build: Rebase pinniped to bitnami helm chart
This commit is contained in:
parent
b17501ee1d
commit
1a1440f751
@ -14,15 +14,6 @@
|
|||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.dest | basename }}"
|
label: "{{ item.dest | basename }}"
|
||||||
|
|
||||||
- name: Parse pinniped manifests for container images
|
|
||||||
ansible.builtin.shell:
|
|
||||||
# The pinniped manifest specify container images with *both* tag and digest; which is not supported by skopeo
|
|
||||||
cmd: cat {{ item.dest }} | yq --no-doc eval '.. | .image? | select(.) | sub("@.*", "")' | awk '!/ /'
|
|
||||||
register: pinniped_parsedmanifests
|
|
||||||
loop: "{{ pinniped_manifests.results }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.dest | basename }}"
|
|
||||||
|
|
||||||
- name: Parse metacluster helm charts for container images
|
- name: Parse metacluster helm charts for container images
|
||||||
ansible.builtin.shell:
|
ansible.builtin.shell:
|
||||||
cmd: "{{ item.value.helm.parse_logic }}"
|
cmd: "{{ item.value.helm.parse_logic }}"
|
||||||
@ -52,8 +43,6 @@
|
|||||||
results: "{{ kubeadmimages.stdout_lines }}"
|
results: "{{ kubeadmimages.stdout_lines }}"
|
||||||
- source: clusterapi
|
- source: clusterapi
|
||||||
results: "{{ clusterapi_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
|
results: "{{ clusterapi_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
|
||||||
- source: pinniped
|
|
||||||
results: "{{ pinniped_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
|
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.source }}"
|
label: "{{ item.source }}"
|
||||||
|
|
||||||
@ -75,4 +64,4 @@
|
|||||||
docker://{{ item }} \
|
docker://{{ item }} \
|
||||||
docker-archive:./{{ ( item | regex_findall('[^/:]+'))[-2] }}_{{ lookup('ansible.builtin.password', '/dev/null length=5 chars=ascii_lowercase,digits seed={{ item }}') }}.tar:{{ item }}
|
docker-archive:./{{ ( item | regex_findall('[^/:]+'))[-2] }}_{{ lookup('ansible.builtin.password', '/dev/null length=5 chars=ascii_lowercase,digits seed={{ item }}') }}.tar:{{ item }}
|
||||||
chdir: /opt/metacluster/container-images
|
chdir: /opt/metacluster/container-images
|
||||||
loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_clusterapi + containerimages_pinniped + dependencies.container_images) | flatten | unique | sort }}"
|
loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_clusterapi + dependencies.container_images) | flatten | unique | sort }}"
|
||||||
|
@ -16,7 +16,6 @@
|
|||||||
- /opt/metacluster/helm-charts
|
- /opt/metacluster/helm-charts
|
||||||
- /opt/metacluster/k3s
|
- /opt/metacluster/k3s
|
||||||
- /opt/metacluster/kube-vip
|
- /opt/metacluster/kube-vip
|
||||||
- /opt/metacluster/pinniped
|
|
||||||
- /opt/workloadcluster/git-repositories/gitops/charts
|
- /opt/workloadcluster/git-repositories/gitops/charts
|
||||||
- /opt/workloadcluster/git-repositories/gitops/values
|
- /opt/workloadcluster/git-repositories/gitops/values
|
||||||
- /opt/workloadcluster/helm-charts
|
- /opt/workloadcluster/helm-charts
|
||||||
|
@ -16,8 +16,7 @@
|
|||||||
{ 'components': (
|
{ 'components': (
|
||||||
metacluster_chartvalues |
|
metacluster_chartvalues |
|
||||||
combine({ 'clusterapi': components.clusterapi }) |
|
combine({ 'clusterapi': components.clusterapi }) |
|
||||||
combine({ 'kubevip' : components.kubevip }) |
|
combine({ 'kubevip' : components.kubevip }) ),
|
||||||
combine({ 'pinniped' : components.pinniped }) ),
|
|
||||||
'appliance': {
|
'appliance': {
|
||||||
'version': (applianceversion)
|
'version': (applianceversion)
|
||||||
}
|
}
|
||||||
@ -100,29 +99,6 @@
|
|||||||
delay: 5
|
delay: 5
|
||||||
until: kubevip_manifest is not failed
|
until: kubevip_manifest is not failed
|
||||||
|
|
||||||
- name: Download pinniped manifests
|
|
||||||
ansible.builtin.get_url:
|
|
||||||
url: "{{ item.url }}"
|
|
||||||
dest: /opt/metacluster/pinniped/{{ item.dest }}
|
|
||||||
register: pinniped_manifests
|
|
||||||
loop:
|
|
||||||
# The 'supervisor' runs in the metacluster and handles authentication
|
|
||||||
- url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-supervisor.yaml
|
|
||||||
dest: pinniped-supervisor.yaml
|
|
||||||
# The 'local-user-authenticator' can be used to run a simple OIDC provider based on useraccounts defined in secrets.
|
|
||||||
- url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-local-user-authenticator.yaml
|
|
||||||
dest: local-user-authenticator.yaml
|
|
||||||
# The 'concierge' runs in downstream clusters and forwards authentication requests
|
|
||||||
- url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-concierge-crds.yaml
|
|
||||||
dest: pinniped-concierge-crds.yaml
|
|
||||||
- url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-concierge-resources.yaml
|
|
||||||
dest: pinniped-concierge-resources.yaml
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.dest }}"
|
|
||||||
retries: 5
|
|
||||||
delay: 5
|
|
||||||
until: pinniped_manifests is not failed
|
|
||||||
|
|
||||||
# - name: Inject manifests
|
# - name: Inject manifests
|
||||||
# ansible.builtin.template:
|
# ansible.builtin.template:
|
||||||
# src: "{{ item.type }}.j2"
|
# src: "{{ item.type }}.j2"
|
||||||
|
@ -1,29 +1,41 @@
|
|||||||
- name: Trim container image digests
|
- block:
|
||||||
ansible.builtin.lineinfile:
|
- name: Install dex
|
||||||
path: "{{ item }}"
|
kubernetes.core.helm:
|
||||||
regexp: "([ ]+image: (.*))@sha256:.*"
|
name: dex
|
||||||
line: "\\1"
|
chart_ref: /opt/metacluster/helm-charts/dex
|
||||||
state: present
|
release_namespace: dex
|
||||||
backrefs: yes
|
create_namespace: true
|
||||||
loop: "{{ query('ansible.builtin.fileglob', '/opt/metacluster/pinniped/*.yaml') }}"
|
wait: false
|
||||||
|
|
||||||
- name: Install supervisor
|
|
||||||
kubernetes.core.k8s:
|
|
||||||
src: /opt/metacluster/pinniped/pinniped-supervisor.yaml
|
|
||||||
state: present
|
|
||||||
wait: yes
|
|
||||||
kubeconfig: "{{ kubeconfig.path }}"
|
kubeconfig: "{{ kubeconfig.path }}"
|
||||||
|
values: "{{ components['dex'].chart_values }}"
|
||||||
|
|
||||||
- name: Add ingress for supervisor
|
- block:
|
||||||
|
|
||||||
|
- name: Install pinniped chart
|
||||||
|
kubernetes.core.helm:
|
||||||
|
name: pinniped
|
||||||
|
chart_ref: /opt/metacluster/helm-charts/pinniped
|
||||||
|
release_namespace: pinniped
|
||||||
|
create_namespace: true
|
||||||
|
wait: false
|
||||||
|
kubeconfig: "{{ kubeconfig.path }}"
|
||||||
|
values: "{{ components['pinniped'].chart_values }}"
|
||||||
|
|
||||||
|
- name: Add ingress for supervisor
|
||||||
kubernetes.core.k8s:
|
kubernetes.core.k8s:
|
||||||
template: "ingressroute.j2"
|
template: "{{ item.kind }}.j2"
|
||||||
state: present
|
state: present
|
||||||
kubeconfig: "{{ kubeconfig.path }}"
|
kubeconfig: "{{ kubeconfig.path }}"
|
||||||
vars:
|
vars:
|
||||||
_template:
|
_template:
|
||||||
name: pinniped-supervisor-api
|
name: "{{ item.name }}"
|
||||||
|
namespace: "{{ item.namespace }}"
|
||||||
|
config: "{{ item.config }}"
|
||||||
|
loop:
|
||||||
|
- kind: ingressroute
|
||||||
|
name: pinniped-supervisor
|
||||||
namespace: pinniped-supervisor
|
namespace: pinniped-supervisor
|
||||||
config: |2
|
spec: |2
|
||||||
entryPoints:
|
entryPoints:
|
||||||
- web
|
- web
|
||||||
- websecure
|
- websecure
|
||||||
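Review bot: The `_template` vars of "Add ingress for supervisor" pass `config: "{{ item.config }}"`, but the new loop items define `spec: |2` and the ingressroute.j2/serverstransport.j2 templates in this commit read `_template.spec`, so as far as the hunk shows `item.config` and `_template.spec` are both undefined when the task renders; the line should read `spec: "{{ item.spec }}"`. The same mismatch is in "Create pinniped resources" in the next hunk (@ -32,6 +44,82 @@), whose federationdomain item also uses `spec:` while its vars pass `config:`. The enclosing `block:` of "Add ingress for supervisor" continues past the end of this hunk.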
@ -32,6 +44,82 @@
|
|||||||
match: Host(`auth.{{ vapp['metacluster.fqdn'] }}`)
|
match: Host(`auth.{{ vapp['metacluster.fqdn'] }}`)
|
||||||
services:
|
services:
|
||||||
- kind: Service
|
- kind: Service
|
||||||
name: pinniped-supervisor-api
|
name: pinniped-supervisor
|
||||||
namespace: pinniped-supervisor
|
namespace: pinniped-supervisor
|
||||||
port: 443
|
port: 443
|
||||||
|
scheme: https
|
||||||
|
serversTransport: pinniped-supervisor
|
||||||
|
- kind: serverstransport
|
||||||
|
name: pinniped-supervisor
|
||||||
|
namespace: pinniped-supervisor
|
||||||
|
spec: |2
|
||||||
|
insecureSkipVerify: true
|
||||||
|
serverName: auth.{{ vapp['metacluster.fqdn'] }}
|
||||||
|
|
||||||
|
- name: Ensure pinniped API availability
|
||||||
|
ansible.builtin.uri:
|
||||||
|
url: https://auth.{{ vapp['metacluster.fqdn'] }}/healthz
|
||||||
|
method: GET
|
||||||
|
register: api_readycheck
|
||||||
|
until:
|
||||||
|
- api_readycheck.status == 200
|
||||||
|
- api_readycheck.msg is search("OK")
|
||||||
|
retries: "{{ playbook.retries }}"
|
||||||
|
delay: "{{ ((storage_benchmark | float) * playbook.delay.short) | int }}"
|
||||||
|
|
||||||
|
# TODO: Migrate to step-ca
|
||||||
|
- name: Initialize tempfile
|
||||||
|
ansible.builtin.tempfile:
|
||||||
|
state: directory
|
||||||
|
register: certificate
|
||||||
|
|
||||||
|
- name: Create private key (RSA, 4096 bits)
|
||||||
|
community.crypto.openssl_privatekey:
|
||||||
|
path: "{{ certificate.path }}/certificate.key"
|
||||||
|
|
||||||
|
- name: Create self-signed certificate
|
||||||
|
community.crypto.x509_certificate:
|
||||||
|
path: "{{ certificate.path }}/certificate.crt"
|
||||||
|
privatekey_path: "{{ certificate.path }}/certificate.key"
|
||||||
|
provider: selfsigned
|
||||||
|
|
||||||
|
- name: Store self-signed certificate for use by pinniped supervisor
|
||||||
|
kubernetes.core.k8s:
|
||||||
|
template: secret.j2
|
||||||
|
state: present
|
||||||
|
kubeconfig: "{{ kubeconfig.path }}"
|
||||||
|
vars:
|
||||||
|
_template:
|
||||||
|
name: pinniped-supervisor-tls
|
||||||
|
namespace: pinniped-supervisor
|
||||||
|
type: kubernetes.io/tls
|
||||||
|
data:
|
||||||
|
- tls.crt: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.crt') }}"
|
||||||
|
- tls.key: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.key') }}"
|
||||||
|
# TODO: Migrate to step-ca
|
||||||
|
|
||||||
|
- name: Create pinniped resources
|
||||||
|
kubernetes.core.k8s:
|
||||||
|
template: "{{ item.kind }}.j2"
|
||||||
|
state: present
|
||||||
|
kubeconfig: "{{ kubeconfig.path }}"
|
||||||
|
vars:
|
||||||
|
_template:
|
||||||
|
name: "{{ item.name }}"
|
||||||
|
namespace: "{{ item.namespace }}"
|
||||||
|
config: "{{ item.config }}"
|
||||||
|
loop:
|
||||||
|
- kind: oidcidentityprovider
|
||||||
|
name: dex-staticpasswords
|
||||||
|
namespace: pinniped-supervisor
|
||||||
|
ca_bundle:
|
||||||
|
issuer:
|
||||||
|
|
||||||
|
|
||||||
|
- kind: federationdomain
|
||||||
|
name: metacluster-sso
|
||||||
|
namespace: pinniped-supervisor
|
||||||
|
spec: |2
|
||||||
|
issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/demo-issuer
|
||||||
|
tls:
|
||||||
|
secretName: pinniped-supervisor-tls
|
||||||
|
@ -82,7 +82,7 @@
|
|||||||
_template:
|
_template:
|
||||||
name: step-ca
|
name: step-ca
|
||||||
namespace: step-ca
|
namespace: step-ca
|
||||||
config: |2
|
spec: |2
|
||||||
entryPoints:
|
entryPoints:
|
||||||
- websecure
|
- websecure
|
||||||
routes:
|
routes:
|
||||||
|
@ -32,7 +32,7 @@
|
|||||||
_template:
|
_template:
|
||||||
name: gitea-ssh
|
name: gitea-ssh
|
||||||
namespace: gitea
|
namespace: gitea
|
||||||
config: |2
|
spec: |2
|
||||||
entryPoints:
|
entryPoints:
|
||||||
- ssh
|
- ssh
|
||||||
routes:
|
routes:
|
||||||
|
@ -27,7 +27,7 @@
|
|||||||
_template:
|
_template:
|
||||||
name: traefik-dashboard
|
name: traefik-dashboard
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
config: |2
|
spec: |2
|
||||||
entryPoints:
|
entryPoints:
|
||||||
- web
|
- web
|
||||||
- websecure
|
- websecure
|
||||||
|
@ -0,0 +1,7 @@
|
|||||||
|
apiVersion: config.supervisor.pinniped.dev/v1alpha1
|
||||||
|
kind: FederationDomain
|
||||||
|
metadata:
|
||||||
|
name: {{ _template.name }}
|
||||||
|
namespace: {{ _template.namespace }}
|
||||||
|
spec:
|
||||||
|
{{ _template.spec }}
|
@ -4,4 +4,4 @@ metadata:
|
|||||||
name: {{ _template.name }}
|
name: {{ _template.name }}
|
||||||
namespace: {{ _template.namespace }}
|
namespace: {{ _template.namespace }}
|
||||||
spec:
|
spec:
|
||||||
{{ _template.config }}
|
{{ _template.spec }}
|
||||||
|
@ -4,4 +4,4 @@ metadata:
|
|||||||
name: {{ _template.name }}
|
name: {{ _template.name }}
|
||||||
namespace: {{ _template.namespace }}
|
namespace: {{ _template.namespace }}
|
||||||
spec:
|
spec:
|
||||||
{{ _template.config }}
|
{{ _template.spec }}
|
||||||
|
@ -0,0 +1,11 @@
|
|||||||
|
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
|
||||||
|
kind: OIDCIdentityProvider
|
||||||
|
metadata:
|
||||||
|
name: {{ _template.name }}
|
||||||
|
namespace: {{ _template.namespace }}
|
||||||
|
spec:
|
||||||
|
issuer: {{ _template.issuer }}
|
||||||
|
tls:
|
||||||
|
certificateAuthorityData: {{ template.ca_bundle }}
|
||||||
|
client:
|
||||||
|
secretName: {{ _template.client_secret }}
|
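Review bot: `certificateAuthorityData: {{ template.ca_bundle }}` references `template` instead of `_template`, so the variable is undefined whenever this file renders; it should read `certificateAuthorityData: {{ _template.ca_bundle }}`. Pinniped expects `tls.certificateAuthorityData` as a base64-encoded PEM bundle and `client.secretName` to name an existing Secret, so the caller must supply both in that form; since `ca_bundle` may legitimately be absent when the issuer uses a publicly trusted certificate, the `tls:` block is better wrapped in `{% if _template.ca_bundle is defined %}` … `{% endif %}`, the way secret.j2 in this commit guards `type`.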
@ -3,6 +3,9 @@ kind: Secret
|
|||||||
metadata:
|
metadata:
|
||||||
name: {{ _template.name }}
|
name: {{ _template.name }}
|
||||||
namespace: {{ _template.namespace }}
|
namespace: {{ _template.namespace }}
|
||||||
|
{% if _template.type is defined %}
|
||||||
|
type: {{ _template.type }}
|
||||||
|
{% endif %}
|
||||||
data:
|
data:
|
||||||
{% for kv_pair in _template.data %}
|
{% for kv_pair in _template.data %}
|
||||||
"{{ kv_pair.key }}": {{ kv_pair.value }}
|
"{{ kv_pair.key }}": {{ kv_pair.value }}
|
||||||
|
@ -0,0 +1,7 @@
|
|||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: ServersTransport
|
||||||
|
metadata:
|
||||||
|
name: {{ _template.name }}
|
||||||
|
namespace: {{ _template.namespace }}
|
||||||
|
spec:
|
||||||
|
{{ _template.spec }}
|
@ -33,6 +33,10 @@ platform:
|
|||||||
helm_repositories:
|
helm_repositories:
|
||||||
- name: argo
|
- name: argo
|
||||||
url: https://argoproj.github.io/argo-helm
|
url: https://argoproj.github.io/argo-helm
|
||||||
|
- name: bitnami
|
||||||
|
url: https://charts.bitnami.com/bitnami
|
||||||
|
- name: dexidp
|
||||||
|
url: https://charts.dexidp.io
|
||||||
- name: gitea-charts
|
- name: gitea-charts
|
||||||
url: https://dl.gitea.io/charts/
|
url: https://dl.gitea.io/charts/
|
||||||
- name: harbor
|
- name: harbor
|
||||||
@ -93,6 +97,38 @@ components:
|
|||||||
node_template:
|
node_template:
|
||||||
url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2204-kube-v1.27.1.ova
|
url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2204-kube-v1.27.1.ova
|
||||||
|
|
||||||
|
dex:
|
||||||
|
helm:
|
||||||
|
version: 0.15.3 # (= Dex 2.37.0)
|
||||||
|
chart: dexidp/dex
|
||||||
|
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
|
||||||
|
chart_values: !unsafe |
|
||||||
|
config:
|
||||||
|
issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
|
||||||
|
storage:
|
||||||
|
type: kubernetes
|
||||||
|
config:
|
||||||
|
inCluster: true
|
||||||
|
staticClients:
|
||||||
|
- id: pinniped-supervisor
|
||||||
|
secret: pinniped-supervisor-secret
|
||||||
|
name: Pinniped Supervisor client
|
||||||
|
redirectURIs:
|
||||||
|
- https://auth.{{ vapp['metacluster.fqdn'] }}/callback
|
||||||
|
enablePasswordDB: true
|
||||||
|
staticPasswords:
|
||||||
|
- email: admin@{{ vapp['metacluster.fqdn'] }}
|
||||||
|
hash: {{ vapp['metacluster.password'] | password_hash('bcrypt') }}
|
||||||
|
username: admin
|
||||||
|
userID: {{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) | to_uuid }}
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
hosts:
|
||||||
|
- host: idps.{{ vapp['metacluster.fqdn'] }}
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
pathType: Prefix
|
||||||
|
|
||||||
gitea:
|
gitea:
|
||||||
helm:
|
helm:
|
||||||
version: v7.0.2 # (= Gitea v1.18.3)
|
version: v7.0.2 # (= Gitea v1.18.3)
|
||||||
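Review bot: `secret: pinniped-supervisor-secret` under `staticClients` is a fixed, literal OIDC client secret committed to the repository, so anyone who can read the repo can present themselves to Dex as the Pinniped supervisor client. Generate it per deployment and share it with the Pinniped side through the Secret that the new oidcidentityprovider.j2 references via `client.secretName`, e.g. `secret: "{{ pinniped_oidc_client_secret }}"` where the variable comes from a lookup or a vault (the variable name here is a placeholder). Note also that `password_hash('bcrypt')` without a `salt` argument produces a different hash on every run, so `chart_values` and therefore the Dex release change on each playbook run; if that is unintended, pass a stable salt.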
@ -198,8 +234,17 @@ components:
|
|||||||
defaultClassReplicaCount: 1
|
defaultClassReplicaCount: 1
|
||||||
|
|
||||||
pinniped:
|
pinniped:
|
||||||
# Must match the version referenced at `dependencies.static_binaries[.filename==pinniped].url`
|
helm:
|
||||||
version: v0.25.0
|
version: 1.2.11 # (= Pinniped v0.25.0)
|
||||||
|
chart: bitnami/pinniped
|
||||||
|
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
|
||||||
|
chart_values: !unsafe |
|
||||||
|
concierge:
|
||||||
|
enabled: false
|
||||||
|
supervisor:
|
||||||
|
service:
|
||||||
|
public:
|
||||||
|
type: ClusterIP
|
||||||
|
|
||||||
step-certificates:
|
step-certificates:
|
||||||
helm:
|
helm:
|
||||||
|
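Review bot: The removed comment documented that the pinniped version must match `dependencies.static_binaries[.filename==pinniped].url`; if that static binary entry still exists, the coupling remains, now between the chart's app version (`v0.25.0` in the trailing comment) and the CLI binary, and nothing in the new lines records it. Whether the binary entry survives is not visible in this diff, but if it does, keep a comment such as `# Chart app version must match the pinniped CLI at dependencies.static_binaries[.filename==pinniped].url` above `version:`. The same pin appears in the downstream hunk at @ -18,6 +20,15 @@ and would need the same note.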
@ -1,6 +1,8 @@
|
|||||||
downstream:
|
downstream:
|
||||||
|
|
||||||
helm_repositories:
|
helm_repositories:
|
||||||
|
- name: bitnami
|
||||||
|
url: https://charts.bitnami.com/bitnami
|
||||||
- name: longhorn
|
- name: longhorn
|
||||||
url: https://charts.longhorn.io
|
url: https://charts.longhorn.io
|
||||||
- name: sealed-secrets
|
- name: sealed-secrets
|
||||||
@ -18,6 +20,15 @@ downstream:
|
|||||||
createDefaultDiskLabeledNodes: true
|
createDefaultDiskLabeledNodes: true
|
||||||
defaultDataPath: /mnt/blockstorage
|
defaultDataPath: /mnt/blockstorage
|
||||||
|
|
||||||
|
pinniped:
|
||||||
|
helm:
|
||||||
|
version: 1.2.11 # (= Pinniped v0.25.0)
|
||||||
|
chart: bitnami/pinniped
|
||||||
|
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
|
||||||
|
chart_values: !unsafe |
|
||||||
|
supervisor:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
sealed-secrets:
|
sealed-secrets:
|
||||||
version: 2.8.1 # (= Sealed Secrets v0.20.2)
|
version: 2.8.1 # (= Sealed Secrets v0.20.2)
|
||||||
chart: sealed-secrets/sealed-secrets
|
chart: sealed-secrets/sealed-secrets
|
||||||
|