf"
Include "conf.d/external-auth-application-api-conf"
Include "conf.d/external-auth-lookup-user-details-conf"
Include "conf.d/external-auth-remote-user-conf"
configuration-saml-auth: |
LoadModule auth_mellon_module modules/mod_auth_mellon.so
MellonEnable "info"
MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
MellonVariable "sp-cookie"
MellonSecureCookie On
MellonCookiePath "/"
MellonIdP "IDP"
MellonEndpointPath "/saml2"
MellonUser username
MellonMergeEnvVars On
MellonSetEnvNoPrefix "REMOTE_USER" username
MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
AuthType "Mellon"
MellonEnable "auth"
Require valid-user
Include "conf.d/external-auth-remote-user-conf"
external-auth-load-modules-conf: |
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
LoadModule lookup_identity_module modules/mod_lookup_identity.so
LoadModule auth_kerb_module modules/mod_auth_kerb.so
external-auth-login-form-conf: |
InterceptFormPAMService httpd-auth
InterceptFormLogin user_name
InterceptFormPassword user_password
InterceptFormLoginSkip admin
InterceptFormClearRemoteUserForSkipped on
external-auth-application-api-conf: |
SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
SetEnvIf X-Auth-Token '^.+$' let_api_token_in
SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
AuthType Basic
AuthName "External Authentication (httpd) for API"
AuthBasicProvider PAM
AuthPAMService httpd-auth
Require valid-user
Order Allow,Deny
Allow from env=let_admin_in
Allow from env=let_api_token_in
Allow from env=let_sys_token_in
Satisfy Any
external-auth-lookup-user-details-conf: |
LookupUserAttr mail REMOTE_USER_EMAIL
LookupUserAttr givenname REMOTE_USER_FIRSTNAME
LookupUserAttr sn REMOTE_USER_LASTNAME
LookupUserAttr displayname REMOTE_USER_FULLNAME
LookupUserAttr domainname REMOTE_USER_DOMAIN
LookupUserGroups REMOTE_USER_GROUPS ":"
LookupDbusTimeout 5000
external-auth-remote-user-conf: |
RequestHeader unset X_REMOTE_USER
RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
- apiVersion: v1
kind: ConfigMap
metadata:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
data:
auth-type: internal
auth-kerberos-realms: undefined
auth-configuration.conf: |
# External Authentication Configuration File
#
# For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
- apiVersion: v1
kind: Service
metadata:
annotations:
description: Exposes and load balances CloudForms pods
service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"},{"name":"${MEMCACHED_SERVICE_NAME}","namespace":"","kind":"Service"}]'
name: "${NAME}"
spec:
clusterIP: None
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
selector:
name: "${NAME}"
- apiVersion: v1
kind: Route
metadata:
name: "${HTTPD_SERVICE_NAME}"
spec:
host: "${APPLICATION_DOMAIN}"
port:
targetPort: http
tls:
termination: edge
insecureEdgeTerminationPolicy: Redirect
to:
kind: Service
name: "${HTTPD_SERVICE_NAME}"
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: "${NAME}-${DATABASE_SERVICE_NAME}"
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "${DATABASE_VOLUME_CAPACITY}"
- apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: "${NAME}"
annotations:
description: Defines how to deploy the CloudForms appliance
spec:
serviceName: "${NAME}"
replicas: "${APPLICATION_REPLICA_COUNT}"
template:
metadata:
labels:
name: "${NAME}"
name: "${NAME}"
spec:
containers:
- name: cloudforms
image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
livenessProbe:
exec:
command:
- pidof
- MIQ Server
initialDelaySeconds: 480
timeoutSeconds: 3
readinessProbe:
tcpSocket:
port: 80
initialDelaySeconds: 200
timeoutSeconds: 3
ports:
- containerPort: 80
protocol: TCP
volumeMounts:
- name: "${NAME}-server"
mountPath: "/persistent"
env:
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: APPLICATION_INIT_DELAY
value: "${APPLICATION_INIT_DELAY}"
- name: DATABASE_REGION
value: "${DATABASE_REGION}"
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: "${NAME}-secrets"
key: database-url
- name: V2_KEY
valueFrom:
secretKeyRef:
name: "${NAME}-secrets"
key: v2-key
- name: APPLICATION_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: "${NAME}-secrets"
key: admin-password
- name: ANSIBLE_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: "${ANSIBLE_SERVICE_NAME}-secrets"
key: admin-password
resources:
requests:
memory: "${APPLICATION_MEM_REQ}"
cpu: "${APPLICATION_CPU_REQ}"
limits:
memory: "${APPLICATION_MEM_LIMIT}"
lifecycle:
preStop:
exec:
command:
- "/opt/rh/cfme-container-scripts/sync-pv-data"
serviceAccount: cfme-orchestrator
serviceAccountName: cfme-orchestrator
terminationGracePeriodSeconds: 90
volumeClaimTemplates:
- metadata:
name: "${NAME}-server"
annotations:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "${APPLICATION_VOLUME_CAPACITY}"
- apiVersion: v1
kind: Service
metadata:
annotations:
description: Headless service for CloudForms backend pods
name: "${NAME}-backend"
spec:
clusterIP: None
selector:
name: "${NAME}-backend"
- apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: "${NAME}-backend"
annotations:
description: Defines how to deploy the CloudForms appliance
spec:
serviceName: "${NAME}-backend"
replicas: 0
template:
metadata:
labels:
name: "${NAME}-backend"
name: "${NAME}-backend"
spec:
containers:
- name: cloudforms
image: "${BACKEND_APPLICATION_IMG_NAME}:${BACKEND_APPLICATION_IMG_TAG}"
livenessProbe:
exec:
command:
- pidof
- MIQ Server
initialDelaySeconds: 480
timeoutSeconds: 3
volumeMounts:
- name: "${NAME}-server"
mountPath: "/persistent"
env:
- name: APPLICATION_INIT_DELAY
value: "${APPLICATION_INIT_DELAY}"
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: "${NAME}-secrets"
key: database-url
- name: MIQ_SERVER_DEFAULT_ROLES
value: database_operations,event,reporting,scheduler,smartstate,ems_operations,ems_inventory,automate
- name: FRONTEND_SERVICE_NAME
value: "${NAME}"
- name: V2_KEY
valueFrom:
secretKeyRef:
name: "${NAME}-secrets"
key: v2-key
- name: ANSIBLE_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: "${ANSIBLE_SERVICE_NAME}-secrets"
key: admin-password
resources:
requests:
memory: "${APPLICATION_MEM_REQ}"
cpu: "${APPLICATION_CPU_REQ}"
limits:
memory: "${APPLICATION_MEM_LIMIT}"
lifecycle:
preStop:
exec:
command:
- "/opt/rh/cfme-container-scripts/sync-pv-data"
serviceAccount: cfme-orchestrator
serviceAccountName: cfme-orchestrator
terminationGracePeriodSeconds: 90
volumeClaimTemplates:
- metadata:
name: "${NAME}-server"
annotations:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "${APPLICATION_VOLUME_CAPACITY}"
- apiVersion: v1
kind: Service
metadata:
name: "${MEMCACHED_SERVICE_NAME}"
annotations:
description: Exposes the memcached server
spec:
ports:
- name: memcached
port: 11211
targetPort: 11211
selector:
name: "${MEMCACHED_SERVICE_NAME}"
- apiVersion: v1
kind: DeploymentConfig
metadata:
name: "${MEMCACHED_SERVICE_NAME}"
annotations:
description: Defines how to deploy memcached
spec:
strategy:
type: Recreate
triggers:
- type: ConfigChange
replicas: 1
selector:
name: "${MEMCACHED_SERVICE_NAME}"
template:
metadata:
name: "${MEMCACHED_SERVICE_NAME}"
labels:
name: "${MEMCACHED_SERVICE_NAME}"
spec:
volumes: []
containers:
- name: memcached
image: "${MEMCACHED_IMG_NAME}:${MEMCACHED_IMG_TAG}"
ports:
- containerPort: 11211
readinessProbe:
timeoutSeconds: 1
initialDelaySeconds: 5
tcpSocket:
port: 11211
livenessProbe:
timeoutSeconds: 1
initialDelaySeconds: 30
tcpSocket:
port: 11211
volumeMounts: []
env:
- name: MEMCACHED_MAX_MEMORY
value: "${MEMCACHED_MAX_MEMORY}"
- name: MEMCACHED_MAX_CONNECTIONS
value: "${MEMCACHED_MAX_CONNECTIONS}"
- name: MEMCACHED_SLAB_PAGE_SIZE
value: "${MEMCACHED_SLAB_PAGE_SIZE}"
resources:
requests:
memory: "${MEMCACHED_MEM_REQ}"
cpu: "${MEMCACHED_CPU_REQ}"
limits:
memory: "${MEMCACHED_MEM_LIMIT}"
- apiVersion: v1
kind: Service
metadata:
name: "${DATABASE_SERVICE_NAME}"
annotations:
description: Exposes the database server
spec:
ports:
- name: postgresql
port: 5432
targetPort: 5432
selector:
name: "${DATABASE_SERVICE_NAME}"
- apiVersion: v1
kind: DeploymentConfig
metadata:
name: "${DATABASE_SERVICE_NAME}"
annotations:
description: Defines how to deploy the database
spec:
strategy:
type: Recreate
triggers:
- type: ConfigChange
replicas: 1
selector:
name: "${DATABASE_SERVICE_NAME}"
template:
metadata:
name: "${DATABASE_SERVICE_NAME}"
labels:
name: "${DATABASE_SERVICE_NAME}"
spec:
volumes:
- name: cfme-pgdb-volume
persistentVolumeClaim:
claimName: "${NAME}-${DATABASE_SERVICE_NAME}"
- name: cfme-pg-configs
configMap:
name: "${DATABASE_SERVICE_NAME}-configs"
containers:
- name: postgresql
image: "${POSTGRESQL_IMG_NAME}:${POSTGRESQL_IMG_TAG}"
ports:
- containerPort: 5432
readinessProbe:
timeoutSeconds: 1
initialDelaySeconds: 15
exec:
command:
- "/bin/sh"
- "-i"
- "-c"
- psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1'
livenessProbe:
timeoutSeconds: 1
initialDelaySeconds: 60
tcpSocket:
port: 5432
volumeMounts:
- name: cfme-pgdb-volume
mountPath: "/var/lib/pgsql/data"
- name: cfme-pg-configs
mountPath: "/opt/app-root/src/postgresql-cfg/"
env:
- name: POSTGRESQL_USER
value: "${DATABASE_USER}"
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: "${NAME}-secrets"
key: pg-password
- name: POSTGRESQL_DATABASE
value: "${DATABASE_NAME}"
- name: POSTGRESQL_MAX_CONNECTIONS
value: "${POSTGRESQL_MAX_CONNECTIONS}"
- name: POSTGRESQL_SHARED_BUFFERS
value: "${POSTGRESQL_SHARED_BUFFERS}"
resources:
requests:
memory: "${POSTGRESQL_MEM_REQ}"
cpu: "${POSTGRESQL_CPU_REQ}"
limits:
memory: "${POSTGRESQL_MEM_LIMIT}"
- apiVersion: v1
kind: Service
metadata:
annotations:
description: Exposes and load balances Ansible pods
service.alpha.openshift.io/dependencies: '[{"name":"${DATABASE_SERVICE_NAME}","namespace":"","kind":"Service"}]'
name: "${ANSIBLE_SERVICE_NAME}"
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443
selector:
name: "${ANSIBLE_SERVICE_NAME}"
- apiVersion: v1
kind: DeploymentConfig
metadata:
name: "${ANSIBLE_SERVICE_NAME}"
annotations:
description: Defines how to deploy the Ansible appliance
spec:
strategy:
type: Recreate
serviceName: "${ANSIBLE_SERVICE_NAME}"
replicas: 0
template:
metadata:
labels:
name: "${ANSIBLE_SERVICE_NAME}"
name: "${ANSIBLE_SERVICE_NAME}"
spec:
containers:
- name: ansible
image: "${ANSIBLE_IMG_NAME}:${ANSIBLE_IMG_TAG}"
livenessProbe:
tcpSocket:
port: 443
initialDelaySeconds: 480
timeoutSeconds: 3
readinessProbe:
httpGet:
path: "/"
port: 443
scheme: HTTPS
initialDelaySeconds: 200
timeoutSeconds: 3
ports:
- containerPort: 80
protocol: TCP
- containerPort: 443
protocol: TCP
securityContext:
privileged: true
env:
- name: ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: "${ANSIBLE_SERVICE_NAME}-secrets"
key: admin-password
- name: RABBITMQ_USER_NAME
value: "${ANSIBLE_RABBITMQ_USER_NAME}"
- name: RABBITMQ_PASSWORD
valueFrom:
secretKeyRef:
name: "${ANSIBLE_SERVICE_NAME}-secrets"
key: rabbit-password
- name: ANSIBLE_SECRET_KEY
valueFrom:
secretKeyRef:
name: "${ANSIBLE_SERVICE_NAME}-secrets"
key: secret-key
- name: DATABASE_SERVICE_NAME
value: "${DATABASE_SERVICE_NAME}"
- name: POSTGRESQL_USER
value: "${DATABASE_USER}"
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: "${NAME}-secrets"
key: pg-password
- name: POSTGRESQL_DATABASE
value: "${ANSIBLE_DATABASE_NAME}"
resources:
requests:
memory: "${ANSIBLE_MEM_REQ}"
cpu: "${ANSIBLE_CPU_REQ}"
limits:
memory: "${ANSIBLE_MEM_LIMIT}"
serviceAccount: cfme-privileged
serviceAccountName: cfme-privileged
- apiVersion: v1
kind: Service
metadata:
name: "${HTTPD_SERVICE_NAME}"
annotations:
description: Exposes the httpd server
service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
spec:
ports:
- name: http
port: 80
targetPort: 80
selector:
name: httpd
- apiVersion: v1
kind: Service
metadata:
name: "${HTTPD_DBUS_API_SERVICE_NAME}"
annotations:
description: Exposes the httpd server dbus api
service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
spec:
ports:
- name: http-dbus-api
port: 8080
targetPort: 8080
selector:
name: httpd
- apiVersion: v1
kind: DeploymentConfig
metadata:
name: "${HTTPD_SERVICE_NAME}"
annotations:
description: Defines how to deploy httpd
spec:
strategy:
type: Recreate
recreateParams:
timeoutSeconds: 1200
triggers:
- type: ConfigChange
replicas: 1
selector:
name: "${HTTPD_SERVICE_NAME}"
template:
metadata:
name: "${HTTPD_SERVICE_NAME}"
labels:
name: "${HTTPD_SERVICE_NAME}"
spec:
volumes:
- name: httpd-config
configMap:
name: "${HTTPD_SERVICE_NAME}-configs"
- name: httpd-auth-config
configMap:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
containers:
- name: httpd
image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
ports:
- containerPort: 80
protocol: TCP
- containerPort: 8080
protocol: TCP
livenessProbe:
exec:
command:
- pidof
- httpd
initialDelaySeconds: 15
timeoutSeconds: 3
readinessProbe:
tcpSocket:
port: 80
initialDelaySeconds: 10
timeoutSeconds: 3
volumeMounts:
- name: httpd-config
mountPath: "${HTTPD_CONFIG_DIR}"
- name: httpd-auth-config
mountPath: "${HTTPD_AUTH_CONFIG_DIR}"
resources:
requests:
memory: "${HTTPD_MEM_REQ}"
cpu: "${HTTPD_CPU_REQ}"
limits:
memory: "${HTTPD_MEM_LIMIT}"
env:
- name: HTTPD_AUTH_TYPE
valueFrom:
configMapKeyRef:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
key: auth-type
- name: HTTPD_AUTH_KERBEROS_REALMS
valueFrom:
configMapKeyRef:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
key: auth-kerberos-realms
lifecycle:
postStart:
exec:
command:
- "/usr/bin/save-container-environment"
serviceAccount: cfme-httpd
serviceAccountName: cfme-httpd
parameters:
- name: NAME
displayName: Name
required: true
description: The name assigned to all of the frontend objects defined in this template.
value: cloudforms
- name: V2_KEY
displayName: CloudForms Encryption Key
required: true
description: Encryption Key for CloudForms Passwords
from: "[a-zA-Z0-9]{43}"
generate: expression
- name: DATABASE_SERVICE_NAME
displayName: PostgreSQL Service Name
required: true
description: The name of the OpenShift Service exposed for the PostgreSQL container.
value: postgresql
- name: DATABASE_USER
displayName: PostgreSQL User
required: true
description: PostgreSQL user that will access the database.
value: root
- name: DATABASE_PASSWORD
displayName: PostgreSQL Password
required: true
description: Password for the PostgreSQL user.
from: "[a-zA-Z0-9]{8}"
generate: expression
- name: DATABASE_NAME
required: true
displayName: PostgreSQL Database Name
description: Name of the PostgreSQL database accessed.
value: vmdb_production
- name: DATABASE_REGION
required: true
displayName: Application Database Region
description: Database region that will be used for application.
value: '0'
- name: APPLICATION_ADMIN_PASSWORD
displayName: Application Admin Password
required: true
description: Admin password that will be set on the application.
value: smartvm
- name: ANSIBLE_DATABASE_NAME
displayName: Ansible PostgreSQL database name
required: true
description: The database to be used by the Ansible continer
value: awx
- name: MEMCACHED_SERVICE_NAME
required: true
displayName: Memcached Service Name
description: The name of the OpenShift Service exposed for the Memcached container.
value: memcached
- name: MEMCACHED_MAX_MEMORY
displayName: Memcached Max Memory
description: Memcached maximum memory for memcached object storage in MB.
value: '64'
- name: MEMCACHED_MAX_CONNECTIONS
displayName: Memcached Max Connections
description: Memcached maximum number of connections allowed.
value: '1024'
- name: MEMCACHED_SLAB_PAGE_SIZE
displayName: Memcached Slab Page Size
description: Memcached size of each slab page.
value: 1m
- name: POSTGRESQL_MAX_CONNECTIONS
displayName: PostgreSQL Max Connections
description: PostgreSQL maximum number of database connections allowed.
value: '1000'
- name: POSTGRESQL_SHARED_BUFFERS
displayName: PostgreSQL Shared Buffer Amount
description: Amount of memory dedicated for PostgreSQL shared memory buffers.
value: 1GB
- name: ANSIBLE_SERVICE_NAME
displayName: Ansible Service Name
description: The name of the OpenShift Service exposed for the Ansible container.
value: ansible
- name: ANSIBLE_ADMIN_PASSWORD
displayName: Ansible admin User password
required: true
description: The password for the Ansible container admin user
from: "[a-zA-Z0-9]{32}"
generate: expression
- name: ANSIBLE_SECRET_KEY
displayName: Ansible Secret Key
required: true
description: Encryption key for the Ansible container
from: "[a-f0-9]{32}"
generate: expression
- name: ANSIBLE_RABBITMQ_USER_NAME
displayName: RabbitMQ Username
required: true
description: Username for the Ansible RabbitMQ Server
value: ansible
- name: ANSIBLE_RABBITMQ_PASSWORD
displayName: RabbitMQ Server Password
required: true
description: Password for the Ansible RabbitMQ Server
from: "[a-zA-Z0-9]{32}"
generate: expression
- name: APPLICATION_CPU_REQ
displayName: Application Min CPU Requested
required: true
description: Minimum amount of CPU time the Application container will need (expressed in millicores).
value: 1000m
- name: POSTGRESQL_CPU_REQ
displayName: PostgreSQL Min CPU Requested
required: true
description: Minimum amount of CPU time the PostgreSQL container will need (expressed in millicores).
value: 500m
- name: MEMCACHED_CPU_REQ
displayName: Memcached Min CPU Requested
required: true
description: Minimum amount of CPU time the Memcached container will need (expressed in millicores).
value: 200m
- name: ANSIBLE_CPU_REQ
displayName: Ansible Min CPU Requested
required: true
description: Minimum amount of CPU time the Ansible container will need (expressed in millicores).
value: 1000m
- name: APPLICATION_MEM_REQ
displayName: Application Min RAM Requested
required: true
description: Minimum amount of memory the Application container will need.
value: 6144Mi
- name: POSTGRESQL_MEM_REQ
displayName: PostgreSQL Min RAM Requested
required: true
description: Minimum amount of memory the PostgreSQL container will need.
value: 4Gi
- name: MEMCACHED_MEM_REQ
displayName: Memcached Min RAM Requested
required: true
description: Minimum amount of memory the Memcached container will need.
value: 64Mi
- name: ANSIBLE_MEM_REQ
displayName: Ansible Min RAM Requested
required: true
description: Minimum amount of memory the Ansible container will need.
value: 2048Mi
- name: APPLICATION_MEM_LIMIT
displayName: Application Max RAM Limit
required: true
description: Maximum amount of memory the Application container can consume.
value: 16384Mi
- name: POSTGRESQL_MEM_LIMIT
displayName: PostgreSQL Max RAM Limit
required: true
description: Maximum amount of memory the PostgreSQL container can consume.
value: 8Gi
- name: MEMCACHED_MEM_LIMIT
displayName: Memcached Max RAM Limit
required: true
description: Maximum amount of memory the Memcached container can consume.
value: 256Mi
- name: ANSIBLE_MEM_LIMIT
displayName: Ansible Max RAM Limit
required: true
description: Maximum amount of memory the Ansible container can consume.
value: 8096Mi
- name: POSTGRESQL_IMG_NAME
displayName: PostgreSQL Image Name
description: This is the PostgreSQL image name requested to deploy.
value: registry.access.redhat.com/cloudforms46/cfme-openshift-postgresql
- name: POSTGRESQL_IMG_TAG
displayName: PostgreSQL Image Tag
description: This is the PostgreSQL image tag/version requested to deploy.
value: latest
- name: MEMCACHED_IMG_NAME
displayName: Memcached Image Name
description: This is the Memcached image name requested to deploy.
value: registry.access.redhat.com/cloudforms46/cfme-openshift-memcached
- name: MEMCACHED_IMG_TAG
displayName: Memcached Image Tag
description: This is the Memcached image tag/version requested to deploy.
value: latest
- name: FRONTEND_APPLICATION_IMG_NAME
displayName: Frontend Application Image Name
description: This is the Frontend Application image name requested to deploy.
value: registry.access.redhat.com/cloudforms46/cfme-openshift-app-ui
- name: BACKEND_APPLICATION_IMG_NAME
displayName: Backend Application Image Name
description: This is the Backend Application image name requested to deploy.
value: registry.access.redhat.com/cloudforms46/cfme-openshift-app
- name: FRONTEND_APPLICATION_IMG_TAG
displayName: Front end Application Image Tag
description: This is the CloudForms Frontend Application image tag/version requested to deploy.
value: latest
- name: BACKEND_APPLICATION_IMG_TAG
displayName: Back end Application Image Tag
description: This is the CloudForms Backend Application image tag/version requested to deploy.
value: latest
- name: ANSIBLE_IMG_NAME
displayName: Ansible Image Name
description: This is the Ansible image name requested to deploy.
value: registry.access.redhat.com/cloudforms46/cfme-openshift-embedded-ansible
- name: ANSIBLE_IMG_TAG
displayName: Ansible Image Tag
description: This is the Ansible image tag/version requested to deploy.
value: latest
- name: APPLICATION_DOMAIN
displayName: Application Hostname
description: The exposed hostname that will route to the application service, if left blank a value will be defaulted.
value: ''
- name: APPLICATION_REPLICA_COUNT
displayName: Application Replica Count
description: This is the number of Application replicas requested to deploy.
value: '1'
- name: APPLICATION_INIT_DELAY
displayName: Application Init Delay
required: true
description: Delay in seconds before we attempt to initialize the application.
value: '15'
- name: APPLICATION_VOLUME_CAPACITY
displayName: Application Volume Capacity
required: true
description: Volume space available for application data.
value: 5Gi
- name: DATABASE_VOLUME_CAPACITY
displayName: Database Volume Capacity
required: true
description: Volume space available for database.
value: 15Gi
- name: HTTPD_SERVICE_NAME
required: true
displayName: Apache httpd Service Name
description: The name of the OpenShift Service exposed for the httpd container.
value: httpd
- name: HTTPD_DBUS_API_SERVICE_NAME
required: true
displayName: Apache httpd DBus API Service Name
description: The name of httpd dbus api service.
value: httpd-dbus-api
- name: HTTPD_IMG_NAME
displayName: Apache httpd Image Name
description: This is the httpd image name requested to deploy.
value: registry.access.redhat.com/cloudforms46/cfme-openshift-httpd
- name: HTTPD_IMG_TAG
displayName: Apache httpd Image Tag
description: This is the httpd image tag/version requested to deploy.
value: latest
- name: HTTPD_CONFIG_DIR
displayName: Apache Configuration Directory
description: Directory used to store the Apache configuration files.
value: "/etc/httpd/conf.d"
- name: HTTPD_AUTH_CONFIG_DIR
displayName: External Authentication Configuration Directory
description: Directory used to store the external authentication configuration files.
value: "/etc/httpd/auth-conf.d"
- name: HTTPD_CPU_REQ
displayName: Apache httpd Min CPU Requested
required: true
description: Minimum amount of CPU time the httpd container will need (expressed in millicores).
value: 500m
- name: HTTPD_MEM_REQ
displayName: Apache httpd Min RAM Requested
required: true
description: Minimum amount of memory the httpd container will need.
value: 512Mi
- name: HTTPD_MEM_LIMIT
displayName: Apache httpd Max RAM Limit
required: true
description: Maximum amount of memory the httpd container can consume.
value: 8192Mi