diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml b/ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml
index e2e20a2..9c9f605 100644
--- a/ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml
@@ -25,7 +25,7 @@ line: 'PasswordAuthentication yes' state: absent loop_control: - label: "{{ '[' + item.regex + '] ' + item.state }}" + label: "{{ '[' + item.line + '] ' + item.state }}" - name: Create dedicated SSH keypair community.crypto.openssh_keypair:
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index 0904ee8..185505e 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@@ -34,14 +34,16 @@ platform: certResolver: stepca helm_repositories: - - name: longhorn - url: https://charts.longhorn.io - - name: harbor - url: https://helm.goharbor.io - - name: gitea-charts - url: https://dl.gitea.io/charts/ - name: argo url: https://argoproj.github.io/argo-helm + - name: gitea-charts + url: https://dl.gitea.io/charts/ + - name: harbor + url: https://helm.goharbor.io + - name: jetstack + url: https://charts.jetstack.io + - name: longhorn + url: https://charts.longhorn.io - name: sealed-secrets url: https://bitnami-labs.github.io/sealed-secrets - name: smallstep
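Review bot: The new label dereferences `item.line` for every item of the loop, and the loop (whose task header starts outside the hunk) aborts at render time if any item lacks that attribute, which is the same failure mode the old `item.regex` label presumably had; if items of mixed shape exist, `label: "{{ '[' + (item.line | default('')) + '] ' + item.state }}"` keeps the task running. The one visible item removes `PasswordAuthentication yes` with `state: absent`; on its own that only restores OpenSSH's compiled-in default, which is password authentication enabled, so the hardening depends on a sibling item (not visible here) adding `PasswordAuthentication no` with `state: present`. A short comment on the loop stating which item enforces the `no` would make that dependency explicit.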
@@ -49,66 +51,30 @@ platform: components: - longhorn: + argo-cd: helm: - version: 1.3.0 - chart: longhorn/longhorn - parse_logic: cat values.yaml | yq eval '.. | select(has("repository")) | .repository + ":" + .tag' - chart_values: !unsafe | - defaultSettings: - defaultDataPath: /mnt/blockstorage - defaultReplicaCount: 1 - ingress: - enabled: true - host: storage.{{ vapp['metacluster.fqdn'] }} - persistence: - defaultClassReplicaCount: 1 - - step-certificates: - helm: - version: 1.18.2+20220324 - chart: smallstep/step-certificates - parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u - chart_values: !unsafe | - ca: - bootstrap: - postInitHook: | - echo '{{ vapp["guestinfo.rootpw"] }}' > ~/pwfile - step ca provisioner add acme \ - --type ACME \ - --password-file=~/pwfile \ - --force-cn - rm ~/pwfile - dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1 - password: "{{ vapp['guestinfo.rootpw'] }}" - provisioner: - name: admin - password: "{{ vapp['guestinfo.rootpw'] }}" - inject: - secrets: - ca_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}" - provisioner_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}" - service: - targetPort: 9000 - - harbor: - helm: - version: 1.9.1 # (= Harbor v2.5.1) - chart: harbor/harbor + version: 4.9.7 # (= ArgoCD v2.4.2) + chart: argo/argo-cd parse_logic: helm template . | yq --no-doc eval '.. | .image? 
| select(.)' | sort -u | awk '!/ /' chart_values: !unsafe | - expose: + configs: + secret: + argocdServerAdminPassword: "{{ vapp['guestinfo.rootpw'] | password_hash('bcrypt') }}" + server: + extraArgs: + - --insecure ingress: - annotations: {} + enabled: true hosts: - core: registry.{{ vapp['metacluster.fqdn'] }} - tls: - certSource: none - enabled: false - externalURL: https://registry.{{ vapp['metacluster.fqdn'] }} - harborAdminPassword: "{{ vapp['guestinfo.rootpw'] }}" - notary: - enabled: false + - gitops.{{ vapp['metacluster.fqdn'] }} + + cert-manager: + helm: + version: 1.9.1 + chart: jetstack/cert-manager + parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' + # chart_values: !unsafe | + # installCRDs: true gitea: helm: 
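Review bot: The new `cert-manager` entry has its `chart_values` commented out, so `installCRDs: true` is never passed and the jetstack chart at this version installs no CRDs by default; unless another step applies them, every `Issuer`/`Certificate` the platform creates later is rejected by the API server. Either restore `chart_values: !unsafe |` followed by `installCRDs: true`, or put a comment on the entry naming the step that installs the CRDs. It is also the only component in this list without a `chart_values` key, so whatever consumes `components.*.helm` must tolerate the key being absent; if that is intentional, say so in the same comment. On the moved `argo-cd` block, `--insecure` makes argocd-server serve plain HTTP behind the ingress, which is the usual layout when TLS terminates at the ingress, and a comment such as `# TLS terminates at the ingress; argocd-server itself listens on plain HTTP` records that it is deliberate.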
@@ -141,22 +107,39 @@ components: port: 22 clusterIP: - argo-cd: + harbor: helm: - version: 4.9.7 # (= ArgoCD v2.4.2) - chart: argo/argo-cd + version: 1.9.1 # (= Harbor v2.5.1) + chart: harbor/harbor parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' chart_values: !unsafe | - configs: - secret: - argocdServerAdminPassword: "{{ vapp['guestinfo.rootpw'] | password_hash('bcrypt') }}" - server: - extraArgs: - - --insecure + expose: ingress: - enabled: true + annotations: {} hosts: - - gitops.{{ vapp['metacluster.fqdn'] }} + core: registry.{{ vapp['metacluster.fqdn'] }} + tls: + certSource: none + enabled: false + externalURL: https://registry.{{ vapp['metacluster.fqdn'] }} + harborAdminPassword: "{{ vapp['guestinfo.rootpw'] }}" + notary: + enabled: false + + longhorn: + helm: + version: 1.3.0 + chart: longhorn/longhorn + parse_logic: cat values.yaml | yq eval '.. | select(has("repository")) | .repository + ":" + .tag' + chart_values: !unsafe | + defaultSettings: + defaultDataPath: /mnt/blockstorage + defaultReplicaCount: 1 + ingress: + enabled: true + host: storage.{{ vapp['metacluster.fqdn'] }} + persistence: + defaultClassReplicaCount: 1 sealed-secrets: helm: 
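Review bot: In the moved `harbor` block, `expose.tls.enabled: false` is combined with `externalURL: https://registry.{{ vapp['metacluster.fqdn'] }}`, so Harbor advertises HTTPS (redirects, docker login endpoint) while only ever speaking HTTP to whatever fronts it; this works only if the ingress terminates TLS for that host, and `annotations: {}` leaves nothing in the values that shows how that is arranged. A comment on `tls:` such as `# TLS is terminated at the ingress; Harbor itself serves HTTP` would make the assumption visible. `harborAdminPassword` is the same `vapp['guestinfo.rootpw']` value that the other components in this file also use as their admin secret, which is worth a note on the block so that an operator knows a rotation must cover every service at once.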
@@ -164,6 +147,33 @@ components: chart: sealed-secrets/sealed-secrets parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' + step-certificates: + helm: + version: 1.18.2+20220324 + chart: smallstep/step-certificates + parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u + chart_values: !unsafe | + ca: + bootstrap: + postInitHook: | + echo '{{ vapp["guestinfo.rootpw"] }}' > ~/pwfile + step ca provisioner add acme \ + --type ACME \ + --password-file=~/pwfile \ + --force-cn + rm ~/pwfile + dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1 + password: "{{ vapp['guestinfo.rootpw'] }}" + provisioner: + name: admin + password: "{{ vapp['guestinfo.rootpw'] }}" + inject: + secrets: + ca_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}" + provisioner_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}" + service: + targetPort: 9000 + dependencies: ansible_galaxy_collections: @@ -178,6 +188,8 @@ dependencies: - vmware/powerclicore:12.7 static_binaries: + - filename: clusterctl + url: https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.2/clusterctl-linux-amd64 - filename: govc url: https://github.com/vmware/govmomi/releases/download/v0.29.0/govc_Linux_x86_64.tar.gz archive: compressed
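Review bot: In the added `postInitHook`, `echo '{{ vapp["guestinfo.rootpw"] }}' > ~/pwfile` interpolates the password verbatim into a single-quoted shell string, so a password containing `'` breaks the quoting and the rest of the value becomes shell syntax; assuming the `!unsafe` block is later rendered by Ansible, `echo {{ vapp["guestinfo.rootpw"] | quote }} > ~/pwfile` yields a correctly quoted literal. The following `--password-file=~/pwfile` relies on tilde expansion after `=`, which bash performs but a POSIX sh does not, so `--password-file="$HOME/pwfile"` is the portable spelling. The same rootpw value also becomes the CA key password, the admin provisioner password and the injected secrets, so one leaked value compromises the whole CA; a comment on `ca:` stating that these are expected to be rotated after bootstrap would be useful.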
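Review bot: The new `clusterctl` entry downloads a release binary from GitHub with no integrity check, so whatever fetches `static_binaries` trusts the tag alone; if that task is `get_url`, a `checksum: sha256:<value from the v1.2.2 release assets>` field (or a `checksum` key in this list that the task passes through) pins the binary to the intended build. Unlike the `govc` entry it carries no `archive:` key, which fits a bare binary only if the consumer treats a missing `archive` as "not compressed", which is worth confirming before relying on it.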