feat: Switch authentication provider to pinniped

2023-08-21 09:02:33 +02:00 · 2023-08-21 09:02:33 +02:00 · 05b271214c
parent 455a2e14be
commit 05b271214c
8 changed files with 52 additions and 37 deletions
--- a/ansible/roles/assets/tasks/containerimages.yml
+++ b/ansible/roles/assets/tasks/containerimages.yml
@ -1,4 +1,4 @@
- name: Parse manifests for container images
+- name: Parse Cluster-API manifests for container images
  ansible.builtin.shell:
    # This set of commands is necessary to deal with multi-line scalar values
    # eg.:
@ -9,11 +9,19 @@
      cat {{ item.dest }} | yq --no-doc eval '.. | .image? | select(.)' | awk '!/ /';
      cat {{ item.dest }} | yq eval '.data.data' | yq --no-doc eval '.. | .image? | select(.)';
      cat {{ item.dest }} | yq --no-doc eval '.. | .files? | with_entries(select(.value.path == "*.yaml")).[0].content' | awk '!/null/' | yq eval '.. | .image? | select(.)'
-  register: parsedmanifests
+  register: clusterapi_parsedmanifests
  loop: "{{ clusterapi_manifests.results }}"
  loop_control:
    label: "{{ item.dest | basename }}"

+- name: Parse pinniped manifests for container images
+  ansible.builtin.shell:
+    cmd: cat {{ item.dest }} | yq --no-doc eval '.. | .image? | select(.)' | awk '!/ /'
+  register: pinniped_parsedmanifests
+  loop: "{{ pinniped_manifests.results }}"
+  loop_control:
+    label: "{{ item.dest | basename }}"
+
 - name: Parse metacluster helm charts for container images
  ansible.builtin.shell:
    cmd: "{{ item.value.helm.parse_logic }}"
@ -41,8 +49,10 @@
      results: "{{ (chartimages_metacluster | json_query('results[*].stdout_lines')) + (chartimages_workloadcluster | json_query('results[*].stdout_lines')) | select() | flatten | list }}"
    - source: kubeadm
      results: "{{ kubeadmimages.stdout_lines }}"
-    - source: manifests
-      results: "{{ parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
+    - source: clusterapi
+      results: "{{ clusterapi_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
+    - source: pinniped
+      results: "{{ pinniped_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
  loop_control:
    label: "{{ item.source }}"

@ -64,4 +74,4 @@
        docker://{{ item }} \
        docker-archive:./{{ ( item | regex_findall('[^/:]+'))[-2] }}_{{ lookup('ansible.builtin.password', '/dev/null length=5 chars=ascii_lowercase,digits seed={{ item }}') }}.tar:{{ item }}
    chdir: /opt/metacluster/container-images
-  loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_manifests + dependencies.container_images) | flatten | unique | sort }}"
+  loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_clusterapi + containerimages_pinniped + dependencies.container_images) | flatten | unique | sort }}"
--- a/ansible/roles/assets/tasks/main.yml
+++ b/ansible/roles/assets/tasks/main.yml
@ -16,6 +16,7 @@
    - /opt/metacluster/helm-charts
    - /opt/metacluster/k3s
    - /opt/metacluster/kube-vip
+    - /opt/metacluster/pinniped
    - /opt/workloadcluster/git-repositories/gitops/charts
    - /opt/workloadcluster/git-repositories/gitops/values
    - /opt/workloadcluster/helm-charts
--- a/ansible/roles/assets/tasks/manifests.yml
+++ b/ansible/roles/assets/tasks/manifests.yml
@ -16,7 +16,8 @@
            { 'components': (
              metacluster_chartvalues |
              combine({ 'clusterapi': components.clusterapi }) |
-              combine({ 'kubevip'   : components.kubevip }) ),
+              combine({ 'kubevip'   : components.kubevip }) |
+              combine({ 'pinniped'  : components.pinniped }) ),
              'appliance': {
                'version': (applianceversion)
              }
@ -39,7 +40,7 @@
            } | to_nice_yaml(indent=2, width=4096)
          }}

- name: Download ClusterAPI manifests
+- name: Download Cluster-API manifests
  ansible.builtin.get_url:
    url: "{{ item.url }}"
    dest: /opt/metacluster/cluster-api/{{ item.dest }}
@ -99,6 +100,29 @@
  delay: 5
  until: kubevip_manifest is not failed

+- name: Download pinniped manifests
+  ansible.builtin.get_url:
+    url: "{{ item.url }}"
+    dest: /opt/metacluster/pinniped/{{ item.dest }}
+  register: pinniped_manifests
+  loop:
+    # The 'supervisor' runs in the metacluster and handles authentication
+    - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-supervisor.yaml
+      dest: pinniped-supervisor.yaml
+    # The 'local-user-authenticator' can be used to run a simple OIDC provider based on useraccounts defined in secrets.
+    - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-local-user-authenticator.yaml
+      dest: local-user-authenticator.yaml
+    # The 'concierge' runs in downstream clusters and forwards authentication requests
+    - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-concierge-crds.yaml
+      dest: pinniped-concierge-crds.yaml
+    - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-concierge-resources.yaml
+      dest: pinniped-concierge-resources.yaml
+  loop_control:
+    label: "{{ item.dest }}"
+  retries: 5
+  delay: 5
+  until: pinniped_manifests is not failed
+
 # - name: Inject manifests
 #   ansible.builtin.template:
 #     src: "{{ item.type }}.j2"
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
@ -0,0 +1 @@
+#
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/main.yml
@ -1,11 +1,12 @@
 - import_tasks: init.yml
 - import_tasks: k3s.yml
 - import_tasks: assets.yml
- import_tasks: kube-vip.yml
- import_tasks: json-server.yml
+- import_tasks: virtualip.yml
+- import_tasks: metadata.yml
 - import_tasks: storage.yml
 - import_tasks: ingress.yml
 - import_tasks: certauthority.yml
 - import_tasks: registry.yml
 - import_tasks: git.yml
 - import_tasks: gitops.yml
+- import_tasks: authentication.yml
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/json-server.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/json-server.yml
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/virtualip.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/virtualip.yml
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@ -33,8 +33,6 @@ platform:
  helm_repositories:
    - name: argo
      url: https://argoproj.github.io/argo-helm
-    - name: authentik
-      url: https://charts.goauthentik.io
    - name: gitea-charts
      url: https://dl.gitea.io/charts/
    - name: harbor
@ -69,32 +67,6 @@ components:
            hosts:
              - gitops.{{ vapp['metacluster.fqdn'] }}

-  authentik:
-    helm:
-      version: 2023.3.1
-      chart: authentik/authentik
-      parse_logic: helm template . --set postgresql.enabled=true,redis.enabled=true | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
-      chart_values: !unsafe |
-        authentik:
-          avatars: none
-          secret_key: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
-          postgresql:
-            password: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
-        env:
-          AUTHENTIK_BOOTSTRAP_PASSWORD: "{{ vapp['metacluster.password'] }}"
-        ingress:
-          enabled: true
-          hosts:
-            - host: auth.{{ vapp['metacluster.fqdn'] }}
-              paths:
-                - path: "/"
-                  pathType: Prefix
-        postgresql:
-          enabled: true
-          postgresqlPassword: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
-        redis:
-          enabled: true
-
  cert-manager:
    helm:
      version: 1.11.0
@ -225,6 +197,10 @@ components:
        persistence:
          defaultClassReplicaCount: 1

+  pinniped:
+    # Must match the version referenced at `dependencies.static_binaries[.filename==pinniped].url`
+    version: v0.25.0
+
  step-certificates:
    helm:
      version: 1.23.0
@ -282,6 +258,8 @@ dependencies:
    - filename: kubectl-slice
      url: https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.5/kubectl-slice_linux_x86_64.tar.gz
      archive: compressed
+    - filename: pinniped
+      url: https://github.com/vmware-tanzu/pinniped/releases/download/v0.25.0/pinniped-cli-linux-amd64
    - filename: skopeo
      url: https://code.spamasaurus.com/api/packages/djpbessems/generic/skopeo/v1.12.0/skopeo_linux_amd64
    - filename: step