diff --git a/ansible/roles/assets/tasks/containerimages.yml b/ansible/roles/assets/tasks/containerimages.yml
index 504f49f..d09f7de 100644
--- a/ansible/roles/assets/tasks/containerimages.yml
+++ b/ansible/roles/assets/tasks/containerimages.yml
@@ -27,7 +27,7 @@
 - name: Parse workloadcluster helm charts for container images
   ansible.builtin.shell:
     cmd: "{{ item.value.parse_logic }}"
-    chdir: /opt/workloadcluster/helm-charts/{{ item.key }}
+    chdir: /opt/workloadcluster/helm-charts/{{ item.value.namespace }}/{{ item.key }}
   register: chartimages_workloadcluster
   loop: "{{ lookup('ansible.builtin.dict', downstream.helm_charts) }}"
   loop_control:
diff --git a/ansible/roles/assets/tasks/helm.yml b/ansible/roles/assets/tasks/helm.yml
index e511453..03071c6 100644
--- a/ansible/roles/assets/tasks/helm.yml
+++ b/ansible/roles/assets/tasks/helm.yml
@@ -20,7 +20,7 @@
 
 - name: Fetch helm charts for workloadcluster
   ansible.builtin.command:
-    cmd: helm fetch {{ item.value.chart }} --untar --version {{ item.value.version }}
+    cmd: helm fetch {{ item.value.chart }} --untardir ./{{ item.value.namespace }} --untar --version {{ item.value.version }}
     chdir: /opt/workloadcluster/helm-charts
   register: helmcharts_workloadcluster
   loop: "{{ lookup('ansible.builtin.dict', downstream.helm_charts) }}"
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/gitops.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/gitops.yml
index 4d00ff4..c2799b5 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/gitops.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/gitops.yml
@@ -55,7 +55,7 @@
   vars:
     _template:
       application:
-        name: argocd-applicationset-metacluster
+        name: applicationset-metacluster
         namespace: argo-cd
       cluster:
         url: https://kubernetes.default.svc
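Review bot: `item.value.namespace` becomes a mandatory key of every `downstream.helm_charts` entry in the `Fetch helm charts for workloadcluster` command line and, in the containerimages.yml hunk, in the `chdir` of the parse task, but neither task guards against an entry that lacks it; with default Ansible settings the loop aborts on an undefined variable instead of a readable message, and the two paths only agree while every entry carries the key. A small assert task with the same loop before the fetch, `ansible.builtin.assert:` / `that: item.value.namespace is defined` / `loop: "{{ lookup('ansible.builtin.dict', downstream.helm_charts) }}"`, would pin that contract at the point the vars are consumed. The fetch itself is pinned only by `--version`; if the charts come from a mirror the assets role controls, `helm fetch --verify` or a checksum step after the fetch would keep a tampered chart out of the local cache. Both `cmd:` values are Jinja-expanded into `ansible.builtin.command`, which does not go through a shell, so the unquoted chart and version fields are acceptable as long as they stay operator-controlled vars.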
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/clusterapi.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/clusterapi.yml
index b5822a5..360e138 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/clusterapi.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/clusterapi.yml
@@ -52,23 +52,6 @@
       version: "{{ components.clusterapi.workload.version.k8s }}"
       vip: "{{ vapp['workloadcluster.vip'] }}"
 
-# - name: WORKAROUND - Update image references to use local registry
-#   ansible.builtin.replace:
-#     dest: "{{ item }}"
-#     regexp: '([ ]+image:[ "]+)(?!({{ _template.pattern }}|"{{ _template.pattern }}))'
-#     replace: '\1{{ _template.pattern }}'
-#   vars:
-#     fileglobs:
-#       - "{{ query('ansible.builtin.fileglob', '/opt/metacluster/cluster-api/cni-calico/' ~ components.clusterapi.workload.version.calico ~ '/*.yaml') }}"
-#       - "{{ query('ansible.builtin.fileglob', '/opt/metacluster/cluster-api/infrastructure-vsphere/' ~ components.clusterapi.management.version.infrastructure_vsphere ~ '/*.yaml') }}"
-#     _template:
-#       pattern: registry.{{ vapp['metacluster.fqdn'] }}/library/
-#   loop: "{{ fileglobs[0:] | flatten | select }}"
-#   loop_control:
-#     label: "{{ item | basename }}"
-#   when:
-#     - item is not search("components.yaml|metadata.yaml")
-
 - name: Generate kustomization template
   ansible.builtin.template:
     src: kustomization.cluster-template.j2
@@ -155,6 +138,21 @@
           -f {{ capi_clustermanifest.path }}/new-cluster.yaml \
           -o {{ capi_clustermanifest.path }}/manifests
 
+- name: Create in-cluster IpPool
+  ansible.builtin.template:
+    src: ippool.j2
+    dest: "{{ capi_clustermanifest.path }}/manifests/inclusterippool-{{ _template.cluster.name }}.yml"
+  vars:
+    _template:
+      cluster:
+        name: "{{ vapp['workloadcluster.name'] | lower }}"
+        namespace: default
+      network:
+        startip: "{{ vapp['ippool.startip'] }}"
+        endip: "{{ vapp['ippool.endip'] }}"
+        prefix: "{{ vapp['guestinfo.prefixlength'] }}"
+        gateway: "{{ vapp['guestinfo.gateway'] }}"
+
 - name: Initialize/Push git repository
   ansible.builtin.shell:
     cmd: |
@@ -168,6 +166,12 @@
       git push https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git --all
     chdir: "{{ capi_clustermanifest.path }}"
 
+- name: Cleanup tempfolder
+  ansible.builtin.file:
+    path: "{{ capi_clustermanifest.path }}"
+    state: absent
+  when: capi_clustermanifest.path is defined
+
 - name: Configure Cluster API repository
   ansible.builtin.template:
     src: gitrepo.j2
@@ -183,30 +187,6 @@
   notify:
     - Apply manifests
 
-# Temporarily disabled until manifests are properly managed by gitops
-# - name: Cleanup tempfolder
-#   ansible.builtin.file:
-#     path: "{{ capi_clustermanifest.path }}"
-#     state: absent
-#   when: capi_clustermanifest.path is defined
-
-# TODO: Move to gitops
-- name: Create in-cluster IpPool
-  kubernetes.core.k8s:
-    template: ippool.j2
-    state: present
-    kubeconfig: "{{ kubeconfig.path }}"
-  vars:
-    _template:
-      cluster:
-        name: "{{ vapp['workloadcluster.name'] | lower }}"
-        namespace: default
-      network:
-        startip: "{{ vapp['ippool.startip'] }}"
-        endip: "{{ vapp['ippool.endip'] }}"
-        prefix: "{{ vapp['guestinfo.prefixlength'] }}"
-        gateway: "{{ vapp['guestinfo.gateway'] }}"
-
 - name: WORKAROUND - Wait for ingress ACME requests to complete
   ansible.builtin.shell:
     cmd: >-
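Review bot: The new `Create in-cluster IpPool` task renders the manifest with `ansible.builtin.template` but sets no `mode`, so the file's permissions depend on the controller's umask, whereas the template tasks in the workloadcluster gitops.yml hunk of this same commit pin `owner`, `group` and `mode`; an explicit `mode: "0644"` (quoted, to avoid the implicit-octal trap) would make the intended permissions visible and consistent. With the `kubernetes.core.k8s` apply further down removed, the IpPool is now reconciled only through the pushed GitOps repository and nothing in this file confirms it landed; a comment on the task such as `# Applied by Argo CD from GitOps.ClusterAPI, not reconciled directly here` would record that hand-off for the next reader. The `Initialize/Push git repository` task that follows starts inside the hunk but its body continues outside it.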
@@ -228,7 +208,7 @@
   vars:
     _template:
       application:
-        name: argocd-application-clusterapi
+        name: application-clusterapi-workloadcluster
         namespace: argo-cd
       cluster:
         name: https://kubernetes.default.svc
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml
index 8834451..72845ea 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml
@@ -26,89 +26,64 @@
       git push https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git --all
     chdir: /opt/workloadcluster/git-repositories/gitops
 
-- block:
+- name: Retrieve workload-cluster kubeconfig
+  kubernetes.core.k8s_info:
+    kind: Secret
+    name: "{{ vapp['workloadcluster.name'] }}-kubeconfig"
+    namespace: default
+    kubeconfig: "{{ kubeconfig.path }}"
+  register: secret_workloadcluster_kubeconfig
 
-    # - name: Generate service account in workload-cluster
-    #   kubernetes.core.k8s:
-    #     template: serviceaccount.j2
-    #     state: present
+- name: Register workload-cluster in argo-cd
+  kubernetes.core.k8s:
+    template: cluster.j2
+    state: present
+    kubeconfig: "{{ kubeconfig.path }}"
+  vars:
+    _template:
+      cluster:
+        name: "{{ vapp['workloadcluster.name'] | lower }}"
+        secret: argocd-cluster-{{ vapp['workloadcluster.name'] | lower }}
+        url: https://{{ vapp['workloadcluster.vip'] }}:6443
+      kubeconfig:
+        ca: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).clusters[0].cluster['certificate-authority-data'] }}"
+        certificate: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-certificate-data'] }}"
+        key: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-key-data'] }}"
 
-    # - name: Retrieve service account bearer token
-    #   kubernetes.core.k8s_info:
-    #     kind: Secret
-    #     name: "{{ _template.account.name }}-secret"
-    #     namespace: "{{ _template.account.namespace }}"
-    #   register: workloadcluster_bearertoken
+- name: Configure workload-cluster GitOps repository
+  ansible.builtin.template:
+    src: gitrepo.j2
+    dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
+    owner: root
+    group: root
+    mode: 0600
+  vars:
+    _template:
+      name: argocd-gitrepo-wl-gitopsconfig
+      namespace: argo-cd
+      url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
+  notify:
+    - Apply manifests
 
-    - name: Retrieve workload-cluster kubeconfig
-      kubernetes.core.k8s_info:
-        kind: Secret
-        name: "{{ vapp['workloadcluster.name'] }}-kubeconfig"
-        namespace: default
-        kubeconfig: "{{ kubeconfig.path }}"
-      register: secret_workloadcluster_kubeconfig
+- name: Create applicationset
+  ansible.builtin.template:
+    src: applicationset.j2
+    dest: /var/lib/rancher/k3s/server/manifests/{{ _template.application.name }}-manifest.yaml
+    owner: root
+    group: root
+    mode: 0600
+  vars:
+    _template:
+      application:
+        name: applicationset-workloadcluster
+        namespace: argo-cd
+      cluster:
+        url: https://{{ vapp['workloadcluster.vip'] }}:6443
+      repository:
+        url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
+        revision: main
+  notify:
+    - Apply manifests
 
-    - name: Register workload-cluster in argo-cd
-      kubernetes.core.k8s:
-        template: cluster.j2
-        state: present
-        kubeconfig: "{{ kubeconfig.path }}"
-      vars:
-        _template:
-          cluster:
-            name: "{{ vapp['workloadcluster.name'] | lower }}"
-            secret: argocd-cluster-{{ vapp['workloadcluster.name'] | lower }}
-            url: https://{{ vapp['workloadcluster.vip'] }}:6443
-          kubeconfig:
-            ca: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).clusters[0].cluster['certificate-authority-data'] }}"
-            certificate: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-certificate-data'] }}"
-            key: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-key-data'] }}"
-
-    - name: Configure workload-cluster GitOps repository
-      ansible.builtin.template:
-        src: gitrepo.j2
-        dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
-        owner: root
-        group: root
-        mode: 0600
-      vars:
-        _template:
-          name: argocd-gitrepo-wl-gitopsconfig
-          namespace: argo-cd
-          url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
-      notify:
-        - Apply manifests
-
-    - name: Create applicationset
-      ansible.builtin.template:
-        src: applicationset.j2
-        dest: /var/lib/rancher/k3s/server/manifests/{{ _template.application.name }}-manifest.yaml
-        owner: root
-        group: root
-        mode: 0600
-      vars:
-        _template:
-          application:
-            name: argocd-applicationset-workloadcluster
-            namespace: argo-cd
-          cluster:
-            url: https://{{ vapp['workloadcluster.vip'] }}:6443
-          repository:
-            url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
-
-      notify:
-        - Apply manifests
-
-    - name: Trigger handlers
-      ansible.builtin.meta: flush_handlers
-
-  # vars:
-  #   _template:
-  #     account:
-  #       name: argocd-sa
-  #       namespace: default
-  #     clusterrolebinding:
-  #       name: argocd-crb
-  module_defaults:
-    group/k8s:
-      kubeconfig: "{{ capi_kubeconfig.path }}"
+- name: Trigger handlers
+  ansible.builtin.meta: flush_handlers
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/applicationset.j2 b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/applicationset.j2
index c2ae97d..cdfd461 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/applicationset.j2
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/applicationset.j2
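Review bot: `secret_workloadcluster_kubeconfig.resources[0]` in the new `Register workload-cluster in argo-cd` task is indexed unconditionally, but `k8s_info` returns success with an empty `resources` list when the `<name>-kubeconfig` secret does not exist yet, so a too-early run fails with an opaque templating error on the `ca:` line instead of a clear message. Adding `until: secret_workloadcluster_kubeconfig.resources | length > 0` with `retries`/`delay` to the `Retrieve workload-cluster kubeconfig` task (or a `failed_when` on the empty result) would make that dependency explicit. The `b64decode | from_yaml` chain is evaluated three times for `ca`, `certificate` and `key`; a single `set_fact` holding the parsed kubeconfig would keep the three fields derived from one decode. The credential handed to Argo CD here is the client certificate from the CAPI-generated admin kubeconfig, which presumably carries cluster-admin rights on the workload cluster, and the service-account alternative is deleted in this commit; a comment on the task stating that this is the intended trust level would save the next reader from re-deriving it. `mode: 0600` on both template tasks is an implicit-octal literal that yamllint and ansible-lint flag; `mode: "0600"` is the portable spelling.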
@@ -7,22 +7,25 @@ spec:
   generators:
   - git:
       repoURL: {{ _template.repository.url }}
-      revision: HEAD
+      revision: {{ _template.repository.revision }}
       directories:
-      - path: charts/*
+      - path: charts/*/*
   template:
     metadata:
-      name: {% raw %}'{{ path.basename }}'{% endraw +%}
+      name: application-{% raw %}{{ path.basename }}{% endraw +%}
     spec:
       project: default
       syncPolicy:
         automated:
           prune: true
           selfHeal: true
-      source:
-        repoURL: {{ _template.repository.url }}
-        targetRevision: HEAD
+      sources:
+      - repoURL: {{ _template.repository.url }}
+        targetRevision: {{ _template.repository.revision }}
         path: {% raw %}'{{ path }}'{% endraw +%}
+        helm:
+          valueFiles:
+          - /values/{% raw %}{{ path.basename }}{% endraw %}/values.yaml
       destination:
         server: {{ _template.cluster.url }}
-        namespace: default
+        namespace: {% raw %}'{{ path[1] }}'{% endraw +%}
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/serviceaccount.j2.DISABLED b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/serviceaccount.j2.DISABLED
deleted file mode 100644
index cec2c90..0000000
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/serviceaccount.j2.DISABLED
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ _template.account.name }}
-  namespace: {{ _template.account.namespace }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ _template.account.name }}-secret
-  namespace: {{ _template.account.namespace }}
-  annotations:
-    kubernetes.io/service-account.name: {{ _template.account.name }}
-type: kubernetes.io/service-account-token
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ _template.clusterrolebinding.name }}
-subjects:
-- kind: ServiceAccount
-  name: {{ _template.account.name }}
-  namespace: {{ _template.account.namespace }}
-roleRef:
-  kind: ClusterRole
-  name: cluster-admin
-  apiGroup: rbac.authorization.k8s.io
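Review bot: `destination.namespace` now comes from the repository path (`path[1]`, e.g. `longhorn-system` or `sealed-secrets` per the vars hunk), but `syncPolicy` carries only `automated:` and no `syncOptions`, so the first sync of a chart whose namespace does not yet exist on the workload cluster fails at namespace lookup; adding `syncOptions:` / `- CreateNamespace=true` under `syncPolicy` lets Argo CD create it. The `helm.valueFiles` entry `/values/<chart>/values.yaml` is an absolute path; Argo CD resolves value files relative to `path` by default, so I would confirm against a rendered Application that the leading `/` is taken as repo-root-relative rather than rejected as out of bounds. A comment above `directories:` spelling out the expected layout, `# repo layout: charts/<namespace>/<chart>, values in /values/<chart>/values.yaml`, would document the convention that `path[1]` and `path.basename` now depend on.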
diff --git a/ansible/vars/workloadcluster.yml b/ansible/vars/workloadcluster.yml
index 3e090ac..9a09c14 100644
--- a/ansible/vars/workloadcluster.yml
+++ b/ansible/vars/workloadcluster.yml
@@ -11,46 +11,16 @@ downstream:
     longhorn:
       version: 1.4.1
       chart: longhorn/longhorn
+      namespace: longhorn-system
       parse_logic: cat values.yaml | yq eval '.. | select(has("repository")) | .repository + ":" + .tag'
       chart_values: !unsafe |
         defaultSettings:
           defaultDataPath: /mnt/blockstorage
-        global:
-          cattle:
-            systemDefaultRegistry: registry.{{ vapp['metacluster.fqdn'] }}
-        image:
-          longhorn:
-            engine:
-              repository: library/docker.io/longhornio/longhorn-engine
-            manager:
-              repository: library/docker.io/longhornio/longhorn-manager
-            ui:
-              repository: library/docker.io/longhornio/longhorn-ui
-            instanceManager:
-              repository: library/docker.io/longhornio/longhorn-instance-manager
-            shareManager:
-              repository: library/docker.io/longhornio/longhorn-share-manager
-            backingImageManager:
-              repository: library/docker.io/longhornio/backing-image-manager
-            supportBundleKit:
-              repository: library/docker.io/longhornio/support-bundle-kit
-          csi:
-            attacher:
-              repository: library/docker.io/longhornio/csi-attacher
-            provisioner:
-              repository: library/docker.io/longhornio/csi-provisioner
-            nodeDriverRegistrar:
-              repository: library/docker.io/longhornio/csi-node-driver-registrar
-            resizer:
-              repository: library/docker.io/longhornio/csi-resizer
-            snapshotter:
-              repository: library/docker.io/longhornio/csi-snapshotter
-            livenessProbe:
-              repository: library/docker.io/longhornio/livenessprobe
     sealed-secrets:
       version: 2.8.1 # (= Sealed Secrets v0.20.2)
       chart: sealed-secrets/sealed-secrets
+      namespace: sealed-secrets
       parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
       chart_values: !unsafe |
         # Empty
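Review bot: Dropping `global.cattle.systemDefaultRegistry` and the per-image `repository` overrides from Longhorn's `chart_values` means the chart references the upstream `docker.io/longhornio/*` images again, while the `Parse workloadcluster helm charts for container images` task in the assets role still mirrors those images into the local registry; if the workload cluster is meant to pull from `registry.<metacluster.fqdn>`, that override presumably has to reappear in the `/values/longhorn/values.yaml` file the applicationset template now reads, otherwise the mirror is unused. A one-line comment above `chart_values`, `# Registry/repository overrides now live in the GitOps values file, not here`, would record where that responsibility moved. The new `namespace:` keys and the existing `version: 1.4.1` / `2.8.1` parse as strings, but a future two-component version such as `1.5` would be read as a float, so quoting `version` values in this file is the defensive habit.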