build: Fix typo in manifest parser

.drone.yml

@@ -26,8 +26,6 @@ steps:
   - yamllint --version
 
 - name: Linting
-  depends_on:
-  - Debugging information
   image: bv11-cr01.bessems.eu/library/packer-extended
   pull: always
   commands:
@@ -38,8 +36,6 @@ steps:
       scripts
 
 - name: Semantic Release (Dry-run)
-  depends_on:
-  - Linting
   image: bv11-cr01.bessems.eu/proxy/library/node:20-slim
   pull: always
   commands:
@@ -47,21 +43,29 @@ steps:
     apt-get update
   - |
     apt-get install -y --no-install-recommends \
+      curl \
       git-core \
+      jq \
       ca-certificates
+  - |
+    curl -L https://api.github.com/repos/mikefarah/yq/releases/latest | \
+      jq -r '.assets[] | select(.name | endswith("yq_linux_amd64")) | .browser_download_url' | \
+      xargs -I {} curl -L -o /bin/yq {} && \
+    chmod +x /bin/yq
   - |
     npm install \
       semantic-release \
       @semantic-release/commit-analyzer \
       @semantic-release/exec \
   - |
+    export K8S_VERSION=$(yq '.components.clusterapi.workload.version.k8s' < ./ansible/vars/metacluster.yml)
     export GIT_CREDENTIALS=$${GIT_USERNAME}:$${GIT_APIKEY}
   - |
     npx semantic-release \
       --package @semantic-release/exec \
       --package semantic-release \
       --branches ${DRONE_BRANCH} \
-      --tag-format "K8s_1.25.9-v\$${version}" \
+      --tag-format "K8s_$${K8S_VERSION}-v\$${version}" \
       --dry-run \
       --plugins @semantic-release/commit-analyzer,@semantic-release/exec \
       --analyzeCommits @semantic-release/commit-analyzer \
@@ -73,8 +77,6 @@ steps:
     GIT_USERNAME: djpbessems
 
 - name: Install Ansible Galaxy collections
-  depends_on:
-  - Semantic Release (Dry-run)
   image: bv11-cr01.bessems.eu/library/packer-extended
   pull: always
   commands:
@@ -84,8 +86,6 @@ steps:
       -p ./ansible/collections
 
 - name: Kubernetes Bootstrap Appliance
-  depends_on:
-  - Install Ansible Galaxy collections
   image: bv11-cr01.bessems.eu/library/packer-extended
   pull: always
   commands:
@@ -94,7 +94,7 @@ steps:
       packer/preseed/UbuntuServer22.04/user-data
   - |
     export K8S_VERSION=$(yq '.components.clusterapi.workload.version.k8s' < ./ansible/vars/metacluster.yml)
-    export NEXT_RELEASE_VERSION=$(cat .version)
+    export APPLIANCE_VERSION=$(cat .version)
   - |
     packer init -upgrade \
       ./packer
@@ -109,7 +109,7 @@ steps:
       -var ssh_password=$${SSH_PASSWORD} \
       -var vsphere_password=$${VSPHERE_PASSWORD} \
       -var k8s_version=$K8S_VERSION \
-      -var next_release_version=$NEXT_RELEASE_VERSION \
+      -var appliance_version=$APPLIANCE_VERSION \
       ./packer
   - |
     packer build \
@@ -123,7 +123,7 @@ steps:
       -var ssh_password=$${SSH_PASSWORD} \
       -var vsphere_password=$${VSPHERE_PASSWORD} \
       -var k8s_version=$K8S_VERSION \
-      -var next_release_version=$NEXT_RELEASE_VERSION \
+      -var appliance_version=$APPLIANCE_VERSION \
       ./packer
   environment:
     DOCKER_USERNAME:
@@ -146,8 +146,6 @@ steps:
     path: /scratch
 
 - name: Kubernetes Upgrade Appliance
-  depends_on:
-  - Install Ansible Galaxy collections
   image: bv11-cr01.bessems.eu/library/packer-extended
   pull: alwaysquery(
   commands:
@@ -156,7 +154,7 @@ steps:
       packer/preseed/UbuntuServer22.04/user-data
   - |
     export K8S_VERSION=$(yq '.components.clusterapi.workload.version.k8s' < ./ansible/vars/metacluster.yml)
-    export NEXT_RELEASE_VERSION=$(cat .version)
+    export APPLIANCE_VERSION=$(cat .version)
   - |
     packer init -upgrade \
       ./packer
@@ -171,7 +169,7 @@ steps:
       -var ssh_password=$${SSH_PASSWORD} \
       -var vsphere_password=$${VSPHERE_PASSWORD} \
       -var k8s_version=$K8S_VERSION \
-      -var next_release_version=$NEXT_RELEASE_VERSION \
+      -var appliance_version=$APPLIANCE_VERSION \
       ./packer
   - |
     packer build \
@@ -185,7 +183,7 @@ steps:
       -var ssh_password=$${SSH_PASSWORD} \
       -var vsphere_password=$${VSPHERE_PASSWORD} \
       -var k8s_version=$K8S_VERSION \
-      -var next_release_version=$NEXT_RELEASE_VERSION \
+      -var appliance_version=$APPLIANCE_VERSION \
       ./packer
   environment:
     DOCKER_USERNAME:
@@ -208,9 +206,6 @@ steps:
     path: /scratch
 
 - name: Remove temporary resources
-  depends_on:
-  - Kubernetes Bootstrap Appliance
-  - Kubernetes Upgrade Appliance
   image: bv11-cr01.bessems.eu/library/packer-extended
   commands:
   - |

.releaserc.json.DISABLED

@@ -1,11 +0,0 @@
-{
-    "plugins": [
-        ["@semantic-release/commit-analyzer"],
-        ["@semantic-release/release-notes-generator"],
-        ["@semantic-release/exec", {
-            "prepareCmd": "export SEMANTICRELEASE_NEXTRELEASEVERSION=${nextRelease.version}",
-            "publishCmd": "echo $SEMANTICRELEASE_NEXTRELEASEVERSION"
-        }],
-        ["@semantic-release/git"]
-    ]
-}

ansible/roles/assets/tasks/containerimages.yml

@@ -1,4 +1,4 @@
-- name: Parse manifests for container images
+- name: Parse Cluster-API manifests for container images
   ansible.builtin.shell:
     # This set of commands is necessary to deal with multi-line scalar values
     # eg.:
@@ -9,11 +9,20 @@
       cat {{ item.dest }} | yq --no-doc eval '.. | .image? | select(.)' | awk '!/ /';
       cat {{ item.dest }} | yq eval '.data.data' | yq --no-doc eval '.. | .image? | select(.)';
       cat {{ item.dest }} | yq --no-doc eval '.. | .files? | with_entries(select(.value.path == "*.yaml")).[0].content' | awk '!/null/' | yq eval '.. | .image? | select(.)'
-  register: parsedmanifests
+  register: clusterapi_parsedmanifests
   loop: "{{ clusterapi_manifests.results }}"
   loop_control:
     label: "{{ item.dest | basename }}"
 
+- name: Parse pinniped manifests for container images
+  ansible.builtin.shell:
+    # The pinniped manifest specify container images with *both* tag and digest; which is not supported by skopeo
+    cmd: cat {{ item.dest }} | yq --no-doc eval '.. | .image? | select(.) | sub("@.*", "")' | awk '!/ /'
+  register: pinniped_parsedmanifests
+  loop: "{{ pinniped_manifests.results }}"
+  loop_control:
+    label: "{{ item.dest | basename }}"
+
 - name: Parse metacluster helm charts for container images
   ansible.builtin.shell:
     cmd: "{{ item.value.helm.parse_logic }}"
@@ -41,8 +50,10 @@
       results: "{{ (chartimages_metacluster | json_query('results[*].stdout_lines')) + (chartimages_workloadcluster | json_query('results[*].stdout_lines')) | select() | flatten | list }}"
     - source: kubeadm
       results: "{{ kubeadmimages.stdout_lines }}"
-    - source: manifests
+    - source: clusterapi
-      results: "{{ parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
+      results: "{{ clusterapi_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
+    - source: pinniped
+      results: "{{ pinniped_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
   loop_control:
     label: "{{ item.source }}"
 
@@ -64,4 +75,4 @@
         docker://{{ item }} \
         docker-archive:./{{ ( item | regex_findall('[^/:]+'))[-2] }}_{{ lookup('ansible.builtin.password', '/dev/null length=5 chars=ascii_lowercase,digits seed={{ item }}') }}.tar:{{ item }}
     chdir: /opt/metacluster/container-images
-  loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_manifests + dependencies.container_images) | flatten | unique | sort }}"
+  loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_clusterapi + containerimages_pinniped + dependencies.container_images) | flatten | unique | sort }}"

ansible/roles/assets/tasks/main.yml

@@ -16,6 +16,7 @@
     - /opt/metacluster/helm-charts
     - /opt/metacluster/k3s
     - /opt/metacluster/kube-vip
+    - /opt/metacluster/pinniped
     - /opt/workloadcluster/git-repositories/gitops/charts
     - /opt/workloadcluster/git-repositories/gitops/values
     - /opt/workloadcluster/helm-charts

ansible/roles/assets/tasks/manifests.yml

@@ -16,14 +16,17 @@
             { 'components': (
               metacluster_chartvalues |
               combine({ 'clusterapi': components.clusterapi }) |
-              combine({ 'kubevip'   : components.kubevip }) )
+              combine({ 'kubevip'   : components.kubevip }) |
+              combine({ 'pinniped'  : components.pinniped }) ),
+              'appliance': {
+                'version': (applianceversion)
+              }
             } | to_nice_yaml(indent=2, width=4096)
           }}
 
     - name: Aggregate chart_values into dict
       ansible.builtin.set_fact:
         workloadcluster_chartvalues: "{{ workloadcluster_chartvalues | default({}) | combine({ item.key: { 'chart_values': (item.value.chart_values | default('') | from_yaml) } }) }}"
-      # when: item.value.chart_values is defined
       loop: "{{ query('ansible.builtin.dict', downstream.helm_charts) }}"
       loop_control:
         label: "{{ item.key }}"
@@ -37,7 +40,7 @@
             } | to_nice_yaml(indent=2, width=4096)
           }}
 
-- name: Download ClusterAPI manifests
+- name: Download Cluster-API manifests
   ansible.builtin.get_url:
     url: "{{ item.url }}"
     dest: /opt/metacluster/cluster-api/{{ item.dest }}
@@ -97,6 +100,29 @@
   delay: 5
   until: kubevip_manifest is not failed
 
+- name: Download pinniped manifests
+  ansible.builtin.get_url:
+    url: "{{ item.url }}"
+    dest: /opt/metacluster/pinniped/{{ item.dest }}
+  register: pinniped_manifests
+  loop:
+    # The 'supervisor' runs in the metacluster and handles authentication
+    - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-supervisor.yaml
+      dest: pinniped-supervisor.yaml
+    # The 'local-user-authenticator' can be used to run a simple OIDC provider based on useraccounts defined in secrets.
+    - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-local-user-authenticator.yaml
+      dest: local-user-authenticator.yaml
+    # The 'concierge' runs in downstream clusters and forwards authentication requests
+    - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-concierge-crds.yaml
+      dest: pinniped-concierge-crds.yaml
+    - url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-concierge-resources.yaml
+      dest: pinniped-concierge-resources.yaml
+  loop_control:
+    label: "{{ item.dest }}"
+  retries: 5
+  delay: 5
+  until: pinniped_manifests is not failed
+
 # - name: Inject manifests
 #   ansible.builtin.template:
 #     src: "{{ item.type }}.j2"

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml

@@ -0,0 +1 @@
+#

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml

@@ -1,14 +1,9 @@
 - block:
 
-    - name: Initialize tempfile
+    - name: Inject password into values file
-      ansible.builtin.tempfile:
-        state: file
-      register: values_file
-
-    - name: Write chart values w/ password to tempfile
       ansible.builtin.copy:
-        dest: "{{ values_file.path }}"
+        dest: "{{ stepconfig.path }}"
-        content: "{{ stepca_values.stdout | regex_replace('(ca_password|provisioner_password): ', '\\1: ' ~ (vapp['metacluster.password'] | b64encode)) }}"
+        content: "{{ lookup('ansible.builtin.file', stepconfig.path) | regex_replace('(ca_password|provisioner_password):[ ]?\n', '\\1: ' ~ (vapp['metacluster.password'] | b64encode) ~ '\n') }}"
       no_log: true
 
     - name: Install step-ca chart
@@ -21,13 +16,7 @@
         wait: true
         kubeconfig: "{{ kubeconfig.path }}"
         values_files:
-          - "{{ values_file.path }}"
+          - "{{ stepconfig.path }}"
-
-    - name: Cleanup tempfile
-      ansible.builtin.file:
-        path: "{{ values_file.path }}"
-        state: absent
-      when: values_file.path is defined
 
     - name: Retrieve configmap w/ root certificate
       kubernetes.core.k8s_info:

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml

@@ -12,6 +12,15 @@
     - registry
     - storage
 
+- name: Create step-ca config dictionary
+  ansible.builtin.set_fact:
+    stepconfig: "{{ { 'path': ansible_env.HOME ~ '/.step/config/values.yaml' } }}"
+
+- name: Create step-ca target folder
+  ansible.builtin.file:
+    path: "{{ stepconfig.path | dirname }}"
+    state: directory
+
 - name: Initialize tempfile
   ansible.builtin.tempfile:
     state: file
@@ -36,8 +45,8 @@
         --address=:9000 \
         --provisioner=admin \
         --acme \
-        --password-file={{ stepca_password.path }}
+        --password-file={{ stepca_password.path }} | tee {{ stepconfig.path }}
-  register: stepca_values
+    creates: "{{ stepconfig.path }}"
 
 - name: Cleanup tempfile
   ansible.builtin.file:
@@ -48,7 +57,7 @@
 - name: Store root CA certificate
   ansible.builtin.copy:
     dest: /usr/local/share/ca-certificates/root_ca.crt
-    content: "{{ (stepca_values.stdout | from_yaml).inject.certificates.root_ca }}"
+    content: "{{ (lookup('ansible.builtin.file', stepconfig.path) | from_yaml).inject.certificates.root_ca }}"
 
 - name: Update certificate truststore
   ansible.builtin.command:

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/k3s.yml

@@ -42,19 +42,30 @@
   retries: "{{ playbook.retries }}"
   delay: "{{ (storage_benchmark | int) * (playbook.delay.medium | int) }}"
 
-- name: Install kubectl tab-completion
+- name: Install tab-completion
   ansible.builtin.shell:
-    cmd: kubectl completion bash | tee /etc/bash_completion.d/kubectl
+    cmd: |-
+      {{ item }} completion bash > /etc/bash_completion.d/{{ item }}
+    creates: /etc/bash_completion.d/{{ item }}
+  loop:
+    - kubectl
+    - helm
+    - step
 
-- name: Initialize tempfile
+- name: Create kubeconfig dictionary
-  ansible.builtin.tempfile:
+  ansible.builtin.set_fact:
-    state: file
+    kubeconfig: "{{ { 'path': ansible_env.HOME ~ '/.kube/config' } }}"
-  register: kubeconfig
+
+- name: Create kubeconfig target folder
+  ansible.builtin.file:
+    path: "{{ kubeconfig.path | dirname }}"
+    state: directory
 
 - name: Retrieve kubeconfig
   ansible.builtin.command:
     cmd: kubectl config view --raw
   register: kubectl_config
+  no_log: true
 
 - name: Store kubeconfig in tempfile
   ansible.builtin.copy:

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/main.yml

@@ -1,10 +1,12 @@
 - import_tasks: init.yml
 - import_tasks: k3s.yml
 - import_tasks: assets.yml
-- import_tasks: kube-vip.yml
+- import_tasks: virtualip.yml
+- import_tasks: metadata.yml
 - import_tasks: storage.yml
 - import_tasks: ingress.yml
 - import_tasks: certauthority.yml
 - import_tasks: registry.yml
 - import_tasks: git.yml
 - import_tasks: gitops.yml
+- import_tasks: authentication.yml

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/metadata.yml

@@ -0,0 +1,57 @@
+- block:
+    - name: Aggregate manifest-component versions into dictionary
+      ansible.builtin.set_fact:
+        manifest_versions: "{{ manifest_versions | default([]) + [ item | combine( {'type': 'manifest', 'id': index } ) ] }}"
+      loop:
+        - name: cluster-api
+          versions:
+            management:
+              base: "{{ components.clusterapi.management.version.base }}"
+              cert_manager: "{{ components.clusterapi.management.version.cert_manager }}"
+              infrastructure_vsphere: "{{ components.clusterapi.management.version.infrastructure_vsphere }}"
+              ipam_incluster: "{{ components.clusterapi.management.version.ipam_incluster }}"
+              cpi_vsphere: "{{ components.clusterapi.management.version.cpi_vsphere }}"
+            workload:
+              calico: "{{ components.clusterapi.workload.version.calico }}"
+              k8s: "{{ components.clusterapi.workload.version.k8s }}"
+        - name: kube-vip
+          version: "{{ components.kubevip.version }}"
+      loop_control:
+        label: "{{ item.name }}"
+        index_var: index
+
+    - name: Install json-server chart
+      kubernetes.core.helm:
+        name: json-server
+        chart_ref: /opt/metacluster/helm-charts/json-server
+        release_namespace: json-server
+        create_namespace: true
+        wait: false
+        kubeconfig: "{{ kubeconfig.path }}"
+        values: |
+          {{
+            components['json-server'].chart_values |
+            combine(
+              { 'jsonServer': { 'seedData': { 'configInline': (
+                { 'appliance': { "version": appliance.version }, 'components': manifest_versions, 'healthz': { 'status': 'running' } }
+              ) | to_json } } }
+            )
+          }}
+
+    - name: Ensure json-server API availability
+      ansible.builtin.uri:
+        url: https://version.{{ vapp['metacluster.fqdn'] }}/healthz
+        method: GET
+        # This mock REST API -ironically- does not support json encoded body argument
+        body_format: raw
+      register: api_readycheck
+      until:
+        - api_readycheck.json.status is defined
+        - api_readycheck.json.status == 'running'
+      retries: "{{ playbook.retries }}"
+      delay: "{{ (storage_benchmark | int) * (playbook.delay.long | int) }}"
+
+  module_defaults:
+    ansible.builtin.uri:
+      validate_certs: no
+      status_code: [200, 201]

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/kustomization.cluster-template.j2

@@ -3,8 +3,8 @@ kind: Kustomization
 resources:
 - cluster-template.yaml
 
-patchesStrategicMerge:
+patches:
-  - |-
+- patch: |-
     apiVersion: v1
     kind: Secret
     metadata:
@@ -32,7 +32,7 @@ patchesStrategicMerge:
             [Network]
             public-network = "${VSPHERE_NETWORK}"
         type: Opaque
-  - |-
+- patch: |-
     apiVersion: controlplane.cluster.x-k8s.io/v1beta1
     kind: KubeadmControlPlane
     metadata:
@@ -42,7 +42,7 @@ patchesStrategicMerge:
       kubeadmConfigSpec:
         clusterConfiguration:
           imageRepository: registry.{{ _template.network.fqdn }}/kubeadm
-  - |-
+- patch: |-
     apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
     kind: KubeadmConfigTemplate
     metadata:
@@ -53,7 +53,7 @@ patchesStrategicMerge:
         spec:
           clusterConfiguration:
             imageRepository: registry.{{ _template.network.fqdn }}/kubeadm
-  - |-
+- patch: |-
     apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
     kind: KubeadmConfigTemplate
     metadata:
@@ -86,7 +86,7 @@ patchesStrategicMerge:
               {{ _template.rootca | indent(width=14, first=False) | trim }}
             owner: root:root
             path: /usr/local/share/ca-certificates/root_ca.crt
-  - |-
+- patch: |-
     apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
     kind: VSphereMachineTemplate
     metadata:
@@ -105,7 +105,7 @@ patchesStrategicMerge:
               nameservers:
               - {{ _template.network.dnsserver }}
               networkName: '${VSPHERE_NETWORK}'
-  - |-
+- patch: |-
     apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
     kind: VSphereMachineTemplate
     metadata:
@@ -125,132 +125,131 @@ patchesStrategicMerge:
               - {{ _template.network.dnsserver }}
               networkName: '${VSPHERE_NETWORK}'
 
-patchesJson6902:
+- target:
-  - target:
+    group: controlplane.cluster.x-k8s.io
-      group: controlplane.cluster.x-k8s.io
+    version: v1beta1
-      version: v1beta1
+    kind: KubeadmControlPlane
-      kind: KubeadmControlPlane
+    name: .*
-      name: .*
+  patch: |-
-    patch: |-
+    - op: add
-      - op: add
+      path: /spec/kubeadmConfigSpec/files/-
-        path: /spec/kubeadmConfigSpec/files/-
+      value:
-        value:
+        content: |
-          content: |
+            [plugins."io.containerd.grpc.v1.cri".registry]
-              [plugins."io.containerd.grpc.v1.cri".registry]
+              config_path = "/etc/containerd/certs.d"
-                config_path = "/etc/containerd/certs.d"
+        append: true
-          append: true
+        path: /etc/containerd/config.toml
-          path: /etc/containerd/config.toml
 {% for registry in _template.registries %}
-      - op: add
+    - op: add
-        path: /spec/kubeadmConfigSpec/files/-
+      path: /spec/kubeadmConfigSpec/files/-
-        value:
+      value:
-          content: |
+        content: |
-            server = "https://{{ registry }}"
+          server = "https://{{ registry }}"
 
-            [host."https://registry.{{ _template.network.fqdn }}/v2/library/{{ registry }}"]
+          [host."https://registry.{{ _template.network.fqdn }}/v2/library/{{ registry }}"]
-              capabilities = ["pull", "resolve"]
+            capabilities = ["pull", "resolve"]
-              override_path = true
+            override_path = true
-          owner: root:root
+        owner: root:root
-          path: /etc/containerd/certs.d/{{ registry }}/hosts.toml
+        path: /etc/containerd/certs.d/{{ registry }}/hosts.toml
 {% endfor %}
-      - op: add
+    - op: add
-        path: /spec/kubeadmConfigSpec/files/-
+      path: /spec/kubeadmConfigSpec/files/-
-        value:
+      value:
-          content: |
+        content: |
-            network: {config: disabled}
+          network: {config: disabled}
-          owner: root:root
+        owner: root:root
-          path: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
+        path: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
-      - op: add
+    - op: add
-        path: /spec/kubeadmConfigSpec/files/-
+      path: /spec/kubeadmConfigSpec/files/-
-        value:
+      value:
-          content: |
+        content: |
-            {{ _template.rootca | indent(width=12, first=False) | trim }}
+          {{ _template.rootca | indent(width=10, first=False) | trim }}
-          owner: root:root
+        owner: root:root
-          path: /usr/local/share/ca-certificates/root_ca.crt
+        path: /usr/local/share/ca-certificates/root_ca.crt
-  - target:
+- target:
-      group: bootstrap.cluster.x-k8s.io
+    group: bootstrap.cluster.x-k8s.io
-      version: v1beta1
+    version: v1beta1
-      kind: KubeadmConfigTemplate
+    kind: KubeadmConfigTemplate
-      name: .*
+    name: .*
-    patch: |-
+  patch: |-
 {% for cmd in _template.runcmds %}
-      - op: add
+    - op: add
-        path: /spec/template/spec/preKubeadmCommands/-
+      path: /spec/template/spec/preKubeadmCommands/-
-        value: {{ cmd }}
+      value: {{ cmd }}
 {% endfor %}
-  - target:
+- target:
-      group: controlplane.cluster.x-k8s.io
+    group: controlplane.cluster.x-k8s.io
-      version: v1beta1
+    version: v1beta1
-      kind: KubeadmControlPlane
+    kind: KubeadmControlPlane
-      name: .*
+    name: .*
-    patch: |-
+  patch: |-
 {% for cmd in _template.runcmds %}
-      - op: add
+    - op: add
-        path: /spec/kubeadmConfigSpec/preKubeadmCommands/-
+      path: /spec/kubeadmConfigSpec/preKubeadmCommands/-
-        value: {{ cmd }}
+      value: {{ cmd }}
 {% endfor %}
 
-  - target:
+- target:
-      group: infrastructure.cluster.x-k8s.io
+    group: infrastructure.cluster.x-k8s.io
-      version: v1beta1
+    version: v1beta1
-      kind: VSphereMachineTemplate
+    kind: VSphereMachineTemplate
-      name: \${CLUSTER_NAME}
+    name: \${CLUSTER_NAME}
-    patch: |-
+  patch: |-
-      - op: replace
+    - op: replace
-        path: /metadata/name
+      path: /metadata/name
-        value: ${CLUSTER_NAME}-master
+      value: ${CLUSTER_NAME}-master
-  - target:
+- target:
-      group: controlplane.cluster.x-k8s.io
+    group: controlplane.cluster.x-k8s.io
-      version: v1beta1
+    version: v1beta1
-      kind: KubeadmControlPlane
+    kind: KubeadmControlPlane
-      name: \${CLUSTER_NAME}
+    name: \${CLUSTER_NAME}
-    patch: |-
+  patch: |-
-      - op: replace
+    - op: replace
-        path: /metadata/name
+      path: /metadata/name
-        value: ${CLUSTER_NAME}-master
+      value: ${CLUSTER_NAME}-master
-      - op: replace
+    - op: replace
-        path: /spec/machineTemplate/infrastructureRef/name
+      path: /spec/machineTemplate/infrastructureRef/name
-        value: ${CLUSTER_NAME}-master
+      value: ${CLUSTER_NAME}-master
-  - target:
+- target:
-      group: cluster.x-k8s.io
+    group: cluster.x-k8s.io
-      version: v1beta1
+    version: v1beta1
-      kind: Cluster
+    kind: Cluster
-      name: \${CLUSTER_NAME}
+    name: \${CLUSTER_NAME}
-    patch: |-
+  patch: |-
-      - op: replace
+    - op: replace
-        path: /spec/controlPlaneRef/name
+      path: /spec/controlPlaneRef/name
-        value: ${CLUSTER_NAME}-master
+      value: ${CLUSTER_NAME}-master
 
-  - target:
+- target:
-      group: infrastructure.cluster.x-k8s.io
+    group: infrastructure.cluster.x-k8s.io
-      version: v1beta1
+    version: v1beta1
-      kind: VSphereMachineTemplate
+    kind: VSphereMachineTemplate
-      name: \${CLUSTER_NAME}-worker
+    name: \${CLUSTER_NAME}-worker
-    patch: |-
+  patch: |-
-      - op: replace
+    - op: replace
-        path: /spec/template/spec/numCPUs
+      path: /spec/template/spec/numCPUs
-        value: {{ _template.nodesize.cpu }}
+      value: {{ _template.nodesize.cpu }}
-      - op: replace
+    - op: replace
-        path: /spec/template/spec/memoryMiB
+      path: /spec/template/spec/memoryMiB
-        value: {{ _template.nodesize.memory }}
+      value: {{ _template.nodesize.memory }}
-  - target:
+- target:
-      group: cluster.x-k8s.io
+    group: cluster.x-k8s.io
-      version: v1beta1
+    version: v1beta1
-      kind: MachineDeployment
+    kind: MachineDeployment
-      name: \${CLUSTER_NAME}-md-0
+    name: \${CLUSTER_NAME}-md-0
-    patch: |-
+  patch: |-
-      - op: replace
+    - op: replace
-        path: /metadata/name
+      path: /metadata/name
-        value: ${CLUSTER_NAME}-worker
+      value: ${CLUSTER_NAME}-worker
-      - op: replace
+    - op: replace
-        path: /spec/template/spec/bootstrap/configRef/name
+      path: /spec/template/spec/bootstrap/configRef/name
-        value: ${CLUSTER_NAME}-worker
+      value: ${CLUSTER_NAME}-worker
-  - target:
+- target:
-      group: bootstrap.cluster.x-k8s.io
+    group: bootstrap.cluster.x-k8s.io
-      version: v1beta1
+    version: v1beta1
-      kind: KubeadmConfigTemplate
+    kind: KubeadmConfigTemplate
-      name: \${CLUSTER_NAME}-md-0
+    name: \${CLUSTER_NAME}-md-0
-    patch: |-
+  patch: |-
-      - op: replace
+    - op: replace
-        path: /metadata/name
+      path: /metadata/name
-        value: ${CLUSTER_NAME}-worker
+      value: ${CLUSTER_NAME}-worker

ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/kustomization.nodepool.j2

@@ -5,8 +5,8 @@ resources:
 - manifests/machinedeployment-{{ _template.cluster.name }}-worker.yaml
 - manifests/vspheremachinetemplate-{{ _template.cluster.name }}-worker.yaml
 
-patchesStrategicMerge:
+patches:
-  - |-
+- patch: |-
     apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
     kind: KubeadmConfigTemplate
     metadata:
@@ -31,7 +31,7 @@ patchesStrategicMerge:
           mounts:
           - - LABEL=blockstorage
             - /mnt/blockstorage
-  - |-
+- patch: |-
     apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
     kind: VSphereMachineTemplate
     metadata:
@@ -43,42 +43,41 @@ patchesStrategicMerge:
           additionalDisksGiB:
           - {{ _template.nodepool.additionaldisk }}
 
-patchesJson6902:
+- target:
-  - target:
+    group: bootstrap.cluster.x-k8s.io
-      group: bootstrap.cluster.x-k8s.io
+    version: v1beta1
-      version: v1beta1
+    kind: KubeadmConfigTemplate
-      kind: KubeadmConfigTemplate
+    name: {{ _template.cluster.name }}-worker
-      name: {{ _template.cluster.name }}-worker
+  patch: |-
-    patch: |-
+    - op: replace
-      - op: replace
+      path: /metadata/name
-        path: /metadata/name
+      value: {{ _template.cluster.name }}-worker-storage
-        value: {{ _template.cluster.name }}-worker-storage
 
-  - target:
+- target:
-      group: cluster.x-k8s.io
+    group: cluster.x-k8s.io
-      version: v1beta1
+    version: v1beta1
-      kind: MachineDeployment
+    kind: MachineDeployment
-      name: {{ _template.cluster.name }}-worker
+    name: {{ _template.cluster.name }}-worker
-    patch: |-
+  patch: |-
-      - op: replace
+    - op: replace
-        path: /metadata/name
+      path: /metadata/name
-        value: {{ _template.cluster.name }}-worker-storage
+      value: {{ _template.cluster.name }}-worker-storage
-      - op: replace
+    - op: replace
-        path: /spec/template/spec/bootstrap/configRef/name
+      path: /spec/template/spec/bootstrap/configRef/name
-        value: {{ _template.cluster.name }}-worker-storage
+      value: {{ _template.cluster.name }}-worker-storage
-      - op: replace
+    - op: replace
-        path: /spec/template/spec/infrastructureRef/name
+      path: /spec/template/spec/infrastructureRef/name
-        value: {{ _template.cluster.name }}-worker-storage
+      value: {{ _template.cluster.name }}-worker-storage
-      - op: replace
+    - op: replace
-        path: /spec/replicas
+      path: /spec/replicas
-        value: {{ _template.nodepool.size }}
+      value: {{ _template.nodepool.size }}
 
-  - target:
+- target:
-      group: infrastructure.cluster.x-k8s.io
+    group: infrastructure.cluster.x-k8s.io
-      version: v1beta1
+    version: v1beta1
-      kind: VSphereMachineTemplate
+    kind: VSphereMachineTemplate
-      name: {{ _template.cluster.name }}-worker
+    name: {{ _template.cluster.name }}-worker
-    patch: |-
+  patch: |-
-      - op: replace
+    - op: replace
-        path: /metadata/name
+      path: /metadata/name
-        value: {{ _template.cluster.name }}-worker-storage
+      value: {{ _template.cluster.name }}-worker-storage

ansible/roles/firstboot/files/ansible_payload/common/roles/cleanup/tasks/main.yml

@@ -1,12 +1,6 @@
 - import_tasks: service.yml
 - import_tasks: cron.yml
 
-- name: Cleanup tempfile
-  ansible.builtin.file:
-    path: "{{ kubeconfig.path }}"
-    state: absent
-  when: kubeconfig.path is defined
-
 # - name: Reboot host
 #   ansible.builtin.shell:
 #     cmd: systemctl reboot

ansible/vars/metacluster.yml

@@ -1,7 +1,7 @@
 platform:
 
   k3s:
-    version: v1.25.9+k3s1
+    version: v1.27.1+k3s1
 
   packaged_components:
     - name: traefik
@@ -33,12 +33,6 @@ platform:
   helm_repositories:
     - name: argo
       url: https://argoproj.github.io/argo-helm
-    - name: authentik
-      url: https://charts.goauthentik.io
-    # - name: codecentric
-    #   url: https://codecentric.github.io/helm-charts
-    # - name: dex
-    #   url: https://charts.dexidp.io
     - name: gitea-charts
       url: https://dl.gitea.io/charts/
     - name: harbor
@@ -51,6 +45,8 @@ platform:
       url: https://prometheus-community.github.io/helm-charts
     - name: smallstep
       url: https://smallstep.github.io/helm-charts/
+    - name: spamasaurus
+      url: https://code.spamasaurus.com/api/packages/djpbessems/helm
 
 components:
 
@@ -71,32 +67,6 @@ components:
             hosts:
               - gitops.{{ vapp['metacluster.fqdn'] }}
 
-  authentik:
-    helm:
-      version: 2023.3.1
-      chart: authentik/authentik
-      parse_logic: helm template . --set postgresql.enabled=true,redis.enabled=true | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
-      chart_values: !unsafe |
-        authentik:
-          avatars: none
-          secret_key: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
-          postgresql:
-            password: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
-        env:
-          AUTHENTIK_BOOTSTRAP_PASSWORD: "{{ vapp['metacluster.password'] }}"
-        ingress:
-          enabled: true
-          hosts:
-            - host: auth.{{ vapp['metacluster.fqdn'] }}
-              paths:
-                - path: "/"
-                  pathType: Prefix
-        postgresql:
-          enabled: true
-          postgresqlPassword: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
-        redis:
-          enabled: true
-
   cert-manager:
     helm:
       version: 1.11.0
@@ -115,61 +85,13 @@ components:
         infrastructure_vsphere: v1.6.0
         ipam_incluster: v0.1.0-alpha.2
         # Refer to `https://console.cloud.google.com/gcr/images/cloud-provider-vsphere/GLOBAL/cpi/release/manager` for available tags
-        cpi_vsphere: v1.25.2
+        cpi_vsphere: v1.26.2
     workload:
       version:
         calico: v3.25.0
-        k8s: v1.25.9
+        k8s: v1.27.1
       node_template:
-        url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2204-kube-v1.25.9.ova
+        url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2204-kube-v1.27.1.ova
-
-  # dex:
-  #   helm:
-  #     version: 0.13.0 # (= Dex 2.35.3)
-  #     chart: dex/dex
-  #     parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
-  #     chart_values: !unsafe |
-  #       config:
-  #         connectors:
-  #           - type: ldap
-  #             id: ldap
-  #             name: "LDAP"
-  #             config:
-  #               host: "{{ vapp['ldap.fqdn'] }}:636"
-  #               insecureNoSSL: false
-  #               insecureSkipVerify: true
-  #               bindDN: "{{ vapp['ldap.dn'] }}"
-  #               bindPW: "{{ vapp['ldap.password'] }}"
-
-  #               usernamePrompt: "Username"
-  #               userSearch:
-  #                 baseDN: OU=Administrators,OU=Useraccounts,DC=bessems,DC=eu
-  #                 filter: "(objectClass=person)"
-  #                 username: userPrincipalName
-  #                 idAttr: DN
-  #                 emailAttr: userPrincipalName
-  #                 nameAttr: cn
-
-  #               groupSearch:
-  #                 baseDN: OU=Roles,OU=Groups,DC=bessems,DC=eu
-  #                 filter: "(objectClass=group)"
-  #                 userMatchers:
-  #                 - userAttr: DN
-  #                   groupAttr: member
-  #                 nameAttr: cn
-  #         enablePasswordDB: true
-  #         issuer: https://oidc.{{ vapp['metacluster.fqdn'] }}
-  #         storage:
-  #           type: kubernetes
-  #           config:
-  #             inCluster: true
-  #       ingress:
-  #         enabled: true
-  #         hosts:
-  #           - host: oidc.{{ vapp['metacluster.fqdn'] }}
-  #             paths:
-  #               - path: /
-  #                 pathType: Prefix
 
   gitea:
     helm:
@@ -225,37 +147,24 @@ components:
             registry:
               size: 25Gi
 
-  # keycloakx:
+  json-server:
-  #   helm:
+    helm:
-  #     version: 2.1.1  # (= Keycloak 20.0.3)
+      version: v0.8.3
-  #     chart: codecentric/keycloakx
+      chart: spamasaurus/json-server
-  #     parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
-  #     chart_values: !unsafe |
+      chart_values: !unsafe |
-  #       command:
+        ingress:
-  #         - "/opt/keycloak/bin/kc.sh"
+          enabled: true
-  #         - "start"
+          hosts:
-  #         - "--http-enabled=true"
+            - host: version.{{ vapp['metacluster.fqdn'] }}
-  #         - "--http-port=8080"
+              paths:
-  #         - "--hostname-strict=false"
+                - path: /
-  #         - "--hostname-strict-https=false"
+                  pathType: Prefix
-  #       extraEnv: |
+        jsonServer:
-  #         - name: KEYCLOAK_ADMIN
+          seedData:
-  #           value: admin
+            configInline: {}
-  #         - name: KEYCLOAK_ADMIN_PASSWORD
+        sidecar:
-  #           value: {{ vapp['metacluster.password'] }}
+          targetUrl: version.{{ vapp['metacluster.fqdn'] }}
-  #         - name: KC_PROXY
-  #           value: "passthrough"
-  #         - name: JAVA_OPTS_APPEND
-  #           value: >-
-  #             -Djgroups.dns.query={% raw %}{{ include "keycloak.fullname" . }}{% endraw %}-headless
-  #       ingress:
-  #         enabled: true
-  #         rules:
-  #           - host: keycloak.{{ vapp['metacluster.fqdn'] }}
-  #             paths:
-  #               - path: /
-  #                 pathType: Prefix
-  #         tls: []
 
   kube-prometheus-stack:
     helm:
@@ -288,6 +197,10 @@ components:
         persistence:
           defaultClassReplicaCount: 1
 
+  pinniped:
+    # Must match the version referenced at `dependencies.static_binaries[.filename==pinniped].url`
+    version: v0.25.0
+
   step-certificates:
     helm:
       version: 1.23.0
@@ -345,6 +258,8 @@ dependencies:
     - filename: kubectl-slice
       url: https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.5/kubectl-slice_linux_x86_64.tar.gz
       archive: compressed
+    - filename: pinniped
+      url: https://github.com/vmware-tanzu/pinniped/releases/download/v0.25.0/pinniped-cli-linux-amd64
     - filename: skopeo
       url: https://code.spamasaurus.com/api/packages/djpbessems/generic/skopeo/v1.12.0/skopeo_linux_amd64
     - filename: step

packer/build.pkr.hcl

@@ -1,5 +1,14 @@
 packer {
   required_plugins {
+    vsphere = {
+      source  = "github.com/hashicorp/vsphere"
+      version = "~> 1"
+    }
+
+    ansible = {
+      source  = "github.com/hashicorp/ansible"
+      version = "~> 1"
+    }
   }
 }
 
@@ -28,6 +37,7 @@ build {
 
     extra_arguments  = [
       "--extra-vars", "appliancetype=${source.name}",
+      "--extra-vars", "applianceversion=${var.appliance_version}",
       "--extra-vars", "ansible_ssh_pass=${var.ssh_password}",
       "--extra-vars", "docker_username=${var.docker_username}",
       "--extra-vars", "docker_password=${var.docker_password}",
@@ -45,7 +55,7 @@ build {
       " -ManifestFileName '/scratch/bld_${var.vm_name}_${source.name}.mf'",
       "ovftool --acceptAllEulas --allowExtraConfig --overwrite \\",
       " '/scratch/bld_${var.vm_name}_${source.name}.ovf' \\",
-      " /output/airgapped-k8s-${var.next_release_version}+${var.k8s_version}-${source.name}.ova"
+      " /output/airgapped-k8s-${var.appliance_version}+${var.k8s_version}-${source.name}.ova"
     ]
   }
 }

packer/variables.pkr.hcl

@@ -34,5 +34,5 @@ variable "docker_password" {
     sensitive = true
 }
 
+variable "appliance_version" {}
 variable "k8s_version" {}
-variable "next_release_version" {}