diff --git a/README.md b/README.md index d528066..7b3f73f 100644 --- a/README.md +++ b/README.md @@ -43,13 +43,13 @@ This repository has `.tf` configuration for the deployment of Agent infrastructu ## Using tar files -The respository contains the solution templates in the form of `tar` files to install the `Agent infrastructure` and deploy the `Agent service`. Perform following steps to use the `tar` file. +The release contains the solution templates in the form of `tar` files to install the `Agent infrastructure` and deploy the `Agent service`. Perform following steps to use the `tar` file. -- Download the `/templates/templates.zip` file to your local system. -- From your terminal extract the content of `zip` file using the command. `unzip templates.zip` +- Download the schematics-agents release to your local system. +- From your terminal extract the content of `schematics-agents.tgz` - The templates as TAR files should now be available as - The `agent-infrastructure-templates.tar` for setting up the VPC, IKS cluster, and LogDNA services infrastructure. - - The `agent-service-templates.tar` to deploy the Agent service into your infrastructure. + - The `agent-service-templates.tar` to deploy the Agent service into your infrastructure. ## Infrastructure 
@@ -76,17 +76,14 @@ Click [here](https://cloud.ibm.com/docs/schematics?topic=schematics-agents-setup | ---------- | -------- | -------------- | ---------- | ----------- | ----------- | | agent_prefix | You will use this prefix, for `vpc`, `cluster`, and `observability`. (Maximum length 27 chars) | | | my-project | | | location | Location of the Agent infrastructure. Note: For Beta, the Agent must be deployed in a freshly provisioned `VPC`, `IKS Cluster`, `Log Analysis` instances. | | | `us-south` | | -| resource_group_name | Name of resource group used where Agent infrastructure was provisioned. | string | ✓ | | | | tags | A list of tags for the Agent infrastructure | list(string) | | my-project:agent | | | ibmcloud_api_key | The IBM Cloud API Key used to provision the schematics Agent infrastructure resources. If not provided, then resources will be provisioned in currently logged in user account. | string | | | ✓ | | agent_name | Name of the agent. | string | | my-project | | | location| Location of the agent services. It must be the same as the agent infrastructure/cluster location. | string | | us-south | | -| resource_group_name | Name of resource group used where agent infrastructure was provisioned. | string | ✓ | | | | profile_id | The IBM Cloud IAM Trusted Profile ID which provides authorization for agents to process jobs. More info can be found [here](https://cloud.ibm.com/docs/account?topic=account-create-trusted-profile&interface=ui) | string | ✓ | | ✓ | | schematics_endpoint_location | Location of the schematics endpoint. This location is used to connect your agent with schematics service. The valid locations are us/eu/us-south/us-east/eu-de/eu-gb | string | | `us-south` | | | cluster_id | ID of the cluster used to run the agent service. | string | ✓ | | | | logdna_name | Name of the IBM Log Analysis service instance, used to send the agent logs. 
| string | ✓ | | | -| ibmcloud_api_key | The IBM Cloud API Key used to deploy the schematics agent resources. If not provided, resources will be deployed using the logged in user credentials. | string | | | ✓ | ## Outputs diff --git a/cli-helper/Readme.md b/cli-helper/Readme.md new file mode 100644 index 0000000..9c46778 --- /dev/null +++ b/cli-helper/Readme.md 
@@ -0,0 +1,57 @@ +# schematics-agents-CLI + +Use ibmcloud schematics CLI to create workspace and upload agent tar files. + +## Create Agent Infrastructure Workspace + +Use create_agent_infra_workspace.json with ibmcloud schematics cli to create workspace for infrastructure. Edit the json to update the inputs. + +#### Inputs + +| name | description | type | required | default | sensitive | +| ---------- | -------- | -------------- | ---------- | ----------- | ----------- | +| agent_prefix | You will use this prefix, for `vpc`, `cluster`, and `observability`. (Maximum length 27 chars) | | | my-project | | +| location | Location of the Agent infrastructure. Note: For Beta, the Agent must be deployed in a freshly provisioned `VPC`, `IKS Cluster`, `Log Analysis` instances. | | | `us-south` | | +| resource_group_name | Name of resource group used where Agent infrastructure was provisioned. | string | ✓ | | | +| tags | A list of tags for the Agent infrastructure | list(string) | | my-project:agent | | + +#### Example + +``` +ibmcloud schematics workspace create new --file create_agent_infra_workspace.json +``` + +## Create Agent Services Workspace + +Use create_agent_service_workspace.json with ibmcloud schematics cli to deploy services on the provisioned Agent Infrastructure. Edit the json to update the inputs. + +| name | description | type | required | default | sensitive | +| ---------- | -------- | -------------- | ---------- | ----------- | ----------- | +| ibmcloud_api_key | The IBM Cloud API Key used to provision the schematics Agent infrastructure resources. If not provided, then resources will be provisioned in currently logged in user account. | string | | | ✓ | +| agent_name | Name of the agent. | string | | my-project | | +| location| Location of the agent services. It must be the same as the agent infrastructure/cluster location. | string | | us-south | | +| resource_group_name | Name of resource group used where agent infrastructure was provisioned. 
| string | ✓ | | | +| profile_id | The IBM Cloud IAM Trusted Profile ID which provides authorization for agents to process jobs. More info can be found [here](https://cloud.ibm.com/docs/account?topic=account-create-trusted-profile&interface=ui) | string | ✓ | | ✓ | +| schematics_endpoint_location | Location of the schematics endpoint. This location is used to connect your agent with schematics service. The valid locations are us/eu/us-south/us-east/eu-de/eu-gb | string | | `us-south` | | +| cluster_id | ID of the cluster used to run the agent service. | string | ✓ | | | +| logdna_name | Name of the IBM Log Analysis service instance, used to send the agent logs. | string | ✓ | | | + + +#### Example + +``` +ibmcloud schematics workspace create new --file create_agent_service_workspace.json +``` + +## Next Steps + +Download the schematics-agents release to your local system. +- From your terminal extract the schematics-agents.tgz +- The templates as TAR files should now be available as + - The `agent-infrastructure-templates.tar` for setting up the VPC, IKS cluster, and LogDNA services infrastructure. + - The `agent-service-templates.tar` to deploy the Agent service into your infrastructure. +- Use ibmcloud schematics cli to upload the tar files to respective workspace +``` +ex: +ibmcloud schematics workspace upload --id us-east.workspace.schematics-remote-service-workspace.f3c5bfe2 --file ./agent-service-templates.tar -tid 9bfe4530-cfb2-41 +``` \ No newline at end of file diff --git a/tarfiles/create_agent_infra_workspace.json b/cli-helper/create_agent_infra_workspace.json similarity index 100% rename from tarfiles/create_agent_infra_workspace.json rename to cli-helper/create_agent_infra_workspace.json diff --git a/tarfiles/create_agent_service_workspace.json b/cli-helper/create_agent_service_workspace.json similarity index 100% rename from tarfiles/create_agent_service_workspace.json rename to cli-helper/create_agent_service_workspace.json 
diff --git a/tarfiles/Readme.md b/tarfiles/Readme.md deleted file mode 100644 index fce1fcf..0000000 --- a/tarfiles/Readme.md +++ /dev/null @@ -1,13 +0,0 @@ -# schematics-agents-tarfiles -Solution Templates for Schematics Agent - Templates as TAR files. - -Download the `templates.zip` file to your local system. - -Extract the content of zip file using the command - ` unzip templates.zip` - -The templates as TAR files should now be available as - -i. `agent-infrastructure-templates.tar` - -ii. `agent-service-templates.tar` - diff --git a/tarfiles/templates.zip b/tarfiles/templates.zip deleted file mode 100644 index a285588..0000000 Binary files a/tarfiles/templates.zip and /dev/null differ diff --git a/templates/service/locals.tf b/templates/service/locals.tf index d97fde5..acf93f4 100644 --- a/templates/service/locals.tf +++ b/templates/service/locals.tf @@ -21,6 +21,10 @@ locals { schematics_jobrunner_image = "icr.io/schematics-remote/schematics-job-runner:eb8ca280-179" #Schematics agent job12 image ID schematics_runtime_job_image = "icr.io/schematics-remote/schematics-agent-ws-job-20220704:60824f4e-276" + #Schematics agent ansible image ID + schematics_runtime_ansible_job_image = "us.icr.io/schematics/schematics-ansible-job:b164f614-171" + #Schematics agent adapter image ID + schematics_runtime_adapter_job_image = "us.icr.io/schematics/schematics-data-adapter:48537ed2-62" #schematics_sandbox_image schematics_sandbox_image = "icr.io/schematics-remote/schematics-sandbox:9bdc3645-283" #Schematics environment (dev|stage|prod) diff --git a/templates/service/runtime-ansible-job.tf b/templates/service/runtime-ansible-job.tf new file mode 100755 index 0000000..5f2fa2d --- /dev/null +++ b/templates/service/runtime-ansible-job.tf 
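Review bot: `schematics_runtime_ansible_job_image` and `schematics_runtime_adapter_job_image` reference their images by tag only, so the cluster will run whatever is later pushed under `b164f614-171` or `48537ed2-62`. Pinning by digest, in the form `"us.icr.io/schematics/schematics-ansible-job@sha256:<DIGEST_PLACEHOLDER>"`, makes the deployed content immutable and auditable. Both images also come from `us.icr.io/schematics`, while the neighbouring entries use `icr.io/schematics-remote`; that appears to be why the new deployment needs its own pull secret. A comment next to the two locals, such as `# temporary: private registry, needs schematics-runtime-ansible-job-image-secret`, would record that dependency. The `locals` block begins and ends outside this hunk.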
@@ -0,0 +1,323 @@ +############################################################################### +# IBM Confidential +# OCO Source Materials +# IBM Cloud Schematics +# (C) Copyright IBM Corp. 2022 All Rights Reserved. +# The source code for this program is not published or otherwise divested of +# its trade secrets, irrespective of what has been deposited with +# the U.S. Copyright Office. +############################################################################### + +############################################################################## +# Job 12 blocks +############################################################################## + +resource "kubernetes_config_map" "runtime_ansible_job_configmap" { + metadata { + name = "schematics-runtime-ansible-job-config" + namespace = "schematics-runtime" + } + + data = { + ANSIBLE_JOB_HTTPADDR = "" + ANSIBLE_JOB_HTTPPORT = 3006 + ANSIBLE_JOB_KEEPWORKFILES = true + ANSIBLE_JOB_SINGLEACTIONMODE = true + ANSIBLE_JOB_LOGGERLEVEL = "0" + ANSIBLE_JOB_ATLOGGERLEVEL = "-1" + ANSIBLE_JOB_EXTLOGGERLEVEL = "-1" + ANSIBLE_JOB_EXTLOGPATH = "/var/log/schematics/%s.log" + ANSIBLE_JOB_WHITELISTEXTN = ".tf,.tfvars,.md,.yaml,.sh,.txt,.yml,.html,.gitignore,.tf.json,license,.js,.pub,.service,_rsa,.py,.json,.tpl,.cfg,.ps1,.j2,.zip,.conf,.crt,.key,.der,.jacl,.properties,.cer,.pem,.tmpl,.netrc" + ANSIBLE_JOB_ANSIBLEACTIONWHITELISTEXTN = ".tf,.tfvars,.md,.yaml,.sh,.txt,.yml,.html,.gitignore,.tf.json,license,.js,.pub,.service,_rsa,.py,.json,.tpl,.cfg,.ps1,.j2,.zip,.conf,.crt,.key,.der,.cer,.pem,.bash,.tmpl" + ANSIBLE_JOB_BLACKLISTEXTN = ".php5,.pht,.phtml,.shtml,.asa,.asax,.swf,.xap,.tfstate,.tfstate.backup,.exe" + IBMCLOUD_ACCOUNT_MANAGEMENT_API_ENDPOINT = "" + IBMCLOUD_CF_API_ENDPOINT = "" + IBMCLOUD_CS_API_ENDPOINT = "" + IBMCLOUD_CR_API_ENDPOINT = "" + IBMCLOUD_CIS_API_ENDPOINT = "" + IBMCLOUD_GS_API_ENDPOINT = "" + IBMCLOUD_GT_API_ENDPOINT = "" + IBMCLOUD_IAM_API_ENDPOINT = "" + IBMCLOUD_IAMPAP_API_ENDPOINT = "" + 
IBMCLOUD_ICD_API_ENDPOINT = "" + IBMCLOUD_MCCP_API_ENDPOINT = "" + IBMCLOUD_RESOURCE_MANAGEMENT_API_ENDPOINT = "" + IBMCLOUD_RESOURCE_CONTROLLER_API_ENDPOINT = "" + IBMCLOUD_RESOURCE_CATALOG_API_ENDPOINT = "" + IBMCLOUD_UAA_ENDPOINT = "" + IBMCLOUD_CSE_ENDPOINT = "" + IBMCLOUD_IS_API_ENDPOINT = "" + IBMCLOUD_IS_NG_API_ENDPOINT = "" + IBMCLOUD_COS_CONFIG_ENDPOINT = "" + IBMCLOUD_API_GATEWAY_ENDPOINT = "" + IBMCLOUD_DL_API_ENDPOINT = "" + IBMCLOUD_DL_PROVIDER_API_ENDPOINT = "" + IBMCLOUD_TG_API_ENDPOINT = "" + IBMCLOUD_HPCS_API_ENDPOINT = "" + IBMCLOUD_FUNCTIONS_API_ENDPOINT = "" + IBMCLOUD_SATELLITE_API_ENDPOINT = "" + IBMCLOUD_ENTERPRISE_API_ENDPOINT = "" + IBMCLOUD_PUSH_API_ENDPOINT = "" + IBMCLOUD_CATALOG_MANAGEMENT_API_ENDPOINT = "" + IBMCLOUD_HPCS_TKE_ENDPOINT = "" + ANSIBLE_JOB_ENABLETLS = false + ANSIBLE_JOB_OPPONENTSCA = "" + #ANSIBLE_JOB_CERTPEM = "" + #ANSIBLE_JOB_KEYPEM = "" + } + + depends_on = [kubernetes_namespace.namespace] + +} + +resource "kubernetes_config_map" "runtime_adapter_job_configmap" { + metadata { + name = "schematics-runtime-adapter-job-config" + namespace = "schematics-runtime" + } + + data = { + ADAPTER_HTTPPORT = "4001" + ADAPTER_MAXRETRIES = "" + ADAPTER_LOCATION = "us-south" + ADAPTER_LOGGERLEVEL = "-1" + ADAPTER_ATLOGGERLEVEL = "-1" + ADAPTER_EXTLOGGERLEVEL = "-1" + ADAPTER_EXTLOGPATH = "/var/log/schematics/%s.log" + ADAPTER_PLUGINHOME = "/go/src/github.ibm.com/blueprint/schematics-data-adapter/plugins" + } + + depends_on = [kubernetes_namespace.namespace] + +} + +resource "kubernetes_service" "ansible_job_service" { + metadata { + name = "ansible-job-service" + namespace = "schematics-runtime" + } + + spec { + port { + name = "grpc-job" + port = 3006 + target_port = "grpc-job" + } + + selector = { + app = "runtime-ansible-job" + } + + type = "ClusterIP" + } + + depends_on = [kubernetes_namespace.namespace] +} + +//creating image pull secret for ansible job +// TODO Remove this once the Ansible and adpater is released +resource 
"kubernetes_secret" "schematics-ansible-secret" { + metadata { + name = "schematics-runtime-ansible-job-image-secret" + namespace = "schematics-runtime" + } + data = { + ".dockerconfigjson" = jsonencode({ + auths = { + "us.icr.io" = { + auth = base64encode("iamapikey:${var.ansible_pull_ibmcloud_api_key}") + } + } + }) + } + type = "kubernetes.io/dockerconfigjson" + depends_on = [kubernetes_namespace.namespace] +} + + +resource "kubernetes_deployment" "runtime_ansible_job" { + timeouts { + create = "60m" + delete = "60m" + } + metadata { + name = "runtime-ansible-job" + namespace = "schematics-runtime" + + + labels = { + app = "runtime-ansible-job" + } + + annotations = { + "kubernetes.io/change-cause" = "schematics-ansible-job_1338" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + app = "runtime-ansible-job" + } + } + + template { + metadata { + labels = { + app = "runtime-ansible-job" + build = "ansible-job-1338" + } + } + + spec { + volume { + name = "at-events" + + host_path { + path = "/var/log/at" + } + } + + volume { + name = "ext-logs" + + host_path { + path = "/var/log/schematics" + } + } + + init_container { + name = "fix-permissions" + image = "icr.io/schematics-remote/ubi-minimal:8.6" + command = ["sh", "-c", "chmod -R a+rwx /var/log/at"] + + volume_mount { + name = "at-events" + mount_path = "/var/log/at" + } + } + + init_container { + name = "fix-permissions-extlog" + image = "icr.io/schematics-remote/ubi-minimal:8.6" + command = ["sh", "-c", "chmod -R a+rwx /var/log/schematics"] + + volume_mount { + name = "ext-logs" + mount_path = "/var/log/schematics" + } + } + + image_pull_secrets { + name = "schematics-runtime-ansible-job-image-secret" + } + + container { + name = "runtime-ansible-job" + image = local.schematics_runtime_ansible_job_image + port { + name = "grpc-job" + container_port = 3006 + } + + env_from { + config_map_ref { + name = "schematics-runtime-ansible-job-config" + } + } + + resources { + limits = { + cpu = "500m" 
+ memory = "1Gi" + } + + requests = { + cpu = "500m" + memory = "1Gi" + } + } + + volume_mount { + name = "at-events" + mount_path = "/var/log/at" + } + + volume_mount { + name = "ext-logs" + mount_path = "/var/log/schematics" + } + + lifecycle { + pre_stop { + exec { + command = ["/home/nobody/scripts/pre-stop.sh"] + } + } + } + + security_context { + run_as_user = 1001 + run_as_group = 1001 + run_as_non_root = true + } + } + container { + name = "adapter" + image = local.schematics_runtime_adapter_job_image + + env_from { + config_map_ref { + name = "schematics-runtime-adapter-job-config" + } + } + + port { + name = "http-adapter" + container_port = 4001 + } + resources { + limits = { + cpu = "500m" + memory = "1Gi" + } + + requests = { + cpu = "500m" + memory = "1Gi" + } + } + + volume_mount { + name = "at-events" + mount_path = "/var/log/at" + } + + volume_mount { + name = "ext-logs" + mount_path = "/var/log/schematics" + } + } + + restart_policy = "Always" + termination_grace_period_seconds = 180000 + } + } + strategy { + type = "RollingUpdate" + + rolling_update { + max_unavailable = "1" + max_surge = "1" + } + } + + revision_history_limit = 5 + } + + depends_on = [kubernetes_service.job_service, kubernetes_config_map.runtime_ansible_job_configmap,kubernetes_config_map.runtime_adapter_job_configmap, kubernetes_namespace.namespace] +} + +############################################################################## \ No newline at end of file diff --git a/templates/service/variables.tf b/templates/service/variables.tf index 37e2474..c454f15 100644 --- a/templates/service/variables.tf +++ b/templates/service/variables.tf @@ -85,4 +85,12 @@ variable "ibmcloud_api_key" { default = "" } + +variable "ansible_pull_ibmcloud_api_key" { + description = "The IBM Cloud API Key used to pull ansible images" + type = string + sensitive = true + default = "" +} + ############################################################################## \ No newline at end of file
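Review bot: The init containers `fix-permissions` and `fix-permissions-extlog` run `chmod -R a+rwx` on the hostPath volumes `/var/log/at` and `/var/log/schematics`, which leaves those node directories writable by every user and pod on the worker. They also set no `security_context`, so they presumably run as the image's default user. Granting access only to the runtime uid/gid would be narrower; this assumes both containers can run as 1001 and that no other log shipper depends on world access, which should be confirmed. The `adapter` container mounts the same host paths but, unlike `runtime-ansible-job`, declares no `security_context` at all. Separately, the config map ships `ANSIBLE_JOB_ENABLETLS = false`, so a comment stating whether plaintext gRPC on port 3006 is intended inside the cluster would help reviewers.

```hcl
init_container {
  name    = "fix-permissions"
  # … unchanged: image …
  # Hand the directory to the runtime uid/gid instead of opening it to all users on the node.
  command = ["sh", "-c", "chown -R 1001:1001 /var/log/at && chmod -R u+rwX,g+rwX,o-rwx /var/log/at"]
  # … unchanged: at-events volume_mount …
}

# … fix-permissions-extlog: same command change for /var/log/schematics …

container {
  name = "adapter"
  # … unchanged: image, env_from, port, resources, volume mounts …

  # Mirror the hardening already applied to runtime-ansible-job.
  security_context {
    run_as_user                = 1001 # assumed to match runtime-ansible-job; confirm against the image
    run_as_group               = 1001
    run_as_non_root            = true
    allow_privilege_escalation = false
  }
}
```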
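Review bot: `default = ""` on `ansible_pull_ibmcloud_api_key` lets plan and apply succeed with no key. The pull secret in runtime-ansible-job.tf is then built from `iamapikey:` with an empty password, so the mistake only surfaces later as an image pull failure on the pods. Removing the `default = ""` line makes Terraform require the value up front. Note that `sensitive = true` only redacts the value in CLI output; the key is still stored in the Terraform state through the `kubernetes_secret` data. The description could therefore say something like `"API key used only to pull the ansible/adapter images; stored in state, use a key limited to registry read access"`.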