Automation to deploy the Trustification project on RH OS family
The automation within this repository establishes the components of Trustification, the downstream redistribution of Trustification project within a single Red Hat Enterprise Linux (RHEL) or Fedora machine using a standalone containerized deployment. Containers are spawned using Kubernetes based manifests using podman kube play.
The following Trustification components are deployed as part of this architecture:
The following components are used if provided by the customers:
- RH Single Sign On
- RH Kafka streams
- Postgresql
- S3 or compatible service like Minio
Utilize the steps below to understand how to setup and execute the provisioning.
A RHEL 9.2+ server should be used to run the Trustification components.
Ansible must be installed and configured on a control node that will be used to perform the automation.
Perform the following steps to prepare the control node for execution.
Install the required Ansible collections by executing the following
ansible-galaxy collection install -r requirements.yml
An installation of RH SSO/Keycloak/AWS Cognito must be provided to allow for integration with containerized Trustification.
In order to deploy Trustification on a RHEL 9.2+ VM:
- Create an
inventory.ini
file in the project with a single VM in thetrustification
group:
[trustification]
192.168.121.60 become=true
[trustification:vars]
ansible_user=vagrant
ansible_ssh_pass=vargrant
ansible_private_key_file=./vm-testing/images/rhel9-vm/.vagrant/machines/trustification/libvirt/private_key
- Create
ansible.cfg
file in the project with a single VM in thetrustification
group:
[defaults]
inventory = ./inventory.ini
host_key_checking = False
- Add the subscription, registry and certificates information :
- For Red Hat subscription define :
export TPA_SINGLE_NODE_REGISTRATION_USERNAME=<Your Red Hat subscription username>
export TPA_SINGLE_NODE_REGISTRATION_PASSWORD=<Your Red Hat subscription password>
- For Red Hat image registry define :
export TPA_SINGLE_NODE_REGISTRY_USERNAME=<Your Red Hat image registry username>
export TPA_SINGLE_NODE_REGISTRY_PASSWORD=<Your Red Hat image registry password>
Alternatively vagrant will prompt you to provide the registration username and password.
- Path for TLS certificates files:
Replace default value in play.yml and replace them accordingly
tpa_single_node_certificates_path: /tmp/certs
Default values for certificate file names are defined in roles/tpa_single_node/vars/main.yml
, they can be changed if needed :
- guac-collectsub-tls-certificate.pem"
- guac-collectsub-tls-certificate.key"
- guac-graphql-tls-certificate.pem"
- guac-graphql-tls-certificate.key"
- Create a simple Ansible playbook
play.yml
:
- hosts: trustification
vars:
base_hostname: TODO # e.g. example.com
tpa_single_node_oidc_issuers: TODO # your OIDC provider (e.g. SSO/keycloak) URL
tpa_single_node_issuer_url: TODO # your OIDC provider (e.g. SSO/keycloak) URL
tasks:
- name: Include TPA single node role
ansible.builtin.include_role:
name: tpa_single_node
- Create Environment Variables with S3 and OIDC credentails
export TPA_S3_ACCESS_KEY=<S3 Storage Access Key>
export TPA_S3_SECRET_KEY=<S3 Storage Secret Key>
export TPA_OIDC_WALKER_SECRET=<OIDC Walker Secret>
- Execute the following command (NOTE: you will have to provide credentials to authenticate to registry.redhat.io: https://access.redhat.com/RegistryAuthentication):
ANSIBLE_ROLES_PATH="roles/" ansible-playbook -i inventory.ini play.yml -vvvv -e registry_username='REGISTRY.REDHAT.IO_USERNAME' -e registry_password='REGISTRY.REDHAT.IO_PASSWORD'
The vm-testing/README.md file contains instructions on testing the deployment on a VM. Right now, only Vagrant and libvirt are supported as testing VM provisioner.
Any and all feedback is welcome. Submit an Issue or Pull Request as desired.