From 114122590726dfb1e7c8a285840bcb9221bf511d Mon Sep 17 00:00:00 2001
From: Danny Bessems
Date: Sat, 3 Sep 2022 17:44:44 +0200
Subject: [PATCH] Install SealedSecrets;Store hypervisor credentials in secret
---
 .../roles/metacluster/tasks/certauthority.yml | 13 ++++----
 .../roles/metacluster/tasks/main.yml | 1 +
 .../roles/metacluster/tasks/secrets.yml | 25 +++++++++++++++
 .../ansible_payload/templates/configmap.j2 | 4 ++-
 .../files/ansible_payload/templates/secret.j2 | 4 ++-
 ansible/vars/metacluster.yml | 32 ++-----------------
 6 files changed, 42 insertions(+), 37 deletions(-)
 create mode 100644 ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/secrets.yml
diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml
index d1bbdd3..00e5dc0 100644
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml
@@ -36,8 +36,7 @@
 name: "{{ item.name }}"
 namespace: "{{ item.namespace }}"
 labels: "{{ item.labels | default({}) | indent(width=4, indent=True) }}"
- key: "{{ item.key }}"
- value: "{{ item.value }}"
+ data: "{{ item.data }}"
 loop:
 - name: argocd-tls-certs-cm
 namespace: argo-cd
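Review bot: The new `data: "{{ item.data }}"` that replaces the key/value lines makes `data` a mandatory field of every loop item, whereas the `labels` line right above tolerates absence with `default({})`; an item without `data` now fails at render time with an undefined-variable error instead of yielding an empty `data:` map. For symmetry with `labels`, `data: "{{ item.data | default([]) }}"` keeps a data-less item renderable (the template loop then emits no entries). The task header with the module and `kind` handling sits above the hunk, so I cannot see whether `data` is validated elsewhere.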
@@ -45,13 +44,15 @@
 labels: |
 app.kubernetes.io/name: argocd-cm
 app.kubernetes.io/part-of: argocd
- key: git.{{ vapp['metacluster.fqdn'] }}
- value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
+ data:
+ - key: git.{{ vapp['metacluster.fqdn'] }}
+ value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
 - name: step-certificates-certs
 namespace: kube-system
 kind: secret
- key: root_ca.crt
- value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] | b64encode }}"
+ data:
+ - key: root_ca.crt
+ value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] | b64encode }}"
 loop_control:
 label: "{{ item.kind + '/' + item.name + ' (' + item.namespace + ')' }}"
diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
index 7c96fbf..2b6bf8c 100644
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
@@ -5,6 +5,7 @@
 - import_tasks: storage.yml
 - import_tasks: certauthority.yml
 - import_tasks: registry.yml
+- import_tasks: secrets.yml
 - import_tasks: git.yml
 - import_tasks: gitops.yml
diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/secrets.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/secrets.yml
new file mode 100644
index 0000000..c26edb8
--- /dev/null
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/secrets.yml
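Review bot: The two new `data` lists carry values with different encodings — the ConfigMap entry passes the raw certificate from `stepca_cm_certs`, the Secret entry runs the same value through `b64encode` — and nothing at the loop records why, so a future item is easy to get wrong in either direction (a Secret `data` value that is not base64 is rejected by the API server, while a base64-encoded ConfigMap value is accepted and silently wrong). I would add a comment above the loop such as `# Secret values must be base64-encoded by the caller (secret.j2 writes them into data: verbatim); ConfigMap values are raw`. The task's opening lines are above the hunk, so the exact anchor for the comment is outside what I can see.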
@@ -0,0 +1,25 @@
+- name: Install sealed-secrets chart
+ kubernetes.core.helm:
+ name: sealed-secrets-controller
+ chart_ref: /opt/metacluster/helm-charts/sealed-secrets
+ release_namespace: kube-system
+ wait: yes
+ kubeconfig: "{{ kubeconfig.path }}"
+ values: "{{ components.sealedsecrets.chart_values }}"
+
+- name: Store hypervisor details in secret
+ kubernetes.core.k8s:
+ state: present
+ template: secret.j2
+ kubeconfig: "{{ kubeconfig.path }}"
+ vars:
+ _template:
+ name: hypervisor-credentials
+ namespace: kube-system
+ data:
+ - key: HV_FQDN
+ value: "{{ vapp['hv.fqdn'] | b64encode }}"
+ - key: HV_USERNAME
+ value: "{{ vapp['hv.username'] | b64encode }}"
+ - key: HV_PASSWORD
+ value: "{{ vapp['hv.password'] | b64encode }}"
diff --git a/ansible/roles/firstboot/files/ansible_payload/templates/configmap.j2 b/ansible/roles/firstboot/files/ansible_payload/templates/configmap.j2
index fe4a625..3926bdd 100644
--- a/ansible/roles/firstboot/files/ansible_payload/templates/configmap.j2
+++ b/ansible/roles/firstboot/files/ansible_payload/templates/configmap.j2
@@ -6,4 +6,6 @@ metadata:
 labels:
 {{ _template.labels }}
 data:
- "{{ _template.key }}": {{ _template.value }}
+{% for kv_pair in _template.data %}
+ "{{ kv_pair.key }}": {{ kv_pair.value }}
+{% endfor %}
diff --git a/ansible/roles/firstboot/files/ansible_payload/templates/secret.j2 b/ansible/roles/firstboot/files/ansible_payload/templates/secret.j2
index 01f4726..9537088 100644
--- a/ansible/roles/firstboot/files/ansible_payload/templates/secret.j2
+++ b/ansible/roles/firstboot/files/ansible_payload/templates/secret.j2
@@ -4,4 +4,6 @@ metadata:
 name: {{ _template.name }}
 namespace: {{ _template.namespace }}
 data:
- "{{ _template.key }}": {{ _template.value }}
+{% for kv_pair in _template.data %}
+ "{{ kv_pair.key }}": {{ kv_pair.value }}
+{% endfor %}
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index ac9dbbb..b04d08f 100644
--- a/ansible/vars/metacluster.yml
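Review bot: The "Store hypervisor details in secret" task renders `vapp['hv.password']` into a manifest that `kubernetes.core.k8s` returns in its result and, under `-v` or `--diff`, prints in the play output, and base64 gives no protection there; the task needs `no_log: true`. Note also that the credential is applied as an ordinary Secret rather than a SealedSecret, so the controller installed by the task just above plays no part in guarding it — if that is the intended stepping stone for a later GitOps step, a comment on the task stating so would help the next reader. Minor: `wait: yes` is a YAML 1.1 boolean, while the vars file in this same patch writes `enabled: true`; `wait: true` keeps the style uniform.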
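Review bot: The loop body `"{{ kv_pair.key }}": {{ kv_pair.value }}` emits each value as an unquoted plain scalar, so the rendered manifest is only valid when the value happens to be YAML-safe: a base64 string consisting solely of digits, or beginning with `+`, is retyped as a number, and if the raw certificate handed to the ConfigMap path by certauthority.yml still contains its newlines, the continuation lines are not a valid plain-scalar body at that indentation. Passing the value through Ansible's `to_json` filter yields a correctly escaped double-quoted scalar in all of these cases: `"{{ kv_pair.key }}": {{ kv_pair.value | to_json }}`. The identical loop added to secret.j2 in this patch has the same issue.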
+++ b/ansible/vars/metacluster.yml
@@ -150,26 +150,6 @@ components:
 configs:
 secret:
 argocdServerAdminPassword: "{{ vapp['guestinfo.rootpw'] | password_hash('bcrypt') }}"
- # controller:
- # volumeMounts:
- # - name: custom-ca-certificates
- # mountPath: /etc/ssl/certs/custom-ca-certificates.crt
- # subPath: custom-ca-certificates.crt
- # volumes:
- # - name: custom-ca-certificates
- # secret:
- # defaultMode: 420
- # secretName: step-certificates-certs
- # repoServer:
- # volumeMounts:
- # - name: custom-ca-certificates
- # mountPath: /etc/ssl/certs/custom-ca-certificates.crt
- # subPath: custom-ca-certificates.crt
- # volumes:
- # - name: custom-ca-certificates
- # secret:
- # defaultMode: 420
- # secretName: step-certificates-certs
 server:
 extraArgs:
 - --insecure
@@ -177,15 +157,6 @@ components:
 enabled: true
 hosts:
 - gitops.{{ vapp['metacluster.fqdn'] }}
- # volumeMounts:
- # - name: custom-ca-certificates
- # mountPath: /etc/ssl/certs/custom-ca-certificates.crt
- # subPath: custom-ca-certificates.crt
- # volumes:
- # - name: custom-ca-certificates
- # secret:
- # defaultMode: 420
- # secretName: step-certificates-certs
 sealed-secrets:
 helm:
@@ -214,6 +185,9 @@ dependencies:
 url: https://get.helm.sh/helm-v3.9.0-linux-amd64.tar.gz
 archive: compressed
 extra_opts: --strip-components=1
+ - filename: kubeseal
+ url: https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.2/kubeseal-0.18.2-linux-amd64.tar.gz
+ archive: compressed
 - filename: skopeo
 url: https://code.spamasaurus.com/api/packages/djpbessems/generic/skopeo/v1.9.1/skopeo
 - filename: step
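Review bot: The new kubeseal entry fetches a release tarball by URL with no integrity field in the entry (its sibling entries carry none either), so whichever task consumes this list — not part of this patch — installs whatever the URL serves. If that task is `ansible.builtin.get_url`, its `checksum` parameter verifies the download, so adding `checksum: "sha256:<CHECKSUM-PLACEHOLDER>"` to this entry, with the digest taken from the upstream release, and teaching the consumer to pass it through would close that gap for all entries. Separately, the CLI is pinned to v0.18.2 here while the controller comes from the local chart under /opt/metacluster/helm-charts/sealed-secrets, whose version is not visible; the two are normally kept in step, which deserves a comment on this entry.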