Merge pull request #877 from IBM/cp4ba20241128

CP4BA 24.0.1, IPM 2.0.0, RPA 23.0.19

automation-roles/20-prepare/download-cp-dependencies/tasks/download-cp4ba-dependencies.yml

@@ -1,6 +1 @@
----
-- include_role: 
-    name: java-download
-
-- include_role:
-    name: helm-download
+---

automation-roles/50-install-cloud-pak/cp4ba/akhq/tasks/install.yml

@@ -14,23 +14,51 @@
     common_namespace_name: "{{ akhq_project_name }}"
     common_output_directory: "{{ akhq_output_directory }}"
 
-- name: Import trusted CA from SSL certificate
-  community.general.java_cert:
-    cert_url: "iaf-system-kafka-bootstrap-{{ akhq_cp4ba_project_name }}.{{ apps_endpoint_domain }}"
-    keystore_path: "{{ akhq_output_directory }}/truststore.jks"
-    keystore_pass: "{{ akhq_universal_password }}"
-    keystore_create: true
+- name: Create a pod with OpenJDK runtime image
+  kubernetes.core.k8s:
     state: present
-    cert_alias: iaf-ca
+    definition:
+      apiVersion: v1
+      kind: Pod
+      metadata:
+        name: akhq-keytool
+        namespace: "{{ akhq_project_name }}"
+      spec:
+        containers:
+          - name: openjdk-container
+            image: ubi9/openjdk-17-runtime:1.21-1
+            command: ["/bin/sh", "-c", "sleep 3600"]
+    wait: true
 
-- name: Load jks data
-  ansible.builtin.slurp:
-    src: "{{ akhq_output_directory }}/truststore.jks"
-  register: slurped_jks_data
+- name: Fetch certificate, create JKS, and encode as Base64
+  kubernetes.core.k8s_exec:
+    namespace: "{{ akhq_project_name }}"
+    pod: akhq-keytool
+    container: openjdk-container
+    command: |
+      /bin/bash -c '
+      keytool -printcert -rfc -sslserver iaf-system-kafka-bootstrap-{{ akhq_cp4ba_project_name }}.{{ apps_endpoint_domain }}:443 > /tmp/cert.pem
+      keytool -importcert \
+        -file /tmp/cert.pem \
+        -alias iaf-ca \
+        -keystore /tmp/truststore.jks \
+        -storepass {{ akhq_universal_password }} \
+        -noprompt \
+        -trustcacerts
+      base64 -w 0 /tmp/truststore.jks
+      '
+  register: base64_result
 
 - name: Decode data and store as fact
   ansible.builtin.set_fact:
-    _jks: "{{ slurped_jks_data.content }}"
+    _jks: "{{ base64_result.stdout }}"
+
+- name: Cleanup pod after execution
+  kubernetes.core.k8s:
+    state: absent
+    kind: Pod
+    name: akhq-keytool
+    namespace: "{{ akhq_project_name }}"
 
 - name: Get OCP Apps Endpoint
   ansible.builtin.include_role:

automation-roles/50-install-cloud-pak/cp4ba/cerebro/templates/deployments.yaml.j2

@@ -26,7 +26,7 @@ spec:
               memory: 512Mi
             limits:
               cpu: 500m
-              memory: 1536Mi            
+              memory: 4096Mi            
           startupProbe:
             tcpSocket:
               port: 8080

automation-roles/50-install-cloud-pak/cp4ba/common/tasks/nexus-upload.yml

@@ -17,27 +17,6 @@
   vars:
     common_output_to_var: "apps_endpoint_domain"
 
-# TODO from ansible 2.10+ but line endings of jar files are changed and CP4BA components cannot use these modified jars.
-# - name: Upload to Nexus
-#   ansible.builtin.uri:
-#     url: "https://nexus.{{ apps_endpoint_domain }}/service/rest/v1/components?repository=raw-hosted"
-#     method: POST
-#     body_format: form-multipart
-#     body:
-#       raw.directory: cp4ba
-#       raw.asset1:
-#         content: "{{ lookup('file', common_file_folder_path+'/'+common_file_name) }}"
-#         filename: "{{ common_file_name }}"
-#       raw.asset1.filename: "{{ common_file_name }}"
-#     validate_certs: false
-#     status_code:
-#       - 204
-#     user: "{{ lc_principal_admin_user }}"
-#     password: "{{ lc_principal_admin_password }}"
-#     force_basic_auth: true
-#   register: nexus_upload_result
-#   ignore_errors: true
-
 - name: Upload to Nexus
   ansible.builtin.command: |
     curl -kX 'POST' \
@@ -51,6 +30,7 @@
     -s -o /dev/null -w "%{http_code}"
   register: import_curl_result
   changed_when: true
+  # noqa: command-instead-of-module
 
 - name: Restart and reupload
   when: import_curl_result.stdout != "204"
@@ -79,24 +59,6 @@
         common_retries: 80
         common_delay: 15
 
-    # TODO from ansible 2.10+ but line endings of jar files are changed and CP4BA components cannot use these modified jars.
-    # - name: Upload to Nexus
-    #   ansible.builtin.uri:
-    #     url: "https://nexus.{{ apps_endpoint_domain }}/service/rest/v1/components?repository=raw-hosted"
-    #     method: POST
-    #     body_format: form-multipart
-    #     body:
-    #       raw.directory: cp4ba
-    #       raw.asset1:
-    #         content: "{{ lookup('file', common_file_folder_path+'/'+common_file_name) }}"
-    #         filename: "{{ common_file_name }}"
-    #       raw.asset1.filename: "{{ common_file_name }}"
-    #     validate_certs: false
-    #     status_code: 204
-    #     user: "{{ lc_principal_admin_user }}"
-    #     password: "{{ lc_principal_admin_password }}"
-    #     force_basic_auth: true
-
     - name: Upload to Nexus
       ansible.builtin.command: |
         curl -kX 'POST' \
@@ -111,3 +73,4 @@
       register: import_curl_result
       failed_when: import_curl_result.stdout != "204"
       changed_when: true
+      # noqa: command-instead-of-module

automation-roles/50-install-cloud-pak/cp4ba/common/tasks/remove-postgresql-tablespace.yml

@@ -1,6 +1,6 @@
 # Example of the functionality call
 #
-# - name: Remove PostgreSQL tablespace
+# - name: Remove PostgreSQL tablespace and folder
 #   ansible.builtin.include_role:
 #     name: common
 #     tasks_from: remove-postgresql-tablespace
@@ -24,7 +24,7 @@
     command: >
       bash -c "
         psql postgresql://postgres:$POSTGRES_PASSWORD@localhost:5432 <<-EOF
-        DROP TABLESPACE IF EXISTS {{ common_postgresql_tablespace_name }}_tbs;
+        DROP TABLESPACE IF EXISTS {{ common_postgresql_tablespace_name }};
       EOF"
   register: command_status
   when: postgresql_pod.resources | length != 0

automation-roles/50-install-cloud-pak/cp4ba/common/tasks/wait-crd.yml

@@ -14,7 +14,7 @@
     name: "{{ common_crd_name }}"
   register: common_crd
   retries: 20
-  delay: 2
+  delay: 20
   until: common_crd.resources and ('True' in common_crd | json_query(condition_query) | unique )
   vars:
     condition_query: "resources[0].status.conditions[?type == 'Established'].status"

automation-roles/50-install-cloud-pak/cp4ba/config/tasks/main.yml

@@ -33,7 +33,7 @@
 
 - name: PostgreSQL config variable
   ansible.builtin.set_fact:
-    postgresql_enabled: "{{ true if _current_cp4ba_cluster.cp4ba.enabled or urrent_cp4ba_cluster.pm.enabled else false }}"
+    postgresql_enabled: "{{ true if _current_cp4ba_cluster.cp4ba.enabled or _current_cp4ba_cluster.pm.enabled else false }}"
 
 - name: Openldap config variable
   ansible.builtin.set_fact:

automation-roles/50-install-cloud-pak/cp4ba/cp4ba-cluster/tasks/install.yml

@@ -98,15 +98,15 @@
   when: _current_cp4ba_cluster.cp4ba.enabled and _current_cp4ba_cluster.cp4ba.patterns.foundation.optional_components.bai and
     _current_cp4ba_cluster.akhq_enabled
 
-# - name: Install MSSQL
-#   ansible.builtin.include_role:
-#     name: mssql
-#   when: mssql_enabled
-
-# - name: Install RPA
-#   ansible.builtin.include_role:
-#     name: rpa
-#   when: _current_cp4ba_cluster.rpa.enabled
+- name: Install MSSQL
+  ansible.builtin.include_role:
+    name: mssql
+  when: mssql_enabled
+
+- name: Install RPA
+  ansible.builtin.include_role:
+    name: rpa
+  when: _current_cp4ba_cluster.rpa.enabled
 
 - name: Install PM
   ansible.builtin.include_role:

automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/defaults/main.yml

@@ -4,19 +4,23 @@ cp4ba_dir_name: cp4ba
 ## Should not be changed in particular guide version.
 ## Version of the Subscription channel as defined on
 ## https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=cluster-setting-up-in-openshift-console
-cp4ba_operator_channel: v24.0
+cp4ba_operator_channel: v24.1
 ## Should not be changed in particular guide version.
 ## Version of cert-kubernetes folder from Cloud Pak CASE archive e.g. 21.0.1
-cp4ba_cert_k8s_branch: 24.0.0-IF002
+cp4ba_cert_k8s_branch: 24.0.1
 cp4ba_storage_class_name: ""
 cp4ba_block_storage_class_name: ""
 ## Should not be changed in particular guide version.
 ## Version of Cloud Pak e.g. 20.0.2.1, 20.0.3
-cp4ba_version: 24.0.0
+cp4ba_version: 24.0.1
 ## Version in CPFS catalog CatalogSource
-cpfs_cs_version: v4-6-5
+cpfs_cs_version: v4-9-0
 ## Version in BTS catalog CatalogSource
-cpfs_bts_version: v3-34-0
+cpfs_bts_version: v3-35-1
+## Version in Zen catalog CatalogSource
+cpfs_zen_version: 6-0-4
+## Version in IAM catalog CatalogSource
+cpfs_iam_version: 4-8-0
 ## Name of the CP4BA instance in cr.yaml at path metadata.name
 cp4ba_cr_meta_name: icp4adeploy
 ## Name of OCP CP4BA project

automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/tasks/db/aae-data-persistence.yml

@@ -14,7 +14,7 @@
   kubernetes.core.k8s_exec:
     namespace: "{{ cp4ba_postgresql_project }}"
     pod: "{{ postgresql_pod.resources[0].metadata.name }}"
-    command: mkdir -p /bitnami/postgresql/tablespaces/aeos
+    command: mkdir -p /bitnami/postgresql/tablespaces/aeos_tbs
   register: command_status
   failed_when: command_status.rc != 0 and command_status.stderr is not search('.*File exists.*')
 
@@ -26,16 +26,13 @@
       bash -c "
         psql postgresql://postgres:$POSTGRES_PASSWORD@localhost:5432 <<-EOF
         -- create user aeos
-        CREATE ROLE aeos WITH INHERIT LOGIN ENCRYPTED PASSWORD '{{ cp4ba_postgresql_universal_password }}';
+        CREATE USER aeos WITH PASSWORD '{{ cp4ba_postgresql_universal_password }}';
 
-        -- create database aeos
-        create database aeos owner aeos template template0 encoding UTF8;
-        revoke connect on database aeos from public;
-        grant all privileges on database aeos to aeos;
-        grant connect, temp, create on database aeos to aeos;
+        -- create tablespace for aeos
+        CREATE TABLESPACE aeos_tbs OWNER aeos LOCATION '/bitnami/postgresql/tablespaces/aeos_tbs';
 
-        -- please modify location follow your requirement
-        create tablespace aeos_tbs owner aeos location '/bitnami/postgresql/tablespaces/aeos';
-        grant create on tablespace aeos_tbs to aeos;
+        -- create database aeos
+        CREATE DATABASE aeos OWNER aeos TEMPLATE template0 ENCODING UTF8 TABLESPACE aeos_tbs;
+        REVOKE CONNECT ON DATABASE aeos FROM PUBLIC;
       EOF"
   register: command_status

automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/tasks/db/aae.yml

@@ -16,13 +16,11 @@
     command: >
       bash -c "
         psql postgresql://postgres:$POSTGRES_PASSWORD@localhost:5432 <<-EOF
-        -- create a new user
-        create user aaedb with password '{{ cp4ba_postgresql_universal_password }}';
+        -- create user aaedb
+        CREATE USER aaedb WITH PASSWORD '{{ cp4ba_postgresql_universal_password }}';
 
-        -- create database aaedb
-        create database aaedb owner aaedb;
-
-        -- The following grant is used for databases
-        grant all privileges on database aaedb to aaedb;
+        -- create database aaedb -- default template tablespace
+        CREATE DATABASE aaedb OWNER aaedb TEMPLATE template0 ENCODING UTF8;
+        REVOKE CONNECT ON DATABASE aaedb FROM PUBLIC;
       EOF"
   register: command_status

automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/tasks/db/adp.yml

@@ -15,12 +15,11 @@
       bash -c "
         psql postgresql://postgres:$POSTGRES_PASSWORD@localhost:5432 <<-EOF
         -- create user adpbase
-        CREATE ROLE adpbase WITH INHERIT LOGIN ENCRYPTED PASSWORD '{{ cp4ba_postgresql_universal_password }}';
+        CREATE USER adpbase WITH PASSWORD '{{ cp4ba_postgresql_universal_password }}';
 
-        -- create database adpbase
-        create database adpbase owner adpbase template template0 encoding UTF8;
-        revoke connect on database adpbase from public;
-        grant all privileges on database adpbase to adpbase;
+        -- create database adpbase -- default template tablespace
+        CREATE DATABASE adpbase OWNER adpbase TEMPLATE template0 ENCODING UTF8;
+        REVOKE CONNECT ON DATABASE adpbase FROM PUBLIC;
       EOF"
   register: command_status
 
@@ -32,12 +31,11 @@
       bash -c "
         psql postgresql://postgres:$POSTGRES_PASSWORD@localhost:5432 <<-EOF
         -- create user {{ item }}
-        CREATE ROLE {{ item }} WITH INHERIT LOGIN ENCRYPTED PASSWORD '{{ cp4ba_postgresql_universal_password }}';
+        CREATE USER {{ item }} WITH PASSWORD '{{ cp4ba_postgresql_universal_password }}';
 
-        -- create database {{ item }}
-        create database {{ item }} owner {{ item }} template template0 encoding UTF8;
-        revoke connect on database {{ item }} from public;
-        grant all privileges on database {{ item }} to {{ item }};
+        -- create database {{ item }} -- default template tablespace
+        CREATE DATABASE {{ item }} OWNER {{ item }} TEMPLATE template0 ENCODING UTF8;
+        REVOKE CONNECT ON DATABASE {{ item }} FROM PUBLIC;
       EOF"
   register: command_status
   with_items:
@@ -48,31 +46,14 @@
     - proj5
     - proj6
 
-- name: ADP proj2 DB
-  kubernetes.core.k8s_exec:
-    namespace: "{{ cp4ba_postgresql_project }}"
-    pod: "{{ postgresql_pod.resources[0].metadata.name }}"
-    command: >
-      bash -c "
-        psql postgresql://postgres:$POSTGRES_PASSWORD@localhost:5432 <<-EOF
-        -- create user proj2
-        CREATE ROLE proj2 WITH INHERIT LOGIN ENCRYPTED PASSWORD '{{ cp4ba_postgresql_universal_password }}';
-
-        -- create database proj2
-        create database proj2 owner proj2 template template0 encoding UTF8;
-        revoke connect on database proj2 from public;
-        grant all privileges on database proj2 to proj2;
-      EOF"
-  register: command_status
-
 # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=scripts-creating-databases-document-processing
 # DEVOS Based on
 # https://www.ibm.com/docs/en/filenet-p8-platform/latest?topic=vtpiicd-creating-postgresql-database-table-spaces-content-platform-engine-object-store
 - name: DEVOS1 DB prepare tablespace
   kubernetes.core.k8s_exec:
     namespace: "{{ cp4ba_postgresql_project }}"
     pod: "{{ postgresql_pod.resources[0].metadata.name }}"
-    command: mkdir -p /bitnami/postgresql/tablespaces/devos1
+    command: mkdir -p /bitnami/postgresql/tablespaces/devos1_tbs
   register: command_status
   failed_when: command_status.rc != 0 and command_status.stderr is not search('.*File exists.*')
 
@@ -84,17 +65,14 @@
       bash -c "
         psql postgresql://postgres:$POSTGRES_PASSWORD@localhost:5432 <<-EOF
         -- create user devos1
-        CREATE ROLE devos1 WITH INHERIT LOGIN ENCRYPTED PASSWORD '{{ cp4ba_postgresql_universal_password }}';
+        CREATE USER devos1 WITH PASSWORD '{{ cp4ba_postgresql_universal_password }}';
 
-        -- create database devos1
-        create database devos1 owner devos1 template template0 encoding UTF8;
-        revoke connect on database devos1 from public;
-        grant all privileges on database devos1 to devos1;
-        grant connect, temp, create on database devos1 to devos1;
+        -- create tablespace for devos1
+        CREATE TABLESPACE devos1_tbs OWNER devos1 LOCATION '/bitnami/postgresql/tablespaces/devos1_tbs';
 
-        -- please modify location follow your requirement
-        create tablespace devos1_tbs owner devos1 location '/bitnami/postgresql/tablespaces/devos1';
-        grant create on tablespace devos1_tbs to devos1;
+        -- create database devos1
+        CREATE DATABASE devos1 OWNER devos1 TEMPLATE template0 ENCODING UTF8 TABLESPACE devos1_tbs;
+        REVOKE CONNECT ON DATABASE devos1 FROM PUBLIC;
       EOF"
   register: command_status