Housekeeping;Move inclusterippool to gitops;Delete temporary manifests;Align resource naming;Remove redundant config;Add helm configuration

This commit is contained in:
Danny Bessems 2023-04-04 17:22:39 +02:00
parent 915660f618
commit 56a33134a0
8 changed files with 94 additions and 193 deletions


@ -27,7 +27,7 @@
- name: Parse workloadcluster helm charts for container images - name: Parse workloadcluster helm charts for container images
ansible.builtin.shell: ansible.builtin.shell:
cmd: "{{ item.value.parse_logic }}" cmd: "{{ item.value.parse_logic }}"
chdir: /opt/workloadcluster/helm-charts/{{ item.key }} chdir: /opt/workloadcluster/helm-charts/{{ item.value.namespace }}/{{ item.key }}
register: chartimages_workloadcluster register: chartimages_workloadcluster
loop: "{{ lookup('ansible.builtin.dict', downstream.helm_charts) }}" loop: "{{ lookup('ansible.builtin.dict', downstream.helm_charts) }}"
loop_control: loop_control:
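Review bot: The new `chdir` dereferences `item.value.namespace` for every entry of `downstream.helm_charts`, so a chart entry without a `namespace` key now aborts the loop with an undefined-variable error instead of a clear message; the `--untardir` change in the fetch task of the second file introduces the same dependency. Since the key is now mandatory, make that explicit at the point of use, `chdir: /opt/workloadcluster/helm-charts/{{ item.value.namespace | mandatory }}/{{ item.key }}`, or validate `downstream.helm_charts` once with an `ansible.builtin.assert` before either loop runs. The `cmd` still executes whatever `parse_logic` string the values file carries through `ansible.builtin.shell`, so that values file remains the trust boundary for this task. The task's `loop_control` body continues past the end of the hunk.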


@ -20,7 +20,7 @@
- name: Fetch helm charts for workloadcluster - name: Fetch helm charts for workloadcluster
ansible.builtin.command: ansible.builtin.command:
cmd: helm fetch {{ item.value.chart }} --untar --version {{ item.value.version }} cmd: helm fetch {{ item.value.chart }} --untardir ./{{ item.value.namespace }} --untar --version {{ item.value.version }}
chdir: /opt/workloadcluster/helm-charts chdir: /opt/workloadcluster/helm-charts
register: helmcharts_workloadcluster register: helmcharts_workloadcluster
loop: "{{ lookup('ansible.builtin.dict', downstream.helm_charts) }}" loop: "{{ lookup('ansible.builtin.dict', downstream.helm_charts) }}"
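Review bot: `helm fetch` is the deprecated alias of `helm pull`; since this command line is being edited anyway, `cmd: helm pull {{ item.value.chart }} --untardir ./{{ item.value.namespace }} --untar --version {{ item.value.version }}` keeps the task on the supported spelling. The new `--untardir` value is interpolated unquoted into a `command`-module string, so a `namespace` containing whitespace would be split into separate arguments rather than fail loudly; acceptable for values this repository controls, but it adds to the requirement that every chart entry defines `namespace`. Charts are pinned by version only; where the chart repository publishes provenance files, `--verify` would additionally check the chart signature. The task definition may continue past the hunk.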


@ -55,7 +55,7 @@
vars: vars:
_template: _template:
application: application:
name: argocd-applicationset-metacluster name: applicationset-metacluster
namespace: argo-cd namespace: argo-cd
cluster: cluster:
url: https://kubernetes.default.svc url: https://kubernetes.default.svc


@ -52,23 +52,6 @@
version: "{{ components.clusterapi.workload.version.k8s }}" version: "{{ components.clusterapi.workload.version.k8s }}"
vip: "{{ vapp['workloadcluster.vip'] }}" vip: "{{ vapp['workloadcluster.vip'] }}"
# - name: WORKAROUND - Update image references to use local registry
# ansible.builtin.replace:
# dest: "{{ item }}"
# regexp: '([ ]+image:[ "]+)(?!({{ _template.pattern }}|"{{ _template.pattern }}))'
# replace: '\1{{ _template.pattern }}'
# vars:
# fileglobs:
# - "{{ query('ansible.builtin.fileglob', '/opt/metacluster/cluster-api/cni-calico/' ~ components.clusterapi.workload.version.calico ~ '/*.yaml') }}"
# - "{{ query('ansible.builtin.fileglob', '/opt/metacluster/cluster-api/infrastructure-vsphere/' ~ components.clusterapi.management.version.infrastructure_vsphere ~ '/*.yaml') }}"
# _template:
# pattern: registry.{{ vapp['metacluster.fqdn'] }}/library/
# loop: "{{ fileglobs[0:] | flatten | select }}"
# loop_control:
# label: "{{ item | basename }}"
# when:
# - item is not search("components.yaml|metadata.yaml")
- name: Generate kustomization template - name: Generate kustomization template
ansible.builtin.template: ansible.builtin.template:
src: kustomization.cluster-template.j2 src: kustomization.cluster-template.j2
@ -155,6 +138,21 @@
-f {{ capi_clustermanifest.path }}/new-cluster.yaml \ -f {{ capi_clustermanifest.path }}/new-cluster.yaml \
-o {{ capi_clustermanifest.path }}/manifests -o {{ capi_clustermanifest.path }}/manifests
- name: Create in-cluster IpPool
ansible.builtin.template:
src: ippool.j2
dest: "{{ capi_clustermanifest.path }}/manifests/inclusterippool-{{ _template.cluster.name }}.yml"
vars:
_template:
cluster:
name: "{{ vapp['workloadcluster.name'] | lower }}"
namespace: default
network:
startip: "{{ vapp['ippool.startip'] }}"
endip: "{{ vapp['ippool.endip'] }}"
prefix: "{{ vapp['guestinfo.prefixlength'] }}"
gateway: "{{ vapp['guestinfo.gateway'] }}"
- name: Initialize/Push git repository - name: Initialize/Push git repository
ansible.builtin.shell: ansible.builtin.shell:
cmd: | cmd: |
@ -168,6 +166,12 @@
git push https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git --all git push https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git --all
chdir: "{{ capi_clustermanifest.path }}" chdir: "{{ capi_clustermanifest.path }}"
- name: Cleanup tempfolder
ansible.builtin.file:
path: "{{ capi_clustermanifest.path }}"
state: absent
when: capi_clustermanifest.path is defined
- name: Configure Cluster API repository - name: Configure Cluster API repository
ansible.builtin.template: ansible.builtin.template:
src: gitrepo.j2 src: gitrepo.j2
@ -183,30 +187,6 @@
notify: notify:
- Apply manifests - Apply manifests
# Temporarily disabled until manifests are properly managed by gitops
# - name: Cleanup tempfolder
# ansible.builtin.file:
# path: "{{ capi_clustermanifest.path }}"
# state: absent
# when: capi_clustermanifest.path is defined
# TODO: Move to gitops
- name: Create in-cluster IpPool
kubernetes.core.k8s:
template: ippool.j2
state: present
kubeconfig: "{{ kubeconfig.path }}"
vars:
_template:
cluster:
name: "{{ vapp['workloadcluster.name'] | lower }}"
namespace: default
network:
startip: "{{ vapp['ippool.startip'] }}"
endip: "{{ vapp['ippool.endip'] }}"
prefix: "{{ vapp['guestinfo.prefixlength'] }}"
gateway: "{{ vapp['guestinfo.gateway'] }}"
- name: WORKAROUND - Wait for ingress ACME requests to complete - name: WORKAROUND - Wait for ingress ACME requests to complete
ansible.builtin.shell: ansible.builtin.shell:
cmd: >- cmd: >-
@ -228,7 +208,7 @@
vars: vars:
_template: _template:
application: application:
name: argocd-application-clusterapi name: application-clusterapi-workloadcluster
namespace: argo-cd namespace: argo-cd
cluster: cluster:
name: https://kubernetes.default.svc name: https://kubernetes.default.svc
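Review bot: The new "Create in-cluster IpPool" task writes `inclusterippool-<cluster>.yml` into the same `manifests` directory where the sibling file two lines above is `new-cluster.yaml`; that directory is committed and pushed as a unit, so use one extension: `dest: "{{ capi_clustermanifest.path }}/manifests/inclusterippool-{{ _template.cluster.name }}.yaml"`. Moving the pool into the pushed repository also removes the direct `kubeconfig`-based apply that previously guaranteed the pool existed before the cluster was created, so the object now appears only when whatever reconciles that repository runs — presumably intended, but worth confirming against the consumer's ordering. The adjacent "Initialize/Push git repository" task embeds `vapp['metacluster.password']` in the `git push` URL of a `shell` command, and Ansible records `cmd` in the task result; that task should carry `no_log: true` (or push through a credential helper) to keep the secret out of logs. The play containing these tasks starts and ends outside this section.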


@ -26,89 +26,64 @@
git push https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git --all git push https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git --all
chdir: /opt/workloadcluster/git-repositories/gitops chdir: /opt/workloadcluster/git-repositories/gitops
- block: - name: Retrieve workload-cluster kubeconfig
kubernetes.core.k8s_info:
kind: Secret
name: "{{ vapp['workloadcluster.name'] }}-kubeconfig"
namespace: default
kubeconfig: "{{ kubeconfig.path }}"
register: secret_workloadcluster_kubeconfig
# - name: Generate service account in workload-cluster - name: Register workload-cluster in argo-cd
# kubernetes.core.k8s: kubernetes.core.k8s:
# template: serviceaccount.j2 template: cluster.j2
# state: present state: present
kubeconfig: "{{ kubeconfig.path }}"
vars:
_template:
cluster:
name: "{{ vapp['workloadcluster.name'] | lower }}"
secret: argocd-cluster-{{ vapp['workloadcluster.name'] | lower }}
url: https://{{ vapp['workloadcluster.vip'] }}:6443
kubeconfig:
ca: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).clusters[0].cluster['certificate-authority-data'] }}"
certificate: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-certificate-data'] }}"
key: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-key-data'] }}"
# - name: Retrieve service account bearer token - name: Configure workload-cluster GitOps repository
# kubernetes.core.k8s_info: ansible.builtin.template:
# kind: Secret src: gitrepo.j2
# name: "{{ _template.account.name }}-secret" dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
# namespace: "{{ _template.account.namespace }}" owner: root
# register: workloadcluster_bearertoken group: root
mode: 0600
vars:
_template:
name: argocd-gitrepo-wl-gitopsconfig
namespace: argo-cd
url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
notify:
- Apply manifests
- name: Retrieve workload-cluster kubeconfig - name: Create applicationset
kubernetes.core.k8s_info: ansible.builtin.template:
kind: Secret src: applicationset.j2
name: "{{ vapp['workloadcluster.name'] }}-kubeconfig" dest: /var/lib/rancher/k3s/server/manifests/{{ _template.application.name }}-manifest.yaml
namespace: default owner: root
kubeconfig: "{{ kubeconfig.path }}" group: root
register: secret_workloadcluster_kubeconfig mode: 0600
vars:
_template:
application:
name: applicationset-workloadcluster
namespace: argo-cd
cluster:
url: https://{{ vapp['workloadcluster.vip'] }}:6443
repository:
url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
revision: main
notify:
- Apply manifests
- name: Register workload-cluster in argo-cd - name: Trigger handlers
kubernetes.core.k8s: ansible.builtin.meta: flush_handlers
template: cluster.j2
state: present
kubeconfig: "{{ kubeconfig.path }}"
vars:
_template:
cluster:
name: "{{ vapp['workloadcluster.name'] | lower }}"
secret: argocd-cluster-{{ vapp['workloadcluster.name'] | lower }}
url: https://{{ vapp['workloadcluster.vip'] }}:6443
kubeconfig:
ca: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).clusters[0].cluster['certificate-authority-data'] }}"
certificate: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-certificate-data'] }}"
key: "{{ (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-key-data'] }}"
- name: Configure workload-cluster GitOps repository
ansible.builtin.template:
src: gitrepo.j2
dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
owner: root
group: root
mode: 0600
vars:
_template:
name: argocd-gitrepo-wl-gitopsconfig
namespace: argo-cd
url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
notify:
- Apply manifests
- name: Create applicationset
ansible.builtin.template:
src: applicationset.j2
dest: /var/lib/rancher/k3s/server/manifests/{{ _template.application.name }}-manifest.yaml
owner: root
group: root
mode: 0600
vars:
_template:
application:
name: argocd-applicationset-workloadcluster
namespace: argo-cd
cluster:
url: https://{{ vapp['workloadcluster.vip'] }}:6443
repository:
url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
notify:
- Apply manifests
- name: Trigger handlers
ansible.builtin.meta: flush_handlers
# vars:
# _template:
# account:
# name: argocd-sa
# namespace: default
# clusterrolebinding:
# name: argocd-crb
module_defaults:
group/k8s:
kubeconfig: "{{ capi_kubeconfig.path }}"
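Review bot: Renaming the applicationset to `applicationset-workloadcluster` changes the `dest` filename written under `/var/lib/rancher/k3s/server/manifests/`, but nothing removes the previously written `argocd-applicationset-workloadcluster-manifest.yaml`; on a node that already ran the old version both files are auto-deployed and two ApplicationSets coexist until the stale file is deleted (the renames in the third and fourth files have the same effect). If re-runs against an existing node are possible, add an `ansible.builtin.file` task with `state: absent` for the old path ahead of the template task. The moved "Register workload-cluster in argo-cd" task templates the workload cluster's client certificate and key into a Secret via `kubernetes.core.k8s`, whose return value typically includes the resulting object; give that task `no_log: true` so the credentials do not land in task output. The `module_defaults` block and the enclosing play extend beyond this section.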


@ -7,22 +7,25 @@ spec:
generators: generators:
- git: - git:
repoURL: {{ _template.repository.url }} repoURL: {{ _template.repository.url }}
revision: HEAD revision: {{ _template.repository.revision }}
directories: directories:
- path: charts/* - path: charts/*/*
template: template:
metadata: metadata:
name: {% raw %}'{{ path.basename }}'{% endraw +%} name: application-{% raw %}{{ path.basename }}{% endraw +%}
spec: spec:
project: default project: default
syncPolicy: syncPolicy:
automated: automated:
prune: true prune: true
selfHeal: true selfHeal: true
source: sources:
repoURL: {{ _template.repository.url }} - repoURL: {{ _template.repository.url }}
targetRevision: HEAD targetRevision: {{ _template.repository.revision }}
path: {% raw %}'{{ path }}'{% endraw +%} path: {% raw %}'{{ path }}'{% endraw +%}
helm:
valueFiles:
- /values/{% raw %}{{ path.basename }}{% endraw %}/values.yaml
destination: destination:
server: {{ _template.cluster.url }} server: {{ _template.cluster.url }}
namespace: default namespace: {% raw %}'{{ path[1] }}'{% endraw +%}
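Review bot: The destination namespace is now taken from the repository path (`path[1]`, which per the values file becomes `longhorn-system` or `sealed-secrets`) instead of `default`, but the generated Application has no `syncOptions`, so a namespace that does not yet exist on the workload cluster makes the automated sync fail; add `syncOptions:` with `- CreateNamespace=true` under `syncPolicy`. The switch to `sources:` with a single entry introduces the multi-source form only to carry `helm.valueFiles`; `/values/<chart>/values.yaml` is written as an absolute path while Argo CD resolves value files relative to the source `path` unless the `ref:`/`$ref` mechanism is used, so confirm on a rendered Application that this file is actually found (a second source with `ref: values` and `$values/values/...` is the documented form). With `prune: true` and `selfHeal: true` the namespace now also governs what the Application may delete, so a wrong `path[1]` segment affects a different namespace than before. The ApplicationSet `spec` starts before this hunk.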


@ -1,27 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ _template.account.name }}
namespace: {{ _template.account.namespace }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ _template.account.name }}-secret
namespace: {{ _template.account.namespace }}
annotations:
kubernetes.io/service-account.name: {{ _template.account.name }}
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ _template.clusterrolebinding.name }}
subjects:
- kind: ServiceAccount
name: {{ _template.account.name }}
namespace: {{ _template.account.namespace }}
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io


@ -11,46 +11,16 @@ downstream:
longhorn: longhorn:
version: 1.4.1 version: 1.4.1
chart: longhorn/longhorn chart: longhorn/longhorn
namespace: longhorn-system
parse_logic: cat values.yaml | yq eval '.. | select(has("repository")) | .repository + ":" + .tag' parse_logic: cat values.yaml | yq eval '.. | select(has("repository")) | .repository + ":" + .tag'
chart_values: !unsafe | chart_values: !unsafe |
defaultSettings: defaultSettings:
defaultDataPath: /mnt/blockstorage defaultDataPath: /mnt/blockstorage
global:
cattle:
systemDefaultRegistry: registry.{{ vapp['metacluster.fqdn'] }}
image:
longhorn:
engine:
repository: library/docker.io/longhornio/longhorn-engine
manager:
repository: library/docker.io/longhornio/longhorn-manager
ui:
repository: library/docker.io/longhornio/longhorn-ui
instanceManager:
repository: library/docker.io/longhornio/longhorn-instance-manager
shareManager:
repository: library/docker.io/longhornio/longhorn-share-manager
backingImageManager:
repository: library/docker.io/longhornio/backing-image-manager
supportBundleKit:
repository: library/docker.io/longhornio/support-bundle-kit
csi:
attacher:
repository: library/docker.io/longhornio/csi-attacher
provisioner:
repository: library/docker.io/longhornio/csi-provisioner
nodeDriverRegistrar:
repository: library/docker.io/longhornio/csi-node-driver-registrar
resizer:
repository: library/docker.io/longhornio/csi-resizer
snapshotter:
repository: library/docker.io/longhornio/csi-snapshotter
livenessProbe:
repository: library/docker.io/longhornio/livenessprobe
sealed-secrets: sealed-secrets:
version: 2.8.1 # (= Sealed Secrets v0.20.2) version: 2.8.1 # (= Sealed Secrets v0.20.2)
chart: sealed-secrets/sealed-secrets chart: sealed-secrets/sealed-secrets
namespace: sealed-secrets
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
chart_values: !unsafe | chart_values: !unsafe |
# Empty # Empty
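Review bot: Dropping `global.cattle.systemDefaultRegistry` and the per-image `repository:` overrides from the longhorn `chart_values` means the chart's default upstream image references are rendered instead of `registry.<metacluster fqdn>/library/...`; if image redirection to the local registry is now handled elsewhere (a containerd mirror, for instance) this is fine, but otherwise an isolated workload cluster would pull from docker.io. A short comment above `chart_values` recording where the registry redirection now lives, e.g. `# image overrides intentionally omitted; registry rewrite handled by <PLACEHOLDER: mechanism>`, would save the next reader the search. The new `namespace:` key is used as a directory name by the fetch/parse tasks and, via the `charts/<namespace>/<chart>` layout, presumably as the Application's destination namespace, so keep it a valid DNS label. The `downstream:` mapping continues beyond the hunk.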