feat: Changes for Scaleway AWX deploy

README.md

@@ -10,7 +10,7 @@
 [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-yellow.svg)](https://conventionalcommits.org)
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
 
-This repo contains playbooks for the Squonk2 Data Manager Job Operator.
+This repository contains playbooks for the Squonk2 Data Manager Job Operator.
 Prerequisites: -
 
 ## Contributing

parameters-scw-production.yaml

@@ -0,0 +1,12 @@
+---
+
+# A parameter file to replicate the variables used by AWX.
+# The user would run this (armed with a suitable Ansible) with: -
+#
+#   export KUBECONFIG=~/k8s-config/kubeconfig-im-main-scw-admin.yaml
+#   ansible-playbook site.yaml -e @parameters-scw-production.yaml \
+#       -e jo_image_tag=35.0.0 \
+#       --vault-password-file ../scw-production-vault.password
+
+jo_installation_name: scw-production
+jo_image_tag: SetMe

roles/operator/tasks/main.yaml

@@ -2,28 +2,30 @@
 
 - name: Prep
   ansible.builtin.include_tasks: prep.yaml
+  vars:
+    kubeconfig: "{{ jo_kubeconfig }}"
 
-- name: Deploy (with k8s kubeconfig)
-  when: jo_kubeconfig != 'SetMe'
+# Include sensitive (Ansible Vault) variables based on the installation name.
+# We include 'sensitive-local.vault' variables if the installation name is 'local'.
+# The user will need to provide the vault password.
+
+- name: Include sensitive (vault) variables ({{ dt_installation_name }})
+  ansible.builtin.include_vars:
+    file: sensitive-{{ dt_installation_name }}.vault
+  when: as_installation_name | length > 0
+
+- name: Go
   module_defaults:
     group/k8s:
-      kubeconfig: "{{ jo_kubeconfig }}"
+      host: "{{ k8s_auth_host }}"
+      api_key: "{{ k8s_auth_api_key }}"
+      kubeconfig: "{{ k8s_auth_kubeconfig }}"
   block:
 
-  - name: Deploy (k8s kubeconfig)
+  - name: Deploy
     ansible.builtin.include_tasks: deploy.yaml
-    when: jo_state|string == 'present'
-  - name: Undeploy (k8s kubeconfig)
-    ansible.builtin.include_tasks: undeploy.yaml
-    when: jo_state|string == 'absent'
+    when: jo_state | string == 'present'
 
-- name: Deploy (with k8s host and API key)
-  when: jo_kubeconfig == 'SetMe'
-  block:
-
-  - name: Deploy (k8s API key)
-    ansible.builtin.include_tasks: deploy.yaml
-    when: jo_state|string == 'present'
-  - name: Undeploy (k8s API key)
+  - name: Undeploy
     ansible.builtin.include_tasks: undeploy.yaml
-    when: jo_state|string == 'absent'
+    when: jo_state | string == 'absent'

roles/operator/tasks/prep.yaml

@@ -1,6 +1,28 @@
 ---
 
 # Common playbook preparation.
+#
+# We expect: -
+#
+# - kubeconfig (defined, that might point to a KUBECONFIG file)
+#
+# We process: -
+#
+# - K8S_AUTH_HOST (optional)
+# - K8S_AUTH_API_KEY (optional)
+# - KUBECONFIG (optional)
+#
+# One method of Kubernetes authentication must be provided.
+# On exit the following variables have been set (although some may be blank/None): -
+#
+# - k8s_auth_api_key
+# - k8s_auth_host
+# - k8s_auth_kubeconfig
+
+- name: Assert inputs
+  ansible.builtin.assert:
+    that:
+    - kubeconfig is defined
 
 # Expose ansible version
 - name: Display Ansible version
@@ -18,37 +40,60 @@
   ansible.builtin.debug:
     var: freeze.stdout_lines
 
-- name: Assert operator version defined
-  ansible.builtin.assert:
-    that:
-    - jo_image_tag|length > 0
-    - jo_image_tag != 'SetMe'
-
 # Kubernetes credentials ------------------------------------------------------
 
-# We don't use the Kubernetes credentials directly,
-# but we load them into variables here from their
-# expected environment variables so that we can assert they've been set.
+# If a kubeconfig value is set we use that.
+# Otherwise if K8S_AUTH_HOST is defined we use that (AWX).
+# Otherwise if KUBECONFIG is defined we use that.
 
-- name: Set initial authentication facts
+- name: Load K8S_AUTH_HOST and K8S_AUTH_API_KEY
   ansible.builtin.set_fact:
     k8s_auth_host: "{{ lookup('env', 'K8S_AUTH_HOST') }}"
     k8s_auth_api_key: "{{ lookup('env', 'K8S_AUTH_API_KEY') }}"
 
-# A kubernetes host and an API key must be set.
-# Either environment variables will have been set by the user
-# or AWX 'kubernetes' credentials will have injected them.
-# Either way the variables 'k8s_auth_host' and
-# 'k8s_auth_api_key' must have been set.
-- name: Assert kubernetes authentication (no kubeconfig)
+- name: Use kubernetes authentication (kubeconfig)
+  ansible.builtin.set_fact:
+    k8s_auth_kubeconfig: "{{ kubeconfig }}"
+  when: kubeconfig | string | length > 0
+
+- name: Use kubernetes authentication (k8s_auth_host)
   ansible.builtin.assert:
     that:
-    - k8s_auth_host|string|length > 0
-    - k8s_auth_api_key|string|length > 0
-  when: jo_kubeconfig == 'SetMe'
+    - k8s_auth_host | string | length > 0
+    - k8s_auth_api_key | string | length > 0
+  when:
+  - kubeconfig | string | length == 0
+  - k8s_auth_host | string | length > 0
 
-- name: Assert kubeconfig defined (kubeconfig)
+- name: Use kubernetes authentication (KUBECONFIG)
+  ansible.builtin.set_fact:
+    k8s_auth_kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
+  when:
+  - kubeconfig | string | length == 0
+  - k8s_auth_host | string | length == 0
+
+- name: Kubernetes authentication must be set
   ansible.builtin.assert:
     that:
-    - jo_kubeconfig|length > 0
-  when: jo_kubeconfig != 'SetMe'
+    - k8s_auth_kubeconfig is defined or k8s_auth_host is defined
+    msg: "You must provide a means to authenticate against Kubernetes"
+
+# We 'set' all the expected variables now (even to None)
+# to avoid the following playbooks having to apply 'default(none)'.
+# Basically we 'define' all three variables here,
+# whether they have a value or not, so any following playbook
+# won't encounter a 'variable not defined error'.
+
+- name: Set variables (with defaults)
+  ansible.builtin.set_fact:
+    k8s_auth_api_key: "{{ k8s_auth_api_key | default(None) }}"
+    k8s_auth_host: "{{ k8s_auth_host | default(None) }}"
+    k8s_auth_kubeconfig: "{{ k8s_auth_kubeconfig | default(None) }}"
+
+- name: Display Host
+  ansible.builtin.debug:
+    var: k8s_auth_host
+
+- name: Display KUBECONFIG
+  ansible.builtin.debug:
+    var: k8s_auth_kubeconfig

roles/operator/vars/sensitive-scw-production.vault

@@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.1;AES256
+62316139333866646361356564393831383333313439303835306534363966663864373339373064
+3538633237313536343163613563393139626564303066390a366664323036323063633462353664
+36363736643965373132316262323630396538653565396334363238306266313862363031363131
+3066663637663437300a323833666536313535633561623336333466383830633038303965623366
+61373134306662666466316664636565353061393863316439316362363231393363356462636539
+31313030333332303832646562646133313039623131353930333030633431656562336666333163
+31653138653033626332643634633631363838353961343734636331383839633336326133396161
+64623336333833663664386233373333663265366232386265643136656464633636333964366439
+34656365363063623737623232383761313933646337313938386134643463623831643432666137
+62306163383265613963353036323164643730303537633864613431663531636136396132636261
+37623666643566633534333531363462343133336361646365633362616363316434343532396131
+62613762613931643239646135396533376337346265643264396538633061653333343166303039
+64363034653161656632356263303464613238373064366663343338663366393566