build: Rebase pinniped to bitnami helm chart

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml

@@ -1,37 +1,125 @@
-- name: Trim container image digests
-  ansible.builtin.lineinfile:
-    path: "{{ item }}"
-    regexp: "([ ]+image: (.*))@sha256:.*"
-    line: "\\1"
-    state: present
-    backrefs: yes
-  loop: "{{ query('ansible.builtin.fileglob', '/opt/metacluster/pinniped/*.yaml') }}"
+- block:
+    - name: Install dex
+      kubernetes.core.helm:
+        name: dex
+        chart_ref: /opt/metacluster/helm-charts/dex
+        release_namespace: dex
+        create_namespace: true
+        wait: false
+        kubeconfig: "{{ kubeconfig.path }}"
+        values: "{{ components['dex'].chart_values }}"
 
-- name: Install supervisor
-  kubernetes.core.k8s:
-    src: /opt/metacluster/pinniped/pinniped-supervisor.yaml
-    state: present
-    wait: yes
-    kubeconfig: "{{ kubeconfig.path }}"
+- block:
 
-- name: Add ingress for supervisor
-  kubernetes.core.k8s:
-    template: "ingressroute.j2"
-    state: present
-    kubeconfig: "{{ kubeconfig.path }}"
-  vars:
-    _template:
-      name: pinniped-supervisor-api
-      namespace: pinniped-supervisor
-      config: |2
-          entryPoints:
-          - web
-          - websecure
-          routes:
-          - kind: Rule
-            match: Host(`auth.{{ vapp['metacluster.fqdn'] }}`)
-            services:
-            - kind: Service
-              name: pinniped-supervisor-api
-              namespace: pinniped-supervisor
-              port: 443
+    - name: Install pinniped chart
+      kubernetes.core.helm:
+        name: pinniped
+        chart_ref: /opt/metacluster/helm-charts/pinniped
+        release_namespace: pinniped
+        create_namespace: true
+        wait: false
+        kubeconfig: "{{ kubeconfig.path }}"
+        values: "{{ components['pinniped'].chart_values }}"
+
+    - name: Add ingress for supervisor
+      kubernetes.core.k8s:
+        template: "{{ item.kind }}.j2"
+        state: present
+        kubeconfig: "{{ kubeconfig.path }}"
+      vars:
+        _template:
+          name: "{{ item.name }}"
+          namespace: "{{ item.namespace }}"
+          config: "{{ item.config }}"
+      loop:
+        - kind: ingressroute
+          name: pinniped-supervisor
+          namespace: pinniped-supervisor
+          spec: |2
+              entryPoints:
+              - web
+              - websecure
+              routes:
+              - kind: Rule
+                match: Host(`auth.{{ vapp['metacluster.fqdn'] }}`)
+                services:
+                - kind: Service
+                  name: pinniped-supervisor
+                  namespace: pinniped-supervisor
+                  port: 443
+                  scheme: https
+                  serversTransport: pinniped-supervisor
+        - kind: serverstransport
+          name: pinniped-supervisor
+          namespace: pinniped-supervisor
+          spec: |2
+              insecureSkipVerify: true
+              serverName: auth.{{ vapp['metacluster.fqdn'] }}
+
+    - name: Ensure pinniped API availability
+      ansible.builtin.uri:
+        url: https://auth.{{ vapp['metacluster.fqdn'] }}/healthz
+        method: GET
+      register: api_readycheck
+      until:
+        - api_readycheck.status == 200
+        - api_readycheck.msg is search("OK")
+      retries: "{{ playbook.retries }}"
+      delay: "{{ ((storage_benchmark | float) * playbook.delay.short) | int }}"
+
+    # TODO: Migrate to step-ca
+    - name: Initialize tempfile
+      ansible.builtin.tempfile:
+        state: directory
+      register: certificate
+
+    - name: Create private key (RSA, 4096 bits)
+      community.crypto.openssl_privatekey:
+        path: "{{ certificate.path }}/certificate.key"
+
+    - name: Create self-signed certificate
+      community.crypto.x509_certificate:
+        path: "{{ certificate.path }}/certificate.crt"
+        privatekey_path: "{{ certificate.path }}/certificate.key"
+        provider: selfsigned
+
+    - name: Store self-signed certificate for use by pinniped supervisor
+      kubernetes.core.k8s:
+        template: secret.j2
+        state: present
+        kubeconfig: "{{ kubeconfig.path }}"
+      vars:
+        _template:
+          name: pinniped-supervisor-tls
+          namespace: pinniped-supervisor
+          type: kubernetes.io/tls
+          data:
+          - tls.crt: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.crt') }}"
+          - tls.key: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.key') }}"
+    # TODO: Migrate to step-ca
+
+    - name: Create pinniped resources
+      kubernetes.core.k8s:
+        template: "{{ item.kind }}.j2"
+        state: present
+        kubeconfig: "{{ kubeconfig.path }}"
+      vars:
+        _template:
+          name: "{{ item.name }}"
+          namespace: "{{ item.namespace }}"
+          config: "{{ item.config }}"
+      loop:
+        - kind: oidcidentityprovider
+          name: dex-staticpasswords
+          namespace: pinniped-supervisor
+          ca_bundle:
+          issuer:
+          
+
+        - kind: federationdomain
+          name: metacluster-sso
+          namespace: pinniped-supervisor
+          spec: |2
+              issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/demo-issuer
+              tls:
+                secretName: pinniped-supervisor-tls

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml

@@ -82,7 +82,7 @@
         _template:
           name: step-ca
           namespace: step-ca
-          config: |2
+          spec: |2
               entryPoints:
                 - websecure
               routes:

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/git.yml

@@ -32,7 +32,7 @@
         _template:
           name: gitea-ssh
           namespace: gitea
-          config: |2
+          spec: |2
               entryPoints:
                 - ssh
               routes:

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/ingress.yml

@@ -27,7 +27,7 @@
     _template:
       name: traefik-dashboard
       namespace: kube-system
-      config: |2
+      spec: |2
           entryPoints:
           - web
           - websecure

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/federationdomain.j2

@@ -0,0 +1,7 @@
+apiVersion: config.supervisor.pinniped.dev/v1alpha1
+kind: FederationDomain
+metadata:
+  name: {{ _template.name }}
+  namespace: {{ _template.namespace }}
+spec:
+{{ _template.spec }}

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/ingressroute.j2

@@ -4,4 +4,4 @@ metadata:
   name: {{ _template.name }}
   namespace: {{ _template.namespace }}
 spec:
-{{ _template.config }}
+{{ _template.spec }}

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/ingressroutetcp.j2

@@ -4,4 +4,4 @@ metadata:
   name: {{ _template.name }}
   namespace: {{ _template.namespace }}
 spec:
-{{ _template.config }}
+{{ _template.spec }}

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/oidcidentityprovider.j2

@@ -0,0 +1,11 @@
+apiVersion: idp.supervisor.pinniped.dev/v1alpha1
+kind: OIDCIdentityProvider
+metadata:
+  name: {{ _template.name }}
+  namespace: {{ _template.namespace }}
+spec:
+  issuer: {{ _template.issuer }}
+  tls:
+    certificateAuthorityData: {{ template.ca_bundle }}
+  client:
+    secretName: {{ _template.client_secret }}

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/secret.j2

@@ -3,6 +3,9 @@ kind: Secret
 metadata:
   name: {{ _template.name }}
   namespace: {{ _template.namespace }}
+{% if _template.type is defined %}
+type: {{ _template.type }}
+{% endif %}
 data:
 {% for kv_pair in _template.data %}
   "{{ kv_pair.key }}": {{ kv_pair.value }}

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/serverstransport.j2

@@ -0,0 +1,7 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: {{ _template.name }}
+  namespace: {{ _template.namespace }}
+spec:
+{{ _template.spec }}