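- name: Configure fallback name resolution
  ansible.builtin.lineinfile:
    path: /etc/hosts
    # Match any existing entry for this hostname so a changed guest address
    # replaces the old mapping instead of leaving a stale duplicate behind
    # (without 'regexp', lineinfile only appends when the exact line is
    # missing). The name is regex-escaped because it contains dots.
    regexp: '^\S+\s+{{ (item ~ "." ~ vapp["metacluster.fqdn"]) | regex_escape }}$'
    line: "{{ vapp['guestinfo.ipaddress'] }} {{ item ~ '.' ~ vapp['metacluster.fqdn'] }}"
    state: present
  loop:
    # TODO: Make this list dynamic
    - ca
    - git
    - gitops
    - ingress
    - registry
    - storage
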
- name: Create step-ca config dictionary
  # Single place that defines where the generated helm values land; later
  # tasks reference it as stepconfig.path.
  ansible.builtin.set_fact:
    stepconfig:
      path: '{{ ansible_env.HOME }}/.step/config/values.yaml'

- name: Create step-ca target folder
  # Ensures the parent directory of the values file exists before
  # 'step ca init' writes into it.
  # NOTE(review): no 'mode' is set, so the directory gets umask-derived
  # permissions; the values file stored here embeds CA material — confirm
  # the defaults are acceptable for this user/host.
  ansible.builtin.file:
    state: directory
    path: '{{ stepconfig.path | dirname }}'

- name: Initialize tempfile
  # Scratch file that will carry the CA password into 'step ca init';
  # its path is exposed as stepca_password.path. The module creates it
  # with owner-only permissions — confirm on the target if that matters.
  register: stepca_password
  ansible.builtin.tempfile:
    state: file

- name: Store password in tempfile
  # Keep the password out of the task result and logs.
  no_log: true
  ansible.builtin.copy:
    content: '{{ vapp["metacluster.password"] }}'
    dest: '{{ stepca_password.path }}'

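- name: Generate step-ca helm chart values (including root CA certificate)
  ansible.builtin.shell:
    # Literal block scalar so each trailing backslash is a shell line
    # continuation. In a folded '>-' scalar the line break becomes a space
    # that the '\' then escapes, so every option would reach 'step' with a
    # leading space glued onto it.
    # stdout goes to a temporary file that is only moved into place once
    # 'step ca init' succeeded: a failed run then leaves nothing for
    # 'creates' to match, so the task reruns instead of being skipped
    # forever behind an empty or partial values file (the former '| tee'
    # also masked the exit status). Nothing is echoed into the task result
    # any more, which keeps the generated values — they embed at least the
    # root CA certificate, presumably encrypted key material too — out of
    # the Ansible output.
    cmd: |-
      step ca init \
        --helm \
        --deployment-type=standalone \
        --name=ca.{{ vapp['metacluster.fqdn'] }} \
        --dns=ca.{{ vapp['metacluster.fqdn'] }} \
        --dns=step-certificates.step-ca.svc.cluster.local \
        --dns=127.0.0.1 \
        --address=:9000 \
        --provisioner=admin \
        --acme \
        --password-file={{ stepca_password.path }} > {{ stepconfig.path }}.tmp \
        && mv {{ stepconfig.path }}.tmp {{ stepconfig.path }}
    creates: "{{ stepconfig.path }}"
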
- name: Cleanup tempfile
  # Remove the password file once 'step ca init' no longer needs it.
  # NOTE(review): this task is only reached when the preceding ones
  # succeed; if 'step ca init' fails the password file stays on disk —
  # consider wrapping create/use/remove in a block with an always: section.
  when: stepca_password.path is defined
  ansible.builtin.file:
    state: absent
    path: '{{ stepca_password.path }}'

- name: Store root CA certificate
  # Pulls the root certificate out of the generated helm values and drops it
  # where update-ca-certificates (next task) looks for '*.crt' files.
  # NOTE(review): lookup() is evaluated on the controller, while
  # stepconfig.path was written on the managed node — this only lines up
  # when the play runs against the local machine; confirm.
  ansible.builtin.copy:
    content: >-
      {{ (lookup('ansible.builtin.file', stepconfig.path) | from_yaml).inject.certificates.root_ca }}
    dest: /usr/local/share/ca-certificates/root_ca.crt

- name: Update certificate truststore
  # Regenerates the system truststore from the certificates placed under
  # /usr/local/share/ca-certificates; 'command' always reports changed here.
  ansible.builtin.command: update-ca-certificates

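- name: Extract container images (for idempotency purposes)
  ansible.builtin.unarchive:
    src: /opt/metacluster/container-images/image-tarballs.tgz
    dest: /opt/metacluster/container-images
    # Canonical boolean (was 'no'); Ansible accepts both, but YAML 1.2
    # parsers and yamllint treat 'no' as a string.
    remote_src: false
  when:
    # lookup() runs on the controller and returns the matching paths as one
    # comma-separated string; the bundle is only unpacked when it is present.
    - lookup('ansible.builtin.fileglob', '/opt/metacluster/container-images/*.tgz') is match('.*image-tarballs.tgz')
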
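- name: Get all stored fully qualified container image names
  ansible.builtin.shell:
    # Literal block scalar so the trailing backslashes are shell line
    # continuations. In a folded '>-' scalar each line break becomes a space
    # that the '\' then escapes and glues onto the next word, so the
    # '| \' + 'jq' pair would be run as the command ' jq'.
    # --insecure-policy skips skopeo's signature policy; the source is a
    # local docker-archive, so nothing is pulled here — confirm that is the
    # intent.
    # NOTE(review): without pipefail a failing skopeo yields an empty stdout
    # that the next task silently drops; 'executable: /bin/bash' with
    # 'set -o pipefail' would surface it, if bash is available on the target.
    cmd: |-
      skopeo list-tags \
        --insecure-policy \
        docker-archive:./{{ item | basename }} | \
        jq -r '.Tags[0]'
    chdir: /opt/metacluster/container-images
  register: registry_artifacts
  loop: "{{ query('ansible.builtin.fileglob', '/opt/metacluster/container-images/*.tar') | sort }}"
  loop_control:
    label: "{{ item | basename }}"
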
- name: Get source registries of all artifacts
  # Accumulates the first path component of every image name into a sorted,
  # de-duplicated list. 'select' with no test drops empty stdout entries;
  # json_query needs the jmespath library on the controller.
  # NOTE(review): an image name without a registry prefix would contribute
  # its first component (e.g. a bare repository name) — verify the archive
  # only holds fully qualified names.
  loop: "{{ registry_artifacts | json_query('results[*].stdout') | select | sort }}"
  ansible.builtin.set_fact:
    source_registries: "{{ (source_registries | default([]) + [item.split('/') | first]) | unique | sort }}"

- name: Configure K3s node for private registry
  # Renders the registry mirror configuration for the K3s node from the
  # registries collected above.
  ansible.builtin.template:
    src: registries.j2
    dest: /etc/rancher/k3s/registries.yaml
  # Variables consumed by registries.j2.
  vars:
    _template:
      registries: '{{ source_registries }}'
      hv:
        fqdn: '{{ vapp["metacluster.fqdn"] }}'