improvements to deploy k8s

ansible/playbook/kubernetes/k8s_install_passstore.yml

@@ -1,9 +1,9 @@
 ---
-- name: "Install Kubernetes"
-  import_playbook: "k8s_install.yml"
+- name: "Install Kubernetes using Passwordstore"
+  ansible.builtin.import_playbook: "k8s_install.yml"
 
 - name: "Get k8s configuration"
-  import_playbook: "k8s_get_config.yml"
+  ansible.builtin.import_playbook: "k8s_get_config.yml"
 
 # Requires:
 # . k8s_config
@@ -34,4 +34,8 @@
         pass_l3: "{{ vm_name }}"
         var_name: "k8s_dashboard_token"
         var_value: "{{ k8s_dashboard_token }}"
+
+- name: "Install Kubernetes using Passwordstore"
+  ansible.builtin.import_playbook: "k8s_install_tools.yml"
+
 ...

ansible/playbook/kubernetes/k8s_install_tools.yml

@@ -0,0 +1,81 @@
+---
+# Doesn't work, doesn't return api_key and api_secret variables. 
+# Don't kow why :(
+# - name: "Build GoDaddy authentication, if not provided"
+#   import_playbook: "../godaddy/godaddy_auth_passwordstore.yml"
+#   when: api_key is undefined and api_secret is undefined
+#   tags: [always]
+
+- name: "Install Kubernetes tools"
+  hosts: "{{ vm_name | default('masters') }}"
+  gather_facts: true
+
+  pre_tasks:
+    - name: "Set godaddy auth facts"
+      ansible.builtin.set_fact:
+        api_key: "{{ query('passwordstore', 'godaddy/' ~ api_environment | default('ote') ~ '/api-key')[0] }}"
+        api_secret: "{{ query('passwordstore', 'godaddy/' ~ api_environment | default('ote') ~ '/secret-key')[0] }}"
+      when: api_key is undefined and api_secret is undefined
+      tags: [always]
+
+    - name: "Validate required variables"
+      assert:
+        that:
+          - "vm_name is defined and vm_name | length > 0"
+          - "state is defined and (state == 'present' or state == 'absent')"
+          - "api_key is defined and api_secret is defined"
+        fail_msg: 
+          - "Required parameters:"
+          - "  vm_name: VM to where the tolls will be deployed"
+          - "  state: 'present' to install the tools and 'absent' to remove them"
+      tags: [always]
+
+  tasks:
+    # Requires GoDaddy API Key and Secret Key
+    - name: "Install k8s_issuer_certificate"
+      ansible.builtin.import_role:
+        name: k8s_issuer_certificate
+      # vars:
+      #   api_key: "{{ api_key  }}"
+      #   api_secret: "{{ api_secret  }}"
+      tags: [k8s_issuer_certificate]
+
+#     - role: 'cert_manager'
+#       tags: [always,cert_manager]
+#     - role: 'k8s_dashboard'
+#       tags: [always,k8s_dashboard]
+#     - { role: 'persistence',            tags: 'persistence'}          # When Minishift or oc cluster up is NOT used
+#     - { role: 'identity_provider',      tags: 'identity_provider'}    # Use HTPasswdPasswordIdentityProvider as Identity Provider -> more secure
+#     - { role: 'enable_cluster_role',    tags: 'enable_cluster_role'}
+#     - { role: 'add_extra_users',        tags: 'add_extra_users'}
+#     - { role: 'delete_extra_users',     tags: 'delete_extra_users'}
+#     - { role: 'install_oc',             tags: 'install_oc'}           # Install oc client when cluster role is not used
+#     - { role: 'docker',                 tags: 'docker'}               # Enable to access docker on port 2376
+#     - { role: 'create_projects',        tags: 'create_projects'}
+#     - { role: 'install_nexus',          tags: 'nexus'}
+#     - { role: 'install_jenkins',        tags: 'jenkins'}
+#     - { role: 'install_jaeger',         tags: 'jaeger'}
+#     - { role: 'install_istio',          tags: 'istio'}
+#     - { role: 'install_launcher',       tags: 'install-launcher'}
+#     - { role: 'uninstall_launcher',     tags: 'uninstall-launcher'}
+#     - { role: 'component_crd_operator', tags: 'component_crd_operator'}
+#     - { role: 'snowdrop_site',          tags: 'snowdrop-site'}
+#     - { role: 'tekton_pipelines',       tags: 'tekton_pipelines'}
+#     - { role: 'halkyon',                tags: 'halkyon'}
+# #    - { role: 'k8s_cluster',            tags: 'k8s_cluster'}
+#     - { role: 'k8s_config',             tags: 'k8s_config'}
+# #    - { role: 'k8s_dashboard',          tags: 'k8s_dashboard'}
+#     - { role: 'k8s_service_broker',     tags: 'k8s_service_broker'}
+#     - { role: 'k8s_halkyon_site',       tags: 'k8s_halkyon_site'}
+#     - { role: 'k8s_issuer_certificate', tags: 'k8s_issuer_certificate'}
+#     - { role: 'kind',                   tags: 'kind'}
+# #    - { role: 'ingress',                tags: 'ingress'}
+#     - { role: 'helm',                   tags: 'helm'}
+#     - { role: 'kubedb',                 tags: 'kubedb'}
+#     - { role: 'docker_registry',        tags: 'docker_registry'}
+#     - { role: 'tekton_pipelines',       tags: 'tekton_pipelines'}
+#     - { role: 'component_crd_operator', tags: 'component_crd_operator'}
+#     - { role: 'ocp4_console',           tags: 'ocp4_console'}
+# #    - { role: 'cert_manager',           tags: 'cert_manager'}
+
+...

ansible/playbook/passstore/passstore_controller_init.yml

@@ -15,6 +15,7 @@
       assert:
         that:
           - "pass_provider is defined"
+          - "pass_provider == 'hetzner' or pass_provider == 'openstack'"
         fail_msg: 
           - "Required parameters:"
           - "  pass_provider: provider in the passstore project [hetzner,openstack]"

ansible/roles/k8s_issuer_certificate/tasks/install.yml

@@ -47,4 +47,5 @@
 
 - name: Deploy the Godaddy secrets, Issuers resources containing the API Token
   shell: |
-    {{ client_tool }} {{ k8s_config }} apply -f {{ tempPath }}
+    {{ client_tool }} apply -f {{ tempPath }}
+...

ansible/roles/k8s_issuer_certificate/tasks/main.yml

@@ -1,13 +1,12 @@
 - set_fact:
-    k8s_config: "--kubeconfig '/etc/kubernetes/admin.conf'"
     client_tool: kubectl
   when: not isOpenshift | bool
 
 - debug:
     var: k8s_config
 
 - include_tasks: install.yml
-  when: not remove | bool
+  when: state == 'present'
 
 - include_tasks: remove.yml
-  when: remove | bool
+  when: state == 'absent'

ansible/roles/k8s_issuer_certificate/tasks/remove.yml

@@ -1,6 +1,6 @@
 - name: Delete the Godaddy Secrets, Issuers & Certificates resources
   shell: |
-    {{ client_tool }} {{ k8s_config }} delete issuer,certificate,secret -l app=ca-cert -n {{ item }}
+    {{ client_tool }} delete issuer,certificate,secret -l app=ca-cert -n {{ item }}
   with_items:
   - snowdrop-site
   - generator-site

ansible/roles/k8s_issuer_certificate/templates/godaddy_token_secret.yml.j2

@@ -7,4 +7,5 @@ metadata:
   namespace: {{ item.namespace }}
 type: Opaque
 stringData:
-  token: "{{ godaddy_token }}"
+#  token: "{ { godaddy_token } }"
+  token: "sso-key {{ api_key }}:{{ api_secret }}"

kubernetes/README.adoc

@@ -163,6 +163,63 @@ command.
 ansible-playbook ansible/playbook/kubernetes/k8s_remove.yml -e vm_name=${VM_NAME} 
 ----
 
+== Other k8s tools
+
+To deploy other k8s tools.
+
+.Common parameters
+[cols="2,5"]
+|===
+| Parameter | Description
+
+| `vm_name`
+
+[.fuchsia]#string#
+
+[.red]#required# 
+
+a| Name of the VM where the tools will be installed.
+
+|===
+
+[source,bash]
+----
+ansible-playbook ansible/playbook/kubernetes/k8s_install_tools.yml -e vm_name=${VM_NAME} -e letsencrypt_env=prod --tags k8s_issuer_certificate
+----
+
+
+.k8s_issuer_certificate parameters
+[cols="2,5"]
+|===
+| Parameter | Description
+
+| `api_key`
+
+[.fuchsia]#string#
+
+[.red]#required# 
+
+a| GoDaddy API key.
+
+| `api_secret`
+
+[.fuchsia]#string#
+
+[.red]#required# 
+
+a| GoDaddy API secretkey.
+
+| `letsencrypt_env`
+
+[.fuchsia]#string#
+
+a| Let's Encrypt environment to use.
+
+* *`staging` <= Default:* Staging environment
+* `prod`: Production environment
+
+|===
+
 == Troubleshooting
 
 === Expired k8s certificate

passwordstore/README.adoc

@@ -17,6 +17,15 @@ endif::[]
 
 This document describes the implementation of the passwordstore.
 
+== Prepare controller
+
+To prepare the controller for existing common keys use the `passstore_controller_init` playbook.
+
+[source,bash]
+----
+ansible-playbook ansible/playbook/passstore/passstore_controller_init.yml -e pass_provider=openstack
+----
+
 == Ansible Inventory
 
 == Define host inventory for provisioning