# Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: v1 kind: Secret metadata: name: aiap-secret labels: aiap: aiap data: AIRSHIPCTL_REPO_AUTH_USERNAME: "" AIRSHIPCTL_REPO_AUTH_HTTP_PASSWORD: "" AIRSHIPCTL_REPO_AUTH_SSH_KEY: "" AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_USERNAME: "" AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_HTTP_PASSWORD: "" AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_SSH_PASSWORD: "" SOPS_IMPORT_PGP: "" --- apiVersion: v1 kind: Pod metadata: name: airship-in-a-pod labels: aiap: aiap spec: affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: aiap operator: Exists topologyKey: kubernetes.io/hostname hostNetwork: false restartPolicy: Never containers: - name: libvirt image: quay.io/airshipit/libvirt:aiap-v1 imagePullPolicy: IfNotPresent securityContext: privileged: true #SYS_ADMIN required for systemd, need to work out reqs for libvirt command: - bash - -cex - "exec /usr/lib/systemd/systemd" env: - name: container value: docker readinessProbe: exec: command: - virsh - version initialDelaySeconds: 5 periodSeconds: 5 startupProbe: exec: command: - systemctl - is-active - --quiet - libvirtd initialDelaySeconds: 5 periodSeconds: 5 volumeMounts: - name: var-run-aiap mountPath: /var/run/aiap/ - name: dev mountPath: /dev - name: tmp mountPath: /tmp - name: run mountPath: /run - name: var-lib-libvirt-images mountPath: /var/lib/libvirt/images - name: var-lib-libvirt-default mountPath: /var/lib/libvirt/default - name: var-run-libvirt mountPath: /var/run/libvirt - name: sys-fs-cgroup mountPath: /sys/fs/cgroup readOnly: false - name: logs mountPath: /var/log/ - name: sushy image: quay.io/metal3-io/sushy-tools imagePullPolicy: IfNotPresent command: - bash - -cex - | tee /csr_details.txt << EOF [req] default_bits = 2048 prompt = no default_md = sha256 req_extensions = req_ext distinguished_name = dn [ dn ] CN = localhost [ req_ext ] subjectAltName = @alt_names [ alt_names ] DNS.1 = DNS.2 = ::1 EOF openssl req \ -newkey rsa:2048 \ -nodes \ -keyout /airship_gate_redfish_auth.key \ -x509 \ -days 365 \ -out /airship_gate_redfish_auth.pem \ -config <(cat /csr_details.txt) \ -extensions 'req_ext' # Wait for infrastructure to come up while (! grep -sq "SUCCESS" "/tmp/status/infra-builder"); do printf "Waiting on infra-builder...\n"; sleep 1; done sushy-emulator \ --debug \ --interface \ --port 8443 \ --ssl-key /airship_gate_redfish_auth.key \ --ssl-certificate /airship_gate_redfish_auth.pem volumeMounts: - name: var-run-libvirt mountPath: /var/run/libvirt - name: status mountPath: /tmp/status - name: nginx image: nginx:latest imagePullPolicy: IfNotPresent command: - bash - -cex - | tee /etc/nginx/nginx.conf <<'EOF' user nginx; worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; #gzip on; server { listen 8099; listen [::]:8099; server_name localhost; #charset koi8-r; #access_log /var/log/nginx/host.access.log main; location / { root /srv/images; autoindex on; } error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } } EOF exec nginx -g 'daemon off;' volumeMounts: - name: srv mountPath: /srv/ - name: dind image: docker:stable-dind imagePullPolicy: IfNotPresent securityContext: privileged: true volumeMounts: - name: var-run-aiap mountPath: /var/run/aiap/ - name: dind-storage mountPath: /var/lib/docker - name: var-run-docker mountPath: /var/run/ - name: srv mountPath: /srv/ - name: airship-config mountPath: /root/.airship - name: var-run-libvirt mountPath: /var/run/libvirt - name: artifact-setup image: quay.io/airshipit/aiap-artifact-setup:latest imagePullPolicy: IfNotPresent command: - bash - -cex - /entrypoint.sh env: - name: CACHE_DIR value: /opt/aiap-files/cache - name: USE_CACHED_AIRSHIPCTL value: "false" - name: ARTIFACTS_DIR value: /opt/aiap-files/artifacts - name: AIRSHIPCTL_REPO_URL value: https://opendev.org/airship/airshipctl - name: AIRSHIPCTL_REPO_REF value: master - name: AIRSHIPCTL_REPO_AUTH_TYPE value: "none" - name: USE_PROXY value: - name: no_proxy value: - name: http_proxy value: - name: https_proxy value: volumeMounts: - name: tmp mountPath: /tmp - name: aiap-files mountPath: /opt/aiap-files - name: status mountPath: /tmp/status - name: var-run-docker mountPath: /var/run - name: var-run-libvirt mountPath: /var/run/libvirt - name: aiap-secret-volume mountPath: /opt/aiap-secret-volume - name: infra-builder image: quay.io/airshipit/aiap-infra-builder:latest imagePullPolicy: IfNotPresent securityContext: privileged: true command: - bash - -cex - /entrypoint.sh env: - name: CACHE_DIR value: /opt/aiap-files/cache - name: ARTIFACTS_DIR value: /opt/aiap-files/artifacts - name: USE_PROXY value: - name: no_proxy value: - name: http_proxy value: - name: https_proxy value: volumeMounts: - name: aiap-files mountPath: /opt/aiap-files - name: status mountPath: /tmp/status - name: tmp mountPath: /tmp - name: var-run-aiap mountPath: /var/run/aiap/ - name: var-lib-libvirt-images mountPath: /var/lib/libvirt/images - name: var-lib-libvirt-default mountPath: /var/lib/libvirt/default - name: var-run-libvirt mountPath: /var/run/libvirt - name: logs mountPath: /var/log/ - name: var-run-docker mountPath: /var/run - name: runner image: quay.io/airshipit/aiap-runner:latest imagePullPolicy: IfNotPresent command: - bash - -cex - /entrypoint.sh env: - name: CACHE_DIR value: /opt/aiap-files/cache - name: ARTIFACTS_DIR value: /opt/aiap-files/artifacts - name: USE_CACHED_ISO value: "false" - name: AIRSHIP_CONFIG_PHASE_REPO_URL value: https://review.opendev.org/airship/airshipctl - name: AIRSHIP_CONFIG_PHASE_REPO_BRANCH value: master - name: AIRSHIP_CONFIG_PHASE_REPO_REF value: - name: USE_PROXY value: - name: no_proxy value: - name: http_proxy value: - name: https_proxy value: - name: AIRSHIP_CONFIG_MANIFEST_REPO_AUTH_TYPE value: "none" - name: SKIP_REGENERATE value: volumeMounts: - name: aiap-files mountPath: /opt/aiap-files - name: status mountPath: /tmp/status - name: tmp mountPath: /tmp - name: var-run-aiap mountPath: /var/run/aiap/ - name: srv mountPath: /srv/ - name: run mountPath: /run - name: var-run-libvirt mountPath: /var/run/libvirt - name: logs mountPath: /var/log/ - name: var-run-docker mountPath: /var/run - name: airship-config mountPath: /root/.airship - mountPath: /opt/aiap-secret-volume name: aiap-secret-volume - name: status-checker image: quay.io/airshipit/aiap-status-checker:latest volumeMounts: - name: status mountPath: /tmp/status initContainers: - name: init-aiap-files image: ubuntu:20.04 command: - bash - -cex - | mkdir -p /opt/aiap-files/artifacts mkdir -p /opt/aiap-files/cache volumeMounts: - name: aiap-files mountPath: /opt/aiap-files volumes: - name: aiap-files persistentVolumeClaim: claimName: aiap-pv-files-claim - name: status emptyDir: {} - name: dev hostPath: path: /dev - name: tmp emptyDir: medium: "Memory" - name: airship-config emptyDir: {} - name: run emptyDir: medium: "Memory" - name: var-lib-libvirt-images emptyDir: {} - name: var-lib-libvirt-default emptyDir: {} - name: var-run-libvirt emptyDir: medium: "Memory" - name: var-run-aiap emptyDir: medium: "Memory" - name: sys-fs-cgroup hostPath: path: /sys/fs/cgroup - name: srv emptyDir: {} - name: logs emptyDir: {} - name: var-run-docker emptyDir: medium: "Memory" - name: dind-storage emptyDir: {} - name: aiap-secret-volume secret: secretName: aiap-secret