diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 49054719a..c2ae59ef7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -137,7 +137,7 @@ jobs: vagrant ssh quadlet -- sudo systemctl restart fapolicyd - name: Run image pull run: | - ./foremanctl pull-images + ./foremanctl pull-images ${{ matrix.database == 'external' && '--database-mode=external' || '' }} - name: Run deployment run: | ./foremanctl deploy \ diff --git a/docs/developer/deployment.md b/docs/developer/deployment.md index 263305de2..6156f05e0 100644 --- a/docs/developer/deployment.md +++ b/docs/developer/deployment.md 
@@ -52,23 +52,173 @@ IOP (Insights Operating Platform) deploys on-premise Insights services for advis See [IOP Architecture](iop.md) for details on the services deployed and configuration options. -### Authenticated Registry Handling +### Image Management -If you need to pull images from private or authenticated container registries, you can configure registry authentication using Podman's auth file. +foremanctl uses Podman quadlet [`.image` units](https://docs.podman.io/en/latest/markdown/podman-image.unit.5.html) to separate image sourcing from container definitions. Each unique container image (foreman, candlepin, pulp, etc.) gets a corresponding `.image` file deployed to `/etc/containers/systemd/`. Container roles reference these by name rather than by full image URL: -#### Setting up Registry Authentication +See the [podman-systemd.unit(5)](https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html) reference for the full quadlet unit format. + +```ini +# /etc/containers/systemd/foreman.image +[Image] +Image=quay.io/foreman/foreman:nightly +``` + +```ini +# /etc/containers/systemd/foreman.container (excerpt) +[Container] +Image=foreman.image +``` + +All containers that share a base image (e.g., foreman, dynflow-sidekiq, foreman-recurring) reference the same `.image` unit. systemd ensures the image is pulled before any dependent container starts. + +#### Image Overrides via Drop-ins + +foremanctl uses quadlet's native drop-in mechanism for image overrides. Each `.image` file has a corresponding `.image.d/` directory. Drop-in `.conf` files placed there are merged on top of the base in lexicographic order — last wins. 
+ +The quadlet generator reads from two directory tiers, with `/etc/` taking precedence over `/usr/share/`: + +``` +/usr/share/containers/systemd/ + foreman.image.d/ + 10-product.conf # vendor/RPM layer + 20-archive.conf # local media layer + +/etc/containers/systemd/ + foreman.image # base, always generated by foremanctl + foreman.image.d/ + 90-user.conf # user override layer +``` + +Precedence (last wins): + +1. `foreman.image` — foremanctl default from `images.yml` +2. `10-product.conf` — vendor/RPM provided +3. `20-archive.conf` — local media provided +4. `90-user.conf` — user provided (highest priority) + +#### registries.conf vs .image.d drop-ins + +Both `registries.conf` and `.image.d` drop-ins can redirect where an image is pulled from, but they behave differently and suit different use cases. + +`registries.conf` applies a transparent redirect at pull time — the image is fetched from the `location` registry but stored in local storage under the original `prefix` name. This means `podman images` shows the upstream name (e.g., `quay.io/foreman/foreman:nightly`), and the `.image` quadlet continues to reference that same name. This works well when the private registry mirrors upstream image names and tags exactly. + +`.image.d` drop-ins directly replace the `Image=` value in the quadlet unit. The image is pulled from and stored under the new reference. This is required when the image name or tag changes completely (e.g., `quay.io/foreman/foreman:nightly` → `registry.example.com/org/foreman-rhel9:stream`), since `registries.conf` cannot remap image names — only registry/namespace locations. 
+ +#### Use Cases + +##### Upstream default (no user action) + +foremanctl generates `.image` files from its built-in `images.yml`: + +```ini +# /etc/containers/systemd/foreman.image (generated by foremanctl) +[Image] +Image=quay.io/foreman/foreman:nightly +``` + +##### RPM-provided images + +When a product uses different image names or tags from the upstream references (e.g., `foreman-rhel9:stream` instead of `foreman:nightly`), the RPM ships `.image.d` drop-ins to override each image unit directly: + +```ini +# /usr/share/containers/systemd/foreman.image.d/10-product.conf (from RPM) +[Image] +Image=registry.example.com/org/foreman-rhel9:stream +``` + +```ini +# /usr/share/containers/systemd/candlepin.image.d/10-product.conf (from RPM) +[Image] +Image=registry.example.com/org/candlepin-rhel9:stream +``` + +No user action required beyond installing the RPM and logging into the product registry: -1. **Login to your registry** using Podman and save credentials to the default auth file location: ```bash -podman login --authfile=/etc/foreman/registry-auth.json +podman login --authfile=/etc/foreman/registry-auth.json registry.example.com +``` + +##### Disconnected install from local media + +In air-gapped environments, container images must be brought in without network access. `registries.conf` cannot express non-registry sources, but Podman can read images from local archive files. Images can be transported via USB or other local media using `podman save` / `podman load`, then referenced via drop-ins: + +See [podman-export(1)](https://docs.podman.io/en/latest/markdown/podman-export.1.html) for producing archive files. + +```ini +# /usr/share/containers/systemd/foreman.image.d/20-archive.conf (from local media) +[Image] +Image=docker-archive:/opt/foreman/images/foreman-6.17.tar +``` + +##### User's own registry + +When the private registry mirrors upstream image names and tags exactly, `registries.conf.d` handles namespace-level remapping. 
foremanctl images span two upstream namespaces, so two entries are needed at minimum. See [containers-registries.conf(5)](https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md) for the full format. + +```toml +# /etc/containers/registries.conf.d/50-foremanctl-mirror.conf +[[registry]] +prefix = "quay.io/foreman" +location = "katello.example.com/Default_Organization" + +[[registry]] +prefix = "quay.io/sclorg" +location = "katello.example.com/Default_Organization" +``` + +When the private registry uses different image names or tags, use `.image.d` drop-ins instead: + +```ini +# /etc/containers/systemd/foreman.image.d/90-user.conf +[Image] +Image=katello.example.com/Default_Organization/foreman-rhel9:stream +``` + +##### Developer testing a container build + +An `.image.d` drop-in overrides a single image without affecting others: + +```ini +# /etc/containers/systemd/foreman.image.d/90-user.conf +# To test https://github.com/theforeman/foreman-oci-images/pull/12345 +[Image] +Image=quay.io/foreman/stage/foreman:pr-12345 ``` -2. **Deploy as usual** - foremanctl will automatically detect and use the authentication file: +#### Authenticated Registry Handling + +foremanctl uses `/etc/foreman/registry-auth.json` as the default credential store. When pulling images from an authenticated registry, log in using that file: + ```bash -./foremanctl deploy +podman login --authfile=/etc/foreman/registry-auth.json +``` + +Credentials must be for the registry the image is **physically pulled from**. When using `registries.conf` redirects, that is the `location` registry. When using `.image.d` drop-ins, that is the registry in the `Image=` value. + +foremanctl sets `REGISTRY_AUTH_FILE` in the `[Service]` section of each generated `.image` file. 
Quadlet propagates this setting to the generated `*-image.service`, so podman uses the auth file whenever the image service runs — including during `pull-images`: + +```ini +# /etc/containers/systemd/foreman.image (generated by foremanctl, excerpt) +[Service] +Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json ``` -This approach integrates seamlessly with both the happy path and advanced deployment paths described above. The authentication is handled transparently during image pulling operations. +If the auth file does not exist (unauthenticated registry), podman ignores it gracefully — no error is raised. + +#### Image Pulling (pull-images) + +The `foremanctl pull-images` command is an optional pre-deployment step that pulls all container images before running `foremanctl deploy`. This reduces deploy time and allows pre-staging images separately from deployment. + +`pull-images` deploys the `.image` unit files (making them available for quadlet to merge with any existing drop-ins from installed RPMs), then starts each `*-image.service` to perform the actual pull. To ensure mutable tags (such as `nightly`, `latest`, or `stream`) are always refreshed, `pull-images` temporarily creates a `Policy=always` drop-in before starting each service and removes it afterward, restoring `Policy=missing` for normal operation. See the [`Policy` field in `podman-image.unit(5)`](https://docs.podman.io/en/latest/markdown/podman-image.unit.5.html) for the full list of pull policies. + +``` +/etc/containers/systemd/ + foreman.image.d/ + 00-pull-always.conf # created by pull-images, removed after pull + 90-user.conf # permanent user override (if present) +``` + +Because the pull goes through the image services, any `.image.d` drop-ins already in place (e.g., from a product RPM) are respected — the image is pulled from whatever source the merged configuration specifies. ## Deployer Stages 
@@ -81,7 +231,7 @@ Some of the stages will be made available to the user to run independently. a. system requirements b. tuning requirements c. certificate requirements - 4. Place `.container` files + 4. Place `.image` and `.container` files 5. Create podman secrets 6. Reload systemd 7. (re)start services @@ -103,7 +253,9 @@ When the user provides parameters to alter the deployment, the deployment utilit ## Container changes (Upgrades) -When the running containers change because the stream was changed in the configuration, the deployment utility will pull the new images and use the new images when starting services. +When the running containers change because the stream was changed in the configuration, the deployment utility regenerates `.image` units with the new image references and restarts services to pull and use the updated images. + +User drop-in overrides in `.image.d/90-user.conf` take precedence over the base `.image` values — if a user-provided drop-in pins a specific tag, it will not be changed by an upgrade. As there is currently no way for the deployment utility to verify which image version is used by a running service, the user is advised to stop all services before performing an upgrade. diff --git a/src/playbooks/pull-images/pull-images.yaml b/src/playbooks/pull-images/pull-images.yaml index 3eb4e74d2..e4bb26ce1 100644 --- a/src/playbooks/pull-images/pull-images.yaml +++ b/src/playbooks/pull-images/pull-images.yaml 
@@ -11,27 +11,50 @@ roles: - role: pre_install post_tasks: - - name: Pull an image - containers.podman.podman_image: + - name: Deploy core image units + ansible.builtin.include_role: name: "{{ item }}" - environment: - REGISTRY_AUTH_FILE: "{{ registry_auth_file }}" - loop: "{{ images }}" + tasks_from: image.yaml + loop: + - foreman + - candlepin + - pulp + - redis - - name: Pull foreman_proxy images - containers.podman.podman_image: - name: "{{ item }}" - environment: - REGISTRY_AUTH_FILE: "{{ registry_auth_file }}" - loop: "{{ foreman_proxy_images }}" - when: - - "'foreman-proxy' in enabled_features" + - name: Deploy database image units + ansible.builtin.include_role: + name: postgresql + tasks_from: image.yaml + when: database_mode == 'internal' + + - name: Deploy proxy image units + ansible.builtin.include_role: + name: foreman_proxy + tasks_from: image.yaml + when: "'foreman-proxy' in enabled_features" - - name: Pull database images - containers.podman.podman_image: + - name: Deploy IOP image units + ansible.builtin.include_role: name: "{{ item }}" - environment: - REGISTRY_AUTH_FILE: "{{ registry_auth_file }}" - loop: "{{ database_images }}" - when: - - database_mode == 'internal' + tasks_from: image.yaml + loop: + - iop_kafka + - iop_ingress + - iop_puptoo + - iop_yuptoo + - iop_engine + - iop_gateway + - iop_inventory + - iop_advisor + - iop_remediation + - iop_vmaas + - iop_vulnerability + - iop_advisor_frontend + - iop_inventory_frontend + - iop_vulnerability_frontend + when: "'iop' in enabled_features" + + - name: Pull images + ansible.builtin.include_role: + name: images + tasks_from: pull.yaml diff --git a/src/roles/candlepin/defaults/main.yml b/src/roles/candlepin/defaults/main.yml index a0a8b15b4..716dc6887 100644 --- a/src/roles/candlepin/defaults/main.yml +++ b/src/roles/candlepin/defaults/main.yml 
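Review bot: The removed pull tasks honored a play-level `registry_auth_file` variable, while the new `images` role reads `images_registry_auth_file` (defaulting to `/etc/foreman/registry-auth.json` in its defaults), and nothing in this hunk maps one to the other, so a caller that overrides `registry_auth_file` would presumably fall back to the default path without any error — unless that wiring exists outside this diff. If the old name is still a supported input, set `images_registry_auth_file: "{{ registry_auth_file }}"` at play level so every `image.yaml` include sees it; otherwise retire the old variable. It would also help to state above `Deploy core image units` that each include appends to `images_deployed_names`, which the final `Pull images` include consumes, e.g. `# each image.yaml include appends to images_deployed_names; pull.yaml below iterates that list`, since the ordering dependency is not visible from the task names.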
@@ -14,7 +14,6 @@ candlepin_ciphers: - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 candlepin_container_image: quay.io/foreman/candlepin candlepin_container_tag: "4.4.14" -candlepin_registry_auth_file: /etc/foreman/registry-auth.json candlepin_database_host: localhost candlepin_database_port: 5432 diff --git a/src/roles/candlepin/tasks/image.yaml b/src/roles/candlepin/tasks/image.yaml new file mode 100644 index 000000000..92eda8277 --- /dev/null +++ b/src/roles/candlepin/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy candlepin image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: candlepin + image: "{{ candlepin_container_image }}:{{ candlepin_container_tag }}" diff --git a/src/roles/candlepin/tasks/main.yml b/src/roles/candlepin/tasks/main.yml index 3d8b4b518..b66a99986 100644 --- a/src/roles/candlepin/tasks/main.yml +++ b/src/roles/candlepin/tasks/main.yml @@ -1,4 +1,7 @@ --- +- name: Deploy candlepin image + ansible.builtin.include_tasks: image.yaml + - name: Create log directories ansible.builtin.file: path: "{{ item }}" @@ -55,17 +58,10 @@ notify: - Restart candlepin -- name: Pull the Candlepin container image - containers.podman.podman_image: - name: "{{ candlepin_container_image }}:{{ candlepin_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ candlepin_registry_auth_file }}" - - name: Deploy Candlepin quadlet containers.podman.podman_container: name: "candlepin" - image: "{{ candlepin_container_image }}:{{ candlepin_container_tag }}" + image: candlepin.image state: quadlet network: host hostname: "{{ ansible_facts['hostname'] }}.local" diff --git a/src/roles/foreman/defaults/main.yaml b/src/roles/foreman/defaults/main.yaml index fad6b1161..c15d41a37 100644 --- a/src/roles/foreman/defaults/main.yaml +++ b/src/roles/foreman/defaults/main.yaml 
@@ -1,7 +1,6 @@ --- foreman_container_image: "quay.io/foreman/foreman" foreman_container_tag: "nightly" -foreman_registry_auth_file: /etc/foreman/registry-auth.json foreman_database_name: foreman foreman_database_user: foreman diff --git a/src/roles/foreman/tasks/image.yaml b/src/roles/foreman/tasks/image.yaml new file mode 100644 index 000000000..77217905d --- /dev/null +++ b/src/roles/foreman/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy foreman image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: foreman + image: "{{ foreman_container_image }}:{{ foreman_container_tag }}" diff --git a/src/roles/foreman/tasks/main.yaml b/src/roles/foreman/tasks/main.yaml index f08ac17f9..01b2ce29c 100644 --- a/src/roles/foreman/tasks/main.yaml +++ b/src/roles/foreman/tasks/main.yaml @@ -1,10 +1,6 @@ --- -- name: Pull the Foreman container image - containers.podman.podman_image: - name: "{{ foreman_container_image }}:{{ foreman_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ foreman_registry_auth_file }}" +- name: Deploy foreman image + ansible.builtin.include_tasks: image.yaml - name: Create secret for DATABASE_URL containers.podman.podman_secret: @@ -98,7 +94,7 @@ - name: Deploy Foreman Container containers.podman.podman_container: name: "foreman" - image: "{{ foreman_container_image }}:{{ foreman_container_tag }}" + image: foreman.image state: quadlet sdnotify: true network: host 
@@ -130,13 +126,15 @@ PartOf=foreman.target Wants=redis.service postgresql.service candlepin.service After=redis.service postgresql.service candlepin.service + Requires=foreman-db-migrate.service + After=foreman-db-migrate.service notify: Restart foreman - name: Deploy Dynflow Container containers.podman.podman_container: name: "dynflow-sidekiq-%i" quadlet_filename: "dynflow-sidekiq@" - image: "{{ foreman_container_image }}:{{ foreman_container_tag }}" + image: foreman.image state: quadlet sdnotify: true network: host @@ -165,6 +163,8 @@ PartOf=foreman.target Wants=redis.service postgresql.service After=redis.service postgresql.service + Requires=foreman-db-migrate.service + After=foreman-db-migrate.service - | [Service] Restart=on-failure @@ -191,7 +191,7 @@ name: "foreman-recurring-{{ item.instance }}" quadlet_filename: "foreman-recurring@{{ item.instance }}" state: quadlet - image: "{{ foreman_container_image }}:{{ foreman_container_tag }}" + image: foreman.image sdnotify: false network: host hostname: "{{ ansible_facts['hostname'] }}.local" @@ -232,21 +232,14 @@ loop_control: label: "{{ item.instance }}" -- name: Run daemon reload to make Quadlet create the service files - ansible.builtin.systemd: - daemon_reload: true - -- name: Migrate and seed the Foreman database +- name: Deploy foreman database migration container containers.podman.podman_container: name: foreman-db-migrate - image: "{{ foreman_container_image }}:{{ foreman_container_tag }}" - command: - - bash - - -c - - bin/rails db:migrate && bin/rails db:seed - detach: false - rm: true + state: quadlet + image: foreman.image + sdnotify: false network: host + command: bash -c "bin/rails db:migrate && bin/rails db:seed" env: FOREMAN_ENABLED_PLUGINS: "{{ foreman_plugins | join(' ') }}" SEED_ORGANIZATION: "{{ foreman_initial_organization }}" 
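Review bot: The migration is no longer an ephemeral `rm: true` run but a `foreman-db-migrate.service` quadlet that `foreman.service` and `dynflow-sidekiq@` now pull in via `Requires=`/`After=` (hunks `@@ -130,13` and `@@ -165,6` on this line), so on every boot `bin/rails db:migrate && bin/rails db:seed` runs before Foreman starts and a failed migration keeps Foreman down; this is a sensible fail-closed design, but it is not stated anywhere in the task. A `Requires=` dependency also propagates stops, so restarting the migrate unit from Ansible (next hunk) will presumably take a running `foreman.service` down with it — expected during an upgrade, but worth documenting. Suggested comment above `Deploy foreman database migration container`: `# foreman.service Requires= this oneshot unit: migrate+seed runs on every boot before Foreman starts, and a migration failure blocks Foreman from starting`.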
@@ -257,6 +250,23 @@ - 'foreman-seed-admin-password,type=env,target=SEED_ADMIN_PASSWORD' - 'foreman-settings-yaml,type=mount,target=/etc/foreman/settings.yaml' - 'foreman-db-ca,type=mount,target={{ foreman_database_ssl_ca_path }}' + quadlet_options: + - | + [Service] + Type=oneshot + RemainAfterExit=yes + TimeoutStartSec=30m + +- name: Run daemon reload to make Quadlet create the service files + ansible.builtin.systemd: + daemon_reload: true + +- name: Migrate and seed the Foreman database + ansible.builtin.systemd: + name: foreman-db-migrate.service + state: restarted + async: 1800 + poll: 10 - name: Flush handlers to restart services ansible.builtin.meta: flush_handlers diff --git a/src/roles/foreman_proxy/defaults/main.yaml b/src/roles/foreman_proxy/defaults/main.yaml index cb62496ac..4791507b1 100644 --- a/src/roles/foreman_proxy/defaults/main.yaml +++ b/src/roles/foreman_proxy/defaults/main.yaml @@ -1,7 +1,6 @@ --- foreman_proxy_container_image: "quay.io/foreman/foreman-proxy" foreman_proxy_container_tag: "nightly" -foreman_proxy_registry_auth_file: /etc/foreman/registry-auth.json foreman_proxy_name: "{{ ansible_facts['fqdn'] }}" foreman_proxy_https_port: 8443 diff --git a/src/roles/foreman_proxy/tasks/image.yaml b/src/roles/foreman_proxy/tasks/image.yaml new file mode 100644 index 000000000..73aab8df6 --- /dev/null +++ b/src/roles/foreman_proxy/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy foreman-proxy image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: foreman-proxy + image: "{{ foreman_proxy_container_image }}:{{ foreman_proxy_container_tag }}" diff --git a/src/roles/foreman_proxy/tasks/main.yaml b/src/roles/foreman_proxy/tasks/main.yaml index fa36f7f26..8033c9457 100644 --- a/src/roles/foreman_proxy/tasks/main.yaml +++ b/src/roles/foreman_proxy/tasks/main.yaml 
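Review bot: `async: 1800` on the `Migrate and seed the Foreman database` task equals the unit's `TimeoutStartSec=30m`, so on a slow migration Ansible's async timeout and systemd's start timeout fire at the same moment and which error the operator sees (an opaque async timeout versus the journal-backed unit failure) is a race. Make the Ansible limit slightly longer than the unit's, e.g. `async: 1900`, so the systemd failure with its `journalctl -u foreman-db-migrate.service` reason is what gets reported, and tie the two with a comment: `# keep async above TimeoutStartSec=30m so systemd, not Ansible, reports a timed-out migration`. `RemainAfterExit=yes` means `state: restarted` is what forces a rerun on each deploy; a short comment saying so would save the next reader from "fixing" it to `started`.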
@@ -1,10 +1,6 @@ --- -- name: Pull the Foreman Proxy container image - containers.podman.podman_image: - name: "{{ foreman_proxy_container_image }}:{{ foreman_proxy_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ foreman_proxy_registry_auth_file }}" +- name: Deploy foreman-proxy image + ansible.builtin.include_tasks: image.yaml - name: Create config secrets ansible.builtin.include_tasks: configs.yaml @@ -15,7 +11,7 @@ - name: Deploy Foreman Proxy Container containers.podman.podman_container: name: "foreman-proxy" - image: "{{ foreman_proxy_container_image }}:{{ foreman_proxy_container_tag }}" + image: foreman-proxy.image state: quadlet sdnotify: true network: host diff --git a/src/roles/images/defaults/main.yaml b/src/roles/images/defaults/main.yaml new file mode 100644 index 000000000..237b6ab6b --- /dev/null +++ b/src/roles/images/defaults/main.yaml @@ -0,0 +1,4 @@ +--- +images_quadlet_dir: /etc/containers/systemd +images_registry_auth_file: /etc/foreman/registry-auth.json +images_deployed_names: [] diff --git a/src/roles/images/tasks/deploy_image.yaml b/src/roles/images/tasks/deploy_image.yaml new file mode 100644 index 000000000..8328a912b --- /dev/null +++ b/src/roles/images/tasks/deploy_image.yaml 
@@ -0,0 +1,23 @@
+---
+- name: Generate image file for {{ images_definition.name }}
+ containers.podman.podman_image:
+ name: "{{ images_definition.image }}"
+ state: quadlet
+ quadlet_dir: "{{ images_quadlet_dir }}"
+ quadlet_filename: "{{ images_definition.name }}"
+ quadlet_file_mode: "0644"
+ quadlet_options:
+ - "Policy=missing"
+ - |
+ [Service]
+ Environment=REGISTRY_AUTH_FILE={{ images_registry_auth_file }}
+
+- name: Create drop-in directory for {{ images_definition.name }}
+ ansible.builtin.file:
+ path: "{{ images_quadlet_dir }}/{{ images_definition.name }}.image.d"
+ state: directory
+ mode: "0755"
+
+- name: Register deployed image name
+ ansible.builtin.set_fact:
+ images_deployed_names: "{{ images_deployed_names + [images_definition.name] }}"
diff --git a/src/roles/images/tasks/pull.yaml b/src/roles/images/tasks/pull.yaml
new file mode 100644
index 000000000..cce04beb7
--- /dev/null
+++ b/src/roles/images/tasks/pull.yaml
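Review bot: The `.image.d` drop-in directory is created with `mode: "0755"` but no explicit `owner`/`group`, yet any `.conf` placed there replaces `Image=` (and can set `Policy=`), so this directory decides which image the host pulls and runs. Ownership is inherited from the account running the play, presumably root, but pinning it makes the trust boundary explicit and survives a run under a different connection user: add `owner: root` and `group: root` to the `Create drop-in directory` task. The `set_fact` accumulation also deserves a line, since it relies on the fact outliving the role default `images_deployed_names: []` across repeated `include_role` calls: `# set_fact outranks the role default, so the list grows across every include of this role`.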
@@ -0,0 +1,44 @@ +--- +- name: Pull images + block: + - name: Set Policy=always to force image pull + ansible.builtin.copy: + dest: "{{ images_quadlet_dir }}/{{ item }}.image.d/00-pull-always.conf" + content: | + [Image] + Policy=always + mode: "0644" + loop: "{{ images_deployed_names | default([]) }}" + + - name: Run daemon reload + ansible.builtin.systemd: + daemon_reload: true + + - name: Pull images via image services + ansible.builtin.systemd: + name: "{{ item }}-image.service" + state: restarted + loop: "{{ images_deployed_names | default([]) }}" + async: 600 + poll: 0 + register: images_pull_jobs + + - name: Wait for image pulls to complete + ansible.builtin.async_status: + jid: "{{ item.ansible_job_id }}" + register: images_pull_result + until: images_pull_result is finished + retries: 120 + delay: 5 + loop: "{{ images_pull_jobs.results }}" + + always: + - name: Remove Policy=always drop-ins + ansible.builtin.file: + path: "{{ images_quadlet_dir }}/{{ item }}.image.d/00-pull-always.conf" + state: absent + loop: "{{ images_deployed_names | default([]) }}" + + - name: Run daemon reload + ansible.builtin.systemd: + daemon_reload: true diff --git a/src/roles/iop_advisor/defaults/main.yaml b/src/roles/iop_advisor/defaults/main.yaml index 52645e1d1..a3beb1188 100644 --- a/src/roles/iop_advisor/defaults/main.yaml +++ b/src/roles/iop_advisor/defaults/main.yaml @@ -1,7 +1,6 @@ --- iop_advisor_container_image: "quay.io/iop/advisor-backend" iop_advisor_container_tag: "foreman-3.18" -iop_advisor_registry_auth_file: /etc/foreman/registry-auth.json iop_advisor_database_name: advisor_db iop_advisor_database_user: advisor_user diff --git a/src/roles/iop_advisor/tasks/image.yaml b/src/roles/iop_advisor/tasks/image.yaml new file mode 100644 index 000000000..b22eeafe4 --- /dev/null +++ b/src/roles/iop_advisor/tasks/image.yaml 
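Review bot: The temporary `00-pull-always.conf` is only removed in the `always:` section, which does not run if the play is killed or the host reboots mid-pull, and a leftover drop-in silently turns that unit into `Policy=always` for every later start of the image service — surprising in a disconnected or rate-limited environment. Remove a stale copy before writing a fresh one (or have `deploy_image.yaml` ensure it is absent) so a previous aborted run cannot leak into normal operation; a one-line `state: absent` task at the top of the `block:` is enough. The `until: images_pull_result is finished` loop with `retries: 120` and `delay: 5` matches the `async: 600` window, but that coupling is invisible; a comment such as `# retries*delay must cover the async timeout above` would keep the two in step.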
@@ -0,0 +1,9 @@ +--- +- name: Deploy iop-advisor image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-advisor + image: "{{ iop_advisor_container_image }}:{{ iop_advisor_container_tag }}" diff --git a/src/roles/iop_advisor/tasks/main.yaml b/src/roles/iop_advisor/tasks/main.yaml index 74d7a6773..6c10b4dd0 100644 --- a/src/roles/iop_advisor/tasks/main.yaml +++ b/src/roles/iop_advisor/tasks/main.yaml @@ -1,10 +1,6 @@ --- -- name: Pull Advisor Backend container image - containers.podman.podman_image: - name: "{{ iop_advisor_container_image }}:{{ iop_advisor_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_advisor_registry_auth_file }}" +- name: Deploy iop-advisor image + ansible.builtin.include_tasks: image.yaml - name: Create podman secret for advisor database username containers.podman.podman_secret: @@ -39,7 +35,7 @@ - name: Deploy Advisor Backend API Container containers.podman.podman_container: name: iop-service-advisor-backend-api - image: "{{ iop_advisor_container_image }}:{{ iop_advisor_container_tag }}" + image: iop-advisor.image state: quadlet command: sh -c "./container_init.sh && api/app.sh" network: @@ -62,7 +58,6 @@ INVENTORY_SERVER_URL: "http://iop-core-host-inventory-api:8081/api/inventory/v1" ADVISOR_DB_SSL_MODE: "disable" PORT: "8000" - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-service-advisor-backend-database-username,type=env,target=ADVISOR_DB_USER' - 'iop-service-advisor-backend-database-password,type=env,target=ADVISOR_DB_PASSWORD' @@ -83,7 +78,7 @@ - name: Deploy Advisor Backend Service Container containers.podman.podman_container: name: iop-service-advisor-backend-service - image: "{{ iop_advisor_container_image }}:{{ iop_advisor_container_tag }}" + image: iop-advisor.image state: quadlet command: pipenv run python service/service.py network: 
@@ -92,7 +87,6 @@ BOOTSTRAP_SERVERS: "iop-core-kafka:9092" ADVISOR_DB_SSL_MODE: "disable" DISABLE_WEB_SERVER: "true" - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-service-advisor-backend-database-username,type=env,target=ADVISOR_DB_USER' - 'iop-service-advisor-backend-database-password,type=env,target=ADVISOR_DB_PASSWORD' diff --git a/src/roles/iop_advisor_frontend/defaults/main.yaml b/src/roles/iop_advisor_frontend/defaults/main.yaml index fa5a98b15..d7584d876 100644 --- a/src/roles/iop_advisor_frontend/defaults/main.yaml +++ b/src/roles/iop_advisor_frontend/defaults/main.yaml @@ -1,6 +1,5 @@ --- iop_advisor_frontend_container_image: "quay.io/iop/advisor-frontend" iop_advisor_frontend_container_tag: "foreman-3.18" -iop_advisor_frontend_registry_auth_file: /etc/foreman/registry-auth.json iop_advisor_frontend_assets_path: "/var/www/iop/assets/apps/advisor" iop_advisor_frontend_source_path: "/srv/dist/." diff --git a/src/roles/iop_advisor_frontend/tasks/image.yaml b/src/roles/iop_advisor_frontend/tasks/image.yaml new file mode 100644 index 000000000..79e79ce93 --- /dev/null +++ b/src/roles/iop_advisor_frontend/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-advisor-frontend image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-advisor-frontend + image: "{{ iop_advisor_frontend_container_image }}:{{ iop_advisor_frontend_container_tag }}" diff --git a/src/roles/iop_advisor_frontend/tasks/main.yaml b/src/roles/iop_advisor_frontend/tasks/main.yaml index 1c0b785ad..a10b8a7c4 100644 --- a/src/roles/iop_advisor_frontend/tasks/main.yaml +++ b/src/roles/iop_advisor_frontend/tasks/main.yaml 
@@ -1,10 +1,15 @@ --- -- name: Pull Advisor Frontend container image - containers.podman.podman_image: - name: "{{ iop_advisor_frontend_container_image }}:{{ iop_advisor_frontend_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_advisor_frontend_registry_auth_file }}" +- name: Deploy iop-advisor-frontend image + ansible.builtin.include_tasks: image.yaml + +- name: Run daemon reload for image unit + ansible.builtin.systemd: + daemon_reload: true + +- name: Pull Advisor Frontend image via quadlet unit + ansible.builtin.systemd: + name: iop-advisor-frontend-image.service + state: started - name: Ensure parent assets directory exists ansible.builtin.file: diff --git a/src/roles/iop_engine/defaults/main.yaml b/src/roles/iop_engine/defaults/main.yaml index f2d210e3e..bc9af4f64 100644 --- a/src/roles/iop_engine/defaults/main.yaml +++ b/src/roles/iop_engine/defaults/main.yaml @@ -1,7 +1,6 @@ --- iop_engine_container_image: "quay.io/iop/insights-engine" iop_engine_container_tag: "foreman-3.18" -iop_engine_registry_auth_file: /etc/foreman/registry-auth.json iop_engine_packages: - "insights.specs.default" diff --git a/src/roles/iop_engine/tasks/image.yaml b/src/roles/iop_engine/tasks/image.yaml new file mode 100644 index 000000000..324bd1531 --- /dev/null +++ b/src/roles/iop_engine/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-engine image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-engine + image: "{{ iop_engine_container_image }}:{{ iop_engine_container_tag }}" diff --git a/src/roles/iop_engine/tasks/main.yaml b/src/roles/iop_engine/tasks/main.yaml index e92c111ec..0e97f7fed 100644 --- a/src/roles/iop_engine/tasks/main.yaml +++ b/src/roles/iop_engine/tasks/main.yaml 
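Review bot: `state: started` on `iop-advisor-frontend-image.service` combined with the `Policy=missing` set in the shared image unit means the service does nothing once the image is in local storage, so a re-published `foreman-3.18` tag is never refreshed by this role unless `pull-images` ran first; the tasks after the hunk presumably copy assets out of that image, in which case stale assets would be served without any error. If that is accepted, say so where the next reader will look: `# Policy=missing: pulls only when the image is absent; run foremanctl pull-images to refresh a mutable tag`. This role is also the only one that starts its image service inline while siblings leave it to the container units, so a short comment on why (assets are needed before any container runs, if that is the reason) would stop someone from "aligning" it with the others. The rest of the role continues outside the hunk.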
@@ -1,10 +1,6 @@ --- -- name: Pull Engine container image - containers.podman.podman_image: - name: "{{ iop_engine_container_image }}:{{ iop_engine_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_engine_registry_auth_file }}" +- name: Deploy iop-engine image + ansible.builtin.include_tasks: image.yaml - name: Create Engine config secret containers.podman.podman_secret: @@ -16,7 +12,7 @@ - name: Deploy Engine container containers.podman.podman_container: name: iop-core-engine - image: "{{ iop_engine_container_image }}:{{ iop_engine_container_tag }}" + image: iop-engine.image state: quadlet command: insights-core-engine /var/config.yml secrets: @@ -32,7 +28,6 @@ After=iop-core-kafka.service iop-core-ingress.service iop-core-puptoo.service Wants=iop-core-kafka.service iop-core-ingress.service iop-core-puptoo.service [Service] - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json Restart=on-failure [Install] WantedBy=default.target diff --git a/src/roles/iop_gateway/defaults/main.yaml b/src/roles/iop_gateway/defaults/main.yaml index 0e6209e98..e09d37c3d 100644 --- a/src/roles/iop_gateway/defaults/main.yaml +++ b/src/roles/iop_gateway/defaults/main.yaml @@ -1,7 +1,6 @@ --- iop_gateway_container_image: "quay.io/iop/gateway" iop_gateway_container_tag: "foreman-3.18" -iop_gateway_registry_auth_file: /etc/foreman/registry-auth.json iop_gateway_server_certificate: "/root/certificates/certs/localhost.crt" iop_gateway_server_key: "/root/certificates/private/localhost.key" diff --git a/src/roles/iop_gateway/tasks/image.yaml b/src/roles/iop_gateway/tasks/image.yaml new file mode 100644 index 000000000..abac5bcb3 --- /dev/null +++ b/src/roles/iop_gateway/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-gateway image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-gateway + image: "{{ iop_gateway_container_image }}:{{ iop_gateway_container_tag }}" 
diff --git a/src/roles/iop_gateway/tasks/main.yaml b/src/roles/iop_gateway/tasks/main.yaml index ca168b66c..1be38f938 100644 --- a/src/roles/iop_gateway/tasks/main.yaml +++ b/src/roles/iop_gateway/tasks/main.yaml @@ -1,10 +1,6 @@ --- -- name: Pull Gateway container image - containers.podman.podman_image: - name: "{{ iop_gateway_container_image }}:{{ iop_gateway_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_gateway_registry_auth_file }}" +- name: Deploy iop-gateway image + ansible.builtin.include_tasks: image.yaml - name: Create Gateway server certificate secret containers.podman.podman_secret: @@ -58,14 +54,12 @@ - name: Deploy Gateway container containers.podman.podman_container: name: iop-core-gateway - image: "{{ iop_gateway_container_image }}:{{ iop_gateway_container_tag }}" + image: iop-gateway.image state: quadlet network: - iop-core-network publish: - "127.0.0.1:24443:8443" - env: - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-core-gateway-server-cert,target=/etc/nginx/certs/nginx.crt,mode=0440,uid=998,gid=998,type=mount' - 'iop-core-gateway-server-key,target=/etc/nginx/certs/nginx.key,mode=0440,uid=998,gid=998,type=mount' diff --git a/src/roles/iop_ingress/defaults/main.yaml b/src/roles/iop_ingress/defaults/main.yaml index e930e2634..8bce99a9b 100644 --- a/src/roles/iop_ingress/defaults/main.yaml +++ b/src/roles/iop_ingress/defaults/main.yaml @@ -1,4 +1,3 @@ --- iop_ingress_container_image: "quay.io/iop/ingress" iop_ingress_container_tag: "foreman-3.18" -iop_ingress_registry_auth_file: /etc/foreman/registry-auth.json diff --git a/src/roles/iop_ingress/tasks/image.yaml b/src/roles/iop_ingress/tasks/image.yaml new file mode 100644 index 000000000..1524f716c --- /dev/null +++ b/src/roles/iop_ingress/tasks/image.yaml 
@@ -0,0 +1,9 @@ +--- +- name: Deploy iop-ingress image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-ingress + image: "{{ iop_ingress_container_image }}:{{ iop_ingress_container_tag }}" diff --git a/src/roles/iop_ingress/tasks/main.yaml b/src/roles/iop_ingress/tasks/main.yaml index 0b49daadc..303f0adfd 100644 --- a/src/roles/iop_ingress/tasks/main.yaml +++ b/src/roles/iop_ingress/tasks/main.yaml @@ -1,15 +1,11 @@ --- -- name: Pull Ingress container image - containers.podman.podman_image: - name: "{{ iop_ingress_container_image }}:{{ iop_ingress_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_ingress_registry_auth_file }}" +- name: Deploy iop-ingress image + ansible.builtin.include_tasks: image.yaml - name: Deploy Ingress container containers.podman.podman_container: name: iop-core-ingress - image: "{{ iop_ingress_container_image }}:{{ iop_ingress_container_tag }}" + image: iop-ingress.image state: quadlet env: INGRESS_VALID_UPLOAD_TYPES: "advisor,compliance,qpc,rhv,tower,leapp-reporting,xavier,playbook,playbook-sat,malware-detection,tasks" diff --git a/src/roles/iop_inventory/defaults/main.yaml b/src/roles/iop_inventory/defaults/main.yaml index b287bbf78..ce4991b76 100644 --- a/src/roles/iop_inventory/defaults/main.yaml +++ b/src/roles/iop_inventory/defaults/main.yaml @@ -1,7 +1,6 @@ --- iop_inventory_container_image: "quay.io/iop/host-inventory" iop_inventory_container_tag: "foreman-3.18" -iop_inventory_registry_auth_file: /etc/foreman/registry-auth.json iop_inventory_database_name: inventory_db iop_inventory_database_user: inventory_admin diff --git a/src/roles/iop_inventory/tasks/image.yaml b/src/roles/iop_inventory/tasks/image.yaml new file mode 100644 index 000000000..43caefdc6 --- /dev/null +++ b/src/roles/iop_inventory/tasks/image.yaml 
@@ -0,0 +1,9 @@ +--- +- name: Deploy iop-inventory image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-inventory + image: "{{ iop_inventory_container_image }}:{{ iop_inventory_container_tag }}" diff --git a/src/roles/iop_inventory/tasks/main.yaml b/src/roles/iop_inventory/tasks/main.yaml index 158007f83..1c575170c 100644 --- a/src/roles/iop_inventory/tasks/main.yaml +++ b/src/roles/iop_inventory/tasks/main.yaml @@ -1,10 +1,6 @@ --- -- name: Pull Host Inventory container image - containers.podman.podman_image: - name: "{{ iop_inventory_container_image }}:{{ iop_inventory_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_inventory_registry_auth_file }}" +- name: Deploy iop-inventory image + ansible.builtin.include_tasks: image.yaml - name: Create podman secret for inventory database username containers.podman.podman_secret: @@ -39,7 +35,7 @@ - name: Deploy Host Inventory Database Migration Container containers.podman.podman_container: name: iop-core-host-inventory-migrate - image: "{{ iop_inventory_container_image }}:{{ iop_inventory_container_tag }}" + image: iop-inventory.image state: quadlet command: make upgrade_db network: @@ -48,7 +44,6 @@ KAFKA_BOOTSTRAP_SERVERS: "PLAINTEXT://iop-core-kafka:9092" USE_SUBMAN_ID: "true" INVENTORY_DB_SSL_MODE: "disable" - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-core-host-inventory-database-username,type=env,target=INVENTORY_DB_USER' - 'iop-core-host-inventory-database-password,type=env,target=INVENTORY_DB_PASS' @@ -68,7 +63,7 @@ - name: Deploy Host Inventory MQ Service Container containers.podman.podman_container: name: iop-core-host-inventory - image: "{{ iop_inventory_container_image }}:{{ iop_inventory_container_tag }}" + image: iop-inventory.image state: quadlet command: make run_inv_mq_service network: 
@@ -77,7 +72,6 @@ KAFKA_BOOTSTRAP_SERVERS: "PLAINTEXT://iop-core-kafka:9092" USE_SUBMAN_ID: "true" INVENTORY_DB_SSL_MODE: "disable" - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-core-host-inventory-database-username,type=env,target=INVENTORY_DB_USER' - 'iop-core-host-inventory-database-password,type=env,target=INVENTORY_DB_PASS' @@ -98,7 +92,7 @@ - name: Deploy Host Inventory API Container containers.podman.podman_container: name: iop-core-host-inventory-api - image: "{{ iop_inventory_container_image }}:{{ iop_inventory_container_tag }}" + image: iop-inventory.image state: quadlet command: python run_gunicorn.py network: @@ -109,7 +103,6 @@ BYPASS_RBAC: "true" USE_SUBMAN_ID: "true" INVENTORY_DB_SSL_MODE: "disable" - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-core-host-inventory-database-username,type=env,target=INVENTORY_DB_USER' - 'iop-core-host-inventory-database-password,type=env,target=INVENTORY_DB_PASS' @@ -128,7 +121,7 @@ - name: Deploy Host Inventory Cleanup Container containers.podman.podman_container: name: iop-core-host-inventory-cleanup - image: "{{ iop_inventory_container_image }}:{{ iop_inventory_container_tag }}" + image: iop-inventory.image state: quadlet command: make run_host_delete_access_tags network: @@ -138,7 +131,6 @@ USE_SUBMAN_ID: "true" INVENTORY_DB_SSL_MODE: "disable" PYTHONPATH: "/opt/app-root/src" - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-core-host-inventory-database-username,type=env,target=INVENTORY_DB_USER' - 'iop-core-host-inventory-database-password,type=env,target=INVENTORY_DB_PASS' diff --git a/src/roles/iop_inventory_frontend/defaults/main.yaml b/src/roles/iop_inventory_frontend/defaults/main.yaml index cd2964b62..2448a31e6 100644 --- a/src/roles/iop_inventory_frontend/defaults/main.yaml +++ b/src/roles/iop_inventory_frontend/defaults/main.yaml 
@@ -1,6 +1,5 @@ --- iop_inventory_frontend_container_image: "quay.io/iop/host-inventory-frontend" iop_inventory_frontend_container_tag: "foreman-3.18" -iop_inventory_frontend_registry_auth_file: /etc/foreman/registry-auth.json iop_inventory_frontend_assets_path: "/var/www/iop/assets/apps/inventory" iop_inventory_frontend_source_path: "/srv/dist/." diff --git a/src/roles/iop_inventory_frontend/tasks/image.yaml b/src/roles/iop_inventory_frontend/tasks/image.yaml new file mode 100644 index 000000000..251b7ea9a --- /dev/null +++ b/src/roles/iop_inventory_frontend/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-inventory-frontend image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-inventory-frontend + image: "{{ iop_inventory_frontend_container_image }}:{{ iop_inventory_frontend_container_tag }}" diff --git a/src/roles/iop_inventory_frontend/tasks/main.yaml b/src/roles/iop_inventory_frontend/tasks/main.yaml index 6d2e5be3f..12c73b678 100644 --- a/src/roles/iop_inventory_frontend/tasks/main.yaml +++ b/src/roles/iop_inventory_frontend/tasks/main.yaml @@ -1,10 +1,15 @@ --- -- name: Pull Inventory Frontend container image - containers.podman.podman_image: - name: "{{ iop_inventory_frontend_container_image }}:{{ iop_inventory_frontend_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_inventory_frontend_registry_auth_file }}" +- name: Deploy iop-inventory-frontend image + ansible.builtin.include_tasks: image.yaml + +- name: Run daemon reload for image unit + ansible.builtin.systemd: + daemon_reload: true + +- name: Pull Inventory Frontend image via quadlet unit + ansible.builtin.systemd: + name: iop-inventory-frontend-image.service + state: started - name: Ensure parent assets directory exists ansible.builtin.file: diff --git a/src/roles/iop_kafka/defaults/main.yaml b/src/roles/iop_kafka/defaults/main.yaml index 71b5179e8..176858bc7 100644 
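Review bot: `state: started` on `iop-inventory-frontend-image.service` will not re-pull after the image reference changes: as far as I recall, quadlet generates `.image` units as oneshot services that remain active after the first successful pull (worth confirming against podman-image.unit(5)), so on a re-run with a new `iop_inventory_frontend_container_tag` the unit is already `active (exited)`, the task is a no-op, and the old frontend assets stay in place. Use `state: restarted` (a pull of an already-present image is cheap), or restart only when the unit content written inside `deploy_image.yaml` changed. The same pattern appears in the `iop_vulnerability_frontend/tasks/main.yaml` hunk.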
--- a/src/roles/iop_kafka/defaults/main.yaml +++ b/src/roles/iop_kafka/defaults/main.yaml @@ -1,4 +1,3 @@ --- iop_kafka_container_image: "quay.io/strimzi/kafka" iop_kafka_container_tag: "latest-kafka-3.7.1" -iop_kafka_registry_auth_file: /etc/foreman/registry-auth.json diff --git a/src/roles/iop_kafka/tasks/image.yaml b/src/roles/iop_kafka/tasks/image.yaml new file mode 100644 index 000000000..ad5f6ecad --- /dev/null +++ b/src/roles/iop_kafka/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-kafka image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-kafka + image: "{{ iop_kafka_container_image }}:{{ iop_kafka_container_tag }}" diff --git a/src/roles/iop_kafka/tasks/main.yaml b/src/roles/iop_kafka/tasks/main.yaml index 8906b5417..b2c996549 100644 --- a/src/roles/iop_kafka/tasks/main.yaml +++ b/src/roles/iop_kafka/tasks/main.yaml @@ -1,10 +1,6 @@ --- -- name: Pull Kafka container image - containers.podman.podman_image: - name: "{{ iop_kafka_container_image }}:{{ iop_kafka_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_kafka_registry_auth_file }}" +- name: Deploy iop-kafka image + ansible.builtin.include_tasks: image.yaml - name: Create Kafka init script secret containers.podman.podman_secret: @@ -35,7 +31,7 @@ - name: Deploy Kafka container containers.podman.podman_container: name: iop-core-kafka - image: "{{ iop_kafka_container_image }}:{{ iop_kafka_container_tag }}" + image: iop-kafka.image state: quadlet command: sh bin/init-start.sh network: diff --git a/src/roles/iop_puptoo/defaults/main.yaml b/src/roles/iop_puptoo/defaults/main.yaml index c49eb8f74..8a6d20828 100644 --- a/src/roles/iop_puptoo/defaults/main.yaml +++ b/src/roles/iop_puptoo/defaults/main.yaml @@ -1,4 +1,3 @@ --- iop_puptoo_container_image: "quay.io/iop/puptoo" iop_puptoo_container_tag: "foreman-3.18" -iop_puptoo_registry_auth_file: /etc/foreman/registry-auth.json 
diff --git a/src/roles/iop_puptoo/tasks/image.yaml b/src/roles/iop_puptoo/tasks/image.yaml new file mode 100644 index 000000000..60206a801 --- /dev/null +++ b/src/roles/iop_puptoo/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-puptoo image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-puptoo + image: "{{ iop_puptoo_container_image }}:{{ iop_puptoo_container_tag }}" diff --git a/src/roles/iop_puptoo/tasks/main.yaml b/src/roles/iop_puptoo/tasks/main.yaml index c219f6dfd..eb114a93a 100644 --- a/src/roles/iop_puptoo/tasks/main.yaml +++ b/src/roles/iop_puptoo/tasks/main.yaml @@ -1,15 +1,11 @@ --- -- name: Pull Puptoo container image - containers.podman.podman_image: - name: "{{ iop_puptoo_container_image }}:{{ iop_puptoo_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_puptoo_registry_auth_file }}" +- name: Deploy iop-puptoo image + ansible.builtin.include_tasks: image.yaml - name: Deploy Puptoo container containers.podman.podman_container: name: iop-core-puptoo - image: "{{ iop_puptoo_container_image }}:{{ iop_puptoo_container_tag }}" + image: iop-puptoo.image state: quadlet env: BOOTSTRAP_SERVERS: "iop-core-kafka:9092" diff --git a/src/roles/iop_remediation/defaults/main.yaml b/src/roles/iop_remediation/defaults/main.yaml index 99bceb8e9..29710f735 100644 --- a/src/roles/iop_remediation/defaults/main.yaml +++ b/src/roles/iop_remediation/defaults/main.yaml @@ -1,7 +1,6 @@ --- iop_remediation_container_image: "quay.io/iop/remediations" iop_remediation_container_tag: "foreman-3.18" -iop_remediation_registry_auth_file: /etc/foreman/registry-auth.json iop_remediation_database_name: remediations_db iop_remediation_database_user: remediations_user diff --git a/src/roles/iop_remediation/tasks/image.yaml b/src/roles/iop_remediation/tasks/image.yaml new file mode 100644 index 000000000..c40cf6338 --- /dev/null +++ b/src/roles/iop_remediation/tasks/image.yaml 
@@ -0,0 +1,9 @@ +--- +- name: Deploy iop-remediation image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-remediation + image: "{{ iop_remediation_container_image }}:{{ iop_remediation_container_tag }}" diff --git a/src/roles/iop_remediation/tasks/main.yaml b/src/roles/iop_remediation/tasks/main.yaml index dc50d4de8..00b6ae6e3 100644 --- a/src/roles/iop_remediation/tasks/main.yaml +++ b/src/roles/iop_remediation/tasks/main.yaml @@ -1,10 +1,6 @@ --- -- name: Pull Remediation container image - containers.podman.podman_image: - name: "{{ iop_remediation_container_image }}:{{ iop_remediation_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_remediation_registry_auth_file }}" +- name: Deploy iop-remediation image + ansible.builtin.include_tasks: image.yaml - name: Create Remediation database username secret containers.podman.podman_secret: @@ -44,7 +40,7 @@ - name: Deploy Remediation API container containers.podman.podman_container: name: iop-service-remediations-api - image: "{{ iop_remediation_container_image }}:{{ iop_remediation_container_tag }}" + image: iop-remediation.image state: quadlet network: - iop-core-network @@ -56,7 +52,6 @@ ADVISOR_HOST: "http://iop-service-advisor-backend-api:8000" INVENTORY_HOST: "http://iop-core-host-inventory-api:8081" DB_SSL_ENABLED: "false" - REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json" secrets: - 'iop-service-remediations-db-username,type=env,target=DB_USERNAME' - 'iop-service-remediations-db-password,type=env,target=DB_PASSWORD' diff --git a/src/roles/iop_vmaas/defaults/main.yaml b/src/roles/iop_vmaas/defaults/main.yaml index 2d5f0511f..0ba603ee1 100644 --- a/src/roles/iop_vmaas/defaults/main.yaml +++ b/src/roles/iop_vmaas/defaults/main.yaml 
@@ -1,7 +1,6 @@ --- iop_vmaas_container_image: "quay.io/iop/vmaas" iop_vmaas_container_tag: "foreman-3.18" -iop_vmaas_registry_auth_file: /etc/foreman/registry-auth.json iop_vmaas_database_name: vmaas_db iop_vmaas_database_user: vmaas_admin diff --git a/src/roles/iop_vmaas/tasks/image.yaml b/src/roles/iop_vmaas/tasks/image.yaml new file mode 100644 index 000000000..5e6bb2991 --- /dev/null +++ b/src/roles/iop_vmaas/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-vmaas image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-vmaas + image: "{{ iop_vmaas_container_image }}:{{ iop_vmaas_container_tag }}" diff --git a/src/roles/iop_vmaas/tasks/main.yaml b/src/roles/iop_vmaas/tasks/main.yaml index 3b1b7ec5a..2292561e3 100644 --- a/src/roles/iop_vmaas/tasks/main.yaml +++ b/src/roles/iop_vmaas/tasks/main.yaml @@ -1,17 +1,13 @@ --- +- name: Deploy iop-vmaas image + ansible.builtin.include_tasks: image.yaml + - name: Create VMAAS client CA certificate secret containers.podman.podman_secret: state: present name: iop-service-vmaas-reposcan-client-ca-cert path: "{{ iop_vmaas_client_ca_certificate }}" -- name: Pull VMAAS container image - containers.podman.podman_image: - name: "{{ iop_vmaas_container_image }}:{{ iop_vmaas_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_vmaas_registry_auth_file }}" - - name: Create VMAAS database secrets containers.podman.podman_secret: name: "{{ item.name }}" @@ -39,7 +35,7 @@ - name: Deploy VMAAS Reposcan container containers.podman.podman_container: name: iop-service-vmaas-reposcan - image: "{{ iop_vmaas_container_image }}:{{ iop_vmaas_container_tag }}" + image: iop-vmaas.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network 
@@ -72,14 +68,13 @@ Description=VMAAS Reposcan Service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target - name: Deploy VMAAS Webapp-Go container containers.podman.podman_container: name: iop-service-vmaas-webapp-go - image: "{{ iop_vmaas_container_image }}:{{ iop_vmaas_container_tag }}" + image: iop-vmaas.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -104,7 +99,6 @@ After=iop-service-vmaas-reposcan.service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target diff --git a/src/roles/iop_vulnerability/defaults/main.yaml b/src/roles/iop_vulnerability/defaults/main.yaml index 4811acf93..0c9923a4f 100644 --- a/src/roles/iop_vulnerability/defaults/main.yaml +++ b/src/roles/iop_vulnerability/defaults/main.yaml @@ -1,7 +1,6 @@ --- iop_vulnerability_container_image: "quay.io/iop/vulnerability-engine" iop_vulnerability_container_tag: "foreman-3.18" -iop_vulnerability_registry_auth_file: /etc/foreman/registry-auth.json iop_vulnerability_database_name: vulnerability_db iop_vulnerability_database_user: vulnerability_admin diff --git a/src/roles/iop_vulnerability/tasks/image.yaml b/src/roles/iop_vulnerability/tasks/image.yaml new file mode 100644 index 000000000..e1468a83d --- /dev/null +++ b/src/roles/iop_vulnerability/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-vulnerability image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-vulnerability + image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" diff --git a/src/roles/iop_vulnerability/tasks/main.yaml b/src/roles/iop_vulnerability/tasks/main.yaml index 5b4f21e2a..0ad8067bd 100644 --- a/src/roles/iop_vulnerability/tasks/main.yaml +++ b/src/roles/iop_vulnerability/tasks/main.yaml 
@@ -1,10 +1,6 @@ --- -- name: Pull Vulnerability container image - containers.podman.podman_image: - name: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_vulnerability_registry_auth_file }}" +- name: Deploy iop-vulnerability image + ansible.builtin.include_tasks: image.yaml - name: Create vulnerability database secrets containers.podman.podman_secret: @@ -47,7 +43,7 @@ - name: Deploy Vulnerability Database Upgrade container containers.podman.podman_container: name: iop-service-vuln-dbupgrade - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -69,7 +65,6 @@ [Service] Type=oneshot RemainAfterExit=true - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target notify: Restart vulnerability dbupgrade @@ -78,7 +73,7 @@ - name: Deploy Vulnerability Manager container containers.podman.podman_container: name: iop-service-vuln-manager - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -101,7 +96,6 @@ Requires=iop-service-vuln-dbupgrade.service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target notify: Restart vulnerability manager @@ -110,7 +104,7 @@ - name: Deploy Vulnerability Taskomatic container containers.podman.podman_container: name: iop-service-vuln-taskomatic - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network 
@@ -135,7 +129,6 @@ After=iop-service-vuln-manager.service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target notify: Restart vulnerability taskomatic @@ -144,7 +137,7 @@ - name: Deploy Vulnerability Grouper container containers.podman.podman_container: name: iop-service-vuln-grouper - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -173,7 +166,6 @@ After=iop-service-vuln-manager.service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target notify: Restart vulnerability grouper @@ -182,7 +174,7 @@ - name: Deploy Vulnerability Listener container containers.podman.podman_container: name: iop-service-vuln-listener - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -211,7 +203,6 @@ After=iop-service-vuln-manager.service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target notify: Restart vulnerability listener @@ -220,7 +211,7 @@ - name: Deploy Vulnerability Evaluator (Recalc) container containers.podman.podman_container: name: iop-service-vuln-evaluator-recalc - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -249,7 +240,6 @@ After=iop-service-vuln-manager.service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target notify: Restart vulnerability evaluator-recalc 
@@ -258,7 +248,7 @@ - name: Deploy Vulnerability Evaluator (Upload) container containers.podman.podman_container: name: iop-service-vuln-evaluator-upload - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -287,7 +277,6 @@ After=iop-service-vuln-grouper.service iop-service-vuln-manager.service [Service] Restart=on-failure - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json [Install] WantedBy=default.target notify: Restart vulnerability evaluator-upload @@ -296,7 +285,7 @@ - name: Deploy Vulnerability VMAAS Sync container containers.podman.podman_container: name: iop-service-vuln-vmaas-sync - image: "{{ iop_vulnerability_container_image }}:{{ iop_vulnerability_container_tag }}" + image: iop-vulnerability.image state: quadlet quadlet_dir: /etc/containers/systemd network: iop-core-network @@ -322,7 +311,6 @@ After=iop-service-vmaas-webapp-go.service iop-service-vuln-manager.service [Service] Type=oneshot - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json - name: Create VMAAS Sync systemd timer ansible.builtin.copy: diff --git a/src/roles/iop_vulnerability_frontend/defaults/main.yaml b/src/roles/iop_vulnerability_frontend/defaults/main.yaml index 0b8bf79c0..5b4b6cb3c 100644 --- a/src/roles/iop_vulnerability_frontend/defaults/main.yaml +++ b/src/roles/iop_vulnerability_frontend/defaults/main.yaml @@ -1,6 +1,5 @@ --- iop_vulnerability_frontend_container_image: "quay.io/iop/vulnerability-frontend" iop_vulnerability_frontend_container_tag: "foreman-3.18" -iop_vulnerability_frontend_registry_auth_file: /etc/foreman/registry-auth.json iop_vulnerability_frontend_assets_path: "/var/www/iop/assets/apps/vulnerability" iop_vulnerability_frontend_source_path: "/srv/dist/." 
diff --git a/src/roles/iop_vulnerability_frontend/tasks/image.yaml b/src/roles/iop_vulnerability_frontend/tasks/image.yaml new file mode 100644 index 000000000..b442eb41d --- /dev/null +++ b/src/roles/iop_vulnerability_frontend/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-vulnerability-frontend image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-vulnerability-frontend + image: "{{ iop_vulnerability_frontend_container_image }}:{{ iop_vulnerability_frontend_container_tag }}" diff --git a/src/roles/iop_vulnerability_frontend/tasks/main.yaml b/src/roles/iop_vulnerability_frontend/tasks/main.yaml index c21cd053a..216b283b0 100644 --- a/src/roles/iop_vulnerability_frontend/tasks/main.yaml +++ b/src/roles/iop_vulnerability_frontend/tasks/main.yaml @@ -1,10 +1,15 @@ --- -- name: Pull Vulnerability Frontend container image - containers.podman.podman_image: - name: "{{ iop_vulnerability_frontend_container_image }}:{{ iop_vulnerability_frontend_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_vulnerability_frontend_registry_auth_file }}" +- name: Deploy iop-vulnerability-frontend image + ansible.builtin.include_tasks: image.yaml + +- name: Run daemon reload for image unit + ansible.builtin.systemd: + daemon_reload: true + +- name: Pull Vulnerability Frontend image via quadlet unit + ansible.builtin.systemd: + name: iop-vulnerability-frontend-image.service + state: started - name: Ensure parent assets directory exists ansible.builtin.file: diff --git a/src/roles/iop_yuptoo/defaults/main.yaml b/src/roles/iop_yuptoo/defaults/main.yaml index 4d983f61f..28ff3a78c 100644 --- a/src/roles/iop_yuptoo/defaults/main.yaml +++ b/src/roles/iop_yuptoo/defaults/main.yaml @@ -1,4 +1,3 @@ --- iop_yuptoo_container_image: "quay.io/iop/yuptoo" iop_yuptoo_container_tag: "foreman-3.18" -iop_yuptoo_registry_auth_file: /etc/foreman/registry-auth.json 
diff --git a/src/roles/iop_yuptoo/tasks/image.yaml b/src/roles/iop_yuptoo/tasks/image.yaml new file mode 100644 index 000000000..e5b0f17f3 --- /dev/null +++ b/src/roles/iop_yuptoo/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy iop-yuptoo image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: iop-yuptoo + image: "{{ iop_yuptoo_container_image }}:{{ iop_yuptoo_container_tag }}" diff --git a/src/roles/iop_yuptoo/tasks/main.yaml b/src/roles/iop_yuptoo/tasks/main.yaml index 007e5ebad..35b9cf6b7 100644 --- a/src/roles/iop_yuptoo/tasks/main.yaml +++ b/src/roles/iop_yuptoo/tasks/main.yaml @@ -1,15 +1,11 @@ --- -- name: Pull Yuptoo container image - containers.podman.podman_image: - name: "{{ iop_yuptoo_container_image }}:{{ iop_yuptoo_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ iop_yuptoo_registry_auth_file }}" +- name: Deploy iop-yuptoo image + ansible.builtin.include_tasks: image.yaml - name: Deploy Yuptoo container containers.podman.podman_container: name: iop-core-yuptoo - image: "{{ iop_yuptoo_container_image }}:{{ iop_yuptoo_container_tag }}" + image: iop-yuptoo.image state: quadlet command: python -m main env: @@ -22,7 +18,6 @@ [Unit] Description=IOP Core Yuptoo Container [Service] - Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json Restart=on-failure [Install] WantedBy=default.target diff --git a/src/roles/postgresql/defaults/main.yml b/src/roles/postgresql/defaults/main.yml index 7c80c3a68..0530ec787 100644 --- a/src/roles/postgresql/defaults/main.yml +++ b/src/roles/postgresql/defaults/main.yml @@ -1,7 +1,6 @@ --- postgresql_container_image: quay.io/sclorg/postgresql-13-c9s postgresql_container_tag: "latest" -postgresql_registry_auth_file: /etc/foreman/registry-auth.json postgresql_container_name: postgresql postgresql_network: host postgresql_restart_policy: always 
diff --git a/src/roles/postgresql/tasks/image.yaml b/src/roles/postgresql/tasks/image.yaml new file mode 100644 index 000000000..418d6635f --- /dev/null +++ b/src/roles/postgresql/tasks/image.yaml @@ -0,0 +1,9 @@ +--- +- name: Deploy postgresql image unit + ansible.builtin.include_role: + name: images + tasks_from: deploy_image.yaml + vars: + images_definition: + name: postgresql + image: "{{ postgresql_container_image }}:{{ postgresql_container_tag }}" diff --git a/src/roles/postgresql/tasks/main.yml b/src/roles/postgresql/tasks/main.yml index fe13649ed..ec860a69a 100644 --- a/src/roles/postgresql/tasks/main.yml +++ b/src/roles/postgresql/tasks/main.yml @@ -1,10 +1,6 @@ --- -- name: Pull PostgreSQL container image - containers.podman.podman_image: - name: "{{ postgresql_container_image }}:{{ postgresql_container_tag }}" - state: present - environment: - REGISTRY_AUTH_FILE: "{{ postgresql_registry_auth_file }}" +- name: Deploy postgresql image + ansible.builtin.include_tasks: image.yaml - name: Create PostgreSQL storage directory ansible.builtin.file: @@ -24,7 +20,7 @@ - name: Deploy PostgreSQL container containers.podman.podman_container: name: "{{ postgresql_container_name }}" - image: "{{ postgresql_container_image }}:{{ postgresql_container_tag }}" + image: postgresql.image state: quadlet healthcheck: pg_isready sdnotify: healthy diff --git a/src/roles/pulp/defaults/main.yaml b/src/roles/pulp/defaults/main.yaml index a4b9fa44a..ff22558db 100644 --- a/src/roles/pulp/defaults/main.yaml +++ b/src/roles/pulp/defaults/main.yaml @@ -1,7 +1,6 @@ --- pulp_container_image: quay.io/foreman/pulp pulp_container_tag: "3.73" -pulp_registry_auth_file: /etc/foreman/registry-auth.json pulp_api_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}" pulp_content_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}" pulp_worker_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}" 
diff --git a/src/roles/pulp/tasks/image.yaml b/src/roles/pulp/tasks/image.yaml
new file mode 100644
index 000000000..6e69de249
--- /dev/null
+++ b/src/roles/pulp/tasks/image.yaml
@@ -0,0 +1,9 @@
+---
+- name: Deploy pulp image unit
+ ansible.builtin.include_role:
+ name: images
+ tasks_from: deploy_image.yaml
+ vars:
+ images_definition:
+ name: pulp
+ image: "{{ pulp_container_image }}:{{ pulp_container_tag }}"
diff --git a/src/roles/pulp/tasks/main.yaml b/src/roles/pulp/tasks/main.yaml
index 66dcad042..7eab84e07 100644
--- a/src/roles/pulp/tasks/main.yaml
+++ b/src/roles/pulp/tasks/main.yaml
@@ -1,24 +1,6 @@
 ---
-- name: Pull the Pulp API container image
- containers.podman.podman_image:
- name: "{{ pulp_api_image }}"
- state: present
- environment:
- REGISTRY_AUTH_FILE: "{{ pulp_registry_auth_file }}"
-
-- name: Pull the Pulp Content container image
- containers.podman.podman_image:
- name: "{{ pulp_content_image }}"
- state: present
- environment:
- REGISTRY_AUTH_FILE: "{{ pulp_registry_auth_file }}"
-
-- name: Pull the Pulp Worker container image
- containers.podman.podman_image:
- name: "{{ pulp_worker_image }}"
- state: present
- environment:
- REGISTRY_AUTH_FILE: "{{ pulp_registry_auth_file }}"
+- name: Deploy pulp image
+ ansible.builtin.include_tasks: image.yaml
 
 - name: Create Pulp storage
 ansible.builtin.file:
@@ -97,7 +79,7 @@
 - name: Deploy Pulp API Container
 containers.podman.podman_container:
 name: "{{ pulp_api_container_name }}"
- image: "{{ pulp_api_image }}"
+ image: pulp.image
 state: quadlet
 sdnotify: true
 command: pulp-api
@@ -128,7 +110,7 @@
 - name: Deploy Pulp Content Container
 containers.podman.podman_container:
 name: "{{ pulp_content_container_name }}"
- image: "{{ pulp_content_image }}"
+ image: pulp.image
 state: quadlet
 sdnotify: true
 command: pulp-content
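Review bot: After the `@@ -97,7 +79,7 @@` and `@@ -128,7 +110,7 @@` hunks (and the worker hunk that follows), `pulp_api_image`, `pulp_content_image` and `pulp_worker_image` are no longer referenced by any task — every container points at `pulp.image`, and `image.yaml` builds that unit from `pulp_container_image`/`pulp_container_tag` directly — yet the defaults hunk above keeps all three defined. An inventory that overrides one of them per container now gets a silent no-op instead of the image it asked for. Either remove the three defaults with a changelog note, or fail loudly when they diverge from the shared image, e.g. `- ansible.builtin.assert: { that: pulp_api_image == pulp_container_image ~ ':' ~ pulp_container_tag }` ahead of the image deploy.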
@@ -160,7 +142,7 @@
 containers.podman.podman_container:
 name: "{{ pulp_worker_container_name }}-%i"
 quadlet_filename: "{{ pulp_worker_container_name }}@"
- image: "{{ pulp_worker_image }}"
+ image: pulp.image
 state: quadlet
 command: pulp-worker
 network: host
@@ -207,17 +189,13 @@
 [Install]
 WantedBy=foreman.target
 
-- name: Run daemon reload to load service files
- ansible.builtin.systemd:
- daemon_reload: true
-
-- name: Migrate the Pulp database
+- name: Deploy Pulp database migration container
 containers.podman.podman_container:
 name: pulpcore-manager-migrate
- image: "{{ pulp_api_image }}"
+ state: quadlet
+ image: pulp.image
+ sdnotify: false
 command: pulpcore-manager migrate --noinput
- detach: false
- rm: true
 network: host
 volumes: "{{ pulp_volumes }}"
 secrets:
@@ -225,14 +203,20 @@
 - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
 - 'pulp-db-ca,type=mount,target={{ pulp_database_ssl_ca_path }}'
 env: "{{ pulp_settings_database_env }}"
+ quadlet_options:
+ - |
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+ TimeoutStartSec=30m
 
-- name: Ensure Pulp admin user exists
+- name: Deploy Pulp admin password container
 containers.podman.podman_container:
 name: pulpcore-manager-admin-password
- image: "{{ pulp_api_image }}"
+ state: quadlet
+ image: pulp.image
+ sdnotify: false
 command: pulpcore-manager reset-admin-password --random
- detach: false
- rm: true
 network: host
 volumes: "{{ pulp_volumes }}"
 secrets:
@@ -240,6 +224,30 @@
 - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
 - 'pulp-db-ca,type=mount,target={{ pulp_database_ssl_ca_path }}'
 env: "{{ pulp_settings_database_env }}"
+ quadlet_options:
+ - |
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+ TimeoutStartSec=10m
+
+- name: Run daemon reload to load service files
+ ansible.builtin.systemd:
+ daemon_reload: true
+
+- name: Migrate the Pulp database
+ ansible.builtin.systemd:
+ name: pulpcore-manager-migrate.service
+ state: restarted
+ async: 1800
+ poll: 10
+
+- name: Ensure Pulp admin user exists
+ ansible.builtin.systemd:
+ name: pulpcore-manager-admin-password.service
+ state: restarted
+ async: 600
+ poll: 10
 
 - name: Flush handlers to restart services
 ansible.builtin.meta: flush_handlers
diff --git a/src/roles/redis/defaults/main.yml b/src/roles/redis/defaults/main.yml
index 1b0e2af3f..5c0c3e140 100644
--- a/src/roles/redis/defaults/main.yml
+++ b/src/roles/redis/defaults/main.yml
@@ -1,4 +1,3 @@
 ---
 redis_container_image: quay.io/sclorg/redis-6-c9s
 redis_container_tag: "latest"
-redis_registry_auth_file: /etc/foreman/registry-auth.json
diff --git a/src/roles/redis/tasks/image.yaml b/src/roles/redis/tasks/image.yaml
new file mode 100644
index 000000000..789a307be
--- /dev/null
+++ b/src/roles/redis/tasks/image.yaml
@@ -0,0 +1,9 @@
+---
+- name: Deploy redis image unit
+ ansible.builtin.include_role:
+ name: images
+ tasks_from: deploy_image.yaml
+ vars:
+ images_definition:
+ name: redis
+ image: "{{ redis_container_image }}:{{ redis_container_tag }}"
diff --git a/src/roles/redis/tasks/main.yaml b/src/roles/redis/tasks/main.yaml
index 93837c90c..76a96378e 100644
--- a/src/roles/redis/tasks/main.yaml
+++ b/src/roles/redis/tasks/main.yaml
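Review bot: `pulpcore-manager reset-admin-password --random` is now driven through `systemctl restart`, so whatever it writes to stdout — presumably the freshly generated admin password — lands in the journal instead of the Ansible task result, where `journalctl -u pulpcore-manager-admin-password` exposes it to anyone in `systemd-journal` or `adm` and it persists across re-runs. If nothing consumes that value, add `StandardOutput=null` to that unit's `[Service]` block next to `TimeoutStartSec=10m`; if something does, capture it into a root-only file rather than the log. Because both units are `RemainAfterExit=yes` oneshots restarted on every deploy, the admin password also rotates on every run; that matches the old `rm: true` behavior but deserves a comment such as `# Re-run on every deploy; RemainAfterExit keeps the oneshot active after the first success`. The `async`/`poll` budgets (1800s, 600s) match the unit timeouts, so an overrun surfaces as a systemd failure rather than an Ansible one, which is the right place for it.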
@@ -1,10 +1,6 @@
 ---
-- name: Pull Redis container image
- containers.podman.podman_image:
- name: "{{ redis_container_image }}:{{ redis_container_tag }}"
- state: present
- environment:
- REGISTRY_AUTH_FILE: "{{ redis_registry_auth_file }}"
+- name: Deploy redis image
+ ansible.builtin.include_tasks: image.yaml
 
 - name: Create directory for Redis data
 ansible.builtin.file:
@@ -17,7 +13,7 @@
 - name: Run Redis as a container
 containers.podman.podman_container:
 name: redis
- image: "{{ redis_container_image }}:{{ redis_container_tag }}"
+ image: redis.image
 state: quadlet
 network: host
 sdnotify: true
diff --git a/src/vars/images.yml b/src/vars/images.yml
index 65356335f..53694f45b 100644
--- a/src/vars/images.yml
+++ b/src/vars/images.yml
@@ -1,23 +1,5 @@
-registry_auth_file: /etc/foreman/registry-auth.json
-candlepin_registry_auth_file: "{{ registry_auth_file }}"
-foreman_registry_auth_file: "{{ registry_auth_file }}"
-foreman_proxy_registry_auth_file: "{{ registry_auth_file }}"
-postgresql_registry_auth_file: "{{ registry_auth_file }}"
-pulp_registry_auth_file: "{{ registry_auth_file }}"
-redis_registry_auth_file: "{{ registry_auth_file }}"
-iop_kafka_registry_auth_file: "{{ registry_auth_file }}"
-iop_vmaas_registry_auth_file: "{{ registry_auth_file }}"
-iop_vulnerability_registry_auth_file: "{{ registry_auth_file }}"
-iop_inventory_registry_auth_file: "{{ registry_auth_file }}"
-iop_remediation_registry_auth_file: "{{ registry_auth_file }}"
-iop_advisor_registry_auth_file: "{{ registry_auth_file }}"
-iop_gateway_registry_auth_file: "{{ registry_auth_file }}"
-iop_engine_registry_auth_file: "{{ registry_auth_file }}"
-iop_yuptoo_registry_auth_file: "{{ registry_auth_file }}"
-iop_puptoo_registry_auth_file: "{{ registry_auth_file }}"
-iop_ingress_registry_auth_file: "{{ registry_auth_file }}"
-iop_vulnerability_frontend_registry_auth_file: "{{ registry_auth_file }}"
-iop_advisor_frontend_registry_auth_file: "{{ registry_auth_file }}"
+images_quadlet_dir: /etc/containers/systemd
+images_registry_auth_file: /etc/foreman/registry-auth.json
 
 container_tag_stream: "nightly"
 candlepin_container_image: quay.io/foreman/candlepin
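Review bot: The twenty per-component `*_registry_auth_file` variables are removed with no transitional handling, so a deployment that overrode, say, `pulp_registry_auth_file` to point at a separate credential file now silently pulls with `images_registry_auth_file` instead and will either fail to authenticate or authenticate with the wrong identity. If any of these were user-settable, an `ansible.builtin.assert` that fails when one of the old names is still defined would make the break visible at deploy time instead of at pull time. A short comment above `images_registry_auth_file` stating that it is the single auth file applied to every `.image` unit would also document the new contract for whoever next touches this file.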
@@ -33,15 +15,3 @@ pulp_container_image: quay.io/foreman/pulp
 pulp_container_tag: "foreman-{{ container_tag_stream }}"
 redis_container_image: quay.io/sclorg/redis-6-c9s
 redis_container_tag: "latest"
-
-images:
- - "{{ candlepin_container_image }}:{{ candlepin_container_tag }}"
- - "{{ foreman_container_image }}:{{ foreman_container_tag }}"
- - "{{ pulp_container_image }}:{{ pulp_container_tag }}"
- - "{{ redis_container_image }}:{{ redis_container_tag }}"
-
-database_images:
- - "{{ postgresql_container_image }}:{{ postgresql_container_tag }}"
-
-foreman_proxy_images:
- - "{{ foreman_proxy_container_image }}:{{ foreman_proxy_container_tag }}"
diff --git a/tests/images_test.py b/tests/images_test.py
new file mode 100644
index 000000000..d708d91ec
--- /dev/null
+++ b/tests/images_test.py
@@ -0,0 +1,58 @@
+import pytest
+
+CORE_IMAGES = [
+ "foreman",
+ "candlepin",
+ "pulp",
+ "redis",
+]
+
+
+@pytest.fixture(params=CORE_IMAGES)
+def core_image(request):
+ return request.param
+
+
+def test_image_file_exists(server, core_image):
+ image_file = server.file(f"/etc/containers/systemd/{core_image}.image")
+ assert image_file.exists and image_file.is_file
+
+
+def test_image_dropin_directory_exists(server, core_image):
+ dropin_dir = server.file(f"/etc/containers/systemd/{core_image}.image.d")
+ assert dropin_dir.exists and dropin_dir.is_directory
+
+
+def test_image_service_exists(server, core_image):
+ service = server.service(f"{core_image}-image")
+ assert service.exists
+
+
+def test_image_registry_auth_file(server, core_image):
+ f = server.file(f"/etc/containers/systemd/{core_image}.image")
+ assert "REGISTRY_AUTH_FILE" in f.content_string
+
+
+def test_postgresql_image_file(server, database_mode):
+ image_file = server.file("/etc/containers/systemd/postgresql.image")
+ if database_mode == 'external':
+ assert not image_file.exists
+ else:
+ assert image_file.exists and image_file.is_file
+
+
+def test_foreman_proxy_image_file(server, enabled_features):
+ image_file = server.file("/etc/containers/systemd/foreman-proxy.image")
+ if 'foreman-proxy' in enabled_features:
+ assert image_file.exists and image_file.is_file
+ else:
+ assert not image_file.exists
+
+
+def test_foreman_proxy_image_registry_auth_file(server, enabled_features):
+ image_file = server.file("/etc/containers/systemd/foreman-proxy.image")
+ if 'foreman-proxy' in enabled_features:
+ assert "REGISTRY_AUTH_FILE" in image_file.content_string
+ else:
+ assert not image_file.exists
+
diff --git a/tests/iop/images_test.py b/tests/iop/images_test.py
new file mode 100644
index 000000000..0fb6d2680
--- /dev/null
+++ b/tests/iop/images_test.py
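Review bot: `test_image_registry_auth_file` only checks that the substring `REGISTRY_AUTH_FILE` appears somewhere in the `.image` unit, so a unit carrying a commented-out or mis-pathed setting still passes; pin the directive the images role actually renders, e.g. `assert "REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json" in f.content_string` (adjusted to the exact `Environment=` form the role emits, which is not visible here). Since that one file now backs every image pull, a companion test asserting it is mode `0600` and root-owned whenever it exists would catch the most likely credential exposure on the host. `test_foreman_proxy_image_registry_auth_file` also repeats the `not image_file.exists` branch already covered by `test_foreman_proxy_image_file`; a `pytest.skip("foreman-proxy not enabled")` in that branch keeps each test about one thing.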
@@ -0,0 +1,32 @@
+import pytest
+
+pytestmark = pytest.mark.feature("iop")
+
+IOP_IMAGES = [
+ "iop-kafka",
+ "iop-ingress",
+ "iop-puptoo",
+ "iop-yuptoo",
+ "iop-engine",
+ "iop-gateway",
+ "iop-inventory",
+ "iop-advisor",
+ "iop-remediation",
+ "iop-vmaas",
+ "iop-vulnerability",
+ "iop-advisor-frontend",
+ "iop-inventory-frontend",
+ "iop-vulnerability-frontend",
+]
+
+
+@pytest.mark.parametrize("image_name", IOP_IMAGES)
+def test_iop_image_file_exists(server, image_name):
+ image_file = server.file(f"/etc/containers/systemd/{image_name}.image")
+ assert image_file.exists and image_file.is_file
+
+
+@pytest.mark.parametrize("image_name", IOP_IMAGES)
+def test_iop_image_registry_auth_file(server, image_name):
+ f = server.file(f"/etc/containers/systemd/{image_name}.image")
+ assert "REGISTRY_AUTH_FILE" in f.content_string
diff --git a/tests/target_lifecycle_test.py b/tests/target_lifecycle_test.py
index f834ffc97..618f0873f 100644
--- a/tests/target_lifecycle_test.py
+++ b/tests/target_lifecycle_test.py
@@ -1,6 +1,6 @@
 import time
-FOREMAN_PING_RETRIES = 60
+FOREMAN_PING_RETRIES = 90
 FOREMAN_PING_DELAY = 10
 CURL_CMD = "curl --silent --output /dev/null"
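Review bot: `IOP_IMAGES` lists `iop-inventory-frontend`, but the per-image auth variables removed from `src/vars/images.yml` in this same change had no `iop_inventory_frontend` entry, so confirm that the iop role really deploys an `iop-inventory-frontend.image` unit or `test_iop_image_file_exists` will fail for that parameter. As in `tests/images_test.py`, `"REGISTRY_AUTH_FILE" in f.content_string` is a bare substring check; asserting the full directive with the expected path, e.g. `assert "REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json" in f.content_string`, would make the test say something about the pull configuration rather than about a token being present. The two identical `@pytest.mark.parametrize("image_name", IOP_IMAGES)` decorators could become a params fixture like `core_image` in the sibling test module, keeping the two files consistent.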