diff --git a/parameters-scw-production.yaml b/parameters-scw-production.yaml
new file mode 100644
index 0000000..fbbebe8
--- /dev/null
+++ b/parameters-scw-production.yaml
@@ -0,0 +1,12 @@
+---
+
+# A parameter file to replicate the variables used by AWX.
+# The user would run this (armed with a suitable Ansible) with: -
+#
+# export KUBECONFIG=~/k8s-config/kubeconfig-im-main-scw-admin.yaml
+# ansible-playbook site.yaml -e @parameters-scw-production.yaml \
+# -e jo_image_tag=35.0.0 \
+# --vault-password-file ../scw-production-vault.password
+
+jo_installation_name: scw-production
+jo_image_tag: SetMe
diff --git a/parameters-sd.yaml b/parameters-sd.yaml
deleted file mode 100644
index a9d30e4..0000000
--- a/parameters-sd.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-jo_kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
-
-jo_dmapi_namespace: data-manager-api-sygnature
diff --git a/parameters-template.yaml b/parameters-template.yaml
deleted file mode 100644
index ad464c9..0000000
--- a/parameters-template.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-
-# You shouldn't need to edit this file.
-# You can adjust the configuration using environment variables.
-
-# The Operator image tag
-jo_image_tag: "{{ lookup('env', 'IM_DEV_JUPYTER_O_TAG') | default('19.2.2', True) }}"
-
-# Here we use the Docker Desktop built-in Kubernetes cluster,
-# which has a default domain of 'kubernetes.docker.internal'
-jo_ingress_domain: "{{ lookup('env', 'IM_DEV_K8S_HOSTNAME') | default('kubernetes.docker.internal', True) }}"
-
-jo_ingress_tls_secret: ''
-jo_ingress_cert_issuer: letsencrypt-nginx-production
-# The Data Manager Kubernetes namespace
-jo_dmapi_namespace: data-manager-api
-# Supported namespaces
-jo_namespaces: data-manager-api
-
-# The KUBECONFIG reference.
-# Used outside of AWX to set kubernetes credentials.
-jo_kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
diff --git a/roles/operator/defaults/main.yaml b/roles/operator/defaults/main.yaml
index fc75e07..6a4d591 100644
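Review bot: The file sets `jo_installation_name` without saying what it selects: elsewhere in this commit the operator role includes `sensitive-{{ jo_installation_name }}.vault` via `include_vars`, so the value must match an existing vault file and is used as part of a file name. A one-line comment would save the next user a hunt, e.g. `# The installation name also selects the Ansible Vault file (sensitive-<name>.vault) loaded by the operator role.` The usage comment already keeps the vault password file outside the repository, which is the right place for it.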
--- a/roles/operator/defaults/main.yaml
+++ b/roles/operator/defaults/main.yaml
@@ -5,7 +5,7 @@ jo_state: present # The kubernetes config file. -jo_kubeconfig: SetMe +jo_kubeconfig: '' # The Operator container image and tag jo_image: informaticsmatters/data-manager-jupyter-operator
diff --git a/roles/operator/tasks/dm-patch.yaml b/roles/operator/tasks/dm-patch.yaml
index 5d23a69..5df35ff 100644
--- a/roles/operator/tasks/dm-patch.yaml
+++ b/roles/operator/tasks/dm-patch.yaml
@@ -9,7 +9,7 @@ - name: Assert Namespace ({{ jo_dmapi_namespace }}) ansible.builtin.assert: that: - - ns_result.resources|length == 1 + - ns_result.resources | length == 1 - name: Get Data Manager ServiceAccount kubernetes.core.k8s_info:
@@ -21,7 +21,7 @@ - name: Assert ServiceAccount ansible.builtin.assert: that: - - sa_result.resources|length == 1 + - sa_result.resources | length == 1 - name: Deploy Data Manager Material kubernetes.core.k8s:
diff --git a/roles/operator/tasks/dm.yaml b/roles/operator/tasks/dm.yaml
index f97c332..3c4c553 100644
--- a/roles/operator/tasks/dm.yaml
+++ b/roles/operator/tasks/dm.yaml
@@ -1,10 +1,21 @@ --- -# A ply to deploy objects to the chosen Data Manager namespace. +# A play to deploy objects to the chosen Data Manager namespace. # In this case it's a Role and RoleBinding - name: Prep ansible.builtin.include_tasks: prep.yaml + vars: + kubeconfig: "{{ jo_kubeconfig }}" + +# Include sensitive (Ansible Vault) variables based on the installation name. +# We include 'sensitive-local.vault' variables if the installation name is 'local'. +# The user will need to provide the vault password. + +- name: Include sensitive (vault) variables ({{ jo_installation_name }}) ansible.builtin.include_vars: file: sensitive-{{ jo_installation_name }}.vault + when: jo_installation_name | length > 0 # Check the Data Manager Namespace and Service Account exists...
diff --git a/roles/operator/tasks/main.yaml b/roles/operator/tasks/main.yaml
index 6ebec53..a96d719 100644
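Review bot: The comment above `jo_kubeconfig` still reads `# The kubernetes config file.` although the default changed from the `SetMe` sentinel to the empty string, and the empty string now carries a meaning of its own: per prep.yaml in this commit, an empty value makes the role fall back to `K8S_AUTH_HOST`/`K8S_AUTH_API_KEY` and then to the `KUBECONFIG` environment variable. I would extend the comment to `# The kubernetes config file. Leave empty to authenticate with K8S_AUTH_HOST/K8S_AUTH_API_KEY or the KUBECONFIG environment variable instead.` so a reader of the defaults file does not have to reverse-engineer prep.yaml to learn that.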
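Review bot: The new `Include sensitive (vault) variables` task loads a vault file whose name is built from `jo_installation_name`, a value supplied on the command line, and it carries no `no_log`; `include_vars` reports the variables it loaded in its task result, so a verbose run (`-v`) can print the decrypted vault contents to the console and to any job log AWX keeps. I would add `no_log: true` to the task, and validate the name before using it in the file name, e.g. a preceding assert with `- jo_installation_name is match('^[A-Za-z0-9_-]+$')`, so the include can only resolve to a `sensitive-<name>.vault` file in the directory it is meant to read from. The same task is added identically to roles/operator/tasks/main.yaml in this commit, so both copies need the change; the `Prep` include in this hunk is unaffected.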
--- a/roles/operator/tasks/main.yaml
+++ b/roles/operator/tasks/main.yaml
@@ -2,34 +2,36 @@ - name: Prep ansible.builtin.include_tasks: prep.yaml + vars: + kubeconfig: "{{ jo_kubeconfig }}" + +# Include sensitive (Ansible Vault) variables based on the installation name. +# We include 'sensitive-local.vault' variables if the installation name is 'local'. +# The user will need to provide the vault password. + +- name: Include sensitive (vault) variables ({{ jo_installation_name }}) + ansible.builtin.include_vars: + file: sensitive-{{ jo_installation_name }}.vault + when: jo_installation_name | length > 0 - name: Assert operator version defined ansible.builtin.assert: that: - - jo_image_tag|length > 0 + - jo_image_tag | length > 0 - jo_image_tag != 'SetMe' -- name: Deploy (with k8s kubeconfig) - when: jo_kubeconfig != 'SetMe' +- name: Go module_defaults: group/k8s: - kubeconfig: "{{ jo_kubeconfig }}" + host: "{{ k8s_auth_host }}" + api_key: "{{ k8s_auth_api_key }}" + kubeconfig: "{{ k8s_auth_kubeconfig }}" block: - - name: Deploy (k8s kubeconfig) + - name: Deploy ansible.builtin.include_tasks: deploy.yaml - when: jo_state|string == 'present' - - name: Undeploy (k8s kubeconfig) - ansible.builtin.include_tasks: undeploy.yaml - when: jo_state|string == 'absent' + when: jo_state | string == 'present' -- name: Deploy (with k8s host and API key) - when: jo_kubeconfig == 'SetMe' - block: - - - name: Deploy (k8s API key) - ansible.builtin.include_tasks: deploy.yaml - when: jo_state|string == 'present' - - name: Undeploy (k8s API key) + - name: Undeploy ansible.builtin.include_tasks: undeploy.yaml - when: jo_state|string == 'absent' + when: jo_state | string == 'absent'
diff --git a/roles/operator/tasks/prep.yaml b/roles/operator/tasks/prep.yaml
index 6cf08f2..3569110 100644
--- a/roles/operator/tasks/prep.yaml
+++ b/roles/operator/tasks/prep.yaml
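Review bot: The `Go` block hands all three of `host`, `api_key` and `kubeconfig` to `group/k8s` at once, while prep.yaml in this commit fills `k8s_auth_host`/`k8s_auth_api_key` from the environment before it decides which method to use, so when a kubeconfig is supplied and `K8S_AUTH_HOST` is also exported both credentials reach the modules and which one wins is left to kubernetes.core's argument precedence rather than to this playbook. I would make the choice explicit by blanking `k8s_auth_host` and `k8s_auth_api_key` in prep.yaml's `Use kubernetes authentication (kubeconfig)` task, or by passing only the selected pair here. Separately, `Go` is not a descriptive block name; `- name: Deploy or undeploy (with the selected Kubernetes credentials)` says what the block does. The hunk's last context line is the end of the file's visible task list, but the block may continue beyond it.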
@@ -1,6 +1,28 @@ --- # Common playbook preparation. +# +# We expect: - +# +# - kubeconfig (defined, that might point to a KUBECONFIG file) +# +# We process: - +# +# - K8S_AUTH_HOST (optional) +# - K8S_AUTH_API_KEY (optional) +# - KUBECONFIG (optional) +# +# One method of Kubernetes authentication must be provided. +# On exit the following variables have been set (although some may be blank/None): - +# +# - k8s_auth_api_key +# - k8s_auth_host +# - k8s_auth_kubeconfig + +- name: Assert inputs + ansible.builtin.assert: + that: + - kubeconfig is defined # Expose ansible version - name: Display Ansible version 
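Review bot: The new `Assert inputs` task checks only that `kubeconfig` is defined and gives no `msg`, so a caller that forgets the `vars:` on its `include_tasks` sees a bare assertion failure; the later `Kubernetes authentication must be set` assert in this file does supply a message, so for consistency add `msg: "'kubeconfig' must be passed by the including task (an empty value is allowed)"`. The header comment says the variable `might point to a KUBECONFIG file` but not that an empty value is the signal to try the other methods, which is how the rest of prep.yaml treats it; one line stating that would remove the guesswork.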
@@ -20,29 +42,58 @@ # Kubernetes credentials ------------------------------------------------------ -# We don't use the Kubernetes credentials directly, -# but we load them into variables here from their -# expected environment variables so that we can assert they've been set. +# If a kubeconfig value is set we use that. +# Otherwise if K8S_AUTH_HOST is defined we use that (AWX). +# Otherwise if KUBECONFIG is defined we use that. -- name: Set initial authentication facts +- name: Load K8S_AUTH_HOST and K8S_AUTH_API_KEY ansible.builtin.set_fact: k8s_auth_host: "{{ lookup('env', 'K8S_AUTH_HOST') }}" k8s_auth_api_key: "{{ lookup('env', 'K8S_AUTH_API_KEY') }}" -# A kubernetes host and an API key must be set. -# Either environment variables will have been set by the user -# or AWX 'kubernetes' credentials will have injected them. -# Either way the variables 'k8s_auth_host' and -# 'k8s_auth_api_key' must have been set. -- name: Assert kubernetes authentication (no kubeconfig) +- name: Use kubernetes authentication (kubeconfig) + ansible.builtin.set_fact: + k8s_auth_kubeconfig: "{{ kubeconfig }}" + when: kubeconfig | string | length > 0 + +- name: Use kubernetes authentication (k8s_auth_host) ansible.builtin.assert: that: - - k8s_auth_host|string|length > 0 - - k8s_auth_api_key|string|length > 0 - when: jo_kubeconfig == 'SetMe' + - k8s_auth_host | string | length > 0 + - k8s_auth_api_key | string | length > 0 + when: + - kubeconfig | string | length == 0 + - k8s_auth_host | string | length > 0 + +- name: Use kubernetes authentication (KUBECONFIG) + ansible.builtin.set_fact: + k8s_auth_kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}" + when: + - kubeconfig | string | length == 0 + - k8s_auth_host | string | length == 0 -- name: Assert kubeconfig defined (kubeconfig) +- name: Kubernetes authentication must be set ansible.builtin.assert: that: - - jo_kubeconfig|length > 0 - when: jo_kubeconfig != 'SetMe' + - k8s_auth_kubeconfig is defined or k8s_auth_host is defined + msg: 
"You must provide a means to authenticate against Kubernetes" + +# We 'set' all the expected variables now (even to None) +# to avoid the following playbooks having to apply 'default(none)'. +# Basically we 'define' all three variables here, +# whether they have a value or not, so any following playbook +# won't encounter a 'variable not defined error'. + +- name: Set variables (with defaults) + ansible.builtin.set_fact: + k8s_auth_api_key: "{{ k8s_auth_api_key | default(None) }}" + k8s_auth_host: "{{ k8s_auth_host | default(None) }}" + k8s_auth_kubeconfig: "{{ k8s_auth_kubeconfig | default(None) }}" + +- name: Display Host + ansible.builtin.debug: + var: k8s_auth_host + +- name: Display KUBECONFIG + ansible.builtin.debug: + var: k8s_auth_kubeconfig
diff --git a/roles/operator/tasks/undeploy.yaml b/roles/operator/tasks/undeploy.yaml
index 5841763..6d6bf33 100644
--- a/roles/operator/tasks/undeploy.yaml
+++ b/roles/operator/tasks/undeploy.yaml
@@ -10,7 +10,7 @@ register: ns_result - name: Remove operator material - when: ns_result.resources|length == 1 + when: ns_result.resources | length == 1 block: - name: Remove operator Data Manager API RBAC
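Review bot: The final `Kubernetes authentication must be set` assert can never fail: `k8s_auth_host` is always defined by the `Load K8S_AUTH_HOST and K8S_AUTH_API_KEY` set_fact earlier in this hunk (the env lookup yields an empty string when the variable is unset), and the `(KUBECONFIG)` branch defines `k8s_auth_kubeconfig` the same way, so `is defined` holds even when every credential is blank. With all three values empty the k8s modules in main.yaml are left to their own defaults, so a run with no credentials configured may quietly act on whatever cluster the operator's default kubeconfig points at instead of stopping here. Test the values rather than their existence: `- (k8s_auth_kubeconfig | default('') | string | length > 0) or (k8s_auth_host | string | length > 0)`. Separately, `k8s_auth_api_key` passes through two `set_fact` tasks without `no_log: true`; set_fact results are echoed at `-v`, so the key can land in console output and AWX job logs, and `Display Host` should stay as it is (it prints only the host).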