feat: Switch authentication provider to pinniped

ansible/roles/assets/tasks/containerimages.yml

@@ -1,4 +1,4 @@
-- name: Parse manifests for container images
+- name: Parse Cluster-API manifests for container images
   ansible.builtin.shell:
     # This set of commands is necessary to deal with multi-line scalar values
     # eg.:
@@ -9,11 +9,19 @@
       cat {{ item.dest }} | yq --no-doc eval '.. | .image? | select(.)' | awk '!/ /';
       cat {{ item.dest }} | yq eval '.data.data' | yq --no-doc eval '.. | .image? | select(.)';
       cat {{ item.dest }} | yq --no-doc eval '.. | .files? | with_entries(select(.value.path == "*.yaml")).[0].content' | awk '!/null/' | yq eval '.. | .image? | select(.)'
-  register: parsedmanifests
+  register: clusterapi_parsedmanifests
   loop: "{{ clusterapi_manifests.results }}"
   loop_control:
     label: "{{ item.dest | basename }}"
 
+- name: Parse pinniped manifests for container images
+  ansible.builtin.shell:
+    cmd: cat {{ item.dest }} | yq --no-doc eval '.. | .image? | select(.)' | awk '!/ /'
+  register: pinniped_parsedmanifests
+  loop: "{{ pinniped_manifests.results }}"
+  loop_control:
+    label: "{{ item.dest | basename }}"
+
 - name: Parse metacluster helm charts for container images
   ansible.builtin.shell:
     cmd: "{{ item.value.helm.parse_logic }}"
@@ -41,8 +49,10 @@
       results: "{{ (chartimages_metacluster | json_query('results[*].stdout_lines')) + (chartimages_workloadcluster | json_query('results[*].stdout_lines')) | select() | flatten | list }}"
     - source: kubeadm
       results: "{{ kubeadmimages.stdout_lines }}"
-    - source: manifests
+    - source: clusterapi
-      results: "{{ parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
+      results: "{{ clusterapi_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
+    - source: pinniped
+      results: "{{ pinniped_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
   loop_control:
     label: "{{ item.source }}"
 
@@ -64,4 +74,4 @@
         docker://{{ item }} \
         docker-archive:./{{ ( item | regex_findall('[^/:]+'))[-2] }}_{{ lookup('ansible.builtin.password', '/dev/null length=5 chars=ascii_lowercase,digits seed={{ item }}') }}.tar:{{ item }}
     chdir: /opt/metacluster/container-images
-  loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_manifests + dependencies.container_images) | flatten | unique | sort }}"
+  loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_clusterapi + containerimages_pinniped + dependencies.container_images) | flatten | unique | sort }}"

ansible/roles/assets/tasks/main.yml

@@ -16,6 +16,7 @@
     - /opt/metacluster/helm-charts
     - /opt/metacluster/k3s
     - /opt/metacluster/kube-vip
+    - /opt/metacluster/pinniped
     - /opt/workloadcluster/git-repositories/gitops/charts
     - /opt/workloadcluster/git-repositories/gitops/values
     - /opt/workloadcluster/helm-charts

ansible/roles/assets/tasks/manifests.yml

@@ -16,7 +16,8 @@
             { 'components': (
               metacluster_chartvalues |
               combine({ 'clusterapi': components.clusterapi }) |
-              combine({ 'kubevip'   : components.kubevip }) ),
+              combine({ 'kubevip'   : components.kubevip }) |
+              combine({ 'pinniped'  : components.pinniped }) ),
               'appliance': {
                 'version': (applianceversion)
               }
@@ -39,7 +40,7 @@
             } | to_nice_yaml(indent=2, width=4096)
           }}
 
-- name: Download ClusterAPI manifests
+- name: Download Cluster-API manifests
   ansible.builtin.get_url:
     url: "{{ item.url }}"
     dest: /opt/metacluster/cluster-api/{{ item.dest }}
@@ -99,6 +100,29 @@
   delay: 5
   until: kubevip_manifest is not failed
 
+- name: Download pinniped manifests
+  ansible.builtin.get_url:
+    url: "{{ item.url }}"
+    dest: /opt/metacluster/pinniped/{{ item.dest }}
+  register: pinniped_manifests
+  loop:
+    # The 'supervisor' runs in the metacluster and handles authentication
+    - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-supervisor.yaml
+      dest: pinniped-supervisor.yaml
+    # The 'local-user-authenticator' can be used to run a simple OIDC provider based on useraccounts defined in secrets.
+    - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-local-user-authenticator.yaml
+      dest: local-user-authenticator.yaml
+    # The 'concierge' runs in downstream clusters and forwards authentication requests
+    - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-concierge-crds.yaml
+      dest: pinniped-concierge-crds.yaml
+    - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-concierge-resources.yaml
+      dest: pinniped-concierge-resources.yaml
+  loop_control:
+    label: "{{ item.dest }}"
+  retries: 5
+  delay: 5
+  until: pinniped_manifests is not failed
+
 # - name: Inject manifests
 #   ansible.builtin.template:
 #     src: "{{ item.type }}.j2"

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml

@@ -0,0 +1 @@
+#

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/main.yml

@@ -1,11 +1,12 @@
 - import_tasks: init.yml
 - import_tasks: k3s.yml
 - import_tasks: assets.yml
-- import_tasks: kube-vip.yml
+- import_tasks: virtualip.yml
-- import_tasks: json-server.yml
+- import_tasks: metadata.yml
 - import_tasks: storage.yml
 - import_tasks: ingress.yml
 - import_tasks: certauthority.yml
 - import_tasks: registry.yml
 - import_tasks: git.yml
 - import_tasks: gitops.yml
+- import_tasks: authentication.yml

ansible/vars/metacluster.yml

@@ -33,8 +33,6 @@ platform:
   helm_repositories:
     - name: argo
       url: https://argoproj.github.io/argo-helm
-    - name: authentik
-      url: https://charts.goauthentik.io
     - name: gitea-charts
       url: https://dl.gitea.io/charts/
     - name: harbor
@@ -69,32 +67,6 @@ components:
             hosts:
               - gitops.{{ vapp['metacluster.fqdn'] }}
 
-  authentik:
-    helm:
-      version: 2023.3.1
-      chart: authentik/authentik
-      parse_logic: helm template . --set postgresql.enabled=true,redis.enabled=true | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
-      chart_values: !unsafe |
-        authentik:
-          avatars: none
-          secret_key: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
-          postgresql:
-            password: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
-        env:
-          AUTHENTIK_BOOTSTRAP_PASSWORD: "{{ vapp['metacluster.password'] }}"
-        ingress:
-          enabled: true
-          hosts:
-            - host: auth.{{ vapp['metacluster.fqdn'] }}
-              paths:
-                - path: "/"
-                  pathType: Prefix
-        postgresql:
-          enabled: true
-          postgresqlPassword: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
-        redis:
-          enabled: true
-
   cert-manager:
     helm:
       version: 1.11.0
@@ -225,6 +197,10 @@ components:
         persistence:
           defaultClassReplicaCount: 1
 
+  pinniped:
+    # Must match the version referenced at `dependencies.static_binaries[.filename==pinniped].url`
+    version: v0.25.0
+
   step-certificates:
     helm:
       version: 1.23.0
@@ -282,6 +258,8 @@ dependencies:
     - filename: kubectl-slice
       url: https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.5/kubectl-slice_linux_x86_64.tar.gz
       archive: compressed
+    - filename: pinniped
+      url: https://github.com/vmware-tanzu/pinniped/releases/download/v0.25.0/pinniped-cli-linux-amd64
     - filename: skopeo
       url: https://code.spamasaurus.com/api/packages/djpbessems/generic/skopeo/v1.12.0/skopeo_linux_amd64
     - filename: step