MAS DevOps Ansible Collection Ansible CLI

suite_certs

This role iterates through the subdirectories of $MAS_CONFIG_DIR/certs, each of which is named either core or after an app (monitor, manage, iot and so on). In each subdirectory it looks for tls.crt, tls.key and ca.crt. The subdirectory name is used to construct the namespace, which the role creates or identifies, and the role then creates the TLS secret with the TLS/CA certs in that namespace. The subdirectories must therefore be named exactly as the app names used in the namespace suffixes.

Directory structure example

$MAS_CONFIG_DIR/certs/core/tls.crt
$MAS_CONFIG_DIR/certs/core/tls.key
$MAS_CONFIG_DIR/certs/core/ca.crt
$MAS_CONFIG_DIR/certs/<apps>/tls.crt
$MAS_CONFIG_DIR/certs/<apps>/tls.key
$MAS_CONFIG_DIR/certs/<apps>/ca.crt

TLS Secret

tls.crt, tls.key and ca.crt are mandatory files in these subdirectories. They are used to create the TLS secret in each application's namespace. The role will fail if an empty app subdirectory is present or if an app subdirectory is missing a mandatory file.

Note:

Currently the secret names for core and each app are maintained in suite_certs/defaults/main.yml. Any change to an existing secret name, or the addition of a new app, needs to be made there.
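
The mandatory-file rule above, as a pre-flight check you can run before the role (an added example, not code from the ibm.mas_devops collection). `check_certs_dir` is a hypothetical helper name, the demo tree is constructed, and the key-permission warning is an extra check that the page does not attribute to the role.

```bash
#!/usr/bin/env bash
# Pre-flight check for the layout suite_certs expects under $MAS_CONFIG_DIR/certs.
# check_certs_dir is a hypothetical helper, not part of ibm.mas_devops.
MANDATORY_FILES="tls.crt tls.key ca.crt"

check_certs_dir() {
  local certs_dir="$1" rc=0 sub app f found
  if [ ! -d "$certs_dir" ]; then
    echo "ERROR: $certs_dir is not a directory"
    return 1
  fi
  for sub in "$certs_dir"/*/; do
    [ -d "$sub" ] || continue   # glob matched nothing
    app="$(basename "$sub")"
    found=0
    for f in $MANDATORY_FILES; do
      if [ -s "$sub$f" ]; then
        found=$((found + 1))
      else
        echo "ERROR: $app: missing or empty $f"
        rc=1
      fi
    done
    if [ "$found" -eq 0 ]; then
      echo "ERROR: $app: subdirectory has no certificate files"
    fi
    # Extra check added here (the page does not say the role does this):
    # warn when the private key is readable by group or others.
    if [ -f "${sub}tls.key" ] &&
       [ -n "$(find "${sub}tls.key" -prune \( -perm -040 -o -perm -004 \))" ]; then
      echo "WARN: $app: tls.key is readable by group or others"
    fi
  done
  return "$rc"
}

# Constructed demo tree: core complete, manage missing ca.crt, iot empty.
demo="$(mktemp -d)"
mkdir -p "$demo/certs/core" "$demo/certs/manage" "$demo/certs/iot"
for f in $MANDATORY_FILES; do echo placeholder > "$demo/certs/core/$f"; done
chmod 600 "$demo/certs/core/tls.key"
echo placeholder > "$demo/certs/manage/tls.crt"
echo placeholder > "$demo/certs/manage/tls.key"
chmod 644 "$demo/certs/manage/tls.key"
check_certs_dir "$demo/certs" || echo "fix the layout before running suite_certs"
rm -rf "$demo"
```

Call it as `check_certs_dir "$MAS_CONFIG_DIR/certs"`; a non-zero return means at least one subdirectory would make the role fail.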

Role Variables

mas_instance_id

The instance ID of the Maximo Application Suite installation to verify.

mas_manual_cert_mgmt

Set this to True if you want to enable manual certificate management mode.

mas_config_dir

Path to the MAS config directory.

gitops

Boolean flag indicating whether to run the role in gitops mode. True means that no OpenShift resources are created on the cluster.

Role Variables - CIS as DNS Provider (Optional)

Optional variables for users who manage DNS with IBM Cloud Internet Services (CIS). This role will guarantee that the CNAMEs related to your MAS routes are created or updated in the specified CIS instance.

dns_provider

Set this to cis if you manage DNS using IBM Cloud Internet Services. Setting this variable to any value other than cis results in an error (it may be left blank, as it is optional).

mas_workspace_id

The workspace ID, used as part of the CNAME definitions when using cis as dns_provider.

cis_crn

CRN key identifying the CIS instance in IBM Cloud. You can find it on the page of your CIS instance.

cis_apikey

API key used to access CIS in IBM Cloud.

cis_subdomain

The subdomain, used as part of the CNAME definitions when using cis as dns_provider.

cis_proxy

Set this to True if you want to enable the proxy on your CIS CNAMEs, leveraging the security rules defined for this software.

The directory structure for the certificates must be as shown below:

$MAS_CONFIG_DIR/certs/core/tls.crt
$MAS_CONFIG_DIR/certs/core/tls.key
$MAS_CONFIG_DIR/certs/core/ca.crt
$MAS_CONFIG_DIR/certs/manage/tls.crt
$MAS_CONFIG_DIR/certs/manage/tls.key
$MAS_CONFIG_DIR/certs/manage/ca.crt
$MAS_CONFIG_DIR/certs/<app>/tls.crt
$MAS_CONFIG_DIR/certs/<app>/tls.key
$MAS_CONFIG_DIR/certs/<app>/ca.crt

The subdirectory name in the $MAS_CONFIG_DIR/certs directory is used to construct the namespace to which the TLS secret will be applied, so name each directory appropriately.

Example Playbook

- hosts: localhost
  any_errors_fatal: true
  vars:
    mas_instance_id: masinst1
    mas_manual_cert_mgmt: True
    mas_config_dir: /Users/johnbarnes/Document/masconfig
  roles:
    - ibm.mas_devops.suite_certs

More Detailed View of Directory Structure

MAS_CONFIG_DIR
|
|---certs
|     |
|     |
|     |---core
|     |    |
|     |    |---tls.crt
|     |    |---tls.key
|     |    |---ca.crt
|     |---iot
|     |    |
|     |    |---tls.crt
|     |    |---tls.key
|     |    |---ca.crt
|     |---monitor
|     |    |
|     |    |---tls.crt
|     |    |---tls.key
|     |    |---ca.crt
|     |---manage
|     |    |
|     |    |---tls.crt
|     |    |---tls.key
|     |    |---ca.crt
|     |---add
|     |    |
|     |    |---tls.crt
|     |    |---tls.key
|     |    |---ca.crt
|     |---assist
|     |    |
|     |    |---tls.crt
|     |    |---tls.key
|     |    |---ca.crt
|     |---optimizer
|     |    |
|     |    |---tls.crt
|     |    |---tls.key
|     |    |---ca.crt
|     |---visualinspection
|     |    |
|     |    |---tls.crt
|     |    |---tls.key
|     |    |---ca.crt

License

EPL-2.0