Refactor cluster registration

2023-04-02 22:36:23 +02:00 · 2023-04-02 22:36:23 +02:00 · 89cf69adc7
commit 89cf69adc7
parent 3f9fc4b7aa
5 changed files with 34 additions and 22 deletions
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/gitops.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/gitops.yml
@ -58,7 +58,7 @@
            name: argocd-applicationset-metacluster
            namespace: argo-cd
          cluster:
-            name: https://kubernetes.default.svc
+            url: https://kubernetes.default.svc
          repository:
            url: https://git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.Config.git
      notify:
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml
@ -28,19 +28,26 @@

 - block:

-    - name: Generate service account in workload cluster
-      kubernetes.core.k8s:
-        template: serviceaccount.j2
-        state: present
+    # - name: Generate service account in workload-cluster
+    #   kubernetes.core.k8s:
+    #     template: serviceaccount.j2
+    #     state: present

-    - name: Retrieve service account bearer token
+    # - name: Retrieve service account bearer token
+    #   kubernetes.core.k8s_info:
+    #     kind: Secret
+    #     name: "{{ _template.account.name }}-secret"
+    #     namespace: "{{ _template.account.namespace }}"
+    #   register: workloadcluster_bearertoken
+
+    - name: Retrieve workload-cluster kubeconfig
      kubernetes.core.k8s_info:
        kind: Secret
-        name: "{{ _template.account.name }}-secret"
-        namespace: "{{ _template.account.namespace }}"
-      register: workloadcluster_bearertoken
+        name: "{{ vapp['workloadcluster.name'] }}-kubeconfig"
+        namespace: default
+      register: secret_workloadcluster_kubeconfig

-    - name: Register workload cluster in argo-cd
+    - name: Register workload-cluster in argo-cd
      kubernetes.core.k8s:
        template: cluster.j2
        state: present
@ -51,7 +58,10 @@
            name: "{{ vapp['workloadcluster.name'] | lower }}"
            secret: argocd-cluster-{{ vapp['workloadcluster.name'] | lower }}
            url: https://{{ vapp['workloadcluster.vip'] }}:6443
-            token: "{{ workloadcluster_bearertoken.resources | json_query('[].data.token') }}"
+          kubeconfig:
+            ca: (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).clusters[0].cluster['certificate-authority-data'] | b64encode
+            certificate: (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-certificate-data'] | b64encode
+            key: (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-key-data'] | b64encode

    - name: Configure workload-cluster GitOps repository
      ansible.builtin.template:
@ -81,7 +91,7 @@
            name: argocd-applicationset-workloadcluster
            namespace: argo-cd
          cluster:
-            name: "{{ vapp['workloadcluster.name'] | lower }}"
+            url: https://{{ vapp['workloadcluster.vip'] }}:6443
          repository:
            url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git

@ -91,13 +101,13 @@
    - name: Trigger handlers
      ansible.builtin.meta: flush_handlers

-  vars:
-    _template:
-      account:
-        name: argocd-sa
-        namespace: default
-      clusterrolebinding:
-        name: argocd-crb
+  # vars:
+  #   _template:
+  #     account:
+  #       name: argocd-sa
+  #       namespace: default
+  #     clusterrolebinding:
+  #       name: argocd-crb
  module_defaults:
    group/k8s:
      kubeconfig: "{{ capi_kubeconfig.path }}"
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/applicationset.j2
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/applicationset.j2
@ -24,5 +24,5 @@ spec:
        targetRevision: HEAD
        path: {% raw %}'{{ path }}'{% endraw +%}
      destination:
-        server: {{ _template.cluster.name }}
+        server: {{ _template.cluster.url }}
        namespace: default
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/cluster.j2
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/cluster.j2
@ -11,8 +11,10 @@ stringData:
  server: {{ _template.cluster.url }}
  config: |
    {
-      "bearerToken": "{{ _template.cluster.token }}",
      "tlsClientConfig": {
-        "insecure": true
+        "insecure": false,
+        "caData": "{{ _template.kubeconfig.ca }}",
+        "certData": "{{ _template.kubeconfig.certificate }}",
+        "keyData": "{{ _template.kubeconfig.key }}"
      }
    }
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/serviceaccount.j2.DISABLED
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/serviceaccount.j2.DISABLED