first commit

cmoa_install.yaml

@@ -4,7 +4,10 @@
   gather_facts: true
   environment:
     KUBECONFIG: /root/.kube/ansible_config
+  vars:
+    REGISTRY: 10.10.31.243:5000
+    PullSecret: regcred
   roles:
-    #- role: cmoa_reset
+    #- role: cmoa_os_setting
     - role: cmoa_install
       delegate_to: 127.0.0.1

roles/agent_os_setting/tasks/00-centos-os-main.yml

@@ -6,7 +6,7 @@
 
 - name: Install yum packages
   yum:
-    name: ['cloud-utils', 'ca-certificates', 'socat', 'conntrack', 'gnupg', 'bash-completion', 'net-tools']
+    name: ['yum-utils', 'ca-certificates', 'socat', 'conntrack', 'gnupg', 'bash-completion', 'net-tools']
     state: present
 
 - name: Disable firewalld

roles/cmoa_install/files/values/base.j2

@@ -0,0 +1,73 @@
+global:
+  # cluster variables
+  CLUSTER_ID: cloudmoa
+
+  # default storageClass
+  DEFAULT_STORAGE_CLASS: exem-local-storage
+
+  # nodeAffinity
+  affinity_key: cmoa
+  affinity_value1: worker1
+  affinity_value2: worker2
+  affinity_value3: worker2
+
+  # postgres variables
+  IMXC_POSTGRES_PV_PATH: /media/data/postgres/postgres-data-0
+
+  #elastic variables
+  ELASTICSEARCH_PATH1: /media/data/elasticsearch/elasticsearch-data-0
+  ELASTICSEARCH_PATH2: /media/data/elasticsearch/elasticsearch-data-1
+
+  CMOA_ES_ID: elastic
+  CMOA_ES_PW: elastic
+
+  # zookeeper variables
+  IMXC_ZOOKEEPER_PATH1: /media/data/zookeeper/zookeeper-data-0
+  IMXC_ZOOKEEPER_PATH2: /media/data/zookeeper/zookeeper-data-1
+  IMXC_ZOOKEEPER_PATH3: /media/data/zookeeper/zookeeper-data-2
+
+  # kafka variables
+  IMXC_KAFKA_PV_PATH1: /media/data/kafka/kafka-data-0
+  IMXC_KAFKA_PV_PATH2: /media/data/kafka/kafka-data-1
+  IMXC_KAFKA_PV_PATH3: /media/data/kafka/kafka-data-2
+  KAFKA_BROKER_CONFIG: "{{index .metadata.labels \"failure-domain.beta.kubernetes.io/zone\"}}"
+
+  # cortex variables
+  IMXC_INGESTER_PV_PATH1: /media/cloudmoa/ingester/ingester-data-1
+  IMXC_INGESTER_PV_PATH2: /media/cloudmoa/ingester/ingester-data-2
+  IMXC_INGESTER_PV_PATH3: /media/cloudmoa/ingester/ingester-data-3
+
+  # redis variables
+  IMXC_REDIS_PV_PATH1: /media/data/redis/redis-data-0
+  IMXC_REDIS_PV_PATH2: /media/data/redis/redis-data-1
+  IMXC_REDIS_PV_PATH3: /media/data/redis/redis-data-2
+
+  # rabbitmq variables
+  RABBITMQ_PATH: /media/data/rabbitmq
+
+  # custom or etc variables
+  # IMXC_WORKER_NODE_NAME: $IMXC_WORKER_NODE_NAME # deprecated 2021.10.21
+  # IMXC_MASTER_IP: 10.10.30.202
+  IMXC_API_SERVER_DNS: imxc-api-service
+
+  METRIC_ANALYZER_MASTER_VERSION: rel0.0.0
+  METRIC_ANALYZER_WORKER_VERSION: rel0.0.0
+  ELASTICSEARCH_VERSION: v1.0.0
+  KAFKA_MANAGER_VERSION: v1.0.0
+  KAFKA_INITUTILS_VERSION: v1.0.0
+  #KAFKA_VERSION: v1.0.0
+  KAFKA_VERSION: v1.0.1
+  METRICS_SERVER_VERSION: v1.0.0
+  POSTGRES_VERSION: v1.0.0
+  CASSANDRA_VERSION: v1.0.0
+  RABBITMQ_VERSION: v1.0.0
+  CORTEX_VERSION: v1.11.0  #v1.9.0
+  #CONSUL_VERSION: 0.7.1
+
+  # 레지스트리 변수화 (Public Cloud 대비 / 아래 값 적절히 수정해서 사용할 것)
+  IMXC_IN_REGISTRY: 10.10.31.243:5000/cmoa3
+
+  rabbitmq:
+    image:
+      registry: 10.10.31.243:5000/cmoa3 # {{ .Values.global.IMXC_REGISTRY }}
+      tag: v1.0.0 # {{ .Values.global.RABBITMQ_VERSION }}

roles/cmoa_install/files/values/imxc-ui.j2

@@ -0,0 +1,95 @@
+# Default values for imxc.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: 10.10.31.243:5000/cmoa3/nginx
+  tag: stable
+  pullPolicy: IfNotPresent
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: false
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths: []
+
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+global:
+  INTERMAX_IP: 
+  INTERMAX_PORT: 
+  SERVELET_URL_PROTOCOL : http
+  DEMO_SERVELET_URL_PROTOCOL : http
+  KEYCLOAK_AUTH_SERVER_URL: http://111.111.111.111:31082/auth
+  KEYCLOAK_RESOURCE: authorization_server
+  KEYCLOAK_REALM: exem
+
+  IMXC_IN_REGISTRY: 10.10.31.243:5000/cmoa3
+
+  ZUUL_SERVER_IP: 111.111.111.111
+  ZUUL_SERVER_PORT: 31081
+
+  NOTI_SERVER_IP: 111.111.111.111
+  NOTI_SERVER_PORT: 31083
+
+  CMOA_MANUAL_SERVER_IP: 111.111.111.111
+  CMOA_MANUAL_PORT: 31090
+
+  OFFLINEACCESS: false
+  BACKLOGIN: false
+
+  CLOUDMOA_VERSION: rel0.0.0
+  UI_SERVER_VERSION: rel0.0.0 
+  CMOA_MANUAL_VERSION: rel0.0.0

roles/cmoa_install/files/values/imxc.j2

@@ -0,0 +1,159 @@
+# Default values for imxc.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: 10.10.31.243:5000/cmoa3/nginx
+  tag: stable
+  pullPolicy: IfNotPresent
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: false
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths: []
+
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+global:
+  IMXC_LDAP_USE: false
+  IMXC_ADMIN_SERVER_DNS: imxc-admin-service
+  AUDITLOG_PATH: /var/log
+  KAFKA_IP: kafka-broker
+  # 로드밸런서 안 쓴다고 가정했을때 입니다..
+  KAFKA_INTERFACE_PORT: 9094
+  APISERVER_NETTY_PORT: 10100
+  #REGISTRY_URL: cdm-dev.exem-oss.org:5050
+  #REGISTRY_URL: 10.10.31.243:5000/cmoa
+  IMXC_ADMIN_SERVER_DNS: imxc-admin-service
+  AGENT_IMAGE_TAG: rel0.0.0
+  # Jaeger 관련변수
+  JAEGER_AGENT_CLUSTERIP: 10.98.94.198
+  JAEGER_JAVA_SPECIALAGENT_CLASSPATH: classpath:/install/opentracing-specialagent-1.7.4.jar
+  # added by DongWoo Kim 2021-06-21
+  KEYCLOAK_AUTH_SERVER_URL: http://111.111.111.111:31082/auth
+  KEYCLOAK_RESOURCE: authorization_server
+  KEYCLOAK_MASTER_USERNAME: admin 
+  KEYCLOAK_MASTER_PASSWORD: admin
+  IMXC_PORTAL_INFO_URL: 
+  KEYCLOAK_REALM: exem
+  # added by EunHye Kim 2021-08-25
+  #DATAGATE_URLS: datagate
+  #DATAGATE_IP: 111.111.111.111
+  #DATAGATE_PORT: 14268
+  DATAGATE_INSIDE_IP: datagate
+  DATAGATE_INSIDE_PORT: 14268
+  DATAGATE_OUTSIDE_IP: 111.111.111.111
+  DATAGATE_OUTSIDE_PORT: 30051
+  REDIS_URLS: redis-master
+  REDIS_PORT: 6379
+  REDIS_PASSWORD: dkagh1234!
+  # added by DongWoo Kim 2021-08-31 (version of each module)
+  DATAGATE_VERSION: rel0.0.0
+  #ADMIN_SERVER_VERSION: v1.0.0
+  #API_SERVER_VERSION: CLOUD-172
+  API_SERVER_VERSION: rel0.0.0
+  COLLECTOR_VERSION: rel0.0.0
+  #release-3.3.0
+  TOPOLOGY_AGENT_VERSION: rel0.0.0
+  METRIC_COLLECTOR_VERSION: rel0.0.0
+  #v1.0.0
+  METRIC_AGENT_VERSION: rel0.0.0
+  # spring cloud
+  ZUUL_SERVER_VERSION: rel0.0.0  
+  #CMOA-1269
+  EUREKA_SERVER_VERSION: rel0.0.0
+  AUTH_SERVER_VERSION: rel0.0.0
+  NOTI_SERVER_VERSION: rel0.0.0
+  KAFKA_STREAM_VERSION: rel0.0.0
+  CMOA_MANUAL_VERSION: rel0.0.0
+  KUBE_INFO_FLAT_VERSION: rel0.0.0
+  KUBE_INFO_BATCH_VERSION: rel0.0.0
+  KUBE_INFO_CONNECTOR_VERSION: rel0.0.0
+
+
+  CMOA_MANUAL_PORT: 31090
+  IMXC_UI_URL: 111.111.111.111
+
+
+  # Keycloak
+  #KEYCLOAK_VERSION: v1.0.0
+
+  # 레지스트리 변수화 (Public Cloud 대비 / 아래 값 적절히 수정해서 사용할 것)
+  #IMXC_REGISTRY: 10.10.31.243:5000
+  IMXC_IN_REGISTRY: 10.10.31.243:5000/cmoa3
+
+
+  # namespace 추가
+  IMXC_NAMESPACE: imxc
+  
+  # ZUUL 8080으로 열어놓을것
+
+  CMOA_ES_ID: elastic
+  CMOA_ES_PW: elastic
+
+  JDBC_KIND: 'postgres'
+  JDBC_SERVER: 'postgres:5432'
+  JDBC_DB: 'postgresdb'
+  JDBC_USER: 'admin'
+  JDBC_PWD: 'eorbahrhkswp'
+
+  KAFKA_INPUT_TOPIC: 'kubernetes_info'
+
+  TABLE_PREFIX: 'cmoa_'
+  BLACK_LIST: 'cronjob_active,endpoint_base,endpoint_addresses,endpoint_notreadyaddresses,endpoint_ports,event_base,node_image,resourcequota_base,resourcequota_scopeselector'
+  BLACK_LIST_FLAT: 'cronjob_active,endpoint_base,endpoint_addresses,endpoint_notreadyaddresses,endpoint_ports,event_base,node_image,resourcequota_base,resourcequota_scopeselector,storageclass_base,ingress_base'
+  DELETE_HOUR: '15'
+  BACKLOGIN: false

roles/cmoa_install/files/values/keycloak.j2

@@ -0,0 +1,552 @@
+# Optionally override the fully qualified name
+fullnameOverride: "imxc-keycloak"
+
+# Optionally override the name
+nameOverride: ""
+
+# The number of replicas to create (has no effect if autoscaling enabled)
+replicas: 2
+
+image:
+  # The Keycloak image repository
+  #repository: cdm-dev.exem-oss.org/keycloak/keycloak
+  repository: 10.10.31.243:5000/cmoa3/keycloak
+  # Overrides the Keycloak image tag whose default is the chart version
+  tag: "11.0.1"
+  # The Keycloak image pull policy
+  pullPolicy: Always
+
+# Image pull secrets for the Pod
+#imagePullSecrets: []
+# - name: myRegistrKeySecretName
+imagePullSecrets:
+  - name: regcred
+
+# Mapping between IPs and hostnames that will be injected as entries in the Pod's hosts files
+hostAliases: []
+# - ip: "1.2.3.4"
+#   hostnames:
+#     - "my.host.com"
+
+# Indicates whether information about services should be injected into Pod's environment variables, matching the syntax of Docker links
+enableServiceLinks: true
+
+# Pod management policy. One of `Parallel` or `OrderedReady`
+podManagementPolicy: Parallel
+
+# Pod restart policy. One of `Always`, `OnFailure`, or `Never`
+restartPolicy: Always
+
+serviceAccount:
+  # Specifies whether a ServiceAccount should be created
+  create: true
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+  # Additional annotations for the ServiceAccount
+  annotations: {}
+  # Additional labels for the ServiceAccount
+  labels: {}
+  # Image pull secrets that are attached to the ServiceAccount
+  #imagePullSecrets: []
+  imagePullSecrets:
+    - name: regcred
+
+rbac:
+  create: true
+  rules:
+  # RBAC rules for KUBE_PING
+    - apiGroups:
+        - ""
+      resources:
+        - pods
+      verbs:
+        - get
+        - list
+
+# SecurityContext for the entire Pod. Every container running in the Pod will inherit this SecurityContext. This might be relevant when other components of the environment inject additional containers into running Pods (service meshes are the most prominent example for this)
+podSecurityContext:
+  fsGroup: 1000
+
+# SecurityContext for the Keycloak container
+securityContext:
+  runAsUser: 1000
+  runAsNonRoot: true
+
+# Additional init containers, e. g. for providing custom themes
+extraInitContainers: |
+  - name: theme-provider
+    image: 10.10.31.243:5000/cmoa3/theme-provider:latest
+    imagePullPolicy: IfNotPresent
+    command:
+      - sh
+    args:
+      - -c
+      - |
+        echo "Copying theme ..."
+        cp -R /mytheme/* /theme
+    volumeMounts:
+      - name: theme
+        mountPath: /theme
+
+#extraInitContainers: ""
+
+# Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy
+extraContainers: ""
+
+# Lifecycle hooks for the Keycloak container
+lifecycleHooks: |
+#  postStart:
+#    exec:
+#      command:
+#        - /bin/sh
+#        - -c
+#        - ls
+
+# Termination grace period in seconds for Keycloak shutdown. Clusters with a large cache might need to extend this to give Infinispan more time to rebalance
+terminationGracePeriodSeconds: 60
+
+# The internal Kubernetes cluster domain
+clusterDomain: cluster.local
+
+## Overrides the default entrypoint of the Keycloak container
+command: []
+
+## Overrides the default args for the Keycloak container
+#args: ["-Dkeycloak.profile.feature.scripts=enabled", "-Dkeycloak.profile.feature.upload_scripts=enabled", "-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled"]
+args: ["-Dkeycloak.profile.feature.scripts=enabled", "-Dkeycloak.profile.feature.upload_scripts=enabled"]
+
+# Additional environment variables for Keycloak
+extraEnv: |
+  # HA settings
+  - name: PROXY_ADDRESS_FORWARDING
+    value: "true"
+  - name: JGROUPS_DISCOVERY_PROTOCOL
+    value: kubernetes.KUBE_PING
+  - name: KUBERNETES_NAMESPACE
+    valueFrom:
+      fieldRef:
+        apiVersion: v1
+        fieldPath: metadata.namespace
+  - name: CACHE_OWNERS_COUNT
+    value: "2"
+  - name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
+    value: "2"
+  # postgresql settings
+  - name: DB_VENDOR
+    value: postgres
+  - name: DB_ADDR
+    value: postgres
+  - name: DB_PORT
+    value: "5432"
+  - name: DB_DATABASE
+    value: keycloak
+  - name: DB_USER
+    value: admin
+  - name: DB_PASSWORD
+    value: eorbahrhkswp
+#  - name: KEYCLOAK_USER
+#    value: keycloak
+#  - name: KEYCLOAK_PASSWORD
+#    value: keycloak 
+#extraEnv: ""
+  # - name: KEYCLOAK_LOGLEVEL
+  #   value: DEBUG
+  # - name: WILDFLY_LOGLEVEL
+  #   value: DEBUG
+  # - name: CACHE_OWNERS_COUNT
+  #   value: "2"
+  # - name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
+  #   value: "2"
+#extraEnv: |
+#  - name: JGROUPS_DISCOVERY_PROTOCOL
+#    value: dns.DNS_PING
+#  - name: JGROUPS_DISCOVERY_PROPERTIES
+#    value: 'dns_query={{ include "keycloak.serviceDnsName" . }}'
+#  - name: CACHE_OWNERS_COUNT
+#    value: "2"
+#  - name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
+#    value: "2"
+# Additional environment variables for Keycloak mapped from Secret or ConfigMap
+extraEnvFrom: ""
+
+#  Pod priority class name
+#priorityClassName: "manual"
+
+# Pod affinity
+affinity: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      - labelSelector:
+          matchLabels:
+            {{- include "keycloak.selectorLabels" . | nindent 10 }}
+          matchExpressions:
+            - key: app.kubernetes.io/component
+              operator: NotIn
+              values:
+                - test
+        topologyKey: kubernetes.io/hostname
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchLabels:
+              {{- include "keycloak.selectorLabels" . | nindent 12 }}
+            matchExpressions:
+              - key: app.kubernetes.io/component
+                operator: NotIn
+                values:
+                  - test
+          topologyKey: failure-domain.beta.kubernetes.io/zone
+
+#affinity: {}
+
+# Node labels for Pod assignment
+nodeSelector: {}
+
+# Node taints to tolerate
+tolerations: []
+
+# Additional Pod labels
+podLabels: {}
+
+# Additional Pod annotations
+podAnnotations: {}
+
+# Liveness probe configuration
+livenessProbe: |
+  httpGet:
+    path: /auth/
+    port: http
+  initialDelaySeconds: 300
+  timeoutSeconds: 5
+
+# Readiness probe configuration
+readinessProbe: |
+  httpGet:
+    path: /auth/realms/master
+    port: http
+  initialDelaySeconds: 30
+  timeoutSeconds: 1
+
+# Pod resource requests and limits
+#resources: {}
+  # requests:
+  #   cpu: "500m"
+  #   memory: "1024Mi"
+  # limits:
+  #   cpu: "500m"
+  #   memory: "1024Mi"
+resources:
+  requests:
+    memory: "200Mi"
+    cpu: "10m"
+
+# Startup scripts to run before Keycloak starts up
+startupScripts:
+  # WildFly CLI script for configuring the node-identifier
+  keycloak.cli: |
+    {{- .Files.Get "scripts/keycloak.cli" }}
+  # mystartup.sh: |
+  #   #!/bin/sh
+  #
+  # echo 'Hello from my custom startup script!'
+
+# Add additional volumes, e. g. for custom themes
+extraVolumes: |
+  - name: theme
+    emptyDir: {}
+#extraVolumes: ""
+
+# Add additional volumes mounts, e. g. for custom themes
+extraVolumeMounts: |
+  - name: theme
+    mountPath: /opt/jboss/keycloak/themes
+#extraVolumeMounts: ""
+
+# Add additional ports, e. g. for admin console or exposing JGroups ports
+extraPorts: []
+
+# Pod disruption budget
+podDisruptionBudget: {}
+#  maxUnavailable: 1
+#  minAvailable: 1
+
+# Annotations for the StatefulSet
+statefulsetAnnotations: {}
+
+# Additional labels for the StatefulSet
+statefulsetLabels: {}
+
+# Configuration for secrets that should be created
+secrets: {}
+  # mysecret:
+  #   type: {}
+  #   annotations: {}
+  #   labels: {}
+  #   stringData: {}
+  #   data: {}
+
+service:
+  # Annotations for headless and HTTP Services
+  annotations: {}
+  # Additional labels for headless and HTTP Services
+  labels: {}
+  # key: value
+  # The Service type
+  type: NodePort
+  # Optional IP for the load balancer. Used for services of type LoadBalancer only
+  loadBalancerIP: ""
+  # The http Service port
+  httpPort: 80
+  # The HTTP Service node port if type is NodePort
+  httpNodePort: 31082
+  # The HTTPS Service port
+  httpsPort: 8443
+  # The HTTPS Service node port if type is NodePort
+  httpsNodePort: null
+  # The WildFly management Service port
+  httpManagementPort: 9990
+  # The WildFly management Service node port if type is NodePort
+  httpManagementNodePort: 31990
+  # Additional Service ports, e. g. for custom admin console
+  extraPorts: []
+  # When using Service type LoadBalancer, you can restrict source ranges allowed
+  # to connect to the LoadBalancer, e. g. will result in Security Groups
+  # (or equivalent) with inbound source ranges allowed to connect
+  loadBalancerSourceRanges: []
+  # Session affinity
+  # See https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-userspace
+  sessionAffinity: ""
+  # Session affinity config
+  sessionAffinityConfig: {}
+
+ingress:
+  # If `true`, an Ingress is created
+  enabled: false
+  # The Service port targeted by the Ingress
+  servicePort: http
+  # Ingress annotations
+  annotations: {}
+    ## Resolve HTTP 502 error using ingress-nginx:
+    ## See https://www.ibm.com/support/pages/502-error-ingress-keycloak-response
+    # nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
+
+  # Additional Ingress labels
+  labels: {}
+   # List of rules for the Ingress
+  rules:
+    -
+      # Ingress host
+      host: '{{ .Release.Name }}.keycloak.example.com'
+      # Paths for the host
+      paths:
+        - /
+  # TLS configuration
+  tls:
+    - hosts:
+        - keycloak.example.com
+      secretName: ""
+
+  # ingress for console only (/auth/admin)
+  console:
+    # If `true`, an Ingress is created for console path only
+    enabled: false
+    # Ingress annotations for console ingress only
+    # Useful to set nginx.ingress.kubernetes.io/whitelist-source-range particularly
+    annotations: {}
+    rules:
+      -
+        # Ingress host
+        host: '{{ .Release.Name }}.keycloak.example.com'
+        # Paths for the host
+        paths:
+          - /auth/admin/
+
+## Network policy configuration
+networkPolicy:
+  # If true, the Network policies are deployed
+  enabled: false
+
+  # Additional Network policy labels
+  labels: {}
+
+  # Define all other external allowed source
+  # See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#networkpolicypeer-v1-networking-k8s-io
+  extraFrom: []
+
+route:
+  # If `true`, an OpenShift Route is created
+  enabled: false
+  # Path for the Route
+  path: /
+  # Route annotations
+  annotations: {}
+  # Additional Route labels
+  labels: {}
+  # Host name for the Route
+  host: ""
+  # TLS configuration
+  tls:
+    # If `true`, TLS is enabled for the Route
+    enabled: false
+    # Insecure edge termination policy of the Route. Can be `None`, `Redirect`, or `Allow`
+    insecureEdgeTerminationPolicy: Redirect
+    # TLS termination of the route. Can be `edge`, `passthrough`, or `reencrypt`
+    termination: edge
+
+pgchecker:
+  image:
+    # Docker image used to check Postgresql readiness at startup
+    #repository: cdm-dev.exem-oss.org/keycloak/busybox
+    #repository: {{ .Values.global.IMXC_REGISTRY }}/keycloak/busybox
+    repository: 10.10.31.243:5000/cmoa3/busybox
+    # Image tag for the pgchecker image
+    tag: 1.32
+    # Image pull policy for the pgchecker image
+    pullPolicy: Always
+  # SecurityContext for the pgchecker contai/docker.ner
+  securityContext:
+    allowPrivilegeEscalation: false
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
+  # Resource requests and limits for the pgchecker container
+  resources:
+    requests:
+      cpu: "10m"
+      memory: "16Mi"
+    limits:
+      cpu: "10m"
+      memory: "16Mi"
+
+postgresql:
+  # If `true`, the Postgresql dependency is enabled
+  enabled: false
+  # PostgreSQL User to create
+  postgresqlUsername: keycloak
+  # PostgreSQL Password for the new user
+  postgresqlPassword: keycloak
+  # PostgreSQL Database to create
+  postgresqlDatabase: keycloak
+  # PostgreSQL network policy configuration
+  networkPolicy:
+    enabled: false
+
+serviceMonitor:
+  # If `true`, a ServiceMonitor resource for the prometheus-operator is created
+  enabled: false
+  # Optionally sets a target namespace in which to deploy the ServiceMonitor resource
+  namespace: ""
+  # Optionally sets a namespace for the ServiceMonitor
+  namespaceSelector: {}
+  # Annotations for the ServiceMonitor
+  annotations: {}
+  # Additional labels for the ServiceMonitor
+  labels: {}
+  # Interval at which Prometheus scrapes metrics
+  interval: 10s
+  # Timeout for scraping
+  scrapeTimeout: 10s
+  # The path at which metrics are served
+  path: /metrics
+  # The Service port at which metrics are served
+  port: http-management
+
+extraServiceMonitor:
+  # If `true`, a ServiceMonitor resource for the prometheus-operator is created
+  enabled: false
+  # Optionally sets a target namespace in which to deploy the ServiceMonitor resource
+  namespace: ""
+  # Optionally sets a namespace for the ServiceMonitor
+  namespaceSelector: {}
+  # Annotations for the ServiceMonitor
+  annotations: {}
+  # Additional labels for the ServiceMonitor
+  labels: {}
+  # Interval at which Prometheus scrapes metrics
+  interval: 10s
+  # Timeout for scraping
+  scrapeTimeout: 10s
+  # The path at which metrics are served
+  path: /auth/realms/master/metrics
+  # The Service port at which metrics are served
+  port: http
+
+prometheusRule:
+  # If `true`, a PrometheusRule resource for the prometheus-operator is created
+  enabled: false
+  # Annotations for the PrometheusRule
+  annotations: {}
+  # Additional labels for the PrometheusRule
+  labels: {}
+  # List of rules for Prometheus
+  rules: []
+  # - alert: keycloak-IngressHigh5xxRate
+  #   annotations:
+  #     message: The percentage of 5xx errors for keycloak over the last 5 minutes is over 1%.
+  #   expr: |
+  #     (
+  #       sum(
+  #         rate(
+  #           nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak",status=~"5[0-9]{2}"}[1m]
+  #         )
+  #       )
+  #       /
+  #       sum(
+  #         rate(
+  #           nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak"}[1m]
+  #         )
+  #       )
+  #     ) * 100 > 1
+  #   for: 5m
+  #   labels:
+  #     severity: warning
+
+autoscaling:
+  # If `true`, a autoscaling/v2beta2 HorizontalPodAutoscaler resource is created (requires Kubernetes 1.18 or above)
+  # Autoscaling seems to be most reliable when using KUBE_PING service discovery (see README for details)
+  # This disables the `replicas` field in the StatefulSet
+  enabled: false
+  # Additional HorizontalPodAutoscaler labels
+  labels: {}
+  # The minimum and maximum number of replicas for the Keycloak StatefulSet
+  minReplicas: 3
+  maxReplicas: 10
+  # The metrics to use for scaling
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 80
+  # The scaling policy to use. This will scale up quickly but only scale down a single Pod per 5 minutes.
+  # This is important because caches are usually only replicated to 2 Pods and if one of those Pods is terminated this will give the cluster time to recover.
+  behavior:
+    scaleDown:
+      stabilizationWindowSeconds: 300
+      policies:
+        - type: Pods
+          value: 1
+          periodSeconds: 300
+
+test:
+  # If `true`, test resources are created
+  enabled: false
+  image:
+    # The image for the test Pod
+    #repository: docker.io/unguiculus/docker-python3-phantomjs-selenium
+    repository: 10.10.31.243:5000/docker-python3-phantomjs-selenium
+    # The tag for the test Pod image
+    tag: v1
+    # The image pull policy for the test Pod image
+    pullPolicy: IfNotPresent
+  # SecurityContext for the entire test Pod
+  podSecurityContext:
+    fsGroup: 1000
+  # SecurityContext for the test container
+  securityContext:
+    runAsUser: 1000
+    runAsNonRoot: true
+

roles/cmoa_install/files/values/minio.j2

@@ -0,0 +1,461 @@
+## Provide a name in place of minio for `app:` labels
+##
+nameOverride: ""
+
+## Provide a name to substitute for the full names of resources
+##
+fullnameOverride: ""
+
+## set kubernetes cluster domain where minio is running
+##
+clusterDomain: cluster.local
+
+## Set default image, imageTag, and imagePullPolicy. mode is used to indicate the
+##
+image:
+  repository: 10.10.31.243:5000/cmoa3/minio
+  tag: RELEASE.2022-05-08T23-50-31Z
+  pullPolicy: IfNotPresent
+
+imagePullSecrets: 
+  - name: "regcred"
+# - name: "image-pull-secret"
+
+## Set default image, imageTag, and imagePullPolicy for the `mc` (the minio
+## client used to create a default bucket).
+##
+mcImage:
+  repository: 10.10.31.243:5000/cmoa3/mc
+  tag: RELEASE.2022-05-09T04-08-26Z
+  pullPolicy: IfNotPresent
+
+## minio mode, i.e. standalone or distributed or gateway.
+mode: distributed ## other supported values are "standalone", "gateway"
+
+## Additional labels to include with deployment or statefulset
+additionalLabels: []
+
+## Additional annotations to include with deployment or statefulset
+additionalAnnotations: []
+
+## Typically the deployment/statefulset includes checksums of secrets/config,
+## So that when these change on a subsequent helm install, the deployment/statefulset 
+## is restarted. This can result in unnecessary restarts under GitOps tooling such as 
+## flux, so set to "true" to disable this behaviour.
+ignoreChartChecksums: false
+
+## Additional arguments to pass to minio binary
+extraArgs: []
+
+## Port number for MinIO S3 API Access
+minioAPIPort: "9000"
+
+## Port number for MinIO Browser COnsole Access
+minioConsolePort: "9001"
+
+## Update strategy for Deployments
+DeploymentUpdate:
+  type: RollingUpdate
+  maxUnavailable: 0
+  maxSurge: 100%
+
+## Update strategy for StatefulSets
+StatefulSetUpdate:
+  updateStrategy: RollingUpdate
+
+## Pod priority settings
+## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+##
+priorityClassName: ""
+
+## Set default rootUser, rootPassword
+## AccessKey and secretKey is generated when not set
+## Distributed MinIO ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide
+##
+rootUser: "admin"
+rootPassword: "passW0rd"
+
+## Use existing Secret that store following variables:
+##
+## | Chart var             | .data.<key> in Secret    |
+## |:----------------------|:-------------------------|
+## | rootUser              | rootUser                 |
+## | rootPassword          | rootPassword             |
+##
+## All mentioned variables will be ignored in values file.
+## .data.rootUser and .data.rootPassword are mandatory,
+## others depend on enabled status of corresponding sections.
+existingSecret: ""
+
+## Directory on the MinIO pof
+certsPath: "/etc/minio/certs/"
+configPathmc: "/etc/minio/mc/"
+
+## Path where PV would be mounted on the MinIO Pod
+mountPath: "/export"
+## Override the root directory which the minio server should serve from.
+## If left empty, it defaults to the value of {{ .Values.mountPath }}
+## If defined, it must be a sub-directory of the path specified in {{ .Values.mountPath }}
+##
+bucketRoot: ""
+
+# Number of drives attached to a node
+drivesPerNode: 2
+# Number of MinIO containers running
+#replicas: 16
+replicas: 2
+# Number of expanded MinIO clusters
+pools: 1
+
+# Deploy if 'mode == gateway' - 4 replicas.
+gateway:
+  type: "nas" # currently only "nas" are supported.
+  replicas: 4
+
+## TLS Settings for MinIO
+tls:
+  enabled: false
+  ## Create a secret with private.key and public.crt files and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
+  certSecret: ""
+  publicCrt: public.crt
+  privateKey: private.key
+
+## Trusted Certificates Settings for MinIO. Ref: https://docs.minio.io/docs/how-to-secure-access-to-minio-server-with-tls#install-certificates-from-third-party-cas
+## Bundle multiple trusted certificates into one secret and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
+## When using self-signed certificates, remember to include MinIO's own certificate in the bundle with key public.crt.
+## If certSecret is left empty and tls is enabled, this chart installs the public certificate from .Values.tls.certSecret.
+trustedCertsSecret: ""
+
+## Enable persistence using Persistent Volume Claims
+## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+##
+persistence:
+  enabled: true
+  annotations: {}
+
+  ## A manually managed Persistent Volume and Claim
+  ## Requires persistence.enabled: true
+  ## If defined, PVC must be created manually before volume will be bound
+  existingClaim: ""
+
+  ## minio data Persistent Volume Storage Class
+  ## If defined, storageClassName: <storageClass>
+  ## If set to "-", storageClassName: "", which disables dynamic provisioning
+  ## If undefined (the default) or set to null, no storageClassName spec is
+  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+  ##   GKE, AWS & OpenStack)
+  ##
+  ## Storage class of PV to bind. By default it looks for standard storage class.
+  ## If the PV uses a different storage class, specify that here.
+  storageClass: "exem-local-storage"
+  VolumeName: ""
+  accessMode: ReadWriteOnce
+  size: 50Gi
+
+  ## If subPath is set mount a sub folder of a volume instead of the root of the volume.
+  ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs).
+  ##
+  subPath: ""
+
+## Expose the MinIO service to be accessed from outside the cluster (LoadBalancer service).
+## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
+## ref: http://kubernetes.io/docs/user-guide/services/
+##
+#service:
+#  type: NodePort
+#  clusterIP: ~
+  ## Make sure to match it to minioAPIPort
+#  port: "9000"
+#  nodePort: "32002"
+
+service:
+  type: ClusterIP
+  clusterIP: ~
+  ## Make sure to match it to minioAPIPort
+  port: "9000"
+
+## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/
+##
+
+ingress:
+  enabled: false
+  # ingressClassName: ""
+  labels: {}
+    # node-role.kubernetes.io/ingress: platform
+
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+    # kubernetes.io/ingress.allow-http: "false"
+    # kubernetes.io/ingress.global-static-ip-name: ""
+    # nginx.ingress.kubernetes.io/secure-backends: "true"
+    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    # nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
+  path: /
+  hosts:
+    - minio-example.local
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+consoleService:
+  type: NodePort
+  clusterIP: ~
+  ## Make sure to match it to minioConsolePort
+  port: "9001"
+  nodePort: "32001"
+
+consoleIngress:
+  enabled: false
+  # ingressClassName: ""
+  labels: {}
+    # node-role.kubernetes.io/ingress: platform
+
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+    # kubernetes.io/ingress.allow-http: "false"
+    # kubernetes.io/ingress.global-static-ip-name: ""
+    # nginx.ingress.kubernetes.io/secure-backends: "true"
+    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    # nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
+  path: /
+  hosts:
+    - console.minio-example.local
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+## Add stateful containers to have security context, if enabled MinIO will run as this
+## user and group NOTE: securityContext is only enabled if persistence.enabled=true
+securityContext:
+  enabled: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
+  fsGroupChangePolicy: "OnRootMismatch"
+
+# Additational pod annotations
+podAnnotations: {}
+
+# Additional pod labels
+podLabels: {}
+
+## Configure resource requests and limits
+## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+##
+resources:
+  requests:
+    #memory: 16Gi
+    memory: 1Gi
+    cpu: 200m
+
+## List of policies to be created after minio install
+##
+## In addition to default policies [readonly|readwrite|writeonly|consoleAdmin|diagnostics]
+## you can define additional policies with custom supported actions and resources
+policies: []
+## writeexamplepolicy policy grants creation or deletion of buckets with name 
+## starting with example. In addition, grants objects write permissions on buckets starting with
+## example.
+# - name: writeexamplepolicy
+#   statements:
+#     - resources: 
+#         - 'arn:aws:s3:::example*/*'
+#       actions:
+#         - "s3:AbortMultipartUpload"
+#         - "s3:GetObject"
+#         - "s3:DeleteObject"
+#         - "s3:PutObject"
+#         - "s3:ListMultipartUploadParts"
+#     - resources: 
+#         - 'arn:aws:s3:::example*'
+#       actions:
+#         - "s3:CreateBucket"
+#         - "s3:DeleteBucket"
+#         - "s3:GetBucketLocation"
+#         - "s3:ListBucket"
+#         - "s3:ListBucketMultipartUploads"
+## readonlyexamplepolicy policy grants access to buckets with name starting with example. 
+## In addition, grants objects read permissions on buckets starting with example.
+# - name: readonlyexamplepolicy
+#   statements:
+#     - resources: 
+#         - 'arn:aws:s3:::example*/*'
+#       actions:
+#         - "s3:GetObject"
+#     - resources: 
+#         - 'arn:aws:s3:::example*'
+#       actions:
+#         - "s3:GetBucketLocation"
+#         - "s3:ListBucket"
+#         - "s3:ListBucketMultipartUploads"
+## Additional Annotations for the Kubernetes Job makePolicyJob
+makePolicyJob:
+  podAnnotations:
+  annotations:
+  securityContext:
+    enabled: false
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+  resources:
+    requests:
+      memory: 128Mi
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+
+## List of users to be created after minio install
+##
+users:
+  ## Username, password and policy to be assigned to the user
+  ## Default policies are [readonly|readwrite|writeonly|consoleAdmin|diagnostics]
+  ## Add new policies as explained here https://docs.min.io/docs/minio-multi-user-quickstart-guide.html
+  ## NOTE: this will fail if LDAP is enabled in your MinIO deployment
+  ## make sure to disable this if you are using LDAP.
+  - accessKey: cloudmoa
+    secretKey: admin1234
+    policy: consoleAdmin
+  # Or you can refer to specific secret
+  #- accessKey: externalSecret
+  #  existingSecret: my-secret
+  #  existingSecretKey: password
+  #  policy: readonly
+
+
+## Additional Annotations for the Kubernetes Job makeUserJob
+makeUserJob:
+  podAnnotations:
+  annotations:
+  securityContext:
+    enabled: false
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+  resources:
+    requests:
+      memory: 128Mi
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+
+## List of buckets to be created after minio install
+##
+buckets:
+  - name: cortex-bucket
+    policy: none
+    purge: false
+    versioning: false
+
+  #   # Name of the bucket
+  # - name: bucket1
+  #   # Policy to be set on the
+  #   # bucket [none|download|upload|public]
+  #   policy: none
+  #   # Purge if bucket exists already
+  #   purge: false
+  #   # set versioning for
+  #   # bucket [true|false]
+  #   versioning: false
+  # - name: bucket2
+  #   policy: none
+  #   purge: false
+  #   versioning: true
+
+## Additional Annotations for the Kubernetes Job makeBucketJob
+makeBucketJob:
+  podAnnotations:
+  annotations:
+  securityContext:
+    enabled: false
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+  resources:
+    requests:
+      memory: 128Mi
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+
+## List of command to run after minio install
+## NOTE: the mc command TARGET is always "myminio"
+customCommands:
+  # - command: "admin policy set myminio consoleAdmin group='cn=ops,cn=groups,dc=example,dc=com'"
+
+## Additional Annotations for the Kubernetes Job customCommandJob
+customCommandJob:
+  podAnnotations:
+  annotations:
+  securityContext:
+    enabled: false
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+  resources:
+    requests:
+      memory: 128Mi
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+
+## Use this field to add environment variables relevant to MinIO server. These fields will be passed on to MinIO container(s)
+## when Chart is deployed
+environment:
+  ## Please refer for comprehensive list https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html
+  ## MINIO_SUBNET_LICENSE: "License key obtained from https://subnet.min.io"
+  ## MINIO_BROWSER: "off"
+
+## The name of a secret in the same kubernetes namespace which contain secret values
+## This can be useful for LDAP password, etc
+## The key in the secret must be 'config.env'
+##
+# extraSecret: minio-extraenv
+
+networkPolicy:
+  enabled: false
+  allowExternal: true
+
+## PodDisruptionBudget settings
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+##
+podDisruptionBudget:
+  enabled: false
+  maxUnavailable: 1
+
+## Specify the service account to use for the MinIO pods. If 'create' is set to 'false'
+## and 'name' is left unspecified, the account 'default' will be used.
+serviceAccount:
+  create: true
+  ## The name of the service account to use. If 'create' is 'true', a service account with that name
+  ## will be created.
+  name: "minio-sa"
+
+metrics:
+  serviceMonitor:
+    enabled: false
+    public: true
+    additionalLabels: {}
+    relabelConfigs: {}
+    # namespace: monitoring
+    # interval: 30s
+    # scrapeTimeout: 10s
+
+## ETCD settings: https://github.com/minio/minio/blob/master/docs/sts/etcd.md
+## Define endpoints to enable this section.
+etcd:
+  endpoints: []
+  pathPrefix: ""
+  corednsPathPrefix: ""
+  clientCert: ""
+  clientCertKey: ""

roles/cmoa_install/tasks/01-storage-install.yml

@@ -18,6 +18,13 @@
     release_state: present
     values_files:
     - "{{ role_path }}/files/01-storage/{{item}}/values.yaml"
+    values:
+      image:
+        repository: "{{ REGISTRY }}/cmoa3/minio"
+      imagePullSecrets:
+        - name: "{{ PullSecret }}"
+      mcImage:
+        repository: "{{ REGISTRY }}/cmoa3/mc"
   with_items:
     - minio
 

roles/cmoa_install/tasks/02-base-install.yml

@@ -27,6 +27,12 @@
     release_state: present
     values_files:
     - "{{ role_path }}/files/02-base/{{item}}/values.yaml"
+    values:
+      global:
+        IMXC_IN_REGISTRY: "{{ REGISTRY }}/cmoa3"
+        rabbitmq:
+          image:
+            registry: "{{ REGISTRY }}/cmoa3"
   with_items:
     - base
 

roles/cmoa_install/tasks/04-keycloak-install.yml

@@ -9,6 +9,28 @@
     release_state: present
     values_files:
     - "{{ role_path }}/files/04-keycloak/values.yaml"
+    values:
+      image:
+        repository: "{{ REGISTRY }}/cmoa3/keycloak"
+      imagePullSecrets:
+        - name: "{{ PullSecret }}"
+      extraInitContainers: |
+        - name: theme-provider
+          image: "{{ REGISTRY }}/cmoa3/theme-provider:latest"
+          imagePullPolicy: IfNotPresent
+          command:
+            - sh
+          args:
+            - -c
+            - |
+              echo "Copying theme ..."
+              cp -R /mytheme/* /theme
+      pgchecker:
+        image:
+          repository: "{{ REGISTRY }}/cmoa3/busybox"
+    volumeMounts:
+      - name: theme
+        mountPath: /theme
   with_items:
     - keycloak
 

roles/cmoa_install/tasks/05-imxc-install.yml

@@ -9,6 +9,11 @@
     release_state: present
     values_files:
     - "{{ role_path }}/files/05-imxc/values.yaml"
+    values:
+      image:
+        repository: "{{ REGISTRY }}/cmoa3/nginx"
+      global:
+        IMXC_IN_REGISTRY: "{{ REGISTRY }}/cmoa3"
   with_items:
     - imxc
 

roles/cmoa_install/tasks/06-imxc-ui-install.yml

@@ -9,6 +9,11 @@
     release_state: present
     values_files:
     - "{{ role_path }}/files/06-imxc-ui/{{ item }}/values.yaml"
+    values:
+      image:
+        repository: "{{ REGISTRY }}/cmoa3/nginx"
+      global:
+        IMXC_IN_REGISTRY: "{{ REGISTRY }}/cmoa3"
   with_items:
     - imxc-ui
   ignore_errors: true

roles/cmoa_install/tasks/main.yml

@@ -3,8 +3,6 @@
   tags: worker-dir
   when: kubernetes_role == 'node'
 
-    #- include: helm-install.yml
-    #  tags: helm-install
 
 - include: 00-default-settings-master.yml
   tags: default_setting