Housekeeping;Move inclusterippool to gitops;Delete temporary manifests;Align resource naming;Remove redundant config;Add helm configuration

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/gitops.yml

@@ -55,7 +55,7 @@
       vars:
         _template:
           application:
-            name: argocd-applicationset-metacluster
+            name: applicationset-metacluster
             namespace: argo-cd
           cluster:
             url: https://kubernetes.default.svc

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/clusterapi.yml

@@ -52,23 +52,6 @@
         version: "{{ components.clusterapi.workload.version.k8s }}"
         vip: "{{ vapp['workloadcluster.vip'] }}"
 
-# - name: WORKAROUND - Update image references to use local registry
-#   ansible.builtin.replace:
-#     dest: "{{ item }}"
-#     regexp: '([ ]+image:[ "]+)(?!({{ _template.pattern }}|"{{ _template.pattern }}))'
-#     replace: '\1{{ _template.pattern }}'
-#   vars:
-#     fileglobs:
-#       - "{{ query('ansible.builtin.fileglob', '/opt/metacluster/cluster-api/cni-calico/' ~ components.clusterapi.workload.version.calico ~ '/*.yaml') }}"
-#       - "{{ query('ansible.builtin.fileglob', '/opt/metacluster/cluster-api/infrastructure-vsphere/' ~ components.clusterapi.management.version.infrastructure_vsphere ~ '/*.yaml') }}"
-#     _template:
-#       pattern: registry.{{ vapp['metacluster.fqdn'] }}/library/
-#   loop: "{{ fileglobs[0:] | flatten | select }}"
-#   loop_control:
-#     label: "{{ item | basename }}"
-#   when:
-#     - item is not search("components.yaml|metadata.yaml")
-
 - name: Generate kustomization template
   ansible.builtin.template:
     src: kustomization.cluster-template.j2
@@ -155,6 +138,21 @@
         -f {{ capi_clustermanifest.path }}/new-cluster.yaml \
         -o {{ capi_clustermanifest.path }}/manifests
 
+- name: Create in-cluster IpPool
+  ansible.builtin.template:
+    src: ippool.j2
+    dest: "{{ capi_clustermanifest.path }}/manifests/inclusterippool-{{ _template.cluster.name }}.yml"
+  vars:
+    _template:
+      cluster:
+        name: "{{ vapp['workloadcluster.name'] | lower }}"
+        namespace: default
+        network:
+          startip: "{{ vapp['ippool.startip'] }}"
+          endip: "{{ vapp['ippool.endip'] }}"
+          prefix: "{{ vapp['guestinfo.prefixlength'] }}"
+          gateway: "{{ vapp['guestinfo.gateway'] }}"
+
 - name: Initialize/Push git repository
   ansible.builtin.shell:
     cmd: |
@@ -168,6 +166,12 @@
       git push https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git --all
     chdir: "{{ capi_clustermanifest.path }}"
 
+- name: Cleanup tempfolder
+  ansible.builtin.file:
+    path: "{{ capi_clustermanifest.path }}"
+    state: absent
+  when: capi_clustermanifest.path is defined
+
 - name: Configure Cluster API repository
   ansible.builtin.template:
     src: gitrepo.j2
@@ -183,30 +187,6 @@
   notify:
     - Apply manifests
 
-# Temporarily disabled until manifests are properly managed by gitops
-# - name: Cleanup tempfolder
-#   ansible.builtin.file:
-#     path: "{{ capi_clustermanifest.path }}"
-#     state: absent
-#   when: capi_clustermanifest.path is defined
-
-# TODO: Move to gitops
-- name: Create in-cluster IpPool
-  kubernetes.core.k8s:
-    template: ippool.j2
-    state: present
-    kubeconfig: "{{ kubeconfig.path }}"
-  vars:
-    _template:
-      cluster:
-        name: "{{ vapp['workloadcluster.name'] | lower }}"
-        namespace: default
-        network:
-          startip: "{{ vapp['ippool.startip'] }}"
-          endip: "{{ vapp['ippool.endip'] }}"
-          prefix: "{{ vapp['guestinfo.prefixlength'] }}"
-          gateway: "{{ vapp['guestinfo.gateway'] }}"
-
 - name: WORKAROUND - Wait for ingress ACME requests to complete
   ansible.builtin.shell:
     cmd: >-
@@ -228,7 +208,7 @@
   vars:
     _template:
       application:
-        name: argocd-application-clusterapi
+        name: application-clusterapi-workloadcluster
         namespace: argo-cd
       cluster:
         name: https://kubernetes.default.svc

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml

@@ -26,89 +26,64 @@
       git push https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git --all
     chdir: /opt/workloadcluster/git-repositories/gitops
 
-- block:
+- name: Retrieve workload-cluster kubeconfig
+  kubernetes.core.k8s_info:
+    kind: Secret
+    name: "{{ vapp['workloadcluster.name'] }}-kubeconfig"
+    namespace: default
+    kubeconfig: "{{ kubeconfig.path }}"
+  register: secret_workloadcluster_kubeconfig
 
-    # - name: Generate service account in workload-cluster
-    #   kubernetes.core.k8s:
-    #     template: serviceaccount.j2
-    #     state: present
+- name: Register workload-cluster in argo-cd
+  kubernetes.core.k8s:
+    template: cluster.j2
+    state: present
+    kubeconfig: "{{ kubeconfig.path }}"
+  vars:
+    _template:
+      cluster:
+        name: "{{ vapp['workloadcluster.name'] | lower }}"
+        secret: argocd-cluster-{{ vapp['workloadcluster.name'] | lower }}
+        url: https://{{ vapp['workloadcluster.vip'] }}:6443
+      kubeconfig:
+        ca: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).clusters[0].cluster['certificate-authority-data'] }}"
+        certificate: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-certificate-data'] }}"
+        key: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-key-data'] }}"
 
-    # - name: Retrieve service account bearer token
-    #   kubernetes.core.k8s_info:
-    #     kind: Secret
-    #     name: "{{ _template.account.name }}-secret"
-    #     namespace: "{{ _template.account.namespace }}"
-    #   register: workloadcluster_bearertoken
+- name: Configure workload-cluster GitOps repository
+  ansible.builtin.template:
+    src: gitrepo.j2
+    dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
+    owner: root
+    group: root
+    mode: 0600
+  vars:
+    _template:
+      name: argocd-gitrepo-wl-gitopsconfig
+      namespace: argo-cd
+      url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
+  notify:
+    - Apply manifests
 
-    - name: Retrieve workload-cluster kubeconfig
-      kubernetes.core.k8s_info:
-        kind: Secret
-        name: "{{ vapp['workloadcluster.name'] }}-kubeconfig"
-        namespace: default
-        kubeconfig: "{{ kubeconfig.path }}"
-      register: secret_workloadcluster_kubeconfig
+- name: Create applicationset
+  ansible.builtin.template:
+    src: applicationset.j2
+    dest: /var/lib/rancher/k3s/server/manifests/{{ _template.application.name }}-manifest.yaml
+    owner: root
+    group: root
+    mode: 0600
+  vars:
+    _template:
+      application:
+        name: applicationset-workloadcluster
+        namespace: argo-cd
+      cluster:
+        url: https://{{ vapp['workloadcluster.vip'] }}:6443
+      repository:
+        url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
+        revision: main
+  notify:
+    - Apply manifests
 
-    - name: Register workload-cluster in argo-cd
-      kubernetes.core.k8s:
-        template: cluster.j2
-        state: present
-        kubeconfig: "{{ kubeconfig.path }}"
-      vars:
-        _template:
-          cluster:
-            name: "{{ vapp['workloadcluster.name'] | lower }}"
-            secret: argocd-cluster-{{ vapp['workloadcluster.name'] | lower }}
-            url: https://{{ vapp['workloadcluster.vip'] }}:6443
-          kubeconfig:
-            ca: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).clusters[0].cluster['certificate-authority-data'] }}"
-            certificate: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-certificate-data'] }}"
-            key: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-key-data'] }}"
-
-    - name: Configure workload-cluster GitOps repository
-      ansible.builtin.template:
-        src: gitrepo.j2
-        dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
-        owner: root
-        group: root
-        mode: 0600
-      vars:
-        _template:
-          name: argocd-gitrepo-wl-gitopsconfig
-          namespace: argo-cd
-          url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
-      notify:
-        - Apply manifests
-
-    - name: Create applicationset
-      ansible.builtin.template:
-        src: applicationset.j2
-        dest: /var/lib/rancher/k3s/server/manifests/{{ _template.application.name }}-manifest.yaml
-        owner: root
-        group: root
-        mode: 0600
-      vars:
-        _template:
-          application:
-            name: argocd-applicationset-workloadcluster
-            namespace: argo-cd
-          cluster:
-            url: https://{{ vapp['workloadcluster.vip'] }}:6443
-          repository:
-            url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
-
-      notify:
-        - Apply manifests
-
-    - name: Trigger handlers
-      ansible.builtin.meta: flush_handlers
-
-  # vars:
-  #   _template:
-  #     account:
-  #       name: argocd-sa
-  #       namespace: default
-  #     clusterrolebinding:
-  #       name: argocd-crb
-  module_defaults:
-    group/k8s:
-      kubeconfig: "{{ capi_kubeconfig.path }}"
+- name: Trigger handlers
+  ansible.builtin.meta: flush_handlers

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/applicationset.j2

@@ -7,22 +7,25 @@ spec:
   generators:
   - git:
       repoURL: {{ _template.repository.url }}
-      revision: HEAD
+      revision: {{ _template.repository.revision }}
       directories:
-      - path: charts/*
+      - path: charts/*/*
   template:
     metadata:
-      name: {% raw %}'{{ path.basename }}'{% endraw +%}
+      name: application-{% raw %}{{ path.basename }}{% endraw +%}
     spec:
       project: default
       syncPolicy:
         automated:
           prune: true
           selfHeal: true
-      source:
-        repoURL: {{ _template.repository.url }}
-        targetRevision: HEAD
+      sources:
+      - repoURL: {{ _template.repository.url }}
+        targetRevision: {{ _template.repository.revision }}
         path: {% raw %}'{{ path }}'{% endraw +%}
+        helm:
+          valueFiles:
+          - /values/{% raw %}{{ path.basename }}{% endraw %}/values.yaml
       destination:
         server: {{ _template.cluster.url }}
-        namespace: default
+        namespace: {% raw %}'{{ path[1] }}'{% endraw +%}

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/serviceaccount.j2.DISABLED

@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ _template.account.name }}
-  namespace: {{ _template.account.namespace }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ _template.account.name }}-secret
-  namespace: {{ _template.account.namespace }}
-  annotations:
-    kubernetes.io/service-account.name: {{ _template.account.name }}
-type: kubernetes.io/service-account-token
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ _template.clusterrolebinding.name }}
-subjects:
-- kind: ServiceAccount
-  name: {{ _template.account.name }}
-  namespace: {{ _template.account.namespace }}
-roleRef:
-  kind: ClusterRole
-  name: cluster-admin
-  apiGroup: rbac.authorization.k8s.io