---
# OpenShift Template: single-pod FreeIPA server (CA, Kerberos KDC, Directory
# Server and integrated DNS) built from the upstream freeipa/freeipa-server
# container image.
#
# Security properties that follow from the objects below (not assumptions):
#   * Only port 443 leaves the cluster, via a passthrough Route; every other
#     IPA protocol (DNS, Kerberos, kpasswd, LDAP/LDAPS, CA ports) is reachable
#     on the ClusterIP Service only. No NetworkPolicy is defined here, so who
#     can reach those ports in-cluster depends on the cluster's network plugin.
#   * The admin password lives in a Secret and is injected as the PASSWORD env
#     variable; it is never written into the pod spec itself.
#   * The image is systemd-based and has to run as root, so the pod needs a
#     service account bound to an SCC such as `anyuid` (see SERVICE_ACCOUNT_USEROOT).
#   * The image is tracked by mutable tag with an automatic ImageChange
#     trigger, so upstream pushes re-deploy the identity server unreviewed.
kind: Template
apiVersion: v1
metadata:
  name: freeipa-server
  labels:
    app: "${IPA_SERVER_SERVICE}"
  annotations:
    openshift.io/display-name: FreeIPA Server
    description: FreeIPA Server
    tags: quickstart,freeipa,idm,identity management
objects:
  # ImageStream mirroring the upstream image from Docker Hub by *mutable* tag.
  # Supply-chain caveat: together with the DeploymentConfig's
  # `automatic: true` ImageChange trigger, any new push of `latest` or
  # `centos-7` upstream is rolled out to this server automatically.
  # For anything beyond a test deployment, reference the image by digest
  # (`freeipa/freeipa-server@sha256:...`) or set the trigger to
  # `automatic: false` and roll out deliberately after reviewing the image.
  - kind: ImageStream
    apiVersion: v1
    metadata:
      name: freeipa-server
      annotations:
        openshift.io/display-name: FreeIPA Server
    spec:
      tags:
        - name: latest
          annotations:
            openshift.io/display-name: FreeIPA Server on Fedora 25
            tags: freeipa, identity management
          from:
            kind: DockerImage
            name: freeipa/freeipa-server:latest
        - name: centos-7
          annotations:
            openshift.io/display-name: FreeIPA Server on CentOS 7
            tags: freeipa, identity management
          from:
            kind: DockerImage
            name: freeipa/freeipa-server:centos-7
  # External HTTPS entry point. `termination: passthrough` means the router
  # never sees plaintext: TLS is terminated inside the FreeIPA container, so
  # the certificate that clients see is whatever the container serves.
  # No `host:` is set, so the router assigns its default hostname.
  # NOTE(review): FreeIPA's Kerberos/LDAP identity is bound to its hostname;
  # confirm the Route hostname matches what ipa-server-install was given.
  - kind: Route
    apiVersion: v1
    metadata:
      name: "${IPA_SERVER_SERVICE}-https"
      annotations:
        description: Route for FreeIPA server's HTTPS
        # ACME controller hints. NOTE(review): the controller is told to store
        # the certificate in namespace `acme-example`, while the pod below
        # mounts `${IPA_SERVER_SERVICE}-acme-cert` from its *own* namespace —
        # unless the two are the same project, the mounted secret will not be
        # the ACME-issued one. Confirm against the ACME controller in use.
        kubernetes.io/tls-acme: 'true'
        kubernetes.io/tls-acme-secretname: "${IPA_SERVER_SERVICE}-acme-cert"
        kubernetes.io/tls-acme-secretnamespace: acme-example
    spec:
      to:
        kind: Service
        name: "${IPA_SERVER_SERVICE}"
      port:
        targetPort: https
      tls:
        termination: passthrough
  # Initial admin credential. If IPA_ADMIN_PASSWORD is not supplied the
  # template generates 32 random alphanumerics (see the parameter below).
  # A Secret is base64-encoded, not encrypted: anyone who can read Secrets
  # in this project can read the admin password. Treat it as the bootstrap
  # credential and rotate it in IPA after installation.
  - kind: Secret
    apiVersion: v1
    metadata:
      name: "${IPA_SERVER_SERVICE}-password"
    stringData:
      admin.password: "${IPA_ADMIN_PASSWORD}"
  # Cluster-internal Service (no `type`, so ClusterIP). It deliberately
  # exposes the plaintext protocols too (80/http, 389/ldap, 88/kerberos):
  # IPA clients need Kerberos and LDAP, and LDAP on 389 is normally upgraded
  # with STARTTLS by IPA clients — but nothing in this template enforces that.
  # None of these ports is reachable from outside the cluster; only 443 is
  # published through the Route above.
  - kind: Service
    apiVersion: v1
    metadata:
      name: "${IPA_SERVER_SERVICE}"
    spec:
      ports:
        - name: dns-tcp
          protocol: TCP
          port: 53
          targetPort: 53
        - name: dns-udp
          protocol: UDP
          port: 53
          targetPort: 53
        - name: http
          protocol: TCP
          port: 80
          targetPort: 80
        - name: kerberos-tcp
          protocol: TCP
          port: 88
          targetPort: 88
        - name: kerberos-udp
          protocol: UDP
          port: 88
          targetPort: 88
        - name: ntp
          protocol: UDP
          port: 123
          targetPort: 123
        - name: ldap
          protocol: TCP
          port: 389
          targetPort: 389
        - name: https
          protocol: TCP
          port: 443
          targetPort: 443
        - name: kpasswd-tcp
          protocol: TCP
          port: 464
          targetPort: 464
        - name: kpasswd-udp
          protocol: UDP
          port: 464
          targetPort: 464
        - name: ldaps
          protocol: TCP
          port: 636
          targetPort: 636
        - name: ldap-replication
          protocol: TCP
          port: 7389
          targetPort: 7389
        # Dogtag CA ports. 9445 is the CA admin interface; it is only
        # reachable in-cluster, but consider whether it needs a Service
        # entry at all.
        - name: ca-webui
          protocol: TCP
          port: 9443
          targetPort: 9443
        - name: ca-https
          protocol: TCP
          port: 9444
          targetPort: 9444
        - name: ca-admin
          protocol: TCP
          port: 9445
          targetPort: 9445
      # Empty IPA_SERVER_IP leaves allocation to OpenShift. The same value is
      # handed to the container as the IPA_SERVER_IP env var, presumably so the
      # server can publish a stable address in DNS — verify against the image.
      clusterIP: "${IPA_SERVER_IP}"
      selector:
        app: "${IPA_SERVER_SERVICE}"
  # Single-replica DeploymentConfig. `Recreate` is required because the data
  # volume is ReadWriteOnce and an IPA instance cannot be run twice against
  # the same state; this is a single point of failure with no IPA replica.
  - kind: DeploymentConfig
    apiVersion: v1
    metadata:
      name: "${IPA_SERVER_SERVICE}"
    spec:
      strategy:
        type: Recreate
        recreateParams:
          # NOTE(review): timeoutSeconds is an integer field and "${TIMEOUT}"
          # substitutes as a string; the `${{TIMEOUT}}` form substitutes
          # unquoted. Confirm the target OpenShift version accepts this.
          timeoutSeconds: "${TIMEOUT}"
      triggers:
        - type: ConfigChange
        # Automatic redeploy on any new image under the tracked tag — see the
        # supply-chain caveat on the ImageStream above.
        - type: ImageChange
          imageChangeParams:
            automatic: true
            containerNames:
              - "${IPA_SERVER_SERVICE}"
            from:
              kind: ImageStreamTag
              name: "${IPA_SERVER_IMAGE}"
      replicas: 1
      test: false
      selector:
        app: "${IPA_SERVER_SERVICE}"
      template:
        metadata:
          name: "${IPA_SERVER_SERVICE}"
          labels:
            app: "${IPA_SERVER_SERVICE}"
        spec:
          volumes:
            # Persistent IPA state. Everything the image keeps under /data —
            # presumably the Directory Server database, CA and KDC key
            # material — ends up on this claim, so it is the most sensitive
            # artifact this template creates: back it with encrypted storage,
            # restrict who can mount or snapshot it, and back it up.
            - name: "${IPA_SERVER_SERVICE}-data"
              persistentVolumeClaim:
                claimName: "${IPA_SERVER_SERVICE}"
            - name: "${IPA_SERVER_SERVICE}-run"
              emptyDir: {}
            - name: "${IPA_SERVER_SERVICE}-tmp"
              emptyDir: {}
            # Forensics caveat: the systemd journal is an emptyDir, so logs
            # (including any audit-relevant KDC/DS messages routed to it) are
            # lost whenever the pod is deleted. Forward logs or persist this
            # volume if you need them for incident response.
            - name: "${IPA_SERVER_SERVICE}-journal"
              emptyDir: {}
            # Certificate issued for the Route; mounted read-only below.
            - name: "${IPA_SERVER_SERVICE}-acme-cert"
              secret:
                secretName: "${IPA_SERVER_SERVICE}-acme-cert"
          containers:
            - name: "${IPA_SERVER_SERVICE}"
              # Placeholder: the ImageChange trigger fills in the real image
              # reference from the ImageStreamTag at deploy time.
              image: " "
              ports:
                - containerPort: 53
                  protocol: TCP
                - containerPort: 53
                  protocol: UDP
                - containerPort: 80
                  protocol: TCP
                - containerPort: 88
                  protocol: TCP
                - containerPort: 88
                  protocol: UDP
                - containerPort: 123
                  protocol: UDP
                - containerPort: 389
                  protocol: TCP
                - containerPort: 443
                  protocol: TCP
                - containerPort: 464
                  protocol: TCP
                - containerPort: 464
                  protocol: UDP
                - containerPort: 636
                  protocol: TCP
                - containerPort: 7389
                  protocol: TCP
                - containerPort: 9443
                  protocol: TCP
                - containerPort: 9444
                  protocol: TCP
                - containerPort: 9445
                  protocol: TCP
              env:
                - name: IPA_SERVER_IP
                  value: "${IPA_SERVER_IP}"
                # Passed through to ipa-server-install by the image entrypoint
                # (not visible here). Whatever is put in this parameter runs as
                # root inside the container, so restrict who may edit it.
                - name: IPA_SERVER_INSTALL_OPTS
                  value: "${IPA_SERVER_INSTALL_OPTS}"
                # Admin password from the Secret. The pod spec only carries the
                # reference, but anyone with `exec`/`rsh` on the pod can read
                # the resolved value from the process environment.
                - name: PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: "${IPA_SERVER_SERVICE}-password"
                      key: admin.password
              # No requests/limits: the KDC and Directory Server can be starved
              # by, or starve, neighbours on the node. Set limits before
              # relying on this for authentication.
              resources: {}
              volumeMounts:
                - name: "${IPA_SERVER_SERVICE}-data"
                  mountPath: "/data"
                - name: "${IPA_SERVER_SERVICE}-run"
                  mountPath: "/run"
                - name: "${IPA_SERVER_SERVICE}-tmp"
                  mountPath: "/tmp"
                - name: "${IPA_SERVER_SERVICE}-journal"
                  mountPath: "/var/log/journal"
                # NOTE(review): how the image consumes the cert under
                # /etc/ssl/ipa is not shown in this template; if it is not
                # picked up, the passthrough Route serves IPA's own
                # CA-issued certificate instead of the ACME one.
                - name: "${IPA_SERVER_SERVICE}-acme-cert"
                  mountPath: "/etc/ssl/ipa"
                  readOnly: true
              # Readiness only checks the systemd unit state; there is no
              # livenessProbe, so a hung KDC/DS with a healthy unit is never
              # restarted and simply stops receiving traffic.
              readinessProbe:
                exec:
                  command:
                    - "/usr/bin/systemctl"
                    - status
                    - ipa
                initialDelaySeconds: 60
                timeoutSeconds: 10
                periodSeconds: 10
                successThreshold: 1
                failureThreshold: 3
          restartPolicy: Always
          # The service account must be allowed to run as root (systemd in the
          # container). Do NOT bind `anyuid` to the project's `default` SA —
          # that elevates every pod in the project; create a dedicated SA as
          # the parameter description suggests and pass its name here.
          serviceAccountName: "${SERVICE_ACCOUNT_USEROOT}"
          # Empty: runAsUser/fsGroup/SELinux options are left to the SCC the
          # service account resolves to.
          securityContext: {}
  # Backing store for /data; see the volume comment above for its sensitivity.
  - kind: PersistentVolumeClaim
    apiVersion: v1
    metadata:
      name: "${IPA_SERVER_SERVICE}"
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: "${VOLUME_CAPACITY}"
parameters:
  - name: IPA_SERVER_SERVICE
    displayName: Service and deployment config name
    required: true
    value: freeipa-server
  # ImageStreamTag to deploy. Defaults to the mutable `latest` tag — see the
  # supply-chain caveat on the ImageStream.
  - name: IPA_SERVER_IMAGE
    displayName: Image to use for the service
    required: true
    value: freeipa-server:latest
  - name: IPA_SERVER_IP
    displayName: FreeIPA server service IP address
    required: false
  # Defaults: -U unattended, realm EXAMPLE.TEST (a placeholder — change it),
  # integrated DNS with no forwarders, and no NTP server. Anything added here
  # is executed as root by the installer inside the container.
  - name: IPA_SERVER_INSTALL_OPTS
    displayName: Options to ipa-server-install command
    required: true
    value: "-U -r EXAMPLE.TEST --setup-dns --no-forwarders --no-ntp"
  # Generated from the expression when not supplied: 32 characters from
  # [a-zA-Z0-9], i.e. roughly 190 bits of entropy. Stored in the Secret above.
  - name: IPA_ADMIN_PASSWORD
    displayName: Admin's password
    required: false
    from: "[a-zA-Z0-9]{32}"
    generate: expression
  # Least-privilege caveat: the description shows how to create a dedicated
  # `useroot` account, but the default value is `default`. Granting `anyuid`
  # to `default` affects every pod in the project; override this with the
  # dedicated account instead.
  - name: SERVICE_ACCOUNT_USEROOT
    displayName: Service account to use for running the pods
    description: 'It has to allow running containers as root, for example: oc create
      serviceaccount useroot ; oc adm policy add-scc-to-user anyuid -z useroot'
    required: false
    value: default
  - name: VOLUME_CAPACITY
    displayName: Volume capacity
    required: true
    value: 1Gi
  - name: TIMEOUT
    displayName: Timeout for pods to become ready (in seconds)
    required: true
    value: '600'