Add iop_vmaas and iop_vulnerability

Signed-off-by: Eric D. Helms <[email protected]>

Author: ehelms

src/playbooks/deploy/deploy.yaml

@@ -16,6 +16,7 @@
     - name: Add iop databases
       when:
         - "'iop' in enabled_features"
+        - database_mode == 'internal'
       block:
         - name: Include iop databases
           ansible.builtin.include_vars:
@@ -47,6 +48,7 @@
     - role: iop_core
       when:
         - "'iop' in enabled_features"
+        - database_mode == 'internal'
     - role: foreman_proxy
       when:
         - "'foreman-proxy' in enabled_features"

src/roles/iop_core/tasks/main.yaml

@@ -38,3 +38,11 @@
 - name: Deploy IOP Remediation service
   ansible.builtin.include_role:
     name: iop_remediation
+
+- name: Deploy IOP VMAAS service
+  ansible.builtin.include_role:
+    name: iop_vmaas
+
+- name: Deploy IOP Vulnerability service
+  ansible.builtin.include_role:
+    name: iop_vulnerability

src/roles/iop_remediation/defaults/main.yaml

@@ -5,5 +5,5 @@ iop_remediation_container_tag: "foreman-3.16"
 iop_remediation_database_name: remediations_db
 iop_remediation_database_user: remediations_user
 iop_remediation_database_password: CHANGEME
-iop_remediation_database_host: "localhost"
+iop_remediation_database_host: "host.containers.internal"
 iop_remediation_database_port: "5432"

src/roles/iop_vmaas/defaults/main.yaml

@@ -0,0 +1,9 @@
+---
+iop_vmaas_container_image: "quay.io/iop/vmaas"
+iop_vmaas_container_tag: "foreman-3.16"
+
+iop_vmaas_database_name: vmaas_db
+iop_vmaas_database_user: vmaas_admin
+iop_vmaas_database_password: CHANGEME
+iop_vmaas_database_host: "host.containers.internal"
+iop_vmaas_database_port: "5432"

src/roles/iop_vmaas/handlers/main.yaml

@@ -0,0 +1,28 @@
+---
+- name: Check if vmaas reposcan service exists
+  ansible.builtin.systemd:
+    name: iop-service-vmaas-reposcan
+  register: iop_vmaas_reposcan_service_status
+  failed_when: false
+  listen: restart vmaas
+
+- name: Restart vmaas reposcan
+  ansible.builtin.systemd:
+    name: iop-service-vmaas-reposcan
+    state: restarted
+  when: iop_vmaas_reposcan_service_status.status is defined and iop_vmaas_reposcan_service_status.status.LoadState != "not-found"
+  listen: restart vmaas
+
+- name: Check if vmaas webapp-go service exists
+  ansible.builtin.systemd:
+    name: iop-service-vmaas-webapp-go
+  register: iop_vmaas_webapp_service_status
+  failed_when: false
+  listen: restart vmaas
+
+- name: Restart vmaas webapp-go
+  ansible.builtin.systemd:
+    name: iop-service-vmaas-webapp-go
+    state: restarted
+  when: iop_vmaas_webapp_service_status.status is defined and iop_vmaas_webapp_service_status.status.LoadState != "not-found"
+  listen: restart vmaas

src/roles/iop_vmaas/tasks/main.yaml

@@ -0,0 +1,110 @@
+---
+- name: Create VMAAS database secrets
+  containers.podman.podman_secret:
+    name: "{{ item.name }}"
+    data: "{{ item.data }}"
+    state: present
+  loop:
+    - name: "iop-service-vmaas-reposcan-database-username"
+      data: "{{ iop_vmaas_database_user }}"
+    - name: "iop-service-vmaas-reposcan-database-password"
+      data: "{{ iop_vmaas_database_password }}"
+    - name: "iop-service-vmaas-reposcan-database-name"
+      data: "{{ iop_vmaas_database_name }}"
+    - name: "iop-service-vmaas-reposcan-database-host"
+      data: "{{ iop_vmaas_database_host }}"
+    - name: "iop-service-vmaas-reposcan-database-port"
+      data: "{{ iop_vmaas_database_port }}"
+  no_log: true
+
+- name: Create VMAAS data volume
+  containers.podman.podman_volume:
+    name: iop-service-vmaas-data
+    state: present
+
+- name: Deploy VMAAS Reposcan container
+  containers.podman.podman_container:
+    name: iop-service-vmaas-reposcan
+    image: "{{ iop_vmaas_container_image }}:{{ iop_vmaas_container_tag }}"
+    state: quadlet
+    quadlet_dir: /etc/containers/systemd
+    network: iop-core-network
+    volumes:
+      - iop-service-vmaas-data:/data
+    command: "/vmaas/entrypoint.sh database-upgrade reposcan"
+    env:
+      PROMETHEUS_PORT: "8085"
+      PROMETHEUS_MULTIPROC_DIR: "/tmp/prometheus_multiproc_dir"
+      SYNC_REPO_LIST_SOURCE: "katello"
+      SYNC_REPOS: "yes"
+      SYNC_CVE_MAP: "yes"
+      SYNC_CPE: "no"
+      SYNC_CSAF: "no"
+      SYNC_RELEASES: "no"
+      SYNC_RELEASE_GRAPH: "no"
+      KATELLO_URL: "http://iop-core-gateway:9090"
+      REDHAT_CVEMAP_URL: "http://iop-core-gateway:9090/pub/iop/data/meta/v1/cvemap.xml"
+      POSTGRESQL_SSL_MODE: "disable"
+    secrets:
+      - "iop-service-vmaas-reposcan-database-username,type=env,target=POSTGRESQL_USER"
+      - "iop-service-vmaas-reposcan-database-password,type=env,target=POSTGRESQL_PASSWORD"
+      - "iop-service-vmaas-reposcan-database-name,type=env,target=POSTGRESQL_DATABASE"
+      - "iop-service-vmaas-reposcan-database-host,type=env,target=POSTGRESQL_HOST"
+      - "iop-service-vmaas-reposcan-database-port,type=env,target=POSTGRESQL_PORT"
+    quadlet_options:
+      - |
+        [Unit]
+        Description=VMAAS Reposcan Service
+        [Service]
+        Restart=on-failure
+        Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json
+        [Install]
+        WantedBy=default.target
+
+- name: Deploy VMAAS Webapp-Go container
+  containers.podman.podman_container:
+    name: iop-service-vmaas-webapp-go
+    image: "{{ iop_vmaas_container_image }}:{{ iop_vmaas_container_tag }}"
+    state: quadlet
+    quadlet_dir: /etc/containers/systemd
+    network: iop-core-network
+    command: "/vmaas/entrypoint.sh webapp-go"
+    env:
+      REPOSCAN_PUBLIC_URL: "http://iop-service-vmaas-reposcan:8000"
+      REPOSCAN_PRIVATE_URL: "http://iop-service-vmaas-reposcan:10000"
+      CSAF_UNFIXED_EVAL_ENABLED: "FALSE"
+      GIN_MODE: "release"
+      POSTGRESQL_SSL_MODE: "disable"
+    secrets:
+      - "iop-service-vmaas-reposcan-database-username,type=env,target=POSTGRESQL_USER"
+      - "iop-service-vmaas-reposcan-database-password,type=env,target=POSTGRESQL_PASSWORD"
+      - "iop-service-vmaas-reposcan-database-name,type=env,target=POSTGRESQL_DATABASE"
+      - "iop-service-vmaas-reposcan-database-host,type=env,target=POSTGRESQL_HOST"
+      - "iop-service-vmaas-reposcan-database-port,type=env,target=POSTGRESQL_PORT"
+    quadlet_options:
+      - |
+        [Unit]
+        Description=VMAAS Webapp-Go Service
+        Wants=iop-service-vmaas-reposcan.service
+        After=iop-service-vmaas-reposcan.service
+        [Service]
+        Restart=on-failure
+        Environment=REGISTRY_AUTH_FILE=/etc/foreman/registry-auth.json
+        [Install]
+        WantedBy=default.target
+
+- name: Run daemon reload to make Quadlet create the service files
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: Start VMAAS Reposcan service
+  ansible.builtin.systemd:
+    name: iop-service-vmaas-reposcan
+    enabled: true
+    state: started
+
+- name: Start VMAAS Webapp-Go service
+  ansible.builtin.systemd:
+    name: iop-service-vmaas-webapp-go
+    enabled: true
+    state: started

src/roles/iop_vulnerability/defaults/main.yaml

@@ -0,0 +1,13 @@
+---
+iop_vulnerability_container_image: "quay.io/iop/vulnerability-engine"
+iop_vulnerability_container_tag: "foreman-3.16"
+
+iop_vulnerability_database_name: vulnerability_db
+iop_vulnerability_database_user: vulnerability_admin
+iop_vulnerability_database_password: CHANGEME
+iop_vulnerability_database_host: "host.containers.internal"
+iop_vulnerability_database_port: "5432"
+
+# Taskomatic configuration
+iop_vulnerability_taskomatic_jobs: "stale_systems:5,delete_systems:30,cacheman:5"
+iop_vulnerability_taskomatic_startup: "cacheman"

src/roles/iop_vulnerability/handlers/main.yaml

@@ -0,0 +1,24 @@
+---
+- name: Check if vulnerability services exist
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+  register: iop_vulnerability_services_status
+  failed_when: false
+  loop:
+    - iop-service-vuln-dbupgrade
+    - iop-service-vuln-manager
+    - iop-service-vuln-taskomatic
+    - iop-service-vuln-grouper
+    - iop-service-vuln-listener
+    - iop-service-vuln-evaluator-recalc
+    - iop-service-vuln-evaluator-upload
+    - iop-service-vuln-vmaas-sync
+  listen: restart vulnerability
+
+- name: Restart vulnerability services
+  ansible.builtin.systemd:
+    name: "{{ item.item }}"
+    state: restarted
+  when: item.status is defined and item.status.LoadState != "not-found"
+  loop: "{{ iop_vulnerability_services_status.results }}"
+  listen: restart vulnerability