{
"kind": "Template",
"apiVersion": "v1",
"metadata": {
"name": "freeipa-server",
"labels": {
"app": "${IPA_SERVER_SERVICE}"
},
"annotations": {
"openshift.io/display-name": "FreeIPA Server",
"description": "Single-replica FreeIPA server exposing DNS, Kerberos, LDAP/LDAPS, HTTP/HTTPS and CA ports (9443-9445) through one Service, with persistent storage mounted at /data. The pod must run as root, so a service account bound to the anyuid SCC is required (see SERVICE_ACCOUNT_USEROOT).",
"tags": "quickstart,freeipa,idm,identity management"
}
},
"objects": [
{
"kind": "ImageStream",
"apiVersion": "v1",
"metadata": {
"name": "freeipa-server",
"annotations": {
"openshift.io/display-name": "FreeIPA Server"
}
},
"spec": {
"tags": [
{
"name": "latest",
"annotations": {
"openshift.io/display-name": "FreeIPA Server on Fedora 25",
"tags": "freeipa, identity management"
},
"from": {
"kind": "DockerImage",
"name": "freeipa/freeipa-server:latest"
}
},
{
"name": "centos-7",
"annotations": {
"openshift.io/display-name": "FreeIPA Server on CentOS 7",
"tags": "freeipa, identity management"
},
"from": {
"kind": "DockerImage",
"name": "freeipa/freeipa-server:centos-7"
}
}
]
}
},
{
"kind": "Route",
"apiVersion": "v1",
"metadata": {
"name": "${IPA_SERVER_SERVICE}-https",
"annotations": {
"description": "Route for FreeIPA server's HTTPS. TLS termination is passthrough, so the router does not terminate TLS; the ACME-issued certificate Secret is mounted read-only into the pod at /etc/ssl/ipa.",
"kubernetes.io/tls-acme": "true",
"kubernetes.io/tls-acme-secretname": "${IPA_SERVER_SERVICE}-acme-cert",
"kubernetes.io/tls-acme-secretnamespace": "acme-example"
}
},
"spec": {
"to": {
"kind": "Service",
"name": "${IPA_SERVER_SERVICE}"
},
"port": {
"targetPort": "https"
},
"tls": {
"termination": "passthrough"
}
}
},
{
"kind": "Secret",
"apiVersion": "v1",
"metadata": {
"name": "${IPA_SERVER_SERVICE}-password"
},
"stringData" : {
"admin.password": "${IPA_ADMIN_PASSWORD}"
}
},
{
"kind": "Service",
"apiVersion": "v1",
"metadata": {
"name": "${IPA_SERVER_SERVICE}"
},
"spec": {
"ports": [
{
"name": "dns-tcp",
"protocol": "TCP",
"port": 53,
"targetPort": 53
},
{
"name": "dns-udp",
"protocol": "UDP",
"port": 53,
"targetPort": 53
},
{
"name": "http",
"protocol": "TCP",
"port": 80,
"targetPort": 80
},
{
"name": "kerberos-tcp",
"protocol": "TCP",
"port": 88,
"targetPort": 88
},
{
"name": "kerberos-udp",
"protocol": "UDP",
"port": 88,
"targetPort": 88
},
{
"name": "ntp",
"protocol": "UDP",
"port": 123,
"targetPort": 123
},
{
"name": "ldap",
"protocol": "TCP",
"port": 389,
"targetPort": 389
},
{
"name": "https",
"protocol": "TCP",
"port": 443,
"targetPort": 443
},
{
"name": "kpasswd-tcp",
"protocol": "TCP",
"port": 464,
"targetPort": 464
},
{
"name": "kpasswd-udp",
"protocol": "UDP",
"port": 464,
"targetPort": 464
},
{
"name": "ldaps",
"protocol": "TCP",
"port": 636,
"targetPort": 636
},
{
"name": "ldap-replication",
"protocol": "TCP",
"port": 7389,
"targetPort": 7389
},
{
"name": "ca-webui",
"protocol": "TCP",
"port": 9443,
"targetPort": 9443
},
{
"name": "ca-https",
"protocol": "TCP",
"port": 9444,
"targetPort": 9444
},
{
"name": "ca-admin",
"protocol": "TCP",
"port": 9445,
"targetPort": 9445
}
],
"clusterIP": "${IPA_SERVER_IP}",
"selector": {
"app": "${IPA_SERVER_SERVICE}"
}
}
},
{
"kind": "DeploymentConfig",
"apiVersion": "v1",
"metadata": {
"name": "${IPA_SERVER_SERVICE}"
},
"spec": {
"strategy": {
"type": "Recreate",
"recreateParams": {
"timeoutSeconds": "${TIMEOUT}"
}
},
"triggers": [
{
"type": "ConfigChange"
},
{
"type": "ImageChange",
"imageChangeParams": {
"automatic": true,
"containerNames": [
"${IPA_SERVER_SERVICE}"
],
"from": {
"kind": "ImageStreamTag",
"name": "${IPA_SERVER_IMAGE}"
}
}
}
],
"replicas": 1,
"test": false,
"selector": {
"app": "${IPA_SERVER_SERVICE}"
},
"template": {
"metadata": {
"name": "${IPA_SERVER_SERVICE}",
"labels": {
"app": "${IPA_SERVER_SERVICE}"
}
},
"spec": {
"volumes": [
{
"name": "${IPA_SERVER_SERVICE}-data",
"persistentVolumeClaim": {
"claimName": "${IPA_SERVER_SERVICE}"
}
},
{
"name": "${IPA_SERVER_SERVICE}-run",
"emptyDir": {}
},
{
"name": "${IPA_SERVER_SERVICE}-tmp",
"emptyDir": {}
},
{
"name": "${IPA_SERVER_SERVICE}-journal",
"emptyDir": {}
},
{
"name": "${IPA_SERVER_SERVICE}-acme-cert",
"secret": {
"secretName": "${IPA_SERVER_SERVICE}-acme-cert"
}
}
],
"containers": [
{
"name": "${IPA_SERVER_SERVICE}",
"image": " ",
"ports": [
{
"containerPort": 53,
"protocol": "TCP"
},
{
"containerPort": 53,
"protocol": "UDP"
},
{
"containerPort": 80,
"protocol": "TCP"
},
{
"containerPort": 88,
"protocol": "TCP"
},
{
"containerPort": 88,
"protocol": "UDP"
},
{
"containerPort": 123,
"protocol": "UDP"
},
{
"containerPort": 389,
"protocol": "TCP"
},
{
"containerPort": 443,
"protocol": "TCP"
},
{
"containerPort": 464,
"protocol": "TCP"
},
{
"containerPort": 464,
"protocol": "UDP"
},
{
"containerPort": 636,
"protocol": "TCP"
},
{
"containerPort": 7389,
"protocol": "TCP"
},
{
"containerPort": 9443,
"protocol": "TCP"
},
{
"containerPort": 9444,
"protocol": "TCP"
},
{
"containerPort": 9445,
"protocol": "TCP"
}
],
"env": [
{
"name": "IPA_SERVER_IP",
"value": "${IPA_SERVER_IP}"
},
{
"name": "IPA_SERVER_INSTALL_OPTS",
"value": "${IPA_SERVER_INSTALL_OPTS}"
},
{
"name": "PASSWORD",
"valueFrom": {
"secretKeyRef" : {
"name" : "${IPA_SERVER_SERVICE}-password",
"key" : "admin.password"
}
}
}
],
"resources": {},
"volumeMounts": [
{
"name": "${IPA_SERVER_SERVICE}-data",
"mountPath": "/data"
},
{
"name": "${IPA_SERVER_SERVICE}-run",
"mountPath": "/run"
},
{
"name": "${IPA_SERVER_SERVICE}-tmp",
"mountPath": "/tmp"
},
{
"name": "${IPA_SERVER_SERVICE}-journal",
"mountPath": "/var/log/journal"
},
{
"name": "${IPA_SERVER_SERVICE}-acme-cert",
"mountPath": "/etc/ssl/ipa",
"readOnly": true
}
],
"readinessProbe": {
"exec": {
"command": [
"/usr/bin/systemctl", "status", "ipa"
]
},
"initialDelaySeconds": 60,
"timeoutSeconds": 10,
"periodSeconds": 10,
"successThreshold": 1,
"failureThreshold": 3
}
}
],
"restartPolicy": "Always",
"serviceAccountName": "${SERVICE_ACCOUNT_USEROOT}",
"securityContext": {}
}
}
}
},
{
"kind": "PersistentVolumeClaim",
"apiVersion": "v1",
"metadata": {
"name": "${IPA_SERVER_SERVICE}"
},
"spec": {
"accessModes": [
"ReadWriteOnce"
],
"resources": {
"requests": {
"storage": "${VOLUME_CAPACITY}"
}
}
}
}
],
"parameters": [
{
"name": "IPA_SERVER_SERVICE",
"displayName": "Service and deployment config name",
"required": true,
"value": "freeipa-server"
},
{
"name": "IPA_SERVER_IMAGE",
"displayName": "Image to use for the service (an ImageStreamTag; the default latest tag tracks the upstream freeipa/freeipa-server:latest image and the automatic ImageChange trigger redeploys whenever it moves - pin a specific tag or digest for reproducible deployments)",
"required": true,
"value": "freeipa-server:latest"
},
{
"name": "IPA_SERVER_IP",
"displayName": "FreeIPA server service IP address",
"required": false
},
{
"name": "IPA_SERVER_INSTALL_OPTS",
"displayName": "Options to ipa-server-install command (-U runs the install unattended; replace the placeholder realm EXAMPLE.TEST before deploying)",
"required": true,
"value": "-U -r EXAMPLE.TEST --setup-dns --no-forwarders --no-ntp"
},
{
"name": "IPA_ADMIN_PASSWORD",
"displayName": "Admin's password (stored in the *-password Secret and passed to the container as the PASSWORD environment variable; a random 32-character alphanumeric value is generated when left empty)",
"required": false,
"from": "[a-zA-Z0-9]{32}",
"generate": "expression"
},
{
"name": "SERVICE_ACCOUNT_USEROOT",
"displayName": "Service account to use for running the pods",
"description": "It has to allow running containers as root, for example: oc create serviceaccount useroot ; oc adm policy add-scc-to-user anyuid -z useroot. Prefer a dedicated service account as in the example over granting anyuid to the project's default service account, since anyuid lets every pod using that account run as root.",
"required": false,
"value": "default"
},
{
"name": "VOLUME_CAPACITY",
"displayName": "Volume capacity",
"required": true,
"value": "1Gi"
},
{
"name": "TIMEOUT",
"displayName": "Timeout for pods to become ready (in seconds)",
"required": true,
"value": "600"
}
]
}