fix: Rebase pinniped-concierge on workload-cluster to bitnami chart
This commit is contained in:
parent
1a1440f751
commit
423ecc2f95
@ -1,6 +1,6 @@
|
|||||||
- block:
|
- block:
|
||||||
|
|
||||||
- name: Aggregate chart_values into dict
|
- name: Aggregate meta-cluster chart_values into dict
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
metacluster_chartvalues: "{{ metacluster_chartvalues | default({}) | combine({ item.key: { 'chart_values': (item.value.helm.chart_values | from_yaml) } }) }}"
|
metacluster_chartvalues: "{{ metacluster_chartvalues | default({}) | combine({ item.key: { 'chart_values': (item.value.helm.chart_values | from_yaml) } }) }}"
|
||||||
when: item.value.helm.chart_values is defined
|
when: item.value.helm.chart_values is defined
|
||||||
@ -8,7 +8,7 @@
|
|||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.key }}"
|
label: "{{ item.key }}"
|
||||||
|
|
||||||
- name: Write dict to vars_file
|
- name: Combine and write dict to vars_file
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
dest: /opt/firstboot/ansible/vars/metacluster.yml
|
dest: /opt/firstboot/ansible/vars/metacluster.yml
|
||||||
content: >-
|
content: >-
|
||||||
@ -23,9 +23,18 @@
|
|||||||
} | to_nice_yaml(indent=2, width=4096)
|
} | to_nice_yaml(indent=2, width=4096)
|
||||||
}}
|
}}
|
||||||
|
|
||||||
- name: Aggregate chart_values into dict
|
- name: Aggregate workload-cluster chart_values into dict
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
workloadcluster_chartvalues: "{{ workloadcluster_chartvalues | default({}) | combine({ item.key: { 'chart_values': (item.value.chart_values | default('') | from_yaml) } }) }}"
|
workloadcluster_chartvalues: |
|
||||||
|
{{
|
||||||
|
workloadcluster_chartvalues | default({}) | combine({
|
||||||
|
item.key: {
|
||||||
|
'chart_values': (item.value.chart_values | default('') | from_yaml),
|
||||||
|
'extra_manifests': (item.value.extra_manifests | default([])),
|
||||||
|
'namespace': (item.value.namespace)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}}
|
||||||
loop: "{{ query('ansible.builtin.dict', downstream.helm_charts) }}"
|
loop: "{{ query('ansible.builtin.dict', downstream.helm_charts) }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.key }}"
|
label: "{{ item.key }}"
|
||||||
|
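Review bot: `'namespace': (item.value.namespace)` in the new set_fact body has no `default`, unlike the `chart_values` and `extra_manifests` entries beside it, so a `downstream.helm_charts` entry that lacks a `namespace` key aborts the task with an undefined-variable error instead of being handled like the other optional keys. If the key is meant to be required, make that explicit with `'namespace': (item.value.namespace | mandatory)`; otherwise give it a default like its siblings. The move from a quoted one-liner to a `|` block scalar also leaves a trailing newline after the closing `}}`; `|-` drops it and avoids depending on the templar tolerating it when it converts the result back into a dict.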
@ -108,18 +108,35 @@
|
|||||||
name: "{{ item.name }}"
|
name: "{{ item.name }}"
|
||||||
namespace: "{{ item.namespace }}"
|
namespace: "{{ item.namespace }}"
|
||||||
config: "{{ item.config }}"
|
config: "{{ item.config }}"
|
||||||
|
data: "{{ item.data | default(omit) }}"
|
||||||
|
spec: "{{ item.spec | default(omit) }}"
|
||||||
loop:
|
loop:
|
||||||
- kind: oidcidentityprovider
|
- kind: oidcidentityprovider
|
||||||
name: dex-staticpasswords
|
name: dex-staticpasswords
|
||||||
namespace: pinniped-supervisor
|
namespace: pinniped-supervisor
|
||||||
ca_bundle:
|
spec: |2
|
||||||
issuer:
|
issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
|
||||||
|
tls:
|
||||||
|
certificateAuthorityData: {{ ca_bundle }}
|
||||||
|
authorizationConfig:
|
||||||
|
additionalScopes: [offline_access, groups, email]
|
||||||
|
allowPasswordGrant: false
|
||||||
|
claims:
|
||||||
|
username: email
|
||||||
|
groups: groups
|
||||||
|
client:
|
||||||
|
secretName: dex-clientcredentials
|
||||||
|
- kind: secret
|
||||||
|
name: dex-clientcredentials
|
||||||
|
namespace: pinniped-supervisor
|
||||||
|
type: secrets.pinniped.dev/oidc-client
|
||||||
|
data:
|
||||||
|
- clientID: pinniped-supervisor
|
||||||
|
- clientSecret: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) }}"
|
||||||
- kind: federationdomain
|
- kind: federationdomain
|
||||||
name: metacluster-sso
|
name: metacluster-sso
|
||||||
namespace: pinniped-supervisor
|
namespace: pinniped-supervisor
|
||||||
spec: |2
|
spec: |2
|
||||||
issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/demo-issuer
|
issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
|
||||||
tls:
|
tls:
|
||||||
secretName: pinniped-supervisor-tls
|
secretName: pinniped-supervisor-tls
|
||||||
|
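Review bot: The new `dex-clientcredentials` secret's `clientSecret` is produced by `ansible.builtin.password` with `/dev/null` as the path and `seed=` the metacluster FQDN, which makes the value a deterministic function of a name that is not itself secret rather than a random one; the identical expression is added for the dex static client in the `@ -111,7 +111,7 @@ components:` hunk. The two clearly have to agree, but a seeded lookup reproduces the secret wherever the FQDN is known; generating it once without a seed into a persisted path (or taking it from a secret store) and referencing that single value from both places keeps them in sync without making the secret derivable. Separately, `data:` here is a list of one-key mappings (`- clientID:`, `- clientSecret:`); if the template that consumes `item.data` iterates that list this is fine, but a Kubernetes Secret's `data` field is a mapping of base64 values (`stringData` for plain strings), so this is worth confirming against that template, which is outside this hunk.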
@ -13,6 +13,18 @@
|
|||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.path | basename }}"
|
label: "{{ item.path | basename }}"
|
||||||
|
|
||||||
|
- name: Write custom manifests to respective chart templates store
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "{{ src }}"
|
||||||
|
dest: /opt/workloadcluster/git-repositories/gitops/charts/{{ manifest.value.namespace }}/{{ manifest.key }}/templates/{{ (src | split('.'))[0] ~ '-' ~ _template.name ~ '.yaml' }}
|
||||||
|
vars:
|
||||||
|
manifest: "{{ item.0 }}"
|
||||||
|
src: "{{ item.1.src }}"
|
||||||
|
_template: "{{ item.1._template }}"
|
||||||
|
loop: "{{ query('ansible.builtin.subelements', query('ansible.builtin.dict', downstream_components), 'value.extra_manifests') }}"
|
||||||
|
loop_control:
|
||||||
|
label: "{{ (src | split('.'))[0] ~ '-' ~ _template.name }}"
|
||||||
|
|
||||||
- name: Create subfolders
|
- name: Create subfolders
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: /opt/workloadcluster/git-repositories/gitops/values/{{ item.key }}
|
path: /opt/workloadcluster/git-repositories/gitops/values/{{ item.key }}
|
||||||
|
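Review bot: The `dest:` path and the `loop_control.label` in the new task both rebuild the file name from `(src | split('.'))[0] ~ '-' ~ _template.name`; computing it once in `vars:` as `manifest_file: "{{ (src | split('.'))[0] ~ '-' ~ _template.name }}"` and referencing it in both places stops the two from drifting apart. `ansible.builtin.subelements` fails by default on an item without a `value.extra_manifests` key; that appears to be covered by the `default([])` applied in the aggregating set_fact elsewhere in this commit, but a one-line comment on the `loop:` saying so would save the next reader the search. Every path segment of `dest:` (`manifest.value.namespace`, `manifest.key`, `src`) comes from the project's own inventory data and is trusted here; a short comment recording that assumption documents why no sanitising is applied.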
@ -0,0 +1,6 @@
|
|||||||
|
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
|
||||||
|
kind: JWTAuthenticator
|
||||||
|
metadata:
|
||||||
|
name: {{ _template.name }}
|
||||||
|
spec:
|
||||||
|
{{ _template.spec }}
|
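Review bot: `{{ _template.spec }}` under `spec:` is inserted at column 0, so this template only yields valid YAML when the caller has already indented every line of `spec` by two spaces (the `spec: |2` block scalars elsewhere in this commit appear to do exactly that); the same implicit contract applies to the rewritten `oidcidentityprovider` template in the `@ -4,8 +4,4 @@ metadata:` hunk. Record it with a comment such as `{# _template.spec is pasted verbatim under spec: and must already be indented by 2 spaces #}`, or make the template self-sufficient with `  {{ _template.spec | indent(2) }}` (Jinja's `indent` leaves the first line alone) and drop the pre-indentation on the caller side. `name: {{ _template.name }}` is unquoted, so a name that happens to look like a number or boolean would be retyped by the YAML loader; quoting it costs nothing.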
@ -4,8 +4,4 @@ metadata:
|
|||||||
name: {{ _template.name }}
|
name: {{ _template.name }}
|
||||||
namespace: {{ _template.namespace }}
|
namespace: {{ _template.namespace }}
|
||||||
spec:
|
spec:
|
||||||
issuer: {{ _template.issuer }}
|
{{ _template.spec }}
|
||||||
tls:
|
|
||||||
certificateAuthorityData: {{ template.ca_bundle }}
|
|
||||||
client:
|
|
||||||
secretName: {{ _template.client_secret }}
|
|
||||||
|
@ -111,7 +111,7 @@ components:
|
|||||||
inCluster: true
|
inCluster: true
|
||||||
staticClients:
|
staticClients:
|
||||||
- id: pinniped-supervisor
|
- id: pinniped-supervisor
|
||||||
secret: pinniped-supervisor-secret
|
secret: {{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) }}
|
||||||
name: Pinniped Supervisor client
|
name: Pinniped Supervisor client
|
||||||
redirectURIs:
|
redirectURIs:
|
||||||
- https://auth.{{ vapp['metacluster.fqdn'] }}/callback
|
- https://auth.{{ vapp['metacluster.fqdn'] }}/callback
|
||||||
|
@ -24,10 +24,20 @@ downstream:
|
|||||||
helm:
|
helm:
|
||||||
version: 1.2.11 # (= Pinniped v0.25.0)
|
version: 1.2.11 # (= Pinniped v0.25.0)
|
||||||
chart: bitnami/pinniped
|
chart: bitnami/pinniped
|
||||||
|
namespace: pinniped-concierge
|
||||||
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
|
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
|
||||||
chart_values: !unsafe |
|
chart_values: !unsafe |
|
||||||
supervisor:
|
supervisor:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
extra_manifests: !unsafe
|
||||||
|
- src: jwtauthenticator.j2
|
||||||
|
_template:
|
||||||
|
name: metacluster-sso
|
||||||
|
spec: |2
|
||||||
|
issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
|
||||||
|
audience: {{ vapp['workloadcluster.name'] | lower }}
|
||||||
|
tls:
|
||||||
|
certificateAuthorityData: {{ ca_bundle }}
|
||||||
|
|
||||||
sealed-secrets:
|
sealed-secrets:
|
||||||
version: 2.8.1 # (= Sealed Secrets v0.20.2)
|
version: 2.8.1 # (= Sealed Secrets v0.20.2)
|
||||||
|
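Review bot: The `extra_manifests: !unsafe` tag on the new block is doing real work and deserves a comment: the `{{ vapp[...] }}` and `{{ ca_bundle }}` expressions inside `_template.spec` have to survive untouched until they are rendered later, and `!unsafe` is what stops Ansible templating them where this file is first loaded. A reader who removes the tag, or who notices that `to_nice_yaml` may not carry it into the firstboot vars file, has no way to tell which behaviour is intended; a line such as `# !unsafe: keep the Jinja in _template.spec literal here; it is rendered after this dict is reloaded from the vars file, where vapp and ca_bundle exist` above the key states it. That rendering point is inferred from the aggregation and template tasks elsewhere in the commit rather than from this hunk, so confirm it. The `spec: |2` indentation indicator only matters if the content is written with extra leading spaces; if that pre-indentation is what the new `jwtauthenticator.j2` template relies on, the same comment should say so.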