Housekeeping;Move inclusterippool to gitops;Delete temporary manifests;Align resource naming;Remove redundant config;Add helm configuration

This commit is contained in:
Danny Bessems 2023-04-04 17:22:39 +02:00
parent 915660f618
commit 56a33134a0
8 changed files with 94 additions and 193 deletions


@ -27,7 +27,7 @@
- name: Parse workloadcluster helm charts for container images
ansible.builtin.shell:
cmd: "{{ item.value.parse_logic }}"
chdir: /opt/workloadcluster/helm-charts/{{ item.key }}
chdir: /opt/workloadcluster/helm-charts/{{ item.value.namespace }}/{{ item.key }}
register: chartimages_workloadcluster
loop: "{{ lookup('ansible.builtin.dict', downstream.helm_charts) }}"
loop_control:
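Review bot: `item.value.namespace` in the new `chdir` is now required for every entry of `downstream.helm_charts`, so a chart whose vars omit `namespace` fails this task with an undefined-variable error instead of falling back to the old flat layout; the `--untardir ./{{ item.value.namespace }}` added to the fetch task has the same dependency. If that is the intended contract, making it explicit gives a readable failure instead of a generic templating error, e.g. `chdir: /opt/workloadcluster/helm-charts/{{ item.value.namespace | mandatory('helm chart ' ~ item.key ~ ' needs a namespace') }}/{{ item.key }}`. The task's `loop_control` mapping continues outside the hunk.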


@ -20,7 +20,7 @@
- name: Fetch helm charts for workloadcluster
ansible.builtin.command:
cmd: helm fetch {{ item.value.chart }} --untar --version {{ item.value.version }}
cmd: helm fetch {{ item.value.chart }} --untardir ./{{ item.value.namespace }} --untar --version {{ item.value.version }}
chdir: /opt/workloadcluster/helm-charts
register: helmcharts_workloadcluster
loop: "{{ lookup('ansible.builtin.dict', downstream.helm_charts) }}"
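Review bot: `helm fetch` on the rewritten command line is the deprecated alias of `helm pull` in Helm 3, and the chart is still pulled without `--verify`, so the integrity of what the next play templates and parses rests only on TLS to the chart repository. Where the repositories publish provenance files, `cmd: helm pull {{ item.value.chart }} --verify --untardir ./{{ item.value.namespace }} --untar --version {{ item.value.version }}` checks the chart signature; where they do not, switching to `helm pull` at least keeps the task on the non-deprecated verb. Since the rest of the task is unchanged, `command` (not `shell`) continues to keep the templated arguments out of a shell parse.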


@ -55,7 +55,7 @@
vars:
_template:
application:
name: argocd-applicationset-metacluster
name: applicationset-metacluster
namespace: argo-cd
cluster:
url: https://kubernetes.default.svc


@ -52,23 +52,6 @@
version: "{{ components.clusterapi.workload.version.k8s }}"
vip: "{{ vapp['workloadcluster.vip'] }}"
# - name: WORKAROUND - Update image references to use local registry
# ansible.builtin.replace:
# dest: "{{ item }}"
# regexp: '([ ]+image:[ "]+)(?!({{ _template.pattern }}|"{{ _template.pattern }}))'
# replace: '\1{{ _template.pattern }}'
# vars:
# fileglobs:
# - "{{ query('ansible.builtin.fileglob', '/opt/metacluster/cluster-api/cni-calico/' ~ components.clusterapi.workload.version.calico ~ '/*.yaml') }}"
# - "{{ query('ansible.builtin.fileglob', '/opt/metacluster/cluster-api/infrastructure-vsphere/' ~ components.clusterapi.management.version.infrastructure_vsphere ~ '/*.yaml') }}"
# _template:
# pattern: registry.{{ vapp['metacluster.fqdn'] }}/library/
# loop: "{{ fileglobs[0:] | flatten | select }}"
# loop_control:
# label: "{{ item | basename }}"
# when:
# - item is not search("components.yaml|metadata.yaml")
- name: Generate kustomization template
ansible.builtin.template:
src: kustomization.cluster-template.j2
@ -155,6 +138,21 @@
-f {{ capi_clustermanifest.path }}/new-cluster.yaml \
-o {{ capi_clustermanifest.path }}/manifests
- name: Create in-cluster IpPool
ansible.builtin.template:
src: ippool.j2
dest: "{{ capi_clustermanifest.path }}/manifests/inclusterippool-{{ _template.cluster.name }}.yml"
vars:
_template:
cluster:
name: "{{ vapp['workloadcluster.name'] | lower }}"
namespace: default
network:
startip: "{{ vapp['ippool.startip'] }}"
endip: "{{ vapp['ippool.endip'] }}"
prefix: "{{ vapp['guestinfo.prefixlength'] }}"
gateway: "{{ vapp['guestinfo.gateway'] }}"
- name: Initialize/Push git repository
ansible.builtin.shell:
cmd: |
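Review bot: The new IpPool manifest is written as `inclusterippool-….yml` while every other file this play produces uses `.yaml` (`new-cluster.yaml` two lines above, the `*-manifest.yaml` files elsewhere); if whatever consumes `manifests/` selects on `*.yaml`, or the kustomization rendered by the earlier `Generate kustomization template` task enumerates resources by name, the pool is silently missing from the pushed repository. Suggest `dest: "{{ capi_clustermanifest.path }}/manifests/inclusterippool-{{ _template.cluster.name }}.yaml"` and confirming the kustomization template actually references it. Separately, the `Cleanup tempfolder` task added right after the git push deletes `capi_clustermanifest.path` while the variable stays defined, so its `is defined` guard cannot protect any later task that still reads from that directory; the remainder of the play, and the body of the `Initialize/Push git repository` task, are outside the hunk.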
@ -168,6 +166,12 @@
git push https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git --all
chdir: "{{ capi_clustermanifest.path }}"
- name: Cleanup tempfolder
ansible.builtin.file:
path: "{{ capi_clustermanifest.path }}"
state: absent
when: capi_clustermanifest.path is defined
- name: Configure Cluster API repository
ansible.builtin.template:
src: gitrepo.j2
@ -183,30 +187,6 @@
notify:
- Apply manifests
# Temporarily disabled until manifests are properly managed by gitops
# - name: Cleanup tempfolder
# ansible.builtin.file:
# path: "{{ capi_clustermanifest.path }}"
# state: absent
# when: capi_clustermanifest.path is defined
# TODO: Move to gitops
- name: Create in-cluster IpPool
kubernetes.core.k8s:
template: ippool.j2
state: present
kubeconfig: "{{ kubeconfig.path }}"
vars:
_template:
cluster:
name: "{{ vapp['workloadcluster.name'] | lower }}"
namespace: default
network:
startip: "{{ vapp['ippool.startip'] }}"
endip: "{{ vapp['ippool.endip'] }}"
prefix: "{{ vapp['guestinfo.prefixlength'] }}"
gateway: "{{ vapp['guestinfo.gateway'] }}"
- name: WORKAROUND - Wait for ingress ACME requests to complete
ansible.builtin.shell:
cmd: >-
@ -228,7 +208,7 @@
vars:
_template:
application:
name: argocd-application-clusterapi
name: application-clusterapi-workloadcluster
namespace: argo-cd
cluster:
name: https://kubernetes.default.svc


@ -26,89 +26,64 @@
git push https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git --all
chdir: /opt/workloadcluster/git-repositories/gitops
- block:
- name: Retrieve workload-cluster kubeconfig
kubernetes.core.k8s_info:
kind: Secret
name: "{{ vapp['workloadcluster.name'] }}-kubeconfig"
namespace: default
kubeconfig: "{{ kubeconfig.path }}"
register: secret_workloadcluster_kubeconfig
# - name: Generate service account in workload-cluster
# kubernetes.core.k8s:
# template: serviceaccount.j2
# state: present
- name: Register workload-cluster in argo-cd
kubernetes.core.k8s:
template: cluster.j2
state: present
kubeconfig: "{{ kubeconfig.path }}"
vars:
_template:
cluster:
name: "{{ vapp['workloadcluster.name'] | lower }}"
secret: argocd-cluster-{{ vapp['workloadcluster.name'] | lower }}
url: https://{{ vapp['workloadcluster.vip'] }}:6443
kubeconfig:
ca: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).clusters[0].cluster['certificate-authority-data'] }}"
certificate: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-certificate-data'] }}"
key: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-key-data'] }}"
# - name: Retrieve service account bearer token
# kubernetes.core.k8s_info:
# kind: Secret
# name: "{{ _template.account.name }}-secret"
# namespace: "{{ _template.account.namespace }}"
# register: workloadcluster_bearertoken
- name: Configure workload-cluster GitOps repository
ansible.builtin.template:
src: gitrepo.j2
dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
owner: root
group: root
mode: 0600
vars:
_template:
name: argocd-gitrepo-wl-gitopsconfig
namespace: argo-cd
url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
notify:
- Apply manifests
- name: Retrieve workload-cluster kubeconfig
kubernetes.core.k8s_info:
kind: Secret
name: "{{ vapp['workloadcluster.name'] }}-kubeconfig"
namespace: default
kubeconfig: "{{ kubeconfig.path }}"
register: secret_workloadcluster_kubeconfig
- name: Create applicationset
ansible.builtin.template:
src: applicationset.j2
dest: /var/lib/rancher/k3s/server/manifests/{{ _template.application.name }}-manifest.yaml
owner: root
group: root
mode: 0600
vars:
_template:
application:
name: applicationset-workloadcluster
namespace: argo-cd
cluster:
url: https://{{ vapp['workloadcluster.vip'] }}:6443
repository:
url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
revision: main
notify:
- Apply manifests
- name: Register workload-cluster in argo-cd
kubernetes.core.k8s:
template: cluster.j2
state: present
kubeconfig: "{{ kubeconfig.path }}"
vars:
_template:
cluster:
name: "{{ vapp['workloadcluster.name'] | lower }}"
secret: argocd-cluster-{{ vapp['workloadcluster.name'] | lower }}
url: https://{{ vapp['workloadcluster.vip'] }}:6443
kubeconfig:
ca: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).clusters[0].cluster['certificate-authority-data'] }}"
certificate: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-certificate-data'] }}"
key: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-key-data'] }}"
- name: Configure workload-cluster GitOps repository
ansible.builtin.template:
src: gitrepo.j2
dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
owner: root
group: root
mode: 0600
vars:
_template:
name: argocd-gitrepo-wl-gitopsconfig
namespace: argo-cd
url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
notify:
- Apply manifests
- name: Create applicationset
ansible.builtin.template:
src: applicationset.j2
dest: /var/lib/rancher/k3s/server/manifests/{{ _template.application.name }}-manifest.yaml
owner: root
group: root
mode: 0600
vars:
_template:
application:
name: argocd-applicationset-workloadcluster
namespace: argo-cd
cluster:
url: https://{{ vapp['workloadcluster.vip'] }}:6443
repository:
url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
notify:
- Apply manifests
- name: Trigger handlers
ansible.builtin.meta: flush_handlers
# vars:
# _template:
# account:
# name: argocd-sa
# namespace: default
# clusterrolebinding:
# name: argocd-crb
module_defaults:
group/k8s:
kubeconfig: "{{ capi_kubeconfig.path }}"
- name: Trigger handlers
ansible.builtin.meta: flush_handlers
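Review bot: The `module_defaults` added on the block sets `group/k8s` `kubeconfig` to `capi_kubeconfig.path`, but both k8s tasks inside it (`Retrieve workload-cluster kubeconfig` and `Register workload-cluster in argo-cd`) still pass `kubeconfig: "{{ kubeconfig.path }}"` explicitly, and a task-level argument wins over a module default, so the block default has no effect on any visible task. If the explicit management-cluster kubeconfig is intended (the Secret lookup has to run against the cluster that holds it), the `module_defaults` stanza is dead and should be dropped; if the block was meant to target the workload cluster, the explicit values defeat it — either way the two should not disagree silently. The `Configure workload-cluster GitOps repository` and `Create applicationset` tasks also carry `mode: 0600` unquoted, which YAML 1.1 loaders read as the integer 384; Ansible's own guidance is to quote octal modes, `mode: "0600"`, so the string reaches the module unchanged.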


@ -7,22 +7,25 @@ spec:
generators:
- git:
repoURL: {{ _template.repository.url }}
revision: HEAD
revision: {{ _template.repository.revision }}
directories:
- path: charts/*
- path: charts/*/*
template:
metadata:
name: {% raw %}'{{ path.basename }}'{% endraw +%}
name: application-{% raw %}{{ path.basename }}{% endraw +%}
spec:
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
source:
repoURL: {{ _template.repository.url }}
targetRevision: HEAD
sources:
- repoURL: {{ _template.repository.url }}
targetRevision: {{ _template.repository.revision }}
path: {% raw %}'{{ path }}'{% endraw +%}
helm:
valueFiles:
- /values/{% raw %}{{ path.basename }}{% endraw %}/values.yaml
destination:
server: {{ _template.cluster.url }}
namespace: default
namespace: {% raw %}'{{ path[1] }}'{% endraw +%}
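Review bot: With the generator now matching `charts/*/*` but the Application name still derived only from `path.basename`, two charts with the same directory name under different namespace folders (`charts/a/foo` and `charts/b/foo`) would render the same `application-foo` name and the same `/values/foo/values.yaml` file, so the generated Applications collide. Including the namespace segment keeps both unique: `name: application-{% raw %}{{ path[1] }}-{{ path.basename }}{% endraw +%}` and `- /values/{% raw %}{{ path[1] }}/{{ path.basename }}{% endraw %}/values.yaml`. The leading-slash value-file path is also worth confirming against the Argo CD release in use: with `sources:`, files outside the chart directory are usually referenced through a second source carrying `ref:` and a `$ref/…` path rather than a repo-root path.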


@ -1,27 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ _template.account.name }}
namespace: {{ _template.account.namespace }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ _template.account.name }}-secret
namespace: {{ _template.account.namespace }}
annotations:
kubernetes.io/service-account.name: {{ _template.account.name }}
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ _template.clusterrolebinding.name }}
subjects:
- kind: ServiceAccount
name: {{ _template.account.name }}
namespace: {{ _template.account.namespace }}
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io


@ -11,46 +11,16 @@ downstream:
longhorn:
version: 1.4.1
chart: longhorn/longhorn
namespace: longhorn-system
parse_logic: cat values.yaml | yq eval '.. | select(has("repository")) | .repository + ":" + .tag'
chart_values: !unsafe |
defaultSettings:
defaultDataPath: /mnt/blockstorage
global:
cattle:
systemDefaultRegistry: registry.{{ vapp['metacluster.fqdn'] }}
image:
longhorn:
engine:
repository: library/docker.io/longhornio/longhorn-engine
manager:
repository: library/docker.io/longhornio/longhorn-manager
ui:
repository: library/docker.io/longhornio/longhorn-ui
instanceManager:
repository: library/docker.io/longhornio/longhorn-instance-manager
shareManager:
repository: library/docker.io/longhornio/longhorn-share-manager
backingImageManager:
repository: library/docker.io/longhornio/backing-image-manager
supportBundleKit:
repository: library/docker.io/longhornio/support-bundle-kit
csi:
attacher:
repository: library/docker.io/longhornio/csi-attacher
provisioner:
repository: library/docker.io/longhornio/csi-provisioner
nodeDriverRegistrar:
repository: library/docker.io/longhornio/csi-node-driver-registrar
resizer:
repository: library/docker.io/longhornio/csi-resizer
snapshotter:
repository: library/docker.io/longhornio/csi-snapshotter
livenessProbe:
repository: library/docker.io/longhornio/livenessprobe
sealed-secrets:
version: 2.8.1 # (= Sealed Secrets v0.20.2)
chart: sealed-secrets/sealed-secrets
namespace: sealed-secrets
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
chart_values: !unsafe |
# Empty
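Review bot: Dropping `global.cattle.systemDefaultRegistry` and the per-component `repository` overrides from the longhorn `chart_values` means the chart's default upstream image references are what gets rendered, while the `Parse workloadcluster helm charts for container images` task still harvests those references for mirroring; the commit title calls this config redundant, presumably because image rewriting now happens elsewhere, but nothing in the vars file says where. A one-line comment above `chart_values`, such as `# Image registry is rewritten by <step name>, not via chart values`, would stop the next reader from re-adding these overrides. The new `namespace:` keys double as directory names in the fetch and parse tasks, so they need to stay plain identifiers without path separators.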