Add preflight check;Refactor readychecks;Quote input variables;Fix kustomization template;Apply kustomization;Generate new cluster-api manifest

ansible/roles/firstboot/files/ansible_payload/playbook.yml

@@ -8,6 +8,7 @@
   roles:
     - vapp
     - network
+    - preflight
     - users
     - disks
     - metacluster

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml

@@ -1,14 +1,27 @@
-- name: Install step-ca chart
+- block:
+
+    - name: Install step-ca chart
       kubernetes.core.helm:
         name: step-certificates
         chart_ref: /opt/metacluster/helm-charts/step-certificates
         release_namespace: step-ca
         create_namespace: yes
-    wait: yes
+        wait: no
         kubeconfig: "{{ kubeconfig.path }}"
         values: "{{ components.stepcertificates.chart_values }}"
 
-- name: Retrieve configmap w/ root certificate
+    - name: Ensure step-ca API availability
+      ansible.builtin.uri:
+        url: https://ca.{{ vapp['metacluster.fqdn'] }}/health
+        method: GET
+      register: api_readycheck
+      until:
+        - api_readycheck.json.status is defined
+        - api_readycheck.json.status == 'ok'
+      retries: 5
+      delay: 60
+
+    - name: Retrieve configmap w/ root certificate
       kubernetes.core.k8s_info:
         kind: ConfigMap
         name: step-certificates-certs
@@ -16,7 +29,7 @@
         kubeconfig: "{{ kubeconfig.path }}"
       register: stepca_cm_certs
 
-- name: Create target namespaces
+    - name: Create target namespaces
       kubernetes.core.k8s:
         kind: Namespace
         name: "{{ item }}"
@@ -26,7 +39,7 @@
         - argo-cd
         # - kube-system
 
-- name: Store root certificate in namespaced configmaps/secrets
+    - name: Store root certificate in namespaced configmaps/secrets
       kubernetes.core.k8s:
         state: present
         template: "{{ item.kind }}.j2"
@@ -61,7 +74,7 @@
       loop_control:
         label: "{{ item.kind + '/' + item.name + ' (' + item.namespace + ')' }}"
 
-- name: Configure step-ca passthrough ingress
+    - name: Configure step-ca passthrough ingress
       ansible.builtin.template:
         src: ingressroutetcp.j2
         dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
@@ -85,7 +98,7 @@
       notify:
         - Apply manifests
 
-- name: Inject step-ca certificate into traefik container
+    - name: Inject step-ca certificate into traefik container
       ansible.builtin.blockinfile:
         path: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
         block: |2
@@ -100,10 +113,10 @@
       notify:
         - Apply manifests
 
-- name: Trigger handlers
+    - name: Trigger handlers
       ansible.builtin.meta: flush_handlers
 
-- name: Retrieve step-ca configuration
+    - name: Retrieve step-ca configuration
       kubernetes.core.k8s_info:
         kind: ConfigMap
         name: step-certificates-config
@@ -111,7 +124,7 @@
         kubeconfig: "{{ kubeconfig.path }}"
       register: stepca_cm_config
 
-- name: Install root CA in system truststore
+    - name: Install root CA in system truststore
       ansible.builtin.shell:
         cmd: >-
           step ca bootstrap \
@@ -120,3 +133,9 @@
             --install \
             --force
           update-ca-certificates
+
+  module_defaults:
+    ansible.builtin.uri:
+      validate_certs: no
+      status_code: [200, 201]
+      body_format: json

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/git.yml

@@ -15,9 +15,11 @@
         url: https://git.{{ vapp['metacluster.fqdn'] }}/api/healthz
         method: GET
       register: api_readycheck
-      until: api_readycheck.json.status is defined
+      until:
+        - api_readycheck.json.status is defined
+        - api_readycheck.json.status == 'pass'
       retries: 5
-      delay: 30
+      delay: 60
 
     - name: Configure additional SSH ingress
       ansible.builtin.template:

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/gitops.yml

@@ -6,7 +6,7 @@
         chart_ref: /opt/metacluster/helm-charts/argo-cd
         release_namespace: argo-cd
         create_namespace: yes
-        wait: yes
+        wait: no
         kubeconfig: "{{ kubeconfig.path }}"
         values: "{{ components.argocd.chart_values }}"
 
@@ -15,9 +15,10 @@
         url: https://gitops.{{ vapp['metacluster.fqdn'] }}/api/version
         method: GET
       register: api_readycheck
-      until: api_readycheck.json.Version is defined
+      until:
+        - api_readycheck.json.Version is defined
       retries: 5
-      delay: 30
+      delay: 60
 
     - name: Generate argo-cd API token
       ansible.builtin.uri:

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/registry.yml

@@ -6,7 +6,7 @@
         chart_ref: /opt/metacluster/helm-charts/harbor
         release_namespace: harbor
         create_namespace: yes
-        wait: yes
+        wait: no
         kubeconfig: "{{ kubeconfig.path }}"
         values: "{{ components.harbor.chart_values }}"
 
@@ -19,7 +19,7 @@
         - api_readycheck.json.status is defined
         - api_readycheck.json.status == 'healthy'
       retries: 5
-      delay: 30
+      delay: 60
 
     - name: Push images to registry
       ansible.builtin.shell:

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/storage.yml

@@ -17,7 +17,7 @@
       until:
         - api_readycheck is not failed
       retries: 5
-      delay: 30
+      delay: 60
 
   module_defaults:
     ansible.builtin.uri:

ansible/roles/firstboot/files/ansible_payload/roles/preflight/tasks/main.yml

@@ -0,0 +1,7 @@
+- name: Check for vCenter connectivity
+  community.vmware.vmware_vcenter_settings_info:
+    hostname: "{{ vapp['hv.fqdn'] }}"
+    username: "{{ vapp['hv.username'] }}"
+    password: "{{ vapp['hv.password'] }}"
+    schema: vsphere
+  register: vcenter_info

ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/clusterapi.yml

@@ -55,6 +55,11 @@
         - update-ca-certificates
         - bash /root/network.sh
 
+- name: Store custom cluster-template
+  ansible.builtin.copy:
+    dest: /opt/metacluster/cluster-api/custom-cluster-template.yaml
+    content: "{{ lookup('kubernetes.core.kustomize', dir='/opt/metacluster/cluster-api/infrastructure-vsphere/' + {{ components.clusterapi.management.version.infrastructure_vsphere }}) }}"
+
 - name: Initialize Cluster API management cluster
   ansible.builtin.shell:
     cmd: >-
@@ -65,3 +70,29 @@
         --config ./clusterctl.yaml \
         --kubeconfig {{ kubeconfig.path }}
     chdir: /opt/metacluster/cluster-api
+
+- name: Parse vApp for workload cluster sizing
+  ansible.builtin.set_fact:
+    clustersize: >-
+      {{ {
+        'controlplane': vapp['deployment.type'] | regex_findall('^cp(\d)+') | first,
+        'workers': vapp['deployment.type'] | regex_findall('w(\d)+$') | first
+      } }}
+
+- name: Generate workload cluster manifest
+  ansible.builtin.shell:
+    cmd: >-
+      clusterctl generate cluster \
+        vapp['workloadcluster.name'] \
+        --control-plane-machine-count {{ clustersize.controlplane }} \
+        --worker-machine-count {{ clustersize.workers }} \
+        --from ./custom-cluster-template.yaml \
+        --config ./clusterctl.yaml \
+        --kubeconfig {{ kubeconfig.path }}
+    chdir: /opt/metacluster/cluster-api
+  register: clusterctl_newcluster
+
+- name: Save workload cluster manifest
+  ansible.builtin.copy:
+    dest: /opt/metacluster/cluster-api/new-cluster.yaml
+    content: "{{ clusterctl_newcluster.stdout }}"

ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/hypervisor.yml

@@ -60,12 +60,12 @@
   ansible.builtin.shell:
     cmd: >-
       npp-prepper \
-        --server {{ vapp['hv.fqdn'] }} \
-        --username {{ vapp['hv.username'] }} \
-        --password {{ vapp['hv.password'] }} \
+        --server "{{ vapp['hv.fqdn'] }}" \
+        --username "{{ vapp['hv.username'] }}" \
+        --password "{{ vapp['hv.password'] }}" \
         dc \
-        --name {{ vcenter_info.datacenter }} \
-        --portgroup {{ vcenter_info.network }} \
+        --name "{{ vcenter_info.datacenter }}" \
+        --portgroup "{{ vcenter_info.network }}" \
         --startaddress {{ vapp['ippool.startip'] }} \
         --endaddress {{ vapp['ippool.endip'] }} \
         --netmask {{ (vapp['guestinfo.ipaddress'] + '/' + vapp['guestinfo.prefixlength']) | ansible.utils.ipaddr('netmask') }} \

ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/nodetemplates.yml

@@ -41,13 +41,13 @@
       ansible.builtin.shell:
         cmd: >-
           npp-prepper \
-            --server {{ vapp['hv.fqdn'] }} \
-            --username {{ vapp['hv.username'] }} \
-            --password {{ vapp['hv.password'] }} \
+            --server "{{ vapp['hv.fqdn'] }}" \
+            --username "{{ vapp['hv.username'] }}" \
+            --password "{{ vapp['hv.password'] }}" \
             vm \
-            --datacenter {{ vcenter_info.datacenter }} \
-            --portgroup {{ vcenter_info.network }} \
-            --name {{ item.instance.hw_name }}
+            --datacenter "{{ vcenter_info.datacenter }}" \
+            --portgroup "{{ vcenter_info.network }}" \
+            --name "{{ item.instance.hw_name }}"
       when: existing_ova.results[index] is failed
       loop: "{{ ova_deploy.results }}"
       loop_control:

ansible/roles/firstboot/files/ansible_payload/templates/kustomization.cluster-template.j2

@@ -39,12 +39,14 @@ patchesStrategicMerge:
             content: |
               {{ _template.script.encoded }}
             permissions: '0744'
+            owner: root:root
+            path: /root/network.sh
           - content: |
               network: {config: disabled}
             owner: root:root
             path: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
           - content: |
-              {{ _template.rootca | indent(width=6, first=True) }}
+              {{ _template.rootca | indent(width=14, first=False) | trim }}
             owner: root:root
             path: /usr/local/share/ca-certificates/root_ca.crt
 
@@ -61,6 +63,8 @@ patchesJson6902:
           encoding: base64
           content: |
             {{ _template.script.encoded }}
+          owner: root:root
+          path: /root/network.sh
           permissions: '0744'
       - op: add
         path: /spec/kubeadmConfigSpec/files/-
@@ -73,7 +77,7 @@ patchesJson6902:
         path: /spec/kubeadmConfigSpec/files/-
         value:
           content: |
-            {{ _template.rootca | indent(width=8, first=True) }}
+            {{ _template.rootca | indent(width=12, first=False) | trim }}
           owner: root:root
           path: /usr/local/share/ca-certificates/root_ca.crt
   - target:
@@ -95,6 +99,6 @@ patchesJson6902:
     patch: |-
 {% for cmd in _template.runcmds %}
       - op: add
-        path: /spec/template/spec/preKubeadmCommands/-
+        path: /spec/kubeadmConfigSpec/preKubeadmCommands/-
         value: {{ cmd }}
 {% endfor %}