-
Notifications
You must be signed in to change notification settings - Fork 7
/
infra-aws-windows-server.yaml
203 lines (179 loc) · 7 KB
/
infra-aws-windows-server.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: infra-aws-windows-server
labels:
app.kubernetes.io/version: "0.8.0-dev"
annotations:
tekton.dev/pipelines.minVersion: "0.24.x"
tekton.dev/categories: infrastructure
tekton.dev/tags: infrastructure, aws, windows-server
tekton.dev/displayName: "aws manager"
tekton.dev/platforms: "linux/amd64"
spec:
description: |
Task provision a windows server dedicated on host on AWS
The machine will offer nested virtualizataion capabilities as so it should be spin on a dedicated (baremetal) machine
workspaces:
- name: storage
description: volume to store outputs to connect within the target machine + state file for the infrastructure
mountPath: /opt/storage
- name: aws-credentials
description: |
ocp secret holding the aws credentials. Secret should be accessible to this task.
---
apiVersion: v1
kind: Secret
metadata:
name: aws-${name}
labels:
app.kubernetes.io/component: ${name}
app.kubernetes.io/part-of: qe-platform
type: Opaque
data:
access-key: ${access_key}
secret-key: ${secret_key}
region: ${region}
mountPath: /opt/aws-credentials
params:
# mapt params
- name: project-name
description: identifier for project.
- name: backed-url
description: |
If we want to backed resources externally we can use s3 setting this param(i.e s3://existing-bucket).
If default will be store on storage workspace at path set by param ws-output-path.
default: "''"
- name: ws-output-path
description: path on workspace where to store ephemeral assets related with the provisioning
- name: operation
description: operation to execute within the infrastructure. Current values (create, destroy)
# Windows params
- name: ami-name
description: name for the custom ami to be used within windows machine. Check README on how to build it
default: 'Windows_Server-2019-English-Full-HyperV-RHQE'
- name: ami-username
description: name for de default user on the custom AMI
default: 'ec2-user'
- name: ami-owner
description: alias name for the owner of the custom AMI
default: 'self'
- name: ami-lang
description: language for the ami possible values (eng, non-eng). This param is used when no ami-name is set and the action uses the default custom ami
default: 'eng'
- name: spot
description: Check best spot option to spin the machine and will create resources on that region.
default: 'true'
- name: airgap
description: |
Set the machine on an airgap scenario.
If airgap is set an extra VM is created acting as bastion, information to access bastion is also
added to the output folder.
To access the target machine we need to go through the bastion
default: 'false'
- name: tags
description: tags for the resources created on the providers
default: "''"
# Control params
- name: remove-lock
description: in case a previous run fails the stack can be locked. This value allows to control if remove lock
default: 'true'
- name: debug
description: |
Warning setting this param to true expose credentials
The parameter is intended to add verbosity on the task execution and also print credentials on stdout
to easily access to remote machice
default: 'false'
results:
- name: host
description: ip to connect to the provisioned machine
- name: username
description: username to connect to the provisioned machine
- name: key
description: filename for the private key. The key is located at workspace-resources-path
- name: bastion-host
description: if airgap is set we get the bastion host as result
- name: bastion-username
description: if airgap is set we get the bastion username to connect as result
- name: bastion-key
description: if airgap is set we get the bastion filename for the private key. The key is located at workspace-resources-path
steps:
- name: provisioner
image: quay.io/redhat-developer/mapt:v0.8.0-dev
imagePullPolicy: Always
script: |
#!/bin/sh
# If debug add verbosity
if [[ $(params.debug) == "true" ]]; then
set -xuo
fi
# Credentials
export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key)
export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key)
export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region)
# Output folder
workspace_path=/opt/storage/$(params.ws-output-path)
mkdir -p ${workspace_path}
# Remove lock
if [[ $(params.remove-lock) == "true" ]]; then
rm -rf ${workspace_path}/.pulumi/locks/*
fi
# Run mapt
cmd="mapt aws windows $(params.operation) "
cmd="$cmd --project-name $(params.project-name) "
# Set the backed url
if [[ $(params.backed-url) != "" ]]; then
cmd="$cmd --backed-url $(params.backed-url) "
else
cmd="$cmd --backed-url file://${workspace_path} "
fi
if [[ $(params.operation) == "create" ]]; then
cmd="$cmd --conn-details-output ${workspace_path} "
cmd="$cmd --ami-name $(params.ami-name) "
cmd="$cmd --ami-username $(params.ami-username) "
cmd="$cmd --ami-owner $(params.ami-owner) "
cmd="$cmd --ami-lang $(params.ami-lang) "
if [[ $(params.spot) == "true" ]]; then
cmd="$cmd --spot "
fi
if [[ $(params.airgap) == "true" ]]; then
cmd="$cmd --airgap "
fi
if [[ $(params.tags) != "" ]]; then
cmd="$cmd --tags $(params.tags) "
fi
fi
eval "${cmd}"
create_exit_code=$?
# set task results
cat "${workspace_path}/host" | tee $(results.host.path)
cat "${workspace_path}/username" | tee $(results.username.path)
echo -n "id_rsa" | tee $(results.key.path)
if [[ $(params.airgap) == "true" ]]; then
cat "${workspace_path}/bastion_host" | tee $(results.bastion-host.path)
cat "${workspace_path}/bastion_username" | tee $(results.bastion-username.path)
echo -n "bastion_id_rsa" | tee $(results.bastion-key.path)
fi
# If debug print credentials
if [[ $(params.debug) == "true" ]]; then
echo "Credentials to access target machine \n"
cat "${workspace_path}/host"
cat "${workspace_path}/username"
cat "${workspace_path}/id_rsa"
if [[ $(params.airgap) == "true" ]]; then
cat "${workspace_path}/bastion_host"
cat "${workspace_path}/bastion_username"
cat "${workspace_path}/bastion_id_rsa"
fi
fi
if [[ ${create_exit_code} -ne 0 ]]; then
exit 1
fi
resources:
requests:
memory: "200Mi"
cpu: "100m"
limits:
memory: "600Mi"
cpu: "300m"