Feature/dev 927

.gitmodules

@@ -1,4 +1,4 @@
 [submodule "kubespray"]
   path = kubespray
   url = https://github.com/kubernetes-sigs/kubespray.git
-  branch = release-2.19
+  branch = release-2.21

ansible.cfg

@@ -1,7 +1,7 @@
 [defaults]
 pipelining = True
 host_key_checking = False
-inventory_plugins = ./inventory_plugins
+inventory_plugins = inventory_plugins
 callbacks_enabled = profile_tasks
 interpreter_python = auto_silent
 log_path=last_ansible_run

external_monitoring.yml

@@ -16,6 +16,19 @@
         - "{{ lookup('community.general.dig', 'prodwork01-kube-node-03.' + domain ) }}"
         - "{{ lookup('community.general.dig', 'prodwork01-kube-node-04.' + domain ) }}"
         - "{{ lookup('community.general.dig', 'prodwork01-kube-node-05.' + domain ) }}"
+      k8s_nodes_devnso:
+        - "{{ lookup('community.general.dig', 'devnso-kube-node-01.' + domain ) }}"
+        - "{{ lookup('community.general.dig', 'devnso-kube-node-02.' + domain ) }}"
+        - "{{ lookup('community.general.dig', 'devnso-kube-node-03.' + domain ) }}"
+        - "{{ lookup('community.general.dig', 'devnso-kube-node-04.' + domain ) }}"
+        - "{{ lookup('community.general.dig', 'devnso-kube-node-05.' + domain ) }}"
+      k8s_nodes_qanso:
+        - "{{ lookup('community.general.dig', 'qanso-kube-node-01.' + domain ) }}"
+        - "{{ lookup('community.general.dig', 'qanso-kube-node-02.' + domain ) }}"
+        - "{{ lookup('community.general.dig', 'qanso-kube-node-03.' + domain ) }}"
+        - "{{ lookup('community.general.dig', 'qanso-kube-node-04.' + domain ) }}"
+        - "{{ lookup('community.general.dig', 'qanso-kube-node-05.' + domain ) }}"
+      k8s_nodes_prodnso: []
 
   - name: "Allow SSH in UFW"
     ufw:
@@ -39,7 +52,7 @@
       port: 9115
       proto: tcp
       src: "{{ item }}"
-    loop: "{{ prometheus_endpoints_all_stages + ip_whitelist + k8s_nodes_mobene }}"
+    loop: "{{ prometheus_endpoints_all_stages + ip_whitelist + k8s_nodes_mobene + k8s_nodes_devnso + k8s_nodes_qanso + k8s_nodes_prodnso }}"
 
   - name: "Set firewall default policy"
     ufw:

group_vars/all/services.yml

@@ -19,11 +19,12 @@ shared_service_url_management: "https://{{ shared_service_hostname_management }}
 shared_service_hostname_management: "{{ shared_service_host_management }}-connect.{{ domain_env }}"
 
 # use private loadbalancer ip for all kubernetes services
-shared_service_kube_argocd_hostname: "{{ stage }}-kube-argocd.{{ domain_env }}"
-shared_service_kube_awx_hostname: "{{ stage }}-kube-awx.{{ domain_env }}"
+stage_kube: "{{ stage }}"
+shared_service_kube_argocd_hostname: "{{ stage_kube }}-argocd.{{ domain_env }}"
+shared_service_kube_awx_hostname: "{{ stage_kube }}-awx.{{ domain_env }}"
 shared_service_kube_harbor_hostname: "{{ stage }}-harbor.{{ domain_env }}"
-shared_service_kube_jaeger_collector_hostname: "{{ stage }}-kube-jaeger-collector.{{ domain_env }}"
-shared_service_kube_prometheus_hostname: "{{ stage }}-kube-prometheus.{{ domain_env }}"
+shared_service_kube_jaeger_collector_hostname: "{{ stage_kube }}-jaeger-collector.{{ domain_env }}"
+shared_service_kube_prometheus_hostname: "{{ stage_kube }}-prometheus.{{ domain_env }}"
 # TODO make value available for plays with static inventory - by autodiscover_pre_tasks.yml
 shared_service_kube_loadbalancer_ip_not_available: "private loadbalancer ip not available"
 shared_service_kube_loadbalancer_ip: "{{ stage_private_ingress_loadbalancer_ip | default(shared_service_kube_loadbalancer_ip_not_available) }}"

group_vars/k8s_cluster/plain.yml

@@ -1,13 +1,10 @@
 ---
 
-ip: "{{ stage_private_server_ip | default('-') }}"
+ip: "{{ stage_private_server_ip | default('### use dynamic inventory ###') }}"
 
 ### parameters used by kubespray ###
 
-# must be set when using kubespray release-2.19
-# but cluster was installed with kubespray release-2.18
-# => defaults changed!!!
-ipip: true
+kube_version: v1.23.16
 
 cloud_provider: external
 kube_network_plugin: calico
@@ -27,5 +24,16 @@ helm_enabled: true
 #TODO configuration migration needed
 #krew_enabled: true
 
+kube_service_addresses: 10.233.0.0/18
+kube_pods_subnet: 10.233.64.0/18
+kube_network_node_prefix: 24
+
+## Automatically renew K8S control plane certificates on first Monday of each month
+auto_renew_certificates: true
+# First Monday of each month
+# auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:{{ groups['kube_control_plane'].index(inventory_hostname) }}0:00"
+
+unsafe_show_logs: true
+
 additional_pip_dependencies:
   - kubernetes

group_vars/stage_dev/argocd.yml

@@ -1,3 +1,158 @@
 ---
 
-awx_smardigo_revision: "main"
+argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
+k8s_argocd_helm__name: "argo-cd"
+k8s_argocd_helm__release_namespace: "argo-cd"
+
+#k8s_argocd_with_keycloak: False
+
+# https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd
+k8s_argocd_helm__release_values:
+  repoServer:
+    serviceAccount:
+      create: true
+      name: argo-cd-argocd-repo-server
+    rbac:
+    - apiGroups:
+      - ""
+      resources:
+      - secrets
+      verbs:
+      - get
+    logLevel: warn
+    logFormat: json
+    env:
+      - name: ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT
+        value: "0"
+      - name: ARGOCD_EXEC_TIMEOUT
+        value: "300s"
+      - name: XDG_CONFIG_HOME
+        value: /.config
+      - name: GNUPGHOME
+        value: /home/argocd/.gnupg
+      - name: HELM_PLUGINS
+        value: /custom-tools/helm-plugins/
+      - name: HELM_SECRETS_SOPS_PATH
+        value: /custom-tools/sops
+      - name: HELM_SECRETS_VALS_PATH
+        value: /custom-tools/vals
+      - name: HELM_SECRETS_KUBECTL_PATH
+        value: /custom-tools/kubectl
+      - name: HELM_SECRETS_CURL_PATH
+        value: /custom-tools/curl
+      # https://github.com/jkroepke/helm-secrets/wiki/Security-in-shared-environments
+      - name: HELM_SECRETS_KEY_LOCATION_PREFIX
+        value: "/sops-gpg/"
+      - name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS
+        value: "false"
+      - name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
+        value: "false"
+      - name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
+        value: "false"
+    volumes:
+      - name: custom-tools
+        emptyDir: {}
+      - name: custom-tools-helm
+        emptyDir: {}
+      - name: gnupg-home
+        emptyDir: {}
+      - name: sops-gpg
+        secret:
+          secretName: sops-gpg
+    volumeMounts:
+      - mountPath: /home/argocd/.gnupg
+        name: gnupg-home
+        subPath: .gnupg
+      - mountPath: /usr/local/bin/kustomize
+        name: custom-tools
+        subPath: kustomize
+        # Verify this matches a XDG_CONFIG_HOME=/.config env variable
+      - mountPath: /.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops
+        name: custom-tools
+        subPath: ksops
+      - mountPath: /custom-tools/helm-plugins
+        name: custom-tools-helm
+        subPath: helm-plugins
+      - mountPath: /custom-tools/kubectl
+        name: custom-tools-helm
+        subPath: kubectl
+      - mountPath: /custom-tools/sops
+        name: custom-tools-helm
+        subPath: sops
+      - mountPath: /custom-tools/vals
+        name: custom-tools-helm
+        subPath: vals
+    initContainers:
+      - name: 1-install-ksops
+        image: viaductoss/ksops:v3.0.1
+        command: ["/bin/sh", "-c"]
+        args:
+          - echo "Installing KSOPS...";
+            mv ksops /custom-tools/;
+            mv $GOPATH/bin/kustomize /custom-tools/;
+            echo "Done.";
+        volumeMounts:
+          - mountPath: /custom-tools
+            name: custom-tools
+      - name: 2-download-tools
+        image: alpine:latest
+        command: [sh, -ec]
+        env:
+          - name: HELM_SECRETS_VERSION
+            value: "3.12.0"
+          - name: KUBECTL_VERSION
+            value: "1.24.3"
+          - name: VALS_VERSION
+            value: "0.18.0"
+          - name: SOPS_VERSION
+            value: "3.7.3"
+        args:
+          - |
+            echo "Installing helm secrets...";
+            mkdir -p /custom-tools/helm-plugins
+            wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-;
+            echo "Done.";
+
+            echo "Downloading SOPS=${SOPS_VERSION} and kubectl ...";
+            wget -qO /custom-tools/sops https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux
+            wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
+            echo "Done.";
+
+            echo "Downloading vals...";
+            wget -qO- https://github.com/variantdev/vals/releases/download/v${VALS_VERSION}/vals_${VALS_VERSION}_linux_amd64.tar.gz | tar -xzf- -C /custom-tools/ vals;
+            echo "Done.";
+
+            chmod +x /custom-tools/*;
+        volumeMounts:
+          - mountPath: /custom-tools
+            name: custom-tools-helm
+      - name: 3-import-gpg-key
+        image: argoproj/argocd:v2.2.5
+        command: ["gpg", "--import","/sops-gpg/gpg_key_smardigo_automation__private"]
+        env:
+          - name: GNUPGHOME
+            value: /gnupg-home/.gnupg
+        volumeMounts:
+          - mountPath: /sops-gpg
+            name: sops-gpg
+          - mountPath: /gnupg-home
+            name: gnupg-home
+  server:
+    logLevel: warn
+    logFormat: json
+    config:
+      kustomize.buildOptions: "--enable-alpha-plugins"
+      helm.valuesFileSchemes: >-
+        secrets+gpg-import, secrets+gpg-import-kubernetes,
+        secrets+age-import, secrets+age-import-kubernetes,
+        secrets,secrets+literal,
+        https
+    service:
+      sessionAffinity: ClientIP
+  dex:
+    enabled: false
+  applicationSet:
+    enabled: false
+  configs:
+    secret:
+      argocdServerAdminPassword: '{{ argocd_server_admin_password | password_hash("bcrypt") }}'

group_vars/stage_dev/bootstrap.yml

@@ -0,0 +1,12 @@
+---
+
+argocd_bootstrap_infrastructure: true
+
+harbor_bootstrap_helm_url: "prodnso-harbor-01.smardigo.digital/infrastructure"
+harbor_bootstrap_helm_name: "infrastructure"
+harbor_bootstrap_username: "{{ harbor_bootstrap_username_vault }}"
+harbor_bootstrap_password: "{{ harbor_bootstrap_password_vault}}"
+
+gitea_bootstrap_url: "https://dev-gitea-01.smardigo.digital/devnso/devnso-argocd"
+gitea_bootstrap_username: "{{ gitea_admin_username }}"
+gitea_bootstrap_password: "{{ gitea_admin_password }}"

group_vars/stage_dev/plain.yml

@@ -1,6 +1,7 @@
 ---
 
 stage: "dev"
+stage_kube: "{{ stage }}nso"
 
 # TODO read configuration with hetzner rest api
 shared_service_network: "10.0.0.0/16"

group_vars/stage_dev/prometheus.yml

@@ -1,3 +1,3 @@
 ---
-
 prometheus_tsdb_rentention_time: '2w'
+kubernetes_prometheus_endpoint: "devnso-prometheus.{{ domain }}"

inventory_plugins/netgo-hcloud.py

@@ -32,6 +32,11 @@ DOCUMENTATION = r"""
             required: true
             env:
                 - name: HETZNER_STAGE
+        stage_kube:
+            description: Filter servers by this stage.
+            required: true
+            env:
+                - name: HETZNER_STAGE_KUBE
         label_selector:
             description: Filter servers by this label selector.
             required: true
@@ -178,8 +183,8 @@ class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable):
         loadbalancerPublicIp = "-"
         loadbalancerPrivateIp = "-"
 
-        # filter all loadbalancers by naming convention -> {{ stage }}-ingress
-        loadbalancers = [x for x in loadbalancers if x["name"] == self.get_option("stage") + "-ingress"]
+        # filter all loadbalancers by naming convention -> {{ stage_kube }}-ingress
+        loadbalancers = [x for x in loadbalancers if x["name"] == self.get_option("stage_kube") + "-ingress"]
         loadbalancers.sort(key=lambda x: x.get('name'))
 
         for loadbalancer in loadbalancers:

kubernetes.yml

@@ -23,31 +23,34 @@
 
   roles:
     - { role: kubernetes/base }
-    - { role: kubernetes/namespace }
+    - role: kubernetes/argocd
+      when: kubernetes_with_argocd | default(true)
+      tags:
+        - argocd
+
+#    - { role: kubernetes/namespace }
     - role: kubernetes/cloud_controller_manager
-      when: kubernetes_with_ccm | default(True)
+      when: kubernetes_with_ccm | default(true)
       tags:
         - ccm
     - { role: kubernetes/container_storage_interface }
-    - role: kubernetes/prometheus
-      tags:
-        - prometheus
-      when: kubernetes_with_prometheus | default(True)
-    - role: kubernetes/cert_manager
-      when: kubernetes_with_certmanager | default(True)
-    - role: kubernetes/external_dns
-      when: kubernetes_with_extdns | default(True)
-      tags:
-        - external-dns
-    - role: kubernetes/ingress_controller
-      when: kubernetes_with_ingress | default(True)
-    - role: kubernetes/argocd
-      when: kubernetes_with_argocd | default(True)
-      tags:
-        - argocd
+#    - role: kubernetes/prometheus
+#      tags:
+#        - prometheus
+#      when: kubernetes_with_prometheus | default(True)
+#    - role: kubernetes/cert_manager
+#      when: kubernetes_with_certmanager | default(True)
+#    - role: kubernetes/external_dns
+#      when: kubernetes_with_extdns | default(True)
+#      tags:
+#        - external-dns
+#    - role: kubernetes/ingress_controller
+#      when: kubernetes_with_ingress | default(True)
     - role: kubernetes/awx
       when: kubernetes_with_awx | default(True)
-    - role: kubernetes/gitea
-      when: kubernetes_with_gitea | default(False)
       tags:
-        - gitea
+        - awx
+#    - role: kubernetes/gitea
+#      when: kubernetes_with_gitea | default(False)
+#      tags:
+#        - gitea

poetry.lock

@@ -32,6 +32,41 @@ packaging = "*"
 PyYAML = "*"
 resolvelib = ">=0.5.3,<0.6.0"
 
+[[package]]
+name = "bcrypt"
+version = "4.0.1"
+description = "Modern password hashing for your software and your servers"
+category = "main"
+optional = false
+python-versions = ">=3.6"
+files = [
+    {file = "bcrypt-4.0.1-cp36-abi3-macosx_10_10_universal2.whl", hash = "sha256:b1023030aec778185a6c16cf70f359cbb6e0c289fd564a7cfa29e727a1c38f8f"},
+    {file = "bcrypt-4.0.1-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.manylinux_2_24_aarch64.whl", hash = "sha256:08d2947c490093a11416df18043c27abe3921558d2c03e2076ccb28a116cb6d0"},
+    {file = "bcrypt-4.0.1-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0eaa47d4661c326bfc9d08d16debbc4edf78778e6aaba29c1bc7ce67214d4410"},
+    {file = "bcrypt-4.0.1-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ae88eca3024bb34bb3430f964beab71226e761f51b912de5133470b649d82344"},
+    {file = "bcrypt-4.0.1-cp36-abi3-manylinux_2_24_x86_64.whl", hash = "sha256:a522427293d77e1c29e303fc282e2d71864579527a04ddcfda6d4f8396c6c36a"},
+    {file = "bcrypt-4.0.1-cp36-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:fbdaec13c5105f0c4e5c52614d04f0bca5f5af007910daa8b6b12095edaa67b3"},
+    {file = "bcrypt-4.0.1-cp36-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:ca3204d00d3cb2dfed07f2d74a25f12fc12f73e606fcaa6975d1f7ae69cacbb2"},
+    {file = "bcrypt-4.0.1-cp36-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:089098effa1bc35dc055366740a067a2fc76987e8ec75349eb9484061c54f535"},
+    {file = "bcrypt-4.0.1-cp36-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:e9a51bbfe7e9802b5f3508687758b564069ba937748ad7b9e890086290d2f79e"},
+    {file = "bcrypt-4.0.1-cp36-abi3-win32.whl", hash = "sha256:2caffdae059e06ac23fce178d31b4a702f2a3264c20bfb5ff541b338194d8fab"},
+    {file = "bcrypt-4.0.1-cp36-abi3-win_amd64.whl", hash = "sha256:8a68f4341daf7522fe8d73874de8906f3a339048ba406be6ddc1b3ccb16fc0d9"},
+    {file = "bcrypt-4.0.1-pp37-pypy37_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bf4fa8b2ca74381bb5442c089350f09a3f17797829d958fad058d6e44d9eb83c"},
+    {file = "bcrypt-4.0.1-pp37-pypy37_pp73-manylinux_2_24_x86_64.whl", hash = "sha256:67a97e1c405b24f19d08890e7ae0c4f7ce1e56a712a016746c8b2d7732d65d4b"},
+    {file = "bcrypt-4.0.1-pp37-pypy37_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:b3b85202d95dd568efcb35b53936c5e3b3600c7cdcc6115ba461df3a8e89f38d"},
+    {file = "bcrypt-4.0.1-pp38-pypy38_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:cbb03eec97496166b704ed663a53680ab57c5084b2fc98ef23291987b525cb7d"},
+    {file = "bcrypt-4.0.1-pp38-pypy38_pp73-manylinux_2_24_x86_64.whl", hash = "sha256:5ad4d32a28b80c5fa6671ccfb43676e8c1cc232887759d1cd7b6f56ea4355215"},
+    {file = "bcrypt-4.0.1-pp38-pypy38_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:b57adba8a1444faf784394de3436233728a1ecaeb6e07e8c22c8848f179b893c"},
+    {file = "bcrypt-4.0.1-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:705b2cea8a9ed3d55b4491887ceadb0106acf7c6387699fca771af56b1cdeeda"},
+    {file = "bcrypt-4.0.1-pp39-pypy39_pp73-manylinux_2_24_x86_64.whl", hash = "sha256:2b3ac11cf45161628f1f3733263e63194f22664bf4d0c0f3ab34099c02134665"},
+    {file = "bcrypt-4.0.1-pp39-pypy39_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:3100851841186c25f127731b9fa11909ab7b1df6fc4b9f8353f4f1fd952fbf71"},
+    {file = "bcrypt-4.0.1.tar.gz", hash = "sha256:27d375903ac8261cfe4047f6709d16f7d18d39b1ec92aaf72af989552a650ebd"},
+]
+
+[package.extras]
+tests = ["pytest (>=3.2.1,!=3.3.0)"]
+typecheck = ["mypy"]
+
 [[package]]
 name = "certifi"
 version = "2022.12.7"
@@ -183,6 +218,27 @@ sdist = ["setuptools-rust (>=0.11.4)"]
 ssh = ["bcrypt (>=3.1.5)"]
 test = ["hypothesis (>=1.11.4,!=3.79.2)", "iso8601", "pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-subtests", "pytest-xdist", "pytz"]
 
+[[package]]
+name = "dnspython"
+version = "2.3.0"
+description = "DNS toolkit"
+category = "main"
+optional = false
+python-versions = ">=3.7,<4.0"
+files = [
+    {file = "dnspython-2.3.0-py3-none-any.whl", hash = "sha256:89141536394f909066cabd112e3e1a37e4e654db00a25308b0f130bc3152eb46"},
+    {file = "dnspython-2.3.0.tar.gz", hash = "sha256:224e32b03eb46be70e12ef6d64e0be123a64e621ab4c0822ff6d450d52a540b9"},
+]
+
+[package.extras]
+curio = ["curio (>=1.2,<2.0)", "sniffio (>=1.1,<2.0)"]
+dnssec = ["cryptography (>=2.6,<40.0)"]
+doh = ["h2 (>=4.1.0)", "httpx (>=0.21.1)", "requests (>=2.23.0,<3.0.0)", "requests-toolbelt (>=0.9.1,<0.11.0)"]
+doq = ["aioquic (>=0.9.20)"]
+idna = ["idna (>=2.1,<4.0)"]
+trio = ["trio (>=0.14,<0.23)"]
+wmi = ["wmi (>=1.5.1,<2.0.0)"]
+
 [[package]]
 name = "future"
 version = "0.18.2"
@@ -330,6 +386,24 @@ files = [
     {file = "packaging-22.0.tar.gz", hash = "sha256:2198ec20bd4c017b8f9717e00f0c8714076fc2fd93816750ab48e2c41de2cfd3"},
 ]
 
+[[package]]
+name = "passlib"
+version = "1.7.4"
+description = "comprehensive password hashing framework supporting over 30 schemes"
+category = "main"
+optional = false
+python-versions = "*"
+files = [
+    {file = "passlib-1.7.4-py2.py3-none-any.whl", hash = "sha256:aa6bca462b8d8bda89c70b382f0c298a20b5560af6cbfa2dce410c0a2fb669f1"},
+    {file = "passlib-1.7.4.tar.gz", hash = "sha256:defd50f72b65c5402ab2c573830a6978e5f202ad0d984793c8dde2c4152ebe04"},
+]
+
+[package.extras]
+argon2 = ["argon2-cffi (>=18.2.0)"]
+bcrypt = ["bcrypt (>=3.1.0)"]
+build-docs = ["cloud-sptheme (>=1.10.1)", "sphinx (>=1.6)", "sphinxcontrib-fulltoc (>=1.2.0)"]
+totp = ["cryptography"]
+
 [[package]]
 name = "pycparser"
 version = "2.21"
@@ -478,5 +552,5 @@ socks = ["PySocks (>=1.5.6,!=1.5.7,<2.0)"]
 
 [metadata]
 lock-version = "2.0"
-python-versions = ">=3.9"
-content-hash = "c3bffa7f2c1ce18d7d49e32d9b390f698b24e1fc78a2c1c2cfef6fb7684bef27"
+python-versions = ">=3.9,<4.0"
+content-hash = "bda18449f412e28aab75582698a17f5f0c1a893a5af3246b961d21db355eb431"

provisioning.yml

@@ -2,7 +2,7 @@
 
 - name: 'apply setup to {{ host | default("all") }}'
   hosts: '{{ host | default("all") }}'
-  serial: "{{ serial_number | default(5) }}"
+  serial: "{{ serial_number | default(1) }}"
   gather_facts: no
   become: no
 

pyproject.toml

@@ -5,11 +5,14 @@ description = ""
 authors = ["Peter Heise <peter.heise@netgo.de>"]
 
 [tool.poetry.dependencies]
-python = ">=3.9"
+python = ">=3.9,<4.0"
 ansible = "^4.3.0"
 hcloud = "^1.13.0"
 jmespath = "^0.10.0"
 netaddr = "^0.8.0"
+passlib = "^1.7.4"
+bcrypt = "^4.0.1"
+dnspython = "^2.3.0"
 
 [tool.poetry.dev-dependencies]
 

roles/kubernetes/awx/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: "Set awx_base_url"
   set_fact:
-    awx_base_url: "https://{{ stage }}-kube-awx.{{ domain }}"
+    awx_base_url: "https://{{ stage_kube }}-awx.{{ domain }}"
   tags:
     - awx
 
@@ -51,7 +51,6 @@
 - name: "Configure some stuff"
   include_tasks: awx-config.yml
   vars:
-    awx_base_url: "https://{{ stage }}-kube-awx.{{ domain }}"
     awx_rest_api_access_user: "{{ awx_admin_username }}"
     awx_rest_api_access_pw: "{{ awx_admin_password }}"
   when:

roles/node_exporter/tasks/main.yml

@@ -7,11 +7,15 @@
     pkg:
       - prometheus-node-exporter
       - prometheus-node-exporter-collectors
+  tags:
+    - node_exporter
 
 - name: "checking for default config"
   stat:
     path: /etc/default/prometheus-node-exporter
   register: default_config
+  tags:
+    - node_exporter
 
 - name: "providing default config"
   copy:
@@ -22,6 +26,8 @@
     mode: '0644'
   when:
     - not default_config.stat.exists
+  tags:
+    - node_exporter
 
 - name: "Setup prometheus-node-exporter interface bind"
   lineinfile:
@@ -29,8 +35,12 @@
     regex: "^ARGS="
     line: "ARGS=\"--web.listen-address='{{ node_exporter_listen_address }}:{{ monitor_port_system }}'\""
   notify: restart node-exporter
+  tags:
+    - node_exporter
 
 - name: "Ensure prometheus-node-exporter is running"
   service:
     name: prometheus-node-exporter
     state: started
+  tags:
+    - node_exporter

stage-dev

@@ -60,20 +60,21 @@ dev-devops-iaas-01
 #dev-webdav-01
 
 [kube_control_plane]
-dev-kube-master-01
-dev-kube-master-02
-dev-kube-master-03
+devnso-kube-cpl-01
+devnso-kube-cpl-02
+devnso-kube-cpl-03
 
 [etcd]
-dev-kube-master-01
-dev-kube-master-02
-dev-kube-master-03
+devnso-kube-cpl-01
+devnso-kube-cpl-02
+devnso-kube-cpl-03
 
 [kube_node]
-dev-kube-node-01
-dev-kube-node-02
-dev-kube-node-03
-dev-kube-node-04
+devnso-kube-node-01
+devnso-kube-node-02
+devnso-kube-node-03
+devnso-kube-node-04
+devnso-kube-node-05
 
 [k8s_cluster:children]
 kube_control_plane

stage-dev-netgo-hcloud.yml

@@ -12,6 +12,7 @@
 plugin: netgo-hcloud
 
 stage: "dev"
+stage_kube: "devnso"
 label_selector: "stage=dev" # jinja isn't available here
 
 api_token: !vault |

stage-prodnso-netgo-hcloud.yml

@@ -12,6 +12,7 @@
 plugin: netgo-hcloud
 
 stage: "prodnso"
+stage_kube: "prodnso"
 label_selector: "stage=prodnso" # jinja isn't available here
 
 api_token: !vault |

stage-qa-netgo-hcloud.yml

@@ -12,6 +12,7 @@
 plugin: netgo-hcloud
 
 stage: "qa"
+stage_kube: "qanso"
 label_selector: "stage=qa" # jinja isn't available here
 
 api_token: !vault |

tasks/autodiscover_pre_tasks.yml

@@ -94,7 +94,7 @@
   when:
     - debug
 
-- name: "Reading hetzner loadbalancer infos for stage <{{ stage }}>"
+- name: "Reading hetzner loadbalancer infos for stage <{{ stage_kube }}>"
   uri:
     url: "https://api.hetzner.cloud/v1/load_balancers"
     method: GET
@@ -105,7 +105,7 @@
   tags:
     - always
 
-- name: "Printing hetzner loadbalancer infos for stage <{{ stage }}>"
+- name: "Printing hetzner loadbalancer infos for stage <{{ stage_kube }}>"
   debug:
     msg: "{{ hetzner_loadbalancers.json.load_balancers }}"
   delegate_to: 127.0.0.1
@@ -114,7 +114,7 @@
   when:
     - debug
 
-- name: "Reading hetzner loadbalancer infos for stage <{{ stage }}> with pagination"
+- name: "Reading hetzner loadbalancer infos for stage <{{ stage_kube }}> with pagination"
   set_fact:
     shared_service_kube_loadbalancer_ip: "{{
        hetzner_loadbalancers.json.load_balancers
@@ -124,12 +124,12 @@
        | first
        | default(shared_service_kube_loadbalancer_ip_not_available) }}"
   vars:
-    querystr1: "[?name=='{{ stage }}-ingress'].private_net[*].ip"
+    querystr1: "[?name=='{{ stage_kube }}-ingress'].private_net[*].ip"
   delegate_to: 127.0.0.1
   tags:
     - always
 
-- name: "Printing hetzner loadbalancer infos for stage <{{ stage }}>"
+- name: "Printing hetzner loadbalancer infos for stage <{{ stage_kube }}>"
   debug:
     msg: "{{ shared_service_kube_loadbalancer_ip }}"
   delegate_to: 127.0.0.1
@@ -139,7 +139,7 @@
     - debug
 
 # due to a hetzner api bug for label selector: only last given selector is used - label_selector=stage=XXX,!manual not working correctly
-- name: "Reading hetzner server infos for stage <{{ stage }}>"
+- name: "Reading hetzner server infos for stage <{{ stage }}/{{ stage_kube }}>"
   set_fact:
     stage_server_infos: "\
       {% set  list= [] %}\
@@ -161,7 +161,7 @@
   tags:
     - always
 
-- name: "Printing hetzner server infos for stage <{{ stage }}>"
+- name: "Printing hetzner server infos for stage <{{ stage }}/{{ stage_kube }}>"
   debug:
     msg: "{{ stage_server_infos }}"
   delegate_to: 127.0.0.1