trustification · desmax74 · Aug 28, 2024 · Aug 28, 2024
diff --git a/play.yml b/play.yml
@@ -3,6 +3,10 @@
   vars:
     tpa_single_node_base_hostname: trustification
     tpa_single_node_skip_os_install: true
+    tpa_single_node_config_dir: /etc/rhtpa
+    tpa_single_node_certs_dir: "{{ tpa_single_node_config_dir }}/certs"
+    tpa_single_node_kube_manifest_dir: "{{ tpa_single_node_config_dir }}/manifests"
+    tpa_single_node_kube_configmap_dir: "{{ tpa_single_node_config_dir }}/configs"
     # * tpa_single_node_registry_username
     #   * get at https://access.redhat.com/terms-based-registry
     tpa_single_node_registry_username: <YOUR_USERNAME>

diff --git a/roles/tpa_single_node/defaults/main.yml b/roles/tpa_single_node/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-# defaults file for tas_single_node
+# defaults file for tpa_single_node
 tpa_single_node_system_packages:
   - podman
   - podman-plugins
diff --git a/roles/tpa_single_node/tasks/podman/install_manifest.yml b/roles/tpa_single_node/tasks/podman/install_manifest.yml
@@ -0,0 +1,52 @@
+---
+# NOTE: determining when the service will restart with `when: ...` is not ideal, however
+# we would need a dynamic handler otherwise and these are a bit fragile.
+
+- name: Set location of Podman Play Manifest
+  ansible.builtin.set_fact:
+    kube_play_file: >-
+      {{ tpa_single_node_kube_manifest_dir + '/' + podman_spec.kube_file_content.metadata.namespace + '_'
+      + podman_spec.kube_file_content.metadata.name + '.yml' }}
+
+- name: Copy Manifest to Server
+  ansible.builtin.copy:
+    content: "{{ podman_spec.kube_file_content | to_nice_yaml(indent=2) }}"
+    dest: "{{ kube_play_file }}"
+    mode: "0600"
+  register: copy_manifest
+
+- name: Create Secret
+  # We can't use podman_secret because we support Podman 4.4.1 and the podman_secret module only
+  # supports idempotency with >= 4.7.0: https://github.com/containers/ansible-podman-collections/issues/692
+  # Unfortunately podman_play doesn't properly understand idempotency with secrets either
+  # The next best thing is to identify whether the secret file changed - this is determined from the secret_changed
+  # variable passed by the caller to this file
+  containers.podman.podman_play:
+    kube_file: "{{ podman_spec.secret }}"
+    state: "{{ podman_spec.state | default('started') }}"
+  when: podman_spec.secret is defined
+  changed_when: podman_spec.secret is defined and podman_spec.secret_changed
+
+- name: Copy Systemd file to Server
+  ansible.builtin.template:
+    src: systemd/systemd-cm.j2
+    dest: "{{ tpa_single_node_systemd_directory + '/' + podman_spec.systemd_file }}.service"
+    mode: "0600"
+  when: podman_spec.configmap is defined
+  register: copy_systemd_file
+
+- name: Copy Systemd file to Server
+  ansible.builtin.template:
+    src: systemd/systemd-nocm.j2
+    dest: "{{ tpa_single_node_systemd_directory + '/' + podman_spec.systemd_file }}.service"
+    mode: "0600"
+  when: podman_spec.configmap is not defined
+  register: copy_systemd_file
+
+- name: Restart Podman Service
+  ansible.builtin.systemd:
+    state: restarted
+    enabled: true
+    daemon_reload: true
+    name: "{{ podman_spec.systemd_file }}"
+  when: copy_manifest.changed or copy_systemd_file.changed or (podman_spec.secret is defined and podman_spec.secret_changed)
diff --git a/roles/tpa_single_node/templates/systemd/systemd-cm.j2 b/roles/tpa_single_node/templates/systemd/systemd-cm.j2
@@ -0,0 +1,17 @@
+[Unit]
+Description="{{ podman_spec.systemd_file}}" systemd container
+Documentation=man:podman-kube-play(1)
+Wants=network-online.target
+After=network-online.target
+RequiresMountsFor=%t/containers
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+TimeoutStopSec=70
+ExecStart=/usr/bin/podman kube play --replace --service-container=true "{{ kube_play_file }}"  --network "{{ podman_spec.network | default('podman') }}" --configmap "{{ podman_spec.configmap | default(omit) }}"
+ExecStop=/usr/bin/podman kube down "{{ kube_play_file }}"
+Type=notify
+NotifyAccess=all
+
+[Install]
+WantedBy=default.target
diff --git a/roles/tpa_single_node/templates/systemd/systemd-nocm.j2 b/roles/tpa_single_node/templates/systemd/systemd-nocm.j2
@@ -0,0 +1,17 @@
+[Unit]
+Description="{{ podman_spec.systemd_file}}" systemd container
+Documentation=man:podman-kube-play(1)
+Wants=network-online.target
+After=network-online.target
+RequiresMountsFor=%t/containers
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+TimeoutStopSec=70
+ExecStart=/usr/bin/podman kube play --replace --service-container=true "{{ kube_play_file }}"  --network "{{ podman_spec.network | default('podman') }}"
+ExecStop=/usr/bin/podman kube down "{{ kube_play_file }}"
+Type=notify
+NotifyAccess=all
+
+[Install]
+WantedBy=default.target