feat: Initial scaleway changes (#1)

Co-authored-by: a.b.christie <alan.christie@matildapeak.com>

Author: alanbchristie

parameters-scw-production.yaml

@@ -0,0 +1,12 @@
+---
+
+# A parameter file to replicate the variables used by AWX.
+# The user would run this (armed with a suitable Ansible) with: -
+#
+#   export KUBECONFIG=~/k8s-config/kubeconfig-im-main-scw-admin.yaml
+#   ansible-playbook site.yaml -e @parameters-scw-production.yaml \
+#       -e jo_image_tag=35.0.0 \
+#       --vault-password-file ../scw-production-vault.password
+
+jo_installation_name: scw-production
+jo_image_tag: SetMe

parameters-sd.yaml

@@ -5,7 +5,7 @@
 jo_state: present
 
 # The kubernetes config file.
-jo_kubeconfig: SetMe
+jo_kubeconfig: ''
 
 # The Operator container image and tag
 jo_image: informaticsmatters/data-manager-jupyter-operator

parameters-template.yaml

@@ -9,7 +9,7 @@
 - name: Assert Namespace ({{ jo_dmapi_namespace }})
   ansible.builtin.assert:
     that:
-    - ns_result.resources|length == 1
+    - ns_result.resources | length == 1
 
 - name: Get Data Manager ServiceAccount
   kubernetes.core.k8s_info:
@@ -21,7 +21,7 @@
 - name: Assert ServiceAccount
   ansible.builtin.assert:
     that:
-    - sa_result.resources|length == 1
+    - sa_result.resources | length == 1
 
 - name: Deploy Data Manager Material
   kubernetes.core.k8s:

roles/operator/defaults/main.yaml

@@ -1,10 +1,21 @@
 ---
 
-# A ply to deploy objects to the chosen Data Manager namespace.
+# A play to deploy objects to the chosen Data Manager namespace.
 # In this case it's a Role and RoleBinding
 
 - name: Prep
   ansible.builtin.include_tasks: prep.yaml
+  vars:
+    kubeconfig: "{{ jo_kubeconfig }}"
+
+# Include sensitive (Ansible Vault) variables based on the installation name.
+# We include 'sensitive-local.vault' variables if the installation name is 'local'.
+# The user will need to provide the vault password.
+
+- name: Include sensitive (vault) variables ({{ jo_installation_name }})
+  ansible.builtin.include_vars:
+    file: sensitive-{{ jo_installation_name }}.vault
+  when: jo_installation_name | length > 0
 
 # Check the Data Manager Namespace and Service Account exists...
 

roles/operator/tasks/dm-patch.yaml

@@ -2,34 +2,36 @@
 
 - name: Prep
   ansible.builtin.include_tasks: prep.yaml
+  vars:
+    kubeconfig: "{{ jo_kubeconfig }}"
+
+# Include sensitive (Ansible Vault) variables based on the installation name.
+# We include 'sensitive-local.vault' variables if the installation name is 'local'.
+# The user will need to provide the vault password.
+
+- name: Include sensitive (vault) variables ({{ jo_installation_name }})
+  ansible.builtin.include_vars:
+    file: sensitive-{{ jo_installation_name }}.vault
+  when: jo_installation_name | length > 0
 
 - name: Assert operator version defined
   ansible.builtin.assert:
     that:
-    - jo_image_tag|length > 0
+    - jo_image_tag | length > 0
     - jo_image_tag != 'SetMe'
 
-- name: Deploy (with k8s kubeconfig)
-  when: jo_kubeconfig != 'SetMe'
+- name: Go
   module_defaults:
     group/k8s:
-      kubeconfig: "{{ jo_kubeconfig }}"
+      host: "{{ k8s_auth_host }}"
+      api_key: "{{ k8s_auth_api_key }}"
+      kubeconfig: "{{ k8s_auth_kubeconfig }}"
   block:
 
-  - name: Deploy (k8s kubeconfig)
+  - name: Deploy
     ansible.builtin.include_tasks: deploy.yaml
-    when: jo_state|string == 'present'
-  - name: Undeploy (k8s kubeconfig)
-    ansible.builtin.include_tasks: undeploy.yaml
-    when: jo_state|string == 'absent'
+    when: jo_state | string == 'present'
 
-- name: Deploy (with k8s host and API key)
-  when: jo_kubeconfig == 'SetMe'
-  block:
-
-  - name: Deploy (k8s API key)
-    ansible.builtin.include_tasks: deploy.yaml
-    when: jo_state|string == 'present'
-  - name: Undeploy (k8s API key)
+  - name: Undeploy
     ansible.builtin.include_tasks: undeploy.yaml
-    when: jo_state|string == 'absent'
+    when: jo_state | string == 'absent'

roles/operator/tasks/dm.yaml

@@ -1,6 +1,28 @@
 ---
 
 # Common playbook preparation.
+#
+# We expect: -
+#
+# - kubeconfig (defined, that might point to a KUBECONFIG file)
+#
+# We process: -
+#
+# - K8S_AUTH_HOST (optional)
+# - K8S_AUTH_API_KEY (optional)
+# - KUBECONFIG (optional)
+#
+# One method of Kubernetes authentication must be provided.
+# On exit the following variables have been set (although some may be blank/None): -
+#
+# - k8s_auth_api_key
+# - k8s_auth_host
+# - k8s_auth_kubeconfig
+
+- name: Assert inputs
+  ansible.builtin.assert:
+    that:
+    - kubeconfig is defined
 
 # Expose ansible version
 - name: Display Ansible version
@@ -20,29 +42,58 @@
 
 # Kubernetes credentials ------------------------------------------------------
 
-# We don't use the Kubernetes credentials directly,
-# but we load them into variables here from their
-# expected environment variables so that we can assert they've been set.
+# If a kubeconfig value is set we use that.
+# Otherwise if K8S_AUTH_HOST is defined we use that (AWX).
+# Otherwise if KUBECONFIG is defined we use that.
 
-- name: Set initial authentication facts
+- name: Load K8S_AUTH_HOST and K8S_AUTH_API_KEY
   ansible.builtin.set_fact:
     k8s_auth_host: "{{ lookup('env', 'K8S_AUTH_HOST') }}"
     k8s_auth_api_key: "{{ lookup('env', 'K8S_AUTH_API_KEY') }}"
 
-# A kubernetes host and an API key must be set.
-# Either environment variables will have been set by the user
-# or AWX 'kubernetes' credentials will have injected them.
-# Either way the variables 'k8s_auth_host' and
-# 'k8s_auth_api_key' must have been set.
-- name: Assert kubernetes authentication (no kubeconfig)
+- name: Use kubernetes authentication (kubeconfig)
+  ansible.builtin.set_fact:
+    k8s_auth_kubeconfig: "{{ kubeconfig }}"
+  when: kubeconfig | string | length > 0
+
+- name: Use kubernetes authentication (k8s_auth_host)
   ansible.builtin.assert:
     that:
-    - k8s_auth_host|string|length > 0
-    - k8s_auth_api_key|string|length > 0
-  when: jo_kubeconfig == 'SetMe'
+    - k8s_auth_host | string | length > 0
+    - k8s_auth_api_key | string | length > 0
+  when:
+  - kubeconfig | string | length == 0
+  - k8s_auth_host | string | length > 0
+
+- name: Use kubernetes authentication (KUBECONFIG)
+  ansible.builtin.set_fact:
+    k8s_auth_kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
+  when:
+  - kubeconfig | string | length == 0
+  - k8s_auth_host | string | length == 0
 
-- name: Assert kubeconfig defined (kubeconfig)
+- name: Kubernetes authentication must be set
   ansible.builtin.assert:
     that:
-    - jo_kubeconfig|length > 0
-  when: jo_kubeconfig != 'SetMe'
+    - k8s_auth_kubeconfig is defined or k8s_auth_host is defined
+    msg: "You must provide a means to authenticate against Kubernetes"
+
+# We 'set' all the expected variables now (even to None)
+# to avoid the following playbooks having to apply 'default(none)'.
+# Basically we 'define' all three variables here,
+# whether they have a value or not, so any following playbook
+# won't encounter a 'variable not defined error'.
+
+- name: Set variables (with defaults)
+  ansible.builtin.set_fact:
+    k8s_auth_api_key: "{{ k8s_auth_api_key | default(None) }}"
+    k8s_auth_host: "{{ k8s_auth_host | default(None) }}"
+    k8s_auth_kubeconfig: "{{ k8s_auth_kubeconfig | default(None) }}"
+
+- name: Display Host
+  ansible.builtin.debug:
+    var: k8s_auth_host
+
+- name: Display KUBECONFIG
+  ansible.builtin.debug:
+    var: k8s_auth_kubeconfig

roles/operator/tasks/main.yaml

@@ -10,7 +10,7 @@
   register: ns_result
 
 - name: Remove operator material
-  when: ns_result.resources|length == 1
+  when: ns_result.resources | length == 1
   block:
 
   - name: Remove operator Data Manager API RBAC