diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/git.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/git.yml index 757b604..9212531 100644 --- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/git.yml +++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/git.yml @@ -49,7 +49,7 @@ url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/users/administrator/tokens method: POST user: administrator - password: "{{ vapp['guestinfo.rootpw'] }}" + password: "{{ vapp['metacluster.password'] }}" force_basic_auth: yes body: name: token_init_{{ lookup('password', '/dev/null length=5 chars=ascii_letters,digits') }} @@ -124,7 +124,7 @@ ansible.builtin.shell: cmd: | git config --local http.sslVerify false - git remote set-url origin https://administrator:{{ vapp['guestinfo.rootpw'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.Config.git + git remote set-url origin https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.Config.git git push chdir: /opt/metacluster/git-repositories/gitops diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/gitops.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/gitops.yml index b8d4fb0..3e395c6 100644 --- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/gitops.yml +++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/gitops.yml @@ -26,7 +26,7 @@ force_basic_auth: yes body: username: admin - password: "{{ vapp['guestinfo.rootpw'] }}" + password: "{{ vapp['metacluster.password'] }}" register: argocd_api_token - name: Configure metacluster-gitops repository diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/registry.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/registry.yml index 5212759..eece196 100644 
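Review bot: The new `git remote set-url origin https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.…` line in the @@ -124 hunk of git.yml writes the administrator password in cleartext into `.git/config` under /opt/metacluster/git-repositories/gitops, where it outlives the push, and the same string is part of a shell command that Ansible echoes in verbose output unless the task sets `no_log: true` (the task header is outside the hunk, so I cannot see whether it does). Because this one value is now also the root, Gitea, ArgoCD, Harbor and step-ca password, its footprint on disk is worth limiting: keep the remote URL credential-free and supply the password once for the push (a git credential helper or `GIT_ASKPASS`), and at least add `no_log: true` to this task and to the uri tasks in the @@ -49 hunk here and the @@ -26 hunk of gitops.yml, which send the password in their request bodies.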
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/registry.yml +++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/registry.yml @@ -27,7 +27,7 @@ skopeo copy \ --insecure-policy \ --dest-tls-verify=false \ - --dest-creds admin:{{ vapp['guestinfo.rootpw'] }} \ + --dest-creds admin:{{ vapp['metacluster.password'] }} \ docker-archive:./{{ item | basename }} \ docker://registry.{{ vapp['metacluster.fqdn'] }}/library/$( \ skopeo list-tags \ diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml b/ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml index e2e20a2..d689ea3 100644 --- a/ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml +++ b/ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml @@ -1,7 +1,7 @@ - name: Set root password ansible.builtin.user: name: root - password: "{{ vapp['guestinfo.rootpw'] | password_hash('sha512', 65534 | random(seed=vapp['guestinfo.hostname']) | string) }}" + password: "{{ vapp['metacluster.password'] | password_hash('sha512', 65534 | random(seed=vapp['guestinfo.hostname']) | string) }}" generate_ssh_key: yes ssh_key_bits: 2048 ssh_key_file: .ssh/id_rsa diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/clusterapi.yml b/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/clusterapi.yml index 6b21509..8d46462 100644 --- a/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/clusterapi.yml +++ b/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/clusterapi.yml 
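Review bot: `--dest-creds admin:{{ vapp['metacluster.password'] }} \` in the registry.yml hunk interpolates a user-supplied OVF property (declared as `Type: password(7..)` in Update-OvfConfiguration.yml) into a shell command without quoting, so a password containing spaces, `$`, quotes or backslashes breaks the skopeo invocation or is reinterpreted by the shell. Wrap the credential with the quote filter, `--dest-creds {{ ('admin:' ~ vapp['metacluster.password']) | quote }} \`. The same pattern appears in the step-ca postInitHook of metacluster.yml (@@ -180), where `echo '{{ vapp["metacluster.password"] }}' > ~/pwfile` breaks on a single quote in the password; `echo {{ vapp["metacluster.password"] | quote }} > ~/pwfile` fixes that one. The enclosing skopeo command starts before and ends after this hunk.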
@@ -46,7 +46,14 @@ dest: /opt/metacluster/cluster-api/infrastructure-vsphere/{{ components.clusterapi.management.version.infrastructure_vsphere }}/kustomization.yaml vars: _template: + fqdn: "{{ vapp['metacluster.fqdn'] }}" rootca: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}" + script: + # Base64 encoded; to avoid variable substitution when clusterctl parses the cluster-template.yml + encoded: 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 + runcmds: + - update-ca-certificates + - bash /root/network.sh - name: Initialize Cluster API management cluster ansible.builtin.shell: diff --git a/ansible/roles/firstboot/files/ansible_payload/templates/kustomization.cluster-template.j2 b/ansible/roles/firstboot/files/ansible_payload/templates/kustomization.cluster-template.j2 index ae8a6cd..09e382d 100644 --- a/ansible/roles/firstboot/files/ansible_payload/templates/kustomization.cluster-template.j2 +++ b/ansible/roles/firstboot/files/ansible_payload/templates/kustomization.cluster-template.j2 @@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - cluster-template.yaml + patchesStrategicMerge: - |- apiVersion: controlplane.cluster.x-k8s.io/v1beta1 @@ -12,7 +13,7 @@ patchesStrategicMerge: spec: kubeadmConfigSpec: clusterConfiguration: - imageRepository: registry./kubeadm + imageRepository: registry.{{ _template.fqdn }}/kubeadm - |- apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 kind: KubeadmConfigTemplate @@ -23,7 +24,7 @@ patchesStrategicMerge: template: spec: clusterConfiguration: - imageRepository: registry./kubeadm + imageRepository: registry.{{ _template.fqdn }}/kubeadm - |- apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 kind: KubeadmConfigTemplate 
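Review bot: The new `script.encoded` value in the clusterapi.yml hunk is an opaque base64 blob carried in a task's `vars:`, so the script that is written onto every workload-cluster node (via `{{ _template.script.encoded }}` in kustomization.cluster-template.j2) can no longer be reviewed or diffed in plain text. Keep the script as a plain file in the role and encode it at render time, e.g. `encoded: "{{ lookup('file', '<PATH-TO-SCRIPT>') | b64encode }}"`, which preserves the stated reason for base64 (clusterctl's variable substitution does not touch the script body) while keeping the source readable. The comment above `encoded:` should also name the script, e.g. `# Base64-encoded node network script; avoids clusterctl variable substitution in cluster-template.yml`. The `runcmds` entry `bash /root/network.sh` suggests where the file lands, but the kustomization lines that set the destination path are outside this hunk.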
@@ -36,7 +37,7 @@ patchesStrategicMerge: files: - encoding: base64 content: | - IyEvYmluL2Jhc2gKdm10b29sc2QgLS1jbWQgJ2luZm8tZ2V0IGd1ZXN0aW5mby5vdmZFbnYnID4gL3RtcC9vdmZlbnYKCklQQWRkcmVzcz0kKHNlZCAtbiAncy8uKlByb3BlcnR5IG9lOmtleT0iZ3Vlc3RpbmZvLmludGVyZmFjZS4wLmlwLjAuYWRkcmVzcyIgb2U6dmFsdWU9IlwoW14iXSpcKS4qL1wxL3AnIC90bXAvb3ZmZW52KQpTdWJuZXRNYXNrPSQoc2VkIC1uICdzLy4qUHJvcGVydHkgb2U6a2V5PSJndWVzdGluZm8uaW50ZXJmYWNlLjAuaXAuMC5uZXRtYXNrIiBvZTp2YWx1ZT0iXChbXiJdKlwpLiovXDEvcCcgL3RtcC9vdmZlbnYpCkdhdGV3YXk9JChzZWQgLW4gJ3MvLipQcm9wZXJ0eSBvZTprZXk9Imd1ZXN0aW5mby5pbnRlcmZhY2UuMC5yb3V0ZS4wLmdhdGV3YXkiIG9lOnZhbHVlPSJcKFteIl0qXCkuKi9cMS9wJyAvdG1wL292ZmVudikKRE5TPSQoc2VkIC1uICdzLy4qUHJvcGVydHkgb2U6a2V5PSJndWVzdGluZm8uZG5zLnNlcnZlcnMiIG9lOnZhbHVlPSJcKFteIl0qXCkuKi9cMS9wJyAvdG1wL292ZmVudikKTUFDQWRkcmVzcz0kKHNlZCAtbiAncy8uKnZlOkFkYXB0ZXIgdmU6bWFjPSJcKFteIl0qXCkuKi9cMS9wJyAvdG1wL292ZmVudikKCm1hc2syY2lkcigpIHsKICBjPTAKICB4PTAkKCBwcmludGYgJyVvJyAkezEvLy4vIH0gKQoKICB3aGlsZSBbICR4IC1ndCAwIF07IGRvCiAgICBsZXQgYys9JCgoeCUyKSkgJ3g+Pj0xJwogIGRvbmUKCiAgZWNobyAkYwp9CgpQcmVmaXg9JChtYXNrMmNpZHIgJFN1Ym5ldE1hc2spCgpjYXQgPiAvZXRjL25ldHBsYW4vMDEtbmV0Y2ZnLnlhbWwgPDxFT0YKbmV0d29yazoKICB2ZXJzaW9uOiAyCiAgcmVuZGVyZXI6IG5ldHdvcmtkCiAgZXRoZXJuZXRzOgogICAgaWQwOgogICAgICBzZXQtbmFtZTogZXRoMAogICAgICBtYXRjaDoKICAgICAgICBtYWNhZGRyZXNzOiAkTUFDQWRkcmVzcwogICAgICBhZGRyZXNzZXM6CiAgICAgICAgLSAkSVBBZGRyZXNzLyRQcmVmaXgKICAgICAgZ2F0ZXdheTQ6ICRHYXRld2F5CiAgICAgIG5hbWVzZXJ2ZXJzOgogICAgICAgIGFkZHJlc3NlcyA6IFskRE5TXQpFT0YKcm0gL2V0Yy9uZXRwbGFuLzUwKi55YW1sIC1mCgpzdWRvIG5ldHBsYW4gYXBwbHk= + {{ _template.script.encoded }} permissions: '0744' - content: | network: {config: disabled} @@ -59,7 +60,7 @@ patchesJson6902: value: encoding: base64 content: | - 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 + {{ _template.script.encoded }} permissions: '0744' - op: add path: /spec/kubeadmConfigSpec/files/- 
@@ -81,21 +82,19 @@ patchesJson6902: kind: KubeadmConfigTemplate name: .* patch: |- +{% for cmd in _template.runcmds %} - op: add path: /spec/template/spec/preKubeadmCommands/- - value: update-ca-certificates - - op: add - path: /spec/template/spec/preKubeadmCommands/- - value: bash /root/network.sh + value: {{ cmd }} +{% endfor %} - target: group: controlplane.cluster.x-k8s.io version: v1beta1 kind: KubeadmControlPlane name: .* patch: |- +{% for cmd in _template.runcmds %} - op: add - path: /spec/kubeadmConfigSpec/preKubeadmCommands/- - value: update-ca-certificates - - op: add - path: /spec/kubeadmConfigSpec/preKubeadmCommands/- - value: bash /root/network.sh + path: /spec/template/spec/preKubeadmCommands/- + value: {{ cmd }} +{% endfor %} diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml index 95584b3..c2315d0 100644 --- a/ansible/vars/metacluster.yml +++ b/ansible/vars/metacluster.yml @@ -60,7 +60,7 @@ components: chart_values: !unsafe | configs: secret: - argocdServerAdminPassword: "{{ vapp['guestinfo.rootpw'] | password_hash('bcrypt') }}" + argocdServerAdminPassword: "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}" server: extraArgs: - --insecure @@ -104,7 +104,7 @@ components: gitea: admin: username: administrator - password: "{{ vapp['guestinfo.rootpw'] }}" + password: "{{ vapp['metacluster.password'] }}" email: admin@{{ vapp['metacluster.fqdn'] }} config: server: @@ -141,7 +141,7 @@ components: certSource: none enabled: false externalURL: https://registry.{{ vapp['metacluster.fqdn'] }} - harborAdminPassword: "{{ vapp['guestinfo.rootpw'] }}" + harborAdminPassword: "{{ vapp['metacluster.password'] }}" notary: enabled: false persistence: 
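Review bot: In the KubeadmControlPlane patch at the end of the @@ -81 hunk the loop body uses `path: /spec/template/spec/preKubeadmCommands/-`, but the lines it replaces used `/spec/kubeadmConfigSpec/preKubeadmCommands/-`, and the control-plane patch in the @@ -59 hunk of the same file still targets `/spec/kubeadmConfigSpec/files/-`; KubeadmControlPlane carries `kubeadmConfigSpec` directly rather than a `template.spec`, so this JSON 6902 `add` either fails to apply or, at best, never runs `update-ca-certificates` and the network script on control-plane nodes. Restore `path: /spec/kubeadmConfigSpec/preKubeadmCommands/-` inside the second loop. Separately, `value: {{ cmd }}` emits the command as a plain scalar, so a command containing `: ` or ` #` would change the YAML structure of the patch; `value: {{ cmd | to_json }}` is the safer form for both loops.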
@@ -180,21 +180,21 @@ components: ca: bootstrap: postInitHook: | - echo '{{ vapp["guestinfo.rootpw"] }}' > ~/pwfile + echo '{{ vapp["metacluster.password"] }}' > ~/pwfile step ca provisioner add acme \ --type ACME \ --password-file=~/pwfile \ --force-cn rm ~/pwfile dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1 - password: "{{ vapp['guestinfo.rootpw'] }}" + password: "{{ vapp['metacluster.password'] }}" provisioner: name: admin - password: "{{ vapp['guestinfo.rootpw'] }}" + password: "{{ vapp['metacluster.password'] }}" inject: secrets: - ca_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}" - provisioner_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}" + ca_password: "{{ vapp['metacluster.password'] | b64encode }}" + provisioner_password: "{{ vapp['metacluster.password'] | b64encode }}" service: targetPort: 9000 diff --git a/scripts/Update-OvfConfiguration.yml b/scripts/Update-OvfConfiguration.yml index 5f176d2..a097a47 100644 --- a/scripts/Update-OvfConfiguration.yml +++ b/scripts/Update-OvfConfiguration.yml @@ -39,7 +39,7 @@ PropertyCategories: Configurations: '*' UserConfigurable: true - - Key: guestinfo.rootpw + - Key: metacluster.password Type: password(7..) Label: Local root password* Description: ''
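Review bot: The renamed property `metacluster.password` in the Update-OvfConfiguration.yml hunk keeps `Label: Local root password*` and an empty `Description`, although the same value now also becomes the Gitea, ArgoCD and Harbor admin password and the step-ca CA and provisioner password (metacluster.yml hunks @@ -60, @@ -104, @@ -141 and @@ -180). The person entering it at deploy time should see that scope, so update the label and fill the description, e.g. `Label: Metacluster password*` and `Description: 'Shared password for the local root account and for the administrator accounts of the metacluster services (Git, ArgoCD, registry, CA)'`. With that scope, `Type: password(7..)` is a low minimum for what is effectively the CA key password; consider raising the lower bound (for example `password(12..)`).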