Move manifest injection to firstboot;Add SealedSecrets;Replace traefik dashboard

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml

@@ -13,6 +13,27 @@
         INSTALL_K3S_EXEC: 'server --cluster-init --disable local-storage'
       when: ansible_facts.services['k3s.service'] is undefined
 
+    - name: Configure Traefik dashboard ingress
+      ansible.builtin.template:
+        src: ingressroute.j2
+        dest: /var/lib/rancher/k3s/server/manifests/{{ item.name }}-manifest.yaml
+        owner: root
+        group: root
+        mode: 0600
+      vars:
+        name: traefik-dashboard
+        namespace: kube-system
+        config: |2
+            entryPoints:
+            - web
+            - websecure
+            routes:
+            - kind: Rule
+              match: Host(`ingress.{{ vapp['metacluster.fqdn'] }}`)
+              services:
+              - kind: TraefikService
+                name: api@internal
+
     - name: Ensure API availability
       ansible.utils.cli_parse:
         command: curl -k https://{{ vapp['guestinfo.ipaddress'] }}:6443/livez?verbose
@@ -133,6 +154,25 @@
         kubeconfig: "{{ kubeconfig.path }}"
         values: "{{ components.gitea.chart_values }}"
 
+    - name: Configure additional SSH ingress
+      ansible.builtin.template:
+        src: ingressroutetcp.j2
+        dest: /var/lib/rancher/k3s/server/manifests/{{ item.name }}-manifest.yaml
+        owner: root
+        group: root
+        mode: 0600
+      vars:
+        name: gitea-ssh
+        namespace: gitea
+        config: |2
+            entryPoints:
+              - ssh
+            routes:
+            - match: HostSNI(`*`)
+              services:
+              - name: gitea-ssh
+                port: 22
+
     - name: Ensure gitea API availability
       ansible.utils.cli_parse:
         # Available from Gitea 1.17.x
@@ -256,6 +296,10 @@
           password: "{{ vapp['guestinfo.rootpw'] }}"
       register: argocd_api_token
 
+    # - name: Create umbrella application
+    #   ansible.builtin.template:
+    #
+
   module_defaults:
     ansible.builtin.uri:
       validate_certs: no

ansible/roles/firstboot/files/ansible_payload/templates/ingressroute.j2

@@ -0,0 +1,7 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ item.name }}
+  namespace: {{ item.namespace }}
+spec:
+{{ item.config }}

ansible/roles/metacluster/tasks/components.yml

@@ -55,16 +55,16 @@
     chdir: /opt/metacluster/container-images
   loop: "{{ (containerimages.results | map(attribute='stdout_lines') | flatten) + dependencies.container_images }}"
 
-- name: Inject manifests
-  ansible.builtin.template:
-    src: "{{ item.type }}.j2"
-    dest: /var/lib/rancher/k3s/server/manifests/{{ item.name }}-manifest.yaml
-    owner: root
-    group: root
-    mode: 0600
-  loop: "{{ lookup('ansible.builtin.dict', components) | map(attribute='value.manifests') | list | select('defined') | flatten }}"
-  loop_control:
-    label: "{{ item.type + '/' + item.name }}"
+# - name: Inject manifests
+#   ansible.builtin.template:
+#     src: "{{ item.type }}.j2"
+#     dest: /var/lib/rancher/k3s/server/manifests/{{ item.name }}-manifest.yaml
+#     owner: root
+#     group: root
+#     mode: 0600
+#   loop: "{{ lookup('ansible.builtin.dict', components) | map(attribute='value.manifests') | list | select('defined') | flatten }}"
+#   loop_control:
+#     label: "{{ item.type + '/' + item.name }}"
 
 - name: Compress tarballs
   community.general.archive: