# Dex is installed as the upstream identity provider; the pinniped resources
# created later in this file reference it (issuer https://idps.<fqdn>,
# presumably this release — confirm against the dex chart values).
# wait is false, so readiness is deliberately not checked here.
- block:

    - name: Install dex
      kubernetes.core.helm:
        kubeconfig: '{{ kubeconfig.path }}'
        name: dex
        release_namespace: dex
        create_namespace: true
        chart_ref: /opt/metacluster/helm-charts/dex
        values: "{{ components['dex'].chart_values }}"
        wait: false
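# Pinniped local-user-authenticator: a static-user backend. The manifest is
# applied from disk, then one Secret per entry of
# components['localuserauthenticator'].users is rendered from secret.j2.
- block:

    - name: Install pinniped local-user-authenticator
      kubernetes.core.k8s:
        src: /opt/metacluster/pinniped/local-user-authenticator.yaml
        state: present
        kubeconfig: "{{ kubeconfig.path }}"

    # Secret name == username, in the local-user-authenticator namespace.
    # type is left empty; secret.j2 presumably omits the field when blank.
    - name: Create local-user-authenticator accounts
      kubernetes.core.k8s:
        template: secret.j2
        state: present
        kubeconfig: "{{ kubeconfig.path }}"
      vars:
        _template:
          name: "{{ item.username }}"
          namespace: local-user-authenticator
          type: ''
          data:
            # Every account gets the same fixed group membership.
            - key: groups
              value: "{{ 'group1,group2' | b64encode }}"
            # NOTE(review): this only base64-encodes item.password. The
            # authenticator expects passwordHash to be a bcrypt hash, so
            # item.password must already be hashed in the inventory — confirm;
            # a plaintext value here would simply never authenticate.
            - key: passwordHash
              value: "{{ item.password | b64encode }}"
      loop: "{{ components['localuserauthenticator'].users }}"
      # Each loop item carries a credential; without no_log Ansible prints
      # the full item per iteration (and the rendered Secret on -v).
      no_log: true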
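# Pinniped supervisor: helm chart, Traefik ingress for auth.<fqdn>, an interim
# self-signed TLS secret (see the step-ca TODO) and the supervisor resources
# (OIDCIdentityProvider, client Secret, FederationDomain).
- block:

    - name: Install pinniped chart
      kubernetes.core.helm:
        name: pinniped
        chart_ref: /opt/metacluster/helm-charts/pinniped
        release_namespace: pinniped-supervisor
        create_namespace: true
        wait: false
        kubeconfig: "{{ kubeconfig.path }}"
        values: "{{ components['pinniped'].chart_values }}"

    # Traefik IngressRoute and ServersTransport, rendered from <kind>.j2 with
    # the spec text handed through as-is.
    - name: Add ingress for supervisor
      kubernetes.core.k8s:
        template: "{{ item.kind }}.j2"
        state: present
        kubeconfig: "{{ kubeconfig.path }}"
      vars:
        _template:
          name: "{{ item.name }}"
          namespace: "{{ item.namespace }}"
          spec: "{{ item.spec }}"
      loop:
        - kind: ingressroute
          name: pinniped-supervisor
          namespace: pinniped-supervisor
          spec: |2
            entryPoints:
              - web
              - websecure
            routes:
              - kind: Rule
                match: Host(`auth.{{ vapp['metacluster.fqdn'] }}`)
                services:
                  - kind: Service
                    name: pinniped-supervisor
                    namespace: pinniped-supervisor
                    port: 443
                    scheme: https
                    serversTransport: pinniped-supervisor
        # insecureSkipVerify turns off certificate verification on the
        # Traefik -> supervisor hop; serverName only sets the name presented
        # to the backend and does not restore verification. Tolerable while the
        # backend certificate is the self-signed one created below, but once
        # the step-ca migration (TODO below) lands this should trust the
        # issuing CA instead of skipping verification.
        - kind: serverstransport
          name: pinniped-supervisor
          namespace: pinniped-supervisor
          spec: |2
            insecureSkipVerify: true
            serverName: auth.{{ vapp['metacluster.fqdn'] }}
      loop_control:
        label: "{{ item.kind ~ '/' ~ item.name ~ ' (' ~ item.namespace ~ ')' }}"

    # Poll healthz through the ingress until it returns 200 with "OK".
    # Both until conditions must hold; delay is scaled by storage_benchmark.
    - name: Ensure pinniped API availability
      ansible.builtin.uri:
        url: https://auth.{{ vapp['metacluster.fqdn'] }}/healthz
        method: GET
      register: api_readycheck
      until:
        - api_readycheck.status == 200
        - api_readycheck.msg is search("OK")
      retries: "{{ playbook.retries }}"
      delay: "{{ ((storage_benchmark | float) * playbook.delay.short) | int }}"

    # TODO: Migrate to step-ca
    # Interim: generate a self-signed certificate in a temp directory and load
    # it into the pinniped-supervisor-tls Secret used by the FederationDomain.
    - name: Initialize tempfile
      ansible.builtin.tempfile:
        state: directory
      register: certificate

    - name: Create private key (RSA, 4096 bits)
      community.crypto.openssl_privatekey:
        path: "{{ certificate.path }}/certificate.key"

    - name: Create self-signed certificate
      community.crypto.x509_certificate:
        path: "{{ certificate.path }}/certificate.crt"
        privatekey_path: "{{ certificate.path }}/certificate.key"
        provider: selfsigned

    - name: Store self-signed certificate for use by pinniped supervisor
      kubernetes.core.k8s:
        template: secret.j2
        state: present
        kubeconfig: "{{ kubeconfig.path }}"
      vars:
        _template:
          name: pinniped-supervisor-tls
          namespace: pinniped-supervisor
          type: kubernetes.io/tls
          data:
            - key: tls.crt
              value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.crt') | b64encode }}"
            - key: tls.key
              value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.key') | b64encode }}"
      # The rendered Secret and the module result contain the private key;
      # keep them out of task output and verbose logs.
      no_log: true
    # TODO: Migrate to step-ca

    # type/data/spec are optional per item; omit drops the key from _template
    # for kinds that do not use it.
    - name: Create pinniped resources
      kubernetes.core.k8s:
        template: "{{ item.kind }}.j2"
        state: present
        kubeconfig: "{{ kubeconfig.path }}"
      vars:
        _template:
          name: "{{ item.name }}"
          namespace: "{{ item.namespace }}"
          type: "{{ item.type | default('') }}"
          data: "{{ item.data | default(omit) }}"
          spec: "{{ item.spec | default(omit) }}"
      loop:
        # stepca_cm_certs is registered outside this file; the CA bundle is
        # intermediate followed by root, joined with _newline.
        - kind: oidcidentityprovider
          name: dex-staticpasswords
          namespace: pinniped-supervisor
          spec: |2
            issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
            tls:
              certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ _newline ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
            authorizationConfig:
              additionalScopes: [offline_access, groups, email]
              allowPasswordGrant: false
            claims:
              username: email
              groups: groups
            client:
              secretName: dex-clientcredentials
        # NOTE(review): clientSecret is derived deterministically from the
        # public FQDN (password lookup with a fixed seed, no file), so anyone
        # who knows the seed and this derivation can reproduce it. Presumably
        # the dex side derives the same value; if this is replaced by a stored
        # random secret, both sides must change together.
        - kind: secret
          name: dex-clientcredentials
          namespace: pinniped-supervisor
          type: secrets.pinniped.dev/oidc-client
          data:
            - key: clientID
              value: "{{ 'pinniped-supervisor' | b64encode }}"
            - key: clientSecret
              value: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) | b64encode }}"
        - kind: federationdomain
          name: metacluster-sso
          namespace: pinniped-supervisor
          spec: |2
            issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
            tls:
              secretName: pinniped-supervisor-tls
      loop_control:
        label: "{{ item.kind ~ '/' ~ item.name }}"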