djpbessems/Packer.Images
Archived
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix/Optimize kustomization template;Simplify dictionary
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Danny Bessems
2023-01-02 21:20:08 +01:00
parent 9c6e1ff386
commit d91acb9c0d
8 changed files with 33 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/git.yml
View File

@@ -49,7 +49,7 @@
url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/users/administrator/tokens url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/users/administrator/tokens
method: POST method: POST
user: administrator user: administrator
password: "{{ vapp['guestinfo.rootpw'] }}" password: "{{ vapp['metacluster.password'] }}"
force_basic_auth: yes force_basic_auth: yes
body: body:
name: token_init_{{ lookup('password', '/dev/null length=5 chars=ascii_letters,digits') }} name: token_init_{{ lookup('password', '/dev/null length=5 chars=ascii_letters,digits') }}
@@ -124,7 +124,7 @@
ansible.builtin.shell: ansible.builtin.shell:
cmd: | cmd: |
git config --local http.sslVerify false git config --local http.sslVerify false
git remote set-url origin https://administrator:{{ vapp['guestinfo.rootpw'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.Config.git git remote set-url origin https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.Config.git
git push git push
chdir: /opt/metacluster/git-repositories/gitops chdir: /opt/metacluster/git-repositories/gitops

2
ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/gitops.yml
View File

@@ -26,7 +26,7 @@
force_basic_auth: yes force_basic_auth: yes
body: body:
username: admin username: admin
password: "{{ vapp['guestinfo.rootpw'] }}" password: "{{ vapp['metacluster.password'] }}"
register: argocd_api_token register: argocd_api_token
- name: Configure metacluster-gitops repository - name: Configure metacluster-gitops repository

2
ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/registry.yml
View File

@@ -27,7 +27,7 @@
skopeo copy \ skopeo copy \
--insecure-policy \ --insecure-policy \
--dest-tls-verify=false \ --dest-tls-verify=false \
--dest-creds admin:{{ vapp['guestinfo.rootpw'] }} \ --dest-creds admin:{{ vapp['metacluster.password'] }} \
docker-archive:./{{ item | basename }} \ docker-archive:./{{ item | basename }} \
docker://registry.{{ vapp['metacluster.fqdn'] }}/library/$( \ docker://registry.{{ vapp['metacluster.fqdn'] }}/library/$( \
skopeo list-tags \ skopeo list-tags \

2
ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml
View File

@@ -1,7 +1,7 @@
- name: Set root password - name: Set root password
ansible.builtin.user: ansible.builtin.user:
name: root name: root
password: "{{ vapp['guestinfo.rootpw'] | password_hash('sha512', 65534 | random(seed=vapp['guestinfo.hostname']) | string) }}" password: "{{ vapp['metacluster.password'] | password_hash('sha512', 65534 | random(seed=vapp['guestinfo.hostname']) | string) }}"
generate_ssh_key: yes generate_ssh_key: yes
ssh_key_bits: 2048 ssh_key_bits: 2048
ssh_key_file: .ssh/id_rsa ssh_key_file: .ssh/id_rsa

7
ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/clusterapi.yml
View File

@@ -46,7 +46,14 @@
dest: /opt/metacluster/cluster-api/infrastructure-vsphere/{{ components.clusterapi.management.version.infrastructure_vsphere }}/kustomization.yaml dest: /opt/metacluster/cluster-api/infrastructure-vsphere/{{ components.clusterapi.management.version.infrastructure_vsphere }}/kustomization.yaml
vars: vars:
_template: _template:
fqdn: "{{ vapp['metacluster.fqdn'] }}"
rootca: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}" rootca: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
script:
# Base64 encoded; to avoid variable substitution when clusterctl parses the cluster-template.yml
encoded: IyEvYmluL2Jhc2gKdm10b29sc2QgLS1jbWQgJ2luZm8tZ2V0IGd1ZXN0aW5mby5vdmZFbnYnID4gL3RtcC9vdmZlbnYKCklQQWRkcmVzcz0kKHNlZCAtbiAncy8uKlByb3BlcnR5IG9lOmtleT0iZ3Vlc3RpbmZvLmludGVyZmFjZS4wLmlwLjAuYWRkcmVzcyIgb2U6dmFsdWU9IlwoW14iXSpcKS4qL1wxL3AnIC90bXAvb3ZmZW52KQpTdWJuZXRNYXNrPSQoc2VkIC1uICdzLy4qUHJvcGVydHkgb2U6a2V5PSJndWVzdGluZm8uaW50ZXJmYWNlLjAuaXAuMC5uZXRtYXNrIiBvZTp2YWx1ZT0iXChbXiJdKlwpLiovXDEvcCcgL3RtcC9vdmZlbnYpCkdhdGV3YXk9JChzZWQgLW4gJ3MvLipQcm9wZXJ0eSBvZTprZXk9Imd1ZXN0aW5mby5pbnRlcmZhY2UuMC5yb3V0ZS4wLmdhdGV3YXkiIG9lOnZhbHVlPSJcKFteIl0qXCkuKi9cMS9wJyAvdG1wL292ZmVudikKRE5TPSQoc2VkIC1uICdzLy4qUHJvcGVydHkgb2U6a2V5PSJndWVzdGluZm8uZG5zLnNlcnZlcnMiIG9lOnZhbHVlPSJcKFteIl0qXCkuKi9cMS9wJyAvdG1wL292ZmVudikKTUFDQWRkcmVzcz0kKHNlZCAtbiAncy8uKnZlOkFkYXB0ZXIgdmU6bWFjPSJcKFteIl0qXCkuKi9cMS9wJyAvdG1wL292ZmVudikKCm1hc2syY2lkcigpIHsKICBjPTAKICB4PTAkKCBwcmludGYgJyVvJyAkezEvLy4vIH0gKQoKICB3aGlsZSBbICR4IC1ndCAwIF07IGRvCiAgICBsZXQgYys9JCgoeCUyKSkgJ3g+Pj0xJwogIGRvbmUKCiAgZWNobyAkYwp9CgpQcmVmaXg9JChtYXNrMmNpZHIgJFN1Ym5ldE1hc2spCgpjYXQgPiAvZXRjL25ldHBsYW4vMDEtbmV0Y2ZnLnlhbWwgPDxFT0YKbmV0d29yazoKICB2ZXJzaW9uOiAyCiAgcmVuZGVyZXI6IG5ldHdvcmtkCiAgZXRoZXJuZXRzOgogICAgaWQwOgogICAgICBzZXQtbmFtZTogZXRoMAogICAgICBtYXRjaDoKICAgICAgICBtYWNhZGRyZXNzOiAkTUFDQWRkcmVzcwogICAgICBhZGRyZXNzZXM6CiAgICAgICAgLSAkSVBBZGRyZXNzLyRQcmVmaXgKICAgICAgZ2F0ZXdheTQ6ICRHYXRld2F5CiAgICAgIG5hbWVzZXJ2ZXJzOgogICAgICAgIGFkZHJlc3NlcyA6IFskRE5TXQpFT0YKcm0gL2V0Yy9uZXRwbGFuLzUwKi55YW1sIC1mCgpzdWRvIG5ldHBsYW4gYXBwbHk=
runcmds:
- update-ca-certificates
- bash /root/network.sh
- name: Initialize Cluster API management cluster - name: Initialize Cluster API management cluster
ansible.builtin.shell: ansible.builtin.shell:

25
ansible/roles/firstboot/files/ansible_payload/templates/kustomization.cluster-template.j2
View File

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- cluster-template.yaml - cluster-template.yaml
patchesStrategicMerge: patchesStrategicMerge:
- |- - |-
apiVersion: controlplane.cluster.x-k8s.io/v1beta1 apiVersion: controlplane.cluster.x-k8s.io/v1beta1
@@ -12,7 +13,7 @@ patchesStrategicMerge:
spec: spec:
kubeadmConfigSpec: kubeadmConfigSpec:
clusterConfiguration: clusterConfiguration:
imageRepository: registry.<fqdn>/kubeadm imageRepository: registry.{{ _template.fqdn }}/kubeadm
- |- - |-
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate kind: KubeadmConfigTemplate
@@ -23,7 +24,7 @@ patchesStrategicMerge:
template: template:
spec: spec:
clusterConfiguration: clusterConfiguration:
imageRepository: registry.<fqdn>/kubeadm imageRepository: registry.{{ _template.fqdn }}/kubeadm
- |- - |-
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate kind: KubeadmConfigTemplate
@@ -36,7 +37,7 @@ patchesStrategicMerge:
files: files:
- encoding: base64 - encoding: base64
content: | content: |
IyEvYmluL2Jhc2gKdm10b29sc2QgLS1jbWQgJ2luZm8tZ2V0IGd1ZXN0aW5mby5vdmZFbnYnID4gL3RtcC9vdmZlbnYKCklQQWRkcmVzcz0kKHNlZCAtbiAncy8uKlByb3BlcnR5IG9lOmtleT0iZ3Vlc3RpbmZvLmludGVyZmFjZS4wLmlwLjAuYWRkcmVzcyIgb2U6dmFsdWU9IlwoW14iXSpcKS4qL1wxL3AnIC90bXAvb3ZmZW52KQpTdWJuZXRNYXNrPSQoc2VkIC1uICdzLy4qUHJvcGVydHkgb2U6a2V5PSJndWVzdGluZm8uaW50ZXJmYWNlLjAuaXAuMC5uZXRtYXNrIiBvZTp2YWx1ZT0iXChbXiJdKlwpLiovXDEvcCcgL3RtcC9vdmZlbnYpCkdhdGV3YXk9JChzZWQgLW4gJ3MvLipQcm9wZXJ0eSBvZTprZXk9Imd1ZXN0aW5mby5pbnRlcmZhY2UuMC5yb3V0ZS4wLmdhdGV3YXkiIG9lOnZhbHVlPSJcKFteIl0qXCkuKi9cMS9wJyAvdG1wL292ZmVudikKRE5TPSQoc2VkIC1uICdzLy4qUHJvcGVydHkgb2U6a2V5PSJndWVzdGluZm8uZG5zLnNlcnZlcnMiIG9lOnZhbHVlPSJcKFteIl0qXCkuKi9cMS9wJyAvdG1wL292ZmVudikKTUFDQWRkcmVzcz0kKHNlZCAtbiAncy8uKnZlOkFkYXB0ZXIgdmU6bWFjPSJcKFteIl0qXCkuKi9cMS9wJyAvdG1wL292ZmVudikKCm1hc2syY2lkcigpIHsKICBjPTAKICB4PTAkKCBwcmludGYgJyVvJyAkezEvLy4vIH0gKQoKICB3aGlsZSBbICR4IC1ndCAwIF07IGRvCiAgICBsZXQgYys9JCgoeCUyKSkgJ3g+Pj0xJwogIGRvbmUKCiAgZWNobyAkYwp9CgpQcmVmaXg9JChtYXNrMmNpZHIgJFN1Ym5ldE1hc2spCgpjYXQgPiAvZXRjL25ldHBsYW4vMDEtbmV0Y2ZnLnlhbWwgPDxFT0YKbmV0d29yazoKICB2ZXJzaW9uOiAyCiAgcmVuZGVyZXI6IG5ldHdvcmtkCiAgZXRoZXJuZXRzOgogICAgaWQwOgogICAgICBzZXQtbmFtZTogZXRoMAogICAgICBtYXRjaDoKICAgICAgICBtYWNhZGRyZXNzOiAkTUFDQWRkcmVzcwogICAgICBhZGRyZXNzZXM6CiAgICAgICAgLSAkSVBBZGRyZXNzLyRQcmVmaXgKICAgICAgZ2F0ZXdheTQ6ICRHYXRld2F5CiAgICAgIG5hbWVzZXJ2ZXJzOgogICAgICAgIGFkZHJlc3NlcyA6IFskRE5TXQpFT0YKcm0gL2V0Yy9uZXRwbGFuLzUwKi55YW1sIC1mCgpzdWRvIG5ldHBsYW4gYXBwbHk= {{ _template.script.encoded }}
permissions: '0744' permissions: '0744'
- content: | - content: |
network: {config: disabled} network: {config: disabled}
@@ -59,7 +60,7 @@ patchesJson6902:
value: value:
encoding: base64 encoding: base64
content: | content: |
IyEvYmluL2Jhc2gKdm10b29sc2QgLS1jbWQgJ2luZm8tZ2V0IGd1ZXN0aW5mby5vdmZFbnYnID4gL3RtcC9vdmZlbnYKCklQQWRkcmVzcz0kKHNlZCAtbiAncy8uKlByb3BlcnR5IG9lOmtleT0iZ3Vlc3RpbmZvLmludGVyZmFjZS4wLmlwLjAuYWRkcmVzcyIgb2U6dmFsdWU9IlwoW14iXSpcKS4qL1wxL3AnIC90bXAvb3ZmZW52KQpTdWJuZXRNYXNrPSQoc2VkIC1uICdzLy4qUHJvcGVydHkgb2U6a2V5PSJndWVzdGluZm8uaW50ZXJmYWNlLjAuaXAuMC5uZXRtYXNrIiBvZTp2YWx1ZT0iXChbXiJdKlwpLiovXDEvcCcgL3RtcC9vdmZlbnYpCkdhdGV3YXk9JChzZWQgLW4gJ3MvLipQcm9wZXJ0eSBvZTprZXk9Imd1ZXN0aW5mby5pbnRlcmZhY2UuMC5yb3V0ZS4wLmdhdGV3YXkiIG9lOnZhbHVlPSJcKFteIl0qXCkuKi9cMS9wJyAvdG1wL292ZmVudikKRE5TPSQoc2VkIC1uICdzLy4qUHJvcGVydHkgb2U6a2V5PSJndWVzdGluZm8uZG5zLnNlcnZlcnMiIG9lOnZhbHVlPSJcKFteIl0qXCkuKi9cMS9wJyAvdG1wL292ZmVudikKTUFDQWRkcmVzcz0kKHNlZCAtbiAncy8uKnZlOkFkYXB0ZXIgdmU6bWFjPSJcKFteIl0qXCkuKi9cMS9wJyAvdG1wL292ZmVudikKCm1hc2syY2lkcigpIHsKICBjPTAKICB4PTAkKCBwcmludGYgJyVvJyAkezEvLy4vIH0gKQoKICB3aGlsZSBbICR4IC1ndCAwIF07IGRvCiAgICBsZXQgYys9JCgoeCUyKSkgJ3g+Pj0xJwogIGRvbmUKCiAgZWNobyAkYwp9CgpQcmVmaXg9JChtYXNrMmNpZHIgJFN1Ym5ldE1hc2spCgpjYXQgPiAvZXRjL25ldHBsYW4vMDEtbmV0Y2ZnLnlhbWwgPDxFT0YKbmV0d29yazoKICB2ZXJzaW9uOiAyCiAgcmVuZGVyZXI6IG5ldHdvcmtkCiAgZXRoZXJuZXRzOgogICAgaWQwOgogICAgICBzZXQtbmFtZTogZXRoMAogICAgICBtYXRjaDoKICAgICAgICBtYWNhZGRyZXNzOiAkTUFDQWRkcmVzcwogICAgICBhZGRyZXNzZXM6CiAgICAgICAgLSAkSVBBZGRyZXNzLyRQcmVmaXgKICAgICAgZ2F0ZXdheTQ6ICRHYXRld2F5CiAgICAgIG5hbWVzZXJ2ZXJzOgogICAgICAgIGFkZHJlc3NlcyA6IFskRE5TXQpFT0YKcm0gL2V0Yy9uZXRwbGFuLzUwKi55YW1sIC1mCgpzdWRvIG5ldHBsYW4gYXBwbHk= {{ _template.script.encoded }}
permissions: '0744' permissions: '0744'
- op: add - op: add
path: /spec/kubeadmConfigSpec/files/- path: /spec/kubeadmConfigSpec/files/-
@@ -81,21 +82,19 @@ patchesJson6902:
kind: KubeadmConfigTemplate kind: KubeadmConfigTemplate
name: .* name: .*
patch: |- patch: |-
{% for cmd in _template.runcmds %}
- op: add - op: add
path: /spec/template/spec/preKubeadmCommands/- path: /spec/template/spec/preKubeadmCommands/-
value: update-ca-certificates value: {{ cmd }}
- op: add {% endfor %}
path: /spec/template/spec/preKubeadmCommands/-
value: bash /root/network.sh
- target: - target:
group: controlplane.cluster.x-k8s.io group: controlplane.cluster.x-k8s.io
version: v1beta1 version: v1beta1
kind: KubeadmControlPlane kind: KubeadmControlPlane
name: .* name: .*
patch: |- patch: |-
{% for cmd in _template.runcmds %}
- op: add - op: add
path: /spec/kubeadmConfigSpec/preKubeadmCommands/- path: /spec/template/spec/preKubeadmCommands/-
value: update-ca-certificates value: {{ cmd }}
- op: add {% endfor %}
path: /spec/kubeadmConfigSpec/preKubeadmCommands/-
value: bash /root/network.sh

16
ansible/vars/metacluster.yml
View File

@@ -60,7 +60,7 @@ components:
chart_values: !unsafe | chart_values: !unsafe |
configs: configs:
secret: secret:
argocdServerAdminPassword: "{{ vapp['guestinfo.rootpw'] | password_hash('bcrypt') }}" argocdServerAdminPassword: "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}"
server: server:
extraArgs: extraArgs:
- --insecure - --insecure
@@ -104,7 +104,7 @@ components:
gitea: gitea:
admin: admin:
username: administrator username: administrator
password: "{{ vapp['guestinfo.rootpw'] }}" password: "{{ vapp['metacluster.password'] }}"
email: admin@{{ vapp['metacluster.fqdn'] }} email: admin@{{ vapp['metacluster.fqdn'] }}
config: config:
server: server:
@@ -141,7 +141,7 @@ components:
certSource: none certSource: none
enabled: false enabled: false
externalURL: https://registry.{{ vapp['metacluster.fqdn'] }} externalURL: https://registry.{{ vapp['metacluster.fqdn'] }}
harborAdminPassword: "{{ vapp['guestinfo.rootpw'] }}" harborAdminPassword: "{{ vapp['metacluster.password'] }}"
notary: notary:
enabled: false enabled: false
persistence: persistence:
@@ -180,21 +180,21 @@ components:
ca: ca:
bootstrap: bootstrap:
postInitHook: | postInitHook: |
echo '{{ vapp["guestinfo.rootpw"] }}' > ~/pwfile echo '{{ vapp["metacluster.password"] }}' > ~/pwfile
step ca provisioner add acme \ step ca provisioner add acme \
--type ACME \ --type ACME \
--password-file=~/pwfile \ --password-file=~/pwfile \
--force-cn --force-cn
rm ~/pwfile rm ~/pwfile
dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1 dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1
password: "{{ vapp['guestinfo.rootpw'] }}" password: "{{ vapp['metacluster.password'] }}"
provisioner: provisioner:
name: admin name: admin
password: "{{ vapp['guestinfo.rootpw'] }}" password: "{{ vapp['metacluster.password'] }}"
inject: inject:
secrets: secrets:
ca_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}" ca_password: "{{ vapp['metacluster.password'] | b64encode }}"
provisioner_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}" provisioner_password: "{{ vapp['metacluster.password'] | b64encode }}"
service: service:
targetPort: 9000 targetPort: 9000

2
scripts/Update-OvfConfiguration.yml
View File

@@ -39,7 +39,7 @@ PropertyCategories:
Configurations: '*' Configurations: '*'
UserConfigurable: true UserConfigurable: true
- Key: guestinfo.rootpw - Key: metacluster.password
Type: password(7..) Type: password(7..)
Label: Local root password* Label: Local root password*
Description: '' Description: ''