DEV-319: feat: split dev/qa into own hetzner projects

4 years ago · 5d604700dd
parent b24ab2e823
commit 5d604700dd
73 changed files with 1404 additions and 1671 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -1,4 +1,4 @@
 [submodule "kubespray"]
  path = kubespray
  url = https://github.com/kubernetes-sigs/kubespray.git
-  branch = v2.17.1
+  branch = v2.18.0
--- a/README.md
+++ b/README.md
@ -98,10 +98,3 @@ IPFire
 Prometheus (Grafana)
  docker exec -i dev-prometheus-01-grafana sh -c 'grafana-cli plugins install grafana-piechart-panel'
  docker restart dev-prometheus-01-grafana
 AWX
  -> /etc/kubernetes/k9s
  wget https://github.com/derailed/k9s/releases/download/v0.24.14/k9s_Linux_x86_64.tar.gz
  tar -xzf k9s_*.tar.gz -C .
  ln -s /etc/kubernetes/k9s/k9s /usr/bin/k9s
  kubectl taint nodes --all node-role.kubernetes.io/master-
--- a/create-database.yml
+++ b/create-database.yml
@ -82,7 +82,10 @@
  pre_tasks:
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
  roles:
    - role: connect_postgres
--- a/create-realm.yml
+++ b/create-realm.yml
@ -65,7 +65,10 @@
  pre_tasks:
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
  roles:
    - role: connect_realm
--- a/create-server.yml
+++ b/create-server.yml
@ -118,7 +118,10 @@
      when: ansible_distribution == "Ubuntu"
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
  roles:
    - role: ansible-role-docker
--- a/create-service.yml
+++ b/create-service.yml
@ -57,7 +57,10 @@
  pre_tasks:
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
  roles:
    - role: connect
--- a/evil-remove-server.yml
+++ b/evil-remove-server.yml
@ -26,8 +26,10 @@
      delegate_to: 127.0.0.1
      become: false
  pre_tasks:
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
--- a/external_monitoring.yml
+++ b/external_monitoring.yml
@ -29,7 +29,7 @@
      port: 9115
      proto: tcp
      src: "{{ item }}"
-    loop: "{{ promethues_endpoints_all_stages }}"
+    loop: "{{ promethues_endpoints_all_stages + ip_whitelist_admins}}"
  - name: "Set firewall default policy"
    ufw:
--- a/group_vars/all/plain.yml
+++ b/group_vars/all/plain.yml
@ -106,7 +106,7 @@ smardigo_plattform_users:
  - 'friedrich.goerz'
 ip_whitelist_admins:
-  - "87.150.38.134/32" # sven
+  - "79.215.10.239/32" # sven
  - "212.86.56.112/32" # peter
 ip_whitelist:
@ -123,13 +123,12 @@ docker_compose_path: "/usr/bin/docker-compose"
 service_base_path: '/etc/smardigo'
 # TODO we need a company email addresses
 gitea_admin_email: "nso.devops@netgo.de"
 lets_encrypt_email: "nso.devops@netgo.de"
 docker_admin_email: "nso.devops@netgo.de"
 connect_admin_email: "nso.devops@netgo.de"
 keycloak_admin_email: "nso.devops@netgo.de"
 pgadmin4_admin_email: "nso.devops@netgo.de"
 harbor_oidc_admin_email: "nso.devops@netgo.de"
 http_port: "80"
 https_port: "443"
--- a/group_vars/k8s_cluster/plain.yml
+++ b/group_vars/k8s_cluster/plain.yml
@ -9,9 +9,15 @@ kube_network_plugin: calico
 kube_proxy_metrics_bind_address: 0.0.0.0:10249
 kubelet_preferred_address_types: InternalIP,ExternalIP,Hostname
 docker_log_opts: "--log-opt max-size=100m --log-opt max-file=5 --log-opt compress=true"
 #TODO https://github.com/kubernetes/kubernetes/pull/59898
 containerd_max_container_log_line_size: 51200
 helm_enabled: true
 #TODO configuration migration needed
 #cert_manager_enabled: true
 #TODO configuration migration needed
 #ingress_nginx_enabled: true
 #TODO configuration migration needed
 #argocd_enabled: true
 #TODO configuration migration needed
 #krew_enabled: true
--- a/group_vars/keycloak/plain.yml
+++ b/group_vars/keycloak/plain.yml
@ -7,48 +7,3 @@ keycloak_postgres_host: "{{ shared_service_postgres_01_hostname }}"
 keycloak_postgres_database: "{{ stage }}_keycloak"
 keycloak_postgres_username: "{{ keycloak_postgres_database }}"
 keycloak_postgres_password: "keycloak-postgres-admin"
 # TODO shouldn't be declared in a static way -> must be stage specific
 keycloak: {
  realms: [
    {
      name: 'docker',
      display_name: 'docker',
      users: [
        {
          "username": "{{ docker_admin_username }}",
          "password": "{{ docker_admin_password }}",
          "email": "{{ docker_admin_email }}",
        }
      ],
      groups: [
        {
          "name": "awx",
        },
        {
          "name": "admin",
        },
        {
          "name": "smardigo",
        },
      ],
      clients: [
        {
          clientId: '{{ harbor_oidc_client_id }}',
          name: '{{ harbor_oidc_client_id }}',
          admin_url: '',
          root_url: '',
          redirect_uris: '
            [
              "{{ http_s }}://{{ shared_service_harbor_hostname }}/*",
            ]',
          secret: '{{ harbor_oidc_client_secret }}',
          web_origins: '
            [
              "{{ http_s }}://{{ shared_service_harbor_hostname }}",
            ]',
        }
      ]
    }
  ]
 }
--- a/group_vars/management/plain.yml
+++ b/group_vars/management/plain.yml
@ -28,15 +28,13 @@ current_realm_clients: [
    clientId: "{{ management_oidc_client_id }}",
    admin_url: '',
    root_url: '',
-    redirect_uris: '
+    redirect_uris: [
      [
        "{{ http_s }}://{{ connect_base_url }}/*"
-      ]',
+    ],
    secret: '{{ management_oidc_client_secret }}',
-    web_origins: '
+    web_origins: [
      [
      "{{ http_s }}://{{ connect_base_url }}"
-      ]',
+    ],
  }
 ]
@ -45,12 +43,11 @@ current_realm_users: [
    "username": "{{ management_admin_username }}",
    "password": "{{ management_admin_password }}",
    "email": "{{ connect_admin_email }}",
    "requiredActions": []
  }
 ]
-current_realm_admin_users: [
+current_realm_admin_user:
-  {
+  username: "{{ management_realm_admin_username }}"
-    "username": "{{ management_realm_admin_username }}",
+  password: "{{ management_realm_admin_password }}"
-    "password": "{{ management_realm_admin_password }}",
+  email: "{{ connect_admin_email }}"
-    "email": "{{ connect_admin_email }}",
+  requiredActions: []
  }
 ]
--- a/group_vars/stage_dev/plain.yml
+++ b/group_vars/stage_dev/plain.yml
@ -260,8 +260,11 @@ elastic_stack_network: {
  dev-elastic-stack-elastic-03: "{{ shared_service_elastic_03 }}",
 }
-harbor_oidc_realm: "docker"
+harbor_oidc_realm: "harbor"
 harbor_oidc_client_id: "harbor"
 harbor_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
 harbor_oidc_admin_username: "harbor-admin"
 harbor_oidc_admin_password: "harbor-admin"
 postgres_listen_addresses: "listen_addresses = 'localhost,{{ stage_server_ip }},{{ stage_private_server_ip }}'"
@ -302,9 +305,6 @@ pgadmin4_admin_password: "pgadmin-admin"
 awx_admin_username: "awx-admin"
 awx_admin_password: "awx-admin"
 docker_admin_username: "docker-admin"
 docker_admin_password: "docker-admin"
 management_admin_username: "management-admin"
 management_admin_password: "management-admin"
 management_realm_admin_username: "management-realm-admin"
@ -338,7 +338,6 @@ argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"
 harbor_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
 management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
 # smardigo automation DEV gpg key
--- a/group_vars/stage_prodnso/plain.yml
+++ b/group_vars/stage_prodnso/plain.yml
@ -262,8 +262,11 @@ elastic_stack_network: {
  prodnso-elastic-stack-elastic-03: "{{ shared_service_elastic_03 }}",
 }
-harbor_oidc_realm: "docker"
+harbor_oidc_realm: "harbor"
 harbor_oidc_client_id: "harbor"
 harbor_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
 harbor_oidc_admin_username: "harbor-admin"
 harbor_oidc_admin_password: "{{ harbor_oidc_admin_password_vault }}"
 postgres_listen_addresses: "listen_addresses = 'localhost,{{ stage_server_ip }},{{ stage_private_server_ip }}'"
@ -304,9 +307,6 @@ pgadmin4_admin_password: "{{ pgadmin4_admin_password_vault }}"
 awx_admin_username: "awx-admin"
 awx_admin_password: "{{ awx_admin_password_vault }}"
 docker_admin_username: "docker-admin"
 docker_admin_password: "{{ docker_admin_password_vault }}"
 management_admin_username: "management-admin"
 management_admin_password: "{{ management_admin_password_vault }}"
 management_realm_admin_username: "management-realm-admin"
@ -340,5 +340,4 @@ argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"
 harbor_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
 management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
--- a/group_vars/stage_prodnso/vault.yml
+++ b/group_vars/stage_prodnso/vault.yml
@ -1,276 +1,276 @@
 $ANSIBLE_VAULT;1.1;AES256
-30353361303861653361316264663262363466643065323837313631363961616439353137323062
+35613439643036366262653161636232346233336339346132326466613161343263393632323037
-3964666238393265383133646462663038653335623462390a313062323831353630343362656639
+3765626461663264316537306566383338636230613236370a393239616432343131353237646261
-30356237646361626564363534393335626564653062316639353839613739396131363338343334
+39633237333735313464613064373763326266313139366238656637386362376539643438336264
-6265313839613337660a326263313838326363613535316233373338306430396166313861306333
+3063633030643630370a643761373766363036363165666139396362323135383332323833393865
-34636239626435356438316434663832393066373939633239373230306534306362346635323232
+34353530353261323338303863313131333362336466356638366635623865366564346164633334
-37363939666261663634303765653836613737396534646339356230316234303937653063306665
+32393830363935336232313466646535623233313939313235656532373239386262323363636337
-31363637306638386564613562383332366532396237393663636262323937306630616663643835
+34643032316666326630373561613865643834623737333263303965613733366430303230303536
-33336431653365323632393536356639383763323839376662653134313966623066336530323232
+32653839666433626363313035646266616362383366656666636137643635313331306431396335
-35633363323430386436373765316333396632303264653163363635353538653933306431363664
+61633238303136363665646533353065373238643863303337663437616666346265326331633038
-61383035663765306536396464326265353663363131626164613963386434613530656532316664
+32613630656264643261616535616534303339646333316537353262366463663663393434333330
-63623631666636343131366364383434316331636334616231363231623166343832396136376634
+61316134353536336266613939353932613532643135383536343539353535393663653139373164
-36623162623531623538306665393732363766393662616366636566393434393463343439666330
+32356237316237646638373863313665306365316361336536653730653631313839633030343735
-34636663613034313937356263343766633065333837313436626236333565303138373238373065
+37633661336432333037656636633530643631396131643364343938316336346665636530366662
-64323763343432363636383535626461323531316338663139323338653834646566643131346165
+36653137353062326434623033383639356630623764653336356139343038313934316436396332
-33383462613739326231393036616132303530316464333639643633343365373763653562343266
+32653633613335333937663233316639623438373633313837646463636363623439666330383232
-61316138633138356662626634313335363864343566346566306365323766323435626435343636
+38313535663832383564363236376664303534393335666562373563376564346233306230613635
-66353034663833323733656362323733306332613966396633623833323334623666306362643433
+66623639323561353831383631363863616233336234666132613939316264303231636537633161
-36626362336232653539666431383633316364303433343139613063616664333939323635303861
+37323064313664393161663339656466616333363533353230646131636139633838366537373637
-30626538626265363161336336363364663765666565356565663964393830626539623932653833
+31303637623462326236303335323562666462616239383239306636356663636337313135376332
-61393465343563383762336638393861646538616238663362633966633433353264316136356334
+30363036306164656433353735333131383336633335323833393966306130613164323931316237
-33633739346434313964396166633839636462303861303735343735656331643537616131353737
+36313362373535616535303161623166323134613662383862656265303632613261356563366630
-33636134663366623061356432386463373064366163313764313335303434303833333138396236
+64303436303038346238666430626335313830396635393631383661323265663966626635356337
-37353635356361616563646537353632383862393830333362636431383037376661346461343731
+33623361333066393232303061313361386634353733386238383266323836373564623239356566
-34626430636636373038353435316434613730623135636136373032643161613836303765386431
+31653834386530353066636233653039663339303432303364313630323231623533313839393666
-35653931386335663366363839656562336536376235373936623465636466333039656135613339
+32626364636538393734623133346430626265346536643431306639386639373036306234623065
-35376536323738323439336431363864663465663739623831303463306631323066353763323931
+65353338303739643561386266356432303362326436373864646330313039643763356634353462
-37306633613739376139663337366331353939323962336461656363366434313536616465383965
+37643764386563393736383633323431323765666562663965366531333735393931653032653730
-34303262613165316635666165653135313136663035376664363435376362383563616535376661
+37353536653832376237303765393862316335656534336466396461626530646163613431376534
-61633365303565373030376563653463616338616265313238383331636162333163383930643761
+36333536373062346662666664646563316162313835343431373165633766386663666464333564
-39373037356564663234383532396636616162623438373633663537386562346363323235366438
+30303136646131313430666330383964623837656534323939666631656234386564626562353232
-62393462316337646337383732636235613738376466326330346166616164623361363964313635
+37616439303761613434623361323534393737653439353565646365616231306565353066656430
-64326338323336323266353463613062663932616536646639353065366534623961303762363931
+38346332363461383864303163656335323237376461353934363930353032343163316661396532
-61363635656631383538343337363531663131653365633965313961383131393063663865383962
+37346430336564323237366261313330316131363166626366643463373830303935333339303239
-65613132306233643836353636646362663331643839383932346136393739316638656266346163
+31353332383361643563623765646236396335656236323131346362373332376438376362656435
-30393938646263383338366335613838613537333663656139303630303234303165346666616430
+64623735333330323930366462306631386466643537363063623865323161313262316235333835
-39393861333838646332666234383133363837326639633036306563363063336633623634656136
+36396636666263616330626565373732323238336465333934396432653661653031333835303939
-33663864336461363733623531353565326632663236373563616162373566666633633237346363
+36333636363564363638353734643439626632623962333037656131613937643062336338316163
-66616263383833333034663630373464373630386636636331386465633130633735653332376163
+33373131653338343835343930613263353035666137393065613061613931303533366435643638
-38336634363232336331376161333837653335343064333565626164316661646663613365363933
+38663431323034383933303166323635656465333935383066353538316332653436393234336433
-61323438656333326434393032313361363264303635353236353939633262313833613663323639
+65376331306365363762643164316439326135393865643438653565616266616534373162376661
-38356638663362633137613533656432666430373631616537656330383030303733366230386338
+32346431333130323533333831613538373533353738306238623064396235343234346531623862
-65316536393432666663373266646237353839396365373261386663636634333232303334343864
+30623162373035363734316130393230646439353461323062303461393232373037373736353337
-65346336666334623139396533303462663435623365613835323734383863386261346139386230
+30656463653837363139636536633735663030333465306565303636323036383566636537633033
-36383735313832343638343738656334383437653234626532653031663132346130666563653465
+62373365643262363661383936353136613032323632323161396161303336333263613735313938
-38643538666534613439316432366165393464623562333034353234323863393039353634626238
+38653733633535646637653337386363316331326135346535333838323331373738333366333738
-32383035393730663466663866393931363163306231326138383231643239643165323263636431
+35343965616236333231646631353536633062323533663134623531303736323864353334373766
-65653837653531346266336331363563633137323738653531623762393433373831643162313539
+63376635346137323632373034656339663530663637323230633361366164366361653735373963
-37626534313662376631663535356265343166363539653564303931633566356633626166383364
+61306633373330376663613236346636323837366161633032336634646239326561643430633334
-31613638303930346330336634303165663438666634333637636537626436653937666664646138
+61643839363530663139623332383832623561633836333264386264626432306333323935663561
-66353732346566303565623261613536366538623830623430616364386662336130366633346165
+32303463663838366434646264623230383239353639613335653261383161383730646334613162
-34303530636331353633626664383064376532653733636636633039643836386239363366396662
+65363430356338343462653131333666346536353264333237303363643737393230646236626363
-37373436313930356131613131303431326666343434326465336430306563363735363036623936
+37346261636165656166313464323931643561323863663064323435363064393866393564393632
-31613530393130373633303337393161633565326565393966386430613466383737316634303762
+32356439316333653230333431383764336565306362326339393332653734383533356633326366
-38636638326130363131653233333234333431643064333136616131613936336335656237366466
+31363237666330363734303261376536336632613664333630386137383830646539666137336664
-61376433343039323431393865663031623863326463353137346633356238396436343237386263
+34653231346639313833623530613531376165343035326539326530386338366138363462613430
-64336431323835643763313764333233343535643534616465383266353136656538633630323462
+63656539626637303932313339323566623332396465343233353261393234393537633631396665
-32353033386537666635306330626465323630343936633733396262666339396331346136353062
+34363964353261303734343530353930326230333166633135653437626666376238613062666339
-38623336653732653338333435343333313237313031363439363737346263663862373462373132
+62386663646231663563323861616564633862326164323638383637333739636434633038653235
-38316564393738396530663862613235643035646530306131303039366538613238336638346566
+33313564393965646333343336343762643362326165323166393066626334646537306438656164
-62346130393266626537393332656232343164646366373666616466313636323865616632656463
+63373834366438326433366236333836386236623937303434643762333532613764663039383235
-32623264346136633234336435303761653063316634336262383366313632373733366536323439
+36323034353064623338663239346431393965646462636633646163623337383865373063333737
-33373332616639393130336430326237356538616132366536343461353033326633646331366138
+30646237366635326532626238313864623732336664323061646435653466643765323064303134
-37656136303763353735323330376436613035373866656231343830653432393230653935343232
+36386266313865366266396166366134383130663536313334383631356132353335303130366366
-62346435616466653138363961303038313061396530316466643336376337363162623135656334
+38363865646337383330316464353439386232393033393034303732373466336237613038356236
-31666461613638303761353236666563326564376164633438313132343163386138646463376335
+31386263643031303265366661306163393161643634353638633535656530333633613363646635
-63303931646337653664633565366166306237656561306433303735386163316633333030626266
+65333439613030393235366437653361303066613035333966313635316234386266366430376664
-65386131623538663037616164333435336435613564356331663430333665393732633438386535
+62343664646661376435633334396261616230303466373934633766343132333966383033306337
-61633535343931656239353731346637383361306162636463346665663231633738386434386531
+32366431653032643531616365663839623432623132643362376538663462656536653530323832
-38633335616530333632326635393361396166313265653763363065666133393735376239383039
+34373936643038616266373932323734396338306364626637366131353861616433656135303963
-31383831646537333531376631313637306634663864653261313437373939376165613830376236
+33626538336438383233646635383164386365616638663565336232376133306434343538663563
-63623336663131333932643933333962363062646332343262383365376563646139323066346631
+64326366626631636231623636653662306365626432326665353037616239616630306137633538
-61323765393035366532336365396335333466326461313836386437616263336133346130333535
+31316133643964366666326465303337343466663064616431376161623133356465366263613337
-32306664393362366663646536306263376164623130323030326563646231616561613464653565
+34643334393534313235363531663066336137306533323630653533353834313466323332363735
-65626531633966363433363439346564663232353366666632373333343335633534363033663938
+62336134373031666135663966646630326431663534386435383536306133353931346361383834
-36646632663236626164663530356463363436343865663938613232613331393266656638396538
+65313339396461643164353639373135333733623334366664396236336531383637646336643935
-63646533306537616635323365303837373861656339333761653438396664323330396432613530
+66353934353063663935313937373230353135363766656134346463623032373733336465303635
-33333361653735336564623832326334313265356633373332343934623436346361633635383064
+35643965653539336230323435396462626437353238393064363934643866306264306231373266
-64313763303431666262316431626564313561636430616631376237623732663236663132336537
+61623537326531383664323830386265613034313632303664633461333137353936363664636264
-36656133393431333537633263326636313163663732633263396339616134393264383132343636
+61336433393134326237636136613766333938323736323831613863313538623137363330353037
-63383939326563616434626664376337633235366166626432396165323931386539363262343034
+63363437393736623261396165373233316163386364613733386632306362376535343937323937
-66316164376664623166313261373633633430343332636638343133336435336337656564636430
+32656431396435393663383063356162646534353831643161373130633135366365313965376131
-31363736313135353831313938653736623036316633363562333539663862363534613238323761
+38323830303133346139636338313837303030376364333034643466336436396432343136303862
-38613962633734326562643934303761313762353130636566343765306438626135313961653631
+33363333346139613636316662353363376433373931356264643734316138323835323430343831
-30653331333632326461343730613433376366373535663763356664383537613262356664313030
+32343438336266323763333432653865366333626533393034376665393032623331316139366464
-32346464633830303466623337613561313134323637623861653333643333626462626163343761
+35636562383962363131356130386139323364346662393434323861633136393534643534663434
-39323530366266343464366133613238366230363035373833343332333439353032326233653737
+39343833616438343233656365646331363863336366396431346161623662646465623363633036
-64643238613062373938353939363736633239353537663633646334396563343565336335323938
+64653439396232616164383538333763636366623463666561636262666562393831373036663333
-63393465383962363039336163333138376162373537356530393035386233333439663333316436
+61336163353133316233353134383830633032386534303533393437333136616563613131643261
-63363961646437363037333839396163323639363234343031336233323132393362306439336232
+36356538633733656631363637656362343732626461383237303664323130646634666562303465
-38363237346134343466613262396536626234623938356134316366333138306333366237626534
+65313337383265316636333837623263643138626237373563383765356563316466383165343435
-39636634306535313934636261333266626362353030633735643061666136323732653733373835
+38316432373433323036363230396231383565616632663737333965313034613136656562383966
-33303131623236303237653636323365653963363064343633316537653036313634346664373565
+65363639346161333738373038323065313638383261626161323738326431643131323064376664
-35386462376233383335623263666461356637613161616662343934663266616164643561616466
+65353964326434313438666536393431393034333537623366656364343534616439396430316562
-30306531323265383032663636646534383538643436343237393261303930386136613433363335
+66313465306563373236396539623931373166306662616565653636303632393435663638626664
-32343536306331306165393837663136623639303633353038323938353631643136386462303230
+37326566353863383230323733313164646561326666353837356235393130363337626361323833
-35333835343738626237396365306365316265653463653866663237616561353630613161306162
+33393639393930653666393862636235353035306238643463643231366434366232396366383665
-31393334333539373533383339343666376233336363333537363731323738353731303465336462
+61323234336534363534306431613331613232626533663736633063313462306666336236666365
-65613066323431646564623235323532343530316363656231356465366163343838646261393336
+36613737623534353162376264626266313730663962663961393061346163656531643362373864
-33353930663233313338346230353964326361376432343032613865323538313537623161623863
+61373032613861656330303964623330376332353463663066613865623931336138306336643437
-38333334666262656530393932663161303732383461613561393039373765333839323036643237
+36616361663461653639616463623462376433303433656361356565356135376362366563373039
-62653265343939656666313133396137353935333563643930383066326563396530306339626335
+64333633653563323039343932353136633664633735613363613834353131386239393133653932
-38383436666163643639353562646232353138666363323832646230343366346636376261626139
+35396437396566656138363339613230353263623330343430346530313330646632613834656233
-62613063363737366634383065363964613864633638613763373165373833613130313262303864
+33646531333536336436343234343235363064386363643837333062623331336439616330333461
-31633533613531316462623038323464313530646635623461653165663162363036353135633833
+35383335396365643037356362346231313737663632306436303136623763346666613735656439
-38383035333732646531653832373531663238376434653337616237373131663733626663613562
+32626261303635653165356236366631616637626165343135336238633164376364303861313033
-33653234323430343433643632343361633732623661663265343432323763323330353064646436
+31646435613639313464323338336237633435393130353466366265306462326632316466643462
-37303164313633313863643865666463623365653761396336356630346437363866326131623434
+64646438353064326161353538626239646463623139626130326438623265623935313035313338
-39366263303630663364323563343830326534376437373239653561313037653661333532653238
+62656431636135636535393133636563353266373336656335373337386435303338326666383862
-34663536383132373032363733616536663161303033613235343534623664343531386535656664
+61353930633632306564373239656330373566363935303663633530616238316139373865616339
-62346662373366633964613963333962363763626366663138363235366436633637653661633836
+39346431383238356434316231633033343937323031656665653738636465643436323335386434
-61383437633737303331373638396534336139303363356662353538366163623333653637373838
+64376165653537383633356237313965646237363435666238336664303139303933363865333630
-30363262656136396436646165623538326631383862643030366262303234653831626433656166
+63636434656661336432643639386664356437653131383830353236313239623965356139633166
-37643762303037333766326233346239613938343738626137646432333732383161356536366265
+63306364663831646365383964663263626265303331373733626466306335333264373438316333
-37336338313166636162366535623332366631653530626334323234333536373837663933363165
+31613963623562336131666537336665306662343331336164623037326633663532656333303235
-32393132636239306430343031323766306366343534333965346263616432623030646535383136
+66366134393431303062356135376339363035333762333965643336363130313433393530393462
-30653538363965623063303432633332666662663431633464646566623261376465633333613032
+64366266363264626161613830643966613461666565306362623033303432323532366438326639
-39623963633133346161313638623663343130626331373039383362383534353338373565366533
+36656461613165383733363761376662313261613632333336323232333932316534613234653230
-39653530633537643163386632313537616535646431353332326535633835323331396336613764
+39646265376364396361376630623763626337386236646463393030356161373163306333386630
-65336138636332626266346137303566376336313032636431333730396130303533316534373538
+63616433306130313065613065366339373863386638363338323337303138626338663861343530
-32363333313232623335383632336564316138346634646563623932656339393135373266663830
+65663631316563306666396335353164343830613635646465663037366238373666303537303338
-39353733623265653030646232653831613835343262613764316531666339643235653735383838
+33333931353362363834303666343932333965646363643061393434646635623637353936343931
-61353939383563353334316437613136373164663236633036383633373265653434363231363265
+35393035623331366230316564353433316463366165643864633334626439643265323432313131
-31336261303234343861383063386233626232363638313535313137376239303031336139663832
+37316161613036333963636538623739666463353466316463653430313938353438613533663464
-34333365373961313535343664386464613362653361346266616130633632333832663433623930
+66616535316437316130613931323332386666306530396361616235343963333065353436633461
-66616561346337306464353635636666646537666330313161336333306335333162646636323239
+32363839336435313639346265663762383530383335313066633865323366393734343638316238
-65333062333032333938353666386639663261353033663261323761393764653232653838616665
+61623038613966613330356132663330376636613837313264613030393832646339373630353637
-35343138356139393764666637306666623937343539393338373833303165306561373861373433
+61326266303733393531383966333765336637333866636433636436653836643334343963383364
-35313630386661383331336633396333313136323365366163376330623237666164356438653136
+39343931663534336363663363313262666264643839326334343261343834663938363038373132
-65616264343730343261316266316633356262653063636266306637643864353333366330376336
+35346564393366383562653862393938343537333162656131623762353830636330323336626363
-38303333623439646634386536616362376263363738316134653366613564396263363036643862
+32376536633539306262386530313464313834303964643230613162393335656565346638373933
-64383438663361643937356530613034363131303232316338663064383631663336366364303063
+61376666343039623965656335663066623136623061306234666664333335306465383834303764
-62343438353035633763646365343838653835633663386163613136313230636162353330633932
+37656164373164653261333236323530653865373831303932323532623234613039623532653963
-36653465393032343937653964646133376663386264653634616563313363633339653531386136
+39363630336262626433313862386464363138643937353433656634323762383336323662333266
-39316665363537376339316338363335343231653030333864366538303235323736616266616465
+62306435316531633962333736376532356435353935356635353665303762393138646261383363
-65316165643034653837613565363966316233366234636539333430306562633266363562303063
+33353062303739363231396232343830623666376462663564346432343439653764386234656337
-65336530616361363130343233653736356238386233363736623331326466383132336236303539
+33373038363462613234356131666165383837396661396461353163383435366133313062623138
-33613538383438363332326436633361616437373533393738656461633633333661323863653137
+39316664376363303335653138656638383133383364336661316166376564346363356462626463
-33366637643830633939633334613932343936356531373835393930616232623033343861663737
+66343135306166323064653562663737656635376639636334393863643432646233376466386238
-30646634383234653938353062396662323566303962393565323639363365383034306633633738
+39333233646231633633623033323139313461366436373362343731376466346664366439316132
-66633438616536623737343635323564343538363537346130326239376335386266643465383163
+32323866383138356261313533666535373038376632303139396266333537336135663064303331
-65333737643538636439363037626163323733393538313561333738393661373066666538633337
+38663731366366313965313362366532383232336333336139646431373739386361626333376464
-37663161393264356265303035376262336665333433376239333830626132353161386665643963
+65353139653661313365396237343233363865333030326361373336326532366334343832373764
-31653138613139643264353634636639376666336439643064303131373861373666313464623764
+37316266356536653862383862646539316436336163623537663163373032633931336566643166
-39636334383963626137373839633435643132306638316565343134623165333464643032653032
+35363134663634383735626135663664303764633338326133613036353830393134323439306565
-30366432326364376337623363313964396331633833316433666239343639313363616335376532
+34333531356335656639393737663366616166313430303637306464353138356437333133626234
-30366365316632376662376435636332386464663462333938373235323661663662306531373236
+63613637656463333437396363376638356530636665646262386637613030613637613534396138
-35646635363962343635623366336466313435396639393336303761306631663939663362643735
+30306364386266616566616565306533343233333663383836613332366136623735623134623338
-32366663626333663163393830356531366161643064316233393832343238613865646564666335
+61316137333761373130383230663039623434316637613161383465346264393762643038646638
-37323934373361663862316430363735343336343432323561363033643235653638316335353134
+62643439323339656265353063343334613462346434306462313339393965336563656662373961
-39643165346265343564366261366139626166353466313832646336643634623665383862663635
+62623163626335626363626562653437616330616130393637353033323865343533386337343933
-31626633613134616439383366656130396230643764656462363763396663353130373464303532
+39636438376266333233343265623330303164666566363666363736326236373231363662613632
-35646261633936323662373636313933633563313338656334353665323633623331393665333566
+63626566396566303839623637303931373139356638633161396239633431333863396639616231
-39653463353661366362666530373830663938643861386633303137343938646263656636363037
+33383161366363356139656463616532383233653763303836636365306436633735353932363861
-32626231623938656532323466656162666636343738363730663866623963333433393831373636
+31633730626461313733393964653433356330323262366434323833383732653065326232393962
-32343561613162333361626632343130316137353666623336663139373761393262393934373030
+61396634616138623135626138623566313531346562663830356635306663363163333537333766
-37306237623632343233663536363836616431636433356539616534363939623331303165333361
+36303264386235653034313934333736383239666431623730323432666432313834633264653631
-61326264343233356539633435386531623437656462623537303935323633383435633663386333
+37646461306462623664303134316633303632636162333938373634636331353336643033623938
-65666635373564623137656635663636323338643930356133383539333762656664386364356263
+66646266393262623062636365366261386565656136323432336636613838656531353964666563
-37313463303430666338326634366664386561633563376464393738643235303062346564316662
+36316262393564313034373261623132333234646164323235316531663638373337613130376364
-61656666663537366166303737316566313530353030343237373366346563363333363838323263
+62616662333365376565383837626566356438653631313235356536643034373434393463303935
-37313234643437613637623039333366643233323431376534653463646238613133326161663639
+31363231626431363465333964323139323830663363653431366334303036373833386333363264
-64626665346638636239353136386538313336336332613762376337626438636166396431643066
+37613134353732313061623734616161316537366162343938313963323735313864663166326237
-66636532633038643230326334393262366564643063613961353866306531303535646231303335
+38663436646535323166643130393966386332323062366333613862613939353733653862616665
-32366230656231633832333630616562363934303332376562333034353030333537393237656566
+65346332363962636536313937313938613335366132613464646162653361323361643766646439
-33333161326430393930356634383364336665393665616334613438326365356166653561643436
+66373137336531306363353532383865613064613333373435616264323635373631363734343166
-30353737393535353635396131626661653531623863313866653337373434613039323033636630
+31623363646566396139313966353539656265353636316133663635633839336333313232313639
-33303231353566383138383264623736626532313535323963353863613161356238393835316166
+33336131623865663764653638663237623831363034396661303534373838376166623836326538
-63303932643939373465386130643061393638313037623966396562663333336164336339326331
+64646236376337313039663335366163353437386333373161383164613666343233373731326164
-62383233323766383435396164666436356561313937343630646365333239646639343731333330
+37316464316139316166663132393466396237366632343263363962613235393137666365303961
-36343363633130656236336466306638343666343031353437636631343630303937643037636233
+64633735646335323438623835353564313334313464306462616436343765333335306365663733
-66346162356634646363623161386236643265366331363732386165366561393336313039323336
+65393530643633373662663762663563376163316562376435396661383739363331663062373166
-38316332653232643134333430343363653537323965633064313066623635653130613432613931
+64663030636561366562363437663438353031393931303563326338643361336338393630316534
-61363238316434336664653461636432363931333933613038306335353463396136626666313163
+35316335646465326464386630663262616335343766633930346466623465366238356365663063
-33323565383930363632316135353262663864373935646535313838353561376134323130383937
+32653931386630336166383431626664343538663565396536646136633935356338386665393230
-34363736626235613233386634363536323563353363313736346231646131643062636536363032
+38333933623237366337336365353935623030623666393837353232616433666632396636316133
-33636234333935646634363338393166383139363039613164636332353938373436663566343663
+33316237393531643131333261313630373338336437306335353932663462353133333235353435
-37316664386162383862366136313764663232353435373265643435333935343634386536356535
+35653432626239633565666365623139636230323263663435343165623634633938376133323039
-38633937633939653764313065613034316439343837326332316634323634336433316465616538
+35663231323563343366306564363830623934646334386461623134623532393534346237323538
-34616566616334656136303837663138353165623332313230633234616161313962306661333566
+35333936333166373037613036346233666239633236393265663065313265636534376561666436
-36613135343835316361653964383630336161633965396334663632353432666162306166313566
+35343035376430663466663535393962313739313763303230653961346566356134633361636532
-35316630346561313336353166316138396330336637653532383032663432346462663636356632
+65353839653435376261626161343531396636333361633431363236616137323863646232376465
-36383061666134376133616463333965383062383934663763616336303561306461626164633136
+31666137653534313439313737376162393765326537643632363338366139313763356363613838
-61636364323439353531373937333364326432653866303530383636366636396364646537663566
+38633932363063643662383930663833346432313135666134633933363466633965316431623539
-32656330376334363433353734333135373735363739303039623164623064386137623930626466
+65626261636666623866633930386537666338313664636264666363333736636437346463323539
-38663533373662333034373962653661323766653966383336383566363864376233303965393465
+65383464346634306230626139303739646566356131333830333865343661666564366131646230
-63343535646534666234633366323832633830376132613839383264306337323036326261663363
+37306665656562653138316333396530393263386166623534393333363565646664656162633161
-64653035653433343531633230363762313536303232666632643535316539623330383738626432
+66303863373236353738383034656531363532666132356166383139666561383464396163353334
-35343836386533313961666639643930326236343262616462383863396336393161633435633065
+66316566383136343230393437323731663761636533643738616463613432656663636430323932
-30333262363636613931666630623134396363366337633739363963363462363862656132386265
+33366432663337316537383735663735316232376335393563306330653535623138346166363763
-31373862376164343134666235396366313538323837373763663162623634313338373232383030
+37326632363162383463353462336663363333613831353466313433366339343635356437653532
-35376331616439653031666334363639336633306432316334303061373432393439333234613664
+31363065393066303433313264656339316265663533316434363233326131326431376263643432
-64653162633535623931393665333464656530656630363432383533393033313036373062393365
+33626133393735313466323465363534376338343162636632656334623964316236613432343066
-32356331336636383037653630396333623262653232376565643135316162656632346235616665
+37663331653935663930623738383131353363393462396130623131326133623934326535656532
-66336430363837386337316464373263373436666338643661666334313363323638656532356437
+33643839626233663361643337393131343438333538396431303766336634303466353037646335
-61666432356466666634376666373932643939376430643564353835613432346264373138656336
+36343536393138303135346662636233313766373961386239393636313838356334643432303935
-61323834343438363962386432363032333261356665373765383864636466366131386234376437
+38333662396333643861396233313332386662376464653337623935663337393762363331303833
-62306633363435386233303534313034346438393465333963323035363030346430343035393162
+31663765633533613561386233356532363031366462333663376139323665336231653533613737
-31376138343035313666616333646161396464663261366363323165366265343566653362303361
+66633765633361323732336330613634643064363731366661303231393631636435616633323538
-34356636393532396436373466306339316232343933663239623331633534383334336261396464
+34393037373064373062643466616561656661356365663336623364366531366234613865336530
-36346330643261396636383337343038656363386163336533643037313862396435623333313232
+31666534636263343761353364306638636230353734346334396435653866613764366362613661
-37333736303637393465343130306663336165663430313961373438336138393533613034636463
+64373962373335356166373165386230323734386133373238306635646637353765633434653538
-63643966366161313538653063383130303335306439636637306465363030346463373064313630
+62333339613132663634656430656564633465353339333063633466376534636339333930616162
-66303037363538366138363037376365646664626532306237326636636665303862313234363532
+32623337393666626334313037336163633332633330643766633031653331646631343566363865
-65653039343266626438393961626631323032346238356564303431303737623334383032373930
+39643537323563366239626130376263623631333935623565316232623335663234636262323761
-30376263316634343936626134306634616438666264336234376261363237653337613934636532
+62323637623064323663393163383562363262303332353738363133623665303535316165383238
-32613464383265343230643537626334643361336264613232643963386237636130613836363037
+62653338316232336663386463396633666663663363653333663239616332656438613664396463
-32623037373562323031653632363832346235366133663530303439343232353831616461633933
+38323762313435346263636437323833656531333765663636363833633636303837396166393539
-37303565343463623663643565616238636239363764333234303438366262376563343033643465
+36303832623436323637373064316535313734643034643033356135303663383264303730313936
-38363432366135333334646461626163386235666461383861656333376331643838373631653563
+32363362386131656536316363663535333133653137373564633939386435633631663032336662
-35326536366562336332366430613435666164366666313230363431653739393664373565326162
+66316565636639343030326263643930326631343033333564636562623532363639653366333139
-63393433616232356539386566353665643538323434323563393436646437666531623361623762
+32333064636666313663643638663765326263666538373765636131346232336637323938656364
-38393534653537313764613139353761363432643234333164386561323065656132316161666163
+30303735613466333434386330626435353833636139613035356639373939633265313833356162
-34626131376437336562363036396432653637663361373538313334633666376430393562633164
+31363764633937653936643136303136343039383830666334623461373335326638346236303536
-64363931343734323733343639386334353935323139383037323532396637653333663531613465
+34643836633032663539613635323433363565326138393930646434653064653339626332396139
-63316331653930353165633034326638383161326334633066363763363531353833663736636137
+30353936316263396461376530333061626635363765373036646265356366343266323961393236
-35386232353833326132313762613866343836346339376131643430663735363535613734663633
+31623334643233623062323633653864343531396461643637333561386534633066393435383766
-65643035303736316463656663663736666566383534363739623737396530323564326365373432
+33633465646530393333656264383639366637623139386361666535323334373866383836303035
-63643863313362393138376232626434366563316431613135626534633130636264346562656532
+65333833333838346363333531643134343865383061333865646435326631653130633333383663
-36393939323336313235313632386539646133386434623232653332366537396266343462363564
+39623634623335363537646531386566666434303533663437643637633466363035663566393665
-64643438323032656461616365346164343039316264616565313430653930666461656430663438
+31643065303263356533343335613161666533303536383762313663323463313332343564623231
-34626530343163306433313561393435393266346134663865373464356630633166323066346637
+39373536336363343938386237633334616533323835363031373436383631356331626238373662
-36306563666461623563633764316364666332376132376330313766653033616261666331363134
+39313564656634663836313936636237643831376433663861366535383364333365623134323662
-33363630353835346237396639383132353738323534333764306462346462373531326138396632
+64363964656137313365333165393935643465326535653537363237643034356535333866646231
-66653762326231326665323438316536386166326231393838313161396632336135616431346434
+33393965393761396336653437623037643833653162626335653832376238363336633430623032
-31623361373637366133393364383233376436623266386562363237343039663236363066656566
+33636335626662663663323034333035373939373665613138323939663766363962303233393636
-65346563323037643563356538623461663864343662326237366439356161306538303131643862
+36306564383961653833626561383361346662313936663336656666326366313530613637613438
-39633232326165383334353735643364333365316264376661313438396635646630303462646164
+31636332656134386531663730326162666436333133653766353861646434633433306138396365
-37616261326461653935363265356465343063393464373331663066326163333533643130343033
+65623032656435663233633239663835323938613533366666393634393831623233613363386536
-61363639623736643031323165303764323762353137663364393831636163303430333632663932
+32623637363363363237383465396430396462343135346135396465303439303033356331353863
-64313933346538383764373937366464363562366339663832656263616164616634363961626536
+63636463343062333437643330373462346466356334366565323466313531343666383338366138
-37353738643039653332636634373038326130373836306562623466396138316265616531343331
+65373838653261316364316664616464626466343937613339363735626531326136376134313362
-64346535346661323864646535383061356561333932333935393563346534666263626561323434
+31666666303139313433353335333263633033363437356563653334366330366632663535363861
-32366161623631343733623861336539653439333931623439303061326564383263386339623832
+31623934666430646663303636323434383263653632396666646532383138346430396332633337
-33383039666363646165383736323130316563623938306231353238356631656131313739623663
+33613862393533313337383931353130313135303833633935376664643265353536366638613561
-64623365313563343632656166366638663435616633656534383339303938313562333238343330
+33626637376639313661643732336662633134353536313432333232333762336165326263323934
-34306231363438393833613634373738326461306437323331313432663135323037333231393366
+30316362613730633730393832663365633164653035326536343163346333653432653663633134
-34653864376536633337383834383935343761626338303165376336393138363961353039656430
+65613832356535376337356331343037373933383232626133373538666538653363313838333065
-66303266613164393163366632663666373166393335396139353031633865343438636331623137
+34356464353662313136316331333034343738323934326638613230336233613637313162633166
-62636533366431393435323135383332333439346131666235376332653763353833373238386264
+66343336383331316335386166323930326565303766376539353462336236353638656133353632
-36373136663266373733613365313836383937666131313732363963366133363063313533643237
+62363432323863306163353866343663353839373935396339373861363831373166376262653934
-39366462646134333166613465626261653761303131653361323838343966626633313763303632
+34376166663262303166303437383937366230366538643666303663303032376666393737623166
-62353639663030326666643266313262333336333261316333343663653238373662356231383866
+38323731346665303536663333656331336662386639346661376462633864656632383338376335
-30613961346561333062363363636635646162393534616133336463396232346435333538393332
+39623964376361396338643037636464313032626363386662303234616437373965303532643639
-31663230636262636137346131306366626666663161386533303639353639643332303961633735
+39396135326239633031386331383463306438666362336636616161623933626233316131353730
-34316137616238376261393932656134313333616438643533336530383835303961333866376330
+33393461386666656565633731303530343338636238666531306263383030653533613931343534
-66613964343031303362386163393763393837313536383463393265626661363532343932386333
+30393032623333666465616330623932383232653033663939636239383566316362353963663763
-32663761373465643338366165663337356530373536396135346539353632326166633139643038
+37633134316164613730316630633864303664626465306566353934636364323539663339636632
-37303232326332613264396134663865323633306162333266306665343765346564316239306161
+64623839313932323239353264643130363764376234656639373366323730313833396561336132
-64656265346162643034303462323864366666353537376434626135623461663564396632663361
+39386462313037376466343031653535343965653631343030323138363535653537336464616264
-62643635303539353830343035636430646166633535326338316463366538666639613766643033
+38346535656365373734363232656530653832383961376530653734336666653339383661613031
-39346631353435623163633539656331363533303737366438346234376662373331373636613636
+31633039393664373931323061636533363433356535623732396339356630353537373362313337
-36646166633833396437353630643735376166393030356666653962616130623536336536633936
+31333935363739303035613038373563303061643863343831663166336635663832356265373239
-34653137316430333961383737633239323565356137666534333861356238616331616635663761
+39653938366434656234613863313533643665336131613735333732323233353431333934353938
-37393363333833353334656132613961316137663261633834306332363735623439623237616331
+37323430623730313239376565373766383662316133646638633830346334353732616366326662
-64393539646466663238396361333439663633336162386462656566646237333235383833386132
+65323363613234376364393838356637643664333563393663656537323162303362323933663666
-37323661633762333464336464616237353138666333346565313636353038346630333632626231
+31333831616631646561363438653534656532326638656364333334306633656665626433343137
-66626261663961333531336137313066313039363537373364313363326166626361383832363637
+65663132373434313432303139393961356237323765656661336462613439356331393032353035
-33393963313138373934366638656635316664346534316239373634396161306363623736303034
+39303231303635353634333937633038626633616634633965623666646232333137623261636139
-66386163313039623137386665363936646166396661306665623062383263343737336632303039
+30646537633933373261633739633333346362346430616161663362343066306161313464343635
-38363930353536326238363134306533363164386562346231363837633939343635366636663436
+31616561643261356633393931626137613034646161336634313435346364373131316234333838
-63326135396665333539646130386434313036386437346264396534303762613832666134646435
+34616637316462346131333439343434646331336637313362346661373835396135333530643337
-31396364396461303865643064643035666565366331663836663436643164626333353338393335
+38393232663734353235363230626262653930393664383362613937396430353130653235383631
-32666339666431656464373263353332613861646637346230643637376234333762313262376537
+34663963663733306333663361653332363036333365646665643165353864643766393930653234
-66646536393861626365376635336436386235646238326237363834306633323036326666326161
+36666462333364363063393831373435363631336565653132366561386137343034666632313162
-61666663303562363636663065316262333833373432626435646431313866653236643132303639
+30646566313133313438396233313532326439366331363432376461366534663062383835373839
-39303336313061363131346131656439623264636664383962623832313531346562356231356631
+65626430306430303039623063353530306262666565373163366236616339353764633639323235
-34313862613631333438656362613861613239346630373234616334613834343835646565316334
+37346336636134326132613836383562323164316666373032363733383063356262376165373637
-37303332643138396330323337613665353664623166386361316635653164643438343466326634
+63626130663335343237303138313261356235323065303637623464613737303533656339313031
-33343634626634386435636161633534666361623366343237646433633866333031376238383933
+66373362353764313834386437306533653665363731623635633665376232656462653361643064
-64336331383762626638656339306263646363376465326462303431353039646532643136616632
+62616363393936643061393039636564356437356136613337653532656337666337316134376333
-30653333306565623462383235356266643532653565346164373864366537653838636263326436
+30336162303833393036623266346161653665356534636634396335663562626231613336313537
-34353232643836313064306133376434323530613566303032386636363966646138316232313364
+33323735636235326362373239643537346630343938366665633837663266393861353030353737
-33386266316536363330313566623664313738646565363563303231386533386337633462623238
+34666436393039663730346638363935316163393562333532666331646130376236666139366333
-35306162646130613238653437643833396234633066303833363330346564386531393735373864
+35363531366665353134303031343632643034363836306135336262306630353763393165303764
-373837666536633866393537393332316531
+323530613234336162356635353634373264
--- a/group_vars/stage_qa/plain.yml
+++ b/group_vars/stage_qa/plain.yml
@ -260,8 +260,11 @@ elastic_stack_network: {
  qa-elastic-stack-elastic-03: "{{ shared_service_elastic_03 }}",
 }
-harbor_oidc_realm: "docker"
+harbor_oidc_realm: "harbor"
 harbor_oidc_client_id: "harbor"
 harbor_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
 harbor_oidc_admin_username: "harbor-admin"
 harbor_oidc_admin_password: "{{ harbor_oidc_admin_password_vault }}"
 postgres_listen_addresses: "listen_addresses = 'localhost,{{ stage_server_ip }},{{ stage_private_server_ip }}'"
@ -302,9 +305,6 @@ pgadmin4_admin_password: "{{ pgadmin4_admin_password_vault }}"
 awx_admin_username: "awx-admin"
 awx_admin_password: "{{ awx_admin_password_vault }}"
 docker_admin_username: "docker-admin"
 docker_admin_password: "{{ docker_admin_password_vault }}"
 management_admin_username: "management-admin"
 management_admin_password: "{{ management_admin_password_vault }}"
 management_realm_admin_username: "management-realm-admin"
@ -338,9 +338,10 @@ argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"
 harbor_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
 management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
 # smardigo automation QA gpg key
 # pub part => https://dev-gitea-01.smardigo.digital/gitea-admin/communication-keys/
 gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private__vault }}'
 hetzner_server_type_kube_node: cpx31
--- a/group_vars/stage_qa/vault.yml
+++ b/group_vars/stage_qa/vault.yml
--- a/import-database.yml
+++ b/import-database.yml
@ -62,7 +62,10 @@
  pre_tasks:
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
  roles:
    - role: import_maria_database
--- a/info.yml
+++ b/info.yml
@ -12,8 +12,10 @@
          - ansible_version.major >= 2
          - ansible_version.minor >= 10
        msg: "The ansible version has to be at least ({{ ansible_version.full }})"
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
@ -21,14 +23,17 @@
      debug:
        msg: "{{ ansible_distribution }}"
      delegate_to: 127.0.0.1
    - name: "Variable <group_names>"
      debug:
        msg: "{{ group_names }}"
      delegate_to: 127.0.0.1
    - name: "Printing ip addresses for {{ inventory_hostname }}"
      debug:
        msg: "{{ stage_server_ip }} / {{ stage_private_server_ip }}"
      delegate_to: 127.0.0.1
    - name: "Printing stage_server_infos"
      debug:
        msg: "{{ stage_server_infos }}"
--- a/kubernetes.yml
+++ b/kubernetes.yml
@ -13,19 +13,20 @@
        msg: "The ansible version has to be at least ({{ ansible_version.full }})"
      delegate_to: 127.0.0.1
      become: false
-# TODO run only once (> argo-cd uses stage_server_infos)
+
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
  roles:
    - { role: kubernetes/base }
    - { role: kubernetes/namespace }
 # DEV-243 is waiting for hetzner support << Ticket#2021110303010972 RE: Anderes Problem (Server: #15275628) >>
    - { role: kubernetes/cloud-controller-manager }
    - { role: kubernetes/container-storage-interface }
-    - { role: kubernetes/cert-manager }
+# TODO setup prometheus operator here
-    - { role: kubernetes/external-dns }
+    - { role: kubernetes/cert-manager } # TODO depends on prometheus
-    - { role: kubernetes/ingress-controller }
+    - { role: kubernetes/external-dns } # TODO depends on prometheus
-    - { role: kubernetes/apps }
+    - { role: kubernetes/ingress-controller } # TODO depends on prometheus
    - { role: kubernetes/apps } # TODO depends on prometheus (argo-cd)
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit eeeca4a1d0334efebcf732d08bffc7e10240fc9c
+Subproject commit 92f25bf267ffd3393f6caffa588169d3a44a799c
--- a/patchday.yml
+++ b/patchday.yml
@ -29,7 +29,7 @@
    - name: "Smardigo Patchday: rebooting <{{ inventory_hostname }}>"
      ansible.builtin.reboot:
        post_reboot_delay: 30
-        reboot_timeout: 60
+        reboot_timeout: 300
    - name: "Smardigo Patchday: wait_for host after reboot"
      delegate_to: localhost
@ -82,7 +82,7 @@
    - name: "Smardigo Patchday: rebooting <{{ inventory_hostname }}>"
      ansible.builtin.reboot:
        post_reboot_delay: 30
-        reboot_timeout: 60
+        reboot_timeout: 300
    - name: "Smardigo Patchday: wait_for host after reboot"
      delegate_to: localhost
@ -124,7 +124,7 @@
    - name: "Smardigo Patchday: rebooting <{{ inventory_hostname }}>"
      ansible.builtin.reboot:
        post_reboot_delay: 30
-        reboot_timeout: 60
+        reboot_timeout: 300
    - name: "Smardigo Patchday: wait_for host after reboot"
      delegate_to: localhost
@ -146,7 +146,10 @@
  vars:
    k8s_basic_services:
      - kubelet
 # TODO check if docker or containerd is used
      - docker
      - containerd
  tasks:
      # draining the hard way
      # due to force( delete static pods) + relative short terminate_grace_period +
@ -169,18 +172,19 @@
        name: '{{ item }}'
        state: stopped
      loop: '{{ k8s_basic_services }}'
      ignore_errors: true
    - name: "Smardigo Patchday: update pkgs"
      ansible.builtin.apt:
        upgrade: yes
        update_cache: yes
        autoremove: yes
        autoclean: yes
        autoremove: yes
        update_cache: yes
        upgrade: yes
    - name: "Smardigo Patchday: rebooting <{{ inventory_hostname }}>"
      ansible.builtin.reboot:
        post_reboot_delay: 30
-        reboot_timeout: 60
+        reboot_timeout: 300
    - name: "Smardigo Patchday: wait_for host after reboot"
      delegate_to: localhost
@ -196,13 +200,14 @@
        name: '{{ item }}'
        state: started
      loop: '{{ k8s_basic_services }}'
      ignore_errors: true
    - name: "Smardigo Patchday: wait for node readiness"
      delegate_to: "{{ groups['kube_control_plane'][0] }}"
      kubernetes.core.k8s:
        kind: Node
        state: present
-        name: '{{ stage_server_ip }}'
+        name: '{{ inventory_hostname | lower }}'
        wait_condition:
          reason: KubeletReady
          type: Ready
--- a/remove-database.yml
+++ b/remove-database.yml
@ -75,7 +75,10 @@
  pre_tasks:
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
  roles:
    - role: connect_postgres
--- a/remove-realm.yml
+++ b/remove-realm.yml
@ -65,7 +65,10 @@
  pre_tasks:
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
  tasks:
    - name: "Delete client in realm <{{ current_realm_name }}>"
--- a/remove-service.yml
+++ b/remove-service.yml
@ -55,7 +55,10 @@
  pre_tasks:
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
  tasks:
    - name: "Delete DNS entry <{{ inventory_hostname }}> for <{{ domain }}>"
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -64,7 +64,7 @@
    - users
 - name: "Create users"
-  user:
+  ansible.builtin.user:
    name: '{{ item }}'
    groups: '{{ sudo_group }}'
    shell: '/bin/bash'
@ -76,6 +76,16 @@
  tags:
    - users
 - name: "Enable passwordless sudo"
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    state: present
    regexp: '^%sudo'
    line: '%sudo ALL=(ALL) NOPASSWD: ALL'
    validate: 'visudo -cf %s'
  tags:
    - users
 # TODO check usage of key_options "no-agent-forwarding, no-agent-forwarding, no-X11-forwarding"
 - name: "Set up authorized users"
  ansible.posix.authorized_key:
--- a/roles/connect_realm/defaults/main.yml
+++ b/roles/connect_realm/defaults/main.yml
@ -46,9 +46,6 @@ current_realm_users: >-
  [{{ current_realm_users_base }}]
  {%- endif -%}
-current_realm_admin_users: [
+current_realm_admin_user:
-  {
+  username: "{{ connect_realm_admin_username }}"
-    "username": "{{ connect_realm_admin_username }}",
+  password: "{{ connect_realm_admin_password }}"
    "password": "{{ connect_realm_admin_password }}",
  }
 ]
--- a/roles/gitea_realm/defaults/main.yml
+++ b/roles/gitea_realm/defaults/main.yml
@ -24,9 +24,6 @@ current_realm_users: [
    "password": "{{ gitea_admin_password }}",
  }
 ]
-current_realm_admin_users: [
+current_realm_admin_user:
-  {
+  username: "{{ gitea_realm_admin_username }}"
-    "username": "{{ gitea_realm_admin_username }}",
+  password: "{{ gitea_realm_admin_password }}"
    "password": "{{ gitea_realm_admin_password }}",
  }
 ]
--- a/roles/harbor/defaults/main.yml
+++ b/roles/harbor/defaults/main.yml
@ -47,13 +47,15 @@ harbor_base_configuration:
  email_insecure: true
  auth_mode: oidc_auth
  oidc_name: "{{ harbor_oidc_realm }}"
-  oidc_endpoint: 'https://{{ shared_service_keycloak_hostname }}/auth/realms/docker'
+  oidc_endpoint: 'https://{{ shared_service_keycloak_hostname }}/auth/realms/{{ harbor_oidc_realm }}'
  oidc_client_id: "{{ harbor_oidc_client_id }}"
  oidc_client_secret: "{{ harbor_oidc_client_secret }}"
  oidc_groups_claim: groups
  oidc_scope: openid
  oidc_verify_cert: true
  oidc_auto_onboard: true
  oidc_admin_group: 'admin'
  oidc_user_claim: 'sub'
  scan_all_policy:
    parameter:
      daily_time: 0
@ -79,7 +81,7 @@ harbor_projects: []
 harbor_robot_tokens:
  -
-#    secret_refresh: True
+    secret_refresh: true
 #    token_state: present
    name: ansible
    level: system
--- a/roles/harbor/tasks/configure.yml
+++ b/roles/harbor/tasks/configure.yml
@ -1,5 +1,9 @@
 ---
 ### tags:
 ###   harbor-configure-base
 ###   harbor-configure-robots
 - name: "Check if harbor is up and running"
  delegate_to: 127.0.0.1
  become: false
@ -20,6 +24,8 @@
  include_tasks: configure_base_config.yml
  vars:
    base_configuration: '{{ harbor_base_configuration  }}'
  tags:
    - harbor-configure-base
  args:
   apply:
      tags:
@ -45,6 +51,8 @@
  loop: '{{ harbor_robot_tokens }}'
  loop_control:
    loop_var: robot_token
  tags:
    - harbor-configure-robots
 - name: "CRUD - scanall schedule"
  include_tasks: configure_scanall_schedule.yml
--- a/roles/harbor/tasks/configure_base_config.yml
+++ b/roles/harbor/tasks/configure_base_config.yml
@ -1,5 +1,4 @@
 ---
 - name: "Add harbor base configuration via API"
  delegate_to: 127.0.0.1
  become: false
@ -18,3 +17,4 @@
  delay: 10
  retries: 10
  until: base_setting.status in [200]
  no_log: true
--- a/roles/harbor/tasks/configure_robot_tokens.yml
+++ b/roles/harbor/tasks/configure_robot_tokens.yml
@ -2,21 +2,28 @@
 - name: "Initialze VARs"
  set_fact:
    tok_obj: {}
  tags:
    - harbor-configure-robots
 - name: "DEBUG"
  debug:
    msg: "DEBUGGING - robot_token: {{ robot_token }}"
  when:
    - debug
    - harbor-configure-robots
 - name: "Drop token_state from dict to avoid rejecting object by harbor API due to unknown field"
  set_fact:
    tok_obj: "{{ tok_obj | combine( { item.key: item.value } ) }}"
  when: item.key not in ['token_state']
  with_dict: "{{ robot_token }}"
  tags:
    - harbor-configure-robots
 - name:
  include_tasks: configure_robot_tokens_crud.yml
  vars:
    token_state: "{{ robot_token.token_state | default('present') }}"
    token_object: "{{ tok_obj }}"
  tags:
    - harbor-configure-robots
--- a/roles/harbor/tasks/configure_robot_tokens_crud.yml
+++ b/roles/harbor/tasks/configure_robot_tokens_crud.yml
@ -1,7 +1,13 @@
 ---
 ### tags:
 ###   harbor-configure-base
 - name: "Initialze VARs"
  set_fact:
    token_object_combined: {}
  tags:
    - harbor-configure-robots
 - name: "Get all robot tokens"
  delegate_to: 127.0.0.1
@ -19,6 +25,9 @@
  register: all_robot_tokens
  delay: 10
  retries: 3
  no_log: true
  tags:
    - harbor-configure-robots
 - name: "Create robot token"
  delegate_to: 127.0.0.1
@ -41,6 +50,8 @@
  when:
    - all_robot_tokens.json | selectattr('name','contains',token_object.name) | list | length == 0
    - token_state == 'present'
  tags:
    - harbor-configure-robots
 - name: "Set VARs if current robot token object already exists"
  set_fact:
@ -50,6 +61,8 @@
    token_object_dropped: {}
  when:
    - all_robot_tokens.json | selectattr('name','contains',token_object.name) | list | length == 1
  tags:
    - harbor-configure-robots
 - name: "Refresh the robot secret"
  delegate_to: 127.0.0.1
@ -81,6 +94,9 @@
    - token_state == 'present'
    - token_object.secret_refresh is defined
    - token_object.secret_refresh
  no_log: true
  tags:
    - harbor-configure-robots
 - name: "Block to Update robot token data"
  block:
@ -89,6 +105,8 @@
      msg: "DEBUGGING before dropping - combined token_object_combined: {{ token_object_combined }}"
    when:
      - debug
    tags:
      - harbor-configure-robots
  # unknown param/key in object robot-token will result in errors with harbor API
  # therefore we drop $keys from dict
@ -98,6 +116,8 @@
    with_dict: "{{ token_object_combined }}"
    when:
      - item.key not in ['secret','secret_refresh']
    tags:
      - harbor-configure-robots
  # harbor API behaviour:
  # in case of initial creation for robot token objects, harbor creates a name for this
@ -113,10 +133,15 @@
    set_fact:
      robot_token_name_cleaned:
        name: 'robot${{ token_object_dropped.name }}'
    tags:
      - harbor-configure-robots
  # part 2: override name with new defined name of object
  - name: "Set fact"
    set_fact:
      token_object_finished: '{{ token_object_dropped | combine(robot_token_name_cleaned, recursive=True) }}'
    tags:
      - harbor-configure-robots
  - name: "DEBUG"
    debug:
@ -152,11 +177,16 @@
    delay: 10
    retries: 3
    until: update.status in [200]
    no_log: true
    tags:
      - harbor-configure-robots
 # when - part of BLOCK-statement
  when:
    - all_robot_tokens.json | selectattr('name','contains',token_object.name) | list | length == 1
    - token_state == 'present'
-
+  tags:
    - harbor-configure-robots
 # end of BLOCK to Update robot token data
 - name: "Delete robot token"
--- a/roles/harbor/tasks/main.yml
+++ b/roles/harbor/tasks/main.yml
@ -1,15 +1,19 @@
 ---
 - name: "Create realm for <{{ inventory_hostname }}> if necessary"
  include_role:
    name: harbor_realm
  vars:
    current_realm_name: "harbor"
    current_realm_display_name: "harbor"
  tags:
    - always
 - name: "Install harbor"
  include_tasks: install.yml
  args:
    apply:
      tags:
        - harbor-install
 - name: "Configure harbor"
  include_tasks: configure.yml
  args:
    apply:
  tags:
-        - harbor-configure
+    - harbor-configure-base
    - harbor-configure-robots
--- a/roles/harbor_realm/defaults/main.yml
+++ b/roles/harbor_realm/defaults/main.yml
@ -0,0 +1,59 @@
 ---
 current_realm_clients: [
  {
    name: "{{ harbor_oidc_client_id }}",
    clientId: "{{ harbor_oidc_client_id }}",
    admin_url: "{{ http_s }}://{{ shared_service_harbor_hostname }}",
    root_url: "{{ http_s }}://{{ shared_service_harbor_hostname }}",
    redirect_uris: [
      "{{ http_s }}://{{ shared_service_harbor_hostname }}/*"
    ],
    secret: "{{ harbor_oidc_client_secret }}",
    web_origins: [
      "{{ http_s }}://{{ shared_service_harbor_hostname }}"
    ]
  }
 ]
 current_realm_groups: [
  {
    "name": "awx",
  },
  {
    "name": "admin",
  },
  {
    "name": "smardigo",
  },
 ]
 current_realm_users: [
  {
    "username": "{{ harbor_oidc_admin_username }}",
    "password": "{{ harbor_oidc_admin_password }}",
    "email": "{{ harbor_oidc_admin_email }}",
    "requiredActions": []
  }
 ]
 current_realm_admin_user: 
  username: "{{ harbor_oidc_admin_username }}"
  password: "{{ harbor_oidc_admin_password }}"
  email: "{{ harbor_oidc_admin_email }}"
  requiredActions: []
 current_user_groupmembership: [
  {
    "username": "{{ harbor_oidc_admin_username }}",
    "destination_group": "awx",
  },
  {
    "username": "{{ harbor_oidc_admin_username }}",
    "destination_group": "admin",
  },
  {
    "username": "{{ harbor_oidc_admin_username }}",
    "destination_group": "smardigo",
  }
 ]
--- a/roles/harbor_realm/tasks/main.yml
+++ b/roles/harbor_realm/tasks/main.yml
@ -0,0 +1,39 @@
 ---
 - name: "Setup realm for {{ inventory_hostname }}"
  include_role:
    name: keycloak
    tasks_from: _authenticate
 - name: "Setup realm for {{ inventory_hostname }}"
  include_role:
    name: keycloak
    tasks_from: _configure_realm
 - name: "Create realm users"
  include_role:
    name: keycloak
    tasks_from: _create_realm_groups
 - name: "Create realm users"
  include_role:
    name: keycloak
    tasks_from: _create_realm_users
 - name: "Create realm admin"
  include_role:
    name: keycloak
    tasks_from: _create_realm_admin
 - name: "Create user group mappings"
  include_role:
    name: keycloak
    tasks_from: _configure_user_groupmembership_crud
  vars:
    realm_name: '{{ current_realm_name }}'
    bearer_token: '{{ access_token }}'
    username: '{{ item.username }}'
    destination_group: '{{ item.destination_group }}'
  loop: "{{ current_user_groupmembership }}"
  loop_control:
    label: "{{ item.username }} >> {{ item.destination_group }}"
--- a/roles/harbor_realm/vars/main.yml
+++ b/roles/harbor_realm/vars/main.yml
@ -0,0 +1 @@
 ---
--- a/roles/keycloak/tasks/_authenticate.yml
+++ b/roles/keycloak/tasks/_authenticate.yml
@ -1,5 +1,4 @@
 ---
 - name: "Authenticating with keycloak server"
  uri:
    url: "{{ keycloak_server_url }}/auth/realms/master/protocol/openid-connect/token"
--- a/roles/keycloak/tasks/_configure_client.yml
+++ b/roles/keycloak/tasks/_configure_client.yml
@ -1,5 +1,4 @@
 ---
 - name: Print client {{ client_id }} for realm {{ realm_name }}
  debug:
    msg: "{{ lookup('template','keycloak-realm-create-client.json.j2') }}"
--- a/roles/keycloak/tasks/_configure_client_crud.yml
+++ b/roles/keycloak/tasks/_configure_client_crud.yml
@ -1,5 +1,5 @@
 ---
- name: "GETTING all clients for realm <<{{ realm_name }}>>"
+- name: "GETTING all clients for realm <{{ realm_name }}>"
  delegate_to: 127.0.0.1
  become: false
  uri:
--- a/roles/keycloak/tasks/_configure_realm.yml
+++ b/roles/keycloak/tasks/_configure_realm.yml
@ -1,96 +1,100 @@
 ---
 - name: "Creating realm <{{ current_realm_name }}>"
  community.general.keycloak_realm:
    enabled: true
    id: "{{ current_realm_name }}"
    realm: "{{ current_realm_name }}"
    display_name: "{{ current_realm_display_name }}"
    auth_realm: "master"
    auth_client_id: "admin-cli"
    auth_username: "{{ keycloak_admin_username }}"
    auth_password: "{{ keycloak_admin_password }}"
    auth_keycloak_url: "{{ keycloak_server_url }}/auth"
    account_theme: "smardigo-theme"
    admin_theme: "smardigo-theme"
    login_theme: "smardigo-theme"
    registration_allowed: no
    reset_password_allowed: yes
    login_with_email_allowed: no
    duplicate_emails_allowed: yes
    internationalization_enabled: yes
    default_locale: "de"
    supported_locales:
    - "de"
    - "en"
    events_enabled: yes
    events_expiration: 604800
    admin_events_enabled: yes
    smtp_server:
      host: "{{ shared_service_mail_hostname }}"
      from: "{{ keycloak_id }}@smardigo.digital"
    events_listeners:
    - "jboss-logging"
    - "metrics-listener"
    state: present
  tags:
    - update_realms
- name: Read realms
+- name: "Creating client <{{ client.clientId }}> in realm <{{ current_realm_name }}>"
-  uri:
+  community.general.keycloak_client:
-    url: "{{ keycloak_server_url }}/auth/admin/realms"
+    auth_realm: "master"
-    method: GET
+    auth_client_id: "admin-cli"
-    headers:
+    auth_username: "{{ keycloak_admin_username }}"
-      Authorization: "Bearer {{ access_token }}"
+    auth_password: "{{ keycloak_admin_password }}"
-    status_code: [200]
+    auth_keycloak_url: "{{ keycloak_server_url }}/auth"
-  register: realms
+    state: present
-  delegate_to: 127.0.0.1
+    realm: "{{ current_realm_name }}"
-  become: false
+    client_id: "{{ client.clientId }}"
-
+    id: "{{ client.clientId }}"
- name: Save realms as variable (fact)
+    name: "{{ client.name }}"
-  set_fact: 
+    root_url: "{{ client.root_url }}"
-    realms_json: "{{ realms.json }}"
+    admin_url: "{{ client.admin_url }}"
-  delegate_to: 127.0.0.1
+    secret: "{{ client.secret }}"
-  become: false
+    redirect_uris: "{{ client.redirect_uris }}"
-
+    web_origins: "{{ client.web_origins }}"
- name: Read realm ids
+    bearer_only: false
-  set_fact:  
+    consent_required: false
-    realm_ids: "{{ realms_json | json_query(jmesquery) }}"
+    standard_flow_enabled: true
-  vars:
+    implicit_flow_enabled: false
-    jmesquery: '[*].id'
+    service_accounts_enabled: true
-  delegate_to: 127.0.0.1
+    authorization_services_enabled: true
-  become: false
+    public_client: false
-
+    frontchannel_logout: false
- name: "Printing realm ids"
+    protocol: openid-connect
-  debug:
+    full_scope_allowed: true
-    msg: "{{ realm_ids }}"
+    node_re_registration_timeout: -1
-  delegate_to: 127.0.0.1
+    surrogate_auth_required: false
-  become: false
+    attributes:
-  when:
+      saml.authnstatement: false
-   - debug
+      saml.client.signature: false
-
+      saml.force.post.binding: false
- name: Create realm {{ current_realm_name }}
+      saml.server.signature: false
-  uri:
+      saml_force_name_id_format: false
-    url: "{{ keycloak_server_url }}/auth/admin/realms"
+      user.info.response.signature.alg: unsigned
-    method: POST
+      request.object.signature.alg: none
-    body_format: json
+    protocol_mappers:
-    body: "{{ lookup('template','keycloak-realm-create.json.j2') }}"
+      - name: "username"
-    headers:
+        consentRequired: false
-      Authorization: "Bearer {{ access_token }}"
+        protocol: openid-connect
-    status_code: [201]
+        protocolMapper: oidc-usermodel-property-mapper
-  when: current_realm_name not in realm_ids
+        config:
-  delegate_to: 127.0.0.1
+          claim.name: "sub"
-  become: false
+          user.attribute: "username"
-
+          id.token.claim: true
- name: Read clients from realm {{ current_realm_name }}
+          access.token.claim: true
-  uri:
+          userinfo.token.claim: true
-    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/clients"
+          jsonType.label: String
-    method: GET
+      - name: "groups"
-    headers:
+        protocol: openid-connect
-      Authorization: "Bearer {{ access_token }}"
+        protocolMapper: oidc-group-membership-mapper
-    status_code: [200]
+        consentRequired: false
-  register: realm_clients
+        config:
-  delegate_to: 127.0.0.1
+          claim.name: "groups"
-  become: false
+          full.path: false
-
+          id.token.claim: true
- name: Save clients from realm as variable (fact)
+          access.token.claim: true
-  set_fact: 
+          userinfo.token.claim: true
-    realm_clients_json: "{{ realm_clients.json }}"
+          jsonType.label: String
-  delegate_to: 127.0.0.1
+  with_items: "{{ current_realm_clients | default([]) }}"
  become: false
 - name: "Save client ids from realm {{ current_realm_name }}"
  set_fact:  
    realm_client_ids: "{{ realm_clients_json | json_query(jmesquery) }}"
  vars:
    jmesquery: '[*].{id: id, clientId: clientId}'
  delegate_to: 127.0.0.1
  become: false
 - name: "Printing client ids from realm {{ current_realm_name }}"
  debug:
    msg: "{{ realm_client_ids }}"
  delegate_to: 127.0.0.1
  become: false
  when:
   - debug
 - name: "Create clients from realm {{ current_realm_name }}"
  include_tasks: _configure_client.yml
  vars:
    realm_name: '{{ current_realm_name }}'
    client_id: '{{ client.clientId }}'
    client_name: '{{ client.name }}'
    admin_url: '{{ client.admin_url }}'
    root_url: '{{ client.root_url }}'
    redirect_uris: '{{ client.redirect_uris }}'
    secret: '{{ client.secret }}'
    web_origins: '{{ client.web_origins }}'
  with_items: "{{ current_realm_clients }}"
  loop_control:
    loop_var: client
  when: create_client | default('True') | bool
--- a/roles/keycloak/tasks/_configure_realm_admin_users.yml
+++ b/roles/keycloak/tasks/_configure_realm_admin_users.yml
@ -1,5 +1,4 @@
 ---
 - name: "Reading users of realm {{ current_realm_name }}"
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users"
--- a/roles/keycloak/tasks/_configure_user_groupmembership_crud.yml
+++ b/roles/keycloak/tasks/_configure_user_groupmembership_crud.yml
@ -1,5 +1,5 @@
 ---
- name: "GETTING all groups for realm <<{{ realm_name }}>>"
+- name: "GETTING all groups for realm <{{ realm_name }}>"
  delegate_to: 127.0.0.1
  become: false
  uri:
@ -10,7 +10,7 @@
    status_code: [200]
  register: get_all_groups
- name: "GETTING all users for realm <<{{ realm_name }}>>"
+- name: "GETTING all users for realm <{{ realm_name }}>"
  delegate_to: 127.0.0.1
  become: false
  uri:
@ -26,7 +26,7 @@
    group_id: '{{ ( get_all_groups.json | selectattr("name","equalto",destination_group) | first ).id }}'
    user_id: '{{ ( get_all_users.json | selectattr("username","equalto",username) | first ).id }}'
- name: "GETTING all group for user <<{{ username }}>> in realm<<{{ realm_name }}>>"
+- name: "GETTING all group for user <{{ username }}> in realm <{{ realm_name }}>"
  delegate_to: 127.0.0.1
  become: false
  uri:
@ -37,7 +37,7 @@
    status_code: [200]
  register: get_all_groups_for_current_user
- name: "ADDING USER <{{ client_id }}> for realm <{{ realm_name }}> to Group <<{{ destination_group }}>>"
+- name: "ADDING USER <{{ username }}> for realm <{{ realm_name }}> to Group <{{ destination_group }}>"
  delegate_to: 127.0.0.1
  become: false
  uri:
--- a/roles/keycloak/tasks/_create_realm_admin.yml
+++ b/roles/keycloak/tasks/_create_realm_admin.yml
@ -58,16 +58,13 @@
      Content-Type: "application/json"
      Authorization: "Bearer {{ access_token }}"
    status_code: [201]
-  with_items: "{{ current_realm_admin_users }}"
+  loop: "[{{ current_realm_admin_user }}]"
  when: current_realm_user.username not in realm_user_usernames
  changed_when: True
  loop_control:
    loop_var: current_realm_user
  when: current_realm_user.username not in realm_user_usernames
  changed_when: True
  delegate_to: 127.0.0.1
  become: false
 - name: "Adding admin users from realm {{ current_realm_name }}"
  include_tasks: _configure_realm_admin_users.yml
  with_items: "{{ current_realm_admin_users }}"
  loop_control:
    loop_var: current_realm_admin_user
--- a/roles/keycloak/tasks/_create_realm_groups.yml
+++ b/roles/keycloak/tasks/_create_realm_groups.yml
@ -1,5 +1,4 @@
 ---
 - name: Read groups of realm {{ current_realm_name }}
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/groups"
--- a/roles/keycloak/tasks/_create_realm_users.yml
+++ b/roles/keycloak/tasks/_create_realm_users.yml
@ -1,5 +1,4 @@
 ---
 - name: "Reading users of realm {{ current_realm_name }}"
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users"
--- a/roles/keycloak/tasks/configure_client.yml
+++ b/roles/keycloak/tasks/configure_client.yml
@ -1,23 +0,0 @@
 ---
 - name: Print client {{ client_id }} for realm {{ realm_name }}
  debug:
    msg: "{{ lookup('template','keycloak-realm-create-client.json.j2') }}"
  tags:
    - always
  when:
    - debug
    - realm_client_ids | selectattr('clientId', 'equalto', client_id) | list | length == 0
 - name: Create client {{ client_id }} for realm {{ realm_name }}
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ realm_name }}/clients"
    method: POST
    body_format: json
    body: "{{ lookup('template','keycloak-realm-create-client.json.j2') }}"
    headers:
      Authorization: "Bearer {{ access_token }} "
    status_code: [201]
  when: realm_client_ids | selectattr('clientId', 'equalto', client_id) | list | length == 0
  tags:
    - update_realms
--- a/roles/keycloak/tasks/configure_realm.yml
+++ b/roles/keycloak/tasks/configure_realm.yml
@ -1,90 +0,0 @@
 ---
 - name: Read realms
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms"
    method: GET
    headers:
      Authorization: "Bearer {{ access_token }}"
    status_code: [200]
  register: realms
  tags:
    - update_realms
 - name: Save realms as variable (fact)
  set_fact: 
    realms_json: "{{ realms.json }}"
  tags:
    - update_realms
 - name: Read realm ids
  set_fact:  
    realm_ids: "{{ realms_json | json_query(jmesquery) }}"
  vars:
    jmesquery: '[*].id'
  tags:
    - update_realms
 - name: Create realm {{ current_realm_name }}
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms"
    method: POST
    body_format: json
    body: "{{ lookup('template','keycloak-realm-create.json.j2') }}"
    headers:
      Authorization: "Bearer {{ access_token }}"
    status_code: [201]
  when: current_realm_name not in realm_ids
  tags:
    - update_realms
 - name: Read clients from realm {{ current_realm_name }}
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/clients"
    method: GET
    headers:
      Authorization: "Bearer {{ access_token }}"
    status_code: [200]
  register: realm_clients
  tags:
    - update_realms
 - name: Save clients from realm as variable (fact)
  set_fact: 
    realm_clients_json: "{{ realm_clients.json }}"
  tags:
    - update_realms
 - name: Save client ids from realm {{ current_realm_name }}
  set_fact:  
    realm_client_ids: "{{ realm_clients_json | json_query(jmesquery) }}"
  vars:
    jmesquery: '[*].{id: id, clientId: clientId}'
  tags:
    - update_realms
 - name: Print client ids
  debug:
    msg: "{{ realm_client_ids }}"
  tags:
    - always
  when:
    - debug
 - name: Create clients from realm {{ current_realm_name }}
  include_tasks: configure_client.yml
  vars:
    realm_name: '{{ current_realm_name }}'
    client_id: '{{ client.clientId }}'
    client_name: '{{ client.name }}'
    admin_url: '{{ client.admin_url }}'
    root_url: '{{ client.root_url }}'
    redirect_uris: '{{ client.redirect_uris }}'
    secret: '{{ client.secret }}'
    web_origins: '{{ client.web_origins }}'
    access_token: '{{ keycloak_authentication.json.access_token }}'
  with_items: "{{ current_realm_clients }}"
  loop_control:
    loop_var: client
  tags:
    - update_realms
--- a/roles/keycloak/tasks/create_realm_users.yml
+++ b/roles/keycloak/tasks/create_realm_users.yml
@ -1,63 +0,0 @@
 ---
 - name: Read users of realm {{ current_realm_name }}
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users"
    method: GET
    headers:
      Authorization: "Bearer {{ access_token }} "
    status_code: [200]
  register: realm_users
  tags:
    - create_users
    - update_realms
 - name: Print realm users
  debug:
    msg: "{{ realm_users }}"
  tags:
    - always
  when:
    - debug
 - name: Save realm users as variable (fact)
  set_fact: 
    realm_users_json: "{{ realm_users.json }}"
  tags:
    - create_users
    - update_realms
 - name: Read realm user ids
  set_fact:  
    realm_user_usernames:  "{{ realm_users_json | json_query(jmesquery) }}"
  vars:
    jmesquery: '[*].username'
  tags:
    - create_users
    - update_realms
 - name: Print realm usernames
  debug:
    msg: "{{ realm_user_usernames }}"
  tags:
    - always
  when:
    - debug
 - name: "Create users for realm {{ current_realm_name }}"
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users"
    method: POST
    body_format: json
    body: "{{ lookup('template','keycloak-realm-create-user.json.j2') }}"
    headers:
      Content-Type: "application/json"
      Authorization: "Bearer {{ access_token }}"
    status_code: [201]
  with_items: "{{ current_realm_users }}"
  when: current_realm_user.username not in realm_user_usernames
  loop_control:
    loop_var: current_realm_user
  tags:
    - create_users
    - update_realms
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@ -1,11 +1,8 @@
 ---
 ### tags:
 ###   create_users
 ###   create_groups
 ###   update_realms
 ###   update_deployment
-###   configure_container
+###   update_realms
 - name: "Setup DNS configuration for {{ inventory_hostname }}"
  include_role:
@ -82,8 +79,6 @@
  delay: 5
  register: keycloak_authentication
  tags:
    - create_users
    - create_groups
    - update_realms
 - name: "Printing master realm access_token"
@ -127,38 +122,3 @@
    state: present
  tags:
    - update_realms
 - name: "Setup realms"
  include_tasks: configure_realm.yml
  vars:
    current_realm_name: '{{ current_realm.name }}'
    current_realm_display_name: '{{ current_realm.display_name }}'
    current_realm_clients: '{{ current_realm.clients | default([]) }}'
    access_token: "{{ keycloak_authentication.json.access_token }}"
  with_items: "{{ keycloak.realms }}"
  loop_control:
    loop_var: current_realm
  tags:
    - update_realms
 - name: "Create realm users"
  include_tasks: create_realm_users.yml
  vars:
    current_realm_name: "{{ item.name }}"
    current_realm_users: "{{ item.users | default([]) }}"
    access_token: "{{ keycloak_authentication.json.access_token }}"
  with_items: "{{ keycloak.realms }}"
  tags:
    - create_users
    - update_realms
 - name: "Create realm groups"
  include_tasks: create_realm_groups.yml
  vars:
    current_realm_name: "{{ item.name }}"
    current_realm_groups: "{{ item.groups | default([]) }}"
    access_token: "{{ keycloak_authentication.json.access_token }}"
  with_items: "{{ keycloak.realms }}"
  tags:
    - create_groups
    - update_realms
--- a/roles/keycloak/templates/keycloak-realm-create-client.json.j2
+++ b/roles/keycloak/templates/keycloak-realm-create-client.json.j2
@ -1,76 +0,0 @@
 {
  "adminUrl": "{{ admin_url }}",
  "attributes": {
    "saml.assertion.signature": "false",
    "saml.force.post.binding": "false",
    "saml.multivalued.roles": "false",
    "saml.encrypt": "false",
    "saml.server.signature": "false",
    "saml.server.signature.keyinfo.ext": "false",
    "exclude.session.state.from.auth.response": "false",
    "saml_force_name_id_format": "false",
    "saml.client.signature": "false",
    "tls.client.certificate.bound.access.tokens": "false",
    "saml.authnstatement": "false",
    "display.on.consent.screen": "false",
    "saml.onetimeuse.condition": "false"
  },
  "authenticationFlowBindingOverrides": {},
  "authorizationServicesEnabled": true,
  "bearerOnly": false,
  "clientAuthenticatorType": "client-secret",
  "clientId": "{{ client_id }}",
  "consentRequired": false,
  "defaultClientScopes": [
    "role_list",
    "profile",
    "roles",
    "email"
  ],
  "directAccessGrantsEnabled": true,
  "enabled": true,
  "frontchannelLogout": false,
  "fullScopeAllowed": true,
  "implicitFlowEnabled": false,
  "name": "{{ client_name }}",
  "nodeReRegistrationTimeout": -1,
  "notBefore": 0,
  "optionalClientScopes": [],
  "protocol" : "{{ protocol | default('openid-connect') }}",
  "protocolMappers": [
    {
      "name": "username",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usermodel-property-mapper",
      "consentRequired": false,
      "config": {
        "user.attribute": "username",
        "claim.name": "sub",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "userinfo.token.claim": "true"
      }
    },
    {
      "name": "groups",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-group-membership-mapper",
      "consentRequired": false,
      "config": {
        "full.path": "false",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "groups",
        "userinfo.token.claim": "true"
      }
    }
  ],
  "publicClient": false,
  "redirectUris": {{ redirect_uris }},
  "rootUrl": "{{ root_url }}",
  "secret": "{{ secret }}",
  "serviceAccountsEnabled": true,
  "standardFlowEnabled": true,
  "surrogateAuthRequired": false,
  "webOrigins": {{ web_origins }}
 }
--- a/roles/keycloak/templates/keycloak-realm-create-user.json.j2
+++ b/roles/keycloak/templates/keycloak-realm-create-user.json.j2
@ -4,11 +4,7 @@
  "lastName": "{{ current_realm_user.lastName | default('') }}",
  "email": "{{ current_realm_user.email | default('') }}",
  "enabled": true,
-  "requiredActions": [
+  "requiredActions": {{ current_realm_user.requiredActions | default(["UPDATE_PASSWORD","UPDATE_PROFILE","VERIFY_EMAIL"]) }},
    "UPDATE_PASSWORD",
    "UPDATE_PROFILE",
    "VERIFY_EMAIL"
  ],
  "credentials" : [{
    "type": "password",
    "value": "{{ current_realm_user.password }}",
--- a/roles/keycloak/templates/keycloak-realm-create.json.j2
+++ b/roles/keycloak/templates/keycloak-realm-create.json.j2
@ -1,135 +0,0 @@
 {
  "id": "{{ current_realm_name }}",
  "realm": "{{ current_realm_name }}",
  "displayName": "{{ current_realm_display_name }}",
  "displayNameHtml": "",
  "notBefore": 0,
  "revokeRefreshToken": false,
  "refreshTokenMaxReuse": 0,
  "accessTokenLifespan": 60,
  "accessTokenLifespanForImplicitFlow": 900,
  "ssoSessionIdleTimeout": 1800,
  "ssoSessionMaxLifespan": 36000,
  "ssoSessionIdleTimeoutRememberMe": 0,
  "ssoSessionMaxLifespanRememberMe": 0,
  "offlineSessionIdleTimeout": 2592000,
  "offlineSessionMaxLifespanEnabled": false,
  "offlineSessionMaxLifespan": 5184000,
  "clientSessionIdleTimeout": 0,
  "clientSessionMaxLifespan": 0,
  "clientOfflineSessionIdleTimeout": 0,
  "clientOfflineSessionMaxLifespan": 0,
  "accessCodeLifespan": 60,
  "accessCodeLifespanUserAction": 300,
  "accessCodeLifespanLogin": 1800,
  "actionTokenGeneratedByAdminLifespan": 43200,
  "actionTokenGeneratedByUserLifespan": 300,
  "enabled": true,
  "sslRequired": "none",
  "registrationAllowed": true,
  "registrationEmailAsUsername": false,
  "rememberMe": true,
  "verifyEmail": true,
  "loginWithEmailAllowed": false,
  "duplicateEmailsAllowed": true,
  "resetPasswordAllowed": true,
  "editUsernameAllowed": false,
  "bruteForceProtected": false,
  "permanentLockout": false,
  "maxFailureWaitSeconds": 900,
  "minimumQuickLoginWaitSeconds": 60,
  "waitIncrementSeconds": 60,
  "quickLoginCheckMilliSeconds": 1000,
  "maxDeltaTimeSeconds": 43200,
  "failureFactor": 30,
  "defaultRoles": [
    "offline_access",
    "uma_authorization"
  ],
  "requiredCredentials": [
    "password"
  ],
  "otpPolicyType": "totp",
  "otpPolicyAlgorithm": "HmacSHA1",
  "otpPolicyInitialCounter": 0,
  "otpPolicyDigits": 6,
  "otpPolicyLookAheadWindow": 1,
  "otpPolicyPeriod": 30,
  "otpSupportedApplications": [
    "FreeOTP",
    "Google Authenticator"
  ],
  "webAuthnPolicyRpEntityName": "keycloak",
  "webAuthnPolicySignatureAlgorithms": [
    "ES256"
  ],
  "webAuthnPolicyRpId": "",
  "webAuthnPolicyAttestationConveyancePreference": "not specified",
  "webAuthnPolicyAuthenticatorAttachment": "not specified",
  "webAuthnPolicyRequireResidentKey": "not specified",
  "webAuthnPolicyUserVerificationRequirement": "not specified",
  "webAuthnPolicyCreateTimeout": 0,
  "webAuthnPolicyAvoidSameAuthenticatorRegister": false,
  "webAuthnPolicyAcceptableAaguids": [
  ],
  "webAuthnPolicyPasswordlessRpEntityName": "keycloak",
  "webAuthnPolicyPasswordlessSignatureAlgorithms": [
    "ES256"
  ],
  "webAuthnPolicyPasswordlessRpId": "",
  "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
  "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
  "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
  "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
  "webAuthnPolicyPasswordlessCreateTimeout": 0,
  "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
  "webAuthnPolicyPasswordlessAcceptableAaguids": [
  ],
  "browserSecurityHeaders": {
    "contentSecurityPolicyReportOnly": "",
    "xContentTypeOptions": "nosniff",
    "xRobotsTag": "none",
    "xFrameOptions": "SAMEORIGIN",
    "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
    "xXSSProtection": "1; mode=block",
    "strictTransportSecurity": "max-age=31536000; includeSubDomains"
  },
  "smtpServer": {
    "host": "{{ shared_service_mail_hostname }}",
    "from": "{{ current_realm_name }}.{{ inventory_hostname }}@{{ domain }}"
  },
  "loginTheme": "smardigo-theme",
  "accountTheme": "smardigo-theme",
  "adminTheme": "smardigo-theme",
  "eventsEnabled": false,
  "eventsListeners": [
    "jboss-logging"
  ],
  "enabledEventTypes": [
  ],
  "adminEventsEnabled": false,
  "adminEventsDetailsEnabled": false,
  "identityProviders": [
  ],
  "identityProviderMappers": [
  ],
  "internationalizationEnabled": true,
  "supportedLocales": [
    "de",
    "en"
  ],
  "defaultLocale": "de",
  "browserFlow": "browser",
  "registrationFlow": "registration",
  "directGrantFlow": "direct grant",
  "resetCredentialsFlow": "reset credentials",
  "clientAuthenticationFlow": "clients",
  "dockerAuthenticationFlow": "docker auth",
  "attributes": {
    "clientOfflineSessionMaxLifespan": "0",
    "clientSessionIdleTimeout": "0",
    "clientSessionMaxLifespan": "0",
    "clientOfflineSessionIdleTimeout": "0"
  },
  "userManagedAccessAllowed": false
 }
--- a/roles/kubernetes/apps/tasks/argocd.yml
+++ b/roles/kubernetes/apps/tasks/argocd.yml
@ -1,10 +1,4 @@
 ---
 # I tried to create a realm via community.general.keycloak_realm
 # but every request failed with HTTP 500
 # but creating a group via community.general.keycloak_group
 # was successfully
 #  ¯\_(ツ)_/¯
 #
 - name: "Login with keycloak-admin"
  include_role:
    name: keycloak
@ -22,17 +16,14 @@
  - inventory_hostname == groups['kube_control_plane'][0]
 - name: "Create a Keycloak group, authentication with credentials"
-  delegate_to: localhost
+  include_role:
-  become: False
+    name: keycloak
-  community.general.keycloak_group:
+    tasks_from: _create_realm_groups
-    auth_keycloak_url: "{{ keycloak_server_url }}/auth"
+  vars:
-    auth_client_id: admin-cli
+    current_realm_name: '{{ argo_realm_name }}'
-    auth_realm: 'master'
+    current_realm_display_name: '{{ argo_realm_display_name }}'
-    auth_username: "{{ keycloak_admin_username }}"
+    current_realm_groups:
-    auth_password: "{{ keycloak_admin_password }}"
+      - name: "{{ argo_realm_group }}"
    name: '{{ argo_realm_group }}'
    realm: '{{ argo_realm_name }}'
    state: present
  when:
  - inventory_hostname == groups['kube_control_plane'][0]
@ -157,6 +148,13 @@
  - debug
  - inventory_hostname == groups['kube_control_plane'][0]
 - name: "Create namespace <{{ k8s_argocd_helm__release_namespace }}>"
  kubernetes.core.k8s:
    name: "{{ k8s_argocd_helm__release_namespace }}"
    api_version: v1
    kind: Namespace
    state: present
 - name: "Create a k8s Secret containing GPG key"
  kubernetes.core.k8s:
    state: present
@ -196,8 +194,8 @@
 - name: Deploy argo-cd inside argo-cd namespace
  kubernetes.core.helm:
    name: "{{ k8s_argocd_helm__name }}"
    chart_repo_url: "{{ k8s_argocd_helm__chart_repo_url | default('https://argoproj.github.io/argo-helm') }}"
    chart_ref: "{{ k8s_argocd_helm__chart_ref | default('argo-cd') }}"
    chart_repo_url: "{{ k8s_argocd_helm__chart_repo_url | default('https://argoproj.github.io/argo-helm') }}"
    release_namespace: "{{ k8s_argocd_helm__release_namespace }}"
    create_namespace: yes
    release_values: "{{ combined_helm__release_values }}"
--- a/roles/kubernetes/cert-manager/defaults/main.yml
+++ b/roles/kubernetes/cert-manager/defaults/main.yml
@ -4,7 +4,6 @@ k8s_prometheus_helm__name: "prometheus"
 k8s_certmanager_helm__chart_ref: cert-manager
 k8s_certmanager_helm__chart_repo_url: https://charts.jetstack.io
 k8s_certmanager_helm__chart_version: v1.5.4
 k8s_certmanager_helm__release_namespace: cert-manager
 k8s_certmanager_helm__release_values:
--- a/roles/kubernetes/cert-manager/tasks/main.yml
+++ b/roles/kubernetes/cert-manager/tasks/main.yml
@ -8,7 +8,6 @@
    name: cert-manager
    chart_ref: "{{ k8s_certmanager_helm__chart_ref }}"
    chart_repo_url: "{{ k8s_certmanager_helm__chart_repo_url }}"
    chart_version: "{{ k8s_certmanager_helm__chart_version }}"
    release_namespace: "{{ k8s_certmanager_helm__release_namespace }}"
    create_namespace: yes
    release_values: "{{ k8s_certmanager_helm__release_values }}"
--- a/roles/kubernetes/container-storage-interface/defaults/main.yml
+++ b/roles/kubernetes/container-storage-interface/defaults/main.yml
@ -1,3 +1,3 @@
 ---
-k8s_csi__template: "hcloud-csi.v1.5.1.yaml.j2"
+k8s_csi__template: "hcloud-csi.v1.6.0.yaml.j2"
--- a/roles/kubernetes/container-storage-interface/templates/hcloud-csi.v1.6.0.yaml.j2
+++ b/roles/kubernetes/container-storage-interface/templates/hcloud-csi.v1.6.0.yaml.j2
@ -1,5 +1,5 @@
 ---
-apiVersion: storage.k8s.io/v1beta1
+apiVersion: storage.k8s.io/v1
 kind: CSIDriver
 metadata:
  name: csi.hetzner.cloud
@ -47,6 +47,9 @@ rules:
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]
  # provisioner
  - apiGroups: [""]
    resources: ["secrets"]
@ -69,6 +72,10 @@ rules:
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list"]
  # resizer
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # node
  - apiGroups: [""]
    resources: ["events"]
@ -106,54 +113,48 @@ spec:
      serviceAccount: hcloud-csi
      containers:
        - name: csi-attacher
-          image: quay.io/k8scsi/csi-attacher:v2.2.0
+          image: k8s.gcr.io/sig-storage/csi-attacher:v3.2.1
          args:
            - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock
            - --v=5
          volumeMounts:
            - name: socket-dir
-              mountPath: /var/lib/csi/sockets/pluginproxy/
+              mountPath: /run/csi
          securityContext:
            privileged: true
            capabilities:
              add: ["SYS_ADMIN"]
            allowPrivilegeEscalation: true
        - name: csi-resizer
-          image: quay.io/k8scsi/csi-resizer:v0.3.0
+          image: k8s.gcr.io/sig-storage/csi-resizer:v1.2.0
          args:
            - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock
            - --v=5
          volumeMounts:
            - name: socket-dir
-              mountPath: /var/lib/csi/sockets/pluginproxy/
+              mountPath: /run/csi
          securityContext:
            privileged: true
            capabilities:
              add: ["SYS_ADMIN"]
            allowPrivilegeEscalation: true
        - name: csi-provisioner
-          image: quay.io/k8scsi/csi-provisioner:v1.6.0
+          image: k8s.gcr.io/sig-storage/csi-provisioner:v2.2.2
          args:
            - --provisioner=csi.hetzner.cloud
            - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock
            - --feature-gates=Topology=true
-            - --v=5
+            - --default-fstype=ext4
          volumeMounts:
            - name: socket-dir
-              mountPath: /var/lib/csi/sockets/pluginproxy/
+              mountPath: /run/csi
          securityContext:
            privileged: true
            capabilities:
              add: ["SYS_ADMIN"]
            allowPrivilegeEscalation: true
        - name: hcloud-csi-driver
-          image: hetznercloud/hcloud-csi-driver:1.5.1
+          image: hetznercloud/hcloud-csi-driver:1.6.0
          imagePullPolicy: Always
          env:
            - name: CSI_ENDPOINT
-              value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
+              value: unix:///run/csi/socket
            - name: METRICS_ENDPOINT
              value: 0.0.0.0:9189
            - name: ENABLE_METRICS
              value: "true"
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
@ -166,7 +167,7 @@ spec:
                  key: token
          volumeMounts:
            - name: socket-dir
-              mountPath: /var/lib/csi/sockets/pluginproxy/
+              mountPath: /run/csi
          ports:
            - containerPort: 9189
              name: metrics
@ -188,11 +189,9 @@ spec:
            allowPrivilegeEscalation: true
        - name: liveness-probe
          imagePullPolicy: Always
-          image: quay.io/k8scsi/livenessprobe:v1.1.0
+          image: k8s.gcr.io/sig-storage/livenessprobe:v2.3.0
          args:
            - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
-            - mountPath: /var/lib/csi/sockets/pluginproxy/
+            - mountPath: /run/csi
              name: socket-dir
      volumes:
        - name: socket-dir
@ -221,14 +220,21 @@ spec:
          operator: Exists
        - key: CriticalAddonsOnly
          operator: Exists
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: "instance.hetzner.cloud/is-root-server"
                    operator: NotIn
                    values:
                      - "true"
      serviceAccount: hcloud-csi
      containers:
        - name: csi-node-driver-registrar
-          image: quay.io/k8scsi/csi-node-driver-registrar:v1.3.0
+          image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.2.0
          args:
-            - --v=5
+            - --kubelet-registration-path=/var/lib/kubelet/plugins/csi.hetzner.cloud/socket
            - --csi-address=/csi/csi.sock
            - --kubelet-registration-path=/var/lib/kubelet/plugins/csi.hetzner.cloud/csi.sock
          env:
            - name: KUBE_NODE_NAME
              valueFrom:
@ -237,19 +243,21 @@ spec:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: plugin-dir
-              mountPath: /csi
+              mountPath: /run/csi
            - name: registration-dir
              mountPath: /registration
          securityContext:
            privileged: true
        - name: hcloud-csi-driver
-          image: hetznercloud/hcloud-csi-driver:1.5.1
+          image: hetznercloud/hcloud-csi-driver:1.6.0
          imagePullPolicy: Always
          env:
            - name: CSI_ENDPOINT
-              value: unix:///csi/csi.sock
+              value: unix:///run/csi/socket
            - name: METRICS_ENDPOINT
              value: 0.0.0.0:9189
            - name: ENABLE_METRICS
              value: "true"
            - name: HCLOUD_TOKEN
              valueFrom:
                secretKeyRef:
@ -265,7 +273,7 @@ spec:
              mountPath: /var/lib/kubelet
              mountPropagation: "Bidirectional"
            - name: plugin-dir
-              mountPath: /csi
+              mountPath: /run/csi
            - name: device-dir
              mountPath: /dev
          securityContext:
@ -286,11 +294,9 @@ spec:
            periodSeconds: 2
        - name: liveness-probe
          imagePullPolicy: Always
-          image: quay.io/k8scsi/livenessprobe:v1.1.0
+          image: k8s.gcr.io/sig-storage/livenessprobe:v2.3.0
          args:
            - --csi-address=/csi/csi.sock
          volumeMounts:
-            - mountPath: /csi
+            - mountPath: /run/csi
              name: plugin-dir
      volumes:
        - name: kubelet-dir
@ -324,6 +330,7 @@ spec:
    - port: 9189
      name: metrics
      targetPort: metrics
 ---
 apiVersion: v1
 kind: Service
--- a/roles/kubernetes/external-dns/defaults/main.yml
+++ b/roles/kubernetes/external-dns/defaults/main.yml
@ -4,7 +4,6 @@ k8s_prometheus_helm__name: "prometheus"
 k8s_externaldns_helm__chart_ref: external-dns
 k8s_externaldns_helm__chart_repo_url: https://kubernetes-sigs.github.io/external-dns/
 k8s_externaldns_helm__chart_version: v1.6.0
 k8s_externaldns_helm__release_namespace: external-dns
 k8s_externaldns_helm__release_values:
--- a/roles/kubernetes/external-dns/tasks/main.yml
+++ b/roles/kubernetes/external-dns/tasks/main.yml
@ -8,7 +8,6 @@
    name: external-dns
    chart_ref: "{{ k8s_externaldns_helm__chart_ref }}"
    chart_repo_url: "{{ k8s_externaldns_helm__chart_repo_url }}"
    chart_version: "{{ k8s_externaldns_helm__chart_version }}"
    release_namespace: "{{ k8s_externaldns_helm__release_namespace }}"
    create_namespace: yes
    release_values: "{{ k8s_externaldns_helm__release_values }}"
--- a/roles/kubernetes/ingress-controller/tasks/main.yml
+++ b/roles/kubernetes/ingress-controller/tasks/main.yml
@ -8,7 +8,6 @@
    name: ingress
    chart_repo_url: "{{ k8s_ingress_helm__chart_repo_url | default('https://kubernetes.github.io/ingress-nginx') }}"
    chart_ref: "{{ k8s_ingress_helm__chart_ref | default('ingress-nginx') }}"
    chart_version: "{{ k8s_ingress_helm__chart_version | default('4.0.6') }}"
    release_namespace: "{{ k8s_ingress_helm__release_namespace }}"
    create_namespace: yes
    release_values: "{{ k8s_ingress_helm__release_values }}"
--- a/roles/workflow_proxy_realm/defaults/main.yml
+++ b/roles/workflow_proxy_realm/defaults/main.yml
@ -30,9 +30,6 @@ current_realm_users: [
    "password": "{{ connect_client_admin_password }}",
  }
 ]
-current_realm_admin_users: [
+current_realm_admin_user:
-  {
+  username: "{{ connect_realm_admin_username }}"
-    "username": "{{ connect_realm_admin_username }}",
+  password: "{{ connect_realm_admin_password }}"
    "password": "{{ connect_realm_admin_password }}",
  }
 ]
--- a/setup.yml
+++ b/setup.yml
@ -49,7 +49,8 @@
        - install
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
--- a/smardigo.yml
+++ b/smardigo.yml
@ -18,7 +18,8 @@
      become: false
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
--- a/4
+++ b/4
@ -51,10 +51,10 @@ dev-postgres-02
 dev-prometheus-01
 [redis]
-dev-redis-01
+#dev-redis-01
 [webdav]
-dev-webdav-01
+#dev-webdav-01
 [kube_control_plane]
 dev-kube-master-01
--- a/36
+++ b/36
@ -4,11 +4,17 @@ prodnso-awx-01
 [connect]
 prodnso-management-01
 [pdns]
 #prodnso-pdns-01
 [elastic]
 prodnso-elastic-stack-elastic-01
 prodnso-elastic-stack-elastic-02
 prodnso-elastic-stack-elastic-03
 [gitea]
 #prodnso-gitea-01
 [harbor]
 prodnso-harbor-01
@ -43,12 +49,40 @@ prodnso-postgres-02
 [prometheus]
 prodnso-prometheus-01
 [redis]
 #prodnso-redis-01
 [webdav]
 #prodnso-webdav-01
 [kube_control_plane]
 #prodnso-kube-master-01
 #prodnso-kube-master-02
 #prodnso-kube-master-03
 [etcd]
 #prodnso-kube-master-01
 #prodnso-kube-master-02
 #prodnso-kube-master-03
 [kube_node]
 #prodnso-kube-node-01
 #prodnso-kube-node-02
 #prodnso-kube-node-03
 [k8s_cluster:children]
 kube_control_plane
 kube_node
 [stage_prodnso:children]
 awx
 connect
 elastic
 pdns
 gitea
 harbor
 iam
 k8s_cluster
 keycloak
 kibana
 logstash
@ -58,6 +92,8 @@ pgadmin4
 postfix
 postgres
 prometheus
 redis
 webdav
 [all:children]
 stage_prodnso
--- a/4
+++ b/4
@ -50,10 +50,10 @@ qa-postgres-02
 qa-prometheus-01
 [redis]
-qa-redis-01
+#qa-redis-01
 [webdav]
-qa-webdav-01
+#qa-webdav-01
 [kube_control_plane]
 qa-kube-master-01
--- a/stage-qa-netgo-hcloud.yml
+++ b/stage-qa-netgo-hcloud.yml
@ -15,11 +15,11 @@ label_selector: "stage=qa"
 api_token: !vault |
        $ANSIBLE_VAULT;1.1;AES256
-        36326436363431623035633730393332623665663439613835373436636637393838333865646564
+        38623731356563643239636338623835356561616237386164396637313063386366323734383163
-        6461343366393765383332323662326339623836336566660a666462633333613236663362643835
+        3661333761616165636238316165633934313835643063650a326434656336333165366464383237
-        39313166323139616162353366303839346664386237306562306363333731626338316134396561
+        32306538643733643635346132306630393562643632356135353937396566636563613963323137
-        3435316335343534620a396432353430396138343933663866613730333564646639323935366134
+        6564626233323139330a396661656364653562666461316666616531336631363965636130313232
-        37653935313437313263366462643033316662363366353866663664633835376661623737336363
+        32366263623739313538323336613434653338396236303439663432363735623362396161666536
-        32393431666138303538356138663163303965623339343063353234643664363933663330356237
+        30323735326133626633646333366166613238303465313833396137313839623561313632346366
-        32386139363033656538646236323237333631626161383966663839303666373266633039363337
+        30616636613964643832383534323561633761653839643637373331363239353363346462643632
-        64313830353765633865
+        35346162656666366438
--- a/tasks/autodiscover_pre_tasks.yml
+++ b/tasks/autodiscover_pre_tasks.yml
@ -8,21 +8,18 @@
      authorization: Bearer {{ hetzner_authentication_ansible }}
  register: hetzner_servers_result
  delegate_to: 127.0.0.1
  become: false
  tags:
    - always
 - name: "Setting hetzner server pagination count: <{{ hetzner_servers_result.json.meta.pagination.last_page }}>"
  set_fact:
    total_server_pages: "{{ hetzner_servers_result.json.meta.pagination.last_page }}"
  become: false
  tags:
    - always
 - name: "Reading hetzner server infos for stage <{{ stage }}> without pagination"
  set_fact:
    hetzner_servers: "{{ hetzner_servers_result.json.servers }}"
  become: false
  tags:
    - always
  when:
@ -39,7 +36,6 @@
    register: hetzner_servers_results
    with_sequence: start=1 end={{ total_server_pages }}
    delegate_to: 127.0.0.1
    become: false
  - name: "Reading hetzner server infos for stage <{{ stage }}> with pagination"
    set_fact:
@ -48,7 +44,6 @@
      querystr1: "[[*].json.servers]"
      querystr2: "[]"
    delegate_to: 127.0.0.1
    become: false
  when:
    - total_server_pages != '1'
  tags:
@ -58,7 +53,6 @@
  debug:
    msg: "{{ hetzner_servers }}"
  delegate_to: 127.0.0.1
  become: false
  tags:
    - always
  when:
@ -72,7 +66,6 @@
      authorization: Bearer {{ hetzner_authentication_ansible }}
  register: hetzner_networks
  delegate_to: 127.0.0.1
  become: false
  tags:
    - always
@ -80,7 +73,6 @@
  debug:
    msg: "{{ hetzner_networks.json.networks }}"
  delegate_to: 127.0.0.1
  become: false
  tags:
    - always
  when:
@ -90,7 +82,6 @@
  set_fact:
    stage_private_network_id: "{{ hetzner_networks.json.networks | map(attribute='id') | first }}"
  delegate_to: 127.0.0.1
  become: false
  tags:
    - always
@ -98,7 +89,6 @@
  debug:
    msg: "{{ stage_private_network_id }}"
  delegate_to: 127.0.0.1
  become: false
  tags:
    - always
  when:
@ -117,7 +107,6 @@
      {% endfor %}\
      {{ list|list }}"
  delegate_to: 127.0.0.1
  become: false
  tags:
    - always
@ -125,7 +114,6 @@
  debug:
    msg: "{{ stage_server_infos }}"
  delegate_to: 127.0.0.1
  become: false
  tags:
    - always
  when:
@ -143,7 +131,6 @@
        {% endif %}\
      {% endfor %}"
  delegate_to: 127.0.0.1
  become: false
  tags:
    - always
@ -153,7 +140,6 @@
  vars:
    querystr: "[?name=='{{ inventory_hostname }}'].public_net.ipv4.ip"
  delegate_to: 127.0.0.1
  become: false
  tags:
    - always
@ -161,7 +147,6 @@
  debug:
    msg: "{{ stage_server_ip }} / {{ stage_private_server_ip }}"
  delegate_to: 127.0.0.1
  become: false
  tags:
    - always
 #  when:
@ -171,7 +156,6 @@
  debug:
    msg: "{{ group_names }}"
  delegate_to: 127.0.0.1
  become: false
  tags:
    - always
 #  when:
--- a/update-monitoring.yml
+++ b/update-monitoring.yml
@ -45,7 +45,10 @@
  pre_tasks:
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
  tasks:
    - name: "Add all servers for stage {{ stage }} to inventory"
--- a/update-service-state.yml
+++ b/update-service-state.yml
@ -57,7 +57,10 @@
  pre_tasks:
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
  roles:
    - role: service_state
--- a/upload-database-dumb.yml
+++ b/upload-database-dumb.yml
@ -53,7 +53,10 @@
  pre_tasks:
    - name: "Import autodiscover pre-tasks"
-      include_tasks: tasks/autodiscover_pre_tasks.yml
+      import_tasks: tasks/autodiscover_pre_tasks.yml
      become: false
      tags:
        - always
  roles:
    - role: upload_local_file
--- a/users/friedrich.goerz/ssh.pub
+++ b/users/friedrich.goerz/ssh.pub
@ -1 +1 @@
-ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFRlmqgkIJxBC45cbVX25P1Uam/+Ct7XFvgMm60TDOWkQiTuVp5vd1sHq2HCRRfGxPrsKmwSQS5wMYIjeiclTag= friedrich@friedrich-HP-ZBook
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFRlmqgkIJxBC45cbVX25P1Uam/+Ct7XFvgMm60TDOWkQiTuVp5vd1sHq2HCRRfGxPrsKmwSQS5wMYIjeiclTag= friedrich.goerz@netgo.de
		`@ -1 +1 @@`
			`Subproject commit eeeca4a1d0334efebcf732d08bffc7e10240fc9c`				`Subproject commit 92f25bf267ffd3393f6caffa588169d3a44a799c`
`@ -1,3 +1,3 @@`
	`---`	`---`

	`k8s_csi__template: "hcloud-csi.v1.5.1.yaml.j2"`	`k8s_csi__template: "hcloud-csi.v1.6.0.yaml.j2"`
`@ -1 +1 @@`
	`ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFRlmqgkIJxBC45cbVX25P1Uam/+Ct7XFvgMm60TDOWkQiTuVp5vd1sHq2HCRRfGxPrsKmwSQS5wMYIjeiclTag= friedrich@friedrich-HP-ZBook`	`ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFRlmqgkIJxBC45cbVX25P1Uam/+Ct7XFvgMm60TDOWkQiTuVp5vd1sHq2HCRRfGxPrsKmwSQS5wMYIjeiclTag= friedrich.goerz@netgo.de`