feat:Explicitly configure NTP servers (WIP)

.drone.yml

@@ -0,0 +1,188 @@
+kind: pipeline
+type: kubernetes
+name: 'Packer Build'
+
+volumes:
+- name: output
+  claim:
+    name: flexvolsmb-drone-output
+- name: scratch
+  claim:
+    name: flexvolsmb-drone-scratch
+
+steps:
+- name: Debugging information
+  image: bv11-cr01.bessems.eu/library/packer-extended
+  pull: always
+  commands:
+  - ansible --version
+  - ovftool --version
+  - packer --version
+  - yamllint --version
+
+- name: Linting
+  depends_on:
+  - Debugging information
+  image: bv11-cr01.bessems.eu/library/packer-extended
+  pull: always
+  commands:
+  - |
+    yamllint -d "{extends: relaxed, rules: {line-length: disable}}" \
+      ansible \
+      packer/preseed/UbuntuServer22.04/user-data \
+      scripts
+
+- name: Install Ansible Galaxy collections
+  depends_on:
+  - Linting
+  image: bv11-cr01.bessems.eu/library/packer-extended
+  pull: always
+  commands:
+  - |
+    ansible-galaxy collection install \
+      -r ansible/requirements.yml \
+      -p ./ansible/collections
+  volumes:
+  - name: scratch
+    path: /scratch
+
+- name: Kubernetes Bootstrap Appliance
+  depends_on:
+  - Install Ansible Galaxy collections
+  image: bv11-cr01.bessems.eu/library/packer-extended
+  pull: always
+  commands:
+  - |
+    sed -i -e "s/<<img-password>>/$${SSH_PASSWORD}/g" \
+      packer/preseed/UbuntuServer22.04/user-data
+  - |
+    export K8S_VERSION=$(yq '.components.clusterapi.workload.version.k8s' < ./ansible/vars/metacluster.yml)
+  - |
+    packer init -upgrade \
+      ./packer
+  - |
+    packer validate \
+      -only=vsphere-iso.bootstrap \
+      -var vm_name=${DRONE_BUILD_NUMBER}-${DRONE_COMMIT_SHA:0:10}-$(openssl rand -hex 3) \
+      -var docker_username=$${DOCKER_USERNAME} \
+      -var docker_password=$${DOCKER_PASSWORD} \
+      -var repo_username=$${REPO_USERNAME} \
+      -var repo_password=$${REPO_PASSWORD} \
+      -var ssh_password=$${SSH_PASSWORD} \
+      -var vsphere_password=$${VSPHERE_PASSWORD} \
+      -var k8s_version=$K8S_VERSION \
+      ./packer
+  - |
+    packer build \
+      -on-error=cleanup -timestamp-ui \
+      -only=vsphere-iso.bootstrap \
+      -var vm_name=${DRONE_BUILD_NUMBER}-${DRONE_COMMIT_SHA:0:10}-$(openssl rand -hex 3) \
+      -var docker_username=$${DOCKER_USERNAME} \
+      -var docker_password=$${DOCKER_PASSWORD} \
+      -var repo_username=$${REPO_USERNAME} \
+      -var repo_password=$${REPO_PASSWORD} \
+      -var ssh_password=$${SSH_PASSWORD} \
+      -var vsphere_password=$${VSPHERE_PASSWORD} \
+      -var k8s_version=$K8S_VERSION \
+      ./packer
+  environment:
+    DOCKER_USERNAME:
+      from_secret: docker_username
+    DOCKER_PASSWORD:
+      from_secret: docker_password
+    # PACKER_LOG: 1
+    REPO_USERNAME:
+      from_secret: repo_username
+    REPO_PASSWORD:
+      from_secret: repo_password
+    SSH_PASSWORD:
+      from_secret: ssh_password
+    VSPHERE_PASSWORD:
+      from_secret: vsphere_password
+  volumes:
+  - name: output
+    path: /output
+  - name: scratch
+    path: /scratch
+
+- name: Kubernetes Upgrade Appliance
+  depends_on:
+  - Install Ansible Galaxy collections
+  image: bv11-cr01.bessems.eu/library/packer-extended
+  pull: alwaysquery(
+  commands:
+  - |
+    sed -i -e "s/<<img-password>>/$${SSH_PASSWORD}/g" \
+      packer/preseed/UbuntuServer22.04/user-data
+  - |
+    export K8S_VERSION=$(yq '.components.clusterapi.workload.version.k8s' < ./ansible/vars/metacluster.yml)
+  - |
+    packer init -upgrade \
+      ./packer
+  - |
+    packer validate \
+      -only=vsphere-iso.upgrade \
+      -var vm_name=${DRONE_BUILD_NUMBER}-${DRONE_COMMIT_SHA:0:10}-$(openssl rand -hex 3) \
+      -var docker_username=$${DOCKER_USERNAME} \
+      -var docker_password=$${DOCKER_PASSWORD} \
+      -var repo_username=$${REPO_USERNAME} \
+      -var repo_password=$${REPO_PASSWORD} \
+      -var ssh_password=$${SSH_PASSWORD} \
+      -var vsphere_password=$${VSPHERE_PASSWORD} \
+      -var k8s_version=$K8S_VERSION \
+      ./packer
+  - |
+    packer build \
+      -on-error=cleanup -timestamp-ui \
+      -only=vsphere-iso.upgrade \
+      -var vm_name=${DRONE_BUILD_NUMBER}-${DRONE_COMMIT_SHA:0:10}-$(openssl rand -hex 3) \
+      -var docker_username=$${DOCKER_USERNAME} \
+      -var docker_password=$${DOCKER_PASSWORD} \
+      -var repo_username=$${REPO_USERNAME} \
+      -var repo_password=$${REPO_PASSWORD} \
+      -var ssh_password=$${SSH_PASSWORD} \
+      -var vsphere_password=$${VSPHERE_PASSWORD} \
+      -var k8s_version=$K8S_VERSION \
+      ./packer
+  environment:
+    DOCKER_USERNAME:
+      from_secret: docker_username
+    DOCKER_PASSWORD:
+      from_secret: docker_password
+    # PACKER_LOG: 1
+    REPO_USERNAME:
+      from_secret: repo_username
+    REPO_PASSWORD:
+      from_secret: repo_password
+    SSH_PASSWORD:
+      from_secret: ssh_password
+    VSPHERE_PASSWORD:
+      from_secret: vsphere_password
+  volumes:
+  - name: output
+    path: /output
+  - name: scratch
+    path: /scratch
+
+- name: Remove temporary resources
+  depends_on:
+  - Kubernetes Bootstrap Appliance
+  - Kubernetes Upgrade Appliance
+  image: bv11-cr01.bessems.eu/library/packer-extended
+  commands:
+  - |
+    pwsh -file scripts/Remove-Resources.ps1 \
+      -VMName $DRONE_BUILD_NUMBER-${DRONE_COMMIT_SHA:0:10} \
+      -VSphereFQDN 'bv11-vc.bessems.lan' \
+      -VSphereUsername 'administrator@vsphere.local' \
+      -VSpherePassword $${VSPHERE_PASSWORD}
+  environment:
+    VSPHERE_PASSWORD:
+      from_secret: vsphere_password
+  volumes:
+  - name: scratch
+    path: /scratch
+  when:
+    status:
+    - success
+    - failure

.gitea/workflows/actions.yaml

@@ -1,145 +0,0 @@
-name: Container & Helm chart
-on: [push]
-
-jobs:
-  linting:
-    name: Linting
-    runs-on: dind-rootless
-    steps:
-      - name: Check out repository code
-        uses: actions/checkout@v4
-      - name: yamllint
-        uses: bewuethr/yamllint-action@v1
-        with:
-          config-file: .yamllint.yaml
-
-  semrel_dryrun:
-    name: Semantic Release (Dry-run)
-    runs-on: dind-rootless
-    outputs:
-      version: ${{ steps.sem_rel.outputs.version }}
-    steps:
-      - name: Check out repository code
-        uses: actions/checkout@v4
-      - name: Setup Node
-        uses: actions/setup-node@v3
-        with:
-          node-version: 20
-      - name: Install dependencies
-        run: |
-          npm install \
-            semantic-release \
-            @semantic-release/commit-analyzer \
-            @semantic-release/exec
-      - name: Semantic Release (dry-run)
-        id: sem_rel
-        run: |
-          npx semantic-release \
-            --package @semantic-release/exec \
-            --package semantic-release \
-            --branches ${{ gitea.refname }} \
-            --tag-format 'v${version}' \
-            --dry-run \
-            --plugins @semantic-release/commit-analyzer,@semantic-release/exec \
-            --analyzeCommits @semantic-release/commit-analyzer \
-            --verifyRelease @semantic-release/exec \
-            --verifyReleaseCmd 'echo "version=${nextRelease.version}" >> $GITHUB_OUTPUT'
-        env:
-          GIT_CREDENTIALS: ${{ secrets.GIT_USERNAME }}:${{ secrets.GIT_APIKEY }}
-      - name: Assert semantic release output
-        run: |
-          [[ -z "${{ steps.sem_rel.outputs.version }}" ]] && {
-            echo 'No release tag - exiting'; exit 1
-          } || {
-            echo 'Release tag set correctly: ${{ steps.sem_rel.outputs.version }}'; exit 0
-          }
-
-  build_image:
-    name: Kubernetes Bootstrap Appliance
-    container: code.spamasaurus.com/djpbessems/packer-extended:1.3.0
-    runs-on: dind-rootless
-    needs: [semrel_dryrun, linting]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Parse Kubernetes version
-        uses: mikefarah/yq@master
-        id: get_k8sversion
-        with:
-          cmd: yq '.components.clusterapi.workload.version.k8s' ansible/vars/metacluster.yml
-      - name: Set up packer
-        uses: hashicorp/setup-packer@main
-        id: setup
-        with:
-          version: "latest"
-      - name: Prepare build environment
-        id: init
-        run: |
-          packer init -upgrade ./packer
-
-          ansible-galaxy collection install \
-            -r ansible/requirements.yml \
-            -p ./ansible/collections
-
-          echo "BUILD_COMMIT=$(echo ${{ gitea.sha }} | cut -c 1-10)" >> $GITHUB_ENV
-          echo "BUILD_SUFFIX=$(openssl rand -hex 3)" >> $GITHUB_ENV
-      - name: Validate packer template files
-        id: validate
-        run: |
-          packer validate \
-            -only=vsphere-iso.bootstrap \
-            -var vm_name=${{ gitea.run_number }}-${BUILD_COMMIT}-${BUILD_SUFFIX} \
-            -var docker_username=${{ secrets.DOCKER_USERNAME }} \
-            -var docker_password=${{ secrets.DOCKER_PASSWORD }} \
-            -var repo_username=${{ secrets.REPO_USERNAME }} \
-            -var repo_password=${{ secrets.REPO_PASSWORD }} \
-            -var ssh_password=${{ secrets.SSH_PASSWORD }} \
-            -var hv_password=${{ secrets.HV_PASSWORD }} \
-            -var k8s_version=${{ steps.get_k8sversion.outputs.result }} \
-            -var appliance_version=${{ needs.semrel_dryrun.outputs.version }} \
-            ./packer
-      - name: Build packer template
-        run: |
-          packer build \
-            -on-error=cleanup -timestamp-ui \
-            -only=vsphere-iso.bootstrap \
-            -var vm_name=${{ gitea.run_number }}-${BUILD_COMMIT}-${BUILD_SUFFIX} \
-            -var docker_username=${{ secrets.DOCKER_USERNAME }} \
-            -var docker_password=${{ secrets.DOCKER_PASSWORD }} \
-            -var repo_username=${{ secrets.REPO_USERNAME }} \
-            -var repo_password=${{ secrets.REPO_PASSWORD }} \
-            -var ssh_password=${{ secrets.SSH_PASSWORD }} \
-            -var hv_password=${{ secrets.HV_PASSWORD }} \
-            -var k8s_version=${{ steps.get_k8sversion.outputs.result }} \
-            -var appliance_version=${{ needs.semrel_dryrun.outputs.version }} \
-            ./packer
-        # env:
-        #   PACKER_LOG: 1
-
-  # semrel:
-  #   name: Semantic Release
-  #   runs-on: dind-rootless
-  #   needs: [build_container, build_chart]
-  #   steps:
-  #     - name: Check out repository code
-  #       uses: actions/checkout@v3
-  #     - name: Setup Node
-  #       uses: actions/setup-node@v3
-  #       with:
-  #         node-version: 20
-  #     - name: Install dependencies
-  #       run: |
-  #         npm install \
-  #           semantic-release \
-  #           @semantic-release/changelog \
-  #           @semantic-release/commit-analyzer \
-  #           @semantic-release/git \
-  #           @semantic-release/release-notes-generator
-  #     - name: Semantic Release
-  #       run: |
-  #         npx semantic-release \
-  #           --branches ${{ gitea.refname }} \
-  #           --tag-format 'v${version}' \
-  #           --plugins @semantic-release/commit-analyzer,@semantic-release/release-notes-generator,@semantic-release/changelog,@semantic-release/git
-  #       env:
-  #         GIT_CREDENTIALS: ${{ secrets.GIT_USERNAME }}:${{ secrets.GIT_APIKEY }}

.gitignore

@@ -1,4 +0,0 @@
-**/hv.vcenter.yaml
-**/ova.bootstrap.yaml
-**/pb.secrets.yaml
-**/pwdfile

.yamllint.yaml

@@ -1,4 +0,0 @@
-extends: relaxed
-
-rules:
-  line-length: disable

ansible/roles/assets/tasks/containerimages.yml

@@ -1,4 +1,4 @@
-- name: Parse Cluster-API manifests for container images
+- name: Parse manifests for container images
   ansible.builtin.shell:
     # This set of commands is necessary to deal with multi-line scalar values
     # eg.:
@@ -9,17 +9,11 @@
       cat {{ item.dest }} | yq --no-doc eval '.. | .image? | select(.)' | awk '!/ /';
       cat {{ item.dest }} | yq eval '.data.data' | yq --no-doc eval '.. | .image? | select(.)';
       cat {{ item.dest }} | yq --no-doc eval '.. | .files? | with_entries(select(.value.path == "*.yaml")).[0].content' | awk '!/null/' | yq eval '.. | .image? | select(.)'
-  register: clusterapi_parsedmanifests
+  register: parsedmanifests
   loop: "{{ clusterapi_manifests.results }}"
   loop_control:
     label: "{{ item.dest | basename }}"
 
-- name: Parse pinniped manifest for container images
-  ansible.builtin.shell:
-    cmd: >-
-      cat {{ pinniped_manifest.dest }} | yq --no-doc eval '.. | .image? | select(.)' | awk '!/ /';
-  register: pinniped_parsedmanifest
-
 - name: Parse metacluster helm charts for container images
   ansible.builtin.shell:
     cmd: "{{ item.value.helm.parse_logic }}"
@@ -47,10 +41,8 @@
       results: "{{ (chartimages_metacluster | json_query('results[*].stdout_lines')) + (chartimages_workloadcluster | json_query('results[*].stdout_lines')) | select() | flatten | list }}"
     - source: kubeadm
       results: "{{ kubeadmimages.stdout_lines }}"
-    - source: clusterapi
+    - source: manifests
-      results: "{{ clusterapi_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
+      results: "{{ parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
-    - source: pinniped
-      results: "{{ pinniped_parsedmanifest.stdout_lines }}"
   loop_control:
     label: "{{ item.source }}"
 
@@ -72,4 +64,4 @@
         docker://{{ item }} \
         docker-archive:./{{ ( item | regex_findall('[^/:]+'))[-2] }}_{{ lookup('ansible.builtin.password', '/dev/null length=5 chars=ascii_lowercase,digits seed={{ item }}') }}.tar:{{ item }}
     chdir: /opt/metacluster/container-images
-  loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_clusterapi + containerimages_pinniped + dependencies.container_images) | flatten | unique | sort }}"
+  loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_manifests + dependencies.container_images) | flatten | unique | sort }}"

ansible/roles/assets/tasks/main.yml

@@ -16,7 +16,8 @@
     - /opt/metacluster/helm-charts
     - /opt/metacluster/k3s
     - /opt/metacluster/kube-vip
-    - /opt/metacluster/pinniped
+    - /opt/workloadcluster/git-repositories/gitops/charts
+    - /opt/workloadcluster/git-repositories/gitops/values
     - /opt/workloadcluster/helm-charts
     - /opt/workloadcluster/node-templates
     - /var/lib/rancher/k3s/agent/images
@@ -29,3 +30,4 @@
 - import_tasks: manifests.yml
 - import_tasks: kubeadm.yml
 - import_tasks: containerimages.yml
+- import_tasks: nodetemplates.yml

ansible/roles/assets/tasks/manifests.yml

@@ -1,6 +1,6 @@
 - block:
 
-    - name: Aggregate meta-cluster chart_values into dict
+    - name: Aggregate chart_values into dict
       ansible.builtin.set_fact:
         metacluster_chartvalues: "{{ metacluster_chartvalues | default({}) | combine({ item.key: { 'chart_values': (item.value.helm.chart_values | from_yaml) } }) }}"
       when: item.value.helm.chart_values is defined
@@ -8,34 +8,22 @@
       loop_control:
         label: "{{ item.key }}"
 
-    - name: Combine and write dict to vars_file
+    - name: Write dict to vars_file
       ansible.builtin.copy:
         dest: /opt/firstboot/ansible/vars/metacluster.yml
         content: >-
           {{
             { 'components': (
               metacluster_chartvalues |
-              combine({ 'clusterapi'            : components['clusterapi'] }) |
+              combine({ 'clusterapi': components.clusterapi }) |
-              combine({ 'kubevip'               : components['kubevip'] }) |
+              combine({ 'kubevip'   : components.kubevip }) )
-              combine({ 'localuserauthenticator': components['pinniped']['local-user-authenticator'] })),
-              'appliance': {
-                'version': (applianceversion)
-              }
             } | to_nice_yaml(indent=2, width=4096)
           }}
 
-    - name: Aggregate workload-cluster chart_values into dict
+    - name: Aggregate chart_values into dict
       ansible.builtin.set_fact:
-        workloadcluster_chartvalues: |
+        workloadcluster_chartvalues: "{{ workloadcluster_chartvalues | default({}) | combine({ item.key: { 'chart_values': (item.value.chart_values | default('') | from_yaml) } }) }}"
-          {{
+      # when: item.value.chart_values is defined
-            workloadcluster_chartvalues | default({}) | combine({
-              item.key: {
-                'chart_values': (item.value.chart_values | default('') | from_yaml),
-                'extra_manifests': (item.value.extra_manifests | default([])),
-                'namespace': (item.value.namespace)
-              }
-            })
-          }}
       loop: "{{ query('ansible.builtin.dict', downstream.helm_charts) }}"
       loop_control:
         label: "{{ item.key }}"
@@ -49,7 +37,7 @@
             } | to_nice_yaml(indent=2, width=4096)
           }}
 
-- name: Download Cluster-API manifests
+- name: Download ClusterAPI manifests
   ansible.builtin.get_url:
     url: "{{ item.url }}"
     dest: /opt/metacluster/cluster-api/{{ item.dest }}
@@ -109,22 +97,6 @@
   delay: 5
   until: kubevip_manifest is not failed
 
-- name: Download pinniped local-user-authenticator manifest
-  ansible.builtin.get_url:
-    url: https://get.pinniped.dev/{{ components.pinniped['local-user-authenticator'].version }}/install-local-user-authenticator.yaml
-    dest: /opt/metacluster/pinniped/local-user-authenticator.yaml
-  register: pinniped_manifest
-  retries: 5
-  delay: 5
-  until: pinniped_manifest is not failed
-
-- name: Trim image hash from manifest
-  ansible.builtin.replace:
-    path: /opt/metacluster/pinniped/local-user-authenticator.yaml
-    regexp: '([ ]*image: .*)@.*'
-    replace: '\1'
-  no_log: true
-
 # - name: Inject manifests
 #   ansible.builtin.template:
 #     src: "{{ item.type }}.j2"

ansible/roles/assets/tasks/nodetemplates.yml

@@ -0,0 +1,4 @@
+- name: Download node-template image
+  ansible.builtin.uri:
+    url: "{{ components.clusterapi.workload.node_template.url }}"
+    dest: /opt/workloadcluster/node-templates/{{ components.clusterapi.workload.node_template.url | basename}}

ansible/roles/firstboot/files/ansible_payload/bootstrap/playbook.yml

@@ -2,9 +2,6 @@
 - hosts: 127.0.0.1
   connection: local
   gather_facts: true
-  vars:
-    # Needed by some templating in various tasks
-    _newline: "\n"
   vars_files:
     - defaults.yml
     - metacluster.yml

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/filter_plugins/netaddr.py

@@ -0,0 +1,14 @@
+import netaddr
+
+def netaddr_iter_iprange(ip_start, ip_end):
+    return [str(ip) for ip in netaddr.iter_iprange(ip_start, ip_end)]
+
+class FilterModule(object):
+        ''' Ansible filter. Interface to netaddr methods.
+            https://pypi.org/project/netaddr/
+        '''
+
+        def filters(self):
+            return {
+                'netaddr_iter_iprange': netaddr_iter_iprange
+            }

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml

@@ -1,176 +0,0 @@
-- block:
-
-    - name: Install dex
-      kubernetes.core.helm:
-        name: dex
-        chart_ref: /opt/metacluster/helm-charts/dex
-        release_namespace: dex
-        create_namespace: true
-        wait: false
-        kubeconfig: "{{ kubeconfig.path }}"
-        values: "{{ components['dex'].chart_values }}"
-
-- block:
-
-    - name: Install pinniped local-user-authenticator
-      kubernetes.core.k8s:
-        src: /opt/metacluster/pinniped/local-user-authenticator.yaml
-        state: present
-        kubeconfig: "{{ kubeconfig.path }}"
-
-    - name: Create local-user-authenticator accounts
-      kubernetes.core.k8s:
-        template: secret.j2
-        state: present
-        kubeconfig: "{{ kubeconfig.path }}"
-      vars:
-        _template:
-          name: "{{ item.username }}"
-          namespace: local-user-authenticator
-          type: ''
-          data:
-            - key: groups
-              value: "{{ 'group1,group2' | b64encode }}"
-            - key: passwordHash
-              value: "{{ item.password | b64encode }}"
-      loop: "{{ components['localuserauthenticator'].users }}"
-
-- block:
-
-    - name: Install pinniped chart
-      kubernetes.core.helm:
-        name: pinniped
-        chart_ref: /opt/metacluster/helm-charts/pinniped
-        release_namespace: pinniped-supervisor
-        create_namespace: true
-        wait: false
-        kubeconfig: "{{ kubeconfig.path }}"
-        values: "{{ components['pinniped'].chart_values }}"
-
-    - name: Add ingress for supervisor
-      kubernetes.core.k8s:
-        template: "{{ item.kind }}.j2"
-        state: present
-        kubeconfig: "{{ kubeconfig.path }}"
-      vars:
-        _template:
-          name: "{{ item.name }}"
-          namespace: "{{ item.namespace }}"
-          spec: "{{ item.spec }}"
-      loop:
-        - kind: ingressroute
-          name: pinniped-supervisor
-          namespace: pinniped-supervisor
-          spec: |2
-              entryPoints:
-              - web
-              - websecure
-              routes:
-              - kind: Rule
-                match: Host(`auth.{{ vapp['metacluster.fqdn'] }}`)
-                services:
-                - kind: Service
-                  name: pinniped-supervisor
-                  namespace: pinniped-supervisor
-                  port: 443
-                  scheme: https
-                  serversTransport: pinniped-supervisor
-        - kind: serverstransport
-          name: pinniped-supervisor
-          namespace: pinniped-supervisor
-          spec: |2
-              insecureSkipVerify: true
-              serverName: auth.{{ vapp['metacluster.fqdn'] }}
-      loop_control:
-        label: "{{ item.kind ~ '/' ~ item.name ~ ' (' ~ item.namespace ~ ')' }}"
-
-    - name: Ensure pinniped API availability
-      ansible.builtin.uri:
-        url: https://auth.{{ vapp['metacluster.fqdn'] }}/healthz
-        method: GET
-      register: api_readycheck
-      until:
-        - api_readycheck.status == 200
-        - api_readycheck.msg is search("OK")
-      retries: "{{ playbook.retries }}"
-      delay: "{{ ((storage_benchmark | float) * playbook.delay.short) | int }}"
-
-    # TODO: Migrate to step-ca
-    - name: Initialize tempfile
-      ansible.builtin.tempfile:
-        state: directory
-      register: certificate
-
-    - name: Create private key (RSA, 4096 bits)
-      community.crypto.openssl_privatekey:
-        path: "{{ certificate.path }}/certificate.key"
-
-    - name: Create self-signed certificate
-      community.crypto.x509_certificate:
-        path: "{{ certificate.path }}/certificate.crt"
-        privatekey_path: "{{ certificate.path }}/certificate.key"
-        provider: selfsigned
-
-    - name: Store self-signed certificate for use by pinniped supervisor
-      kubernetes.core.k8s:
-        template: secret.j2
-        state: present
-        kubeconfig: "{{ kubeconfig.path }}"
-      vars:
-        _template:
-          name: pinniped-supervisor-tls
-          namespace: pinniped-supervisor
-          type: kubernetes.io/tls
-          data:
-            - key: tls.crt
-              value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.crt') | b64encode }}"
-            - key: tls.key
-              value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.key') | b64encode }}"
-    # TODO: Migrate to step-ca
-
-    - name: Create pinniped resources
-      kubernetes.core.k8s:
-        template: "{{ item.kind }}.j2"
-        state: present
-        kubeconfig: "{{ kubeconfig.path }}"
-      vars:
-        _template:
-          name: "{{ item.name }}"
-          namespace: "{{ item.namespace }}"
-          type: "{{ item.type | default('') }}"
-          data: "{{ item.data | default(omit) }}"
-          spec: "{{ item.spec | default(omit) }}"
-      loop:
-        - kind: oidcidentityprovider
-          name: dex-staticpasswords
-          namespace: pinniped-supervisor
-          spec: |2
-              issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
-              tls:
-                certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ _newline ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
-              authorizationConfig:
-                additionalScopes: [offline_access, groups, email]
-                allowPasswordGrant: false
-              claims:
-                username: email
-                groups: groups
-              client:
-                secretName: dex-clientcredentials
-        - kind: secret
-          name: dex-clientcredentials
-          namespace: pinniped-supervisor
-          type: secrets.pinniped.dev/oidc-client
-          data:
-            - key: clientID
-              value: "{{ 'pinniped-supervisor' | b64encode }}"
-            - key: clientSecret
-              value: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) | b64encode }}"
-        - kind: federationdomain
-          name: metacluster-sso
-          namespace: pinniped-supervisor
-          spec: |2
-              issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
-              tls:
-                secretName: pinniped-supervisor-tls
-      loop_control:
-        label: "{{ item.kind ~ '/' ~ item.name }}"

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml

@@ -1,40 +1,15 @@
 - block:
 
-    - name: Import generated values file into dictionary and combine with custom values
+    - name: Initialize tempfile
-      ansible.builtin.set_fact:
+      ansible.builtin.tempfile:
-        values_initial: |
+        state: file
-          {{
+      register: values_file
-            lookup('ansible.builtin.file', stepconfig.path) | from_yaml |
-            combine( components['step-certificates'].chart_values | from_yaml, recursive=True, list_merge='append')
-          }}
 
-    - name: Duplicate default provisioner with modified claims
+    - name: Write chart values w/ password to tempfile
-      ansible.builtin.set_fact:
+      ansible.builtin.copy:
-        values_new: |
+        dest: "{{ values_file.path }}"
-          {{
+        content: "{{ stepca_values.stdout | regex_replace('(ca_password|provisioner_password): ', '\\1: ' ~ (vapp['metacluster.password'] | b64encode)) }}"
-            values_initial |
+      no_log: true
-              combine({'inject':{'config':{'files':{'ca.json':{'authority': {'provisioners': [
-                values_initial.inject.config.files['ca.json'].authority.provisioners[0] | combine({'name':'long-lived', 'claims':{'maxTLSCertDuration':'87660h'}})
-              ]}}}}}}, list_merge='append_rp', recursive=true)
-          }}
-
-    # We're facing several bugs or niche cases that result in incorrect output, despite being behaviour by design:
-    # - Ansible's `to_yaml` filter, sees `\n` escape sequences in PEM certificate strings and correctly converts them to actual newlines - without any way to prevent this
-    #   So we cannot rely on Ansible to (re)create the helm chart values file
-    # - Python's yaml interpreter sees strings with a value of `y` as short for `yes` or `true`, even when that string is a key name.
-    #   So we cannot use a straightforward yaml document as input for the Ansible helm module (which is written in Python)
-    #
-    # Lets explain the following workaround steps:
-    # - First we convert the dictionary to a json-object (through Ansible), so that yq can read it
-    # - Second we convert the json-object in its entirety to yaml (through yq), so that yq can actually manipulate it.
-    # - Finally, we take one specific subkey's contents (list of dictionaries) and iterate over each with the following steps (with `map`):
-    #   - Convert the dictionary to json with `tojson`
-    #   - Remove newlines (and spaces) with `sub`
-    #   - Remove outer quotes (') with `sed`
-    - name: Save updated values file
-      ansible.builtin.shell:
-        cmd: |
-          echo '{{ values_new | to_nice_json }}' | yq -p json -o yaml | yq e '.inject.config.files["ca.json"].authority.provisioners |= map(tojson | sub("[\n ]";""))' | sed -e "s/- '/- /;s/'$//" > {{ stepconfig.path }}
 
     - name: Install step-ca chart
       kubernetes.core.helm:
@@ -46,7 +21,13 @@
         wait: true
         kubeconfig: "{{ kubeconfig.path }}"
         values_files:
-          - "{{ stepconfig.path }}"
+          - "{{ values_file.path }}"
+
+    - name: Cleanup tempfile
+      ansible.builtin.file:
+        path: "{{ values_file.path }}"
+        state: absent
+      when: values_file.path is defined
 
     - name: Retrieve configmap w/ root certificate
       kubernetes.core.k8s_info:
@@ -64,7 +45,6 @@
         kubeconfig: "{{ kubeconfig.path }}"
       loop:
         - argo-cd
-        - gitea
         # - kube-system
 
     - name: Store root certificate in namespaced configmaps/secrets
@@ -78,7 +58,6 @@
           namespace: "{{ item.namespace }}"
           annotations: "{{ item.annotations | default('{}') | indent(width=4, first=True) }}"
           labels: "{{ item.labels | default('{}') | indent(width=4, first=True) }}"
-          type: "{{ item.type | default('') }}"
           data: "{{ item.data }}"
       loop:
         - name: argocd-tls-certs-cm
@@ -94,12 +73,6 @@
           data:
             - key: git.{{ vapp['metacluster.fqdn'] }}
               value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
-        - name: step-certificates-certs
-          namespace: gitea
-          kind: secret
-          data:
-            - key: ca_chain.crt
-              value: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ _newline ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
         - name: step-certificates-certs
           namespace: kube-system
           kind: secret
@@ -120,7 +93,7 @@
         _template:
           name: step-ca
           namespace: step-ca
-          spec: |2
+          config: |2
               entryPoints:
                 - websecure
               routes:

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/git.yml

@@ -32,7 +32,7 @@
         _template:
           name: gitea-ssh
           namespace: gitea
-          spec: |2
+          config: |2
               entryPoints:
                 - ssh
               routes:
@@ -55,7 +55,7 @@
         force_basic_auth: yes
         body:
           name: token_init_{{ lookup('password', '/dev/null length=5 chars=ascii_letters,digits') }}
-          scopes: ["write:user","write:organization"]
+          scopes: ["write:public_key","write:org"]
       register: gitea_api_token
 
     - name: Retrieve existing gitea configuration
@@ -111,8 +111,8 @@
             - organization: mc
               body:
                 name: GitOps.ClusterAPI
-                auto_init: true
+                # auto_init: true
-                default_branch: main
+                # default_branch: main
                 description: ClusterAPI manifests
             - organization: mc
               body:
@@ -123,15 +123,15 @@
             - organization: wl
               body:
                 name: GitOps.Config
-                auto_init: true
+                # auto_init: true
-                default_branch: main
+                # default_branch: main
                 description: GitOps manifests
             - organization: wl
               body:
-                name: ClusterAccess.Store
+                name: GitOps.HelmCharts
-                auto_init: true
+                # auto_init: true
-                default_branch: main
+                # default_branch: main
-                description: Kubeconfig files
+                description: Helm charts
           loop_control:
             label: "{{ item.organization ~ '/' ~ item.body.name }}"
 

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/ingress.yml

@@ -6,11 +6,7 @@
             initContainers:
               - name: volume-permissions
                 image: busybox:1
-                command: ["sh", "-c", "touch /data/acme.json; chown 65532 /data/acme.json; chmod -v 600 /data/acme.json"]
+                command: ["sh", "-c", "touch /data/acme.json && chmod -Rv 600 /data/* && chown 65532:65532 /data/acme.json"]
-                securityContext:
-                  runAsNonRoot: false
-                  runAsGroup: 0
-                  runAsUser: 0
                 volumeMounts:
                   - name: data
                     mountPath: /data
@@ -31,7 +27,7 @@
     _template:
       name: traefik-dashboard
       namespace: kube-system
-      spec: |2
+      config: |2
           entryPoints:
           - web
           - websecure

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml

@@ -12,15 +12,6 @@
     - registry
     - storage
 
-- name: Create step-ca config dictionary
-  ansible.builtin.set_fact:
-    stepconfig: "{{ { 'path': ansible_env.HOME ~ '/.step/config/values.yaml' } }}"
-
-- name: Create step-ca target folder
-  ansible.builtin.file:
-    path: "{{ stepconfig.path | dirname }}"
-    state: directory
-
 - name: Initialize tempfile
   ansible.builtin.tempfile:
     state: file
@@ -45,8 +36,8 @@
         --address=:9000 \
         --provisioner=admin \
         --acme \
-        --password-file={{ stepca_password.path }} | tee {{ stepconfig.path }}
+        --password-file={{ stepca_password.path }}
-    creates: "{{ stepconfig.path }}"
+  register: stepca_values
 
 - name: Cleanup tempfile
   ansible.builtin.file:
@@ -57,20 +48,12 @@
 - name: Store root CA certificate
   ansible.builtin.copy:
     dest: /usr/local/share/ca-certificates/root_ca.crt
-    content: "{{ (lookup('ansible.builtin.file', stepconfig.path) | from_yaml).inject.certificates.root_ca }}"
+    content: "{{ (stepca_values.stdout | from_yaml).inject.certificates.root_ca }}"
 
 - name: Update certificate truststore
   ansible.builtin.command:
     cmd: update-ca-certificates
 
-- name: Extract container images (for idempotency purposes)
-  ansible.builtin.unarchive:
-    src: /opt/metacluster/container-images/image-tarballs.tgz
-    dest: /opt/metacluster/container-images
-    remote_src: no
-  when:
-    - lookup('ansible.builtin.fileglob', '/opt/metacluster/container-images/*.tgz') is match('.*image-tarballs.tgz')
-
 - name: Get all stored fully qualified container image names
   ansible.builtin.shell:
     cmd: >-

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/k3s.yml

@@ -42,30 +42,19 @@
   retries: "{{ playbook.retries }}"
   delay: "{{ (storage_benchmark | int) * (playbook.delay.medium | int) }}"
 
-- name: Install tab-completion
+- name: Install kubectl tab-completion
   ansible.builtin.shell:
-    cmd: |-
+    cmd: kubectl completion bash | tee /etc/bash_completion.d/kubectl
-      {{ item }} completion bash > /etc/bash_completion.d/{{ item }}
-    creates: /etc/bash_completion.d/{{ item }}
-  loop:
-    - kubectl
-    - helm
-    - step
 
-- name: Create kubeconfig dictionary
+- name: Initialize tempfile
-  ansible.builtin.set_fact:
+  ansible.builtin.tempfile:
-    kubeconfig: "{{ { 'path': ansible_env.HOME ~ '/.kube/config' } }}"
+    state: file
-
+  register: kubeconfig
-- name: Create kubeconfig target folder
-  ansible.builtin.file:
-    path: "{{ kubeconfig.path | dirname }}"
-    state: directory
 
 - name: Retrieve kubeconfig
   ansible.builtin.command:
     cmd: kubectl config view --raw
   register: kubectl_config
-  no_log: true
 
 - name: Store kubeconfig in tempfile
   ansible.builtin.copy:

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/main.yml

@@ -1,13 +1,10 @@
 - import_tasks: init.yml
 - import_tasks: k3s.yml
 - import_tasks: assets.yml
-- import_tasks: workflow.yml
+- import_tasks: kube-vip.yml
-- import_tasks: virtualip.yml
-- import_tasks: metadata.yml
 - import_tasks: storage.yml
 - import_tasks: ingress.yml
 - import_tasks: certauthority.yml
 - import_tasks: registry.yml
 - import_tasks: git.yml
 - import_tasks: gitops.yml
-- import_tasks: authentication.yml

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/metadata.yml

@@ -1,57 +0,0 @@
-- block:
-    - name: Aggregate manifest-component versions into dictionary
-      ansible.builtin.set_fact:
-        manifest_versions: "{{ manifest_versions | default([]) + [ item | combine( {'type': 'manifest', 'id': index } ) ] }}"
-      loop:
-        - name: cluster-api
-          versions:
-            management:
-              base: "{{ components.clusterapi.management.version.base }}"
-              cert_manager: "{{ components.clusterapi.management.version.cert_manager }}"
-              infrastructure_vsphere: "{{ components.clusterapi.management.version.infrastructure_vsphere }}"
-              ipam_incluster: "{{ components.clusterapi.management.version.ipam_incluster }}"
-              cpi_vsphere: "{{ components.clusterapi.management.version.cpi_vsphere }}"
-            workload:
-              calico: "{{ components.clusterapi.workload.version.calico }}"
-              k8s: "{{ components.clusterapi.workload.version.k8s }}"
-        - name: kube-vip
-          version: "{{ components.kubevip.version }}"
-      loop_control:
-        label: "{{ item.name }}"
-        index_var: index
-
-    - name: Install json-server chart
-      kubernetes.core.helm:
-        name: json-server
-        chart_ref: /opt/metacluster/helm-charts/json-server
-        release_namespace: json-server
-        create_namespace: true
-        wait: false
-        kubeconfig: "{{ kubeconfig.path }}"
-        values: |
-          {{
-            components['json-server'].chart_values |
-            combine(
-              { 'jsonServer': { 'seedData': { 'configInline': (
-                { 'appliance': { "version": appliance.version }, 'components': manifest_versions, 'healthz': { 'status': 'running' } }
-              ) | to_json } } }
-            )
-          }}
-
-    - name: Ensure json-server API availability
-      ansible.builtin.uri:
-        url: https://version.{{ vapp['metacluster.fqdn'] }}/healthz
-        method: GET
-        # This mock REST API -ironically- does not support json encoded body argument
-        body_format: raw
-      register: api_readycheck
-      until:
-        - api_readycheck.json.status is defined
-        - api_readycheck.json.status == 'running'
-      retries: "{{ playbook.retries }}"
-      delay: "{{ (storage_benchmark | int) * (playbook.delay.long | int) }}"
-
-  module_defaults:
-    ansible.builtin.uri:
-      validate_certs: no
-      status_code: [200, 201]

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/workflow.yml

@@ -1,54 +0,0 @@
-- block:
-
-    - name: Create target namespace(s)
-      kubernetes.core.k8s:
-        name: "{{ item }}"
-        kind: Namespace
-        state: present
-        kubeconfig: "{{ kubeconfig.path }}"
-      loop:
-        # - argo-workflows
-        - firstboot
-
-    - name: Create ClusterRoleBinding for default serviceaccount
-      kubernetes.core.k8s:
-        state: present
-        kubeconfig: "{{ kubeconfig.path }}"
-        definition: |
-          kind: ClusterRoleBinding
-          metadata:
-            name: argo-workflows-firstboot-clusteradmin
-          roleRef:
-            apiGroup: rbac.authorization.k8s.io
-            kind: ClusterRole
-            name: cluster-admin
-          subjects:
-          - kind: ServiceAccount
-            name: default
-            namespace: firstboot
-
-    - name: Install argo-workflows chart
-      kubernetes.core.helm:
-        name: argo-workflows
-        chart_ref: /opt/metacluster/helm-charts/argo-workflows
-        release_namespace: argo-workflows
-        create_namespace: true
-        wait: false
-        kubeconfig: "{{ kubeconfig.path }}"
-        values: "{{ components['argo-workflows'].chart_values }}"
-
-    - name: Ensure argo workflows API availability
-      ansible.builtin.uri:
-        url: https://workflow.{{ vapp['metacluster.fqdn'] }}/api/v1/version
-        method: GET
-      register: api_readycheck
-      until:
-        - api_readycheck.json.version is defined
-      retries: "{{ playbook.retries }}"
-      delay: "{{ (storage_benchmark | int) * (playbook.delay.long | int) }}"
-
-  module_defaults:
-    ansible.builtin.uri:
-      validate_certs: no
-      status_code: [200, 201]
-      body_format: json

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/authentication.yml

@@ -1,40 +0,0 @@
-- name: Initialize tempfolder
-  ansible.builtin.tempfile:
-    state: directory
-  register: pinniped_kubeconfig
-
-- name: Pull existing repository
-  ansible.builtin.git:
-    repo: https://git.{{ vapp['metacluster.fqdn'] }}/wl/ClusterAccess.Store.git
-    dest: "{{ pinniped_kubeconfig.path }}"
-    version: main
-
-- name: Generate kubeconfig
-  ansible.builtin.shell:
-    cmd: pinniped get kubeconfig --kubeconfig {{ capi_kubeconfig.path }}
-  register: pinniped_config
-  until:
-    - pinniped_config is not failed
-  retries: "{{ playbook.retries }}"
-  delay: "{{ ((storage_benchmark | float) * playbook.delay.short) | int }}"
-
-- name: Store kubeconfig in tempfile
-  ansible.builtin.copy:
-    dest: "{{ pinniped_kubeconfig.path }}/kubeconfig"
-    content: "{{ pinniped_config.stdout }}"
-    mode: 0600
-  no_log: true
-
-- name: Push git repository
-  lvrfrc87.git_acp.git_acp:
-    path: "{{ pinniped_kubeconfig.path }}"
-    branch: main
-    comment: "Upload kubeconfig files"
-    add:
-      - .
-    url: https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/wl/ClusterAccess.Store.git
-  environment:
-    GIT_AUTHOR_NAME: administrator
-    GIT_AUTHOR_EMAIL: administrator@{{ vapp['metacluster.fqdn'] }}
-    GIT_COMMITTER_NAME: administrator
-    GIT_COMMITTER_EMAIL: administrator@{{ vapp['metacluster.fqdn'] }}

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/clusterapi.yml

@@ -85,40 +85,6 @@
         --kubeconfig {{ kubeconfig.path }}
     chdir: /opt/metacluster/cluster-api
 
-- name: Initialize tempfolder
-  ansible.builtin.tempfile:
-    state: directory
-  register: capi_clustermanifest
-
-- name: Pull existing repository
-  ansible.builtin.git:
-    repo: https://git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git
-    dest: "{{ capi_clustermanifest.path }}"
-    version: main
-
-- name: Generate Cluster API provider manifests
-  ansible.builtin.shell:
-    cmd: >-
-      clusterctl generate provider \
-        -v5 \
-        --{{ item.type }} {{ item.name }}:{{ item.version }} \
-        --config ./clusterctl.yaml > {{ capi_clustermanifest.path }}/provider-{{ item.name }}.yaml
-    chdir: /opt/metacluster/cluster-api
-  loop:
-    - type: infrastructure
-      name: vsphere
-      version: "{{ components.clusterapi.management.version.infrastructure_vsphere }}"
-    - type: ipam
-      name: in-cluster
-      version: "{{ components.clusterapi.management.version.ipam_incluster }}"
-
-- name: Split cluster API provider manifests into separate files
-  ansible.builtin.shell:
-    cmd: >-
-      awk 'BEGINFILE {print "---"}{print}' {{ capi_clustermanifest.path }}/provider-*.yaml |
-      kubectl slice \
-        -o {{ capi_clustermanifest.path }}/providers
-
 - name: Ensure controller availability
   kubernetes.core.k8s_info:
     kind: Deployment
@@ -127,8 +93,8 @@
     wait: true
     kubeconfig: "{{ kubeconfig.path }}"
   loop:
-    - name: capi-ipam-in-cluster-controller-manager
+    - name: caip-in-cluster-controller-manager
-      namespace: capi-ipam-in-cluster-system
+      namespace: caip-in-cluster-system
     - name: capi-controller-manager
       namespace: capi-system
     - name: capv-controller-manager
@@ -158,21 +124,26 @@
     chdir: /opt/metacluster/cluster-api
   register: clusterctl_newcluster
 
+- name: Initialize tempfolder
+  ansible.builtin.tempfile:
+    state: directory
+  register: capi_clustermanifest
+
 - name: Save workload cluster manifest
   ansible.builtin.copy:
     dest: "{{ capi_clustermanifest.path }}/new-cluster.yaml"
     content: "{{ clusterctl_newcluster.stdout }}"
 
-- name: Split workload cluster manifest into separate files
+- name: Split manifest into separate files
   ansible.builtin.shell:
     cmd: >-
       kubectl slice \
         -f {{ capi_clustermanifest.path }}/new-cluster.yaml \
-        -o {{ capi_clustermanifest.path }}/downstream-cluster
+        -o {{ capi_clustermanifest.path }}/manifests
 
 - name: Generate nodepool kustomization manifest
   ansible.builtin.template:
-    src: kustomization.longhorn-storage.j2
+    src: kustomization.nodepool.j2
     dest: "{{ capi_clustermanifest.path }}/kustomization.yaml"
   vars:
     _template:
@@ -184,20 +155,13 @@
 
 - name: Store nodepool manifest
   ansible.builtin.copy:
-    dest: "{{ capi_clustermanifest.path }}/nodepool-worker-storage.yaml"
+    dest: "{{ capi_clustermanifest.path }}/manifests/nodepool-worker-storage.yaml"
     content: "{{ lookup('kubernetes.core.kustomize', dir=capi_clustermanifest.path) }}"
 
-- name: Split nodepool manifest into separate files
-  ansible.builtin.shell:
-    cmd: >-
-      kubectl slice \
-        -f {{ capi_clustermanifest.path }}/nodepool-worker-storage.yaml \
-        -o {{ capi_clustermanifest.path }}/downstream-cluster
-
 - name: Create in-cluster IpPool
   ansible.builtin.template:
     src: ippool.j2
-    dest: "{{ capi_clustermanifest.path }}/downstream-cluster/inclusterippool-{{ _template.cluster.name }}.yml"
+    dest: "{{ capi_clustermanifest.path }}/manifests/inclusterippool-{{ _template.cluster.name }}.yml"
   vars:
     _template:
       cluster:
@@ -209,27 +173,24 @@
           prefix: "{{ vapp['guestinfo.prefixlength'] }}"
           gateway: "{{ vapp['guestinfo.gateway'] }}"
 
-- name: Push git repository
+- name: Initialize/Push git repository
-  lvrfrc87.git_acp.git_acp:
+  ansible.builtin.shell:
-    path: "{{ capi_clustermanifest.path }}"
+    cmd: |
-    branch: main
+      git init
-    comment: "Upload manifests"
+      git config --global user.email "administrator@{{ vapp['metacluster.fqdn'] }}"
-    add:
+      git config --global user.name "administrator"
-      - ./downstream-cluster
+      git checkout -b main
-      - ./providers
+      git add ./manifests
-    clean: untracked
+      git commit -m "Upload manifests"
-    url: https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git
+      git remote add origin https://git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git
-  environment:
+      git push https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git --all
-    GIT_AUTHOR_NAME: administrator
+    chdir: "{{ capi_clustermanifest.path }}"
-    GIT_AUTHOR_EMAIL: administrator@{{ vapp['metacluster.fqdn'] }}
-    GIT_COMMITTER_NAME: administrator
-    GIT_COMMITTER_EMAIL: administrator@{{ vapp['metacluster.fqdn'] }}
 
-# - name: Cleanup tempfolder
+- name: Cleanup tempfolder
-#   ansible.builtin.file:
+  ansible.builtin.file:
-#     path: "{{ capi_clustermanifest.path }}"
+    path: "{{ capi_clustermanifest.path }}"
-#     state: absent
+    state: absent
-#   when: capi_clustermanifest.path is defined
+  when: capi_clustermanifest.path is defined
 
 - name: Configure Cluster API repository
   ansible.builtin.template:
@@ -274,7 +235,7 @@
         namespace: default
       repository:
         url: https://git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git
-        path: downstream-cluster
+        path: manifests
         revision: main
   notify:
     - Apply manifests
@@ -316,12 +277,7 @@
 # TODO: move to git repo
 - name: Apply cni plugin manifest
   kubernetes.core.k8s:
-    definition: |
+    src: /opt/metacluster/cluster-api/cni-calico/{{ components.clusterapi.workload.version.calico }}/calico.yaml
-      {{
-        lookup('ansible.builtin.file', '/opt/metacluster/cluster-api/cni-calico/' ~ components.clusterapi.workload.version.calico ~ '/calico.yaml') |
-          regex_replace('# - name: CALICO_IPV4POOL_CIDR', '- name: CALICO_IPV4POOL_CIDR') |
-          regex_replace('#   value: "192.168.0.0/16"',    '  value: "172.30.0.0/16"')
-      }}
     state: present
     wait: true
     kubeconfig: "{{ capi_kubeconfig.path }}"

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml

@@ -5,20 +5,6 @@
     recurse: false
   register: helm_charts
 
-- name: Pull existing repository
-  ansible.builtin.git:
-    repo: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
-    dest: /opt/workloadcluster/git-repositories/gitops
-    version: main
-
-- name: Create folder structure within new git-repository
-  ansible.builtin.file:
-    path: "{{ item }}"
-    state: directory
-  loop:
-    - /opt/workloadcluster/git-repositories/gitops/charts
-    - /opt/workloadcluster/git-repositories/gitops/values
-
 - name: Create hard-links to populate new git-repository
   ansible.builtin.shell:
     cmd: >-
@@ -27,18 +13,6 @@
   loop_control:
     label: "{{ item.path | basename }}"
 
-- name: Write custom manifests to respective chart templates store
-  ansible.builtin.template:
-    src: "{{ src }}"
-    dest: /opt/workloadcluster/git-repositories/gitops/charts/{{ manifest.value.namespace }}/{{ manifest.key }}/templates/{{ (src | split('.'))[0] ~ '-' ~ _template.name ~ '.yaml' }}
-  vars:
-    manifest: "{{ item.0 }}"
-    src: "{{ item.1.src }}"
-    _template: "{{ item.1._template }}"
-  loop: "{{ query('ansible.builtin.subelements', query('ansible.builtin.dict', downstream_components), 'value.extra_manifests') }}"
-  loop_control:
-    label: "{{ (src | split('.'))[0] ~ '-' ~ _template.name }}"
-
 - name: Create subfolders
   ansible.builtin.file:
     path: /opt/workloadcluster/git-repositories/gitops/values/{{ item.key }}
@@ -55,19 +29,18 @@
   loop_control:
     label: "{{ item.key }}"
 
-- name: Push git repository
+- name: Initialize/Push git repository
-  lvrfrc87.git_acp.git_acp:
+  ansible.builtin.shell:
-    path: /opt/workloadcluster/git-repositories/gitops
+    cmd: |
-    branch: main
+      git init
-    comment: "Upload charts"
+      git config --global user.email "administrator@{{ vapp['metacluster.fqdn'] }}"
-    add:
+      git config --global user.name "administrator"
-      - .
+      git checkout -b main
-    url: https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
+      git add .
-  environment:
+      git commit -m "Upload charts"
-    GIT_AUTHOR_NAME: administrator
+      git remote add origin https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
-    GIT_AUTHOR_EMAIL: administrator@{{ vapp['metacluster.fqdn'] }}
+      git push https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git --all
-    GIT_COMMITTER_NAME: administrator
+    chdir: /opt/workloadcluster/git-repositories/gitops
-    GIT_COMMITTER_EMAIL: administrator@{{ vapp['metacluster.fqdn'] }}
 
 - name: Retrieve workload-cluster kubeconfig
   kubernetes.core.k8s_info:

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/hypervisor.yml

@@ -11,7 +11,7 @@
     - attribute: cluster
       moref: >-
         $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
-          jq -r '.[] | select(.name == "runtime").val.host | .type + ":" + .value')
+          jq -r '.[] | select(.Name == "runtime").Val.Host | .Type + ":" + .Value')
       part: (NF-1)
     - attribute: datacenter
       moref: VirtualMachine:{{ moref_id }}
@@ -19,27 +19,27 @@
     - attribute: datastore
       moref: >-
         $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
-          jq -r '.[] | select(.name == "datastore").val._value | .[].type + ":" + .[].value')
+          jq -r '.[] | select(.Name == "datastore").Val.ManagedObjectReference | .[].Type + ":" + .[].Value')
       part: NF
     - attribute: folder
       moref: >-
         $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
-          jq -r '.[] | select(.name == "parent").val | .type + ":" + .value')
+          jq -r '.[] | select(.Name == "parent").Val | .Type + ":" + .Value')
       part: 0
     # - attribute: host
     #   moref: >-
     #     $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
-    #       jq -r '.[] | select(.name == "runtime").val.host | .type + ":" + .value')
+    #       jq -r '.[] | select(.Name == "runtime").Val.Host | .Type + ":" + .Value')
     #   part: NF
     - attribute: network
       moref: >-
         $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
-          jq -r '.[] | select(.name == "network").val._value | .[].type + ":" + .[].value')
+          jq -r '.[] | select(.Name == "network").Val.ManagedObjectReference | .[].Type + ":" + .[].Value')
       part: NF
     - attribute: resourcepool
       moref: >-
         $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
-          jq -r '.[] | select(.name == "resourcePool").val | .type + ":" + .value')
+          jq -r '.[] | select(.Name == "resourcePool").Val | .Type + ":" + .Value')
       part: 0
   loop_control:
     label: "{{ item.attribute }}"

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/main.yml

@@ -6,7 +6,6 @@
 
     - import_tasks: clusterapi.yml
     - import_tasks: gitops.yml
-    - import_tasks: authentication.yml
 
   when:
     - vapp['deployment.type'] != 'core'

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/nodetemplates.yml

@@ -0,0 +1,73 @@
+- block:
+
+    - name: Check for existing template on hypervisor
+      community.vmware.vmware_guest_info:
+        name: "{{ (filename | basename | split('.'))[:-1] | join('.') }}"
+      register: existing_ova
+      ignore_errors: yes
+
+    - name: Store inventory path of existing template
+      ansible.builtin.set_fact:
+        nodetemplate_inventorypath: "{{ existing_ova.instance.hw_folder ~ '/' ~ existing_ova.instance.hw_name }}"
+      when: existing_ova is not failed
+
+    - block:
+
+        - name: Parse OVA file for network mappings
+          ansible.builtin.shell:
+            cmd: govc import.spec -json {{ filename }}
+          environment:
+            GOVC_INSECURE: '1'
+            GOVC_URL: "{{ vapp['hv.fqdn'] }}"
+            GOVC_USERNAME: "{{ vapp['hv.username'] }}"
+            GOVC_PASSWORD: "{{ vapp['hv.password'] }}"
+          register: ova_spec
+
+        - name: Deploy OVA template on hypervisor
+          community.vmware.vmware_deploy_ovf:
+            cluster: "{{ vcenter_info.cluster }}"
+            datastore: "{{ vcenter_info.datastore }}"
+            name: "{{ (filename | basename | split('.'))[:-1] | join('.') }}"
+            networks: "{u'{{ ova_spec.stdout | from_json | json_query('NetworkMapping[0].Name') }}':u'{{ vcenter_info.network }}'}"
+            allow_duplicates: no
+            power_on: false
+            ovf: "{{ filename }}"
+          register: ova_deploy
+
+        - name: Add additional placeholder disk
+          community.vmware.vmware_guest_disk:
+            name: "{{ ova_deploy.instance.hw_name }}"
+            disk:
+              - size: 1Mb
+                scsi_controller: 1
+                scsi_type: paravirtual
+                unit_number: 0
+
+        # Disabled to allow disks to be resized; at the cost of cloning speed
+        # - name: Create snapshot on deployed VM
+        #   community.vmware.vmware_guest_snapshot:
+        #     name: "{{ ova_deploy.instance.hw_name }}"
+        #     state: present
+        #     snapshot_name: "{{ ansible_date_time.iso8601_basic_short }}-base"
+
+        - name: Mark deployed VM as templates
+          community.vmware.vmware_guest:
+            name: "{{ ova_deploy.instance.hw_name }}"
+            is_template: yes
+
+        - name: Store inventory path of deployed template
+          ansible.builtin.set_fact:
+            nodetemplate_inventorypath: "{{ ova_deploy.instance.hw_folder ~ '/' ~ ova_deploy.instance.hw_name }}"
+
+      when: existing_ova is failed
+
+  vars:
+    filename: "{{ query('ansible.builtin.fileglob', '/opt/workloadcluster/node-templates/*.ova') | first }}"
+  module_defaults:
+    group/vmware:
+      hostname: "{{ vapp['hv.fqdn'] }}"
+      validate_certs: no
+      username: "{{ vapp['hv.username'] }}"
+      password: "{{ vapp['hv.password'] }}"
+      datacenter: "{{ vcenter_info.datacenter }}"
+      folder: "{{ vcenter_info.folder }}"

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/federationdomain.j2

@@ -1,7 +0,0 @@
-apiVersion: config.supervisor.pinniped.dev/v1alpha1
-kind: FederationDomain
-metadata:
-  name: {{ _template.name }}
-  namespace: {{ _template.namespace }}
-spec:
-{{ _template.spec }}

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/ingressroute.j2

@@ -4,4 +4,4 @@ metadata:
   name: {{ _template.name }}
   namespace: {{ _template.namespace }}
 spec:
-{{ _template.spec }}
+{{ _template.config }}

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/ingressroutetcp.j2

@@ -4,4 +4,4 @@ metadata:
   name: {{ _template.name }}
   namespace: {{ _template.namespace }}
 spec:
-{{ _template.spec }}
+{{ _template.config }}

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/ippool.j2

@@ -1,10 +1,10 @@
-apiVersion: ipam.cluster.x-k8s.io/v1alpha2
+apiVersion: ipam.cluster.x-k8s.io/v1alpha1
 kind: InClusterIPPool
 metadata:
   name: inclusterippool-{{ _template.cluster.name }}
   namespace: {{ _template.cluster.namespace }}
 spec:
-  addresses:
+  start: {{ _template.cluster.network.startip }}
-  - {{ _template.cluster.network.startip }}-{{ _template.cluster.network.endip }}
+  end: {{ _template.cluster.network.endip }}
   prefix: {{ _template.cluster.network.prefix }}
   gateway: {{ _template.cluster.network.gateway }}

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/jwtauthenticator.j2

@@ -1,6 +0,0 @@
-apiVersion: authentication.concierge.pinniped.dev/v1alpha1
-kind: JWTAuthenticator
-metadata:
-  name: {{ _template.name }}
-spec:
-{{ _template.spec }}

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/kustomization.cluster-template.j2

@@ -3,8 +3,36 @@ kind: Kustomization
 resources:
 - cluster-template.yaml
 
-patches:
+patchesStrategicMerge:
-- patch: |-
+  - |-
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: csi-vsphere-config
+      namespace: '${NAMESPACE}'
+    stringData:
+      data: |
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: csi-vsphere-config
+          namespace: kube-system
+        stringData:
+          csi-vsphere.conf: |+
+            [Global]
+            insecure-flag = true
+            thumbprint = "${VSPHERE_TLS_THUMBPRINT}"
+            cluster-id = "${NAMESPACE}/${CLUSTER_NAME}"
+
+            [VirtualCenter "${VSPHERE_SERVER}"]
+            user = "${VSPHERE_USERNAME}"
+            password = "${VSPHERE_PASSWORD}"
+            datacenters = "${VSPHERE_DATACENTER}"
+
+            [Network]
+            public-network = "${VSPHERE_NETWORK}"
+        type: Opaque
+  - |-
     apiVersion: controlplane.cluster.x-k8s.io/v1beta1
     kind: KubeadmControlPlane
     metadata:
@@ -14,7 +42,12 @@ patches:
       kubeadmConfigSpec:
         clusterConfiguration:
           imageRepository: registry.{{ _template.network.fqdn }}/kubeadm
-- patch: |-
+        ntp:
+          enabled: true
+          servers:
+            - 0.nl.pool.ntp.org
+            - 1.nl.pool.ntp.org
+  - |-
     apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
     kind: KubeadmConfigTemplate
     metadata:
@@ -25,7 +58,12 @@ patches:
         spec:
           clusterConfiguration:
             imageRepository: registry.{{ _template.network.fqdn }}/kubeadm
-- patch: |-
+          ntp:
+            enabled: true
+            servers:
+              - 0.nl.pool.ntp.org
+              - 1.nl.pool.ntp.org
+  - |-
     apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
     kind: KubeadmConfigTemplate
     metadata:
@@ -58,7 +96,7 @@ patches:
               {{ _template.rootca | indent(width=14, first=False) | trim }}
             owner: root:root
             path: /usr/local/share/ca-certificates/root_ca.crt
-- patch: |-
+  - |-
     apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
     kind: VSphereMachineTemplate
     metadata:
@@ -67,7 +105,6 @@ patches:
     spec:
       template:
         spec:
-          diskGiB: 60
           network:
             devices:
             - dhcp4: false
@@ -78,7 +115,7 @@ patches:
               nameservers:
               - {{ _template.network.dnsserver }}
               networkName: '${VSPHERE_NETWORK}'
-- patch: |-
+  - |-
     apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
     kind: VSphereMachineTemplate
     metadata:
@@ -87,7 +124,6 @@ patches:
     spec:
       template:
         spec:
-          diskGiB: 60
           network:
             devices:
             - dhcp4: false
@@ -99,26 +135,8 @@ patches:
               - {{ _template.network.dnsserver }}
               networkName: '${VSPHERE_NETWORK}'
 
-- target:
+patchesJson6902:
-    group: addons.cluster.x-k8s.io
+  - target:
-    version: v1beta1
-    kind: ClusterResourceSet
-    name: \${CLUSTER_NAME}-crs-0
-  patch: |-
-    - op: replace
-      path: /spec/resources
-      value:
-        - kind: Secret
-          name: cloud-controller-manager
-        - kind: Secret
-          name: cloud-provider-vsphere-credentials
-        - kind: ConfigMap
-          name: cpi-manifests
-    - op: add
-      path: /spec/strategy
-      value: Reconcile
-
-- target:
       group: controlplane.cluster.x-k8s.io
       version: v1beta1
       kind: KubeadmControlPlane
@@ -156,10 +174,10 @@ patches:
         path: /spec/kubeadmConfigSpec/files/-
         value:
           content: |
-          {{ _template.rootca | indent(width=10, first=False) | trim }}
+            {{ _template.rootca | indent(width=12, first=False) | trim }}
           owner: root:root
           path: /usr/local/share/ca-certificates/root_ca.crt
-- target:
+  - target:
       group: bootstrap.cluster.x-k8s.io
       version: v1beta1
       kind: KubeadmConfigTemplate
@@ -170,7 +188,7 @@ patches:
         path: /spec/template/spec/preKubeadmCommands/-
         value: {{ cmd }}
 {% endfor %}
-- target:
+  - target:
       group: controlplane.cluster.x-k8s.io
       version: v1beta1
       kind: KubeadmControlPlane
@@ -182,7 +200,7 @@ patches:
         value: {{ cmd }}
 {% endfor %}
 
-- target:
+  - target:
       group: infrastructure.cluster.x-k8s.io
       version: v1beta1
       kind: VSphereMachineTemplate
@@ -191,9 +209,7 @@ patches:
       - op: replace
         path: /metadata/name
         value: ${CLUSTER_NAME}-master
-    - op: remove
+  - target:
-      path: /spec/template/spec/thumbprint
-- target:
       group: controlplane.cluster.x-k8s.io
       version: v1beta1
       kind: KubeadmControlPlane
@@ -205,22 +221,17 @@ patches:
       - op: replace
         path: /spec/machineTemplate/infrastructureRef/name
         value: ${CLUSTER_NAME}-master
-- target:
+  - target:
       group: cluster.x-k8s.io
       version: v1beta1
       kind: Cluster
       name: \${CLUSTER_NAME}
     patch: |-
-    - op: replace
-      path: /spec/clusterNetwork/pods
-      value:
-        cidrBlocks:
-          - 172.30.0.0/16
       - op: replace
         path: /spec/controlPlaneRef/name
         value: ${CLUSTER_NAME}-master
 
-- target:
+  - target:
       group: infrastructure.cluster.x-k8s.io
       version: v1beta1
       kind: VSphereMachineTemplate
@@ -232,9 +243,7 @@ patches:
       - op: replace
         path: /spec/template/spec/memoryMiB
         value: {{ _template.nodesize.memory }}
-    - op: remove
+  - target:
-      path: /spec/template/spec/thumbprint
-- target:
       group: cluster.x-k8s.io
       version: v1beta1
       kind: MachineDeployment
@@ -246,7 +255,7 @@ patches:
       - op: replace
         path: /spec/template/spec/bootstrap/configRef/name
         value: ${CLUSTER_NAME}-worker
-- target:
+  - target:
       group: bootstrap.cluster.x-k8s.io
       version: v1beta1
       kind: KubeadmConfigTemplate
@@ -255,12 +264,3 @@ patches:
       - op: replace
         path: /metadata/name
         value: ${CLUSTER_NAME}-worker
-
-- target:
-    group: infrastructure.cluster.x-k8s.io
-    version: v1beta1
-    kind: VSphereCluster
-    name: .*
-  patch: |-
-    - op: remove
-      path: /spec/thumbprint

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/kustomization.longhorn-storage.j2

@@ -1,83 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- downstream-cluster/kubeadmconfigtemplate-{{ _template.cluster.name }}-worker.yaml
-- downstream-cluster/machinedeployment-{{ _template.cluster.name }}-worker.yaml
-- downstream-cluster/vspheremachinetemplate-{{ _template.cluster.name }}-worker.yaml
-
-patches:
-- patch: |-
-    apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
-    kind: KubeadmConfigTemplate
-    metadata:
-      name: {{ _template.cluster.name }}-worker
-      namespace: default
-    spec:
-      template:
-        spec:
-          diskSetup:
-            filesystems:
-            - device: /dev/sdb1
-              filesystem: ext4
-              label: blockstorage
-            partitions:
-            - device: /dev/sdb
-              layout: true
-              tableType: gpt
-          joinConfiguration:
-            nodeRegistration:
-              kubeletExtraArgs:
-                node-labels: "node.longhorn.io/create-default-disk=true"
-          mounts:
-          - - LABEL=blockstorage
-            - /mnt/blockstorage
-- patch: |-
-    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
-    kind: VSphereMachineTemplate
-    metadata:
-      name: {{ _template.cluster.name }}-worker
-      namespace: default
-    spec:
-      template:
-        spec:
-          additionalDisksGiB:
-          - {{ _template.nodepool.additionaldisk }}
-
-- target:
-    group: bootstrap.cluster.x-k8s.io
-    version: v1beta1
-    kind: KubeadmConfigTemplate
-    name: {{ _template.cluster.name }}-worker
-  patch: |-
-    - op: replace
-      path: /metadata/name
-      value: {{ _template.cluster.name }}-worker-storage
-
-- target:
-    group: cluster.x-k8s.io
-    version: v1beta1
-    kind: MachineDeployment
-    name: {{ _template.cluster.name }}-worker
-  patch: |-
-    - op: replace
-      path: /metadata/name
-      value: {{ _template.cluster.name }}-worker-storage
-    - op: replace
-      path: /spec/template/spec/bootstrap/configRef/name
-      value: {{ _template.cluster.name }}-worker-storage
-    - op: replace
-      path: /spec/template/spec/infrastructureRef/name
-      value: {{ _template.cluster.name }}-worker-storage
-    - op: replace
-      path: /spec/replicas
-      value: {{ _template.nodepool.size }}
-
-- target:
-    group: infrastructure.cluster.x-k8s.io
-    version: v1beta1
-    kind: VSphereMachineTemplate
-    name: {{ _template.cluster.name }}-worker
-  patch: |-
-    - op: replace
-      path: /metadata/name
-      value: {{ _template.cluster.name }}-worker-storage

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/kustomization.nodepool.j2

@@ -0,0 +1,84 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- manifests/kubeadmconfigtemplate-{{ _template.cluster.name }}-worker.yaml
+- manifests/machinedeployment-{{ _template.cluster.name }}-worker.yaml
+- manifests/vspheremachinetemplate-{{ _template.cluster.name }}-worker.yaml
+
+patchesStrategicMerge:
+  - |-
+    apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
+    kind: KubeadmConfigTemplate
+    metadata:
+      name: {{ _template.cluster.name }}-worker
+      namespace: default
+    spec:
+      template:
+        spec:
+          diskSetup:
+            filesystems:
+            - device: /dev/sdb1
+              filesystem: ext4
+              label: blockstorage
+            partitions:
+            - device: /dev/sdb
+              layout: true
+              tableType: gpt
+          joinConfiguration:
+            nodeRegistration:
+              kubeletExtraArgs:
+                node-labels: "node.longhorn.io/create-default-disk=true"
+          mounts:
+          - - LABEL=blockstorage
+            - /mnt/blockstorage
+  - |-
+    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+    kind: VSphereMachineTemplate
+    metadata:
+      name: {{ _template.cluster.name }}-worker
+      namespace: default
+    spec:
+      template:
+        spec:
+          additionalDisksGiB:
+          - {{ _template.nodepool.additionaldisk }}
+
+patchesJson6902:
+  - target:
+      group: bootstrap.cluster.x-k8s.io
+      version: v1beta1
+      kind: KubeadmConfigTemplate
+      name: {{ _template.cluster.name }}-worker
+    patch: |-
+      - op: replace
+        path: /metadata/name
+        value: {{ _template.cluster.name }}-worker-storage
+
+  - target:
+      group: cluster.x-k8s.io
+      version: v1beta1
+      kind: MachineDeployment
+      name: {{ _template.cluster.name }}-worker
+    patch: |-
+      - op: replace
+        path: /metadata/name
+        value: {{ _template.cluster.name }}-worker-storage
+      - op: replace
+        path: /spec/template/spec/bootstrap/configRef/name
+        value: {{ _template.cluster.name }}-worker-storage
+      - op: replace
+        path: /spec/template/spec/infrastructureRef/name
+        value: {{ _template.cluster.name }}-worker-storage
+      - op: replace
+        path: /spec/replicas
+        value: {{ _template.nodepool.size }}
+
+  - target:
+      group: infrastructure.cluster.x-k8s.io
+      version: v1beta1
+      kind: VSphereMachineTemplate
+      name: {{ _template.cluster.name }}-worker
+    patch: |-
+      - op: replace
+        path: /metadata/name
+        value: {{ _template.cluster.name }}-worker-storage

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/oidcidentityprovider.j2

@@ -1,7 +0,0 @@
-apiVersion: idp.supervisor.pinniped.dev/v1alpha1
-kind: OIDCIdentityProvider
-metadata:
-  name: {{ _template.name }}
-  namespace: {{ _template.namespace }}
-spec:
-{{ _template.spec }}

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/secret.j2

@@ -3,7 +3,6 @@ kind: Secret
 metadata:
   name: {{ _template.name }}
   namespace: {{ _template.namespace }}
-type: {{ _template.type }}
 data:
 {% for kv_pair in _template.data %}
   "{{ kv_pair.key }}": {{ kv_pair.value }}

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/serverstransport.j2

@@ -1,7 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: ServersTransport
-metadata:
-  name: {{ _template.name }}
-  namespace: {{ _template.namespace }}
-spec:
-{{ _template.spec }}

ansible/roles/firstboot/files/ansible_payload/common/roles/cleanup/tasks/main.yml

@@ -1,6 +1,12 @@
 - import_tasks: service.yml
 - import_tasks: cron.yml
 
+- name: Cleanup tempfile
+  ansible.builtin.file:
+    path: "{{ kubeconfig.path }}"
+    state: absent
+  when: kubeconfig.path is defined
+
 # - name: Reboot host
 #   ansible.builtin.shell:
 #     cmd: systemctl reboot

ansible/roles/firstboot/files/ansible_payload/common/roles/workloadcluster/tasks/nodetemplates.yml

@@ -1,33 +0,0 @@
-- block:
-
-  - name: Check for existing template
-    community.vmware.vmware_guest_info:
-      name: "{{ vapp['workloadcluster.nodetemplate'] }}"
-      hostname: "{{ vapp['hv.fqdn'] }}"
-      validate_certs: false
-      username: "{{ vapp['hv.username'] }}"
-      password: "{{ vapp['hv.password'] }}"
-      datacenter: "{{ vcenter_info.datacenter }}"
-      folder: "{{ vcenter_info.folder }}"
-    register: nodetemplate
-    until:
-      - nodetemplate is not failed
-    retries: 600
-    delay: 30
-    #wait for 5 hr.
-    vars:
-      color_reset: "\e[0m"
-      ansible_callback_diy_runner_retry_msg: >-
-        {%- set result = ansible_callback_diy.result.output -%}
-        {%- set retries_left = result.retries - result.attempts -%}
-        TEMPLATE '{{ vapp['workloadcluster.nodetemplate'] }}' NOT FOUND; PLEASE UPLOAD MANUALLY -- ({{ retries_left }} retries left)
-      ansible_callback_diy_runner_retry_msg_color: bright yellow
-
-  - name: Store inventory path of existing template
-    ansible.builtin.set_fact:
-      nodetemplate_inventorypath: "{{ nodetemplate.instance.hw_folder ~ '/' ~ nodetemplate.instance.hw_name }}"
-
-  rescue:
-  - name: CRITICAL ERROR
-    ansible.builtin.fail:
-      msg: Required node-template is not available; cannot continue

ansible/roles/firstboot/files/ansible_payload/upgrade/roles/workloadcluster/tasks/hypervisor.yml

@@ -0,0 +1,57 @@
+- name: Gather hypervisor details
+  ansible.builtin.shell:
+    cmd: govc ls -L {{ item.moref }} | awk -F/ '{print ${{ item.part }}}'
+  environment:
+    GOVC_INSECURE: '1'
+    GOVC_URL: "{{ vapp['hv.fqdn'] }}"
+    GOVC_USERNAME: "{{ vapp['hv.username'] }}"
+    GOVC_PASSWORD: "{{ vapp['hv.password'] }}"
+  register: govc_inventory
+  loop:
+    - attribute: cluster
+      moref: >-
+        $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
+          jq -r '.[] | select(.Name == "runtime").Val.Host | .Type + ":" + .Value')
+      part: (NF-1)
+    - attribute: datacenter
+      moref: VirtualMachine:{{ moref_id }}
+      part: 2
+    - attribute: datastore
+      moref: >-
+        $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
+          jq -r '.[] | select(.Name == "datastore").Val.ManagedObjectReference | .[].Type + ":" + .[].Value')
+      part: NF
+    - attribute: folder
+      moref: >-
+        $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
+          jq -r '.[] | select(.Name == "parent").Val | .Type + ":" + .Value')
+      part: 0
+    # - attribute: host
+    #   moref: >-
+    #     $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
+    #       jq -r '.[] | select(.Name == "runtime").Val.Host | .Type + ":" + .Value')
+    #   part: NF
+    - attribute: network
+      moref: >-
+        $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
+          jq -r '.[] | select(.Name == "network").Val.ManagedObjectReference | .[].Type + ":" + .[].Value')
+      part: NF
+    - attribute: resourcepool
+      moref: >-
+        $(govc object.collect -json VirtualMachine:{{ moref_id }} | \
+          jq -r '.[] | select(.Name == "resourcePool").Val | .Type + ":" + .Value')
+      part: 0
+  loop_control:
+    label: "{{ item.attribute }}"
+
+- name: Retrieve hypervisor TLS thumbprint
+  ansible.builtin.shell:
+    cmd: openssl s_client -connect {{ vapp['hv.fqdn'] }}:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin | awk -F'=' '{print $2}'
+  register: tls_thumbprint
+
+- name: Store hypervisor details in dictionary
+  ansible.builtin.set_fact:
+    vcenter_info: "{{ vcenter_info | default({}) | combine({ item.item.attribute : item.stdout }) }}"
+  loop: "{{ govc_inventory.results }}"
+  loop_control:
+    label: "{{ item.item.attribute }}"

ansible/roles/firstboot/files/ansible_payload/upgrade/roles/workloadcluster/tasks/nodetemplates.yml

@@ -0,0 +1,73 @@
+- block:
+
+    - name: Check for existing template on hypervisor
+      community.vmware.vmware_guest_info:
+        name: "{{ (filename | basename | split('.'))[:-1] | join('.') }}"
+      register: existing_ova
+      ignore_errors: yes
+
+    - name: Store inventory path of existing template
+      ansible.builtin.set_fact:
+        nodetemplate_inventorypath: "{{ existing_ova.instance.hw_folder ~ '/' ~ existing_ova.instance.hw_name }}"
+      when: existing_ova is not failed
+
+    - block:
+
+        - name: Parse OVA file for network mappings
+          ansible.builtin.shell:
+            cmd: govc import.spec -json {{ filename }}
+          environment:
+            GOVC_INSECURE: '1'
+            GOVC_URL: "{{ vapp['hv.fqdn'] }}"
+            GOVC_USERNAME: "{{ vapp['hv.username'] }}"
+            GOVC_PASSWORD: "{{ vapp['hv.password'] }}"
+          register: ova_spec
+
+        - name: Deploy OVA template on hypervisor
+          community.vmware.vmware_deploy_ovf:
+            cluster: "{{ vcenter_info.cluster }}"
+            datastore: "{{ vcenter_info.datastore }}"
+            name: "{{ (filename | basename | split('.'))[:-1] | join('.') }}"
+            networks: "{u'{{ ova_spec.stdout | from_json | json_query('NetworkMapping[0].Name') }}':u'{{ vcenter_info.network }}'}"
+            allow_duplicates: no
+            power_on: false
+            ovf: "{{ filename }}"
+          register: ova_deploy
+
+        - name: Add additional placeholder disk
+          community.vmware.vmware_guest_disk:
+            name: "{{ ova_deploy.instance.hw_name }}"
+            disk:
+              - size: 1Gb
+                scsi_controller: 1
+                scsi_type: paravirtual
+                unit_number: 0
+
+        # Disabled to allow disks to be resized; at the cost of cloning speed
+        # - name: Create snapshot on deployed VM
+        #   community.vmware.vmware_guest_snapshot:
+        #     name: "{{ ova_deploy.instance.hw_name }}"
+        #     state: present
+        #     snapshot_name: "{{ ansible_date_time.iso8601_basic_short }}-base"
+
+        - name: Mark deployed VM as templates
+          community.vmware.vmware_guest:
+            name: "{{ ova_deploy.instance.hw_name }}"
+            is_template: yes
+
+        - name: Store inventory path of deployed template
+          ansible.builtin.set_fact:
+            nodetemplate_inventorypath: "{{ ova_deploy.instance.hw_folder ~ '/' ~ ova_deploy.instance.hw_name }}"
+
+      when: existing_ova is failed
+
+  vars:
+    filename: "{{ query('ansible.builtin.fileglob', '/opt/metacluster/node-templates/*.ova') | first }}"
+  module_defaults:
+    group/vmware:
+      hostname: "{{ vapp['hv.fqdn'] }}"
+      validate_certs: no
+      username: "{{ vapp['hv.username'] }}"
+      password: "{{ vapp['hv.password'] }}"
+      datacenter: "{{ vcenter_info.datacenter }}"
+      folder: "{{ vcenter_info.folder }}"

ansible/roles/os/tasks/packages.yml

@@ -37,30 +37,9 @@
     state: directory
 
 - name: Configure Ansible defaults
-  ansible.builtin.copy:
+  ansible.builtin.template:
+    src: ansible.j2
     dest: /etc/ansible/ansible.cfg
-    content: |
-      [defaults]
-      callbacks_enabled = ansible.posix.profile_tasks
-      force_color = true
-      stdout_callback = community.general.diy
-
-      [callback_diy]
-
-      [callback_profile_tasks]
-      task_output_limit = 0
-
-- name: Create default shell aliases
-  ansible.builtin.lineinfile:
-    path: ~/.bashrc
-    state: present
-    line: "{{ item }}"
-    insertafter: EOF
-  loop:
-    - alias k="kubectl"
-    - alias less="less -rf"
-  loop_control:
-    label: "{{ (item | regex_findall('([^ =\"]+)'))[2] }}"
 
 - name: Cleanup
   ansible.builtin.apt:

ansible/roles/os/templates/ansible.j2

@@ -0,0 +1,2 @@
+[defaults]
+callbacks_enabled = ansible.posix.profile_tasks

ansible/vars/metacluster.yml

@@ -1,8 +1,7 @@
 platform:
 
   k3s:
-    version: v1.30.0+k3s1
+    version: v1.26.5+k3s1
-    # version: v1.27.1+k3s1
 
   packaged_components:
     - name: traefik
@@ -23,8 +22,7 @@ platform:
                 port: 8022
                 protocol: TCP
               web:
-                redirectTo:
+                redirectTo: websecure
-                  port: websecure
               websecure:
                 tls:
                   certResolver: stepca
@@ -35,10 +33,12 @@ platform:
   helm_repositories:
     - name: argo
       url: https://argoproj.github.io/argo-helm
-    - name: bitnami
+    - name: authentik
-      url: https://charts.bitnami.com/bitnami
+      url: https://charts.goauthentik.io
-    - name: dexidp
+    # - name: codecentric
-      url: https://charts.dexidp.io
+    #   url: https://codecentric.github.io/helm-charts
+    # - name: dex
+    #   url: https://charts.dexidp.io
     - name: gitea-charts
       url: https://dl.gitea.io/charts/
     - name: harbor
@@ -51,168 +51,151 @@ platform:
       url: https://prometheus-community.github.io/helm-charts
     - name: smallstep
       url: https://smallstep.github.io/helm-charts/
-    - name: spamasaurus
-      url: https://code.spamasaurus.com/api/packages/djpbessems/helm
 
 components:
 
   argo-cd:
     helm:
-      # Must match the version referenced at `dependencies.static_binaries[.filename==argo].url`
+      version: 5.34.6  # (= ArgoCD v2.7.3)
-      version: 6.7.7  # (=Argo CD v2.10.5)
       chart: argo/argo-cd
       parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
       chart_values: !unsafe |
         configs:
-          cm:
-            resource.compareoptions: |
-              ignoreAggregatedRoles: true
-            resource.customizations.ignoreDifferences.all: |
-              jsonPointers:
-              - /spec/conversion/webhook/clientConfig/caBundle
-          params:
-            server.insecure: true
           secret:
             argocdServerAdminPassword: "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}"
-        global:
-          domain: gitops.{{ vapp['metacluster.fqdn'] | lower }}
         server:
-          ingress:
+          extraArgs:
-            enabled: true
+            - --insecure
-
-  argo-workflows:
-    helm:
-      version: 0.41.8  # (=Argo Workflows v3.5.7)
-      chart: argo/argo-workflows
-      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
-      chart_values: !unsafe |
-        # workflow:
-        #   serviceAccount:
-        #     create: true
-        #     name: "argo-workflows"
-        #   rbac:
-        #     create: true
-        controller:
-          workflowNamespaces:
-            - default
-            - firstboot
-        server:
-          authModes:
-            - server
           ingress:
             enabled: true
             hosts:
-              - workflow.{{ vapp['metacluster.fqdn']}}
+              - gitops.{{ vapp['metacluster.fqdn'] }}
+
+  authentik:
+    helm:
+      version: 2023.3.1
+      chart: authentik/authentik
+      parse_logic: helm template . --set postgresql.enabled=true,redis.enabled=true | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+      chart_values: !unsafe |
+        authentik:
+          avatars: none
+          secret_key: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
+          postgresql:
+            password: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
+        env:
+          AUTHENTIK_BOOTSTRAP_PASSWORD: "{{ vapp['metacluster.password'] }}"
+        ingress:
+          enabled: true
+          hosts:
+            - host: auth.{{ vapp['metacluster.fqdn'] }}
               paths:
-              - /
+                - path: "/"
                   pathType: Prefix
+        postgresql:
+          enabled: true
+          postgresqlPassword: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
+        redis:
+          enabled: true
 
   cert-manager:
     helm:
-      version: 1.14.4
+      version: 1.12.1
       chart: jetstack/cert-manager
       parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
-      chart_values: !unsafe |
+      # chart_values: !unsafe |
-        installCRDs: true
+      #   installCRDs: true
 
   clusterapi:
     management:
       version:
         # Must match the version referenced at `dependencies.static_binaries[.filename==clusterctl].url`
-        base: v1.6.3
+        base: v1.4.1
         # Must match the version referenced at `components.cert-manager.helm.version`
-        cert_manager: v1.14.4
+        cert_manager: v1.11.1
-        infrastructure_vsphere: v1.9.2
+        infrastructure_vsphere: v1.6.1
-        ipam_incluster: v0.1.0
+        ipam_incluster: v0.1.0-alpha.2
         # Refer to `https://console.cloud.google.com/gcr/images/cloud-provider-vsphere/GLOBAL/cpi/release/manager` for available tags
-        cpi_vsphere: v1.30.1
+        cpi_vsphere: v1.26.2
     workload:
       version:
-        calico: v3.27.3
+        calico: v3.26.0
-        k8s: v1.30.1
+        k8s: v1.26.5
       node_template:
-      # Not used anymore; should be uploaded to hypervisor manually!
+        url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2204-kube-v1.26.5.ova
-      # https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/releases/download/templates%2Fv1.30.0/
 
-  dex:
+  # dex:
-    helm:
+  #   helm:
-      version: 0.15.3  # (= Dex 2.37.0)
+  #     version: 0.13.0 # (= Dex 2.35.3)
-      chart: dexidp/dex
+  #     chart: dex/dex
-      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+  #     parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
-      chart_values: !unsafe |
+  #     chart_values: !unsafe |
-        config:
+  #       config:
-          issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
+  #         connectors:
-          storage:
+  #           - type: ldap
-            type: kubernetes
+  #             id: ldap
-            config:
+  #             name: "LDAP"
-              inCluster: true
+  #             config:
-          staticClients:
+  #               host: "{{ vapp['ldap.fqdn'] }}:636"
-          - id: pinniped-supervisor
+  #               insecureNoSSL: false
-            secret: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) }}"
+  #               insecureSkipVerify: true
-            name: Pinniped Supervisor client
+  #               bindDN: "{{ vapp['ldap.dn'] }}"
-            redirectURIs:
+  #               bindPW: "{{ vapp['ldap.password'] }}"
-            - https://auth.{{ vapp['metacluster.fqdn'] }}/sso/callback
+
-          enablePasswordDB: true
+  #               usernamePrompt: "Username"
-          staticPasswords:
+  #               userSearch:
-          - email: user@{{ vapp['metacluster.fqdn'] }}
+  #                 baseDN: OU=Administrators,OU=Useraccounts,DC=bessems,DC=eu
-            hash: "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}"
+  #                 filter: "(objectClass=person)"
-            username: user
+  #                 username: userPrincipalName
-            userID: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) | to_uuid }}"
+  #                 idAttr: DN
-        ingress:
+  #                 emailAttr: userPrincipalName
-          enabled: true
+  #                 nameAttr: cn
-          hosts:
+
-            - host: idps.{{ vapp['metacluster.fqdn'] }}
+  #               groupSearch:
-              paths:
+  #                 baseDN: OU=Roles,OU=Groups,DC=bessems,DC=eu
-                - path: /
+  #                 filter: "(objectClass=group)"
-                  pathType: Prefix
+  #                 userMatchers:
+  #                 - userAttr: DN
+  #                   groupAttr: member
+  #                 nameAttr: cn
+  #         enablePasswordDB: true
+  #         issuer: https://oidc.{{ vapp['metacluster.fqdn'] }}
+  #         storage:
+  #           type: kubernetes
+  #           config:
+  #             inCluster: true
+  #       ingress:
+  #         enabled: true
+  #         hosts:
+  #           - host: oidc.{{ vapp['metacluster.fqdn'] }}
+  #             paths:
+  #               - path: /
+  #                 pathType: Prefix
 
   gitea:
     helm:
-      version: v10.1.3  # (= Gitea v1.21.7)
+      version: v8.3.0 # (= Gitea v1.19.3)
       chart: gitea-charts/gitea
       parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | sed '/:/!s/$/:latest/'
       chart_values: !unsafe |
-        extraVolumes:
-          - secret:
-              defaultMode: 420
-              secretName: step-certificates-certs
-            name: step-certificates-certs
-        extraVolumeMounts:
-          - mountPath: /etc/ssl/certs/ca-chain.crt
-            name: step-certificates-certs
-            readOnly: true
-            subPath: ca_chain.crt
         gitea:
           admin:
             username: administrator
             password: "{{ vapp['metacluster.password'] }}"
-            email: administrator@{{ vapp['metacluster.fqdn'] | lower }}
+            email: admin@{{ vapp['metacluster.fqdn'] }}
           config:
-            cache:
-              ADAPTER: memory
             server:
               OFFLINE_MODE: true
               PROTOCOL: http
-              ROOT_URL: https://git.{{ vapp['metacluster.fqdn'] | lower }}/
+              ROOT_URL: https://git.{{ vapp['metacluster.fqdn'] }}/
-            session:
-              PROVIDER: db
         image:
           pullPolicy: IfNotPresent
         ingress:
           enabled: true
           hosts:
-            - host: git.{{ vapp['metacluster.fqdn'] | lower }}
+            - host: git.{{ vapp['metacluster.fqdn'] }}
               paths:
                 - path: /
                   pathType: Prefix
-        postgresql:
-          enabled: true
-          image:
-            tag: 16.1.0-debian-11-r25
-        postgresql-ha:
-          enabled: false
-        redis-cluster:
-          enabled: false
         service:
           ssh:
             type: ClusterIP
@@ -221,7 +204,7 @@ components:
 
   harbor:
     helm:
-      version: 1.14.1  # (= Harbor v2.10.1)
+      version: 1.12.1  # (= Harbor v2.8.1)
       chart: harbor/harbor
       parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
       chart_values: !unsafe |
@@ -229,11 +212,11 @@ components:
           ingress:
             annotations: {}
             hosts:
-              core: registry.{{ vapp['metacluster.fqdn'] | lower }}
+              core: registry.{{ vapp['metacluster.fqdn'] }}
           tls:
             certSource: none
             enabled: false
-        externalURL: https://registry.{{ vapp['metacluster.fqdn'] | lower }}
+        externalURL: https://registry.{{ vapp['metacluster.fqdn'] }}
         harborAdminPassword: "{{ vapp['metacluster.password'] }}"
         notary:
           enabled: false
@@ -242,32 +225,41 @@ components:
             registry:
               size: 25Gi
 
-  json-server:
+  # keycloakx:
-    helm:
+  #   helm:
-      version: v0.8.4
+  #     version: 2.1.1  # (= Keycloak 20.0.3)
-      chart: spamasaurus/json-server
+  #     chart: codecentric/keycloakx
-      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+  #     parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
-      chart_values: !unsafe |
+  #     chart_values: !unsafe |
-        ingress:
+  #       command:
-          enabled: true
+  #         - "/opt/keycloak/bin/kc.sh"
-          hosts:
+  #         - "start"
-            - host: version.{{ vapp['metacluster.fqdn'] }}
+  #         - "--http-enabled=true"
-              paths:
+  #         - "--http-port=8080"
-                - path: /
+  #         - "--hostname-strict=false"
-                  pathType: Prefix
+  #         - "--hostname-strict-https=false"
-        jsonServer:
+  #       extraEnv: |
-          image:
+  #         - name: KEYCLOAK_ADMIN
-            repository: code.spamasaurus.com/djpbessems/json-server
+  #           value: admin
-          seedData:
+  #         - name: KEYCLOAK_ADMIN_PASSWORD
-            configInline: {}
+  #           value: {{ vapp['metacluster.password'] }}
-        sidecar:
+  #         - name: KC_PROXY
-          targetUrl: version.{{ vapp['metacluster.fqdn'] }}
+  #           value: "passthrough"
-          image:
+  #         - name: JAVA_OPTS_APPEND
-            repository: code.spamasaurus.com/djpbessems/json-server
+  #           value: >-
+  #             -Djgroups.dns.query={% raw %}{{ include "keycloak.fullname" . }}{% endraw %}-headless
+  #       ingress:
+  #         enabled: true
+  #         rules:
+  #           - host: keycloak.{{ vapp['metacluster.fqdn'] }}
+  #             paths:
+  #               - path: /
+  #                 pathType: Prefix
+  #         tls: []
 
   kube-prometheus-stack:
     helm:
-      version: 45.2.0
+      version: 46.5.0  # (= Prometheus version v0.65.1)
       chart: prometheus-community/kube-prometheus-stack
       parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
       chart_values: !unsafe |
@@ -278,62 +270,42 @@ components:
 
   kubevip:
     # Must match the version referenced at `dependencies.container_images`
-    version: v0.6.3
+    version: v0.6.0
 
   longhorn:
     helm:
-      version: 1.5.4
+      version: 1.4.2
       chart: longhorn/longhorn
       parse_logic: cat values.yaml | yq eval '.. | select(has("repository")) | .repository + ":" + .tag'
       chart_values: !unsafe |
         defaultSettings:
-          concurrentReplicaRebuildPerNodeLimit: 10
+          allowNodeDrainWithLastHealthyReplica: true
           defaultDataPath: /mnt/blockstorage
-          logLevel: Info
+          defaultReplicaCount: 1
-          nodeDrainPolicy: block-for-eviction-if-contains-last-replica
-          replicaSoftAntiAffinity: true
-          priorityClass: system-node-critical
-          storageOverProvisioningPercentage: 200
-          storageReservedPercentageForDefaultDisk: 0
         ingress:
           enabled: true
-          host: storage.{{ vapp['metacluster.fqdn'] | lower }}
+          host: storage.{{ vapp['metacluster.fqdn'] }}
-        longhornManager:
+        persistence:
-          priorityClass: system-node-critical
+          defaultClassReplicaCount: 1
-        longhornDriver:
-          priorityClass: system-node-critical
-
-  pinniped:
-    helm:
-      version: 1.3.10  # (= Pinniped v0.27.0)
-      chart: bitnami/pinniped
-      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
-      chart_values: !unsafe |
-        concierge:
-          enabled: false
-        supervisor:
-          service:
-            public:
-              type: ClusterIP
-    local-user-authenticator:
-      # Must match the appVersion (!=chart version) referenced at `components.pinniped.helm.version`
-      version: v0.27.0
-      users:
-        - username: metauser
-          password: !unsafe "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}"
-        - username: metaguest
-          password: !unsafe "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}"
 
   step-certificates:
     helm:
-      version: 1.25.2  # (= step-ca v0.25.2)
+      version: 1.23.2+5  # (= step-ca v0.23.2)
       chart: smallstep/step-certificates
       parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u
       chart_values: !unsafe |
+        ca:
+          dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1
+          password: "{{ vapp['metacluster.password'] }}"
+          provisioner:
+            name: admin
+            password: "{{ vapp['metacluster.password'] }}"
         inject:
           secrets:
             ca_password: "{{ vapp['metacluster.password'] | b64encode }}"
             provisioner_password: "{{ vapp['metacluster.password'] | b64encode }}"
+        service:
+          targetPort: 9000
 
 dependencies:
 
@@ -344,50 +316,43 @@ dependencies:
     - community.general
     - community.vmware
     - kubernetes.core
-    - lvrfrc87.git_acp
 
   container_images:
     # This should match the image tag referenced at `platform.packaged_components[.name==traefik].config`
     - busybox:1
-    - ghcr.io/kube-vip/kube-vip:v0.6.3
+    - ghcr.io/kube-vip/kube-vip:v0.6.0
     # The following list is generated by running the following commands:
     #   $ clusterctl init -i vsphere:<version> [...]
     #   $ clusterctl generate cluster <name> [...] | yq eval '.data.data' | yq --no-doc eval '.. | .image? | select(.)' | sort -u
-    - gcr.io/cloud-provider-vsphere/cpi/release/manager:v1.27.0
+    - gcr.io/cloud-provider-vsphere/cpi/release/manager:v1.18.1
-    - gcr.io/cloud-provider-vsphere/csi/release/driver:v3.1.0
+    - gcr.io/cloud-provider-vsphere/csi/release/driver:v2.1.0
-    - gcr.io/cloud-provider-vsphere/csi/release/syncer:v3.1.0
+    - gcr.io/cloud-provider-vsphere/csi/release/syncer:v2.1.0
-    - registry.k8s.io/sig-storage/csi-attacher:v4.3.0
+    - quay.io/k8scsi/csi-attacher:v3.0.0
-    - registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0
+    - quay.io/k8scsi/csi-node-driver-registrar:v2.0.1
-    - registry.k8s.io/sig-storage/csi-provisioner:v3.5.0
+    - quay.io/k8scsi/csi-provisioner:v2.0.0
-    - registry.k8s.io/sig-storage/csi-resizer:v1.8.0
+    - quay.io/k8scsi/livenessprobe:v2.1.0
-    - registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2
-    - registry.k8s.io/sig-storage/livenessprobe:v2.10.0
 
   static_binaries:
-    - filename: argo
-      url: https://github.com/argoproj/argo-workflows/releases/download/v3.5.7/argo-linux-amd64.gz
     - filename: clusterctl
-      url: https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.6.3/clusterctl-linux-amd64
+      url: https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.4.1/clusterctl-linux-amd64
     - filename: govc
-      url: https://github.com/vmware/govmomi/releases/download/v0.36.3/govc_Linux_x86_64.tar.gz
+      url: https://github.com/vmware/govmomi/releases/download/v0.30.4/govc_Linux_x86_64.tar.gz
       archive: compressed
     - filename: helm
-      url: https://get.helm.sh/helm-v3.14.3-linux-amd64.tar.gz
+      url: https://get.helm.sh/helm-v3.12.0-linux-amd64.tar.gz
       archive: compressed
       extra_opts: --strip-components=1
     - filename: kubectl-slice
-      url: https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.9/kubectl-slice_linux_x86_64.tar.gz
+      url: https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.6/kubectl-slice_linux_x86_64.tar.gz
       archive: compressed
-    - filename: pinniped
-      url: https://github.com/vmware-tanzu/pinniped/releases/download/v0.25.0/pinniped-cli-linux-amd64
     - filename: skopeo
       url: https://code.spamasaurus.com/api/packages/djpbessems/generic/skopeo/v1.12.0/skopeo_linux_amd64
     - filename: step
-      url: https://dl.step.sm/gh-release/cli/gh-release-header/v0.25.2/step_linux_0.25.2_amd64.tar.gz
+      url: https://dl.step.sm/gh-release/cli/gh-release-header/v0.23.2/step_linux_0.23.2_amd64.tar.gz
       archive: compressed
       extra_opts: --strip-components=2
     - filename: yq
-      url: https://github.com/mikefarah/yq/releases/download/v4.43.1/yq_linux_amd64
+      url: http://github.com/mikefarah/yq/releases/download/v4.34.1/yq_linux_amd64
 
   packages:
     apt:

ansible/vars/workloadcluster.yml

@@ -1,8 +1,6 @@
 downstream:
 
   helm_repositories:
-    - name: bitnami
-      url: https://charts.bitnami.com/bitnami
     - name: longhorn
       url: https://charts.longhorn.io
     - name: sealed-secrets
@@ -11,7 +9,7 @@ downstream:
   helm_charts:
 
     longhorn:
-      version: 1.5.4
+      version: 1.4.2
       chart: longhorn/longhorn
       namespace: longhorn-system
       parse_logic: cat values.yaml | yq eval '.. | select(has("repository")) | .repository + ":" + .tag'
@@ -20,26 +18,8 @@ downstream:
           createDefaultDiskLabeledNodes: true
           defaultDataPath: /mnt/blockstorage
 
-    pinniped:
-      version: 1.3.10  # (= Pinniped v0.27.0)
-      chart: bitnami/pinniped
-      namespace: pinniped-concierge
-      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
-      chart_values: !unsafe |
-        supervisor:
-          enabled: false
-      extra_manifests:
-        - src: jwtauthenticator.j2
-          _template:
-            name: metacluster-sso
-            spec: !unsafe |2
-                issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
-                audience: "{{ vapp['workloadcluster.name'] | lower }}"
-                tls:
-                  certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ _newline ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
-
     sealed-secrets:
-      version: 2.8.1  # (= Sealed Secrets v0.20.2)
+      version: 2.9.0  # (= Sealed Secrets v0.21.0)
       chart: sealed-secrets/sealed-secrets
       namespace: sealed-secrets
       parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'

deployment/playbook.yml

@@ -1,78 +0,0 @@
-- hosts: localhost
-  vars_files:
-    - vars/ova.bootstrap.yaml
-    - vars/hv.vcenter.yaml
-    - vars/pb.secrets.yaml
-  tasks:
-
-  - name: Retrieve target folder details
-    community.vmware.vmware_vm_info:
-      hostname: "{{ hv.hostname }}"
-      username: "{{ hv.username }}"
-      password: "{{ secrets.hv.password }}"
-      folder: "{{ hv.folder }}"
-      validate_certs: false
-    register: vm_info
-
-  - name: User prompt
-    ansible.builtin.pause:
-      prompt: Virtual machine '{{ appliance.id }}' already exists. Delete to continue [yes] or abort [no]?"
-    register: prompt
-    until:
-      - prompt.user_input in ['yes', 'no']
-    delay: 0
-    when: (vm_info | selectattr('guest_name', 'equalto', appliance.id) | length) > 0
-
-  - name: Destroy existing VM
-    community.vmware.vmware_guest:
-      hostname: "{{ hv.hostname }}"
-      username: "{{ hv.username }}"
-      password: "{{ secrets.hv.password }}"
-      folder: "{{ hv.folder }}"
-      name: appliance.id
-      state: absent
-    when:
-      - (vm_info | selectattr('guest_name', 'equalto', appliance.id) | length) > 0
-      - (prompt.user_input | bool) == true
-
-  - name: Deploy VM from OVA-template
-    community.vmware.vmware_deploy_ovf:
-      hostname: "{{ hv.hostname }}"
-      username: "{{ hv.username }}"
-      password: "{{ secrets.hv.password }}"
-      validate_certs: false
-      datacenter: "{{ hv.datacenter }}"
-      folder: "{{ hv.folder }}"
-      cluster: "{{ hv.cluster }}"
-      name: airgapped-k8s-meta1
-      datastore: "{{ hv.datastore }}"
-      disk_provisioning: thin
-      networks:
-        "LAN": "{{ hv.network }}"
-      power_on: yes
-      ovf: "{{ appliance.path }}/{{ appliance.filename }}"
-      deployment_option: cp1w1ws0
-      properties:
-        metacluster.fqdn: k8s.lab
-        metacluster.vip: 192.168.154.125
-        metacluster.token: "{{ secrets.appliance.installtoken }}"
-        # guestinfo.hostname: _default
-        metacluster.password: "{{ secrets.appliance.password }}"
-        guestinfo.ipaddress: 192.168.154.126
-        guestinfo.prefixlength: '24'
-        guestinfo.dnsserver: 192.168.154.225
-        guestinfo.gateway: 192.168.154.1
-        # workloadcluster.name: _default
-        workloadcluster.vip: 192.168.154.130
-        ippool.startip: 192.168.154.135
-        ippool.endip: 192.168.154.140
-        workloadcluster.nodetemplate: ubuntu-2204-kube-v1.30.0
-        workloadcluster.nodesize: small
-        # workloadcluster.additionaldisk: '75'
-        guestinfo.rootsshkey: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAiRc7Og+cRJGFwdUzgpX9YqvVenTk54N4kqM7emEfYHdsJLMjKQyxr8hklHmsam5dzxx3itFzc6SLf/ldJJ2JZuzE5FiCqUXXv4UFwN6HF5xqn7PTLicvWZH93H4m1gOlD5Dfzi4Es34v5zRBwbMScOgekk/LweTgl35jGKDgMP5DjGTqkPf7Ndh9+iuQrz99JEr8egl3bj+jIlKjScfaQbbnu3AJIRwZwTKgw0AOkLliQdEPNLvG5/ZImxJG4oHV9/uNkfdJObLjT1plR1HbVNskV5fuRNE/vnUiWl9jAJ1RT83GOqV0sQ+Q7p214fkgqb3JPvci/s0Bb7RA85hBEQ== bessems.eu
-        hv.fqdn: "{{ hv.hostname }}"
-        hv.username: "{{ hv.username }}"
-        hv.password: "{{ secrets.hv.password }}"
-        ldap.fqdn: _unused
-        ldap.dn: _unused
-        ldap.password: _unused

deployment/requirements.yaml

@@ -1,5 +0,0 @@
-collections:
-# - ansible.posix
-# - ansible.utils
-# - community.general
-- community.vmware

packer/build.pkr.hcl

@@ -1,14 +1,5 @@
 packer {
   required_plugins {
-    vsphere = {
-      source  = "github.com/hashicorp/vsphere"
-      version = "~> 1"
-    }
-
-    ansible = {
-      source  = "github.com/hashicorp/ansible"
-      version = "~> 1"
-    }
   }
 }
 
@@ -37,7 +28,6 @@ build {
 
     extra_arguments  = [
       "--extra-vars", "appliancetype=${source.name}",
-      "--extra-vars", "applianceversion=${var.appliance_version}",
       "--extra-vars", "ansible_ssh_pass=${var.ssh_password}",
       "--extra-vars", "docker_username=${var.docker_username}",
       "--extra-vars", "docker_password=${var.docker_password}",
@@ -50,12 +40,12 @@ build {
     inline = [
       "pwsh -command \"& scripts/Update-OvfConfiguration.ps1 \\",
       " -ApplianceType '${source.name}' \\",
-      " -OVFFile '/data/scratch/bld_${var.vm_name}_${source.name}.ovf' \"",
+      " -OVFFile '/scratch/bld_${var.vm_name}_${source.name}.ovf' \"",
       "pwsh -file scripts/Update-Manifest.ps1 \\",
-      " -ManifestFileName '/data/scratch/bld_${var.vm_name}_${source.name}.mf'",
+      " -ManifestFileName '/scratch/bld_${var.vm_name}_${source.name}.mf'",
       "ovftool --acceptAllEulas --allowExtraConfig --overwrite \\",
-      " '/data/scratch/bld_${var.vm_name}_${source.name}.ovf' \\",
+      " '/scratch/bld_${var.vm_name}_${source.name}.ovf' \\",
-      " /output/airgapped-k8s-${var.appliance_version}+${var.k8s_version}-${source.name}.ova"
+      " /output/airgapped-k8s-${var.k8s_version}.${source.name}.ova"
     ]
   }
 }

packer/iso.auto.pkrvars.hcl

@@ -1,5 +1,5 @@
-iso_url      = "sn.itch.fyi/Repository/iso/Canonical/Ubuntu%20Server%2022.04/ubuntu-22.04.3-live-server-amd64.iso"
+iso_url      = "sn.itch.fyi/Repository/iso/Canonical/Ubuntu%20Server%2022.04/ubuntu-22.04.1-live-server-amd64.iso"
-iso_checksum = "sha256:A4ACFDA10B18DA50E2EC50CCAF860D7F20B389DF8765611142305C0E911D16FD"
+iso_checksum = "sha256:10F19C5B2B8D6DB711582E0E27F5116296C34FE4B313BA45F9B201A5007056CB"
 
-// iso_url      = "sn.itch.fyi/Repository/iso/Canonical/Ubuntu%20Server%2022.04/ubuntu-22.04.1-live-server-amd64.iso"
+// iso_url      = "sn.itch.fyi/Repository/iso/Canonical/Ubuntu%20Server%2022.04/ubuntu-22.04-live-server-amd64.iso"
-// iso_checksum = "sha256:10F19C5B2B8D6DB711582E0E27F5116296C34FE4B313BA45F9B201A5007056CB"
+// iso_checksum = "sha256:84AEAF7823C8C61BAA0AE862D0A06B03409394800000B3235854A6B38EB4856F"

packer/preseed/UbuntuServer22.04/user-data

@@ -1,19 +1,10 @@
 #cloud-config
 autoinstall:
   version: 1
-  apt:
-    geoip: true
-    preserve_sources_list: false
-    primary:
-      - arches: [amd64, i386]
-        uri: http://archive.ubuntu.com/ubuntu
-      - arches: [default]
-        uri: http://ports.ubuntu.com/ubuntu-ports
-  early-commands:
-    - sudo systemctl stop ssh
   locale: en_US
   keyboard:
-    layout: us
+    layout: en
+    variant: us
   network:
     network:
       version: 2
@@ -25,18 +16,14 @@ autoinstall:
     layout:
       name: direct
   identity:
-    hostname: ubuntu-server
+    hostname: packer-template
     username: ubuntu
+    # password: $6$ZThRyfmSMh9499ar$KSZus58U/l58Efci0tiJEqDKFCpoy.rv25JjGRv5.iL33AQLTY2aljumkGiDAiX6LsjzVsGTgH85Tx4S.aTfx0
     password: $6$rounds=4096$ZKfzRoaQOtc$M.fhOsI0gbLnJcCONXz/YkPfSoefP4i2/PQgzi2xHEi2x9CUhush.3VmYKL0XVr5JhoYvnLfFwqwR/1YYEqZy/
   ssh:
-    install-server: true
+    install-server: yes
     allow-pw: true
-  packages:
-    - openssh-server
-    - open-vm-tools
-    - cloud-init
   user-data:
     disable_root: false
   late-commands:
     - echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' > /target/etc/sudoers.d/ubuntu
-    - curtin in-target --target=/target -- chmod 440 /etc/sudoers.d/ubuntu

packer/source.pkr.hcl

@@ -1,21 +1,21 @@
 source "vsphere-iso" "ubuntu" {
-  vcenter_server                 = var.hv_fqdn
+  vcenter_server          = var.vcenter_server
-  username                       = var.hv_username
+  username                = var.vsphere_username
-  password                       = var.hv_password
+  password                = var.vsphere_password
   insecure_connection     = "true"
 
-  datacenter                     = var.hv_datacenter
+  datacenter              = var.vsphere_datacenter
-  cluster                        = var.hv_cluster
+  cluster                 = var.vsphere_cluster
-  host                           = var.hv_host
+  host                    = var.vsphere_host
-  folder                         = var.hv_folder
+  folder                  = var.vsphere_folder
-  datastore                      = var.hv_datastore
+  datastore               = var.vsphere_datastore
 
   guest_os_type           = "ubuntu64Guest"
 
   boot_order              = "disk,cdrom"
   boot_command            = [
     "e<down><down><down><end>",
-    " autoinstall network-config=disabled ds=nocloud;",
+    " autoinstall ds=nocloud;",
     "<F10>"
   ]
   boot_wait               = "2s"
@@ -31,7 +31,7 @@ source "vsphere-iso" "ubuntu" {
   RAM                     = 8192
 
   network_adapters {
-    network                      = var.hv_network
+    network               = var.vsphere_network
     network_card          = "vmxnet3"
   }
   storage {
@@ -41,7 +41,6 @@ source "vsphere-iso" "ubuntu" {
   disk_controller_type    = ["pvscsi"]
   usb_controller          = ["xhci"]
 
-  set_host_for_datastore_uploads = true
   cd_files                = [
     "packer/preseed/UbuntuServer22.04/user-data",
     "packer/preseed/UbuntuServer22.04/meta-data"
@@ -56,8 +55,7 @@ source "vsphere-iso" "ubuntu" {
   remove_cdrom            = true
 
   export {
-    output_directory             = "/data/scratch"
+    images                = false
+    output_directory      = "/scratch"
   }
-
-  destroy                        = true
 }

packer/variables.pkr.hcl

@@ -1,17 +1,17 @@
-variable "hv_fqdn" {}
+variable "vcenter_server" {}
-variable "hv_username" {}
+variable "vsphere_username" {}
-variable "hv_password" {
+variable "vsphere_password" {
     sensitive = true
 }
 
-variable "hv_host" {}
+variable "vsphere_host" {}
-variable "hv_datacenter" {}
+variable "vsphere_datacenter" {}
-variable "hv_cluster" {}
+variable "vsphere_cluster" {}
 
-variable "hv_templatefolder" {}
+variable "vsphere_templatefolder" {}
-variable "hv_folder" {}
+variable "vsphere_folder" {}
-variable "hv_datastore" {}
+variable "vsphere_datastore" {}
-variable "hv_network" {}
+variable "vsphere_network" {}
 
 variable "vm_name" {}
 variable "ssh_password" {
@@ -34,5 +34,4 @@ variable "docker_password" {
     sensitive = true
 }
 
-variable "appliance_version" {}
 variable "k8s_version" {}

packer/vsphere.auto.pkrvars.hcl

@@ -1,10 +1,9 @@
-hv_fqdn           = "lab-vc-01.bessems.lan"
+vcenter_server         = "bv11-vc.bessems.lan"
-hv_username       = "administrator@vsphere.local"
+vsphere_username       = "administrator@vsphere.local"
-# urlencoded        "4/55-Clydebank-Rd"
+vsphere_datacenter     = "DeSchakel"
-hv_datacenter     = "4%2f55-Clydebank-Rd"
+vsphere_cluster        = "Cluster.01"
-hv_cluster        = "Cluster.01"
+vsphere_host           = "bv11-esx02.bessems.lan"
-hv_host           = "lab-esx-02.bessems.lan"
+vsphere_datastore      = "ESX02.SSD02"
-hv_datastore      = "ESX02.SSD02"
+vsphere_folder         = "/Packer"
-hv_folder         = "/Packer"
+vsphere_templatefolder = "/Templates"
-hv_templatefolder = "/Templates"
+vsphere_network        = "LAN"
-hv_network        = "LAN"

scripts/Update-OvfConfiguration.bootstrap.yml

@@ -162,19 +162,6 @@ PropertyCategories:
     - cp1w1ws1
     UserConfigurable: true
 
-  - Key: workloadcluster.nodetemplate
-    Type: string["ubuntu-2204-kube-v1.30.0", "photon-5-kube-v1.30.0.ova"]
-    Label: Workload-cluster node template
-    Description: |
-      All worker and worker-storage nodes for the workload-cluster will be provisioned with this node template.
-      Note:
-      Make sure that this exact template has been uploaded to the vCenter instance before powering on this appliance!
-    DefaultValue: ubuntu-2204-kube-v1.30.0
-    Configurations:
-    - cp1w1ws0
-    - cp1w1ws1
-    UserConfigurable: true
-
   - Key: workloadcluster.nodesize
     Type: string["small", "medium", "large"]
     Label: Workload-cluster node size*

scripts/Update-OvfConfiguration.upgrade.yml

@@ -44,7 +44,7 @@ PropertyCategories:
     Configurations: '*'
     UserConfigurable: true
 
-- Name: 2) Meta-cluster new node
+- Name: 2) Add meta-cluster node
   ProductProperties:
 
   - Key: guestinfo.hostname
@@ -95,20 +95,7 @@ PropertyCategories:
   #   Configurations: '*'
   #   UserConfigurable: true
 
-- Name: 3) Workload-cluster
+- Name: 3) Common
-  ProductProperties:
-
-  - Key: workloadcluster.nodetemplate
-    Type: string["ubuntu-2204-kube-v1.30.0", "photon-5-kube-v1.30.0.ova"]
-    Label: Workload-cluster node template
-    Description: |
-      All worker and worker-storage nodes for the workload-cluster will be provisioned with this node template.
-      Note:
-      Make sure that this exact template has been uploaded to the vCenter instance before powering on this appliance!
-    DefaultValue: ubuntu-2204-kube-v1.30.0
-    UserConfigurable: true
-
-- Name: 4) Common
   ProductProperties:
 
   - Key: guestinfo.rootsshkey
@@ -119,7 +106,7 @@ PropertyCategories:
     Configurations: '*'
     UserConfigurable: true
 
-- Name: 5) Hypervisor
+- Name: 4) Hypervisor
   ProductProperties:
 
   - Key: hv.fqdn