From 193ce9a534053849477b247871097265585953ba Mon Sep 17 00:00:00 2001
From: Danny Bessems
Date: Mon, 18 Jul 2022 12:09:54 +0200
Subject: [PATCH] Move manifest injection to firstboot;Add SealedSecrets;Replace traefik dashboard

---
 .../roles/metacluster/tasks/main.yml | 44 +++++++++++++++++++
 .../ansible_payload/templates/ingressroute.j2 | 7 +++
 .../templates/ingressroutetcp.j2 | 0
 .../roles/metacluster/tasks/components.yml | 20 ++++-----
 ansible/vars/metacluster.yml | 25 ++++++-----
 5 files changed, 74 insertions(+), 22 deletions(-)
 create mode 100644 ansible/roles/firstboot/files/ansible_payload/templates/ingressroute.j2
 rename ansible/roles/{metacluster => firstboot/files/ansible_payload}/templates/ingressroutetcp.j2 (100%)

diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
index f8beb1d..9f32ce9 100644
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
@@ -13,6 +13,27 @@
 INSTALL_K3S_EXEC: 'server --cluster-init --disable local-storage'
 when: ansible_facts.services['k3s.service'] is undefined

+ - name: Configure Traefik dashboard ingress
+ ansible.builtin.template:
+ src: ingressroute.j2
+ dest: /var/lib/rancher/k3s/server/manifests/{{ item.name }}-manifest.yaml
+ owner: root
+ group: root
+ mode: 0600
+ vars:
+ name: traefik-dashboard
+ namespace: kube-system
+ config: |2
+ entryPoints:
+ - web
+ - websecure
+ routes:
+ - kind: Rule
+ match: Host(`ingress.{{ vapp['metacluster.fqdn'] }}`)
+ services:
+ - kind: TraefikService
+ name: api@internal
+
 - name: Ensure API availability
 ansible.utils.cli_parse:
 command: curl -k https://{{ vapp['guestinfo.ipaddress'] }}:6443/livez?verbose
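Review bot: The added task renders ingressroute.j2, which reads `{{ item.name }}`, `{{ item.namespace }}` and `{{ item.config }}` (and `dest:` itself uses `item.name`), but the task defines `name`, `namespace` and `config` as plain task vars with no `loop`, so `item` is undefined at render time unless it is set somewhere this hunk does not show. Nesting the three values under an `item:` key (`vars:` / `  item:` / `    name: traefik-dashboard` …) gives the template what it expects; the same mismatch is in the 'Configure additional SSH ingress' task of the next hunk. Separately, the route publishes `api@internal` — Traefik's dashboard and API — on both `web` and `websecure` with no `middlewares:` entry, so any client that can reach `ingress.<fqdn>` can read the proxy's full routing configuration; an authentication or IP-allow-list middleware on this route is worth adding, and listing `web` looks redundant given the `redirectTo: websecure` setting in metacluster.yml.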
@@ -133,6 +154,25 @@
 kubeconfig: "{{ kubeconfig.path }}"
 values: "{{ components.gitea.chart_values }}"

+ - name: Configure additional SSH ingress
+ ansible.builtin.template:
+ src: ingressroutetcp.j2
+ dest: /var/lib/rancher/k3s/server/manifests/{{ item.name }}-manifest.yaml
+ owner: root
+ group: root
+ mode: 0600
+ vars:
+ name: gitea-ssh
+ namespace: gitea
+ config: |2
+ entryPoints:
+ - ssh
+ routes:
+ - match: HostSNI(`*`)
+ services:
+ - name: gitea-ssh
+ port: 22
+
 - name: Ensure gitea API availability
 ansible.utils.cli_parse:
 # Available from Gitea 1.17.x
@@ -256,6 +296,10 @@
 password: "{{ vapp['guestinfo.rootpw'] }}"
 register: argocd_api_token

+ # - name: Create umbrella application
+ # ansible.builtin.template:
+ #
+
 module_defaults:
 ansible.builtin.uri:
 validate_certs: no
diff --git a/ansible/roles/firstboot/files/ansible_payload/templates/ingressroute.j2 b/ansible/roles/firstboot/files/ansible_payload/templates/ingressroute.j2
new file mode 100644
index 0000000..8b12efa
--- /dev/null
+++ b/ansible/roles/firstboot/files/ansible_payload/templates/ingressroute.j2
@@ -0,0 +1,7 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: {{ item.name }}
+ namespace: {{ item.namespace }}
+spec:
+{{ item.config }}
diff --git a/ansible/roles/metacluster/templates/ingressroutetcp.j2 b/ansible/roles/firstboot/files/ansible_payload/templates/ingressroutetcp.j2
similarity index 100%
rename from ansible/roles/metacluster/templates/ingressroutetcp.j2
rename to ansible/roles/firstboot/files/ansible_payload/templates/ingressroutetcp.j2
diff --git a/ansible/roles/metacluster/tasks/components.yml b/ansible/roles/metacluster/tasks/components.yml
index 9156500..220f941 100644
--- a/ansible/roles/metacluster/tasks/components.yml
+++ b/ansible/roles/metacluster/tasks/components.yml
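Review bot: The commented-out 'Create umbrella application' stub says nothing about what is still pending, and a dead task body consisting of `# ansible.builtin.template:` followed by an empty `#` will only go stale. Either drop it or replace it with a single marker that names the dependency, e.g. `# TODO: create the Argo CD umbrella application once the gitops repo_ref in metacluster.yml is pinned`.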
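Review bot: `{{ item.config }}` is emitted at column 0 directly under `spec:`, so this template only produces valid YAML when the caller pre-indents the block by two spaces — which is what the `config: |2` indentation indicator in the calling tasks achieves, but nothing in the template records that contract. Add a Jinja comment at the top, e.g. `{# item.config must be a YAML mapping already indented two spaces; it is inserted verbatim beneath spec: #}`, or make the template self-sufficient by writing the last two lines as `spec:` and `  {{ item.config | indent(2) }}` so correct nesting no longer depends on the caller.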
@@ -55,16 +55,16 @@
 chdir: /opt/metacluster/container-images
 loop: "{{ (containerimages.results | map(attribute='stdout_lines') | flatten) + dependencies.container_images }}"

-- name: Inject manifests
- ansible.builtin.template:
- src: "{{ item.type }}.j2"
- dest: /var/lib/rancher/k3s/server/manifests/{{ item.name }}-manifest.yaml
- owner: root
- group: root
- mode: 0600
- loop: "{{ lookup('ansible.builtin.dict', components) | map(attribute='value.manifests') | list | select('defined') | flatten }}"
- loop_control:
- label: "{{ item.type + '/' + item.name }}"
+# - name: Inject manifests
+# ansible.builtin.template:
+# src: "{{ item.type }}.j2"
+# dest: /var/lib/rancher/k3s/server/manifests/{{ item.name }}-manifest.yaml
+# owner: root
+# group: root
+# mode: 0600
+# loop: "{{ lookup('ansible.builtin.dict', components) | map(attribute='value.manifests') | list | select('defined') | flatten }}"
+# loop_control:
+# label: "{{ item.type + '/' + item.name }}"

 - name: Compress tarballs
 community.general.archive:
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index 3dc6a39..a38684f 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@@ -3,6 +3,10 @@ platform:
 k3s:
 version: v1.24.1+k3s1

+ gitops:
+ # repo_ref: v0.1
+ repo_ref: HEAD
+
 packaged_components:
 - name: traefik
 namespace: kube-system
@@ -14,6 +18,9 @@ platform:
 protocol: TCP
 web:
 redirectTo: websecure
+ ingressRoute:
+ dashboard:
+ enabled: false

 helm_repositories:
 - name: longhorn
@@ -86,18 +93,6 @@ components:
 type: ClusterIP
 port: 22
 clusterIP:
- manifests:
- - type: ingressroutetcp
- name: gitea-ssh
- namespace: gitea
- config: |2
- entryPoints:
- - ssh
- routes:
- - match: HostSNI(`*`)
- services:
- - name: gitea-ssh
- port: 22

 argo-cd:
 helm:
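Review bot: The 'Inject manifests' task is kept as a ten-line commented-out copy instead of being removed, although the commit title says injection has moved to firstboot; the copy will drift from the live tasks in the firstboot role, and the `manifests:` entries its `loop` reads are deleted from metacluster.yml in this same patch, so it could not simply be re-enabled anyway. Delete the block (history keeps it) or reduce it to a pointer such as `# Manifest injection now happens on first boot: see roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml`.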
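Review bot: `repo_ref: HEAD` leaves the GitOps repository reference floating, so whatever the branch tip holds at deploy time is what gets applied and two builds of the same appliance can diverge; the commented-out `# repo_ref: v0.1` beside it suggests a pinned tag was the intent. Either pin a tag or commit id here, or say explicitly that HEAD is a development default, e.g. `repo_ref: HEAD  # development default; pin a tag (see v0.1 above) for releases`.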
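Review bot: `ingressRoute.dashboard.enabled: false` silently couples this values file to the replacement IngressRoute the firstboot role now provisions; a reader of metacluster.yml alone will conclude the dashboard is simply switched off. A comment naming the replacement, e.g. `# chart-managed dashboard route disabled; the firstboot role provisions its own via templates/ingressroute.j2`, keeps the two in step when either side changes.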
@@ -116,6 +111,12 @@ components:
 secret:
 argocdServerAdminPassword: "{{ vapp['guestinfo.rootpw'] | password_hash('bcrypt') }}"

+ sealed-secrets:
+ helm:
+ version: 2.4.0 # (= SealedSecrets v0.18.1)
+ chart: sealed-secrets
+ parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+
 dependencies:
 ansible_galaxy_collections: