diff --git a/README.md b/README.md index fbe6cb9..4ce9b55 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-yellow.svg)](https://conventionalcommits.org) [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit) -This repo contains playbooks for the Squonk2 Data Manager Job Operator. +This repository contains playbooks for the Squonk2 Data Manager Job Operator. Prerequisites: - ## Contributing diff --git a/parameters-scw-production.yaml b/parameters-scw-production.yaml new file mode 100644 index 0000000..fbbebe8 --- /dev/null +++ b/parameters-scw-production.yaml @@ -0,0 +1,12 @@ +--- + +# A parameter file to replicate the variables used by AWX. +# The user would run this (armed with a suitable Ansible) with: - +# +# export KUBECONFIG=~/k8s-config/kubeconfig-im-main-scw-admin.yaml +# ansible-playbook site.yaml -e @parameters-scw-production.yaml \ +# -e jo_image_tag=35.0.0 \ +# --vault-password-file ../scw-production-vault.password + +jo_installation_name: scw-production +jo_image_tag: SetMe diff --git a/parameters-template.yaml b/parameters-template.yaml deleted file mode 100644 index 7525587..0000000 --- a/parameters-template.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- - -# You shouldn't need to edit this file. -# You can adjust the configuration using environment variables. - -# The Operator image tag -jo_image_tag: "{{ lookup('env', 'IM_DEV_JOB_O_TAG') | default('19.3.3', True) }}" - -jo_nf_executor_queue_size: 250 -jo_nf_ansi_log: yes - -jo_namespace: data-manager-job-operator - -# The KUBECONFIG reference. -# Used outside of AWX to set kubernetes credentials. -jo_kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}" diff --git a/roles/operator/tasks/main.yaml b/roles/operator/tasks/main.yaml index 2b8758d..014a812 100644 --- a/roles/operator/tasks/main.yaml 
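Review bot: `jo_image_tag: SetMe` at the end of the new parameters-scw-production.yaml is a placeholder that nothing rejects any more, because the second hunk of roles/operator/tasks/prep.yaml in this same commit deletes the `Assert operator version defined` task (`jo_image_tag != 'SetMe'`). Running `ansible-playbook site.yaml -e @parameters-scw-production.yaml` without the `-e jo_image_tag=...` override shown in the file's own header comment would then attempt a deployment with an image tagged literally `SetMe`. Either keep that assertion in prep.yaml or drop the key from the parameter file so an undefined `jo_image_tag` fails early; the first is the smaller change, an `ansible.builtin.assert` with `- jo_image_tag | string | length > 0` and `- jo_image_tag != 'SetMe'`.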
+++ b/roles/operator/tasks/main.yaml @@ -2,28 +2,30 @@ - name: Prep ansible.builtin.include_tasks: prep.yaml + vars: + kubeconfig: "{{ jo_kubeconfig }}" -- name: Deploy (with k8s kubeconfig) - when: jo_kubeconfig != 'SetMe' +# Include sensitive (Ansible Vault) variables based on the installation name. +# We include 'sensitive-local.vault' variables if the installation name is 'local'. +# The user will need to provide the vault password. + +- name: Include sensitive (vault) variables ({{ dt_installation_name }}) + ansible.builtin.include_vars: + file: sensitive-{{ dt_installation_name }}.vault + when: as_installation_name | length > 0 + +- name: Go module_defaults: group/k8s: - kubeconfig: "{{ jo_kubeconfig }}" + host: "{{ k8s_auth_host }}" + api_key: "{{ k8s_auth_api_key }}" + kubeconfig: "{{ k8s_auth_kubeconfig }}" block: - - name: Deploy (k8s kubeconfig) + - name: Deploy ansible.builtin.include_tasks: deploy.yaml - when: jo_state|string == 'present' - - name: Undeploy (k8s kubeconfig) - ansible.builtin.include_tasks: undeploy.yaml - when: jo_state|string == 'absent' + when: jo_state | string == 'present' -- name: Deploy (with k8s host and API key) - when: jo_kubeconfig == 'SetMe' - block: - - - name: Deploy (k8s API key) - ansible.builtin.include_tasks: deploy.yaml - when: jo_state|string == 'present' - - name: Undeploy (k8s API key) + - name: Undeploy ansible.builtin.include_tasks: undeploy.yaml - when: jo_state|string == 'absent' + when: jo_state | string == 'absent' diff --git a/roles/operator/tasks/prep.yaml b/roles/operator/tasks/prep.yaml index c43979b..3569110 100644 --- a/roles/operator/tasks/prep.yaml +++ b/roles/operator/tasks/prep.yaml 
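Review bot: The new `Include sensitive (vault) variables` task uses `dt_installation_name` in its name and file pattern but gates on `as_installation_name`, and neither matches the `jo_installation_name` key this commit introduces in parameters-scw-production.yaml or the `jo_` prefix every other variable in this role uses. As written the `when` raises an undefined-variable error (`| length` on an undefined name), and if it did not, the include would look for `sensitive-.vault` rather than the `sensitive-scw-production.vault` file the commit adds. I would use the role prefix throughout: `- name: Include sensitive (vault) variables ({{ jo_installation_name }})`, `file: sensitive-{{ jo_installation_name }}.vault`, `when: jo_installation_name | default('') | length > 0`. The `default('')` also keeps the task skippable for runs that pass no installation name, which the comment above the task implies is allowed.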
@@ -1,6 +1,28 @@ --- # Common playbook preparation. +# +# We expect: - +# +# - kubeconfig (defined, that might point to a KUBECONFIG file) +# +# We process: - +# +# - K8S_AUTH_HOST (optional) +# - K8S_AUTH_API_KEY (optional) +# - KUBECONFIG (optional) +# +# One method of Kubernetes authentication must be provided. +# On exit the following variables have been set (although some may be blank/None): - +# +# - k8s_auth_api_key +# - k8s_auth_host +# - k8s_auth_kubeconfig + +- name: Assert inputs + ansible.builtin.assert: + that: + - kubeconfig is defined # Expose ansible version - name: Display Ansible version 
@@ -18,37 +40,60 @@ ansible.builtin.debug: var: freeze.stdout_lines -- name: Assert operator version defined - ansible.builtin.assert: - that: - - jo_image_tag|length > 0 - - jo_image_tag != 'SetMe' - # Kubernetes credentials ------------------------------------------------------ -# We don't use the Kubernetes credentials directly, -# but we load them into variables here from their -# expected environment variables so that we can assert they've been set. +# If a kubeconfig value is set we use that. +# Otherwise if K8S_AUTH_HOST is defined we use that (AWX). +# Otherwise if KUBECONFIG is defined we use that. -- name: Set initial authentication facts +- name: Load K8S_AUTH_HOST and K8S_AUTH_API_KEY ansible.builtin.set_fact: k8s_auth_host: "{{ lookup('env', 'K8S_AUTH_HOST') }}" k8s_auth_api_key: "{{ lookup('env', 'K8S_AUTH_API_KEY') }}" -# A kubernetes host and an API key must be set. -# Either environment variables will have been set by the user -# or AWX 'kubernetes' credentials will have injected them. -# Either way the variables 'k8s_auth_host' and -# 'k8s_auth_api_key' must have been set. 
-- name: Assert kubernetes authentication (no kubeconfig) +- name: Use kubernetes authentication (kubeconfig) + ansible.builtin.set_fact: + k8s_auth_kubeconfig: "{{ kubeconfig }}" + when: kubeconfig | string | length > 0 + +- name: Use kubernetes authentication (k8s_auth_host) ansible.builtin.assert: that: - - k8s_auth_host|string|length > 0 - - k8s_auth_api_key|string|length > 0 - when: jo_kubeconfig == 'SetMe' + - k8s_auth_host | string | length > 0 + - k8s_auth_api_key | string | length > 0 + when: + - kubeconfig | string | length == 0 + - k8s_auth_host | string | length > 0 -- name: Assert kubeconfig defined (kubeconfig) +- name: Use kubernetes authentication (KUBECONFIG) + ansible.builtin.set_fact: + k8s_auth_kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}" + when: + - kubeconfig | string | length == 0 + - k8s_auth_host | string | length == 0 + +- name: Kubernetes authentication must be set ansible.builtin.assert: that: - - jo_kubeconfig|length > 0 - when: jo_kubeconfig != 'SetMe' + - k8s_auth_kubeconfig is defined or k8s_auth_host is defined + msg: "You must provide a means to authenticate against Kubernetes" + +# We 'set' all the expected variables now (even to None) +# to avoid the following playbooks having to apply 'default(none)'. +# Basically we 'define' all three variables here, +# whether they have a value or not, so any following playbook +# won't encounter a 'variable not defined error'. + +- name: Set variables (with defaults) + ansible.builtin.set_fact: + k8s_auth_api_key: "{{ k8s_auth_api_key | default(None) }}" + k8s_auth_host: "{{ k8s_auth_host | default(None) }}" + k8s_auth_kubeconfig: "{{ k8s_auth_kubeconfig | default(None) }}" + +- name: Display Host + ansible.builtin.debug: + var: k8s_auth_host + +- name: Display KUBECONFIG + ansible.builtin.debug: + var: k8s_auth_kubeconfig diff --git a/roles/operator/vars/sensitive-scw-production.vault b/roles/operator/vars/sensitive-scw-production.vault new file mode 100644 index 0000000..1b7ba1c 
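Review bot: The `Kubernetes authentication must be set` assertion can never fail: `k8s_auth_host` is always defined by the earlier `Load K8S_AUTH_HOST and K8S_AUTH_API_KEY` set_fact (an unset environment variable yields an empty string, not an undefined variable), and the `Use kubernetes authentication (KUBECONFIG)` branch defines `k8s_auth_kubeconfig` even when `KUBECONFIG` is empty. With no credential provided the play therefore continues with empty `host`/`kubeconfig` values in `module_defaults`, and the k8s modules presumably fall back to whatever ambient configuration the runner has, which contradicts the header comment "One method of Kubernetes authentication must be provided". Test the values rather than definedness: `- (k8s_auth_kubeconfig | default('') | string | length > 0) or (k8s_auth_host | string | length > 0)`. Separately, `default(None)` in `Set variables (with defaults)` may render as the string `None` rather than a null depending on the templating mode; worth confirming, since a `kubeconfig` of `"None"` would be handed to the modules as a file path.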
--- /dev/null +++ b/roles/operator/vars/sensitive-scw-production.vault @@ -0,0 +1,14 @@ +$ANSIBLE_VAULT;1.1;AES256 +62316139333866646361356564393831383333313439303835306534363966663864373339373064 +3538633237313536343163613563393139626564303066390a366664323036323063633462353664 +36363736643965373132316262323630396538653565396334363238306266313862363031363131 +3066663637663437300a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