Add preflight check;Refactor readychecks;Quote input variables;Fix kustomization template;Apply kustomization;Generate new cluster-api manifest

Danny Bessems 2023-01-04 13:22:35 +01:00
parent 31a91d826f
commit d343b84b30
11 changed files with 201 additions and 136 deletions


@ -8,6 +8,7 @@
roles:
- vapp
- network
- preflight
- users
- disks
- metacluster


@ -1,14 +1,27 @@
- name: Install step-ca chart
- block:
- name: Install step-ca chart
kubernetes.core.helm:
name: step-certificates
chart_ref: /opt/metacluster/helm-charts/step-certificates
release_namespace: step-ca
create_namespace: yes
wait: yes
wait: no
kubeconfig: "{{ kubeconfig.path }}"
values: "{{ components.stepcertificates.chart_values }}"
- name: Retrieve configmap w/ root certificate
- name: Ensure step-ca API availability
ansible.builtin.uri:
url: https://ca.{{ vapp['metacluster.fqdn'] }}/health
method: GET
register: api_readycheck
until:
- api_readycheck.json.status is defined
- api_readycheck.json.status == 'ok'
retries: 5
delay: 60
- name: Retrieve configmap w/ root certificate
kubernetes.core.k8s_info:
kind: ConfigMap
name: step-certificates-certs
@ -16,7 +29,7 @@
kubeconfig: "{{ kubeconfig.path }}"
register: stepca_cm_certs
- name: Create target namespaces
- name: Create target namespaces
kubernetes.core.k8s:
kind: Namespace
name: "{{ item }}"
@ -26,7 +39,7 @@
- argo-cd
# - kube-system
- name: Store root certificate in namespaced configmaps/secrets
- name: Store root certificate in namespaced configmaps/secrets
kubernetes.core.k8s:
state: present
template: "{{ item.kind }}.j2"
@ -61,7 +74,7 @@
loop_control:
label: "{{ item.kind + '/' + item.name + ' (' + item.namespace + ')' }}"
- name: Configure step-ca passthrough ingress
- name: Configure step-ca passthrough ingress
ansible.builtin.template:
src: ingressroutetcp.j2
dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
@ -85,7 +98,7 @@
notify:
- Apply manifests
- name: Inject step-ca certificate into traefik container
- name: Inject step-ca certificate into traefik container
ansible.builtin.blockinfile:
path: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
block: |2
@ -100,10 +113,10 @@
notify:
- Apply manifests
- name: Trigger handlers
- name: Trigger handlers
ansible.builtin.meta: flush_handlers
- name: Retrieve step-ca configuration
- name: Retrieve step-ca configuration
kubernetes.core.k8s_info:
kind: ConfigMap
name: step-certificates-config
@ -111,7 +124,7 @@
kubeconfig: "{{ kubeconfig.path }}"
register: stepca_cm_config
- name: Install root CA in system truststore
- name: Install root CA in system truststore
ansible.builtin.shell:
cmd: >-
step ca bootstrap \
@ -120,3 +133,9 @@
--install \
--force
update-ca-certificates
module_defaults:
ansible.builtin.uri:
validate_certs: no
status_code: [200, 201]
body_format: json
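Review bot: `validate_certs: no` under `module_defaults` disables TLS verification for every `ansible.builtin.uri` task inside this block, including any added later, although only the readiness probe against `https://ca.{{ vapp['metacluster.fqdn'] }}/health` has to run before the CA is trusted. Scope it to that one task, `validate_certs: false` directly on `Ensure step-ca API availability`, and keep only `status_code` and `body_format` as block defaults; after `step ca bootstrap --install` and `update-ca-certificates` have run, later calls can verify against the system truststore. While touching these lines, the `yes`/`no` values (`create_namespace`, `wait`, `validate_certs`) are YAML 1.1 truthy forms and read more portably as `true`/`false`. The other readycheck task files in this commit appear to carry the same `module_defaults` header, but their contents are not in view here. The block spans several hunks of this file, so the intermediate tasks are not shown.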


@ -15,9 +15,11 @@
url: https://git.{{ vapp['metacluster.fqdn'] }}/api/healthz
method: GET
register: api_readycheck
until: api_readycheck.json.status is defined
until:
- api_readycheck.json.status is defined
- api_readycheck.json.status == 'pass'
retries: 5
delay: 30
delay: 60
- name: Configure additional SSH ingress
ansible.builtin.template:


@ -6,7 +6,7 @@
chart_ref: /opt/metacluster/helm-charts/argo-cd
release_namespace: argo-cd
create_namespace: yes
wait: yes
wait: no
kubeconfig: "{{ kubeconfig.path }}"
values: "{{ components.argocd.chart_values }}"
@ -15,9 +15,10 @@
url: https://gitops.{{ vapp['metacluster.fqdn'] }}/api/version
method: GET
register: api_readycheck
until: api_readycheck.json.Version is defined
until:
- api_readycheck.json.Version is defined
retries: 5
delay: 30
delay: 60
- name: Generate argo-cd API token
ansible.builtin.uri:


@ -6,7 +6,7 @@
chart_ref: /opt/metacluster/helm-charts/harbor
release_namespace: harbor
create_namespace: yes
wait: yes
wait: no
kubeconfig: "{{ kubeconfig.path }}"
values: "{{ components.harbor.chart_values }}"
@ -19,7 +19,7 @@
- api_readycheck.json.status is defined
- api_readycheck.json.status == 'healthy'
retries: 5
delay: 30
delay: 60
- name: Push images to registry
ansible.builtin.shell:


@ -17,7 +17,7 @@
until:
- api_readycheck is not failed
retries: 5
delay: 30
delay: 60
module_defaults:
ansible.builtin.uri:


@ -0,0 +1,7 @@
- name: Check for vCenter connectivity
community.vmware.vmware_vcenter_settings_info:
hostname: "{{ vapp['hv.fqdn'] }}"
username: "{{ vapp['hv.username'] }}"
password: "{{ vapp['hv.password'] }}"
schema: vsphere
register: vcenter_info
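Review bot: `register: vcenter_info` reuses a name that other tasks in this commit dereference as `vcenter_info.datacenter` and `vcenter_info.network` (the npp-prepper commands), but `community.vmware.vmware_vcenter_settings_info` returns its data under `vcenter_config`, not under those keys; if `vcenter_info` is populated elsewhere (not visible in this diff), this register would overwrite it with the module result. Since the task only probes reachability, either drop the `register` or use a non-colliding name such as `register: vcenter_connectivity`. A one-line purpose comment above the task would help the next reader, e.g. `# Fail fast before any role touches vCenter: presumably errors out when the host is unreachable or the credentials are rejected`.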


@ -55,6 +55,11 @@
- update-ca-certificates
- bash /root/network.sh
- name: Store custom cluster-template
ansible.builtin.copy:
dest: /opt/metacluster/cluster-api/custom-cluster-template.yaml
content: "{{ lookup('kubernetes.core.kustomize', dir='/opt/metacluster/cluster-api/infrastructure-vsphere/' + {{ components.clusterapi.management.version.infrastructure_vsphere }}) }}"
- name: Initialize Cluster API management cluster
ansible.builtin.shell:
cmd: >-
@ -65,3 +70,29 @@
--config ./clusterctl.yaml \
--kubeconfig {{ kubeconfig.path }}
chdir: /opt/metacluster/cluster-api
- name: Parse vApp for workload cluster sizing
ansible.builtin.set_fact:
clustersize: >-
{{ {
'controlplane': vapp['deployment.type'] | regex_findall('^cp(\d)+') | first,
'workers': vapp['deployment.type'] | regex_findall('w(\d)+$') | first
} }}
- name: Generate workload cluster manifest
ansible.builtin.shell:
cmd: >-
clusterctl generate cluster \
vapp['workloadcluster.name'] \
--control-plane-machine-count {{ clustersize.controlplane }} \
--worker-machine-count {{ clustersize.workers }} \
--from ./custom-cluster-template.yaml \
--config ./clusterctl.yaml \
--kubeconfig {{ kubeconfig.path }}
chdir: /opt/metacluster/cluster-api
register: clusterctl_newcluster
- name: Save workload cluster manifest
ansible.builtin.copy:
dest: /opt/metacluster/cluster-api/new-cluster.yaml
content: "{{ clusterctl_newcluster.stdout }}"
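Review bot: The `content:` lookup on `Store custom cluster-template` nests `{{ ... }}` inside an already open Jinja expression, which the template engine rejects at render time; concatenate the version as a plain expression instead: `content: "{{ lookup('kubernetes.core.kustomize', dir='/opt/metacluster/cluster-api/infrastructure-vsphere/' + components.clusterapi.management.version.infrastructure_vsphere) }}"`. In `Generate workload cluster manifest`, the line `vapp['workloadcluster.name'] \` is not wrapped in `{{ }}`, so clusterctl receives that literal text as the cluster name; it should be `"{{ vapp['workloadcluster.name'] }}" \`, and the quotes also keep a vApp value containing spaces or shell metacharacters as a single argument, consistent with the "Quote input variables" intent of this commit. The sizing regexes `'^cp(\d)+'` and `'w(\d)+$'` place the group inside the quantifier, so `regex_findall` returns only the last digit; `(\d+)` is needed for counts of ten or more.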


@ -60,12 +60,12 @@
ansible.builtin.shell:
cmd: >-
npp-prepper \
--server {{ vapp['hv.fqdn'] }} \
--username {{ vapp['hv.username'] }} \
--password {{ vapp['hv.password'] }} \
--server "{{ vapp['hv.fqdn'] }}" \
--username "{{ vapp['hv.username'] }}" \
--password "{{ vapp['hv.password'] }}" \
dc \
--name {{ vcenter_info.datacenter }} \
--portgroup {{ vcenter_info.network }} \
--name "{{ vcenter_info.datacenter }}" \
--portgroup "{{ vcenter_info.network }}" \
--startaddress {{ vapp['ippool.startip'] }} \
--endaddress {{ vapp['ippool.endip'] }} \
--netmask {{ (vapp['guestinfo.ipaddress'] + '/' + vapp['guestinfo.prefixlength']) | ansible.utils.ipaddr('netmask') }} \
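Review bot: The quoting is incomplete in this command: `--startaddress`, `--endaddress` and `--netmask` on the context lines below the change still interpolate vApp values unquoted. Double quotes also still let the shell expand `$`, backticks and an embedded `"`; the `quote` filter is the idiomatic escape for shell arguments, e.g. `--password {{ vapp['hv.password'] | quote }} \`, and the same applies to the `vm` variant of this command in the next file. Because `hv.password` is part of the command string, it is echoed in Ansible's task output on failure and visible in the process list while npp-prepper runs; add `no_log: true` to the task (its header is outside this hunk) and, if npp-prepper supports it, pass the credential through the environment instead of an argument.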


@ -41,13 +41,13 @@
ansible.builtin.shell:
cmd: >-
npp-prepper \
--server {{ vapp['hv.fqdn'] }} \
--username {{ vapp['hv.username'] }} \
--password {{ vapp['hv.password'] }} \
--server "{{ vapp['hv.fqdn'] }}" \
--username "{{ vapp['hv.username'] }}" \
--password "{{ vapp['hv.password'] }}" \
vm \
--datacenter {{ vcenter_info.datacenter }} \
--portgroup {{ vcenter_info.network }} \
--name {{ item.instance.hw_name }}
--datacenter "{{ vcenter_info.datacenter }}" \
--portgroup "{{ vcenter_info.network }}" \
--name "{{ item.instance.hw_name }}"
when: existing_ova.results[index] is failed
loop: "{{ ova_deploy.results }}"
loop_control:


@ -39,12 +39,14 @@ patchesStrategicMerge:
content: |
{{ _template.script.encoded }}
permissions: '0744'
owner: root:root
path: /root/network.sh
- content: |
network: {config: disabled}
owner: root:root
path: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
- content: |
{{ _template.rootca | indent(width=6, first=True) }}
{{ _template.rootca | indent(width=14, first=False) | trim }}
owner: root:root
path: /usr/local/share/ca-certificates/root_ca.crt
@ -61,6 +63,8 @@ patchesJson6902:
encoding: base64
content: |
{{ _template.script.encoded }}
owner: root:root
path: /root/network.sh
permissions: '0744'
- op: add
path: /spec/kubeadmConfigSpec/files/-
@ -73,7 +77,7 @@ patchesJson6902:
path: /spec/kubeadmConfigSpec/files/-
value:
content: |
{{ _template.rootca | indent(width=8, first=True) }}
{{ _template.rootca | indent(width=12, first=False) | trim }}
owner: root:root
path: /usr/local/share/ca-certificates/root_ca.crt
- target:
@ -95,6 +99,6 @@ patchesJson6902:
patch: |-
{% for cmd in _template.runcmds %}
- op: add
path: /spec/template/spec/preKubeadmCommands/-
path: /spec/kubeadmConfigSpec/preKubeadmCommands/-
value: {{ cmd }}
{% endfor %}
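Review bot: `value: {{ cmd }}` in the corrected `preKubeadmCommands` patch inserts each run command as a plain YAML scalar, so a command containing `: `, ` #`, a leading `-`, `[` or `{`, or a quote would change the structure of the patch that kustomize parses. Emit it as a JSON-encoded scalar, `value: {{ cmd | to_json }}`, which is valid YAML and keeps the command intact. The two commands visible in this commit (`update-ca-certificates`, `bash /root/network.sh`) are plain words, so this does not fail today, but `_template.runcmds` is an input list and the template should not depend on that.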