djpbessems/Packer.Images
Archived
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: djpbessems:Test_SemRel
Branches Tags
djpbessems:master djpbessems:Appliance.AirgappedK8s-1.27.x djpbessems:Appliance.AirgappedK8s-1.26.x djpbessems:Appliance.AirgappedK8s-1.25.x djpbessems:Test_SemRel djpbessems:UbuntuServer22.04 djpbessems:UbuntuServer20.04 djpbessems:Windows10 djpbessems:Server2019 djpbessems:ADDS
djpbessems:K8s_1.25.9-v1.0.0 djpbessems:v1.0.0
..
compare: djpbessems:8c1016a231f3f1c07300e06d63b1202fbe57e187
Branches Tags
djpbessems:Appliance.AirgappedK8s-1.27.x djpbessems:Appliance.AirgappedK8s-1.26.x djpbessems:Appliance.AirgappedK8s-1.25.x djpbessems:Test_SemRel djpbessems:UbuntuServer22.04 djpbessems:UbuntuServer20.04 djpbessems:Windows10 djpbessems:master djpbessems:Server2019 djpbessems:ADDS
djpbessems:K8s_1.25.9-v1.0.0 djpbessems:v1.0.0

110 Commits
Test_SemRe ... 8c1016a231

Author SHA1 Message Date
djpbessems
8c1016a231 build: Prepare dependencies / inject configuration
Some checks failed
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 1m2s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 35m9s
Details
2024-06-06 16:34:45 +10:00
djpbessems
663804e1b6 build: Switch to transfer through hypervisor host
Some checks failed
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 44s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 10m3s
Details
2024-06-06 15:56:27 +10:00
djpbessems
33ba3771cc chore: Refactor step syntax
Some checks failed
Container & Helm chart / Linting (push) Successful in 6s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 31s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 24s
Details
2024-06-06 13:03:47 +10:00
djpbessems
c05b58e93a chore: Debug packer build error
Some checks failed
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 1m2s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 23s
Details
2024-06-06 13:00:44 +10:00
djpbessems
29c89e16ee build: Escape characters in hypervisor configuration
Some checks failed
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 1m2s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 23s
Details
2024-06-06 12:36:37 +10:00
djpbessems
201c6f8bca build: Update action container image #2
Some checks failed
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 59s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 57s
Details
2024-06-06 12:26:59 +10:00
djpbessems
67f91f2962 build: Update action container image
Some checks failed
Container & Helm chart / Linting (push) Successful in 6s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 41s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 47s
Details
2024-06-06 11:48:28 +10:00
djpbessems
be02f884ac build: Switch container image
Some checks failed
Container & Helm chart / Linting (push) Successful in 19s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 58s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 43s
Details
2024-06-05 22:25:59 +10:00
djpbessems
8037d4d1c7 build: Revert packer parameter syntax
Some checks failed
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 32s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 22s
Details
2024-06-05 13:09:29 +10:00
djpbessems
d99fca654f chore: Refactor string substitutions
Some checks failed
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 49s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 21s
Details
2024-06-05 13:05:30 +10:00
djpbessems
7d431d88c3 build: Remove redundant packer parameters
Some checks failed
Container & Helm chart / Linting (push) Successful in 6s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 55s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 20s
Details
2024-06-05 12:58:22 +10:00
djpbessems
691dcee21f chore: Debug packer validate workflow step #10
Some checks failed
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 35s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 21s
Details
2024-06-05 12:44:18 +10:00
djpbessems
95c14fc385 chore: Debug packer validate workflow step #9
Some checks failed
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 47s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 19s
Details
2024-06-05 12:39:33 +10:00
djpbessems
33cd272d53 chore: Debug packer validate workflow step #8
Some checks failed
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 58s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 21s
Details
2024-06-05 12:27:01 +10:00
djpbessems
e46e5c0802 chore: Debug packer validate workflow step #7
Some checks failed
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 27s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 18s
Details
2024-06-05 12:23:16 +10:00
djpbessems
2d468d8b83 chore: Debug packer validate workflow step #6
All checks were successful
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 53s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Successful in 20s
Details
2024-06-05 12:21:14 +10:00
djpbessems
f45b96f42b chore: Debug packer validate workflow step #5
Some checks failed
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 1m1s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 20s
Details
2024-06-05 12:18:27 +10:00
djpbessems
4dc5a6ed39 chore: Debug packer validate workflow step #4
Some checks failed
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 39s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 19s
Details
2024-06-05 12:14:46 +10:00
djpbessems
34af03ca99 chore: Debug packer validate workflow step #3
All checks were successful
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 51s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Successful in 19s
Details
2024-06-05 12:12:15 +10:00
djpbessems
55c594d242 chore: Debug packer validate workflow step #2
Some checks failed
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 57s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 21s
Details
2024-06-05 12:03:46 +10:00
djpbessems
8555e677b3 chore: Debug packer validate workflow step
Some checks failed
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 53s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Failing after 21s
Details
2024-06-05 11:58:40 +10:00
djpbessems
3cefd67458 chore: Attempt more verbose console output #2
All checks were successful
Container & Helm chart / Linting (push) Successful in 6s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 35s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Successful in 19s
Details
2024-06-05 11:56:12 +10:00
djpbessems
1a0e674aa8 chore: Attempt more verbose console output
All checks were successful
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 1m2s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Successful in 21s
Details
2024-06-05 11:52:37 +10:00
djpbessems
6e37fd756b build: Enable packer build step
All checks were successful
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 1m6s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Successful in 20s
Details
2024-06-05 11:28:17 +10:00
djpbessems
6568acf541 build: Populate/Reference packer parameters
All checks were successful
Container & Helm chart / Linting (push) Successful in 6s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 49s
Details
Container & Helm chart / Kubernetes Bootstrap Appliance (push) Successful in 30s
Details
2024-06-05 11:16:12 +10:00
djpbessems
092ce5eabc build: Refactor/Update packer configuration 2024-06-05 10:57:05 +10:00
djpbessems
a785e57126 build: Align steps between jobs 2024-06-05 10:43:39 +10:00
djpbessems
71e9957122 build: Add repository checkout workflow step
All checks were successful
Container & Helm chart / Linting (push) Successful in 5s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 59s
Details
Container & Helm chart / Container image (push) Successful in 1m20s
Details
2024-06-05 10:40:51 +10:00
djpbessems
877fc24235 build: Attempt initial actions workflow
Some checks failed
Container & Helm chart / Linting (push) Failing after 1m6s
Details
Container & Helm chart / Semantic Release (Dry-run) (push) Successful in 2m25s
Details
Container & Helm chart / Container image (push) Has been skipped
Details
2024-06-05 10:33:01 +10:00
Danny Bessems
778a7581c0 chore: Remove stray colon
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-10-24 16:33:12 +02:00
Danny Bessems
d1bce54a2d chore: Refactor dictionary structure
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-10-24 16:29:06 +02:00
Danny Bessems
a8cb53429d fix: Incorrect escape sequence
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-10-24 12:59:01 +02:00
Danny Bessems
e1f83f2245 fix: Incorrect module parameter name
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-10-24 09:56:31 +02:00
Danny Bessems
1cfca1fa4a chore: Temporarily disable 'no_log'
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-10-24 09:38:11 +02:00
Danny Bessems
27cb500b8c chore: Revert debugging 2023-10-24 09:31:33 +02:00
Danny Bessems
720bc43546 fix: Switch ansible module
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-10-24 09:28:24 +02:00
Danny Bessems
49b8b80db0 fix: Update cloud-init file contents
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-10-24 09:13:33 +02:00
djpbessems
3bc3da54be chore: Retain VM to allow debugging
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-10-23 14:06:32 +02:00
Danny Bessems
8e7e23c8bc feat: Upgrade base OS version
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-10-22 20:49:53 +02:00
Danny Bessems
e4cfc26e2c fix: Incorrect dictionary key reference 2023-10-22 20:49:35 +02:00
Danny Bessems
3b89aed52b fix: Prevent parsing of list keys
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-10-22 20:28:54 +02:00
Danny Bessems
5cdd6ef052 feat: Include pinniped local-user-authenticator
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-10-22 15:20:34 +02:00
Danny Bessems
ef8766b5ca feat: Upgrade pinniped to v0.27.0
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-10-21 15:37:34 +02:00
Danny Bessems
ab14a966e0 fix: Incorrect path to cluster api provider manifests
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-10-20 14:49:29 +02:00
djpbessems
f6961b5e3a fix: Update kustomization template with correct paths
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-10-18 14:47:36 +02:00
Danny Bessems
c1a8a35494 fix: Add missing path to cluster api provider manifests
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-10-12 15:44:39 +02:00
Danny Bessems
ba7e233c27 feat: Store cluster API provider manifests
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-10-12 11:24:56 +02:00
Danny Bessems
8c6a9f38ba fix: Update IPPool template to new CRD
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-10-06 13:16:38 +02:00
Danny Bessems
bf3d7ed239 feat: Upgrade CAPI/CAPV/CAIP and dependencies
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-10-05 11:29:31 +02:00
Danny Bessems
0509a7cb8a feat: Upgrade Pinniped
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-09-29 16:22:21 +02:00
Danny Bessems
01601de897 fix: Upgrade Pinniped chart
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-09-23 12:23:56 +02:00
Danny Bessems
a2198f1109 fix: Force playbook colour output 2023-09-23 12:23:39 +02:00
Danny Bessems
7cc8fbbccb fix: Clean untracked files in git repo through git_acp module
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-09-22 12:10:02 +02:00
Danny Bessems
da0558711c fix: Fix volume secret name reference
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-08-25 16:16:26 +02:00
Danny Bessems
90082ca36a fix: Inject ca-bundle into gitea container
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-08-25 14:13:01 +02:00
Danny Bessems
b2ae56e54b build: Split nodepool manifest in separate documents 2023-08-25 11:39:02 +02:00
Danny Bessems
b21b8b5376 fix: Missing filename
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-08-25 09:30:20 +02:00
Danny Bessems
931eaf366c fix: Add retries to wait for pinniped-concierge to come online 2023-08-25 09:29:58 +02:00
Danny Bessems
32dda728cb fix: Generate and store kubeconfig in repository
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-08-24 18:24:24 +02:00
Danny Bessems
4c1f1fce5e fix: Add playbook scoped variable 2023-08-24 17:41:35 +02:00
Danny Bessems
bb58e287b7 fix: Change CIDR subnet block #2
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-08-24 15:28:09 +02:00
Danny Bessems
ef58b823c2 fix: Change CIDR subnet block
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-08-24 12:27:49 +02:00
Danny Bessems
5000c324e1 fix: Register correct redirect/callback url
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-08-24 10:05:08 +02:00
Danny Bessems
87e89cfa27 fix: Incorrect linebreak in ca-bundle 2023-08-24 10:04:38 +02:00
Danny Bessems
ac5d3e3668 fix: Create folderstructure after cloning git repository 2023-08-24 09:47:58 +02:00
Danny Bessems
616f8b9a53 fix: Incorrect path 2023-08-24 09:47:16 +02:00
Danny Bessems
2c5e8e10b5 fix: Inject line break in ca-bundle through variable
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-08-23 17:17:54 +02:00
Danny Bessems
17ad64013a build: Move !unsafe data type declaration
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-08-23 16:43:25 +02:00
Danny Bessems
eb2ada2164 chore: Refactor git commands to git_acp module 2023-08-23 14:31:09 +02:00
Danny Bessems
3e3a92c344 fix: Rename duplicate keys
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-08-23 14:26:49 +02:00
Danny Bessems
d86f70a458 fix: Remove redundant dictionary key
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-08-23 14:04:39 +02:00
Danny Bessems
436995accc chore: Refactor playbook for idempotency 2023-08-23 14:03:25 +02:00
Danny Bessems
0310bb9d1a fix: Incorrect indentation
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-08-23 13:46:55 +02:00
Danny Bessems
21f03ba048 fix: Incorrect secret types;Missing newline in ca-bundle 2023-08-23 13:46:44 +02:00
Danny Bessems
b009395f62 chore: Fix/Remove incorrect/redundant key references
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-08-22 21:17:18 +02:00
Danny Bessems
2110eb9e2c build: Quote jinja templating delimiters
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-08-22 13:08:06 +02:00
Danny Bessems
423ecc2f95 fix: Rebase pinniped-concierge on workload-cluster to bitnami chart
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-08-22 12:54:07 +02:00
Danny Bessems
1a1440f751 build: Rebase pinniped to bitnami helm chart
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-08-22 12:02:13 +02:00
Danny Bessems
b17501ee1d fix: Trim digest when applying pinniped manifest; Add ingressroute
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-08-21 11:59:41 +02:00
Danny Bessems
87eb5e0dd7 build: Fix typo in manifest parser
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-08-21 09:44:11 +02:00
Danny Bessems
f5ed60fa38 build: Move to external packer plugins 2023-08-21 09:39:05 +02:00
Danny Bessems
eab5cfc688 fix: Trim digest when parsing pinniped manifest
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-08-21 09:31:11 +02:00
Danny Bessems
05b271214c feat: Switch authentication provider to pinniped
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-08-21 09:02:33 +02:00
Danny Bessems
455a2e14be fix: Avoid regex_replace pattern duplication
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-28 13:23:59 +02:00
Danny Bessems
f5154f6961 fix: Incorrect nesting of dictionary and filters 2023-07-28 13:22:23 +02:00
Danny Bessems
4bf5121086 fix: Remove redundant combine filter
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-19 22:46:51 +02:00
djpbessems
393b1092e5 fix: Refactor version endpoint json creation to guarantee variable substitution
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-19 16:46:23 +02:00
Danny Bessems
36c30ca646 fix: Aggregate dictionary content within respective component task list
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-18 16:05:54 +02:00
Danny Bessems
8005b172a5 feat: Include manifests in version endpoint
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-16 14:52:41 +02:00
Danny Bessems
13f4965278 fix: Upgrade version endpoint component
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-16 11:48:28 +02:00
Danny Bessems
05f085aee7 feat: Preconfigure root profile for cli tools
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-15 19:09:44 +02:00
Danny Bessems
072fc56050 fix: Refactor to make step-ca initialization idempotent 2023-07-15 19:08:33 +02:00
Danny Bessems
5363eba1a3 fix: Upgrade version endpoint component
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-14 15:38:49 +02:00
Danny Bessems
a245cc3d48 feat: Dynamically fill version endpoint database
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-14 13:49:02 +02:00
Danny Bessems
51c477fb07 feat: Upgrade version endpoint component
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-14 10:48:18 +02:00
Danny Bessems
1446cba537 fix: Change API call encoding
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-13 12:18:33 +02:00
Danny Bessems
0501a035f2 fix: Upgrade component version
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-12 11:49:48 +02:00
Danny Bessems
6e942af974 fix: Revert skopeo transport when storing container images
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-11 14:54:57 +02:00
Danny Bessems
89874d57ce fix: Explicitly convert child dictionary to json
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-11 11:53:37 +02:00
Danny Bessems
2b497d4653 fix: Fix playbook tasklist order 2023-07-11 11:42:12 +02:00
Danny Bessems
cfa4a5379a feat: Switch to OCI-archive for container storage 2023-07-11 11:41:33 +02:00
Danny Bessems
a2c2766ff7 fix: Remove non-functional variable references
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-08 18:09:48 +02:00
Danny Bessems
76d3b6c742 build: Include semantic release dry-run logic
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-07 17:31:32 +02:00
Danny Bessems
a5248bd54c build: Add missing variables
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-07-07 17:12:20 +02:00
Danny Bessems
cbedc9679f feat: Add version/metadata API endpoint
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-07-07 16:48:32 +02:00
Danny Bessems
740b6b3dc9 build: Disable parallel builds entirely
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-07 14:33:47 +02:00
Danny Bessems
0ba87988bc fix: Incorrect indentation causing malformed PEM file
Some checks failed
continuous-integration/drone/push Build is failing
Details
2023-07-07 10:30:20 +02:00
Danny Bessems
aa14a8a3a8 fix: Refactor kustomize templates
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-06 13:01:35 +02:00
Danny Bessems
48c14afd0f New major version branch
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-05-19 13:43:23 +02:00
Danny Bessems
2addda3f06 Upgrade node template OS version;Upgrade K8s minor version
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-05-19 12:19:06 +02:00
41 changed files with 1095 additions and 491 deletions
Expand all files Collapse all files

35
.drone.yml
View File

@@ -26,8 +26,6 @@ steps:
- yamllint --version - yamllint --version
- name: Linting - name: Linting
depends_on:
- Debugging information
image: bv11-cr01.bessems.eu/library/packer-extended image: bv11-cr01.bessems.eu/library/packer-extended
pull: always pull: always
commands: commands:
@@ -38,8 +36,6 @@ steps:
scripts scripts
- name: Semantic Release (Dry-run) - name: Semantic Release (Dry-run)
depends_on:
- Linting
image: bv11-cr01.bessems.eu/proxy/library/node:20-slim image: bv11-cr01.bessems.eu/proxy/library/node:20-slim
pull: always pull: always
commands: commands:
@@ -47,21 +43,29 @@ steps:
apt-get update apt-get update
- | - |
apt-get install -y --no-install-recommends \ apt-get install -y --no-install-recommends \
curl \
git-core \ git-core \
jq \
ca-certificates ca-certificates
- |
curl -L https://api.github.com/repos/mikefarah/yq/releases/latest | \
jq -r '.assets[] | select(.name | endswith("yq_linux_amd64")) | .browser_download_url' | \
xargs -I {} curl -L -o /bin/yq {} && \
chmod +x /bin/yq
- | - |
npm install \ npm install \
semantic-release \ semantic-release \
@semantic-release/commit-analyzer \ @semantic-release/commit-analyzer \
@semantic-release/exec \ @semantic-release/exec \
- | - |
export K8S_VERSION=$(yq '.components.clusterapi.workload.version.k8s' < ./ansible/vars/metacluster.yml)
export GIT_CREDENTIALS=$${GIT_USERNAME}:$${GIT_APIKEY} export GIT_CREDENTIALS=$${GIT_USERNAME}:$${GIT_APIKEY}
- | - |
npx semantic-release \ npx semantic-release \
--package @semantic-release/exec \ --package @semantic-release/exec \
--package semantic-release \ --package semantic-release \
--branches ${DRONE_BRANCH} \ --branches ${DRONE_BRANCH} \
--tag-format "K8s_1.25.9-v\$${version}" \ --tag-format "K8s_$${K8S_VERSION}-v\$${version}" \
--dry-run \ --dry-run \
--plugins @semantic-release/commit-analyzer,@semantic-release/exec \ --plugins @semantic-release/commit-analyzer,@semantic-release/exec \
--analyzeCommits @semantic-release/commit-analyzer \ --analyzeCommits @semantic-release/commit-analyzer \
@@ -73,8 +77,6 @@ steps:
GIT_USERNAME: djpbessems GIT_USERNAME: djpbessems
- name: Install Ansible Galaxy collections - name: Install Ansible Galaxy collections
depends_on:
- Semantic Release (Dry-run)
image: bv11-cr01.bessems.eu/library/packer-extended image: bv11-cr01.bessems.eu/library/packer-extended
pull: always pull: always
commands: commands:
@@ -84,8 +86,6 @@ steps:
-p ./ansible/collections -p ./ansible/collections
- name: Kubernetes Bootstrap Appliance - name: Kubernetes Bootstrap Appliance
depends_on:
- Install Ansible Galaxy collections
image: bv11-cr01.bessems.eu/library/packer-extended image: bv11-cr01.bessems.eu/library/packer-extended
pull: always pull: always
commands: commands:
@@ -94,7 +94,7 @@ steps:
packer/preseed/UbuntuServer22.04/user-data packer/preseed/UbuntuServer22.04/user-data
- | - |
export K8S_VERSION=$(yq '.components.clusterapi.workload.version.k8s' < ./ansible/vars/metacluster.yml) export K8S_VERSION=$(yq '.components.clusterapi.workload.version.k8s' < ./ansible/vars/metacluster.yml)
export NEXT_RELEASE_VERSION=$(cat .version) export APPLIANCE_VERSION=$(cat .version)
- | - |
packer init -upgrade \ packer init -upgrade \
./packer ./packer
@@ -109,7 +109,7 @@ steps:
-var ssh_password=$${SSH_PASSWORD} \ -var ssh_password=$${SSH_PASSWORD} \
-var vsphere_password=$${VSPHERE_PASSWORD} \ -var vsphere_password=$${VSPHERE_PASSWORD} \
-var k8s_version=$K8S_VERSION \ -var k8s_version=$K8S_VERSION \
-var next_release_version=$NEXT_RELEASE_VERSION \ -var appliance_version=$APPLIANCE_VERSION \
./packer ./packer
- | - |
packer build \ packer build \
@@ -123,7 +123,7 @@ steps:
-var ssh_password=$${SSH_PASSWORD} \ -var ssh_password=$${SSH_PASSWORD} \
-var vsphere_password=$${VSPHERE_PASSWORD} \ -var vsphere_password=$${VSPHERE_PASSWORD} \
-var k8s_version=$K8S_VERSION \ -var k8s_version=$K8S_VERSION \
-var next_release_version=$NEXT_RELEASE_VERSION \ -var appliance_version=$APPLIANCE_VERSION \
./packer ./packer
environment: environment:
DOCKER_USERNAME: DOCKER_USERNAME:
@@ -146,8 +146,6 @@ steps:
path: /scratch path: /scratch
- name: Kubernetes Upgrade Appliance - name: Kubernetes Upgrade Appliance
depends_on:
- Install Ansible Galaxy collections
image: bv11-cr01.bessems.eu/library/packer-extended image: bv11-cr01.bessems.eu/library/packer-extended
pull: alwaysquery( pull: alwaysquery(
commands: commands:
@@ -156,7 +154,7 @@ steps:
packer/preseed/UbuntuServer22.04/user-data packer/preseed/UbuntuServer22.04/user-data
- | - |
export K8S_VERSION=$(yq '.components.clusterapi.workload.version.k8s' < ./ansible/vars/metacluster.yml) export K8S_VERSION=$(yq '.components.clusterapi.workload.version.k8s' < ./ansible/vars/metacluster.yml)
export NEXT_RELEASE_VERSION=$(cat .version) export APPLIANCE_VERSION=$(cat .version)
- | - |
packer init -upgrade \ packer init -upgrade \
./packer ./packer
@@ -171,7 +169,7 @@ steps:
-var ssh_password=$${SSH_PASSWORD} \ -var ssh_password=$${SSH_PASSWORD} \
-var vsphere_password=$${VSPHERE_PASSWORD} \ -var vsphere_password=$${VSPHERE_PASSWORD} \
-var k8s_version=$K8S_VERSION \ -var k8s_version=$K8S_VERSION \
-var next_release_version=$NEXT_RELEASE_VERSION \ -var appliance_version=$APPLIANCE_VERSION \
./packer ./packer
- | - |
packer build \ packer build \
@@ -185,7 +183,7 @@ steps:
-var ssh_password=$${SSH_PASSWORD} \ -var ssh_password=$${SSH_PASSWORD} \
-var vsphere_password=$${VSPHERE_PASSWORD} \ -var vsphere_password=$${VSPHERE_PASSWORD} \
-var k8s_version=$K8S_VERSION \ -var k8s_version=$K8S_VERSION \
-var next_release_version=$NEXT_RELEASE_VERSION \ -var appliance_version=$APPLIANCE_VERSION \
./packer ./packer
environment: environment:
DOCKER_USERNAME: DOCKER_USERNAME:
@@ -208,9 +206,6 @@ steps:
path: /scratch path: /scratch
- name: Remove temporary resources - name: Remove temporary resources
depends_on:
- Kubernetes Bootstrap Appliance
- Kubernetes Upgrade Appliance
image: bv11-cr01.bessems.eu/library/packer-extended image: bv11-cr01.bessems.eu/library/packer-extended
commands: commands:
- | - |

154
.gitea/workflows/actions.yaml Normal file
View File

@@ -0,0 +1,154 @@
name: Container & Helm chart
on: [push]
jobs:
linting:
name: Linting
runs-on: dind-rootless
steps:
- name: Check out repository code
uses: actions/checkout@v4
- name: yamllint
uses: bewuethr/yamllint-action@v1
with:
config-file: .yamllint.yaml
semrel_dryrun:
name: Semantic Release (Dry-run)
runs-on: dind-rootless
outputs:
version: ${{ steps.sem_rel.outputs.version }}
steps:
- name: Check out repository code
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v3
with:
node-version: 20
- name: Install dependencies
run: |
npm install \
semantic-release \
@semantic-release/commit-analyzer \
@semantic-release/exec
- name: Semantic Release (dry-run)
id: sem_rel
run: |
npx semantic-release \
--package @semantic-release/exec \
--package semantic-release \
--branches ${{ gitea.refname }} \
--tag-format 'v${version}' \
--dry-run \
--plugins @semantic-release/commit-analyzer,@semantic-release/exec \
--analyzeCommits @semantic-release/commit-analyzer \
--verifyRelease @semantic-release/exec \
--verifyReleaseCmd 'echo "version=${nextRelease.version}" >> $GITHUB_OUTPUT'
env:
GIT_CREDENTIALS: ${{ secrets.GIT_USERNAME }}:${{ secrets.GIT_APIKEY }}
- name: Assert semantic release output
run: |
[[ -z "${{ steps.sem_rel.outputs.version }}" ]] && {
echo 'No release tag - exiting'; exit 1
} || {
echo 'Release tag set correctly: ${{ steps.sem_rel.outputs.version }}'; exit 0
}
build_image:
name: Kubernetes Bootstrap Appliance
container: code.spamasaurus.com/djpbessems/packer-extended:1.2.0
runs-on: dind-rootless
needs: [semrel_dryrun, linting]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Parse Kubernetes version
uses: mikefarah/yq@master
id: get_k8sversion
with:
cmd: yq '.components.clusterapi.workload.version.k8s' ansible/vars/metacluster.yml
- name: Setup `packer`
uses: hashicorp/setup-packer@main
id: setup
with:
version: "latest"
- name: Run `packer init`
id: init
run: packer init -upgrade ./packer
- name: Prepare dependencies and inject configuration
run: |
export BUILD_COMMIT=$(echo "${{ gitea.sha }}" | cut -c 1-10)
export BUILD_SUFFIX=$(openssl rand -hex 3)
sed -i -e "s/<<img-password>>/${{ secrets.SSH_PASSWORD }}/g" \
packer/preseed/UbuntuServer22.04/user-data
ansible-galaxy collection install \
-r ansible/requirements.yml \
-p ./ansible/collections
- name: Run `packer validate`
id: validate
run: |
# BUILD_COMMIT=$(echo "${{ gitea.sha }}" | cut -c 1-10)
# BUILD_SUFFIX=$(openssl rand -hex 3)
packer validate \
-only=vsphere-iso.bootstrap \
-var vm_name=${{ gitea.run_number }}-${BUILD_COMMIT}-${BUILD_SUFFIX} \
-var docker_username=${{ secrets.DOCKER_USERNAME }} \
-var docker_password=${{ secrets.DOCKER_PASSWORD }} \
-var repo_username=${{ secrets.REPO_USERNAME }} \
-var repo_password=${{ secrets.REPO_PASSWORD }} \
-var ssh_password=${{ secrets.SSH_PASSWORD }} \
-var hv_password=${{ secrets.HV_PASSWORD }} \
-var k8s_version=${{ steps.get_k8sversion.outputs.result }} \
-var appliance_version=${{ needs.semrel_dryrun.outputs.version }} \
./packer
- name: Run `packer build`
run: |
# BUILD_COMMIT=$(echo "${{ gitea.sha }}" | cut -c 1-10)
# BUILD_SUFFIX=$(openssl rand -hex 3)
packer build \
-only=vsphere-iso.bootstrap \
-var vm_name=${{ gitea.run_number }}-${BUILD_COMMIT}-${BUILD_SUFFIX} \
-var docker_username=${{ secrets.DOCKER_USERNAME }} \
-var docker_password=${{ secrets.DOCKER_PASSWORD }} \
-var repo_username=${{ secrets.REPO_USERNAME }} \
-var repo_password=${{ secrets.REPO_PASSWORD }} \
-var ssh_password=${{ secrets.SSH_PASSWORD }} \
-var hv_password=${{ secrets.HV_PASSWORD }} \
-var k8s_version=${{ steps.get_k8sversion.outputs.result }} \
-var appliance_version=${{ needs.semrel_dryrun.outputs.version }} \
./packer
# env:
# PACKER_LOG: 1
# semrel:
# name: Semantic Release
# runs-on: dind-rootless
# needs: [build_container, build_chart]
# steps:
# - name: Check out repository code
# uses: actions/checkout@v3
# - name: Setup Node
# uses: actions/setup-node@v3
# with:
# node-version: 20
# - name: Install dependencies
# run: |
# npm install \
# semantic-release \
# @semantic-release/changelog \
# @semantic-release/commit-analyzer \
# @semantic-release/git \
# @semantic-release/release-notes-generator
# - name: Semantic Release
# run: |
# npx semantic-release \
# --branches ${{ gitea.refname }} \
# --tag-format 'v${version}' \
# --plugins @semantic-release/commit-analyzer,@semantic-release/release-notes-generator,@semantic-release/changelog,@semantic-release/git
# env:
# GIT_CREDENTIALS: ${{ secrets.GIT_USERNAME }}:${{ secrets.GIT_APIKEY }}

11
.releaserc.json.DISABLED
View File

@@ -1,11 +0,0 @@
{
"plugins": [
["@semantic-release/commit-analyzer"],
["@semantic-release/release-notes-generator"],
["@semantic-release/exec", {
"prepareCmd": "export SEMANTICRELEASE_NEXTRELEASEVERSION=${nextRelease.version}",
"publishCmd": "echo $SEMANTICRELEASE_NEXTRELEASEVERSION"
}],
["@semantic-release/git"]
]
}

4
.yamllint.yaml Normal file
View File

@@ -0,0 +1,4 @@
extends: relaxed
rules:
line-length: disable

18
ansible/roles/assets/tasks/containerimages.yml
View File

@@ -1,4 +1,4 @@
- name: Parse manifests for container images - name: Parse Cluster-API manifests for container images
ansible.builtin.shell: ansible.builtin.shell:
# This set of commands is necessary to deal with multi-line scalar values # This set of commands is necessary to deal with multi-line scalar values
# eg.: # eg.:
@@ -9,11 +9,17 @@
cat {{ item.dest }} | yq --no-doc eval '.. | .image? | select(.)' | awk '!/ /'; cat {{ item.dest }} | yq --no-doc eval '.. | .image? | select(.)' | awk '!/ /';
cat {{ item.dest }} | yq eval '.data.data' | yq --no-doc eval '.. | .image? | select(.)'; cat {{ item.dest }} | yq eval '.data.data' | yq --no-doc eval '.. | .image? | select(.)';
cat {{ item.dest }} | yq --no-doc eval '.. | .files? | with_entries(select(.value.path == "*.yaml")).[0].content' | awk '!/null/' | yq eval '.. | .image? | select(.)' cat {{ item.dest }} | yq --no-doc eval '.. | .files? | with_entries(select(.value.path == "*.yaml")).[0].content' | awk '!/null/' | yq eval '.. | .image? | select(.)'
register: parsedmanifests register: clusterapi_parsedmanifests
loop: "{{ clusterapi_manifests.results }}" loop: "{{ clusterapi_manifests.results }}"
loop_control: loop_control:
label: "{{ item.dest | basename }}" label: "{{ item.dest | basename }}"
- name: Parse pinniped manifest for container images
ansible.builtin.shell:
cmd: >-
cat {{ pinniped_manifest.dest }} | yq --no-doc eval '.. | .image? | select(.)' | awk '!/ /';
register: pinniped_parsedmanifest
- name: Parse metacluster helm charts for container images - name: Parse metacluster helm charts for container images
ansible.builtin.shell: ansible.builtin.shell:
cmd: "{{ item.value.helm.parse_logic }}" cmd: "{{ item.value.helm.parse_logic }}"
@@ -41,8 +47,10 @@
results: "{{ (chartimages_metacluster | json_query('results[*].stdout_lines')) + (chartimages_workloadcluster | json_query('results[*].stdout_lines')) | select() | flatten | list }}" results: "{{ (chartimages_metacluster | json_query('results[*].stdout_lines')) + (chartimages_workloadcluster | json_query('results[*].stdout_lines')) | select() | flatten | list }}"
- source: kubeadm - source: kubeadm
results: "{{ kubeadmimages.stdout_lines }}" results: "{{ kubeadmimages.stdout_lines }}"
- source: manifests - source: clusterapi
results: "{{ parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}" results: "{{ clusterapi_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
- source: pinniped
results: "{{ pinniped_parsedmanifest.stdout_lines }}"
loop_control: loop_control:
label: "{{ item.source }}" label: "{{ item.source }}"
@@ -64,4 +72,4 @@
docker://{{ item }} \ docker://{{ item }} \
docker-archive:./{{ ( item | regex_findall('[^/:]+'))[-2] }}_{{ lookup('ansible.builtin.password', '/dev/null length=5 chars=ascii_lowercase,digits seed={{ item }}') }}.tar:{{ item }} docker-archive:./{{ ( item | regex_findall('[^/:]+'))[-2] }}_{{ lookup('ansible.builtin.password', '/dev/null length=5 chars=ascii_lowercase,digits seed={{ item }}') }}.tar:{{ item }}
chdir: /opt/metacluster/container-images chdir: /opt/metacluster/container-images
loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_manifests + dependencies.container_images) | flatten | unique | sort }}" loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_clusterapi + containerimages_pinniped + dependencies.container_images) | flatten | unique | sort }}"

3
ansible/roles/assets/tasks/main.yml
View File

@@ -16,8 +16,7 @@
- /opt/metacluster/helm-charts - /opt/metacluster/helm-charts
- /opt/metacluster/k3s - /opt/metacluster/k3s
- /opt/metacluster/kube-vip - /opt/metacluster/kube-vip
- /opt/workloadcluster/git-repositories/gitops/charts - /opt/metacluster/pinniped
- /opt/workloadcluster/git-repositories/gitops/values
- /opt/workloadcluster/helm-charts - /opt/workloadcluster/helm-charts
- /opt/workloadcluster/node-templates - /opt/workloadcluster/node-templates
- /var/lib/rancher/k3s/agent/images - /var/lib/rancher/k3s/agent/images

44
ansible/roles/assets/tasks/manifests.yml
View File

@@ -1,6 +1,6 @@
- block: - block:
- name: Aggregate chart_values into dict - name: Aggregate meta-cluster chart_values into dict
ansible.builtin.set_fact: ansible.builtin.set_fact:
metacluster_chartvalues: "{{ metacluster_chartvalues | default({}) | combine({ item.key: { 'chart_values': (item.value.helm.chart_values | from_yaml) } }) }}" metacluster_chartvalues: "{{ metacluster_chartvalues | default({}) | combine({ item.key: { 'chart_values': (item.value.helm.chart_values | from_yaml) } }) }}"
when: item.value.helm.chart_values is defined when: item.value.helm.chart_values is defined
@@ -8,22 +8,34 @@
loop_control: loop_control:
label: "{{ item.key }}" label: "{{ item.key }}"
- name: Write dict to vars_file - name: Combine and write dict to vars_file
ansible.builtin.copy: ansible.builtin.copy:
dest: /opt/firstboot/ansible/vars/metacluster.yml dest: /opt/firstboot/ansible/vars/metacluster.yml
content: >- content: >-
{{ {{
{ 'components': ( { 'components': (
metacluster_chartvalues | metacluster_chartvalues |
combine({ 'clusterapi': components.clusterapi }) | combine({ 'clusterapi' : components['clusterapi'] }) |
combine({ 'kubevip' : components.kubevip }) ) combine({ 'kubevip' : components['kubevip'] }) |
combine({ 'localuserauthenticator': components['pinniped']['local-user-authenticator'] })),
'appliance': {
'version': (applianceversion)
}
} | to_nice_yaml(indent=2, width=4096) } | to_nice_yaml(indent=2, width=4096)
}} }}
- name: Aggregate chart_values into dict - name: Aggregate workload-cluster chart_values into dict
ansible.builtin.set_fact: ansible.builtin.set_fact:
workloadcluster_chartvalues: "{{ workloadcluster_chartvalues | default({}) | combine({ item.key: { 'chart_values': (item.value.chart_values | default('') | from_yaml) } }) }}" workloadcluster_chartvalues: |
# when: item.value.chart_values is defined {{
workloadcluster_chartvalues | default({}) | combine({
item.key: {
'chart_values': (item.value.chart_values | default('') | from_yaml),
'extra_manifests': (item.value.extra_manifests | default([])),
'namespace': (item.value.namespace)
}
})
}}
loop: "{{ query('ansible.builtin.dict', downstream.helm_charts) }}" loop: "{{ query('ansible.builtin.dict', downstream.helm_charts) }}"
loop_control: loop_control:
label: "{{ item.key }}" label: "{{ item.key }}"
@@ -37,7 +49,7 @@
} | to_nice_yaml(indent=2, width=4096) } | to_nice_yaml(indent=2, width=4096)
}} }}
- name: Download ClusterAPI manifests - name: Download Cluster-API manifests
ansible.builtin.get_url: ansible.builtin.get_url:
url: "{{ item.url }}" url: "{{ item.url }}"
dest: /opt/metacluster/cluster-api/{{ item.dest }} dest: /opt/metacluster/cluster-api/{{ item.dest }}
@@ -97,6 +109,22 @@
delay: 5 delay: 5
until: kubevip_manifest is not failed until: kubevip_manifest is not failed
- name: Download pinniped local-user-authenticator manifest
ansible.builtin.get_url:
url: https://get.pinniped.dev/{{ components.pinniped['local-user-authenticator'].version }}/install-local-user-authenticator.yaml
dest: /opt/metacluster/pinniped/local-user-authenticator.yaml
register: pinniped_manifest
retries: 5
delay: 5
until: pinniped_manifest is not failed
- name: Trim image hash from manifest
ansible.builtin.replace:
path: /opt/metacluster/pinniped/local-user-authenticator.yaml
regexp: '([ ]*image: .*)@.*'
replace: '\1'
no_log: true
# - name: Inject manifests # - name: Inject manifests
# ansible.builtin.template: # ansible.builtin.template:
# src: "{{ item.type }}.j2" # src: "{{ item.type }}.j2"

3
ansible/roles/firstboot/files/ansible_payload/bootstrap/playbook.yml
View File

@@ -2,6 +2,9 @@
- hosts: 127.0.0.1 - hosts: 127.0.0.1
connection: local connection: local
gather_facts: true gather_facts: true
vars:
# Needed by some templating in various tasks
_newline: "\n"
vars_files: vars_files:
- defaults.yml - defaults.yml
- metacluster.yml - metacluster.yml

176
ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml Normal file
View File

@@ -0,0 +1,176 @@
- block:
- name: Install dex
kubernetes.core.helm:
name: dex
chart_ref: /opt/metacluster/helm-charts/dex
release_namespace: dex
create_namespace: true
wait: false
kubeconfig: "{{ kubeconfig.path }}"
values: "{{ components['dex'].chart_values }}"
- block:
- name: Install pinniped local-user-authenticator
kubernetes.core.k8s:
src: /opt/metacluster/pinniped/local-user-authenticator.yaml
state: present
kubeconfig: "{{ kubeconfig.path }}"
- name: Create local-user-authenticator accounts
kubernetes.core.k8s:
template: secret.j2
state: present
kubeconfig: "{{ kubeconfig.path }}"
vars:
_template:
name: "{{ item.username }}"
namespace: local-user-authenticator
type: ''
data:
- key: groups
value: "{{ 'group1,group2' | b64encode }}"
- key: passwordHash
value: "{{ item.password | b64encode }}"
loop: "{{ components['localuserauthenticator'].users }}"
- block:
- name: Install pinniped chart
kubernetes.core.helm:
name: pinniped
chart_ref: /opt/metacluster/helm-charts/pinniped
release_namespace: pinniped-supervisor
create_namespace: true
wait: false
kubeconfig: "{{ kubeconfig.path }}"
values: "{{ components['pinniped'].chart_values }}"
- name: Add ingress for supervisor
kubernetes.core.k8s:
template: "{{ item.kind }}.j2"
state: present
kubeconfig: "{{ kubeconfig.path }}"
vars:
_template:
name: "{{ item.name }}"
namespace: "{{ item.namespace }}"
spec: "{{ item.spec }}"
loop:
- kind: ingressroute
name: pinniped-supervisor
namespace: pinniped-supervisor
spec: |2
entryPoints:
- web
- websecure
routes:
- kind: Rule
match: Host(`auth.{{ vapp['metacluster.fqdn'] }}`)
services:
- kind: Service
name: pinniped-supervisor
namespace: pinniped-supervisor
port: 443
scheme: https
serversTransport: pinniped-supervisor
- kind: serverstransport
name: pinniped-supervisor
namespace: pinniped-supervisor
spec: |2
insecureSkipVerify: true
serverName: auth.{{ vapp['metacluster.fqdn'] }}
loop_control:
label: "{{ item.kind ~ '/' ~ item.name ~ ' (' ~ item.namespace ~ ')' }}"
- name: Ensure pinniped API availability
ansible.builtin.uri:
url: https://auth.{{ vapp['metacluster.fqdn'] }}/healthz
method: GET
register: api_readycheck
until:
- api_readycheck.status == 200
- api_readycheck.msg is search("OK")
retries: "{{ playbook.retries }}"
delay: "{{ ((storage_benchmark | float) * playbook.delay.short) | int }}"
# TODO: Migrate to step-ca
- name: Initialize tempfile
ansible.builtin.tempfile:
state: directory
register: certificate
- name: Create private key (RSA, 4096 bits)
community.crypto.openssl_privatekey:
path: "{{ certificate.path }}/certificate.key"
- name: Create self-signed certificate
community.crypto.x509_certificate:
path: "{{ certificate.path }}/certificate.crt"
privatekey_path: "{{ certificate.path }}/certificate.key"
provider: selfsigned
- name: Store self-signed certificate for use by pinniped supervisor
kubernetes.core.k8s:
template: secret.j2
state: present
kubeconfig: "{{ kubeconfig.path }}"
vars:
_template:
name: pinniped-supervisor-tls
namespace: pinniped-supervisor
type: kubernetes.io/tls
data:
- key: tls.crt
value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.crt') | b64encode }}"
- key: tls.key
value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.key') | b64encode }}"
# TODO: Migrate to step-ca
- name: Create pinniped resources
kubernetes.core.k8s:
template: "{{ item.kind }}.j2"
state: present
kubeconfig: "{{ kubeconfig.path }}"
vars:
_template:
name: "{{ item.name }}"
namespace: "{{ item.namespace }}"
type: "{{ item.type | default('') }}"
data: "{{ item.data | default(omit) }}"
spec: "{{ item.spec | default(omit) }}"
loop:
- kind: oidcidentityprovider
name: dex-staticpasswords
namespace: pinniped-supervisor
spec: |2
issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
tls:
certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ _newline ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
authorizationConfig:
additionalScopes: [offline_access, groups, email]
allowPasswordGrant: false
claims:
username: email
groups: groups
client:
secretName: dex-clientcredentials
- kind: secret
name: dex-clientcredentials
namespace: pinniped-supervisor
type: secrets.pinniped.dev/oidc-client
data:
- key: clientID
value: "{{ 'pinniped-supervisor' | b64encode }}"
- key: clientSecret
value: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) | b64encode }}"
- kind: federationdomain
name: metacluster-sso
namespace: pinniped-supervisor
spec: |2
issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
tls:
secretName: pinniped-supervisor-tls
loop_control:
label: "{{ item.kind ~ '/' ~ item.name }}"

29
ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
View File

@@ -1,14 +1,9 @@
- block: - block:
- name: Initialize tempfile - name: Inject password into values file
ansible.builtin.tempfile:
state: file
register: values_file
- name: Write chart values w/ password to tempfile
ansible.builtin.copy: ansible.builtin.copy:
dest: "{{ values_file.path }}" dest: "{{ stepconfig.path }}"
content: "{{ stepca_values.stdout | regex_replace('(ca_password|provisioner_password): ', '\\1: ' ~ (vapp['metacluster.password'] | b64encode)) }}" content: "{{ lookup('ansible.builtin.file', stepconfig.path) | regex_replace('(ca_password|provisioner_password):[ ]?\n', '\\1: ' ~ (vapp['metacluster.password'] | b64encode) ~ '\n') }}"
no_log: true no_log: true
- name: Install step-ca chart - name: Install step-ca chart
@@ -21,13 +16,7 @@
wait: true wait: true
kubeconfig: "{{ kubeconfig.path }}" kubeconfig: "{{ kubeconfig.path }}"
values_files: values_files:
- "{{ values_file.path }}" - "{{ stepconfig.path }}"
- name: Cleanup tempfile
ansible.builtin.file:
path: "{{ values_file.path }}"
state: absent
when: values_file.path is defined
- name: Retrieve configmap w/ root certificate - name: Retrieve configmap w/ root certificate
kubernetes.core.k8s_info: kubernetes.core.k8s_info:
@@ -45,6 +34,7 @@
kubeconfig: "{{ kubeconfig.path }}" kubeconfig: "{{ kubeconfig.path }}"
loop: loop:
- argo-cd - argo-cd
- gitea
# - kube-system # - kube-system
- name: Store root certificate in namespaced configmaps/secrets - name: Store root certificate in namespaced configmaps/secrets
@@ -58,6 +48,7 @@
namespace: "{{ item.namespace }}" namespace: "{{ item.namespace }}"
annotations: "{{ item.annotations | default('{}') | indent(width=4, first=True) }}" annotations: "{{ item.annotations | default('{}') | indent(width=4, first=True) }}"
labels: "{{ item.labels | default('{}') | indent(width=4, first=True) }}" labels: "{{ item.labels | default('{}') | indent(width=4, first=True) }}"
type: "{{ item.type | default('') }}"
data: "{{ item.data }}" data: "{{ item.data }}"
loop: loop:
- name: argocd-tls-certs-cm - name: argocd-tls-certs-cm
@@ -73,6 +64,12 @@
data: data:
- key: git.{{ vapp['metacluster.fqdn'] }} - key: git.{{ vapp['metacluster.fqdn'] }}
value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}" value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
- name: step-certificates-certs
namespace: gitea
kind: secret
data:
- key: ca_chain.crt
value: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ _newline ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
- name: step-certificates-certs - name: step-certificates-certs
namespace: kube-system namespace: kube-system
kind: secret kind: secret
@@ -93,7 +90,7 @@
_template: _template:
name: step-ca name: step-ca
namespace: step-ca namespace: step-ca
config: |2 spec: |2
entryPoints: entryPoints:
- websecure - websecure
routes: routes:

18
ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/git.yml
View File

@@ -32,7 +32,7 @@
_template: _template:
name: gitea-ssh name: gitea-ssh
namespace: gitea namespace: gitea
config: |2 spec: |2
entryPoints: entryPoints:
- ssh - ssh
routes: routes:
@@ -110,8 +110,8 @@
- organization: mc - organization: mc
body: body:
name: GitOps.ClusterAPI name: GitOps.ClusterAPI
# auto_init: true auto_init: true
# default_branch: main default_branch: main
description: ClusterAPI manifests description: ClusterAPI manifests
- organization: mc - organization: mc
body: body:
@@ -122,15 +122,15 @@
- organization: wl - organization: wl
body: body:
name: GitOps.Config name: GitOps.Config
# auto_init: true auto_init: true
# default_branch: main default_branch: main
description: GitOps manifests description: GitOps manifests
- organization: wl - organization: wl
body: body:
name: GitOps.HelmCharts name: ClusterAccess.Store
# auto_init: true auto_init: true
# default_branch: main default_branch: main
description: Helm charts description: Kubeconfig files
loop_control: loop_control:
label: "{{ item.organization ~ '/' ~ item.body.name }}" label: "{{ item.organization ~ '/' ~ item.body.name }}"

2
ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/ingress.yml
View File

@@ -27,7 +27,7 @@
_template: _template:
name: traefik-dashboard name: traefik-dashboard
namespace: kube-system namespace: kube-system
config: |2 spec: |2
entryPoints: entryPoints:
- web - web
- websecure - websecure

23
ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml
View File

@@ -12,6 +12,15 @@
- registry - registry
- storage - storage
- name: Create step-ca config dictionary
ansible.builtin.set_fact:
stepconfig: "{{ { 'path': ansible_env.HOME ~ '/.step/config/values.yaml' } }}"
- name: Create step-ca target folder
ansible.builtin.file:
path: "{{ stepconfig.path | dirname }}"
state: directory
- name: Initialize tempfile - name: Initialize tempfile
ansible.builtin.tempfile: ansible.builtin.tempfile:
state: file state: file
@@ -36,8 +45,8 @@
--address=:9000 \ --address=:9000 \
--provisioner=admin \ --provisioner=admin \
--acme \ --acme \
--password-file={{ stepca_password.path }} --password-file={{ stepca_password.path }} | tee {{ stepconfig.path }}
register: stepca_values creates: "{{ stepconfig.path }}"
- name: Cleanup tempfile - name: Cleanup tempfile
ansible.builtin.file: ansible.builtin.file:
@@ -48,12 +57,20 @@
- name: Store root CA certificate - name: Store root CA certificate
ansible.builtin.copy: ansible.builtin.copy:
dest: /usr/local/share/ca-certificates/root_ca.crt dest: /usr/local/share/ca-certificates/root_ca.crt
content: "{{ (stepca_values.stdout | from_yaml).inject.certificates.root_ca }}" content: "{{ (lookup('ansible.builtin.file', stepconfig.path) | from_yaml).inject.certificates.root_ca }}"
- name: Update certificate truststore - name: Update certificate truststore
ansible.builtin.command: ansible.builtin.command:
cmd: update-ca-certificates cmd: update-ca-certificates
- name: Extract container images (for idempotency purposes)
ansible.builtin.unarchive:
src: /opt/metacluster/container-images/image-tarballs.tgz
dest: /opt/metacluster/container-images
remote_src: no
when:
- lookup('ansible.builtin.fileglob', '/opt/metacluster/container-images/*.tgz') is match('.*image-tarballs.tgz')
- name: Get all stored fully qualified container image names - name: Get all stored fully qualified container image names
ansible.builtin.shell: ansible.builtin.shell:
cmd: >- cmd: >-

23
ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/k3s.yml
View File

@@ -42,19 +42,30 @@
retries: "{{ playbook.retries }}" retries: "{{ playbook.retries }}"
delay: "{{ (storage_benchmark | int) * (playbook.delay.medium | int) }}" delay: "{{ (storage_benchmark | int) * (playbook.delay.medium | int) }}"
- name: Install kubectl tab-completion - name: Install tab-completion
ansible.builtin.shell: ansible.builtin.shell:
cmd: kubectl completion bash | tee /etc/bash_completion.d/kubectl cmd: |-
{{ item }} completion bash > /etc/bash_completion.d/{{ item }}
creates: /etc/bash_completion.d/{{ item }}
loop:
- kubectl
- helm
- step
- name: Initialize tempfile - name: Create kubeconfig dictionary
ansible.builtin.tempfile: ansible.builtin.set_fact:
state: file kubeconfig: "{{ { 'path': ansible_env.HOME ~ '/.kube/config' } }}"
register: kubeconfig
- name: Create kubeconfig target folder
ansible.builtin.file:
path: "{{ kubeconfig.path | dirname }}"
state: directory
- name: Retrieve kubeconfig - name: Retrieve kubeconfig
ansible.builtin.command: ansible.builtin.command:
cmd: kubectl config view --raw cmd: kubectl config view --raw
register: kubectl_config register: kubectl_config
no_log: true
- name: Store kubeconfig in tempfile - name: Store kubeconfig in tempfile
ansible.builtin.copy: ansible.builtin.copy:

4
ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/main.yml
View File

@@ -1,10 +1,12 @@
- import_tasks: init.yml - import_tasks: init.yml
- import_tasks: k3s.yml - import_tasks: k3s.yml
- import_tasks: assets.yml - import_tasks: assets.yml
- import_tasks: kube-vip.yml - import_tasks: virtualip.yml
- import_tasks: metadata.yml
- import_tasks: storage.yml - import_tasks: storage.yml
- import_tasks: ingress.yml - import_tasks: ingress.yml
- import_tasks: certauthority.yml - import_tasks: certauthority.yml
- import_tasks: registry.yml - import_tasks: registry.yml
- import_tasks: git.yml - import_tasks: git.yml
- import_tasks: gitops.yml - import_tasks: gitops.yml
- import_tasks: authentication.yml

57
ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/metadata.yml Normal file
View File

@@ -0,0 +1,57 @@
- block:
- name: Aggregate manifest-component versions into dictionary
ansible.builtin.set_fact:
manifest_versions: "{{ manifest_versions | default([]) + [ item | combine( {'type': 'manifest', 'id': index } ) ] }}"
loop:
- name: cluster-api
versions:
management:
base: "{{ components.clusterapi.management.version.base }}"
cert_manager: "{{ components.clusterapi.management.version.cert_manager }}"
infrastructure_vsphere: "{{ components.clusterapi.management.version.infrastructure_vsphere }}"
ipam_incluster: "{{ components.clusterapi.management.version.ipam_incluster }}"
cpi_vsphere: "{{ components.clusterapi.management.version.cpi_vsphere }}"
workload:
calico: "{{ components.clusterapi.workload.version.calico }}"
k8s: "{{ components.clusterapi.workload.version.k8s }}"
- name: kube-vip
version: "{{ components.kubevip.version }}"
loop_control:
label: "{{ item.name }}"
index_var: index
- name: Install json-server chart
kubernetes.core.helm:
name: json-server
chart_ref: /opt/metacluster/helm-charts/json-server
release_namespace: json-server
create_namespace: true
wait: false
kubeconfig: "{{ kubeconfig.path }}"
values: |
{{
components['json-server'].chart_values |
combine(
{ 'jsonServer': { 'seedData': { 'configInline': (
{ 'appliance': { "version": appliance.version }, 'components': manifest_versions, 'healthz': { 'status': 'running' } }
) | to_json } } }
)
}}
- name: Ensure json-server API availability
ansible.builtin.uri:
url: https://version.{{ vapp['metacluster.fqdn'] }}/healthz
method: GET
# This mock REST API -ironically- does not support json encoded body argument
body_format: raw
register: api_readycheck
until:
- api_readycheck.json.status is defined
- api_readycheck.json.status == 'running'
retries: "{{ playbook.retries }}"
delay: "{{ (storage_benchmark | int) * (playbook.delay.long | int) }}"
module_defaults:
ansible.builtin.uri:
validate_certs: no
status_code: [200, 201]

0
ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/kube-vip.yml → ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/virtualip.yml
View File

40
ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/authentication.yml Normal file
View File

@@ -0,0 +1,40 @@
- name: Initialize tempfolder
ansible.builtin.tempfile:
state: directory
register: pinniped_kubeconfig
- name: Pull existing repository
ansible.builtin.git:
repo: https://git.{{ vapp['metacluster.fqdn'] }}/wl/ClusterAccess.Store.git
dest: "{{ pinniped_kubeconfig.path }}"
version: main
- name: Generate kubeconfig
ansible.builtin.shell:
cmd: pinniped get kubeconfig --kubeconfig {{ capi_kubeconfig.path }}
register: pinniped_config
until:
- pinniped_config is not failed
retries: "{{ playbook.retries }}"
delay: "{{ ((storage_benchmark | float) * playbook.delay.short) | int }}"
- name: Store kubeconfig in tempfile
ansible.builtin.copy:
dest: "{{ pinniped_kubeconfig.path }}/kubeconfig"
content: "{{ pinniped_config.stdout }}"
mode: 0600
no_log: true
- name: Push git repository
lvrfrc87.git_acp.git_acp:
path: "{{ pinniped_kubeconfig.path }}"
branch: main
comment: "Upload kubeconfig files"
add:
- .
url: https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/wl/ClusterAccess.Store.git
environment:
GIT_AUTHOR_NAME: administrator
GIT_AUTHOR_EMAIL: administrator@{{ vapp['metacluster.fqdn'] }}
GIT_COMMITTER_NAME: administrator
GIT_COMMITTER_EMAIL: administrator@{{ vapp['metacluster.fqdn'] }}

100
ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/clusterapi.yml
View File

@@ -85,6 +85,40 @@
--kubeconfig {{ kubeconfig.path }} --kubeconfig {{ kubeconfig.path }}
chdir: /opt/metacluster/cluster-api chdir: /opt/metacluster/cluster-api
- name: Initialize tempfolder
ansible.builtin.tempfile:
state: directory
register: capi_clustermanifest
- name: Pull existing repository
ansible.builtin.git:
repo: https://git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git
dest: "{{ capi_clustermanifest.path }}"
version: main
- name: Generate Cluster API provider manifests
ansible.builtin.shell:
cmd: >-
clusterctl generate provider \
-v5 \
--{{ item.type }} {{ item.name }}:{{ item.version }} \
--config ./clusterctl.yaml > {{ capi_clustermanifest.path }}/provider-{{ item.name }}.yaml
chdir: /opt/metacluster/cluster-api
loop:
- type: infrastructure
name: vsphere
version: "{{ components.clusterapi.management.version.infrastructure_vsphere }}"
- type: ipam
name: in-cluster
version: "{{ components.clusterapi.management.version.ipam_incluster }}"
- name: Split cluster API provider manifests into separate files
ansible.builtin.shell:
cmd: >-
awk 'BEGINFILE {print "---"}{print}' {{ capi_clustermanifest.path }}/provider-*.yaml |
kubectl slice \
-o {{ capi_clustermanifest.path }}/providers
- name: Ensure controller availability - name: Ensure controller availability
kubernetes.core.k8s_info: kubernetes.core.k8s_info:
kind: Deployment kind: Deployment
@@ -124,22 +158,17 @@
chdir: /opt/metacluster/cluster-api chdir: /opt/metacluster/cluster-api
register: clusterctl_newcluster register: clusterctl_newcluster
- name: Initialize tempfolder
ansible.builtin.tempfile:
state: directory
register: capi_clustermanifest
- name: Save workload cluster manifest - name: Save workload cluster manifest
ansible.builtin.copy: ansible.builtin.copy:
dest: "{{ capi_clustermanifest.path }}/new-cluster.yaml" dest: "{{ capi_clustermanifest.path }}/new-cluster.yaml"
content: "{{ clusterctl_newcluster.stdout }}" content: "{{ clusterctl_newcluster.stdout }}"
- name: Split manifest into separate files - name: Split workload cluster manifest into separate files
ansible.builtin.shell: ansible.builtin.shell:
cmd: >- cmd: >-
kubectl slice \ kubectl slice \
-f {{ capi_clustermanifest.path }}/new-cluster.yaml \ -f {{ capi_clustermanifest.path }}/new-cluster.yaml \
-o {{ capi_clustermanifest.path }}/manifests -o {{ capi_clustermanifest.path }}/downstream-cluster
- name: Generate nodepool kustomization manifest - name: Generate nodepool kustomization manifest
ansible.builtin.template: ansible.builtin.template:
@@ -155,13 +184,20 @@
- name: Store nodepool manifest - name: Store nodepool manifest
ansible.builtin.copy: ansible.builtin.copy:
dest: "{{ capi_clustermanifest.path }}/manifests/nodepool-worker-storage.yaml" dest: "{{ capi_clustermanifest.path }}/nodepool-worker-storage.yaml"
content: "{{ lookup('kubernetes.core.kustomize', dir=capi_clustermanifest.path) }}" content: "{{ lookup('kubernetes.core.kustomize', dir=capi_clustermanifest.path) }}"
- name: Split nodepool manifest into separate files
ansible.builtin.shell:
cmd: >-
kubectl slice \
-f {{ capi_clustermanifest.path }}/nodepool-worker-storage.yaml \
-o {{ capi_clustermanifest.path }}/downstream-cluster
- name: Create in-cluster IpPool - name: Create in-cluster IpPool
ansible.builtin.template: ansible.builtin.template:
src: ippool.j2 src: ippool.j2
dest: "{{ capi_clustermanifest.path }}/manifests/inclusterippool-{{ _template.cluster.name }}.yml" dest: "{{ capi_clustermanifest.path }}/downstream-cluster/inclusterippool-{{ _template.cluster.name }}.yml"
vars: vars:
_template: _template:
cluster: cluster:
@@ -173,24 +209,27 @@
prefix: "{{ vapp['guestinfo.prefixlength'] }}" prefix: "{{ vapp['guestinfo.prefixlength'] }}"
gateway: "{{ vapp['guestinfo.gateway'] }}" gateway: "{{ vapp['guestinfo.gateway'] }}"
- name: Initialize/Push git repository - name: Push git repository
ansible.builtin.shell: lvrfrc87.git_acp.git_acp:
cmd: |
git init
git config --global user.email "administrator@{{ vapp['metacluster.fqdn'] }}"
git config --global user.name "administrator"
git checkout -b main
git add ./manifests
git commit -m "Upload manifests"
git remote add origin https://git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git
git push https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git --all
chdir: "{{ capi_clustermanifest.path }}"
- name: Cleanup tempfolder
ansible.builtin.file:
path: "{{ capi_clustermanifest.path }}" path: "{{ capi_clustermanifest.path }}"
state: absent branch: main
when: capi_clustermanifest.path is defined comment: "Upload manifests"
add:
- ./downstream-cluster
- ./providers
clean: untracked
url: https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git
environment:
GIT_AUTHOR_NAME: administrator
GIT_AUTHOR_EMAIL: administrator@{{ vapp['metacluster.fqdn'] }}
GIT_COMMITTER_NAME: administrator
GIT_COMMITTER_EMAIL: administrator@{{ vapp['metacluster.fqdn'] }}
# - name: Cleanup tempfolder
# ansible.builtin.file:
# path: "{{ capi_clustermanifest.path }}"
# state: absent
# when: capi_clustermanifest.path is defined
- name: Configure Cluster API repository - name: Configure Cluster API repository
ansible.builtin.template: ansible.builtin.template:
@@ -235,7 +274,7 @@
namespace: default namespace: default
repository: repository:
url: https://git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git url: https://git.{{ vapp['metacluster.fqdn'] }}/mc/GitOps.ClusterAPI.git
path: manifests path: downstream-cluster
revision: main revision: main
notify: notify:
- Apply manifests - Apply manifests
@@ -277,7 +316,12 @@
# TODO: move to git repo # TODO: move to git repo
- name: Apply cni plugin manifest - name: Apply cni plugin manifest
kubernetes.core.k8s: kubernetes.core.k8s:
src: /opt/metacluster/cluster-api/cni-calico/{{ components.clusterapi.workload.version.calico }}/calico.yaml definition: |
{{
lookup('ansible.builtin.file', '/opt/metacluster/cluster-api/cni-calico/' ~ components.clusterapi.workload.version.calico ~ '/calico.yaml') |
regex_replace('# - name: CALICO_IPV4POOL_CIDR', '- name: CALICO_IPV4POOL_CIDR') |
regex_replace('# value: "192.168.0.0/16"', ' value: "172.30.0.0/16"')
}}
state: present state: present
wait: true wait: true
kubeconfig: "{{ capi_kubeconfig.path }}" kubeconfig: "{{ capi_kubeconfig.path }}"

51
ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/gitops.yml
View File

@@ -5,6 +5,20 @@
recurse: false recurse: false
register: helm_charts register: helm_charts
- name: Pull existing repository
ansible.builtin.git:
repo: https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
dest: /opt/workloadcluster/git-repositories/gitops
version: main
- name: Create folder structure within new git-repository
ansible.builtin.file:
path: "{{ item }}"
state: directory
loop:
- /opt/workloadcluster/git-repositories/gitops/charts
- /opt/workloadcluster/git-repositories/gitops/values
- name: Create hard-links to populate new git-repository - name: Create hard-links to populate new git-repository
ansible.builtin.shell: ansible.builtin.shell:
cmd: >- cmd: >-
@@ -13,6 +27,18 @@
loop_control: loop_control:
label: "{{ item.path | basename }}" label: "{{ item.path | basename }}"
- name: Write custom manifests to respective chart templates store
ansible.builtin.template:
src: "{{ src }}"
dest: /opt/workloadcluster/git-repositories/gitops/charts/{{ manifest.value.namespace }}/{{ manifest.key }}/templates/{{ (src | split('.'))[0] ~ '-' ~ _template.name ~ '.yaml' }}
vars:
manifest: "{{ item.0 }}"
src: "{{ item.1.src }}"
_template: "{{ item.1._template }}"
loop: "{{ query('ansible.builtin.subelements', query('ansible.builtin.dict', downstream_components), 'value.extra_manifests') }}"
loop_control:
label: "{{ (src | split('.'))[0] ~ '-' ~ _template.name }}"
- name: Create subfolders - name: Create subfolders
ansible.builtin.file: ansible.builtin.file:
path: /opt/workloadcluster/git-repositories/gitops/values/{{ item.key }} path: /opt/workloadcluster/git-repositories/gitops/values/{{ item.key }}
@@ -29,18 +55,19 @@
loop_control: loop_control:
label: "{{ item.key }}" label: "{{ item.key }}"
- name: Initialize/Push git repository - name: Push git repository
ansible.builtin.shell: lvrfrc87.git_acp.git_acp:
cmd: | path: /opt/workloadcluster/git-repositories/gitops
git init branch: main
git config --global user.email "administrator@{{ vapp['metacluster.fqdn'] }}" comment: "Upload charts"
git config --global user.name "administrator" add:
git checkout -b main - .
git add . url: https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git
git commit -m "Upload charts" environment:
git remote add origin https://git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git GIT_AUTHOR_NAME: administrator
git push https://administrator:{{ vapp['metacluster.password'] | urlencode }}@git.{{ vapp['metacluster.fqdn'] }}/wl/GitOps.Config.git --all GIT_AUTHOR_EMAIL: administrator@{{ vapp['metacluster.fqdn'] }}
chdir: /opt/workloadcluster/git-repositories/gitops GIT_COMMITTER_NAME: administrator
GIT_COMMITTER_EMAIL: administrator@{{ vapp['metacluster.fqdn'] }}
- name: Retrieve workload-cluster kubeconfig - name: Retrieve workload-cluster kubeconfig
kubernetes.core.k8s_info: kubernetes.core.k8s_info:

1
ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/workloadcluster/tasks/main.yml
View File

@@ -6,6 +6,7 @@
- import_tasks: clusterapi.yml - import_tasks: clusterapi.yml
- import_tasks: gitops.yml - import_tasks: gitops.yml
- import_tasks: authentication.yml
when: when:
- vapp['deployment.type'] != 'core' - vapp['deployment.type'] != 'core'

7
ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/federationdomain.j2 Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: config.supervisor.pinniped.dev/v1alpha1
kind: FederationDomain
metadata:
name: {{ _template.name }}
namespace: {{ _template.namespace }}
spec:
{{ _template.spec }}

2
ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/ingressroute.j2
View File

@@ -4,4 +4,4 @@ metadata:
name: {{ _template.name }} name: {{ _template.name }}
namespace: {{ _template.namespace }} namespace: {{ _template.namespace }}
spec: spec:
{{ _template.config }} {{ _template.spec }}

2
ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/ingressroutetcp.j2
View File

@@ -4,4 +4,4 @@ metadata:
name: {{ _template.name }} name: {{ _template.name }}
namespace: {{ _template.namespace }} namespace: {{ _template.namespace }}
spec: spec:
{{ _template.config }} {{ _template.spec }}

6
ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/ippool.j2
View File

@@ -1,10 +1,10 @@
apiVersion: ipam.cluster.x-k8s.io/v1alpha1 apiVersion: ipam.cluster.x-k8s.io/v1alpha2
kind: InClusterIPPool kind: InClusterIPPool
metadata: metadata:
name: inclusterippool-{{ _template.cluster.name }} name: inclusterippool-{{ _template.cluster.name }}
namespace: {{ _template.cluster.namespace }} namespace: {{ _template.cluster.namespace }}
spec: spec:
start: {{ _template.cluster.network.startip }} addresses:
end: {{ _template.cluster.network.endip }} - {{ _template.cluster.network.startip }}-{{ _template.cluster.network.endip }}
prefix: {{ _template.cluster.network.prefix }} prefix: {{ _template.cluster.network.prefix }}
gateway: {{ _template.cluster.network.gateway }} gateway: {{ _template.cluster.network.gateway }}

6
ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/jwtauthenticator.j2 Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
kind: JWTAuthenticator
metadata:
name: {{ _template.name }}
spec:
{{ _template.spec }}

40
ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/kustomization.cluster-template.j2
View File

@@ -3,8 +3,8 @@ kind: Kustomization
resources: resources:
- cluster-template.yaml - cluster-template.yaml
patchesStrategicMerge: patches:
- |- - patch: |-
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
@@ -32,7 +32,7 @@ patchesStrategicMerge:
[Network] [Network]
public-network = "${VSPHERE_NETWORK}" public-network = "${VSPHERE_NETWORK}"
type: Opaque type: Opaque
- |- - patch: |-
apiVersion: controlplane.cluster.x-k8s.io/v1beta1 apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane kind: KubeadmControlPlane
metadata: metadata:
@@ -42,7 +42,7 @@ patchesStrategicMerge:
kubeadmConfigSpec: kubeadmConfigSpec:
clusterConfiguration: clusterConfiguration:
imageRepository: registry.{{ _template.network.fqdn }}/kubeadm imageRepository: registry.{{ _template.network.fqdn }}/kubeadm
- |- - patch: |-
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate kind: KubeadmConfigTemplate
metadata: metadata:
@@ -53,7 +53,7 @@ patchesStrategicMerge:
spec: spec:
clusterConfiguration: clusterConfiguration:
imageRepository: registry.{{ _template.network.fqdn }}/kubeadm imageRepository: registry.{{ _template.network.fqdn }}/kubeadm
- |- - patch: |-
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate kind: KubeadmConfigTemplate
metadata: metadata:
@@ -86,7 +86,7 @@ patchesStrategicMerge:
{{ _template.rootca | indent(width=14, first=False) | trim }} {{ _template.rootca | indent(width=14, first=False) | trim }}
owner: root:root owner: root:root
path: /usr/local/share/ca-certificates/root_ca.crt path: /usr/local/share/ca-certificates/root_ca.crt
- |- - patch: |-
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: VSphereMachineTemplate kind: VSphereMachineTemplate
metadata: metadata:
@@ -105,7 +105,7 @@ patchesStrategicMerge:
nameservers: nameservers:
- {{ _template.network.dnsserver }} - {{ _template.network.dnsserver }}
networkName: '${VSPHERE_NETWORK}' networkName: '${VSPHERE_NETWORK}'
- |- - patch: |-
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: VSphereMachineTemplate kind: VSphereMachineTemplate
metadata: metadata:
@@ -125,8 +125,7 @@ patchesStrategicMerge:
- {{ _template.network.dnsserver }} - {{ _template.network.dnsserver }}
networkName: '${VSPHERE_NETWORK}' networkName: '${VSPHERE_NETWORK}'
patchesJson6902: - target:
- target:
group: controlplane.cluster.x-k8s.io group: controlplane.cluster.x-k8s.io
version: v1beta1 version: v1beta1
kind: KubeadmControlPlane kind: KubeadmControlPlane
@@ -164,10 +163,10 @@ patchesJson6902:
path: /spec/kubeadmConfigSpec/files/- path: /spec/kubeadmConfigSpec/files/-
value: value:
content: | content: |
{{ _template.rootca | indent(width=12, first=False) | trim }} {{ _template.rootca | indent(width=10, first=False) | trim }}
owner: root:root owner: root:root
path: /usr/local/share/ca-certificates/root_ca.crt path: /usr/local/share/ca-certificates/root_ca.crt
- target: - target:
group: bootstrap.cluster.x-k8s.io group: bootstrap.cluster.x-k8s.io
version: v1beta1 version: v1beta1
kind: KubeadmConfigTemplate kind: KubeadmConfigTemplate
@@ -178,7 +177,7 @@ patchesJson6902:
path: /spec/template/spec/preKubeadmCommands/- path: /spec/template/spec/preKubeadmCommands/-
value: {{ cmd }} value: {{ cmd }}
{% endfor %} {% endfor %}
- target: - target:
group: controlplane.cluster.x-k8s.io group: controlplane.cluster.x-k8s.io
version: v1beta1 version: v1beta1
kind: KubeadmControlPlane kind: KubeadmControlPlane
@@ -190,7 +189,7 @@ patchesJson6902:
value: {{ cmd }} value: {{ cmd }}
{% endfor %} {% endfor %}
- target: - target:
group: infrastructure.cluster.x-k8s.io group: infrastructure.cluster.x-k8s.io
version: v1beta1 version: v1beta1
kind: VSphereMachineTemplate kind: VSphereMachineTemplate
@@ -199,7 +198,7 @@ patchesJson6902:
- op: replace - op: replace
path: /metadata/name path: /metadata/name
value: ${CLUSTER_NAME}-master value: ${CLUSTER_NAME}-master
- target: - target:
group: controlplane.cluster.x-k8s.io group: controlplane.cluster.x-k8s.io
version: v1beta1 version: v1beta1
kind: KubeadmControlPlane kind: KubeadmControlPlane
@@ -211,17 +210,22 @@ patchesJson6902:
- op: replace - op: replace
path: /spec/machineTemplate/infrastructureRef/name path: /spec/machineTemplate/infrastructureRef/name
value: ${CLUSTER_NAME}-master value: ${CLUSTER_NAME}-master
- target: - target:
group: cluster.x-k8s.io group: cluster.x-k8s.io
version: v1beta1 version: v1beta1
kind: Cluster kind: Cluster
name: \${CLUSTER_NAME} name: \${CLUSTER_NAME}
patch: |- patch: |-
- op: replace
path: /spec/clusterNetwork/pods
value:
cidrBlocks:
- 172.30.0.0/16
- op: replace - op: replace
path: /spec/controlPlaneRef/name path: /spec/controlPlaneRef/name
value: ${CLUSTER_NAME}-master value: ${CLUSTER_NAME}-master
- target: - target:
group: infrastructure.cluster.x-k8s.io group: infrastructure.cluster.x-k8s.io
version: v1beta1 version: v1beta1
kind: VSphereMachineTemplate kind: VSphereMachineTemplate
@@ -233,7 +237,7 @@ patchesJson6902:
- op: replace - op: replace
path: /spec/template/spec/memoryMiB path: /spec/template/spec/memoryMiB
value: {{ _template.nodesize.memory }} value: {{ _template.nodesize.memory }}
- target: - target:
group: cluster.x-k8s.io group: cluster.x-k8s.io
version: v1beta1 version: v1beta1
kind: MachineDeployment kind: MachineDeployment
@@ -245,7 +249,7 @@ patchesJson6902:
- op: replace - op: replace
path: /spec/template/spec/bootstrap/configRef/name path: /spec/template/spec/bootstrap/configRef/name
value: ${CLUSTER_NAME}-worker value: ${CLUSTER_NAME}-worker
- target: - target:
group: bootstrap.cluster.x-k8s.io group: bootstrap.cluster.x-k8s.io
version: v1beta1 version: v1beta1
kind: KubeadmConfigTemplate kind: KubeadmConfigTemplate

19
ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/kustomization.nodepool.j2
View File

@@ -1,12 +1,12 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- manifests/kubeadmconfigtemplate-{{ _template.cluster.name }}-worker.yaml - downstream-cluster/kubeadmconfigtemplate-{{ _template.cluster.name }}-worker.yaml
- manifests/machinedeployment-{{ _template.cluster.name }}-worker.yaml - downstream-cluster/machinedeployment-{{ _template.cluster.name }}-worker.yaml
- manifests/vspheremachinetemplate-{{ _template.cluster.name }}-worker.yaml - downstream-cluster/vspheremachinetemplate-{{ _template.cluster.name }}-worker.yaml
patchesStrategicMerge: patches:
- |- - patch: |-
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate kind: KubeadmConfigTemplate
metadata: metadata:
@@ -31,7 +31,7 @@ patchesStrategicMerge:
mounts: mounts:
- - LABEL=blockstorage - - LABEL=blockstorage
- /mnt/blockstorage - /mnt/blockstorage
- |- - patch: |-
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: VSphereMachineTemplate kind: VSphereMachineTemplate
metadata: metadata:
@@ -43,8 +43,7 @@ patchesStrategicMerge:
additionalDisksGiB: additionalDisksGiB:
- {{ _template.nodepool.additionaldisk }} - {{ _template.nodepool.additionaldisk }}
patchesJson6902: - target:
- target:
group: bootstrap.cluster.x-k8s.io group: bootstrap.cluster.x-k8s.io
version: v1beta1 version: v1beta1
kind: KubeadmConfigTemplate kind: KubeadmConfigTemplate
@@ -54,7 +53,7 @@ patchesJson6902:
path: /metadata/name path: /metadata/name
value: {{ _template.cluster.name }}-worker-storage value: {{ _template.cluster.name }}-worker-storage
- target: - target:
group: cluster.x-k8s.io group: cluster.x-k8s.io
version: v1beta1 version: v1beta1
kind: MachineDeployment kind: MachineDeployment
@@ -73,7 +72,7 @@ patchesJson6902:
path: /spec/replicas path: /spec/replicas
value: {{ _template.nodepool.size }} value: {{ _template.nodepool.size }}
- target: - target:
group: infrastructure.cluster.x-k8s.io group: infrastructure.cluster.x-k8s.io
version: v1beta1 version: v1beta1
kind: VSphereMachineTemplate kind: VSphereMachineTemplate

7
ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/oidcidentityprovider.j2 Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
name: {{ _template.name }}
namespace: {{ _template.namespace }}
spec:
{{ _template.spec }}

1
ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/secret.j2
View File

@@ -3,6 +3,7 @@ kind: Secret
metadata: metadata:
name: {{ _template.name }} name: {{ _template.name }}
namespace: {{ _template.namespace }} namespace: {{ _template.namespace }}
type: {{ _template.type }}
data: data:
{% for kv_pair in _template.data %} {% for kv_pair in _template.data %}
"{{ kv_pair.key }}": {{ kv_pair.value }} "{{ kv_pair.key }}": {{ kv_pair.value }}

7
ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/serverstransport.j2 Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
name: {{ _template.name }}
namespace: {{ _template.namespace }}
spec:
{{ _template.spec }}

6
ansible/roles/firstboot/files/ansible_payload/common/roles/cleanup/tasks/main.yml
View File

@@ -1,12 +1,6 @@
- import_tasks: service.yml - import_tasks: service.yml
- import_tasks: cron.yml - import_tasks: cron.yml
- name: Cleanup tempfile
ansible.builtin.file:
path: "{{ kubeconfig.path }}"
state: absent
when: kubeconfig.path is defined
# - name: Reboot host # - name: Reboot host
# ansible.builtin.shell: # ansible.builtin.shell:
# cmd: systemctl reboot # cmd: systemctl reboot

4
ansible/roles/os/templates/ansible.j2
View File

@@ -1,2 +1,6 @@
[defaults] [defaults]
callbacks_enabled = ansible.posix.profile_tasks callbacks_enabled = ansible.posix.profile_tasks
force_color = true
[callback_profile_tasks]
task_output_limit = 5

223
ansible/vars/metacluster.yml
View File

@@ -1,7 +1,7 @@
platform: platform:
k3s: k3s:
version: v1.25.9+k3s1 version: v1.27.1+k3s1
packaged_components: packaged_components:
- name: traefik - name: traefik
@@ -33,12 +33,10 @@ platform:
helm_repositories: helm_repositories:
- name: argo - name: argo
url: https://argoproj.github.io/argo-helm url: https://argoproj.github.io/argo-helm
- name: authentik - name: bitnami
url: https://charts.goauthentik.io url: https://charts.bitnami.com/bitnami
# - name: codecentric - name: dexidp
# url: https://codecentric.github.io/helm-charts url: https://charts.dexidp.io
# - name: dex
# url: https://charts.dexidp.io
- name: gitea-charts - name: gitea-charts
url: https://dl.gitea.io/charts/ url: https://dl.gitea.io/charts/
- name: harbor - name: harbor
@@ -51,6 +49,8 @@ platform:
url: https://prometheus-community.github.io/helm-charts url: https://prometheus-community.github.io/helm-charts
- name: smallstep - name: smallstep
url: https://smallstep.github.io/helm-charts/ url: https://smallstep.github.io/helm-charts/
- name: spamasaurus
url: https://code.spamasaurus.com/api/packages/djpbessems/helm
components: components:
@@ -71,35 +71,9 @@ components:
hosts: hosts:
- gitops.{{ vapp['metacluster.fqdn'] }} - gitops.{{ vapp['metacluster.fqdn'] }}
authentik:
helm:
version: 2023.3.1
chart: authentik/authentik
parse_logic: helm template . --set postgresql.enabled=true,redis.enabled=true | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
chart_values: !unsafe |
authentik:
avatars: none
secret_key: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
postgresql:
password: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
env:
AUTHENTIK_BOOTSTRAP_PASSWORD: "{{ vapp['metacluster.password'] }}"
ingress:
enabled: true
hosts:
- host: auth.{{ vapp['metacluster.fqdn'] }}
paths:
- path: "/"
pathType: Prefix
postgresql:
enabled: true
postgresqlPassword: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
redis:
enabled: true
cert-manager: cert-manager:
helm: helm:
version: 1.11.0 version: 1.13.1
chart: jetstack/cert-manager chart: jetstack/cert-manager
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
# chart_values: !unsafe | # chart_values: !unsafe |
@@ -109,67 +83,51 @@ components:
management: management:
version: version:
# Must match the version referenced at `dependencies.static_binaries[.filename==clusterctl].url` # Must match the version referenced at `dependencies.static_binaries[.filename==clusterctl].url`
base: v1.4.0 base: v1.5.1
# Must match the version referenced at `components.cert-manager.helm.version` # Must match the version referenced at `components.cert-manager.helm.version`
cert_manager: v1.11.0 cert_manager: v1.13.1
infrastructure_vsphere: v1.6.0 infrastructure_vsphere: v1.8.1
ipam_incluster: v0.1.0-alpha.2 ipam_incluster: v0.1.0-alpha.3
# Refer to `https://console.cloud.google.com/gcr/images/cloud-provider-vsphere/GLOBAL/cpi/release/manager` for available tags # Refer to `https://console.cloud.google.com/gcr/images/cloud-provider-vsphere/GLOBAL/cpi/release/manager` for available tags
cpi_vsphere: v1.25.2 cpi_vsphere: v1.27.0
workload: workload:
version: version:
calico: v3.25.0 calico: v3.26.2
k8s: v1.25.9 k8s: v1.27.1
node_template: node_template:
url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2204-kube-v1.25.9.ova url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2204-kube-v1.27.1.ova
# dex: dex:
# helm: helm:
# version: 0.13.0 # (= Dex 2.35.3) version: 0.15.3 # (= Dex 2.37.0)
# chart: dex/dex chart: dexidp/dex
# parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
# chart_values: !unsafe | chart_values: !unsafe |
# config: config:
# connectors: issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
# - type: ldap storage:
# id: ldap type: kubernetes
# name: "LDAP" config:
# config: inCluster: true
# host: "{{ vapp['ldap.fqdn'] }}:636" staticClients:
# insecureNoSSL: false - id: pinniped-supervisor
# insecureSkipVerify: true secret: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) }}"
# bindDN: "{{ vapp['ldap.dn'] }}" name: Pinniped Supervisor client
# bindPW: "{{ vapp['ldap.password'] }}" redirectURIs:
- https://auth.{{ vapp['metacluster.fqdn'] }}/sso/callback
# usernamePrompt: "Username" enablePasswordDB: true
# userSearch: staticPasswords:
# baseDN: OU=Administrators,OU=Useraccounts,DC=bessems,DC=eu - email: user@{{ vapp['metacluster.fqdn'] }}
# filter: "(objectClass=person)" hash: "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}"
# username: userPrincipalName username: user
# idAttr: DN userID: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) | to_uuid }}"
# emailAttr: userPrincipalName ingress:
# nameAttr: cn enabled: true
hosts:
# groupSearch: - host: idps.{{ vapp['metacluster.fqdn'] }}
# baseDN: OU=Roles,OU=Groups,DC=bessems,DC=eu paths:
# filter: "(objectClass=group)" - path: /
# userMatchers: pathType: Prefix
# - userAttr: DN
# groupAttr: member
# nameAttr: cn
# enablePasswordDB: true
# issuer: https://oidc.{{ vapp['metacluster.fqdn'] }}
# storage:
# type: kubernetes
# config:
# inCluster: true
# ingress:
# enabled: true
# hosts:
# - host: oidc.{{ vapp['metacluster.fqdn'] }}
# paths:
# - path: /
# pathType: Prefix
gitea: gitea:
helm: helm:
@@ -177,6 +135,16 @@ components:
chart: gitea-charts/gitea chart: gitea-charts/gitea
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | sed '/:/!s/$/:latest/' parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | sed '/:/!s/$/:latest/'
chart_values: !unsafe | chart_values: !unsafe |
extraVolumes:
- secret:
defaultMode: 420
secretName: step-certificates-certs
name: step-certificates-certs
extraVolumeMounts:
- mountPath: /etc/ssl/certs/ca-chain.crt
name: step-certificates-certs
readOnly: true
subPath: ca_chain.crt
gitea: gitea:
admin: admin:
username: administrator username: administrator
@@ -225,37 +193,24 @@ components:
registry: registry:
size: 25Gi size: 25Gi
# keycloakx: json-server:
# helm: helm:
# version: 2.1.1 # (= Keycloak 20.0.3) version: v0.8.3
# chart: codecentric/keycloakx chart: spamasaurus/json-server
# parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
# chart_values: !unsafe | chart_values: !unsafe |
# command: ingress:
# - "/opt/keycloak/bin/kc.sh" enabled: true
# - "start" hosts:
# - "--http-enabled=true" - host: version.{{ vapp['metacluster.fqdn'] }}
# - "--http-port=8080" paths:
# - "--hostname-strict=false" - path: /
# - "--hostname-strict-https=false" pathType: Prefix
# extraEnv: | jsonServer:
# - name: KEYCLOAK_ADMIN seedData:
# value: admin configInline: {}
# - name: KEYCLOAK_ADMIN_PASSWORD sidecar:
# value: {{ vapp['metacluster.password'] }} targetUrl: version.{{ vapp['metacluster.fqdn'] }}
# - name: KC_PROXY
# value: "passthrough"
# - name: JAVA_OPTS_APPEND
# value: >-
# -Djgroups.dns.query={% raw %}{{ include "keycloak.fullname" . }}{% endraw %}-headless
# ingress:
# enabled: true
# rules:
# - host: keycloak.{{ vapp['metacluster.fqdn'] }}
# paths:
# - path: /
# pathType: Prefix
# tls: []
kube-prometheus-stack: kube-prometheus-stack:
helm: helm:
@@ -288,6 +243,27 @@ components:
persistence: persistence:
defaultClassReplicaCount: 1 defaultClassReplicaCount: 1
pinniped:
helm:
version: 1.3.10 # (= Pinniped v0.27.0)
chart: bitnami/pinniped
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
chart_values: !unsafe |
concierge:
enabled: false
supervisor:
service:
public:
type: ClusterIP
local-user-authenticator:
# Must match the appVersion (!=chart version) referenced at `components.pinniped.helm.version`
version: v0.27.0
users:
- username: metauser
password: !unsafe "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}"
- username: metaguest
password: !unsafe "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}"
step-certificates: step-certificates:
helm: helm:
version: 1.23.0 version: 1.23.0
@@ -316,6 +292,7 @@ dependencies:
- community.general - community.general
- community.vmware - community.vmware
- kubernetes.core - kubernetes.core
- lvrfrc87.git_acp
container_images: container_images:
# This should match the image tag referenced at `platform.packaged_components[.name==traefik].config` # This should match the image tag referenced at `platform.packaged_components[.name==traefik].config`
@@ -324,7 +301,7 @@ dependencies:
# The following list is generated by running the following commands: # The following list is generated by running the following commands:
# $ clusterctl init -i vsphere:<version> [...] # $ clusterctl init -i vsphere:<version> [...]
# $ clusterctl generate cluster <name> [...] | yq eval '.data.data' | yq --no-doc eval '.. | .image? | select(.)' | sort -u # $ clusterctl generate cluster <name> [...] | yq eval '.data.data' | yq --no-doc eval '.. | .image? | select(.)' | sort -u
- gcr.io/cloud-provider-vsphere/cpi/release/manager:v1.18.1 - gcr.io/cloud-provider-vsphere/cpi/release/manager:v1.27.0
- gcr.io/cloud-provider-vsphere/csi/release/driver:v2.1.0 - gcr.io/cloud-provider-vsphere/csi/release/driver:v2.1.0
- gcr.io/cloud-provider-vsphere/csi/release/syncer:v2.1.0 - gcr.io/cloud-provider-vsphere/csi/release/syncer:v2.1.0
- quay.io/k8scsi/csi-attacher:v3.0.0 - quay.io/k8scsi/csi-attacher:v3.0.0
@@ -334,7 +311,7 @@ dependencies:
static_binaries: static_binaries:
- filename: clusterctl - filename: clusterctl
url: https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.4.0/clusterctl-linux-amd64 url: https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.5.1/clusterctl-linux-amd64
- filename: govc - filename: govc
url: https://github.com/vmware/govmomi/releases/download/v0.29.0/govc_Linux_x86_64.tar.gz url: https://github.com/vmware/govmomi/releases/download/v0.29.0/govc_Linux_x86_64.tar.gz
archive: compressed archive: compressed
@@ -345,6 +322,8 @@ dependencies:
- filename: kubectl-slice - filename: kubectl-slice
url: https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.5/kubectl-slice_linux_x86_64.tar.gz url: https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.5/kubectl-slice_linux_x86_64.tar.gz
archive: compressed archive: compressed
- filename: pinniped
url: https://github.com/vmware-tanzu/pinniped/releases/download/v0.25.0/pinniped-cli-linux-amd64
- filename: skopeo - filename: skopeo
url: https://code.spamasaurus.com/api/packages/djpbessems/generic/skopeo/v1.12.0/skopeo_linux_amd64 url: https://code.spamasaurus.com/api/packages/djpbessems/generic/skopeo/v1.12.0/skopeo_linux_amd64
- filename: step - filename: step

20
ansible/vars/workloadcluster.yml
View File

@@ -1,6 +1,8 @@
downstream: downstream:
helm_repositories: helm_repositories:
- name: bitnami
url: https://charts.bitnami.com/bitnami
- name: longhorn - name: longhorn
url: https://charts.longhorn.io url: https://charts.longhorn.io
- name: sealed-secrets - name: sealed-secrets
@@ -18,6 +20,24 @@ downstream:
createDefaultDiskLabeledNodes: true createDefaultDiskLabeledNodes: true
defaultDataPath: /mnt/blockstorage defaultDataPath: /mnt/blockstorage
pinniped:
version: 1.3.10 # (= Pinniped v0.27.0)
chart: bitnami/pinniped
namespace: pinniped-concierge
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
chart_values: !unsafe |
supervisor:
enabled: false
extra_manifests:
- src: jwtauthenticator.j2
_template:
name: metacluster-sso
spec: !unsafe |2
issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
audience: "{{ vapp['workloadcluster.name'] | lower }}"
tls:
certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ _newline ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
sealed-secrets: sealed-secrets:
version: 2.8.1 # (= Sealed Secrets v0.20.2) version: 2.8.1 # (= Sealed Secrets v0.20.2)
chart: sealed-secrets/sealed-secrets chart: sealed-secrets/sealed-secrets

12
packer/build.pkr.hcl
View File

@@ -1,5 +1,14 @@
packer { packer {
required_plugins { required_plugins {
vsphere = {
source = "github.com/hashicorp/vsphere"
version = "~> 1"
}
ansible = {
source = "github.com/hashicorp/ansible"
version = "~> 1"
}
} }
} }
@@ -28,6 +37,7 @@ build {
extra_arguments = [ extra_arguments = [
"--extra-vars", "appliancetype=${source.name}", "--extra-vars", "appliancetype=${source.name}",
"--extra-vars", "applianceversion=${var.appliance_version}",
"--extra-vars", "ansible_ssh_pass=${var.ssh_password}", "--extra-vars", "ansible_ssh_pass=${var.ssh_password}",
"--extra-vars", "docker_username=${var.docker_username}", "--extra-vars", "docker_username=${var.docker_username}",
"--extra-vars", "docker_password=${var.docker_password}", "--extra-vars", "docker_password=${var.docker_password}",
@@ -45,7 +55,7 @@ build {
" -ManifestFileName '/scratch/bld_${var.vm_name}_${source.name}.mf'", " -ManifestFileName '/scratch/bld_${var.vm_name}_${source.name}.mf'",
"ovftool --acceptAllEulas --allowExtraConfig --overwrite \\", "ovftool --acceptAllEulas --allowExtraConfig --overwrite \\",
" '/scratch/bld_${var.vm_name}_${source.name}.ovf' \\", " '/scratch/bld_${var.vm_name}_${source.name}.ovf' \\",
" /output/airgapped-k8s-${var.next_release_version}+${var.k8s_version}-${source.name}.ova" " /output/airgapped-k8s-${var.appliance_version}+${var.k8s_version}-${source.name}.ova"
] ]
} }
} }

8
packer/iso.auto.pkrvars.hcl
View File

@@ -1,5 +1,5 @@
iso_url = "sn.itch.fyi/Repository/iso/Canonical/Ubuntu%20Server%2022.04/ubuntu-22.04.1-live-server-amd64.iso" iso_url = "sn.itch.fyi/Repository/iso/Canonical/Ubuntu%20Server%2022.04/ubuntu-22.04.3-live-server-amd64.iso"
iso_checksum = "sha256:10F19C5B2B8D6DB711582E0E27F5116296C34FE4B313BA45F9B201A5007056CB" iso_checksum = "sha256:A4ACFDA10B18DA50E2EC50CCAF860D7F20B389DF8765611142305C0E911D16FD"
// iso_url = "sn.itch.fyi/Repository/iso/Canonical/Ubuntu%20Server%2022.04/ubuntu-22.04-live-server-amd64.iso" // iso_url = "sn.itch.fyi/Repository/iso/Canonical/Ubuntu%20Server%2022.04/ubuntu-22.04.1-live-server-amd64.iso"
// iso_checksum = "sha256:84AEAF7823C8C61BAA0AE862D0A06B03409394800000B3235854A6B38EB4856F" // iso_checksum = "sha256:10F19C5B2B8D6DB711582E0E27F5116296C34FE4B313BA45F9B201A5007056CB"

23
packer/preseed/UbuntuServer22.04/user-data
View File

@@ -1,10 +1,19 @@
#cloud-config #cloud-config
autoinstall: autoinstall:
version: 1 version: 1
apt:
geoip: true
preserve_sources_list: false
primary:
- arches: [amd64, i386]
uri: http://archive.ubuntu.com/ubuntu
- arches: [default]
uri: http://ports.ubuntu.com/ubuntu-ports
early-commands:
- sudo systemctl stop ssh
locale: en_US locale: en_US
keyboard: keyboard:
layout: en layout: us
variant: us
network: network:
network: network:
version: 2 version: 2
@@ -16,14 +25,18 @@ autoinstall:
layout: layout:
name: direct name: direct
identity: identity:
hostname: packer-template hostname: ubuntu-server
username: ubuntu username: ubuntu
# password: $6$ZThRyfmSMh9499ar$KSZus58U/l58Efci0tiJEqDKFCpoy.rv25JjGRv5.iL33AQLTY2aljumkGiDAiX6LsjzVsGTgH85Tx4S.aTfx0
password: $6$rounds=4096$ZKfzRoaQOtc$M.fhOsI0gbLnJcCONXz/YkPfSoefP4i2/PQgzi2xHEi2x9CUhush.3VmYKL0XVr5JhoYvnLfFwqwR/1YYEqZy/ password: $6$rounds=4096$ZKfzRoaQOtc$M.fhOsI0gbLnJcCONXz/YkPfSoefP4i2/PQgzi2xHEi2x9CUhush.3VmYKL0XVr5JhoYvnLfFwqwR/1YYEqZy/
ssh: ssh:
install-server: yes install-server: true
allow-pw: true allow-pw: true
packages:
- openssh-server
- open-vm-tools
- cloud-init
user-data: user-data:
disable_root: false disable_root: false
late-commands: late-commands:
- echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' > /target/etc/sudoers.d/ubuntu - echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' > /target/etc/sudoers.d/ubuntu
- curtin in-target --target=/target -- chmod 440 /etc/sudoers.d/ubuntu

20
packer/source.pkr.hcl
View File

@@ -1,14 +1,14 @@
source "vsphere-iso" "ubuntu" { source "vsphere-iso" "ubuntu" {
vcenter_server = var.vcenter_server vcenter_server = var.hv_fqdn
username = var.vsphere_username username = var.hv_username
password = var.vsphere_password password = var.hv_password
insecure_connection = "true" insecure_connection = "true"
datacenter = var.vsphere_datacenter datacenter = var.hv_datacenter
cluster = var.vsphere_cluster cluster = var.hv_cluster
host = var.vsphere_host host = var.hv_host
folder = var.vsphere_folder folder = var.hv_folder
datastore = var.vsphere_datastore datastore = var.hv_datastore
guest_os_type = "ubuntu64Guest" guest_os_type = "ubuntu64Guest"
@@ -31,7 +31,7 @@ source "vsphere-iso" "ubuntu" {
RAM = 8192 RAM = 8192
network_adapters { network_adapters {
network = var.vsphere_network network = var.hv_network
network_card = "vmxnet3" network_card = "vmxnet3"
} }
storage { storage {
@@ -41,6 +41,7 @@ source "vsphere-iso" "ubuntu" {
disk_controller_type = ["pvscsi"] disk_controller_type = ["pvscsi"]
usb_controller = ["xhci"] usb_controller = ["xhci"]
set_host_for_datastore_uploads = true
cd_files = [ cd_files = [
"packer/preseed/UbuntuServer22.04/user-data", "packer/preseed/UbuntuServer22.04/user-data",
"packer/preseed/UbuntuServer22.04/meta-data" "packer/preseed/UbuntuServer22.04/meta-data"
@@ -55,7 +56,6 @@ source "vsphere-iso" "ubuntu" {
remove_cdrom = true remove_cdrom = true
export { export {
images = false
output_directory = "/scratch" output_directory = "/scratch"
} }
} }

22
packer/variables.pkr.hcl
View File

@@ -1,17 +1,17 @@
variable "vcenter_server" {} variable "hv_fqdn" {}
variable "vsphere_username" {} variable "hv_username" {}
variable "vsphere_password" { variable "hv_password" {
sensitive = true sensitive = true
} }
variable "vsphere_host" {} variable "hv_host" {}
variable "vsphere_datacenter" {} variable "hv_datacenter" {}
variable "vsphere_cluster" {} variable "hv_cluster" {}
variable "vsphere_templatefolder" {} variable "hv_templatefolder" {}
variable "vsphere_folder" {} variable "hv_folder" {}
variable "vsphere_datastore" {} variable "hv_datastore" {}
variable "vsphere_network" {} variable "hv_network" {}
variable "vm_name" {} variable "vm_name" {}
variable "ssh_password" { variable "ssh_password" {
@@ -34,5 +34,5 @@ variable "docker_password" {
sensitive = true sensitive = true
} }
variable "appliance_version" {}
variable "k8s_version" {} variable "k8s_version" {}
variable "next_release_version" {}

19
packer/vsphere.auto.pkrvars.hcl
View File

@@ -1,9 +1,10 @@
vcenter_server = "bv11-vc.bessems.lan" hv_fqdn = "lab-vc-01.bessems.lan"
vsphere_username = "administrator@vsphere.local" hv_username = "administrator@vsphere.local"
vsphere_datacenter = "DeSchakel" # urlencoded "4/55-Clydebank-Rd"
vsphere_cluster = "Cluster.01" hv_datacenter = "4%2f55-Clydebank-Rd"
vsphere_host = "bv11-esx02.bessems.lan" hv_cluster = "Cluster.01"
vsphere_datastore = "ESX02.SSD02" hv_host = "lab-esx-02.bessems.lan"
vsphere_folder = "/Packer" hv_datastore = "ESX02.SSD02"
vsphere_templatefolder = "/Templates" hv_folder = "/Packer"
vsphere_network = "LAN" hv_templatefolder = "/Templates"
hv_network = "LAN"