Merge pull request #1 from trustification/init

initial commit

.ansible-lint

@@ -0,0 +1,4 @@
+---
+exclude_paths:
+  - .github
+  - vm-testing

.gitignore

@@ -0,0 +1,20 @@
+venv/
+vm-testing/inventory
+vm-testing/vars.yml
+vm-testing/**/.terraform*
+vm-testing/**/terraform.tfvars
+vm-testing/**/terraform.tfstate*
+env/
+.venv/
+venv/
+.env/
+.vagrant
+# artifacts/ directory produced by ansible-runner
+artifacts/
+# context/ directory produced by ansible-builder
+context/
+*.log
+*+00:00.json
+*.swp
+.vscode/
+.idea

README.md

@@ -1,2 +1,101 @@
-# trutification-ansible
+# trustification-ansible
 Automation to deploy the Trustification project on RH OS family
+
+:warning: **The contents of this repository are a Work in Progress.**
+
+## Overview
+
+The automation within this repository establishes the components of Trustification, the downstream redistribution of [Trustification project](https://github.com/trustification/trustification) within a single Red Hat Enterprise Linux (RHEL) or Fedora machine using a standalone containerized deployment. Containers are spawned using Kubernetes based manifests using
+[podman kube play](https://docs.podman.io/en/latest/markdown/podman-kube-play.1.html).
+
+The following Trustification components are deployed as part of this architecture:
+* [Trustification](https://github.com/trustification/trustification)
+* [Guac](https://github.com/trustification/guac)
+
+The following components are used if provided by the customers:
+
+* RH Single Sign On
+* RH Kafka streams
+* Postgresql
+* S3 or compatible service like Minio
+
+Utilize the steps below to understand how to setup and execute the provisioning.
+
+## Prerequisites
+
+A RHEL 9.2+ server should be used to run the Trustification components.
+
+Ansible must be installed and configured on a control node that will be used to perform the automation.
+
+Perform the following steps to prepare the control node for execution.
+
+### Dependencies
+
+Install the required Ansible collections by executing the following
+
+```shell
+ansible-galaxy collection install -r requirements.yml
+```
+
+### OIDC provider
+
+An installation of RH SSO/Keycloak/AWS Cognito must be provided to allow for integration with containerized Trustification.
+
+## Provision
+#### https://developer.hashicorp.com/vagrant/docs/provisioning/ansible
+#### https://docs.ansible.com/ansible/2.9/scenario_guides/guide_vagrant.html
+
+In order to deploy Trustification on a RHEL 9.2+ VM:
+
+1. Create an `inventory.ini` file  in the project with a single VM in the `trustification` group:
+```
+[trustification]
+192.168.121.60 become=true
+
+[trustification:vars]
+ansible_user=vagrant
+ansible_ssh_pass=vargrant
+ansible_private_key_file=./vm-testing/images/rhel9-vm/.vagrant/machines/trustification/libvirt/private_key
+```
+
+2. Create  `ansible.cfg` file  in the project with a single VM in the `trustification` group:
+```
+[defaults]
+inventory = ./inventory.ini
+host_key_checking = False
+```
+3. Add your RH credentials, choose one:
+ - as a env variables `SUBSCRIPTION_USERNAME` and `SUBSCRIPTION_PASSWORD` 
+ - in the Vagrant file `config.registration.username` and `config.registration.password`
+ - during the vagrant up in the registration prompt
+
+
+4. Create a simple Ansible playbook `play.yml`:
+  ```
+  - hosts: trustification
+    vars:
+      base_hostname: TODO # e.g. example.com
+      tpa_single_node_oidc_issuers: TODO # your OIDC provider (e.g. SSO/keycloak) URL
+      tpa_single_node_issuer_url: TODO # your OIDC provider (e.g. SSO/keycloak) URL
+    tasks:
+      - name: Include TPA single node role
+        ansible.builtin.include_role:
+          name: tpa_single_node
+  ```
+
+5. Execute the following command (NOTE: you will have to provide credentials to authenticate to registry.redhat.io: https://access.redhat.com/RegistryAuthentication):
+  ```shell
+  ANSIBLE_ROLES_PATH="roles/" ansible-playbook -i inventory.ini play.yml -vvvv -e registry_username='REGISTRY.REDHAT.IO_USERNAME' -e registry_password='REGISTRY.REDHAT.IO_PASSWORD'
+  ```
+
+
+## Contributing
+
+### Testing Deployment on a VM
+
+The [vm-testing/README.md](vm-testing/README.md) file contains instructions on testing the deployment on a VM. Right now, only Vagrant and libvirt are supported as testing VM provisioner.
+
+## Feedback
+
+Any and all feedback is welcome. Submit an [Issue](https://github.com/trustification/trustification-ansible/issues) or [Pull Request](https://github.com/trustification/trustification-ansible/pulls) as desired.
+

ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+inventory = ./inventory.ini
+host_key_checking = False

galaxy.yml

@@ -0,0 +1,20 @@
+---
+namespace: redhat
+name: trusted_profile_analyzer
+version: 1.0.0
+
+readme: README.md
+authors:
+  - Red Hat
+description: TODO
+license_file: Apache-2.0
+tags: [rhtpa, tpa, trusted profile analyzer, security, application, tools]
+# NOTE: when updating, also update dependencies in requirements.yml
+dependencies:
+  containers.podman: ">=1.15.0"
+repository: https://github.com/trustification/trustification-ansible
+documentation: http://TODO.com
+homepage: https://TODO.com
+issues: https://github.com/trustification/trustification-ansible/issues
+
+build_ignore: [.ansible-lint, .github, .gitignore, .vscode, requirements-testing.txt, vm-testing, .idea]

inventory.ini

@@ -0,0 +1,10 @@
+[trustification]
+192.168.121.60 become=true
+
+[trustification:vars]
+ansible_user=vagrant
+ansible_ssh_pass=vargrant
+ansible_private_key_file=./vm-testing/images/rhel9-vm/.vagrant/machines/trustification/libvirt/private_key
+
+[local]
+

meta/runtime.yml

@@ -0,0 +1 @@
+requires_ansible: '>=2.16.0'

requirements-testing.txt

@@ -0,0 +1 @@
+ansible-lint==24.6.1

requirements.yml

@@ -0,0 +1,4 @@
+---
+collections:
+  - name: containers.podman
+    version: ">=1.15.4"

roles/tpa_single_node/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for tpa_single_node

roles/tpa_single_node/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for tpa_single_node

roles/tpa_single_node/meta/main.yml

@@ -0,0 +1,56 @@
+---
+galaxy_info:
+  author: Red Hat
+  description: Install Trustification on a single node
+  company: Red Hat
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: Apache-2.0
+
+  min_ansible_version: "2.16"
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+# List tags for your role here, one per line. A tag is a keyword that describes
+# and categorizes the role. Users find roles by searching for tags. Be sure to
+# remove the '[]' above, if you add tags to this list.
+#
+# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+#       Maximum 20 tags per role.
+
+dependencies: []
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+
+collections:
+  - containers.podman

roles/tpa_single_node/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/tpa_single_node/tests/test.yml

@@ -0,0 +1,6 @@
+---
+- name: Install TPA locally
+  hosts: localhost
+  remote_user: root
+  roles:
+    - tpa_single_node

roles/tpa_single_node/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for tpa_scaffolding

vm-testing/README.md

@@ -0,0 +1,61 @@
+# VM testing
+
+This directory contains tooling to (manually) test the collection using Vagrant.
+
+General prerequisites:
+```
+dnf install @virtualization @vagrant libvirt-devel
+systemctl enable --now virtqemud.service
+systemctl enable --now virtnetworkd.service
+usermod -aG libvirt $USER
+loginctl terminate-user $USER
+vagrant plugin install vagrant-libvirt
+vagrant plugin install vagrant-registration
+systemctl enable --now libvirtd
+systemctl restart libvirtd
+```
+
+## Vagrant
+First setup
+```
+cd images/rhel9-vm
+vagrant up
+```
+If you haven't provided the subscription details on the Vagrantfile, or as a env variables
+during the startup will be asked you RH username and password to enable the repos on RHEL.
+Without can't be installed podman and the other libs.
+```
+==> trustification: Registering box with vagrant-registration...
+trustification: Would you like to register the system now (default: yes)? [y|n]y
+trustification: username: <your subscription username>
+trustification: password: <your subscription password>
+```
+To enter in the running instance
+```
+vagrant ssh-config
+vagrant ssh
+hostnamectl
+ansible all -m ping
+```
+
+Stop
+This unregister and stop your instance
+```
+vagrant halt
+```
+
+Destroy
+```
+vagrant destroy
+```
+
+Reload
+```
+vagrant reload --provision
+```
+
+## Ansible 
+From the root of the project
+
+
+

vm-testing/images/rhel9-vm/Vagrantfile

@@ -0,0 +1,33 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+
+    #config.registration.username = '<your Red Hat username>'
+    #config.registration.password = '<your Red Hat password>'
+    config.registration.username = ENV['SUBSCRIPTION_USERNAME']
+    config.registration.password = ENV['SUBSCRIPTION_PASSWORD']
+
+    config.vm.define "trustification" do |main_server|
+          main_server.vm.box = "generic-x64/rhel9"
+          #main_server.vm.box = "fedora/40-cloud-base"
+          main_server.vm.hostname = "trustification"
+          main_server.vm.network "private_network", ip: "192.168.121.60"
+          main_server.vm.network "forwarded_port", guest: 80, host: 8080
+
+          main_server.vm.provider "libvirt" do |libvirt|
+              libvirt.memory = "4096"
+              libvirt.cpus = "2"
+              # libvirt.qemu_use_session = "false"
+          end
+
+          main_server.vm.provision "ansible" do |ansible|
+             ansible.verbose = "v"
+             ansible.compatibility_mode = "2.0"
+             ansible.playbook = "./../../../play.yml"
+             ansible.galaxy_role_file = "./../../../requirements.yml"
+             #ansible.galaxy_command = "ansible-galaxy collection install -r %{role_file}"
+           end
+      end
+
+end

vm-testing/play_.yml

@@ -0,0 +1,17 @@
+- hosts: trustification
+  vars:
+    tpa_single_node_base_hostname: trustification
+    tpa_single_node_skip_os_install: true  # TODO: temporary until we get a VM properly registered to insights
+  vars_files:
+    # vars.yml should contain:
+    # * tpa_single_node_registry_username
+    #   * get at https://access.redhat.com/terms-based-registry
+    # * tpa_single_node_registry_password
+    #   * get at https://access.redhat.com/terms-based-registry
+    # * tpa_single_node_oidc_issuers
+    # * tpa_single_node_issuer_url
+    - vars.yml
+  tasks:
+    - name: Include TPA single node
+      ansible.builtin.include_role:
+        name: tpa_single_node

vm-testing/requirements.yml

@@ -0,0 +1,5 @@
+---
+
+  collections:
+  - name: containers.podman
+    version: "1.15.2"