build: Rebase pinniped to bitnami helm chart
Some checks failed
continuous-integration/drone/push Build is failing
Some checks failed
continuous-integration/drone/push Build is failing
This commit is contained in:
parent
b17501ee1d
commit
1a1440f751
@ -14,15 +14,6 @@
|
||||
loop_control:
|
||||
label: "{{ item.dest | basename }}"
|
||||
|
||||
- name: Parse pinniped manifests for container images
|
||||
ansible.builtin.shell:
|
||||
# The pinniped manifest specify container images with *both* tag and digest; which is not supported by skopeo
|
||||
cmd: cat {{ item.dest }} | yq --no-doc eval '.. | .image? | select(.) | sub("@.*", "")' | awk '!/ /'
|
||||
register: pinniped_parsedmanifests
|
||||
loop: "{{ pinniped_manifests.results }}"
|
||||
loop_control:
|
||||
label: "{{ item.dest | basename }}"
|
||||
|
||||
- name: Parse metacluster helm charts for container images
|
||||
ansible.builtin.shell:
|
||||
cmd: "{{ item.value.helm.parse_logic }}"
|
||||
@ -52,8 +43,6 @@
|
||||
results: "{{ kubeadmimages.stdout_lines }}"
|
||||
- source: clusterapi
|
||||
results: "{{ clusterapi_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
|
||||
- source: pinniped
|
||||
results: "{{ pinniped_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
|
||||
loop_control:
|
||||
label: "{{ item.source }}"
|
||||
|
||||
@ -75,4 +64,4 @@
|
||||
docker://{{ item }} \
|
||||
docker-archive:./{{ ( item | regex_findall('[^/:]+'))[-2] }}_{{ lookup('ansible.builtin.password', '/dev/null length=5 chars=ascii_lowercase,digits seed={{ item }}') }}.tar:{{ item }}
|
||||
chdir: /opt/metacluster/container-images
|
||||
loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_clusterapi + containerimages_pinniped + dependencies.container_images) | flatten | unique | sort }}"
|
||||
loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_clusterapi + dependencies.container_images) | flatten | unique | sort }}"
|
||||
|
@ -16,7 +16,6 @@
|
||||
- /opt/metacluster/helm-charts
|
||||
- /opt/metacluster/k3s
|
||||
- /opt/metacluster/kube-vip
|
||||
- /opt/metacluster/pinniped
|
||||
- /opt/workloadcluster/git-repositories/gitops/charts
|
||||
- /opt/workloadcluster/git-repositories/gitops/values
|
||||
- /opt/workloadcluster/helm-charts
|
||||
|
@ -16,8 +16,7 @@
|
||||
{ 'components': (
|
||||
metacluster_chartvalues |
|
||||
combine({ 'clusterapi': components.clusterapi }) |
|
||||
combine({ 'kubevip' : components.kubevip }) |
|
||||
combine({ 'pinniped' : components.pinniped }) ),
|
||||
combine({ 'kubevip' : components.kubevip }) ),
|
||||
'appliance': {
|
||||
'version': (applianceversion)
|
||||
}
|
||||
@ -100,29 +99,6 @@
|
||||
delay: 5
|
||||
until: kubevip_manifest is not failed
|
||||
|
||||
- name: Download pinniped manifests
|
||||
ansible.builtin.get_url:
|
||||
url: "{{ item.url }}"
|
||||
dest: /opt/metacluster/pinniped/{{ item.dest }}
|
||||
register: pinniped_manifests
|
||||
loop:
|
||||
# The 'supervisor' runs in the metacluster and handles authentication
|
||||
- url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-supervisor.yaml
|
||||
dest: pinniped-supervisor.yaml
|
||||
# The 'local-user-authenticator' can be used to run a simple OIDC provider based on useraccounts defined in secrets.
|
||||
- url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-local-user-authenticator.yaml
|
||||
dest: local-user-authenticator.yaml
|
||||
# The 'concierge' runs in downstream clusters and forwards authentication requests
|
||||
- url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-concierge-crds.yaml
|
||||
dest: pinniped-concierge-crds.yaml
|
||||
- url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-concierge-resources.yaml
|
||||
dest: pinniped-concierge-resources.yaml
|
||||
loop_control:
|
||||
label: "{{ item.dest }}"
|
||||
retries: 5
|
||||
delay: 5
|
||||
until: pinniped_manifests is not failed
|
||||
|
||||
# - name: Inject manifests
|
||||
# ansible.builtin.template:
|
||||
# src: "{{ item.type }}.j2"
|
||||
|
@ -1,37 +1,125 @@
|
||||
- name: Trim container image digests
|
||||
ansible.builtin.lineinfile:
|
||||
path: "{{ item }}"
|
||||
regexp: "([ ]+image: (.*))@sha256:.*"
|
||||
line: "\\1"
|
||||
state: present
|
||||
backrefs: yes
|
||||
loop: "{{ query('ansible.builtin.fileglob', '/opt/metacluster/pinniped/*.yaml') }}"
|
||||
- block:
|
||||
- name: Install dex
|
||||
kubernetes.core.helm:
|
||||
name: dex
|
||||
chart_ref: /opt/metacluster/helm-charts/dex
|
||||
release_namespace: dex
|
||||
create_namespace: true
|
||||
wait: false
|
||||
kubeconfig: "{{ kubeconfig.path }}"
|
||||
values: "{{ components['dex'].chart_values }}"
|
||||
|
||||
- name: Install supervisor
|
||||
kubernetes.core.k8s:
|
||||
src: /opt/metacluster/pinniped/pinniped-supervisor.yaml
|
||||
state: present
|
||||
wait: yes
|
||||
kubeconfig: "{{ kubeconfig.path }}"
|
||||
- block:
|
||||
|
||||
- name: Add ingress for supervisor
|
||||
kubernetes.core.k8s:
|
||||
template: "ingressroute.j2"
|
||||
state: present
|
||||
kubeconfig: "{{ kubeconfig.path }}"
|
||||
vars:
|
||||
_template:
|
||||
name: pinniped-supervisor-api
|
||||
namespace: pinniped-supervisor
|
||||
config: |2
|
||||
entryPoints:
|
||||
- web
|
||||
- websecure
|
||||
routes:
|
||||
- kind: Rule
|
||||
match: Host(`auth.{{ vapp['metacluster.fqdn'] }}`)
|
||||
services:
|
||||
- kind: Service
|
||||
name: pinniped-supervisor-api
|
||||
namespace: pinniped-supervisor
|
||||
port: 443
|
||||
- name: Install pinniped chart
|
||||
kubernetes.core.helm:
|
||||
name: pinniped
|
||||
chart_ref: /opt/metacluster/helm-charts/pinniped
|
||||
release_namespace: pinniped
|
||||
create_namespace: true
|
||||
wait: false
|
||||
kubeconfig: "{{ kubeconfig.path }}"
|
||||
values: "{{ components['pinniped'].chart_values }}"
|
||||
|
||||
- name: Add ingress for supervisor
|
||||
kubernetes.core.k8s:
|
||||
template: "{{ item.kind }}.j2"
|
||||
state: present
|
||||
kubeconfig: "{{ kubeconfig.path }}"
|
||||
vars:
|
||||
_template:
|
||||
name: "{{ item.name }}"
|
||||
namespace: "{{ item.namespace }}"
|
||||
config: "{{ item.config }}"
|
||||
loop:
|
||||
- kind: ingressroute
|
||||
name: pinniped-supervisor
|
||||
namespace: pinniped-supervisor
|
||||
spec: |2
|
||||
entryPoints:
|
||||
- web
|
||||
- websecure
|
||||
routes:
|
||||
- kind: Rule
|
||||
match: Host(`auth.{{ vapp['metacluster.fqdn'] }}`)
|
||||
services:
|
||||
- kind: Service
|
||||
name: pinniped-supervisor
|
||||
namespace: pinniped-supervisor
|
||||
port: 443
|
||||
scheme: https
|
||||
serversTransport: pinniped-supervisor
|
||||
- kind: serverstransport
|
||||
name: pinniped-supervisor
|
||||
namespace: pinniped-supervisor
|
||||
spec: |2
|
||||
insecureSkipVerify: true
|
||||
serverName: auth.{{ vapp['metacluster.fqdn'] }}
|
||||
|
||||
- name: Ensure pinniped API availability
|
||||
ansible.builtin.uri:
|
||||
url: https://auth.{{ vapp['metacluster.fqdn'] }}/healthz
|
||||
method: GET
|
||||
register: api_readycheck
|
||||
until:
|
||||
- api_readycheck.status == 200
|
||||
- api_readycheck.msg is search("OK")
|
||||
retries: "{{ playbook.retries }}"
|
||||
delay: "{{ ((storage_benchmark | float) * playbook.delay.short) | int }}"
|
||||
|
||||
# TODO: Migrate to step-ca
|
||||
- name: Initialize tempfile
|
||||
ansible.builtin.tempfile:
|
||||
state: directory
|
||||
register: certificate
|
||||
|
||||
- name: Create private key (RSA, 4096 bits)
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "{{ certificate.path }}/certificate.key"
|
||||
|
||||
- name: Create self-signed certificate
|
||||
community.crypto.x509_certificate:
|
||||
path: "{{ certificate.path }}/certificate.crt"
|
||||
privatekey_path: "{{ certificate.path }}/certificate.key"
|
||||
provider: selfsigned
|
||||
|
||||
- name: Store self-signed certificate for use by pinniped supervisor
|
||||
kubernetes.core.k8s:
|
||||
template: secret.j2
|
||||
state: present
|
||||
kubeconfig: "{{ kubeconfig.path }}"
|
||||
vars:
|
||||
_template:
|
||||
name: pinniped-supervisor-tls
|
||||
namespace: pinniped-supervisor
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
- tls.crt: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.crt') }}"
|
||||
- tls.key: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.key') }}"
|
||||
# TODO: Migrate to step-ca
|
||||
|
||||
- name: Create pinniped resources
|
||||
kubernetes.core.k8s:
|
||||
template: "{{ item.kind }}.j2"
|
||||
state: present
|
||||
kubeconfig: "{{ kubeconfig.path }}"
|
||||
vars:
|
||||
_template:
|
||||
name: "{{ item.name }}"
|
||||
namespace: "{{ item.namespace }}"
|
||||
config: "{{ item.config }}"
|
||||
loop:
|
||||
- kind: oidcidentityprovider
|
||||
name: dex-staticpasswords
|
||||
namespace: pinniped-supervisor
|
||||
ca_bundle:
|
||||
issuer:
|
||||
|
||||
|
||||
- kind: federationdomain
|
||||
name: metacluster-sso
|
||||
namespace: pinniped-supervisor
|
||||
spec: |2
|
||||
issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/demo-issuer
|
||||
tls:
|
||||
secretName: pinniped-supervisor-tls
|
||||
|
@ -82,7 +82,7 @@
|
||||
_template:
|
||||
name: step-ca
|
||||
namespace: step-ca
|
||||
config: |2
|
||||
spec: |2
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
|
@ -32,7 +32,7 @@
|
||||
_template:
|
||||
name: gitea-ssh
|
||||
namespace: gitea
|
||||
config: |2
|
||||
spec: |2
|
||||
entryPoints:
|
||||
- ssh
|
||||
routes:
|
||||
|
@ -27,7 +27,7 @@
|
||||
_template:
|
||||
name: traefik-dashboard
|
||||
namespace: kube-system
|
||||
config: |2
|
||||
spec: |2
|
||||
entryPoints:
|
||||
- web
|
||||
- websecure
|
||||
|
@ -0,0 +1,7 @@
|
||||
apiVersion: config.supervisor.pinniped.dev/v1alpha1
|
||||
kind: FederationDomain
|
||||
metadata:
|
||||
name: {{ _template.name }}
|
||||
namespace: {{ _template.namespace }}
|
||||
spec:
|
||||
{{ _template.spec }}
|
@ -4,4 +4,4 @@ metadata:
|
||||
name: {{ _template.name }}
|
||||
namespace: {{ _template.namespace }}
|
||||
spec:
|
||||
{{ _template.config }}
|
||||
{{ _template.spec }}
|
||||
|
@ -4,4 +4,4 @@ metadata:
|
||||
name: {{ _template.name }}
|
||||
namespace: {{ _template.namespace }}
|
||||
spec:
|
||||
{{ _template.config }}
|
||||
{{ _template.spec }}
|
||||
|
@ -0,0 +1,11 @@
|
||||
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
|
||||
kind: OIDCIdentityProvider
|
||||
metadata:
|
||||
name: {{ _template.name }}
|
||||
namespace: {{ _template.namespace }}
|
||||
spec:
|
||||
issuer: {{ _template.issuer }}
|
||||
tls:
|
||||
certificateAuthorityData: {{ template.ca_bundle }}
|
||||
client:
|
||||
secretName: {{ _template.client_secret }}
|
@ -3,6 +3,9 @@ kind: Secret
|
||||
metadata:
|
||||
name: {{ _template.name }}
|
||||
namespace: {{ _template.namespace }}
|
||||
{% if _template.type is defined %}
|
||||
type: {{ _template.type }}
|
||||
{% endif %}
|
||||
data:
|
||||
{% for kv_pair in _template.data %}
|
||||
"{{ kv_pair.key }}": {{ kv_pair.value }}
|
||||
|
@ -0,0 +1,7 @@
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: ServersTransport
|
||||
metadata:
|
||||
name: {{ _template.name }}
|
||||
namespace: {{ _template.namespace }}
|
||||
spec:
|
||||
{{ _template.spec }}
|
@ -33,6 +33,10 @@ platform:
|
||||
helm_repositories:
|
||||
- name: argo
|
||||
url: https://argoproj.github.io/argo-helm
|
||||
- name: bitnami
|
||||
url: https://charts.bitnami.com/bitnami
|
||||
- name: dexidp
|
||||
url: https://charts.dexidp.io
|
||||
- name: gitea-charts
|
||||
url: https://dl.gitea.io/charts/
|
||||
- name: harbor
|
||||
@ -93,6 +97,38 @@ components:
|
||||
node_template:
|
||||
url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2204-kube-v1.27.1.ova
|
||||
|
||||
dex:
|
||||
helm:
|
||||
version: 0.15.3 # (= Dex 2.37.0)
|
||||
chart: dexidp/dex
|
||||
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
|
||||
chart_values: !unsafe |
|
||||
config:
|
||||
issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
|
||||
storage:
|
||||
type: kubernetes
|
||||
config:
|
||||
inCluster: true
|
||||
staticClients:
|
||||
- id: pinniped-supervisor
|
||||
secret: pinniped-supervisor-secret
|
||||
name: Pinniped Supervisor client
|
||||
redirectURIs:
|
||||
- https://auth.{{ vapp['metacluster.fqdn'] }}/callback
|
||||
enablePasswordDB: true
|
||||
staticPasswords:
|
||||
- email: admin@{{ vapp['metacluster.fqdn'] }}
|
||||
hash: {{ vapp['metacluster.password'] | password_hash('bcrypt') }}
|
||||
username: admin
|
||||
userID: {{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) | to_uuid }}
|
||||
ingress:
|
||||
enabled: true
|
||||
hosts:
|
||||
- host: idps.{{ vapp['metacluster.fqdn'] }}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
gitea:
|
||||
helm:
|
||||
version: v7.0.2 # (= Gitea v1.18.3)
|
||||
@ -198,8 +234,17 @@ components:
|
||||
defaultClassReplicaCount: 1
|
||||
|
||||
pinniped:
|
||||
# Must match the version referenced at `dependencies.static_binaries[.filename==pinniped].url`
|
||||
version: v0.25.0
|
||||
helm:
|
||||
version: 1.2.11 # (= Pinniped v0.25.0)
|
||||
chart: bitnami/pinniped
|
||||
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
|
||||
chart_values: !unsafe |
|
||||
concierge:
|
||||
enabled: false
|
||||
supervisor:
|
||||
service:
|
||||
public:
|
||||
type: ClusterIP
|
||||
|
||||
step-certificates:
|
||||
helm:
|
||||
|
@ -1,6 +1,8 @@
|
||||
downstream:
|
||||
|
||||
helm_repositories:
|
||||
- name: bitnami
|
||||
url: https://charts.bitnami.com/bitnami
|
||||
- name: longhorn
|
||||
url: https://charts.longhorn.io
|
||||
- name: sealed-secrets
|
||||
@ -18,6 +20,15 @@ downstream:
|
||||
createDefaultDiskLabeledNodes: true
|
||||
defaultDataPath: /mnt/blockstorage
|
||||
|
||||
pinniped:
|
||||
helm:
|
||||
version: 1.2.11 # (= Pinniped v0.25.0)
|
||||
chart: bitnami/pinniped
|
||||
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
|
||||
chart_values: !unsafe |
|
||||
supervisor:
|
||||
enabled: false
|
||||
|
||||
sealed-secrets:
|
||||
version: 2.8.1 # (= Sealed Secrets v0.20.2)
|
||||
chart: sealed-secrets/sealed-secrets
|
||||
|
Loading…
Reference in New Issue
Block a user