diff --git a/ansible/roles/assets/tasks/containerimages.yml b/ansible/roles/assets/tasks/containerimages.yml
index 664fce9..ee70631 100644
--- a/ansible/roles/assets/tasks/containerimages.yml
+++ b/ansible/roles/assets/tasks/containerimages.yml
@@ -1,4 +1,4 @@
-- name: Parse manifests for container images
+- name: Parse Cluster-API manifests for container images
 ansible.builtin.shell:
 # This set of commands is necessary to deal with multi-line scalar values
 # eg.:
@@ -9,11 +9,19 @@
 cat {{ item.dest }} | yq --no-doc eval '.. | .image? | select(.)' | awk '!/ /';
 cat {{ item.dest }} | yq eval '.data.data' | yq --no-doc eval '.. | .image? | select(.)';
 cat {{ item.dest }} | yq --no-doc eval '.. | .files? | with_entries(select(.value.path == "*.yaml")).[0].content' | awk '!/null/' | yq eval '.. | .image? | select(.)'
- register: parsedmanifests
+ register: clusterapi_parsedmanifests
 loop: "{{ clusterapi_manifests.results }}"
 loop_control:
 label: "{{ item.dest | basename }}"
 
+- name: Parse pinniped manifests for container images
+ ansible.builtin.shell:
+ cmd: cat {{ item.dest }} | yq --no-doc eval '.. | .image? | select(.)' | awk '!/ /'
+ register: pinniped_parsedmanifests
+ loop: "{{ pinniped_manifests.results }}"
+ loop_control:
+ label: "{{ item.dest | basename }}"
+
 - name: Parse metacluster helm charts for container images
 ansible.builtin.shell:
 cmd: "{{ item.value.helm.parse_logic }}"
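Review bot: The new `Parse pinniped manifests` task runs `cat ... | yq ... | awk` through `ansible.builtin.shell` without `set -o pipefail`, so only awk's exit status is checked and a missing or unparseable manifest silently produces an empty image list instead of failing the play (ansible-lint `risky-shell-pipe`); the Cluster-API task above has the same gap. A read-only parse should also not report a change on every run. Suggested: `cmd: set -o pipefail; cat {{ item.dest | quote }} | yq --no-doc eval '.. | .image? | select(.)' | awk '!/ /'` together with `executable: /bin/bash` under the module and `changed_when: false` on the task.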
@@ -41,8 +49,10 @@
 results: "{{ (chartimages_metacluster | json_query('results[*].stdout_lines')) + (chartimages_workloadcluster | json_query('results[*].stdout_lines')) | select() | flatten | list }}"
 - source: kubeadm
 results: "{{ kubeadmimages.stdout_lines }}"
- - source: manifests
- results: "{{ parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
+ - source: clusterapi
+ results: "{{ clusterapi_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
+ - source: pinniped
+ results: "{{ pinniped_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
 loop_control:
 label: "{{ item.source }}"
@@ -64,4 +74,4 @@
 docker://{{ item }} \
 docker-archive:./{{ ( item | regex_findall('[^/:]+'))[-2] }}_{{ lookup('ansible.builtin.password', '/dev/null length=5 chars=ascii_lowercase,digits seed={{ item }}') }}.tar:{{ item }}
 chdir: /opt/metacluster/container-images
- loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_manifests + dependencies.container_images) | flatten | unique | sort }}"
+ loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_clusterapi + containerimages_pinniped + dependencies.container_images) | flatten | unique | sort }}"
diff --git a/ansible/roles/assets/tasks/main.yml b/ansible/roles/assets/tasks/main.yml
index ad8bc81..cbcefeb 100644
--- a/ansible/roles/assets/tasks/main.yml
+++ b/ansible/roles/assets/tasks/main.yml
@@ -16,6 +16,7 @@
 - /opt/metacluster/helm-charts
 - /opt/metacluster/k3s
 - /opt/metacluster/kube-vip
+ - /opt/metacluster/pinniped
 - /opt/workloadcluster/git-repositories/gitops/charts
 - /opt/workloadcluster/git-repositories/gitops/values
 - /opt/workloadcluster/helm-charts
diff --git a/ansible/roles/assets/tasks/manifests.yml b/ansible/roles/assets/tasks/manifests.yml
index ef537f3..910bfea 100644
--- a/ansible/roles/assets/tasks/manifests.yml
+++ b/ansible/roles/assets/tasks/manifests.yml
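Review bot: Renaming the `manifests` source to `clusterapi` and adding `pinniped` changes the set of derived fact names that the skopeo loop in the next hunk consumes (`containerimages_clusterapi`, `containerimages_pinniped`); those facts appear to be built from `item.source` by a task between the two hunks that is not visible here, so the mapping cannot be confirmed from this diff. Any other consumer of the old `containerimages_manifests` or `parsedmanifests` names outside this diff would now fail with an undefined variable, so a repo-wide search for both before merging is worth it. The `| select() | flatten | list` on each new results expression keeps the loop addition safe when a parse task yields no output, since the value collapses to an empty list rather than a null.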
@@ -16,7 +16,8 @@
 { 'components': (
 metacluster_chartvalues |
 combine({ 'clusterapi': components.clusterapi }) |
- combine({ 'kubevip' : components.kubevip }) ),
+ combine({ 'kubevip' : components.kubevip }) |
+ combine({ 'pinniped' : components.pinniped }) ),
 'appliance': {
 'version': (applianceversion)
 }
@@ -39,7 +40,7 @@
 }
 | to_nice_yaml(indent=2, width=4096) }}
 
-- name: Download ClusterAPI manifests
+- name: Download Cluster-API manifests
 ansible.builtin.get_url:
 url: "{{ item.url }}"
 dest: /opt/metacluster/cluster-api/{{ item.dest }}
@@ -99,6 +100,29 @@
 delay: 5
 until: kubevip_manifest is not failed
 
+- name: Download pinniped manifests
+ ansible.builtin.get_url:
+ url: "{{ item.url }}"
+ dest: /opt/metacluster/pinniped/{{ item.dest }}
+ register: pinniped_manifests
+ loop:
+ # The 'supervisor' runs in the metacluster and handles authentication
+ - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-supervisor.yaml
+ dest: pinniped-supervisor.yaml
+ # The 'local-user-authenticator' can be used to run a simple OIDC provider based on useraccounts defined in secrets.
+ - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-local-user-authenticator.yaml
+ dest: local-user-authenticator.yaml
+ # The 'concierge' runs in downstream clusters and forwards authentication requests
+ - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-concierge-crds.yaml
+ dest: pinniped-concierge-crds.yaml
+ - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-concierge-resources.yaml
+ dest: pinniped-concierge-resources.yaml
+ loop_control:
+ label: "{{ item.dest }}"
+ retries: 5
+ delay: 5
+ until: pinniped_manifests is not failed
+
 # - name: Inject manifests
 # ansible.builtin.template:
 # src: "{{ item.type }}.j2"
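Review bot: The new `Download pinniped manifests` task fetches four manifests that will be applied to the metacluster without a `checksum:` on `ansible.builtin.get_url`, so a tampered or truncated download is accepted as-is; pinning `components.pinniped.version` only fixes which tag is requested, not what is received. If the upstream release publishes digests, `checksum: sha256:<digest-or-url placeholder>` per loop item closes this, and the kube-vip task above appears to follow the same unverified pattern, so this is a pre-existing gap rather than a regression of this commit. Separately, the loop comment calling `local-user-authenticator` "a simple OIDC provider" is inaccurate as far as I recall from upstream documentation, which describes it as a demo webhook authenticator for testing that should not be used in production; a comment such as `# The 'local-user-authenticator' is a demo webhook authenticator backed by user accounts in secrets; not intended for production use` would set expectations for whoever wires it up in authentication.yml.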
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
new file mode 100644
index 0000000..792d600
--- /dev/null
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
@@ -0,0 +1 @@
+#
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/main.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/main.yml
index 8b5f726..f3b96e1 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/main.yml
@@ -1,11 +1,12 @@
 - import_tasks: init.yml
 - import_tasks: k3s.yml
 - import_tasks: assets.yml
-- import_tasks: kube-vip.yml
-- import_tasks: json-server.yml
+- import_tasks: virtualip.yml
+- import_tasks: metadata.yml
 - import_tasks: storage.yml
 - import_tasks: ingress.yml
 - import_tasks: certauthority.yml
 - import_tasks: registry.yml
 - import_tasks: git.yml
 - import_tasks: gitops.yml
+- import_tasks: authentication.yml
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/json-server.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/metadata.yml
similarity index 100%
rename from ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/json-server.yml
rename to ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/metadata.yml
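Review bot: `authentication.yml`, imported last in this hunk, is a one-line placeholder (`#`) in this commit, while the same commit removes the authentik chart from `ansible/vars/metacluster.yml`, so after this change the firstboot bootstrap appears to finish with no identity provider deployed and nothing consuming the pinniped manifests staged under `/opt/metacluster/pinniped`. If that is intentional staging, the placeholder should say so, e.g. `# TODO: deploy the pinniped supervisor/concierge from /opt/metacluster/pinniped (staged by roles/assets/tasks/manifests.yml)`, so the gap between "assets downloaded" and "authentication configured" is visible to the next reader. Importing an effectively empty task file should otherwise be harmless, but I have not verified that against this Ansible version.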
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/kube-vip.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/virtualip.yml
similarity index 100%
rename from ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/kube-vip.yml
rename to ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/virtualip.yml
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index 7fec177..2729a71 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@@ -33,8 +33,6 @@ platform:
 helm_repositories:
 - name: argo
 url: https://argoproj.github.io/argo-helm
- - name: authentik
- url: https://charts.goauthentik.io
 - name: gitea-charts
 url: https://dl.gitea.io/charts/
 - name: harbor
@@ -69,32 +67,6 @@ components:
 hosts:
 - gitops.{{ vapp['metacluster.fqdn'] }}
 
- authentik:
- helm:
- version: 2023.3.1
- chart: authentik/authentik
- parse_logic: helm template . --set postgresql.enabled=true,redis.enabled=true | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
- chart_values: !unsafe |
- authentik:
- avatars: none
- secret_key: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
- postgresql:
- password: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
- env:
- AUTHENTIK_BOOTSTRAP_PASSWORD: "{{ vapp['metacluster.password'] }}"
- ingress:
- enabled: true
- hosts:
- - host: auth.{{ vapp['metacluster.fqdn'] }}
- paths:
- - path: "/"
- pathType: Prefix
- postgresql:
- enabled: true
- postgresqlPassword: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
- redis:
- enabled: true
-
 cert-manager:
 helm:
 version: 1.11.0
@@ -225,6 +197,10 @@ components:
 persistence:
 defaultClassReplicaCount: 1
 
+ pinniped:
+ # Must match the version referenced at `dependencies.static_binaries[.filename==pinniped].url`
+ version: v0.25.0
+
 step-certificates:
 helm:
 version: 1.23.0
@@ -282,6 +258,8 @@ dependencies:
 - filename: kubectl-slice
 url: https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.5/kubectl-slice_linux_x86_64.tar.gz
 archive: compressed
+ - filename: pinniped
+ url: https://github.com/vmware-tanzu/pinniped/releases/download/v0.25.0/pinniped-cli-linux-amd64
 - filename: skopeo
 url: https://code.spamasaurus.com/api/packages/djpbessems/generic/skopeo/v1.12.0/skopeo_linux_amd64
 - filename: step
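Review bot: The pinniped release version is now stated twice — `components.pinniped.version: v0.25.0` in the first hunk and the hard-coded `v0.25.0` inside the `static_binaries` URL in the second — with a comment asking future editors to keep them in sync by hand. This vars file already uses Jinja in values (the `gitops.{{ vapp['metacluster.fqdn'] }}` context line above) and Ansible templates vars lazily, so the URL can reference the component directly, `url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/pinniped-cli-linux-amd64`, which makes the "Must match" comment unnecessary and prevents a bump from leaving the CLI and the supervisor/concierge manifests on different versions (a mismatch would likely only surface at login time). The CLI is also fetched with no integrity value alongside it; whether the task that consumes `static_binaries` supports a digest field is not visible in this diff.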