diff --git a/ansible/roles/assets/tasks/manifests.yml b/ansible/roles/assets/tasks/manifests.yml
index 2ac593c..5427cd4 100644
--- a/ansible/roles/assets/tasks/manifests.yml
+++ b/ansible/roles/assets/tasks/manifests.yml
@@ -1,6 +1,6 @@
 - block:
- - name: Aggregate chart_values into dict
+ - name: Aggregate meta-cluster chart_values into dict
 ansible.builtin.set_fact:
 metacluster_chartvalues: "{{ metacluster_chartvalues | default({}) | combine({ item.key: { 'chart_values': (item.value.helm.chart_values | from_yaml) } }) }}"
 when: item.value.helm.chart_values is defined
@@ -8,7 +8,7 @@
 loop_control:
 label: "{{ item.key }}"
- - name: Write dict to vars_file
+ - name: Combine and write dict to vars_file
 ansible.builtin.copy:
 dest: /opt/firstboot/ansible/vars/metacluster.yml
 content: >-
@@ -23,9 +23,18 @@
 } | to_nice_yaml(indent=2, width=4096) }}
- - name: Aggregate chart_values into dict
+ - name: Aggregate workload-cluster chart_values into dict
 ansible.builtin.set_fact:
- workloadcluster_chartvalues: "{{ workloadcluster_chartvalues | default({}) | combine({ item.key: { 'chart_values': (item.value.chart_values | default('') | from_yaml) } }) }}"
+ workloadcluster_chartvalues: |
+ {{
+ workloadcluster_chartvalues | default({}) | combine({
+ item.key: {
+ 'chart_values': (item.value.chart_values | default('') | from_yaml),
+ 'extra_manifests': (item.value.extra_manifests | default([])),
+ 'namespace': (item.value.namespace)
+ }
+ })
+ }}
 loop: "{{ query('ansible.builtin.dict', downstream.helm_charts) }}"
 loop_control:
 label: "{{ item.key }}"
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
index 76a6cd0..5438b5c 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
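Review bot: `'namespace': (item.value.namespace)` in the new combine() call is the only entry without a default, so a chart under downstream.helm_charts that has no `namespace` key makes this set_fact fail with an undefined-attribute error while its siblings fall back to `''` and `[]`. If such charts are legitimate, `'namespace': (item.value.namespace | default(''))` keeps the task consistent; if every chart must declare one (the gitops.yml change in this commit builds the chart's templates path from it), a comment such as `# namespace has no default on purpose: gitops.yml needs it for the chart's templates path` makes the failure deliberate. The `|` block scalar also leaves a trailing newline on the rendered expression; `|-` is the usual choice when the whole value is one Jinja expression. The enclosing `- block:` begins in the first hunk of this file, outside this one.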
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
@@ -108,18 +108,35 @@
 name: "{{ item.name }}"
 namespace: "{{ item.namespace }}"
 config: "{{ item.config }}"
+ data: "{{ item.data | default(omit) }}"
+ spec: "{{ item.spec | default(omit) }}"
 loop:
 - kind: oidcidentityprovider
 name: dex-staticpasswords
 namespace: pinniped-supervisor
- ca_bundle:
- issuer:
-
-
+ spec: |2
+ issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
+ tls:
+ certificateAuthorityData: {{ ca_bundle }}
+ authorizationConfig:
+ additionalScopes: [offline_access, groups, email]
+ allowPasswordGrant: false
+ claims:
+ username: email
+ groups: groups
+ client:
+ secretName: dex-clientcredentials
+ - kind: secret
+ name: dex-clientcredentials
+ namespace: pinniped-supervisor
+ type: secrets.pinniped.dev/oidc-client
+ data: - clientID: pinniped-supervisor
+ - clientSecret: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) }}"
 - kind: federationdomain
 name: metacluster-sso
 namespace: pinniped-supervisor
 spec: |2
- issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/demo-issuer
+ issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
 tls:
 secretName: pinniped-supervisor-tls
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml
index e426700..56eca1b 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml
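Review bot: The `clientSecret` added to the dex-clientcredentials item is produced by `ansible.builtin.password` with `/dev/null` as its path and `seed=` the metacluster FQDN, so it is a deterministic function of a non-secret value: anyone who knows the FQDN and the lookup's parameters can recompute the OIDC client secret, and nothing is persisted that would let the secret be rotated independently of the hostname. The same expression is used for the matching Dex static client in ansible/vars/metacluster.yml, which is presumably why the seed was chosen — both sides must agree. The same agreement can be had without the derivability: generate the value once into a protected file on the controller, e.g. `lookup('ansible.builtin.password', '<PLACEHOLDER_SECRET_STORE>/pinniped-client-secret length=64 chars=ascii_lowercase,digits')`, or seed from a vaulted variable instead of the hostname, and reference that in both places. The task that owns the `name:`/`namespace:`/`config:` parameters starts before this hunk.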
@@ -13,6 +13,18 @@
 loop_control:
 label: "{{ item.path | basename }}"
+- name: Write custom manifests to respective chart templates store
+ ansible.builtin.template:
+ src: "{{ src }}"
+ dest: /opt/workloadcluster/git-repositories/gitops/charts/{{ manifest.value.namespace }}/{{ manifest.key }}/templates/{{ (src | split('.'))[0] ~ '-' ~ _template.name ~ '.yaml' }}
+ vars:
+ manifest: "{{ item.0 }}"
+ src: "{{ item.1.src }}"
+ _template: "{{ item.1._template }}"
+ loop: "{{ query('ansible.builtin.subelements', query('ansible.builtin.dict', downstream_components), 'value.extra_manifests') }}"
+ loop_control:
+ label: "{{ (src | split('.'))[0] ~ '-' ~ _template.name }}"
+
 - name: Create subfolders
 ansible.builtin.file:
 path: /opt/workloadcluster/git-repositories/gitops/values/{{ item.key }}
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/jwtauthenticator.j2 b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/jwtauthenticator.j2
new file mode 100644
index 0000000..a1ef9d2
--- /dev/null
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/jwtauthenticator.j2
@@ -0,0 +1,6 @@
+apiVersion: authentication.concierge.pinniped.dev/v1alpha1
+kind: JWTAuthenticator
+metadata:
+ name: {{ _template.name }}
+spec:
+{{ _template.spec }}
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/oidcidentityprovider.j2 b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/oidcidentityprovider.j2
index f03f4d7..131d0b7 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/oidcidentityprovider.j2
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/oidcidentityprovider.j2
@@ -4,8 +4,4 @@ metadata:
 name: {{ _template.name }}
 namespace: {{ _template.namespace }}
 spec:
- issuer: {{ _template.issuer }}
- tls:
- certificateAuthorityData: {{ template.ca_bundle }}
- client:
- secretName: {{ _template.client_secret }}
+{{ _template.spec }}
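Review bot: The new `loop:` queries `ansible.builtin.subelements` on `value.extra_manifests` without `skip_missing`, so the task errors out for any component that has no `extra_manifests` key instead of simply producing no files for it. That is safe only if `downstream_components` is always built from the workloadcluster_chartvalues dict this commit changes (which now defaults the key to `[]`); if it can come from anywhere else, `loop: "{{ query('ansible.builtin.subelements', query('ansible.builtin.dict', downstream_components), 'value.extra_manifests', {'skip_missing': true}) }}"` makes the intent explicit either way. The file name also uses `(src | split('.'))[0]`, which truncates a template name that contains a dot before its extension; `(src | splitext | first)` strips only the extension, and the same expression appears in the `label:`. The `dest:` path additionally assumes `manifest.value.namespace` is always set, which the manifests.yml change in this commit does not guarantee.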
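Review bot: Both `{{ _template.spec }}` lines (the new jwtauthenticator.j2 and the rewritten oidcidentityprovider.j2) emit the spec verbatim under `spec:`, so the rendered manifest is valid only when the caller's spec string already carries a two-space indent — presumably what the `|2` indentation indicators on the spec values in authentication.yml and workloadcluster.yml are there to preserve. Nothing in either template states that contract, and a spec passed as a plain `|` block would mis-render as `spec:` followed by unindented keys. A header comment in both templates, `{# _template.spec must be a YAML mapping already indented by two spaces; callers use a "|2" literal block to keep that indent #}`, documents it; alternatively `{{ _template.spec | indent(2, first=true) }}` would let callers pass an unindented block, but then the `|2` literals would have to change as well.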
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index 1aa183e..e605c81 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@@ -111,7 +111,7 @@ components:
 inCluster: true
 staticClients:
 - id: pinniped-supervisor
- secret: pinniped-supervisor-secret
+ secret: {{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) }}
 name: Pinniped Supervisor client
 redirectURIs:
 - https://auth.{{ vapp['metacluster.fqdn'] }}/callback
diff --git a/ansible/vars/workloadcluster.yml b/ansible/vars/workloadcluster.yml
index b4d0b1e..454ae6f 100644
--- a/ansible/vars/workloadcluster.yml
+++ b/ansible/vars/workloadcluster.yml
@@ -24,10 +24,20 @@ downstream:
 helm:
 version: 1.2.11 # (= Pinniped v0.25.0)
 chart: bitnami/pinniped
+ namespace: pinniped-concierge
 parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
 chart_values: !unsafe |
 supervisor:
 enabled: false
+ extra_manifests: !unsafe
+ - src: jwtauthenticator.j2
+ _template:
+ name: metacluster-sso
+ spec: |2
+ issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
+ audience: {{ vapp['workloadcluster.name'] | lower }}
+ tls:
+ certificateAuthorityData: {{ ca_bundle }}
 sealed-secrets:
 version: 2.8.1 # (= Sealed Secrets v0.20.2)