feat: add openshift single region reference arch (#49)

Author: leiicamundi

aws/rosa-hcp-dual-region/README.md

@@ -0,0 +1,4 @@
+# Camunda on AWS ROSA with Dual-Region
+
+This folder describes the IaC of Camunda on AWS ROSA.
+Instructions can be found on the official documentation: https://docs.camunda.io/docs/self-managed/setup/deploy/amazon/openshift/terraform-setup/

aws/rosa-hcp/README.md

@@ -0,0 +1,4 @@
+# Camunda on AWS ROSA
+
+This folder describes the IaC of Camunda on AWS ROSA.
+Instructions can be found on the official documentation: https://docs.camunda.io/docs/self-managed/setup/deploy/amazon/openshift/terraform-setup/

aws/rosa-hcp/camunda-versions/8.6/.tool-versions

@@ -0,0 +1 @@
+# TODO: must be filled for tests integration

aws/rosa-hcp/camunda-versions/8.6/cluster.tf

@@ -0,0 +1,67 @@
+locals {
+  rosa_cluster_name = "my-rosa" # Change this to a name of your choice
+
+  rosa_cluster_zones = ["eu-north-1a", "eu-north-1b", "eu-north-1c"] # Adjust to your needs and align with your value of AWS_REGION
+
+  rosa_admin_username = "kubeadmin"
+  rosa_admin_password = "CHANGEME1234r!" # Change the password of your admin password
+}
+
+module "rosa_cluster" {
+  source = "git::https://github.com/camunda/camunda-tf-rosa//modules/rosa-hcp?ref=v2.0.0"
+
+  cluster_name = local.rosa_cluster_name
+
+  availability_zones = local.rosa_cluster_zones
+
+  # Set CIDR ranges or use the defaults
+  vpc_cidr_block     = "10.0.0.0/16"
+  machine_cidr_block = "10.0.0.0/18"
+  service_cidr_block = "10.0.128.0/18"
+  pod_cidr_block     = "10.0.64.0/18"
+
+  # admin access
+  htpasswd_username = local.rosa_admin_username
+  htpasswd_password = local.rosa_admin_password
+
+  # Default node type for the OpenShift cluster
+  compute_node_instance_type = "m7i.xlarge"
+  replicas                   = 6
+}
+
+# Outputs of the parent module
+
+output "public_subnet_ids" {
+  value       = module.rosa_cluster.public_subnet_ids
+  description = "A comma-separated list of public subnet IDs in the VPC. These subnets are typically used for resources that require internet access."
+}
+
+output "private_subnet_ids" {
+  value       = module.rosa_cluster.private_subnet_ids
+  description = "A comma-separated list of private subnet IDs in the VPC. These subnets are typically used for internal resources that do not require direct internet access."
+}
+
+output "cluster_id" {
+  value       = module.rosa_cluster.cluster_id
+  description = "The unique identifier of the OpenShift cluster created on Red Hat OpenShift Service on AWS (ROSA). This ID is used to reference the cluster in subsequent operations."
+}
+
+output "oidc_provider_id" {
+  value       = module.rosa_cluster.oidc_provider_id
+  description = "OIDC provider for the ROSA cluster. Allows adding additional IAM Role for Service Accounts (IRSA) mappings."
+}
+
+output "aws_caller_identity_account_id" {
+  value       = module.rosa_cluster.aws_caller_identity_account_id
+  description = "The AWS account ID of the caller. This is the account under which the Terraform code is being executed."
+}
+
+output "openshift_api_url" {
+  value       = module.rosa_cluster.openshift_api_url
+  description = "The endpoint URL for accessing the OpenShift API. This endpoint is used to interact with the OpenShift cluster's API server."
+}
+
+output "cluster_console_url" {
+  value       = module.rosa_cluster.cluster_console_url
+  description = "The URL endpoint for accessing the OpenShift web console. This endpoint provides a web-based user interface for managing the OpenShift cluster."
+}

aws/rosa-hcp/camunda-versions/8.6/config.tf

@@ -0,0 +1,21 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.35.0"
+    }
+    rhcs = {
+      version = "1.6.6"
+      source  = "terraform-redhat/rhcs"
+    }
+  }
+
+  backend "s3" {
+    encrypt = true
+  }
+}
+
+# ensure  RHCS_TOKEN env variable is set with a value from https://console.redhat.com/openshift/token/rosa
+provider "rhcs" {}

aws/rosa-hcp/camunda-versions/8.6/procedure/install/.shellcheckrc

@@ -0,0 +1 @@
+disable=SC2148,SC2155

aws/rosa-hcp/camunda-versions/8.6/procedure/install/chart-env.sh

@@ -0,0 +1,3 @@
+# The Camunda 8 Helm Chart version
+# renovate: datasource=helm depName=camunda-platform versioning=regex:^11(\.(?<minor>\d+))?(\.(?<patch>\d+))?$ registryUrl=https://helm.camunda.io
+export CAMUNDA_HELM_CHART_VERSION="11.0.4"

aws/rosa-hcp/camunda-versions/8.6/procedure/install/create-identity-secret.sh

@@ -0,0 +1,10 @@
+kubectl create secret generic identity-secret-for-components \
+  --namespace camunda \
+  --from-literal=connectors-secret="$CONNECTORS_SECRET" \
+  --from-literal=console-secret="$CONSOLE_SECRET" \
+  --from-literal=operate-secret="$OPERATE_SECRET" \
+  --from-literal=optimize-secret="$OPTIMIZE_SECRET" \
+  --from-literal=tasklist-secret="$TASKLIST_SECRET" \
+  --from-literal=zeebe-secret="$ZEEBE_SECRET" \
+  --from-literal=admin-password="$ADMIN_PASSWORD" \
+  --from-literal=smtp-password=""

aws/rosa-hcp/camunda-versions/8.6/procedure/install/generate-passwords.sh

@@ -0,0 +1,7 @@
+export CONNECTORS_SECRET="$(openssl rand -hex 16)"
+export CONSOLE_SECRET="$(openssl rand -hex 16)"
+export OPERATE_SECRET="$(openssl rand -hex 16)"
+export OPTIMIZE_SECRET="$(openssl rand -hex 16)"
+export TASKLIST_SECRET="$(openssl rand -hex 16)"
+export ZEEBE_SECRET="$(openssl rand -hex 16)"
+export ADMIN_PASSWORD="$(openssl rand -hex 16)"

aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/base.yml

@@ -0,0 +1,21 @@
+---
+global:
+    elasticsearch:
+        enabled: true # use the embbeded elasticsearch
+
+identityKeycloak:
+    postgresql:
+        enabled: true # use the embbeded database
+    auth:
+        existingSecret: identity-secret-for-components
+
+console:
+    enabled: false # by default, console is not enabled
+
+webModeler:
+    enabled: false # by default, webModeler is not enabled
+
+    restapi:
+        mail:
+            existingSecret: identity-secret-for-components # reference the smtp password
+            fromAddress: [email protected]   # change this required value