use Quadlet

.ansible-lint-ignore

@@ -0,0 +1,8 @@
+# This file contains ignores rule violations for ansible-lint
+roles/tpa_single_node/tasks/infra/component_auth.yml name[template]
+roles/tpa_single_node/templates/branding/CND-AppSpeed-Keyart-2_at_2x.png load-failure[unicodedecodeerror]
+roles/tpa_single_node/templates/branding/android-chrome-192x192.png load-failure[unicodedecodeerror]
+roles/tpa_single_node/templates/branding/apple-touch-icon.png load-failure[unicodedecodeerror]
+roles/tpa_single_node/templates/branding/favicon-16x16.png load-failure[unicodedecodeerror]
+roles/tpa_single_node/templates/branding/favicon-32x32.png load-failure[unicodedecodeerror]
+roles/tpa_single_node/templates/branding/favicon.ico load-failure[unicodedecodeerror]

play.yml

@@ -2,8 +2,8 @@
   hosts: trustification
   vars:
     # V1.2.0
-    tpa_single_node_trustification_image: quay.io/redhat-user-workloads/trusted-content-tenant/trustification-1-2-z/trustification-product-1-2-z:4fd0c6b401b4b4a553eb2ae9897c1cc66d788391 # noqa yaml[line-length]
-    tpa_single_node_guac_image: quay.io/redhat-user-workloads/trusted-content-tenant/guac-0-7-x/guac:44ca3c7bc0bce6137acae0e7b5025d41ead11af7
+    tpa_single_node_trustification_image: registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:16bc624b40f2863c9e69e8cdd4d557eb0d200eaf # noqa yaml[line-length]
+    tpa_single_node_guac_image: registry.redhat.io/rhtpa/rhtpa-guac-rhel9:65220008e46d9def5314d56a351e45f918aa68d1
   vars_files:
     - vars/main.yml
   tasks:

roles/tpa_single_node/README.md

@@ -26,8 +26,8 @@ Deploy the [RHTPA](https://docs.redhat.com/en/documentation/red_hat_trusted_prof
 ### Optional
 |Option|Description|Type|Default|
 |---|---|---|---|
-| tpa_single_node_trustification_image | Trustification image. | str |  `registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:2943d20c8ac831f4ae4f209c8ca6807619404062`  |
-| tpa_single_node_guac_image | Guac image. | str |  `registry.redhat.io/rhtpa/rhtpa-guac-rhel9:f0688194637cc759052e02c350c38dbabc19484e`  |
+| tpa_single_node_trustification_image | Trustification image. | str |  `registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:16bc624b40f2863c9e69e8cdd4d557eb0d200eaf`  |
+| tpa_single_node_guac_image | Guac image. | str |  `registry.redhat.io/rhtpa/rhtpa-guac-rhel9:65220008e46d9def5314d56a351e45f918aa68d1`  |
 | tpa_single_node_base_hostname | The user name logging in to the registry to pull images. | str |  `trustification`  |
 | tpa_single_node_rhel_host | Ip of the instance. | str |  |
 | tpa_single_node_certificates_dir | Folder where to place the certificates to deploy on the instance. | str |  `certs`  |

roles/tpa_single_node/meta/argument_specs.yml

@@ -10,12 +10,12 @@ argument_specs:
         description: "Trustification image."
         type: "str"
         version_added: "0.2.0"
-        default: "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:2943d20c8ac831f4ae4f209c8ca6807619404062"
+        default: "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:16bc624b40f2863c9e69e8cdd4d557eb0d200eaf"
       tpa_single_node_guac_image:
         description: "Guac image."
         type: "str"
         version_added: "0.2.0"
-        default: "registry.redhat.io/rhtpa/rhtpa-guac-rhel9:f0688194637cc759052e02c350c38dbabc19484e"
+        default: "registry.redhat.io/rhtpa/rhtpa-guac-rhel9:65220008e46d9def5314d56a351e45f918aa68d1"
       tpa_single_node_base_hostname:
         description: "The user name logging in to the registry to pull images."
         type: "str"

roles/tpa_single_node/tasks/bombastic/api.yml

@@ -7,13 +7,14 @@
       type: "api"
 
 - name: Deploy bombastic-api
-  ansible.builtin.include_tasks: install_manifest.yml
+  ansible.builtin.include_tasks: install_service.yml
   vars:
-    podman_spec:
-      state: started
-      systemd_file: bombastic-api
+    specs:
+      service: bombastic-api
+      state: restarted
       network: "{{ tpa_single_node_podman_network }}"
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/bombastic/api/Deployment.yaml.j2') | from_yaml }}"
+      kube_file: "{{ role_path }}/templates/systemd/default.kube.j2"
+      manifest_file: "{{ role_path }}/templates/manifests/bombastic/api/Deployment.yaml.j2"
       configmaps:
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/bombastic-api.yaml"
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"

roles/tpa_single_node/tasks/bombastic/indexer.yml

@@ -1,10 +1,11 @@
 - name: Deploy bombastic-indexer
-  ansible.builtin.include_tasks: install_manifest.yml
+  ansible.builtin.include_tasks: install_service.yml
   vars:
-    podman_spec:
-      state: started
-      systemd_file: bombastic-indexer
+    specs:
+      service: bombastic-indexer
+      state: restarted
       network: "{{ tpa_single_node_podman_network }}"
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/bombastic/indexer/Deployment.yaml.j2') | from_yaml }}"
+      kube_file: "{{ role_path }}/templates/systemd/default.kube.j2"
+      manifest_file: "{{ role_path }}/templates/manifests/bombastic/indexer/Deployment.yaml.j2"
       configmaps:
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"

roles/tpa_single_node/tasks/bombastic/walker.yml

@@ -1,14 +1,16 @@
 ---
 - name: Deploy bombastic walker Pod
-  ansible.builtin.include_tasks: install_manifest_cronjob.yml
+  ansible.builtin.include_tasks: install_service.yml
   when: not tpa_single_node_bombastic_walker_suspended
   vars:
-    podman_spec:
+    specs:
+      service: bombastic-walker
       state: stopped
-      systemd_file: bombastic-walker
       network: "{{ tpa_single_node_podman_network }}"
-      timer_type: monotonic # realtime
-      time_pattern: 1h # *:0/10 for realtime instead of monotonic
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/bombastic/walker/Deployment.yaml.j2') | from_yaml }}"
+      kube_file: "{{ role_path }}/templates/systemd/default.kube.j2"
+      manifest_file: "{{ role_path }}/templates/manifests/bombastic/walker/Deployment.yaml.j2"
       configmaps:
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"
+      timer:
+        type: monotonic # realtime
+        pattern: 1h # *:0/10 for realtime instead of monotonic

roles/tpa_single_node/tasks/collector/osv.yml

@@ -14,13 +14,14 @@
       type: "osv"
 
 - name: Deploy collector-osv
-  ansible.builtin.include_tasks: install_manifest.yml
+  ansible.builtin.include_tasks: install_service.yml
   vars:
-    podman_spec:
-      state: started
-      systemd_file: collector-osv
+    specs:
+      service: collector-osv
+      state: restarted
       network: "{{ tpa_single_node_podman_network }}"
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/collector/osv/Deployment.yaml.j2') | from_yaml }}"
+      kube_file: "{{ role_path }}/templates/systemd/default.kube.j2"
+      manifest_file: "{{ role_path }}/templates/manifests/collector/osv/Deployment.yaml.j2"
       configmaps:
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/collector-osv.yaml"
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/collectorist-api-guac.yaml"

roles/tpa_single_node/tasks/collectorist/api.yml

@@ -25,13 +25,14 @@
   changed_when: false
 
 - name: Deploy collectorist-api
-  ansible.builtin.include_tasks: install_manifest.yml
+  ansible.builtin.include_tasks: install_service.yml
   vars:
-    podman_spec:
-      state: started
-      systemd_file: collectorist-api
+    specs:
+      service: collectorist-api
+      state: restarted
       network: "{{ tpa_single_node_podman_network }}"
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/collectorist/api/Deployment.yaml.j2') | from_yaml }}"
+      kube_file: "{{ role_path }}/templates/systemd/default.kube.j2"
+      manifest_file: "{{ role_path }}/templates/manifests/collectorist/api/Deployment.yaml.j2"
       configmaps:
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/collectorist-api.yaml"
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/collectorist-api-guac.yaml"

roles/tpa_single_node/tasks/dataset/init.yml

@@ -1,11 +1,12 @@
 ---
 - name: Deploy init-dataset Pod
-  ansible.builtin.include_tasks: install_manifest.yml
+  ansible.builtin.include_tasks: install_service.yml
   vars:
-    podman_spec:
-      state: stopped
-      systemd_file: init-dataset
+    specs:
+      service: init-dataset
+      state: started
       network: "{{ tpa_single_node_podman_network }}"
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/init/dataset/Deployment.yaml.j2') | from_yaml }}"
+      kube_file: "{{ role_path }}/templates/systemd/default.kube.j2"
+      manifest_file: "{{ role_path }}/templates/manifests/init/dataset/Deployment.yaml.j2"
       configmaps:
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"

roles/tpa_single_node/tasks/guac/bombastic_collector.yml

@@ -1,11 +1,12 @@
 ---
 - name: Deploy Guac bombastic collector
-  ansible.builtin.include_tasks: install_manifest.yml
+  ansible.builtin.include_tasks: install_service.yml
   vars:
-    podman_spec:
-      state: started
-      systemd_file: guac-collector-bombastic
+    specs:
+      service: guac-collector-bombastic
+      state: restarted
       network: "{{ tpa_single_node_podman_network }}"
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/guac/bombastic-collector/Deployment.yaml.j2') | from_yaml }}"
+      kube_file: "{{ role_path }}/templates/systemd/default.kube.j2"
+      manifest_file: "{{ role_path }}/templates/manifests/guac/bombastic-collector/Deployment.yaml.j2"
       configmaps:
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"

roles/tpa_single_node/tasks/guac/guac_collectsub.yml

@@ -1,11 +1,12 @@
 ---
 - name: Deploy guac-collectsub Pod
-  ansible.builtin.include_tasks: install_manifest.yml
+  ansible.builtin.include_tasks: install_service.yml
   vars:
-    podman_spec:
-      state: started
-      systemd_file: guac-collectsub
+    specs:
+      service: guac-collectsub
+      state: restarted
       network: "{{ tpa_single_node_podman_network }}"
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/guac/collectsub/Deployment.yaml.j2') | from_yaml }}"
+      kube_file: "{{ role_path }}/templates/systemd/default.kube.j2"
+      manifest_file: "{{ role_path }}/templates/manifests/guac/collectsub/Deployment.yaml.j2"
       configmaps:
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"

roles/tpa_single_node/tasks/guac/guac_graphql.yml

@@ -1,11 +1,12 @@
 ---
 - name: Deploy guac-graphql Pod
-  ansible.builtin.include_tasks: install_manifest.yml
+  ansible.builtin.include_tasks: install_service.yml
   vars:
-    podman_spec:
-      state: started
-      systemd_file: guac-graphql
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/guac/graphql/Deployment.yaml.j2') | from_yaml }}"
+    specs:
+      service: guac-graphql
+      state: restarted
       network: "{{ tpa_single_node_podman_network }}"
+      kube_file: "{{ role_path }}/templates/systemd/default.kube.j2"
+      manifest_file: "{{ role_path }}/templates/manifests/guac/graphql/Deployment.yaml.j2"
       configmaps:
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"

roles/tpa_single_node/tasks/guac/vexination_collector.yml

@@ -1,11 +1,12 @@
 ---
 - name: Deploy Guac vexination collector
-  ansible.builtin.include_tasks: install_manifest.yml
+  ansible.builtin.include_tasks: install_service.yml
   vars:
-    podman_spec:
-      state: started
-      systemd_file: guac-collector-vexination
+    specs:
+      service: guac-collector-vexination
+      state: restarted
       network: "{{ tpa_single_node_podman_network }}"
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/guac/vexination-collector/Deployment.yaml.j2') | from_yaml }}"
+      kube_file: "{{ role_path }}/templates/systemd/default.kube.j2"
+      manifest_file: "{{ role_path }}/templates/manifests/guac/vexination-collector/Deployment.yaml.j2"
       configmaps:
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"

roles/tpa_single_node/tasks/install_service.yml

@@ -0,0 +1,30 @@
+- name: Generate {{ specs.service }} deployment manifest
+  ansible.builtin.template:
+    src: "{{ specs.manifest_file }}"
+    dest: "{{ tpa_single_node_kube_manifest_dir }}/Deployments/{{ specs.service }}.yaml"
+    mode: "0600"
+  register: copy_manifest
+
+- name: Generate {{ specs.service }} Quadlet file
+  ansible.builtin.template:
+    src: "{{ specs.kube_file }}"
+    dest: "/etc/containers/systemd/{{ specs.service }}.kube"
+    mode: "0600"
+  register: copy_systemd_file
+
+- name: Add systemd timer for {{ specs.service }}
+  when: specs.timer is defined
+  ansible.builtin.template:
+    src: systemd/timer.j2
+    dest: "{{ tpa_single_node_systemd_directory + '/' + specs.service }}.timer"
+    mode: "0600"
+  register: copy_systemd_timer_file
+
+- name: Restart Podman Service for {{ specs.service }}
+  ansible.builtin.systemd:
+    state: "{{ specs.state }}"
+    enabled: true
+    daemon_reload: true
+    name: "{{ specs.service }}"
+    no_block: true
+  when: copy_manifest.changed or copy_systemd_file.changed or copy_systemd_timer_file.changed

roles/tpa_single_node/tasks/spog/api.yml

@@ -30,13 +30,14 @@
   changed_when: false
 
 - name: Deploy spog-api
-  ansible.builtin.include_tasks: install_manifest.yml
+  ansible.builtin.include_tasks: install_service.yml
   vars:
-    podman_spec:
-      state: started
-      systemd_file: spog-api
+    specs:
+      service: spog-api
+      state: restarted
       network: "{{ tpa_single_node_podman_network }}"
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/spog/api/Deployment.yaml.j2') | from_yaml }}"
+      kube_file: "{{ role_path }}/templates/systemd/default.kube.j2"
+      manifest_file: "{{ role_path }}/templates/manifests/spog/api/Deployment.yaml.j2"
       configmaps:
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/spog-api.yaml"
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/spog-ui-config.yaml"

roles/tpa_single_node/tasks/spog/nginx.yml

@@ -20,12 +20,13 @@
     mode: "0600"
 
 - name: Deploy nginx reverse proxy
-  ansible.builtin.include_tasks: install_manifest.yml
+  ansible.builtin.include_tasks: install_service.yml
   vars:
-    podman_spec:
-      state: started
-      systemd_file: nginx
+    specs:
+      service: nginx
+      state: restarted
       network: "{{ tpa_single_node_podman_network }}"
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/nginx/Deployment.yaml.j2') | from_yaml }}"
+      kube_file: "{{ role_path }}/templates/systemd/default.kube.j2"
+      manifest_file: "{{ role_path }}/templates/manifests/nginx/Deployment.yaml.j2"
       configmaps:
         - "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/nginx.yaml"