From 7c62a8e654de1eef5a669f88ee1e74eea5b70188 Mon Sep 17 00:00:00 2001
From: "a.b.christie"
Date: Mon, 26 Jan 2026 14:44:23 +0000
Subject: [PATCH 1/3] feat: Changes for Scaleway AWX deploy
---
parameters-scw-production.yaml | 12 +++
parameters-template.yaml | 16 ----
roles/operator/tasks/main.yaml | 36 ++++----
roles/operator/tasks/prep.yaml | 89 ++++++++++++++-----
.../vars/sensitive-scw-production.vault | 14 +++
5 files changed, 112 insertions(+), 55 deletions(-)
create mode 100644 parameters-scw-production.yaml
delete mode 100644 parameters-template.yaml
create mode 100644 roles/operator/vars/sensitive-scw-production.vault
diff --git a/parameters-scw-production.yaml b/parameters-scw-production.yaml
new file mode 100644
index 0000000..fbbebe8
--- /dev/null
+++ b/parameters-scw-production.yaml
@@ -0,0 +1,12 @@
+---
+
+# A parameter file to replicate the variables used by AWX.
+# The user would run this (armed with a suitable Ansible) with: -
+#
+# export KUBECONFIG=~/k8s-config/kubeconfig-im-main-scw-admin.yaml
+# ansible-playbook site.yaml -e @parameters-scw-production.yaml \
+# -e jo_image_tag=35.0.0 \
+# --vault-password-file ../scw-production-vault.password
+
+jo_installation_name: scw-production
+jo_image_tag: SetMe
diff --git a/parameters-template.yaml b/parameters-template.yaml
deleted file mode 100644
index 7525587..0000000
--- a/parameters-template.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-
-# You shouldn't need to edit this file.
-# You can adjust the configuration using environment variables.
-
-# The Operator image tag
-jo_image_tag: "{{ lookup('env', 'IM_DEV_JOB_O_TAG') | default('19.3.3', True) }}"
-
-jo_nf_executor_queue_size: 250
-jo_nf_ansi_log: yes
-
-jo_namespace: data-manager-job-operator
-
-# The KUBECONFIG reference.
-# Used outside of AWX to set kubernetes credentials.
-jo_kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
diff --git a/roles/operator/tasks/main.yaml b/roles/operator/tasks/main.yaml
index 2b8758d..014a812 100644
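Review bot: In parameters-scw-production.yaml, `jo_image_tag: SetMe` is left as a placeholder, but the same patch removes the "Assert operator version defined" task from roles/operator/tasks/prep.yaml, which rejected an empty or `SetMe` tag. Unless an equivalent check exists in deploy.yaml (not shown here), a run that omits `-e jo_image_tag=...` would proceed with the literal tag `SetMe` against the production installation. Keeping the guard before the deploy include would stop this, for example `- jo_image_tag | string | length > 0` and `- jo_image_tag != 'SetMe'` in an `ansible.builtin.assert`.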
--- a/roles/operator/tasks/main.yaml +++ b/roles/operator/tasks/main.yaml @@ -2,28 +2,30 @@ - name: Prep ansible.builtin.include_tasks: prep.yaml + vars: + kubeconfig: "{{ jo_kubeconfig }}" -- name: Deploy (with k8s kubeconfig) - when: jo_kubeconfig != 'SetMe' +# Include sensitive (Ansible Vault) variables based on the installation name. +# We include 'sensitive-local.vault' variables if the installation name is 'local'. +# The user will need to provide the vault password. + +- name: Include sensitive (vault) variables ({{ dt_installation_name }}) + ansible.builtin.include_vars: + file: sensitive-{{ dt_installation_name }}.vault + when: as_installation_name | length > 0 + +- name: Go module_defaults: group/k8s: - kubeconfig: "{{ jo_kubeconfig }}" + host: "{{ k8s_auth_host }}" + api_key: "{{ k8s_auth_api_key }}" + kubeconfig: "{{ k8s_auth_kubeconfig }}" block: - - name: Deploy (k8s kubeconfig) + - name: Deploy ansible.builtin.include_tasks: deploy.yaml - when: jo_state|string == 'present' - - name: Undeploy (k8s kubeconfig) - ansible.builtin.include_tasks: undeploy.yaml - when: jo_state|string == 'absent' + when: jo_state | string == 'present' -- name: Deploy (with k8s host and API key) - when: jo_kubeconfig == 'SetMe' - block: - - - name: Deploy (k8s API key) - ansible.builtin.include_tasks: deploy.yaml - when: jo_state|string == 'present' - - name: Undeploy (k8s API key) + - name: Undeploy ansible.builtin.include_tasks: undeploy.yaml - when: jo_state|string == 'absent' + when: jo_state | string == 'absent' diff --git a/roles/operator/tasks/prep.yaml b/roles/operator/tasks/prep.yaml index c43979b..3569110 100644 --- a/roles/operator/tasks/prep.yaml +++ b/roles/operator/tasks/prep.yaml 
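Review bot: The new "Include sensitive (vault) variables" task mixes three variable prefixes: its name and `file:` use `dt_installation_name`, its `when:` tests `as_installation_name`, and the parameter file added in this patch sets `jo_installation_name`. Unless the other two names are defined somewhere outside this diff, the condition will fail on an undefined variable or the vault file for this installation will not be the one loaded. Using a single name throughout looks like the intent: `file: sensitive-{{ jo_installation_name }}.vault` with `when: jo_installation_name | default('') | length > 0`. Since the installation name is interpolated into a file path, it may also be worth asserting it against the known set of installations before the include.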
@@ -1,6 +1,28 @@ --- # Common playbook preparation. +# +# We expect: - +# +# - kubeconfig (defined, that might point to a KUBECONFIG file) +# +# We process: - +# +# - K8S_AUTH_HOST (optional) +# - K8S_AUTH_API_KEY (optional) +# - KUBECONFIG (optional) +# +# One method of Kubernetes authentication must be provided. +# On exit the following variables have been set (although some may be blank/None): - +# +# - k8s_auth_api_key +# - k8s_auth_host +# - k8s_auth_kubeconfig + +- name: Assert inputs + ansible.builtin.assert: + that: + - kubeconfig is defined # Expose ansible version - name: Display Ansible version 
@@ -18,37 +40,60 @@ ansible.builtin.debug: var: freeze.stdout_lines -- name: Assert operator version defined - ansible.builtin.assert: - that: - - jo_image_tag|length > 0 - - jo_image_tag != 'SetMe' - # Kubernetes credentials ------------------------------------------------------ -# We don't use the Kubernetes credentials directly, -# but we load them into variables here from their -# expected environment variables so that we can assert they've been set. +# If a kubeconfig value is set we use that. +# Otherwise if K8S_AUTH_HOST is defined we use that (AWX). +# Otherwise if KUBECONFIG is defined we use that. -- name: Set initial authentication facts +- name: Load K8S_AUTH_HOST and K8S_AUTH_API_KEY ansible.builtin.set_fact: k8s_auth_host: "{{ lookup('env', 'K8S_AUTH_HOST') }}" k8s_auth_api_key: "{{ lookup('env', 'K8S_AUTH_API_KEY') }}" -# A kubernetes host and an API key must be set. -# Either environment variables will have been set by the user -# or AWX 'kubernetes' credentials will have injected them. -# Either way the variables 'k8s_auth_host' and -# 'k8s_auth_api_key' must have been set. 
-- name: Assert kubernetes authentication (no kubeconfig) +- name: Use kubernetes authentication (kubeconfig) + ansible.builtin.set_fact: + k8s_auth_kubeconfig: "{{ kubeconfig }}" + when: kubeconfig | string | length > 0 + +- name: Use kubernetes authentication (k8s_auth_host) ansible.builtin.assert: that: - - k8s_auth_host|string|length > 0 - - k8s_auth_api_key|string|length > 0 - when: jo_kubeconfig == 'SetMe' + - k8s_auth_host | string | length > 0 + - k8s_auth_api_key | string | length > 0 + when: + - kubeconfig | string | length == 0 + - k8s_auth_host | string | length > 0 -- name: Assert kubeconfig defined (kubeconfig) +- name: Use kubernetes authentication (KUBECONFIG) + ansible.builtin.set_fact: + k8s_auth_kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}" + when: + - kubeconfig | string | length == 0 + - k8s_auth_host | string | length == 0 + +- name: Kubernetes authentication must be set ansible.builtin.assert: that: - - jo_kubeconfig|length > 0 - when: jo_kubeconfig != 'SetMe' + - k8s_auth_kubeconfig is defined or k8s_auth_host is defined + msg: "You must provide a means to authenticate against Kubernetes" + +# We 'set' all the expected variables now (even to None) +# to avoid the following playbooks having to apply 'default(none)'. +# Basically we 'define' all three variables here, +# whether they have a value or not, so any following playbook +# won't encounter a 'variable not defined error'. + +- name: Set variables (with defaults) + ansible.builtin.set_fact: + k8s_auth_api_key: "{{ k8s_auth_api_key | default(None) }}" + k8s_auth_host: "{{ k8s_auth_host | default(None) }}" + k8s_auth_kubeconfig: "{{ k8s_auth_kubeconfig | default(None) }}" + +- name: Display Host + ansible.builtin.debug: + var: k8s_auth_host + +- name: Display KUBECONFIG + ansible.builtin.debug: + var: k8s_auth_kubeconfig diff --git a/roles/operator/vars/sensitive-scw-production.vault b/roles/operator/vars/sensitive-scw-production.vault new file mode 100644 index 0000000..1b7ba1c 
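Review bot: The final "Kubernetes authentication must be set" assertion cannot fail. `k8s_auth_host` is always defined by the earlier `set_fact`, because `lookup('env', ...)` yields an empty string for an unset variable, and `k8s_auth_kubeconfig` can likewise be set from an empty `KUBECONFIG`. Testing for content rather than definition would make the guard effective: `- (k8s_auth_kubeconfig | default('') | string | length > 0) or (k8s_auth_host | string | length > 0)`. Separately, the new "Set variables (with defaults)" task re-sets `k8s_auth_api_key`; adding `no_log: true` to the `set_fact` tasks that handle the key would keep it out of verbose (`-v`) task output.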
--- /dev/null +++ b/roles/operator/vars/sensitive-scw-production.vault @@ -0,0 +1,14 @@ +$ANSIBLE_VAULT;1.1;AES256 +62316139333866646361356564393831383333313439303835306534363966663864373339373064 +3538633237313536343163613563393139626564303066390a366664323036323063633462353664 +36363736643965373132316262323630396538653565396334363238306266313862363031363131 +3066663637663437300a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rom a4d0d93e10b28f62e37735142c038e50d342228e Mon Sep 17 00:00:00 2001 From: "a.b.christie" Date: Mon, 26 Jan 2026 14:48:40 +0000 Subject: [PATCH 2/3] docs: Doc tweak --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fbe6cb9..4ce9b55 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-yellow.svg)](https://conventionalcommits.org) [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit) -This repo contains playbooks for the Squonk2 Data Manager Job Operator. +This repository contains playbooks for the Squonk2 Data Manager Job Operator. Prerequisites: - ## Contributing From ca94c631bcc2ff06c48410ce8ab903e7671d0247 Mon Sep 17 00:00:00 2001 From: "a.b.christie" Date: Mon, 26 Jan 2026 14:59:57 +0000 Subject: [PATCH 3/3] fix: New namespace --- .../vars/sensitive-scw-production.vault | 29 ++++++++++--------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/roles/operator/vars/sensitive-scw-production.vault b/roles/operator/vars/sensitive-scw-production.vault index 1b7ba1c..603c1c4 100644 --- a/roles/operator/vars/sensitive-scw-production.vault +++ b/roles/operator/vars/sensitive-scw-production.vault 
@@ -1,14 +1,17 @@ $ANSIBLE_VAULT;1.1;AES256 -62316139333866646361356564393831383333313439303835306534363966663864373339373064 -3538633237313536343163613563393139626564303066390a366664323036323063633462353664 -36363736643965373132316262323630396538653565396334363238306266313862363031363131 -3066663637663437300a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a323364353932363465303436333165 +31386464356433303735363061363539323439343135333933363164623038663963636237663330 +3065393161666361640a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