fix: Rebase pinniped-concierge on workload-cluster to bitnami chart
Some checks failed
continuous-integration/drone/push Build is failing
Some checks failed
continuous-integration/drone/push Build is failing
This commit is contained in:
parent
1a1440f751
commit
423ecc2f95
@ -1,6 +1,6 @@
|
||||
- block:
|
||||
|
||||
- name: Aggregate chart_values into dict
|
||||
- name: Aggregate meta-cluster chart_values into dict
|
||||
ansible.builtin.set_fact:
|
||||
metacluster_chartvalues: "{{ metacluster_chartvalues | default({}) | combine({ item.key: { 'chart_values': (item.value.helm.chart_values | from_yaml) } }) }}"
|
||||
when: item.value.helm.chart_values is defined
|
||||
@ -8,7 +8,7 @@
|
||||
loop_control:
|
||||
label: "{{ item.key }}"
|
||||
|
||||
- name: Write dict to vars_file
|
||||
- name: Combine and write dict to vars_file
|
||||
ansible.builtin.copy:
|
||||
dest: /opt/firstboot/ansible/vars/metacluster.yml
|
||||
content: >-
|
||||
@ -23,9 +23,18 @@
|
||||
} | to_nice_yaml(indent=2, width=4096)
|
||||
}}
|
||||
|
||||
- name: Aggregate chart_values into dict
|
||||
- name: Aggregate workload-cluster chart_values into dict
|
||||
ansible.builtin.set_fact:
|
||||
workloadcluster_chartvalues: "{{ workloadcluster_chartvalues | default({}) | combine({ item.key: { 'chart_values': (item.value.chart_values | default('') | from_yaml) } }) }}"
|
||||
workloadcluster_chartvalues: |
|
||||
{{
|
||||
workloadcluster_chartvalues | default({}) | combine({
|
||||
item.key: {
|
||||
'chart_values': (item.value.chart_values | default('') | from_yaml),
|
||||
'extra_manifests': (item.value.extra_manifests | default([])),
|
||||
'namespace': (item.value.namespace)
|
||||
}
|
||||
})
|
||||
}}
|
||||
loop: "{{ query('ansible.builtin.dict', downstream.helm_charts) }}"
|
||||
loop_control:
|
||||
label: "{{ item.key }}"
|
||||
|
||||
@ -108,18 +108,35 @@
|
||||
name: "{{ item.name }}"
|
||||
namespace: "{{ item.namespace }}"
|
||||
config: "{{ item.config }}"
|
||||
data: "{{ item.data | default(omit) }}"
|
||||
spec: "{{ item.spec | default(omit) }}"
|
||||
loop:
|
||||
- kind: oidcidentityprovider
|
||||
name: dex-staticpasswords
|
||||
namespace: pinniped-supervisor
|
||||
ca_bundle:
|
||||
issuer:
|
||||
|
||||
|
||||
spec: |2
|
||||
issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
|
||||
tls:
|
||||
certificateAuthorityData: {{ ca_bundle }}
|
||||
authorizationConfig:
|
||||
additionalScopes: [offline_access, groups, email]
|
||||
allowPasswordGrant: false
|
||||
claims:
|
||||
username: email
|
||||
groups: groups
|
||||
client:
|
||||
secretName: dex-clientcredentials
|
||||
- kind: secret
|
||||
name: dex-clientcredentials
|
||||
namespace: pinniped-supervisor
|
||||
type: secrets.pinniped.dev/oidc-client
|
||||
data:
|
||||
- clientID: pinniped-supervisor
|
||||
- clientSecret: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) }}"
|
||||
- kind: federationdomain
|
||||
name: metacluster-sso
|
||||
namespace: pinniped-supervisor
|
||||
spec: |2
|
||||
issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/demo-issuer
|
||||
issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
|
||||
tls:
|
||||
secretName: pinniped-supervisor-tls
|
||||
|
||||
@ -13,6 +13,18 @@
|
||||
loop_control:
|
||||
label: "{{ item.path | basename }}"
|
||||
|
||||
- name: Write custom manifests to respective chart templates store
|
||||
ansible.builtin.template:
|
||||
src: "{{ src }}"
|
||||
dest: /opt/workloadcluster/git-repositories/gitops/charts/{{ manifest.value.namespace }}/{{ manifest.key }}/templates/{{ (src | split('.'))[0] ~ '-' ~ _template.name ~ '.yaml' }}
|
||||
vars:
|
||||
manifest: "{{ item.0 }}"
|
||||
src: "{{ item.1.src }}"
|
||||
_template: "{{ item.1._template }}"
|
||||
loop: "{{ query('ansible.builtin.subelements', query('ansible.builtin.dict', downstream_components), 'value.extra_manifests') }}"
|
||||
loop_control:
|
||||
label: "{{ (src | split('.'))[0] ~ '-' ~ _template.name }}"
|
||||
|
||||
- name: Create subfolders
|
||||
ansible.builtin.file:
|
||||
path: /opt/workloadcluster/git-repositories/gitops/values/{{ item.key }}
|
||||
|
||||
@ -0,0 +1,6 @@
|
||||
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
|
||||
kind: JWTAuthenticator
|
||||
metadata:
|
||||
name: {{ _template.name }}
|
||||
spec:
|
||||
{{ _template.spec }}
|
||||
@ -4,8 +4,4 @@ metadata:
|
||||
name: {{ _template.name }}
|
||||
namespace: {{ _template.namespace }}
|
||||
spec:
|
||||
issuer: {{ _template.issuer }}
|
||||
tls:
|
||||
certificateAuthorityData: {{ template.ca_bundle }}
|
||||
client:
|
||||
secretName: {{ _template.client_secret }}
|
||||
{{ _template.spec }}
|
||||
|
||||
@ -111,7 +111,7 @@ components:
|
||||
inCluster: true
|
||||
staticClients:
|
||||
- id: pinniped-supervisor
|
||||
secret: pinniped-supervisor-secret
|
||||
secret: {{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) }}
|
||||
name: Pinniped Supervisor client
|
||||
redirectURIs:
|
||||
- https://auth.{{ vapp['metacluster.fqdn'] }}/callback
|
||||
|
||||
@ -24,10 +24,20 @@ downstream:
|
||||
helm:
|
||||
version: 1.2.11 # (= Pinniped v0.25.0)
|
||||
chart: bitnami/pinniped
|
||||
namespace: pinniped-concierge
|
||||
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
|
||||
chart_values: !unsafe |
|
||||
supervisor:
|
||||
enabled: false
|
||||
extra_manifests: !unsafe
|
||||
- src: jwtauthenticator.j2
|
||||
_template:
|
||||
name: metacluster-sso
|
||||
spec: |2
|
||||
issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
|
||||
audience: {{ vapp['workloadcluster.name'] | lower }}
|
||||
tls:
|
||||
certificateAuthorityData: {{ ca_bundle }}
|
||||
|
||||
sealed-secrets:
|
||||
version: 2.8.1 # (= Sealed Secrets v0.20.2)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user