diff --git a/play.yml b/play.yml
index 5acbb93..3359a7b 100644
--- a/play.yml
+++ b/play.yml
@@ -3,6 +3,10 @@
 vars:
 tpa_single_node_base_hostname: trustification
 tpa_single_node_skip_os_install: true
+ tpa_single_node_config_dir: /etc/rhtpa
+ tpa_single_node_certs_dir: "{{ tpa_single_node_config_dir }}/certs"
+ tpa_single_node_kube_manifest_dir: "{{ tpa_single_node_config_dir }}/manifests"
+ tpa_single_node_kube_configmap_dir: "{{ tpa_single_node_config_dir }}/configs"
 # * tpa_single_node_registry_username
 # * get at https://access.redhat.com/terms-based-registry
 tpa_single_node_registry_username:
diff --git a/roles/tpa_single_node/defaults/main.yml b/roles/tpa_single_node/defaults/main.yml
index 5e1264e..2a9c68e 100644
--- a/roles/tpa_single_node/defaults/main.yml
+++ b/roles/tpa_single_node/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-# defaults file for tas_single_node
+# defaults file for tpa_single_node
 tpa_single_node_system_packages:
 - podman
 - podman-plugins
diff --git a/roles/tpa_single_node/tasks/podman/install_manifest.yml b/roles/tpa_single_node/tasks/podman/install_manifest.yml
new file mode 100644
index 0000000..3b0f78e
--- /dev/null
+++ b/roles/tpa_single_node/tasks/podman/install_manifest.yml
@@ -0,0 +1,52 @@
+---
+# NOTE: determining when the service will restart with `when: ...` is not ideal, however
+# we would need a dynamic handler otherwise and these are a bit fragile.
+
+- name: Set location of Podman Play Manifest
+ ansible.builtin.set_fact:
+ kube_play_file: >-
+ {{ tpa_single_node_kube_manifest_dir + '/' + podman_spec.kube_file_content.metadata.namespace + '_' +
+ podman_spec.kube_file_content.metadata.name + '.yml' }}
+
+- name: Copy Manifest to Server
+ ansible.builtin.copy:
+ content: "{{ podman_spec.kube_file_content | to_nice_yaml(indent=2) }}"
+ dest: "{{ kube_play_file }}"
+ mode: "0600"
+ register: copy_manifest
+
+- name: Create Secret
+ # We can't use podman_secret because we support Podman 4.4.1 and the podman_secret module only
+ # supports idempotency with >= 4.7.0: https://github.com/containers/ansible-podman-collections/issues/692
+ # Unfortunately podman_play doesn't properly understand idempotency with secrets either
+ # The next best thing is to identify whether the secret file changed - this is determined from the secret_changed
+ # variable passed by the caller to this file
+ containers.podman.podman_play:
+ kube_file: "{{ podman_spec.secret }}"
+ state: "{{ podman_spec.state | default('started') }}"
+ when: podman_spec.secret is defined
+ changed_when: podman_spec.secret is defined and podman_spec.secret_changed
+
+- name: Copy Systemd file to Server
+ ansible.builtin.template:
+ src: systemd/systemd-cm.j2
+ dest: "{{ tpa_single_node_systemd_directory + '/' + podman_spec.systemd_file }}.service"
+ mode: "0600"
+ when: podman_spec.configmap is defined
+ register: copy_systemd_file
+
+- name: Copy Systemd file to Server
+ ansible.builtin.template:
+ src: systemd/systemd-nocm.j2
+ dest: "{{ tpa_single_node_systemd_directory + '/' + podman_spec.systemd_file }}.service"
+ mode: "0600"
+ when: podman_spec.configmap is not defined
+ register: copy_systemd_file
+
+- name: Restart Podman Service
+ ansible.builtin.systemd:
+ state: restarted
+ enabled: true
+ daemon_reload: true
+ name: "{{ podman_spec.systemd_file }}"
+ when: copy_manifest.changed or copy_systemd_file.changed or (podman_spec.secret is defined and podman_spec.secret_changed)
diff --git a/roles/tpa_single_node/templates/systemd/systemd-cm.j2 b/roles/tpa_single_node/templates/systemd/systemd-cm.j2
new file mode 100644
index 0000000..c3da662
--- /dev/null
+++ b/roles/tpa_single_node/templates/systemd/systemd-cm.j2
@@ -0,0 +1,17 @@
+[Unit]
+Description="{{ podman_spec.systemd_file}}" systemd container
+Documentation=man:podman-kube-play(1)
+Wants=network-online.target
+After=network-online.target
+RequiresMountsFor=%t/containers
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+TimeoutStopSec=70
+ExecStart=/usr/bin/podman kube play --replace --service-container=true "{{ kube_play_file }}" --network "{{ podman_spec.network | default('podman') }}" --configmap "{{ podman_spec.configmap | default(omit) }}"
+ExecStop=/usr/bin/podman kube down "{{ kube_play_file }}"
+Type=notify
+NotifyAccess=all
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
diff --git a/roles/tpa_single_node/templates/systemd/systemd-nocm.j2 b/roles/tpa_single_node/templates/systemd/systemd-nocm.j2
new file mode 100644
index 0000000..dfa37b9
--- /dev/null
+++ b/roles/tpa_single_node/templates/systemd/systemd-nocm.j2
@@ -0,0 +1,17 @@
+[Unit]
+Description="{{ podman_spec.systemd_file}}" systemd container
+Documentation=man:podman-kube-play(1)
+Wants=network-online.target
+After=network-online.target
+RequiresMountsFor=%t/containers
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+TimeoutStopSec=70
+ExecStart=/usr/bin/podman kube play --replace --service-container=true "{{ kube_play_file }}" --network "{{ podman_spec.network | default('podman') }}"
+ExecStop=/usr/bin/podman kube down "{{ kube_play_file }}"
+Type=notify
+NotifyAccess=all
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
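Review bot: The second "Copy Systemd file to Server" task in install_manifest.yml overwrites `copy_systemd_file` even when it is skipped, because Ansible still registers a `skipped: true, changed: false` result for a task whose `when` is false; on the `podman_spec.configmap is defined` path a changed unit file therefore never satisfies `copy_systemd_file.changed` in the "Restart Podman Service" `when`, and the old unit keeps running until something else triggers a restart. The non-configmap path is unaffected only because its skipped task comes first and is then overwritten by the real result. Replacing both tasks with one template task that has no `when` and `src: "{{ 'systemd/systemd-cm.j2' if podman_spec.configmap is defined else 'systemd/systemd-nocm.j2' }}"` keeps a single registered result, and the restart condition then reads better as `copy_manifest is changed or copy_systemd_file is changed`. `mode: "0600"` on both copied files is the right default for files rendered from the spec.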
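Review bot: `--configmap "{{ podman_spec.configmap | default(omit) }}"` on the ExecStart line of systemd-cm.j2 does not omit anything: `omit` is only honoured as a module argument, so inside a template it renders its literal placeholder string and the fallback would yield an unusable `--configmap` value; it is unreachable today only because install_manifest.yml gates this template on `podman_spec.configmap is defined`. systemd-cm.j2 and systemd-nocm.j2 otherwise differ by that single flag, so one template with `{% if podman_spec.configmap is defined %} --configmap "{{ podman_spec.configmap }}"{% endif %}` appended to ExecStart would remove the duplication and the need for two conditionally-run tasks. Neither unit sets a `Restart=` policy, so a pod that exits on failure stays down until the next playbook run; `Restart=on-failure` under `[Service]` is the usual choice if that behaviour is wanted. Minor: `{{ podman_spec.systemd_file}}` in Description is missing the space before `}}`.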