chore: Fix/Remove incorrect/redundant key references

This commit is contained in:
Danny Bessems 2023-08-22 21:17:18 +02:00
parent 2110eb9e2c
commit b009395f62
2 changed files with 17 additions and 9 deletions


@ -15,7 +15,7 @@
kubernetes.core.helm: kubernetes.core.helm:
name: pinniped name: pinniped
chart_ref: /opt/metacluster/helm-charts/pinniped chart_ref: /opt/metacluster/helm-charts/pinniped
release_namespace: pinniped release_namespace: pinniped-supervisor
create_namespace: true create_namespace: true
wait: false wait: false
kubeconfig: "{{ kubeconfig.path }}" kubeconfig: "{{ kubeconfig.path }}"
@ -30,7 +30,7 @@
_template: _template:
name: "{{ item.name }}" name: "{{ item.name }}"
namespace: "{{ item.namespace }}" namespace: "{{ item.namespace }}"
config: "{{ item.config }}" spec: "{{ item.spec }}"
loop: loop:
- kind: ingressroute - kind: ingressroute
name: pinniped-supervisor name: pinniped-supervisor
@ -55,6 +55,8 @@
spec: |2 spec: |2
insecureSkipVerify: true insecureSkipVerify: true
serverName: auth.{{ vapp['metacluster.fqdn'] }} serverName: auth.{{ vapp['metacluster.fqdn'] }}
loop_control:
label: "{{ item.kind ~ '/' ~ item.name ~ ' (' ~ item.namespace ~ ')' }}"
- name: Ensure pinniped API availability - name: Ensure pinniped API availability
ansible.builtin.uri: ansible.builtin.uri:
@ -94,10 +96,13 @@
namespace: pinniped-supervisor namespace: pinniped-supervisor
type: kubernetes.io/tls type: kubernetes.io/tls
data: data:
- tls.crt: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.crt') }}" - key: tls.crt
- tls.key: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.key') }}" value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.crt') }}"
- key: tls.key
value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.key') }}"
# TODO: Migrate to step-ca # TODO: Migrate to step-ca
-
- name: Create pinniped resources - name: Create pinniped resources
kubernetes.core.k8s: kubernetes.core.k8s:
template: "{{ item.kind }}.j2" template: "{{ item.kind }}.j2"
@ -107,7 +112,6 @@
_template: _template:
name: "{{ item.name }}" name: "{{ item.name }}"
namespace: "{{ item.namespace }}" namespace: "{{ item.namespace }}"
config: "{{ item.config }}"
data: "{{ item.data | default(omit) }}" data: "{{ item.data | default(omit) }}"
spec: "{{ item.spec | default(omit) }}" spec: "{{ item.spec | default(omit) }}"
loop: loop:
@ -117,7 +121,7 @@
spec: |2 spec: |2
issuer: https://idps.{{ vapp['metacluster.fqdn'] }} issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
tls: tls:
certificateAuthorityData: {{ ca_bundle }} certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
authorizationConfig: authorizationConfig:
additionalScopes: [offline_access, groups, email] additionalScopes: [offline_access, groups, email]
allowPasswordGrant: false allowPasswordGrant: false
@ -131,8 +135,10 @@
namespace: pinniped-supervisor namespace: pinniped-supervisor
type: secrets.pinniped.dev/oidc-client type: secrets.pinniped.dev/oidc-client
data: data:
- clientID: pinniped-supervisor - key: clientID
- clientSecret: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) }}" value: "{{ 'pinniped-supervisor' | b64encode }}"
- key: clientSecret
value: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) | b64encode }}"
- kind: federationdomain - kind: federationdomain
name: metacluster-sso name: metacluster-sso
namespace: pinniped-supervisor namespace: pinniped-supervisor
@ -140,3 +146,5 @@
issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
tls: tls:
secretName: pinniped-supervisor-tls secretName: pinniped-supervisor-tls
loop_control:
label: "{{ item.kind ~ '/' ~ item.name }}"
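Review bot: The `clientSecret` on the new side of the oidc-client item is still produced by `ansible.builtin.password` with `seed=` set to the cluster FQDN, so the value is deterministic and can be recomputed by anyone who knows the (public) hostname and this playbook; if the seed is only there to keep re-runs idempotent, pointing the lookup at a persisted file on the controller (e.g. `lookup('ansible.builtin.password', certificate.path ~ '/oidc-client.secret length=64 chars=ascii_letters,digits')`) keeps the value stable without making it derivable. Relatedly, `clientID`/`clientSecret` are now passed through `| b64encode` while the `tls.crt`/`tls.key` entries in the same `key`/`value` data shape are handed over as raw PEM; unless `secret.j2` encodes selectively, one of the two secrets ends up either double-encoded or rejected by the API server, so the encoding belongs in exactly one place. The `certificateAuthorityData` value also joins `intermediate_ca.crt` and `root_ca.crt` with a bare `~`, so if either ConfigMap value lacks a trailing newline the PEM blocks run together and the bundle fails to parse — joining with `~ '\n' ~` is the safer form. The enclosing "Create pinniped resources" task begins outside this last hunk.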


@ -37,7 +37,7 @@ downstream:
issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
audience: {{ vapp['workloadcluster.name'] | lower }} audience: {{ vapp['workloadcluster.name'] | lower }}
tls: tls:
certificateAuthorityData: {{ ca_bundle }} certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
sealed-secrets: sealed-secrets:
version: 2.8.1 # (= Sealed Secrets v0.20.2) version: 2.8.1 # (= Sealed Secrets v0.20.2)