From 89cf69adc7f1be189a8c5df63177eacba3d84347 Mon Sep 17 00:00:00 2001 From: Danny Bessems Date: Sun, 2 Apr 2023 22:36:23 +0200 Subject: [PATCH] Refactor cluster registration --- .../roles/metacluster/tasks/gitops.yml | 2 +- .../roles/workloadcluster/tasks/gitops.yml | 46 +++++++++++-------- .../bootstrap/templates/applicationset.j2 | 2 +- .../bootstrap/templates/cluster.j2 | 6 ++- ...eaccount.j2 => serviceaccount.j2.DISABLED} | 0 5 files changed, 34 insertions(+), 22 deletions(-) rename ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/{serviceaccount.j2 => serviceaccount.j2.DISABLED} (100%) diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/gitops.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/gitops.yml index 915950d..4d00ff4 100644 --- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/gitops.yml +++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/gitops.yml @@ -58,7 +58,7 @@ name: argocd-applicationset-metacluster namespace: argo-cd cluster: - name: https://kubernetes.default.svc + url: https://kubernetes.default.svc repository: url: https://git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.Config.git notify: diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml index 9cf5f65..1f32468 100644 --- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml +++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml 
@@ -28,19 +28,26 @@ - block: - - name: Generate service account in workload cluster - kubernetes.core.k8s: - template: serviceaccount.j2 - state: present + # - name: Generate service account in workload-cluster + # kubernetes.core.k8s: + # template: serviceaccount.j2 + # state: present - - name: Retrieve service account bearer token + # - name: Retrieve service account bearer token + # kubernetes.core.k8s_info: + # kind: Secret + # name: "{{ _template.account.name }}-secret" + # namespace: "{{ _template.account.namespace }}" + # register: workloadcluster_bearertoken + + - name: Retrieve workload-cluster kubeconfig kubernetes.core.k8s_info: kind: Secret - name: "{{ _template.account.name }}-secret" - namespace: "{{ _template.account.namespace }}" - register: workloadcluster_bearertoken + name: "{{ vapp['workloadcluster.name'] }}-kubeconfig" + namespace: default + register: secret_workloadcluster_kubeconfig - - name: Register workload cluster in argo-cd + - name: Register workload-cluster in argo-cd kubernetes.core.k8s: template: cluster.j2 state: present @@ -51,7 +58,10 @@ name: "{{ vapp['workloadcluster.name'] | lower }}" secret: argocd-cluster-{{ vapp['workloadcluster.name'] | lower }} url: https://{{ vapp['workloadcluster.vip'] }}:6443 - token: "{{ workloadcluster_bearertoken.resources | json_query('[].data.token') }}" + kubeconfig: + ca: (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).clusters[0].cluster['certificate-authority-data'] | b64encode + certificate: (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-certificate-data'] | b64encode + key: (secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml).users[0].user['client-key-data'] | b64encode - name: Configure workload-cluster GitOps repository ansible.builtin.template: 
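Review bot: The new "Retrieve workload-cluster kubeconfig" task registers `secret_workloadcluster_kubeconfig` without checking that the lookup returned anything; `kubernetes.core.k8s_info` yields an empty `resources` list for a missing Secret, and the registration task's vars index `resources[0]`, so a kubeconfig Secret that does not exist yet (or is named differently) surfaces as an opaque templating error rather than a clear failure — add `until: secret_workloadcluster_kubeconfig.resources | length > 0` with `retries: 30` and `delay: 10` (constructed values, tune to the environment), or at least a `failed_when`. On naming, the Secret lookup uses `vapp['workloadcluster.name']` unlowered while the cluster name passed to cluster.j2 uses `| lower`; if the Cluster object is created with the lowercased name this lookup would miss, so the two should presumably agree. Since the "Register workload-cluster in argo-cd" task now renders a client private key into the Argo CD cluster Secret, `no_log: true` on that task would keep the rendered material out of verbose or diff output. The commented-out service-account tasks here, the commented-out `vars:` in the hunk at @@ -91,13 +101,13 @@ and the serviceaccount.j2 → .DISABLED rename are dead code that history already preserves; if they are meant to stay, one line such as `# bearer-token registration disabled in favour of the kubeconfig client certificate` says why. The `- block:` these tasks belong to continues past the hunk.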
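Review bot: The three new `kubeconfig` values are plain strings, not Jinja expressions — unlike the `token:` line they replace, they are not wrapped in `{{ }}` — so Ansible hands cluster.j2 the literal text `(secret_workloadcluster_kubeconfig.resources[0]...` rather than certificate material, and the resulting Argo CD cluster Secret carries no usable TLS config. The trailing `| b64encode` is also one encoding too many: the kubeconfig's `certificate-authority-data`, `client-certificate-data` and `client-key-data` fields are already base64-encoded PEM, which is the form Argo CD's `tlsClientConfig` expects. With the shared prefix `(secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml)` written as `(…)`, the lines become `ca: "{{ (…).clusters[0].cluster['certificate-authority-data'] }}"`, `certificate: "{{ (…).users[0].user['client-certificate-data'] }}"` and `key: "{{ (…).users[0].user['client-key-data'] }}"`. Decoding the Secret once into a helper variable in the same `vars:` mapping (e.g. `_kubeconfig: "{{ secret_workloadcluster_kubeconfig.resources[0].data.value | b64decode | from_yaml }}"`) would remove the triplicated pipeline; the task's `vars:` key and the rest of `_template` start outside the hunk.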
@@ -81,7 +91,7 @@ name: argocd-applicationset-workloadcluster namespace: argo-cd cluster: - name: "{{ vapp['workloadcluster.name'] | lower }}" + url: https://{{ vapp['workloadcluster.vip'] }}:6443 repository: url: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git @@ -91,13 +101,13 @@ - name: Trigger handlers ansible.builtin.meta: flush_handlers - vars: - _template: - account: - name: argocd-sa - namespace: default - clusterrolebinding: - name: argocd-crb + # vars: + # _template: + # account: + # name: argocd-sa + # namespace: default + # clusterrolebinding: + # name: argocd-crb module_defaults: group/k8s: kubeconfig: "{{ capi_kubeconfig.path }}" diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/applicationset.j2 b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/applicationset.j2 index 5417227..4160fe4 100644 --- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/applicationset.j2 +++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/applicationset.j2 @@ -24,5 +24,5 @@ spec: targetRevision: HEAD path: {% raw %}'{{ path }}'{% endraw +%} destination: - server: {{ _template.cluster.name }} + server: {{ _template.cluster.url }} namespace: default diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/cluster.j2 b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/cluster.j2 index bbaec5c..0d932a8 100644 --- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/cluster.j2 +++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/cluster.j2 @@ -11,8 +11,10 @@ stringData: server: {{ _template.cluster.url }} config: | { - "bearerToken": "{{ _template.cluster.token }}", "tlsClientConfig": { - "insecure": true + "insecure": false, + "caData": "{{ _template.kubeconfig.ca }}", + "certData": "{{ _template.kubeconfig.certificate }}", + "keyData": "{{ _template.kubeconfig.key }}" } } 
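Review bot: `server: {{ _template.cluster.url }}` is rendered as an unquoted YAML scalar; quoting the templated value — `server: "{{ _template.cluster.url }}"` — keeps the rendered manifest valid should the URL ever contain a YAML-significant sequence or expand to empty (an empty expansion otherwise renders as `null`). The same quoting would suit the other templated scalars in this file, though they are outside the hunk.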
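Review bot: The `config: |` block builds JSON by interpolating `_template.kubeconfig.ca`, `.certificate` and `.key` straight into hand-written quotes, so a value containing a `"` or `\` (or anything other than base64) yields broken or undecodable JSON with no error at render time; emitting each value through the JSON filter — `"caData": {{ _template.kubeconfig.ca | to_json }},` and likewise for `certData` and `keyData` (the filter supplies the surrounding quotes) — makes the template robust, or the whole object could be produced with a single `to_json`. Setting `insecure` to `false` together with a pinned `caData` is the right direction. What `keyData` now stores is the private key of the kubeconfig's client certificate; if that is the CAPI-generated admin kubeconfig it is presumably a `system:masters` credential that cannot be revoked short of CA rotation, which is worth recording in the template, e.g. `{# client cert/key come from the workload cluster's kubeconfig Secret: full admin on that cluster, and the key now lives in this Secret #}`.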
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/serviceaccount.j2 b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/serviceaccount.j2.DISABLED similarity index 100% rename from ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/serviceaccount.j2 rename to ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/serviceaccount.j2.DISABLED