fix: Rebase pinniped-concierge on workload-cluster to bitnami chart

2023-08-22 12:54:07 +02:00
parent 1a1440f751
commit 423ecc2f95
7 changed files with 65 additions and 15 deletions
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
@ -108,18 +108,35 @@
          name: "{{ item.name }}"
          namespace: "{{ item.namespace }}"
          config: "{{ item.config }}"
+          data: "{{ item.data | default(omit) }}"
+          spec: "{{ item.spec | default(omit) }}"
      loop:
        - kind: oidcidentityprovider
          name: dex-staticpasswords
          namespace: pinniped-supervisor
-          ca_bundle:
-          issuer:
-          
-
+          spec: |2
+              issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
+              tls:
+                certificateAuthorityData: {{ ca_bundle }}
+              authorizationConfig:
+                additionalScopes: [offline_access, groups, email]
+                allowPasswordGrant: false
+              claims:
+                username: email
+                groups: groups
+              client:
+                secretName: dex-clientcredentials
+        - kind: secret
+          name: dex-clientcredentials
+          namespace: pinniped-supervisor
+          type: secrets.pinniped.dev/oidc-client
+          data:
+            - clientID: pinniped-supervisor
+            - clientSecret: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) }}"
        - kind: federationdomain
          name: metacluster-sso
          namespace: pinniped-supervisor
          spec: |2
-              issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/demo-issuer
+              issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
              tls:
                secretName: pinniped-supervisor-tls
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml
@ -13,6 +13,18 @@
  loop_control:
    label: "{{ item.path | basename }}"

+- name: Write custom manifests to respective chart templates store
+  ansible.builtin.template:
+    src: "{{ src }}"
+    dest: /opt/workloadcluster/git-repositories/gitops/charts/{{ manifest.value.namespace }}/{{ manifest.key }}/templates/{{ (src | split('.'))[0] ~ '-' ~ _template.name ~ '.yaml' }}
+  vars:
+    manifest: "{{ item.0 }}"
+    src: "{{ item.1.src }}"
+    _template: "{{ item.1._template }}"
+  loop: "{{ query('ansible.builtin.subelements', query('ansible.builtin.dict', downstream_components), 'value.extra_manifests') }}"
+  loop_control:
+    label: "{{ (src | split('.'))[0] ~ '-' ~ _template.name }}"
+
 - name: Create subfolders
  ansible.builtin.file:
    path: /opt/workloadcluster/git-repositories/gitops/values/{{ item.key }}
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/jwtauthenticator.j2
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/jwtauthenticator.j2
@ -0,0 +1,6 @@
+apiVersion: authentication.concierge.pinniped.dev/v1alpha1
+kind: JWTAuthenticator
+metadata:
+  name: {{ _template.name }}
+spec:
+{{ _template.spec }}
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/oidcidentityprovider.j2
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/oidcidentityprovider.j2
@ -4,8 +4,4 @@ metadata:
  name: {{ _template.name }}
  namespace: {{ _template.namespace }}
 spec:
-  issuer: {{ _template.issuer }}
-  tls:
-    certificateAuthorityData: {{ template.ca_bundle }}
-  client:
-    secretName: {{ _template.client_secret }}
+{{ _template.spec }}