Install SealedSecrets;Store hypervisor credentials in secret

2022-09-03 17:44:44 +02:00
parent 6c4fe7a0e6
commit 1141225907
6 changed files with 42 additions and 37 deletions
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml
@@ -36,8 +36,7 @@
      name: "{{ item.name }}"
      namespace: "{{ item.namespace }}"
      labels: "{{ item.labels | default({}) | indent(width=4, indent=True) }}"
-      key: "{{ item.key }}"
-      value: "{{ item.value }}"
+      data: "{{ item.data }}"
  loop:
    - name: argocd-tls-certs-cm
      namespace: argo-cd
@@ -45,13 +44,15 @@
      labels: |
        app.kubernetes.io/name: argocd-cm
        app.kubernetes.io/part-of: argocd
-      key: git.{{ vapp['metacluster.fqdn'] }}
-      value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
+      data:
+      - key: git.{{ vapp['metacluster.fqdn'] }}
+        value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
    - name: step-certificates-certs
      namespace: kube-system
      kind: secret
-      key: root_ca.crt
-      value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] | b64encode }}"
+      data:
+      - key: root_ca.crt
+        value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] | b64encode }}"
  loop_control:
    label: "{{ item.kind + '/' + item.name + ' (' + item.namespace + ')' }}"

--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
@@ -5,6 +5,7 @@
 - import_tasks: storage.yml
 - import_tasks: certauthority.yml
 - import_tasks: registry.yml
+- import_tasks: secrets.yml
 - import_tasks: git.yml
 - import_tasks: gitops.yml

--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/secrets.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/secrets.yml
@@ -0,0 +1,25 @@
+- name: Install sealed-secrets chart
+  kubernetes.core.helm:
+    name: sealed-secrets-controller
+    chart_ref: /opt/metacluster/helm-charts/sealed-secrets
+    release_namespace: kube-system
+    wait: yes
+    kubeconfig: "{{ kubeconfig.path }}"
+    values: "{{ components.sealedsecrets.chart_values }}"
+
+- name: Store hypervisor details in secret
+  kubernetes.core.k8s:
+    state: present
+    template: secret.j2
+    kubeconfig: "{{ kubeconfig.path }}"
+  vars:
+    _template:
+      name: hypervisor-credentials
+      namespace: kube-system
+      data:
+        - key: HV_FQDN
+          value: "{{ vapp['hv.fqdn'] | b64encode }}"
+        - key: HV_USERNAME
+          value: "{{ vapp['hv.username'] | b64encode }}"
+        - key: HV_PASSWORD
+          value: "{{ vapp['hv.password'] | b64encode }}"