From 91303a458de25a221afb89fc5f39b5b79e4a702f Mon Sep 17 00:00:00 2001 
From: "Ketelsen, Sven"
Date: Tue, 23 May 2023 08:53:23 +0000
Subject: [PATCH] DEV-1042: added new stage for demo mpmx

---
 create-database-backup.yml | 11 +-
 create-database.yml | 14 +-
 create-remote-database-backup.yml | 19 +-
 create-server.yml | 2 +-
 docker/dregsy/config.yaml | 120 --
 docker/dregsy/docker-compose.yml | 11 -
 export-database.yml | 2 +-
 external_monitoring.yml | 7 +-
 gitlab.clone.k8s-clusters.sh | 3 +-
 group_vars/all/argocd.yml | 15 +-
 group_vars/all/awx.yml | 16 +
 group_vars/all/connect.yml | 11 +
 group_vars/all/database.yml | 18 +
 group_vars/all/dns.yml | 1 -
 group_vars/all/gitea.yml | 7 +
 group_vars/all/grafana.yml | 2 +
 group_vars/all/harbor.yml | 10 +
 group_vars/all/keycloak.yml | 5 +
 group_vars/all/management.yml | 8 +
 group_vars/all/plain.yml | 29 +-
 group_vars/all/prometheus.yml | 1 -
 group_vars/all/services.yml | 42 +-
 group_vars/all/versions.yml | 1 -
 group_vars/connect/plain.yml | 8 +-
 group_vars/connect_webdav/main.yml | 3 -
 group_vars/connect_wordpress/main.yml | 1 -
 group_vars/gitea/plain.yml | 6 +-
 group_vars/keycloak/plain.yml | 2 +-
 group_vars/logstash/plain.yml | 3 +-
 group_vars/management/plain.yml | 52 -
 group_vars/pdns/plain.yml | 2 +-
 group_vars/postgres/plain.yml | 2 +-
 group_vars/redis/plain.yml | 11 -
 group_vars/stage_demompmx/awx.yml | 6 +
 group_vars/stage_demompmx/bootstrap.yml | 14 +
 group_vars/stage_demompmx/database.yml | 21 +
 group_vars/stage_demompmx/firewall.yml | 143 ++
 group_vars/stage_demompmx/gitea.yml | 5 +
 group_vars/stage_demompmx/grafana.yml | 4 +
 group_vars/stage_demompmx/kubernetes.yml | 7 +
 group_vars/stage_demompmx/logging.yml | 2 +
 group_vars/stage_demompmx/plain.yml | 52 +
 group_vars/stage_demompmx/prometheus.yml | 12 +
 group_vars/stage_demompmx/services.yml | 9 +
 group_vars/stage_demompmx/vault.yml | 130 ++
 group_vars/stage_demompmx/vault_backup.yml | 28 +
 group_vars/stage_demompmx/vault_env.yml | 79 +
 group_vars/stage_demompmx/vault_pgp.yml | 353 +++++
 group_vars/stage_demompmx/vault_postgres.yml | 10 +
 group_vars/stage_demompmx/versions.yml | 15 +
 group_vars/stage_dev/bootstrap.yml | 3 -
 group_vars/stage_dev/grafana.yml | 2 -
 group_vars/stage_dev/plain.yml | 44 +-
 group_vars/stage_devscr/bootstrap.yml | 5 +-
 group_vars/stage_prodnso/bootstrap.yml | 5 +-
 group_vars/stage_prodnso/grafana.yml | 2 -
 group_vars/stage_prodnso/plain.yml | 45 +-
 group_vars/stage_prodwork01/bootstrap.yml | 5 +-
 group_vars/stage_qa/bootstrap.yml | 5 +-
 group_vars/stage_qa/grafana.yml | 2 -
 group_vars/stage_qa/plain.yml | 44 +-
 group_vars/webdav/plain.yml | 9 -
 host_vars/demompmx-postgres01-01.yml | 4 +
 host_vars/demompmx-postgres01-02.yml | 4 +
 host_vars/prodwork01-keycloak-01.yml | 4 -
 import-database.yml | 14 +-
 initialize-stage.yml | 240 +++
 pmci-database-backup-create.yml | 57 +-
 pmci-database-backup-import.yml | 2 +-
 pmci-database-backup-restore.yml | 50 +-
 pmci-database-create.yml | 3 -
 pmci-database-delete.yml | 3 -
 pmci-inventory-database.yml | 19 +-
 pmci-service-state-update.yml | 43 +-
 pmci-tenant-change.yml | 1 -
 pmci-tenant-create.yml | 1 -
 pmci-tenant-delete.yml | 1 -
 pmci-tenant-sync.yml | 1 -
 remove-database.yml | 11 +-
 restore-database-backup.yml | 9 +-
 restore-remote-database-backup.yml | 21 +-
 roles/argocd_realm/defaults/main.yml | 43 +
 roles/argocd_realm/tasks/main.yml | 5 +
 roles/awx_realm/defaults/main.yml | 39 +
 roles/awx_realm/tasks/main.yml | 5 +
 roles/connect/tasks/main.yml | 2 +-
 roles/connect/vars/main.yml | 6 -
 roles/connect_realm/defaults/main.yml | 20 +-
 roles/connect_realm/tasks/main.yml | 2 +-
 roles/connect_realm/vars/main.yml | 1 -
 roles/connect_wordpress/vars/main.yml | 2 +-
 roles/gitea/vars/main.yml | 2 +-
 roles/gitea_realm/defaults/main.yml | 47 +-
 roles/gitea_realm/tasks/main.yml | 24 +-
 roles/gitea_realm/vars/main.yml | 1 -
 roles/harbor/tasks/main.yml | 9 -
 roles/harbor_config/defaults/main.yml | 82 +
 .../harbor_config/tasks/configure-system.yml | 15 +
 .../harbor_config/tasks/configure_project.yml | 26 +
 .../tasks/configure_project_crud.yml | 100 ++
 .../tasks/configure_project_members_crud.yml | 104 ++
 .../tasks/configure_project_metadata_crud.yml | 65 +
 .../tasks/configure_registry.yml | 15 +
 .../tasks/configure_robot_tokens.yml | 29 +
 .../tasks/configure_robot_tokens_crud.yml | 211 +++
 .../tasks/configure_scanall_schedule.yml | 29 +
 roles/harbor_config/tasks/main.yml | 59 +
 .../templates/harbor-project-member.json.j2 | 7 +
 roles/harbor_realm/defaults/main.yml | 74 +-
 roles/harbor_realm/tasks/main.yml | 41 +-
 roles/harbor_realm/vars/main.yml | 1 -
 roles/iam/defaults/main.yml | 3 -
 roles/iam/tasks/main.yml | 2 +
 roles/infrastructure_realm/defaults/main.yml | 54 -
 roles/infrastructure_realm/tasks/main.yml | 41 -
 roles/infrastructure_realm/vars/main.yml | 1 -
 roles/keycloak/defaults/main.yml | 12 +-
 roles/keycloak/tasks/_authenticate.yml | 6 +-
 roles/keycloak/tasks/_configure_realm.yml | 8 +-
 roles/keycloak/tasks/_create_realm_groups.yml | 2 +-
 roles/keycloak/tasks/_delete_client.yml | 17 +-
 roles/keycloak/tasks/main.yml | 38 +-
 roles/keycloak/vars/main.yml | 4 +-
 roles/keycloak_realm/defaults/main.yml | 2 +
 roles/keycloak_realm/tasks/main.yml | 78 +
 roles/kubernetes/argocd/defaults/main.yml | 25 -
 roles/kubernetes/argocd/tasks/main.yml | 205 ---
 ...eycloak-realm-create-client-argocd.json.j2 | 86 --
 roles/kubernetes/awx/tasks/awx-config.yml | 2 +-
 roles/kubernetes/bootstrap/tasks/main.yml | 5 -
 roles/logstash/vars/main.yml | 67 +-
 roles/management/defaults/main.yml | 46 +-
 roles/management/tasks/main.yaml | 13 +-
 roles/pmci/tenant/create/tasks/main.yml | 2 +-
 roles/pmci/tenant/delete/tasks/main.yml | 2 +-
 roles/pmci/tenant/edit/tasks/main.yml | 2 +-
 roles/pmci/tenant/sync/tasks/main.yml | 2 +-
 .../tenant/sync/tasks/update_user_tenants.yml | 6 +-
 roles/prometheus/tasks/main.yml | 6 +-
 roles/prometheus/vars/main.yml | 1 +
 roles/redis/tasks/main.yml | 7 -
 roles/service_state/defaults/main.yml | 15 -
 roles/service_state/tasks/main.yml | 29 +-
 roles/shared_service/defaults/main.yml | 1 -
 roles/shared_service/tasks/main.yml | 19 +-
 roles/shared_service/vars/main.yml | 1 -
 roles/sma_postfix/tasks/main.yml | 2 +-
 roles/webdav/defaults/main.yaml | 3 -
 roles/webdav/tasks/main.yaml | 45 -
 roles/webdav/vars/main.yml | 56 -
 roles/webdav_postgres/defaults/main.yml | 10 -
 roles/webdav_postgres/tasks/main.yml | 18 -
 setup-infrastructure-realm.yml | 25 -
 setup.yml | 1 -
 smardigo.yml | 6 -
 smardigo/backup/script/ansible-start.groovy | 2 +-
 smardigo/pmci/app/process.json | 75 +-
 .../datasource-action/service-management.json | 2 +-
 .../datasource-file/connect-features.xlsx | Bin 9268 -> 10038 bytes
 smardigo/pmci/filter/service-create.json | 6 +-
 .../pmci/filter/service-replay-setup.json | 10 -
 .../pmci/process-search/service-search.json | 1 +
 .../pmci/process-search/tenant-search.json | 3 +-
 smardigo/pmci/process/service-change.bpmn | 24 +-
 stage-demompmx | 96 ++
 stage-demompmx-netgo-hcloud.yml | 27 +
 stage-dev | 8 -
 stage-prodnso | 8 -
 stage-prodwork01 | 1 -
 stage-qa | 9 +-
 .../elastic-certs/demompmx-certs/ca/ca.crt | 31 +
 templates/filebeat/config/filebeat.yml.j2 | 4 +-
 templates/metricbeat/config/metricbeat.yml.j2 | 4 +-
 .../dashboards/PostgreSQL_Database.json | 6 +-
 .../dashboards/Redis_Dashboard.json | 1315 ----------------
 .../config/prometheus/alert.rules.j2 | 2 +-
 .../config/prometheus/prometheus.yml.j2 | 23 +-
 upload-database-dump.yml | 2 +-
 178 files changed, 2699 insertions(+), 2996 deletions(-)
 delete mode 100644 docker/dregsy/config.yaml
 delete mode 100644 docker/dregsy/docker-compose.yml
 create mode 100644 group_vars/all/awx.yml
 create mode 100644 group_vars/all/connect.yml
 create mode 100644 group_vars/all/database.yml
 create mode 100644 group_vars/all/gitea.yml
 create mode 100644 group_vars/all/harbor.yml
 create mode 100644 group_vars/all/keycloak.yml
 create mode 100644 group_vars/all/management.yml
 delete mode 100644 group_vars/connect_webdav/main.yml
 delete mode 100644 group_vars/redis/plain.yml
 create mode 100644 group_vars/stage_demompmx/awx.yml
 create mode 100644 group_vars/stage_demompmx/bootstrap.yml
 create mode 100644 group_vars/stage_demompmx/database.yml
 create mode 100644 group_vars/stage_demompmx/firewall.yml
 create mode 100644 group_vars/stage_demompmx/gitea.yml
 create mode 100644 group_vars/stage_demompmx/grafana.yml
 create mode 100644 group_vars/stage_demompmx/kubernetes.yml
 create mode 100644 group_vars/stage_demompmx/logging.yml
 create mode 100644 group_vars/stage_demompmx/plain.yml
 create mode 100644 group_vars/stage_demompmx/prometheus.yml
 create mode 100644 group_vars/stage_demompmx/services.yml
 create mode 100644 group_vars/stage_demompmx/vault.yml
 create mode 100644 group_vars/stage_demompmx/vault_backup.yml
 create mode 100644 group_vars/stage_demompmx/vault_env.yml
 create mode 100644 group_vars/stage_demompmx/vault_pgp.yml
 create mode 100644 group_vars/stage_demompmx/vault_postgres.yml
 create mode 100644 group_vars/stage_demompmx/versions.yml
 delete mode 100644 group_vars/stage_dev/grafana.yml
 delete mode 100644 group_vars/stage_prodnso/grafana.yml
 delete mode 100644 group_vars/stage_qa/grafana.yml
 delete mode 100644 group_vars/webdav/plain.yml
 create mode 100644 host_vars/demompmx-postgres01-01.yml
 create mode 100644 host_vars/demompmx-postgres01-02.yml
 delete mode 100644 host_vars/prodwork01-keycloak-01.yml
 create mode 100644 initialize-stage.yml
 create mode 100644 roles/argocd_realm/defaults/main.yml
 create mode 100644 roles/argocd_realm/tasks/main.yml
 create mode 100644 roles/awx_realm/defaults/main.yml
 create mode 100644 roles/awx_realm/tasks/main.yml
 delete mode 100644 roles/connect_realm/vars/main.yml
 delete mode 100644 roles/gitea_realm/vars/main.yml
 create mode 100644 roles/harbor_config/defaults/main.yml
 create mode 100644 roles/harbor_config/tasks/configure-system.yml
 create mode 100644 roles/harbor_config/tasks/configure_project.yml
 create mode 100644 roles/harbor_config/tasks/configure_project_crud.yml
 create mode 100644 roles/harbor_config/tasks/configure_project_members_crud.yml
 create mode 100644 roles/harbor_config/tasks/configure_project_metadata_crud.yml
 create mode 100644 roles/harbor_config/tasks/configure_registry.yml
 create mode 100644 roles/harbor_config/tasks/configure_robot_tokens.yml
 create mode 100644 roles/harbor_config/tasks/configure_robot_tokens_crud.yml
 create mode 100644 roles/harbor_config/tasks/configure_scanall_schedule.yml
 create mode 100644 roles/harbor_config/tasks/main.yml
 create mode 100644 roles/harbor_config/templates/harbor-project-member.json.j2
 delete mode 100644 roles/harbor_realm/vars/main.yml
 delete mode 100644 roles/iam/defaults/main.yml
 delete mode 100644 roles/infrastructure_realm/defaults/main.yml
 delete mode 100644 roles/infrastructure_realm/tasks/main.yml
 delete mode 100644 roles/infrastructure_realm/vars/main.yml
 create mode 100644 roles/keycloak_realm/defaults/main.yml
 create mode 100644 roles/keycloak_realm/tasks/main.yml
 delete mode 100644 roles/kubernetes/argocd/defaults/main.yml
 delete mode 100644 roles/kubernetes/argocd/templates/keycloak-realm-create-client-argocd.json.j2
 delete mode 100644 roles/redis/tasks/main.yml
 delete mode 100644 roles/service_state/defaults/main.yml
 delete mode 100644 roles/shared_service/defaults/main.yml
 delete mode 100644 roles/shared_service/vars/main.yml
 delete mode 100644 roles/webdav/defaults/main.yaml
 delete mode 100644 roles/webdav/tasks/main.yaml
 delete mode 100644 roles/webdav/vars/main.yml
 delete mode 100644 roles/webdav_postgres/defaults/main.yml
 delete mode 100644 roles/webdav_postgres/tasks/main.yml
 delete mode 100644 setup-infrastructure-realm.yml
 delete mode 100644 smardigo/pmci/filter/service-replay-setup.json
 create mode 100644 stage-demompmx
 create mode 100644 stage-demompmx-netgo-hcloud.yml
 create mode 100644 templates/elastic-certs/demompmx-certs/ca/ca.crt
 delete mode 100644 templates/prometheus/config/grafana/provisioning/dashboards/Redis_Dashboard.json
diff --git a/create-database-backup.yml b/create-database-backup.yml
index ad65070..8326cd9 100644
--- a/create-database-backup.yml
+++ b/create-database-backup.yml
@@ -2,7 +2,7 @@
 
 # creates database backup
 # - postgres
-# - executed on stage specific server: {{ stage }}-postgres-01
+# - executed on stage specific server: {{ shared_service_postgres_primary }}
 # - creates database backup for specific database
 
 # Parameters:
@@ -44,17 +44,17 @@
   tasks:
     - name: "Add postgres servers to hosts if necessary"
       add_host:
-        name: "{{ stage }}-postgres-01"
+        name: "{{ shared_service_postgres_primary }}"
         groups:
           - "stage_{{ stage }}"
           - "{{ item }}"
       changed_when: False
       with_items: "{{ cluster_features }}"
-      when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea', 'pdns']
+      when: item in ['connect', 'management_connect', 'keycloak', 'gitea', 'pdns']
 
     - name: "Add maria servers to hosts if necessary"
       add_host:
-        name: "{{ stage }}-maria-01"
+        name: "{{ shared_service_maria_primary }}"
         groups:
           - "stage_{{ stage }}"
           - "{{ item }}"
@@ -89,9 +89,6 @@
 #    - role: pdns_postgres
 #      when: "'pdns' in group_names"
 
-    - role: webdav_postgres
-      when: "'webdav' in group_names"
-
     - role: connect_wordpress_maria
       when: "'connect_wordpress' in group_names"
 
diff --git a/create-database.yml b/create-database.yml
index 595acaf..841f629 100644
--- a/create-database.yml
+++ b/create-database.yml
@@ -2,14 +2,13 @@
 
 # creates databases on shared service servers
 # - postgres
-# - executed on stage specific server: {{ stage }}-postgres-01
+# - executed on stage specific server: {{ shared_service_postgres_primary }}
 # - creates databases to work with connect: {{ connect_postgres_database }}
 # - creates databases to work with pdns: {{ pdns_postgres_database }}
 # - creates databases to work with management connect: {{ management_connect_postgres_database }}
-# - creates databases to work with shared webdav: {{ webdav_postgres_database }}
 # - creates databases to work with shared keycloak: {{ keycloak_postgres_database }}
 # - maria
-# - executed on stage specific server: {{ stage }}-maria-01
+# - executed on stage specific server: {{ shared_service_maria_primary }}
 # - creates databases to work with connect wordpress: {{ connect_wordpress_maria_database }}
 
 # Parameters:
@@ -50,17 +49,17 @@
   tasks:
     - name: "Add postgres servers to hosts if necessary"
       add_host:
-        name: "{{ stage }}-postgres-01"
+        name: "{{ shared_service_postgres_primary }}"
         groups:
           - "stage_{{ stage }}"
           - "{{ item }}"
       changed_when: False
       with_items: "{{ cluster_features }}"
-      when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea', 'pdns']
+      when: item in ['connect', 'management_connect', 'keycloak', 'gitea', 'pdns']
 
     - name: "Add maria servers to hosts if necessary"
       add_host:
-        name: "{{ stage }}-maria-01"
+        name: "{{ shared_service_maria_primary }}"
         groups:
           - "stage_{{ stage }}"
           - "{{ item }}"
@@ -105,9 +104,6 @@
         initialize: True
       when: "'pdns' in group_names"
 
-    - role: webdav_postgres
-      when: "'webdav' in group_names"
-
     - role: connect_wordpress_maria
       when: "'connect_wordpress' in group_names"
 
diff --git a/create-remote-database-backup.yml b/create-remote-database-backup.yml
index c78bc1a..daa7305 100644
--- a/create-remote-database-backup.yml
+++ b/create-remote-database-backup.yml
@@ -2,10 +2,10 @@
 
 # creates remote database backup
 # - postgres
-# - executed on stage specific server: {{ stage }}-postgres-02 (currently: slave)
+# - executed on stage specific server: {{ shared_service_postgres_secondary }} (currently: slave)
 # - creates database backup for ALL databases in postgres-server
 # - mariadb
-# - executed on stage specific server: {{ stage }}-maria-01
+# - executed on stage specific server: {{ shared_service_maria_primary }}
 # - creates database backup for ALL databases in mariadb-server
 
 # Parameters:
@@ -42,11 +42,21 @@
   tasks:
     - name: "Add {{ database_engine }} servers to hosts if necessary"
       add_host:
-        name: "{{ stage }}-{{ database_engine }}-{{'02' if database_engine == 'postgres' else '01'}}"
+        name: "{{shared_service_postgres_secondary }}"
         groups:
           - "stage_{{ stage }}"
           - '{{ database_engine }}'
-      changed_when: False
+      when:
+        - database_engine is 'postgres'
+
+    - name: "Add {{ database_engine }} servers to hosts if necessary"
+      add_host:
+        name: "{{ shared_service_maria_primary }}"
+        groups:
+          - "stage_{{ stage }}"
+          - '{{ database_engine }}'
+      when:
+        - database_engine is 'maria'
 
     - name: "Add 'storage' servers to hosts if necessary"
       add_host:
@@ -54,7 +64,6 @@
         groups:
           - "stage_{{ stage }}"
           - storage
-      changed_when: False
 
 ##############################################################
 ## Creating remote database backups for created inventory
diff --git a/create-server.yml b/create-server.yml
index ae9f651..3464203 100644
--- a/create-server.yml
+++ b/create-server.yml
@@ -134,7 +134,7 @@
         - docker_enabled
 
     - role: hetzner-ansible-common
-
+
     - role: devsec.hardening.ssh_hardening
       tags:
         - ssh_hardening
diff --git a/docker/dregsy/config.yaml b/docker/dregsy/config.yaml
deleted file mode 100644
index 9a8363b..0000000
--- a/docker/dregsy/config.yaml
+++ /dev/null
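Review bot: The new conditions `- database_engine is 'postgres'` and `- database_engine is 'maria'` are not equality checks; in Jinja2 `is` introduces a test name, and a quoted literal is not a test, so the `when:` fails to evaluate instead of selecting the right add_host task. Both lines should read `- database_engine == 'postgres'` and `- database_engine == 'maria'`. Dropping `changed_when: False` here and on the storage add_host in the next hunk also makes an inventory-only task report a change on every run, and `"{{shared_service_postgres_secondary }}"` lacks the space after `{{` used everywhere else in the file. The `tasks:` list these entries belong to continues outside the hunk.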
@@ -1,120 +0,0 @@
-# relay config sections
-skopeo:
-  # path to the skopeo binary; defaults to 'skopeo', in which case it needs to
-  # be in PATH
-  binary: skopeo
-  # directory under which to look for client certs & keys, as well as CA certs
-  # (see note below)
-  certs-dir: /etc/skopeo/certs.d
-
-docker:
-  # Docker host to use as the relay
-  dockerhost: unix:///var/run/docker.sock
-  # Docker API version to use, defaults to 1.24
-  api-version: 1.24
-
-# settings for image matching (see below)
-lister:
-  # maximum number of repositories to list, set to -1 for no limit, defaults to 100
-  maxItems: 100
-  # for how long a repository list will be re-used before retrieving again;
-  # specify as a Go duration value ('s', 'm', or 'h'), set to -1 for not caching,
-  # defaults to 1h
-  cacheDuration: 1h
-
-# list of sync tasks
-tasks:
-
-- name: smardigo # required
-
-  # interval in seconds at which the task should be run; when omitted,
-  # the task is only run once at start-up
-  interval: 600
-
-  # determines whether for this task, more verbose output should be
-  # produced; defaults to false when omitted
-  verbose: true
-
-  # 'source' and 'target' are both required and describe the source and
-  # target registries for this task:
-  #  - 'registry' points to the server; required
-  #  - 'auth' contains the base64 encoded credentials for the registry
-  #    in JSON form {"username": "...", "password": "..."}
-  #  - 'auth-refresh' specifies an interval for automatic retrieval of
-  #    credentials; only for AWS ECR (see below)
-  #  - 'skip-tls-verify' determines whether to skip TLS verification for the
-  #    registry server (only for 'skopeo', see note below); defaults to false
-  source:
-    registry: docker.dev-at.de
-    auth: eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJRNHB6aWhWRFl3eUthZEM3NmxiNCJ9Cg==
-  target:
-    registry: dev-harbor-01.smardigo.digital
-    auth: eyJ1c2VybmFtZSI6InJvYm90JGFuc2libGUiLCJwYXNzd29yZCI6IlAwRmJkb2tSc3V0V2lvVWl2cmI5TzVET05HY2FHNk1KIn0K
-
-  # 'mappings' is a list of 'from':'to' pairs that define mappings of image
-  # paths in the source registry to paths in the destination; 'from' is
-  # required, while 'to' can be dropped if the path should remain the same as
-  # 'from'. Regular expressions are supported in both fields (read on below
-  # for more details). Additionally, the tags being synced for a mapping can
-  # be limited by providing a 'tags' list. This list may contain semver and
-  # regular expressions filters (see below). When omitted, all image tags are
-  # synced.
-  mappings:
-  - from: smardigo/connect-whitelabel-app
-    to: smardigo/connect-whitelabel-app
-    tags:
-    - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-  - from: smardigo/iam-app
-    to: smardigo/iam-app
-    tags:
-    - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-  - from: smardigo/smardigo-webdav-app
-    to: smardigo/smardigo-webdav-app
-    tags:
-    - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-  - from: smardigo/smardigo-workflow-proxy-app
-    to: smardigo/smardigo-workflow-proxy-app
-    tags:
-    - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-
-- name: sensw
-  interval: 600
-  verbose: true
-  source:
-    registry: docker.dev-at.de
-    auth: eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJRNHB6aWhWRFl3eUthZEM3NmxiNCJ9Cg==
-  target:
-    registry: dev-harbor-01.smardigo.digital
-    auth: eyJ1c2VybmFtZSI6InJvYm90JGFuc2libGUiLCJwYXNzd29yZCI6IlAwRmJkb2tSc3V0V2lvVWl2cmI5TzVET05HY2FHNk1KIn0K
-  mappings:
-  - from: smardigo/sensw-app
-    to: sensw/sensw-app
-    tags:
-    - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-  - from: smardigo/sensw-bda-adapter-app
-    to: sensw/sensw-bda-adapter-app
-    tags:
-    - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-  - from: smardigo/sensw-profiskal-export-app
-    to: sensw/sensw-profiskal-export-app
-    tags:
-    - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-
-- name: ssp
-  interval: 600
-  verbose: true
-  source:
-    registry: docker.dev-at.de
-    auth: eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJRNHB6aWhWRFl3eUthZEM3NmxiNCJ9Cg==
-  target:
-    registry: dev-harbor-01.smardigo.digital
-    auth: eyJ1c2VybmFtZSI6InJvYm90JGFuc2libGUiLCJwYXNzd29yZCI6IlAwRmJkb2tSc3V0V2lvVWl2cmI5TzVET05HY2FHNk1KIn0K
-  mappings:
-  - from: smardigo/ssp-connect-app
-    to: ssp/ssp-connect-app
-    tags:
-    - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-  - from: smardigo/smardigo-action-si-dyns-app
-    to: ssp/smardigo-action-si-dyns-app
-    tags:
-    - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
diff --git a/docker/dregsy/docker-compose.yml b/docker/dregsy/docker-compose.yml
deleted file mode 100644
index 6ada6ff..0000000
--- a/docker/dregsy/docker-compose.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-version: '3.7'
-
-services:
-  local-dregsy:
-    image: "xelalex/dregsy:0.4.1"
-    volumes:
-      - "./config.yaml:/config.yaml:ro"
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
-    environment:
-      LOG_LEVEL: "debug"
-      LOG_FORMAT: "json"
\ No newline at end of file
diff --git a/export-database.yml b/export-database.yml
index 4d0d156..3c2168d 100644
--- a/export-database.yml
+++ b/export-database.yml
@@ -40,7 +40,7 @@
   tasks:
     - name: Add maria servers to hosts if necessary
       add_host:
-        name: "{{ stage }}-maria-01"
+        name: "{{ shared_service_maria_primary }}"
         groups:
           - "stage_{{ stage }}"
           - "{{ item }}"
diff --git a/external_monitoring.yml b/external_monitoring.yml
index af0bd1f..a50712d 100644
--- a/external_monitoring.yml
+++ b/external_monitoring.yml
@@ -10,7 +10,6 @@
       - "{{ lookup('community.general.dig', 'dev-prometheus-01.' + domain ) }}"
       - "{{ lookup('community.general.dig', 'qa-prometheus-01.' + domain ) }}"
       - "{{ lookup('community.general.dig', 'prodnso-prometheus-01.' + domain ) }}"
-      - "{{ lookup('community.general.dig', 'demompmx-prometheus-01.' + domain ) }}"
     k8s_nodes_devnso:
       - "{{ lookup('community.general.dig', 'devnso-kube-node-01.' + domain ) }}"
       - "{{ lookup('community.general.dig', 'devnso-kube-node-02.' + domain ) }}"
@@ -35,10 +34,8 @@
       - "{{ lookup('community.general.dig', 'prodwork01-kube-node-03.' + domain ) }}"
       - "{{ lookup('community.general.dig', 'prodwork01-kube-node-04.' + domain ) }}"
       - "{{ lookup('community.general.dig', 'prodwork01-kube-node-05.' + domain ) }}"
-    k8s_nodes_demompmx:
-      - "{{ lookup('community.general.dig', 'demompmx-kube-node-01.' + domain ) }}"
-      - "{{ lookup('community.general.dig', 'demompmx-kube-node-02.' + domain ) }}"
-      - "{{ lookup('community.general.dig', 'demompmx-kube-node-03.' + domain ) }}"
+      - "{{ lookup('community.general.dig', 'prodwork01-kube-node-06.' + domain ) }}"
+      - "{{ lookup('community.general.dig', 'prodwork01-kube-node-07.' + domain ) }}"
 
   - name: "Allow SSH in UFW"
     ufw:
diff --git a/gitlab.clone.k8s-clusters.sh b/gitlab.clone.k8s-clusters.sh
index 0ad5098..c1ab6bb 100755
--- a/gitlab.clone.k8s-clusters.sh
+++ b/gitlab.clone.k8s-clusters.sh
@@ -2,5 +2,6 @@
 
 git clone git@git.dev-at.de:smardigo-hetzner/k8s-clusters/devnso-argocd.git ../devnso-argocd
 git clone git@git.dev-at.de:smardigo-hetzner/k8s-clusters/devscr-argocd.git ../devscr-argocd
-git clone git@git.dev-at.de:smardigo-hetzner/k8s-clusters/prodnso-argocd.git ../prodnso-argocd
 git clone git@git.dev-at.de:smardigo-hetzner/k8s-clusters/qanso-argocd.git ../qanso-argocd
+git clone git@git.dev-at.de:smardigo-hetzner/k8s-clusters/prodnso-argocd.git ../prodnso-argocd
+git clone git@git.dev-at.de:smardigo-hetzner/k8s-clusters/demompmx-argocd.git ../demompmx-argocd
\ No newline at end of file
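Review bot: The demompmx entries are removed from these monitoring host lists while the rest of the commit adds the demompmx stage, and the `Allow SSH in UFW` task that follows suggests the lists feed firewall allow rules; if so, the new stage's prometheus host and kube nodes would no longer be permitted, which looks at odds with the commit's purpose. If the removal is intentional (for example because demompmx is monitored from inside its own network), a comment on the list such as `# demompmx is not monitored externally (DEV-1042)` would keep the next reader from re-adding them. The play these `vars` belong to starts before the hunk, so how the lists are consumed is not visible here.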
diff --git a/group_vars/all/argocd.yml b/group_vars/all/argocd.yml
index d64cfba..b4c7c62 100644
--- a/group_vars/all/argocd.yml
+++ b/group_vars/all/argocd.yml
@@ -1,12 +1,15 @@
 ---
-
-k8s_argocd_with_keycloak: false
+argocd_oidc_realm: "stage-argocd"
+argocd_oidc_client_id: "stage-argocd"
+argocd_oidc_client_secret: "{{ argocd_oidc_client_secret_vault | default(argo_keycloak_client_secret_vault) }}" # backwards compatibility
+argocd_oidc_admin_username: "argocd-admin"
+argocd_oidc_admin_password: "{{ argocd_oidc_admin_password_vault | default(argocd_admin_password_vault) }}" # backwards compatibility
+argocd_oidc_admin_email: "{{ devops_email_address }}"
+argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
 
 k8s_argocd_helm__name: "argo-cd"
 k8s_argocd_helm__release_namespace: "argo-cd"
 
-argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
-
 k8s_argocd_helm__chart_version: 5.19.0 # https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd
@@ -163,11 +166,11 @@ k8s_argocd_helm__release_values:
         nginx.ingress.kubernetes.io/ssl-passthrough: "true"
         nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
       hosts:
-        - "{{ shared_service_kube_argocd_hostname }}"
+        - "{{ shared_service_kube_hostname_argocd }}"
       tls:
         - secretName: "{{ stage }}-kube-argocd-cert"
           hosts:
-            - "{{ shared_service_kube_argocd_hostname }}"
+            - "{{ shared_service_kube_hostname_argocd }}"
   dex:
     enabled: false
   applicationSet:
diff --git a/group_vars/all/awx.yml b/group_vars/all/awx.yml
new file mode 100644
index 0000000..05c68e6
--- /dev/null
+++ b/group_vars/all/awx.yml
@@ -0,0 +1,16 @@
+---
+awx_oidc_realm: "stage-awx"
+awx_oidc_client_id: "stage-awx"
+awx_oidc_client_secret: "{{ awx_oidc_client_secret_vault }}"
+awx_oidc_admin_username: "{{ awx_admin_username }}"
+awx_oidc_admin_password: "{{ awx_admin_password }}"
+awx_oidc_admin_email: "{{ devops_email_address }}"
+
+awx_custom_ee_image: "{{ shared_service_hostname_harbor }}/awx/awx-custom-ee"
+
+awx_ansible_user_name: "awx"
+awx_ansible_user_ssh_key_private: "{{ ansible_ssh_key_private_vault }}"
+awx_credential_machine_hetzner_name: hetzner-ansible-ssh
+
+awx_ansible_username: ansible
+awx_ansible_password: ansible
diff --git a/group_vars/all/connect.yml b/group_vars/all/connect.yml
new file mode 100644
index 0000000..2001fe6
--- /dev/null
+++ b/group_vars/all/connect.yml
@@ -0,0 +1,11 @@
+---
+shared_service_connect_data_hostname: "{{ shared_service_elastic_stack_01_hostname }}"
+shared_service_connect_data_username: "{{ elastic_connect_data_username_vault | default(elastic_admin_username) }}"
+shared_service_connect_data_password: "{{ elastic_connect_data_password_vault | default(elastic_admin_password) }}"
+
+connect_id: "{{ inventory_hostname }}-connect"
+connect_base_url: "{{ connect_id }}.{{ domain }}"
+wordpress_id: "{{ inventory_hostname }}-wordpress"
+wordpress_base_url: "{{ wordpress_id }}.{{ domain }}"
+
+smardigo_auth_token_name: "Smardigo-User-Token"
diff --git a/group_vars/all/database.yml b/group_vars/all/database.yml
new file mode 100644
index 0000000..24b1669
--- /dev/null
+++ b/group_vars/all/database.yml
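Review bot: `awx_ansible_username: ansible` and `awx_ansible_password: ansible` put a literal credential into a group_vars file that otherwise sources every secret from a `*_vault` variable (`awx_oidc_client_secret_vault`, `ansible_ssh_key_private_vault`). The two lines are moved here unchanged from group_vars/all/plain.yml, so the exposure is not new, but the move into a dedicated awx.yml is the natural point to take the password from vault, e.g. `awx_ansible_password: "{{ awx_ansible_password_vault }}"` (vault variable name to be chosen), and to add a comment stating which account these credentials belong to. If the value is a throwaway default that bootstrap replaces, a comment saying so is enough.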
@@ -0,0 +1,18 @@
+---
+shared_service_maria_primary: "{{ stage }}-maria-01"
+
+shared_service_postgres_primary: "{{ stage }}-postgres-01"
+shared_service_postgres_secondary: "{{ stage }}-postgres-02"
+
+shared_service_pg_master_ip: "{{ stage_server_infos
+  | selectattr('name', 'match', shared_service_postgres_primary )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_pg_slave_ip: "{{ stage_server_infos
+  | selectattr('name', 'match', shared_service_postgres_secondary )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
diff --git a/group_vars/all/dns.yml b/group_vars/all/dns.yml
index 940cb2e..1c4bd9c 100644
--- a/group_vars/all/dns.yml
+++ b/group_vars/all/dns.yml
@@ -1,5 +1,4 @@
 ---
-
 dns: digitalocean
 domain: "smardigo.digital"
 domain_env: "{{ domain }}"
diff --git a/group_vars/all/gitea.yml b/group_vars/all/gitea.yml
new file mode 100644
index 0000000..ed8023c
--- /dev/null
+++ b/group_vars/all/gitea.yml
@@ -0,0 +1,7 @@
+---
+gitea_oidc_realm: "stage-gitea"
+gitea_oidc_client_id: "stage-gitea"
+gitea_oidc_client_secret: "{{ gitea_oidc_client_secret_vault | default(gitea_client_secret) }}" # backwards compatibility
+gitea_oidc_admin_username: "{{ gitea_admin_username }}"
+gitea_oidc_admin_password: "{{ gitea_admin_password }}"
+gitea_oidc_admin_email: "{{ devops_email_address }}"
diff --git a/group_vars/all/grafana.yml b/group_vars/all/grafana.yml
index 33ecf15..8aa7285 100644
--- a/group_vars/all/grafana.yml
+++ b/group_vars/all/grafana.yml
@@ -7,6 +7,8 @@ grafana_users:
     email: "{{ grafana_smardigo_email }}"
     password: "{{ grafana_smardigo_password }}"
 
+grafana_smardigo_password: "{{ grafana_smardigo_password_vault }}"
+
 # Define Grafana Dashboards which should be visible users without admin role
 # See uids from in hetzner-ansible/templates/prometheus/config/grafana/provisioning/dashboards/*.json
 grafana_dashboard_whitelist:
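Review bot: `selectattr('name', 'match', shared_service_postgres_primary )` (and its secondary twin below) applies a regular-expression test anchored at the start of `name`, so the host name is treated as a pattern: it also accepts longer names that merely begin with `{{ stage }}-postgres-01`, and a regex metacharacter in a stage name would change its meaning. Since the intent is an exact host name, `| selectattr('name', 'equalto', shared_service_postgres_primary)` expresses that directly. `| default('-')` turns a missing host into the string `'-'` rather than an undefined-variable error; if that is deliberate for stages without a secondary, a comment such as `# '-' when the stage has no such postgres host` would make it explicit.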
diff --git a/group_vars/all/harbor.yml b/group_vars/all/harbor.yml
new file mode 100644
index 0000000..6f6daee
--- /dev/null
+++ b/group_vars/all/harbor.yml
@@ -0,0 +1,10 @@
+---
+harbor_oidc_realm: "stage-harbor"
+harbor_oidc_client_id: "stage-harbor"
+harbor_oidc_client_secret: "{{ harbor_oidc_client_secret_vault | default(docker_registry_oidc_client_secret_vault) }}" # backwards compatibility
+harbor_oidc_admin_username: "harbor-admin"
+harbor_oidc_admin_password: "{{ harbor_oidc_admin_password_vault }}"
+harbor_oidc_admin_email: "{{ devops_email_address }}"
+
+harbor_username: "{{ docker_registry_username_vault }}"
+harbor_token: "{{ docker_registry_token_v​ault }}"
diff --git a/group_vars/all/keycloak.yml b/group_vars/all/keycloak.yml
new file mode 100644
index 0000000..60bad46
--- /dev/null
+++ b/group_vars/all/keycloak.yml
@@ -0,0 +1,5 @@
+---
+keycloak_admin_username: "keycloak-admin"
+keycloak_admin_password: "{{ keycloak_admin_password_vault }}"
+
+keycloak_default_theme: "smardigo-theme"
diff --git a/group_vars/all/management.yml b/group_vars/all/management.yml
new file mode 100644
index 0000000..35f6ae5
--- /dev/null
+++ b/group_vars/all/management.yml
@@ -0,0 +1,8 @@
+---
+management_oidc_realm: "infrastructure"
+management_oidc_client_id: "connect"
+
+management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
+
+management_admin_username: "management-admin"
+management_admin_password: "{{ management_admin_password_vault }}"
diff --git a/group_vars/all/plain.yml b/group_vars/all/plain.yml
index 6484bcc..753f75e 100644
--- a/group_vars/all/plain.yml
+++ b/group_vars/all/plain.yml
@@ -1,7 +1,7 @@
 ---
+
 ansible_ssh_host: "{{ stage_server_domain }}"
-debug: false
 
 ssh_macs:
   - umac-128-etm@openssh.com
   - hmac-sha2-256-etm@openssh.com
@@ -26,6 +27,7 @@ ssh_ciphers:
   - aes256-gcm@openssh.com
 ssh_permit_root_login: "yes"
 
+debug: false
 docker_enabled: true
 docker_config_enabled: true
 traefik_enabled: true
@@ -65,15 +66,6 @@ hetzner_server_image: ubuntu-20.04
 hetzner_location: nbg1
 hetzner_load_balancer_type: lb11
 
-awx_ansible_user_name: "awx"
-awx_ansible_user_ssh_key_private: "{{ ansible_ssh_key_private_vault }}"
-awx_credential_machine_hetzner_name: hetzner-ansible-ssh
-
-awx_ansible_username: ansible
-awx_ansible_password: ansible
-
-argocd_bootstrap_infrastructure: false
-
 gitlab_ansible_user_name: "gitlabci"
 
 backupuser_user_name: backupuser
@@ -156,15 +148,12 @@ docker_compose_path: "/usr/bin/docker-compose"
 service_base_path: "/etc/smardigo"
 
 devops_email_address: "nso.devops@netgo.de"
-gitea_admin_email: "{{ devops_email_address }}"
 lets_encrypt_email: "{{ devops_email_address }}"
 connect_admin_email: "{{ devops_email_address }}"
 keycloak_admin_email: "{{ devops_email_address }}"
 pgadmin4_admin_email: "{{ devops_email_address }}"
-harbor_oidc_admin_email: "{{ devops_email_address }}"
 grafana_admin_email: "{{ devops_email_address }}"
 grafana_smardigo_email: "{{ devops_email_address }}"
-argocd_admin_email: "{{ devops_email_address }}"
 
 http_port: "80"
 https_port: "443"
@@ -179,7 +168,6 @@ service_port_logstash: "5044"
 service_port_postgres: "5432"
 service_port_kibana: "5601"
 service_port_cadvisor: "8080"
-service_port_webdav: "8080"
 service_port_keycloak: "8080"
 service_port_iam: "8082"
 service_port_sonarqube: "9000"
@@ -198,13 +186,6 @@ monitor_port_postgres: "9087"
 admin_port_service: "9081"
 admin_port_traefik: "9080"
 
-connect_id: "{{ inventory_hostname }}-connect"
-connect_base_url: "{{ connect_id }}.{{ domain }}"
-wordpress_id: "{{ inventory_hostname }}-wordpress"
-wordpress_base_url: "{{ wordpress_id }}.{{ domain }}"
-
-smardigo_auth_token_name: "Smardigo-User-Token"
-
 filebeat_certificate: "{{ stage }}-elastic-stack-filebeat"
 logstash_certificate: "{{ stage }}-elastic-stack-logstash-01"
 
@@ -228,12 +209,6 @@ upstream_dns_servers: - 185.12.64.1 - 185.12.64.2 -harbor_username: "{{ docker_registry_username_vault }}" -harbor_token: "{{ docker_registry_token_vault }}" - -keycloak_admin_username: "keycloak-admin" -keycloak_admin_password: "{{ keycloak_admin_password_vault }}" - # Note: all dollar signs in the hash need to be doubled for escaping. # To create user:password pair, it's possible to use this command: # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g diff --git a/group_vars/all/prometheus.yml b/group_vars/all/prometheus.yml index fd5ed39..5058cab 100644 --- a/group_vars/all/prometheus.yml +++ b/group_vars/all/prometheus.yml @@ -1,5 +1,4 @@ --- - # node exporter exposes data only into the private network node_exporter_listen_address: "{{ stage_private_server_ip }}" diff --git a/group_vars/all/services.yml b/group_vars/all/services.yml index 61fc739..efb721c 100644 --- a/group_vars/all/services.yml +++ b/group_vars/all/services.yml @@ -1,5 +1,4 @@ --- - # TODO variable shouldn't used in a global way elastic_id: "{{ inventory_hostname }}-elastic" # TODO variable shouldn't used in a global way 
@@ -7,25 +6,29 @@ elastic_exporter_id: "{{ inventory_hostname }}-elastic-exporter" shared_service_url_harbor: "https://{{ shared_service_hostname_harbor }}" shared_service_hostname_harbor: "{{ stage }}-harbor-01.{{ domain_env }}" - -shared_service_url_kibana: "https://{{ shared_service_hostname_kibana }}" -shared_service_hostname_kibana: "{{ stage }}-elastic-stack-kibana-01-kibana.{{ domain_env }}" - shared_service_url_keycloak: "https://{{ shared_service_hostname_keycloak }}" shared_service_hostname_keycloak: "{{ stage }}-keycloak-01.{{ domain_env }}" - +shared_service_url_kibana: "https://{{ shared_service_hostname_kibana }}" +shared_service_hostname_kibana: "{{ stage }}-elastic-stack-kibana-01-kibana.{{ domain_env }}" shared_service_host_management: "{{ stage }}-management-01" shared_service_url_management: "https://{{ shared_service_hostname_management }}" shared_service_hostname_management: "{{ shared_service_host_management }}-connect.{{ domain_env }}" # use private loadbalancer ip for all kubernetes services stage_kube: "{{ stage }}" -shared_service_kube_argocd_hostname: "{{ stage_kube }}-argocd.{{ domain_env }}" -shared_service_kube_url_awx: "https://{{ shared_service_kube_awx_hostname }}" -shared_service_kube_awx_hostname: "{{ stage_kube }}-awx.{{ domain_env }}" -shared_service_kube_harbor_hostname: "{{ stage }}-harbor.{{ domain_env }}" +shared_service_kube_url_argocd: "https://{{ shared_service_kube_hostname_argocd }}" +shared_service_kube_hostname_argocd: "{{ stage_kube }}-argocd.{{ domain_env }}" +shared_service_kube_url_gitea: "https://{{ shared_service_kube_hostname_gitea }}" +shared_service_kube_hostname_gitea: "{{ stage_kube }}-gitea.{{ domain_env }}" +shared_service_kube_url_kibana: "https://{{ shared_service_kube_hostname_kibana }}" +shared_service_kube_hostname_kibana: "{{ stage_kube }}-kibana.{{ domain_env }}" +shared_service_kube_url_awx: "https://{{ shared_service_kube_hostname_awx }}" +shared_service_kube_hostname_awx: "{{ stage_kube 
}}-awx.{{ domain_env }}" +shared_service_kube_url_harbor: "https://{{ shared_service_kube_hostname_harbor }}" +shared_service_kube_hostname_harbor: "{{ stage }}-harbor.{{ domain_env }}" +shared_service_kube_url_prometheus: "https://{{ shared_service_kube_hostname_prometheus }}" +shared_service_kube_hostname_prometheus: "{{ stage_kube }}-prometheus.{{ domain_env }}" shared_service_kube_jaeger_collector_hostname: "{{ stage_kube }}-jaeger-collector.{{ domain_env }}" -shared_service_kube_prometheus_hostname: "{{ stage_kube }}-prometheus.{{ domain_env }}" # TODO make value available for plays with static inventory - by autodiscover_pre_tasks.yml shared_service_kube_loadbalancer_public_ip_not_available: "public loadbalancer ip not available" 
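Review bot: `shared_service_kube_hostname_harbor` is built from `{{ stage }}` while every sibling added in this hunk (argocd, gitea, kibana, awx, prometheus, jaeger) uses `{{ stage_kube }}`. Today `stage_kube: "{{ stage }}"` makes the two equal, so this is harmless, but they diverge the moment a stage overrides `stage_kube`, and harbor is the hostname that image pulls and the additional-hosts list depend on. Either align it, `shared_service_kube_hostname_harbor: "{{ stage_kube }}-harbor.{{ domain_env }}"`, or put a comment above the line stating that harbor is deliberately bound to `stage`. The renames from `shared_service_kube_*_hostname` to `shared_service_kube_hostname_*` also break any role or play outside this diff that still uses the old names; I cannot see from here whether those consumers were updated.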
@@ -33,15 +36,22 @@ shared_service_kube_loadbalancer_public_ip: "{{ stage_public_ingress_loadbalance # TODO make value available for plays with static inventory - by autodiscover_pre_tasks.yml shared_service_kube_loadbalancer_private_ip_not_available: "private loadbalancer ip not available" shared_service_kube_loadbalancer_private_ip: "{{ stage_private_ingress_loadbalancer_ip | default(shared_service_kube_loadbalancer_private_ip_not_available) }}" +# TODO make value available for plays with static inventory - by autodiscover_pre_tasks.yml +shared_service_loadbalancer_logstash_private_ip_not_available: "private logstash loadbalancer ip not available" +shared_service_loadbalancer_logstash_private_ip: "shared_service_loadbalancer_logstash_private_ip_not_available" -shared_service_additional_hosts: - - name: "{{ shared_service_kube_argocd_hostname }}" +shared_service_default_additional_hosts: + - name: "{{ shared_service_kube_hostname_argocd }}" ip: "{{ shared_service_kube_loadbalancer_private_ip }}" - - name: "{{ shared_service_kube_awx_hostname }}" + - name: "{{ shared_service_kube_hostname_awx }}" ip: "{{ shared_service_kube_loadbalancer_private_ip }}" - - name: "{{ shared_service_kube_prometheus_hostname }}" + - name: "{{ shared_service_kube_hostname_prometheus }}" ip: "{{ shared_service_kube_loadbalancer_private_ip }}" - name: "{{ shared_service_kube_jaeger_collector_hostname }}" ip: "{{ shared_service_kube_loadbalancer_private_ip }}" - - name: "{{ shared_service_kube_harbor_hostname }}" + - name: "{{ shared_service_kube_hostname_harbor }}" ip: "{{ shared_service_kube_loadbalancer_private_ip }}" + - name: "{{ shared_service_logstash_hostname }}" + ip: "{{ shared_service_loadbalancer_logstash_private_ip }}" + +shared_service_additional_hosts: "{{ shared_service_default_additional_hosts + (shared_service_custom_additional_hosts | default([])) }}" diff --git a/group_vars/all/versions.yml b/group_vars/all/versions.yml index b776957..8f3e73c 100644 
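Review bot: `shared_service_loadbalancer_logstash_private_ip` is assigned the literal string `"shared_service_loadbalancer_logstash_private_ip_not_available"`, not that variable's value — the `{{ }}` is missing, unlike the kube loadbalancer line two entries above which uses `| default(...)`. That string is then used as the `ip:` of the `shared_service_logstash_hostname` entry in `shared_service_default_additional_hosts`, so every stage that does not override it (demompmx does, with `10.0.0.21` in its plain.yml) renders a hosts entry whose address is a sentence, unless the consuming role filters placeholder entries, which I cannot see from here. The minimal fix is `shared_service_loadbalancer_logstash_private_ip: "{{ shared_service_loadbalancer_logstash_private_ip_not_available }}"`. Note also that `shared_service_logstash_hostname` is only defined in the demompmx stage file within this diff; a stage without it will fail with an undefined variable as soon as this list is rendered.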
--- a/group_vars/all/versions.yml +++ b/group_vars/all/versions.yml @@ -26,6 +26,5 @@ traefik_version: "v2.8.5" connect_version: "10.5" iam_version: "10.0" -webdav_version: "8.4.1" ansible_minimal_version: "2.12.0" diff --git a/group_vars/connect/plain.yml b/group_vars/connect/plain.yml index 14b7e46..4905fe8 100644 --- a/group_vars/connect/plain.yml +++ b/group_vars/connect/plain.yml @@ -6,14 +6,14 @@ hetzner_server_labels: "stage={{ stage }} service=connect{% if tenant_id is defi # unique id for a service, will be used for service access management as well (e.g. keycloak realm) connect_client_id: "{{ cluster_name }}" -connect_postgres_host: "{{ shared_service_postgres_01_hostname }}" +connect_postgres_host: "{{ shared_service_postgres_primary }}" connect_postgres_database: "{{ stage }}_{{ tenant_id }}_{{ cluster_name }}_connect" connect_postgres_username: "{{ connect_postgres_database }}" connect_postgres_password: "connect-postgres-admin" -connect_elastic_host: "{{ shared_service_elastic_stack_01_hostname }}" -connect_elastic_username: "{{ elastic_admin_username }}" -connect_elastic_password: "{{ elastic_admin_password }}" +connect_elastic_host: "{{ shared_service_connect_data_hostname }}" +connect_elastic_username: "{{ shared_service_connect_data_username }}" +connect_elastic_password: "{{ shared_service_connect_data_password }}" connect_elastic_ca: "file:/usr/share/smardigo/ca.crt" connect_elastic_prefix: "{{ stage }}_{{ tenant_id }}_{{ cluster_name }}" diff --git a/group_vars/connect_webdav/main.yml b/group_vars/connect_webdav/main.yml deleted file mode 100644 index d4e6057..0000000 --- a/group_vars/connect_webdav/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- - -connect_webdav_enabled: "true" diff --git a/group_vars/connect_wordpress/main.yml b/group_vars/connect_wordpress/main.yml index 6018b75..c157565 100644 --- a/group_vars/connect_wordpress/main.yml +++ b/group_vars/connect_wordpress/main.yml 
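Review bot: The new `connect_elastic_username`/`connect_elastic_password` reference `shared_service_connect_data_username` and `shared_service_connect_data_password`, which are not defined anywhere in this diff (only `shared_service_connect_data_hostname` appears, in the demompmx services.yml), so these vars fail to render until they exist; the same holds for `shared_service_postgres_primary`, which is only defined under `stage_demompmx`. Moving connect off the `elastic_admin_*` superuser onto a dedicated data user is the right least-privilege direction, so a comment naming where the credentials are expected to come from would help the next stage author, e.g. `# per-stage Elasticsearch user for connect data, defined in group_vars/stage_<stage>/ — must not be the elastic admin account`. The context line `connect_postgres_password: "connect-postgres-admin"` remains a plaintext credential next to vaulted ones; not part of this change, but worth a follow-up.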
@@ -1,6 +1,5 @@ --- -connect_wordpress_maria_host: "{{ shared_service_maria_hostname }}" connect_wordpress_maria_database: "{{ stage }}_{{ tenant_id }}_{{ cluster_name }}_connect_wordpress" connect_wordpress_maria_username: "{{ connect_wordpress_maria_database }}" connect_wordpress_maria_password: "connect-wordpress-maria-admin" diff --git a/group_vars/gitea/plain.yml b/group_vars/gitea/plain.yml index ae69c02..9a5a0ee 100644 --- a/group_vars/gitea/plain.yml +++ b/group_vars/gitea/plain.yml @@ -8,11 +8,7 @@ gitea_postgres_id: "{{ inventory_hostname }}-postgres-gitea" gitea_base_url: "{{ inventory_hostname }}.{{ domain }}" -# unique id for a service, will be used for service access management as well (e.g. keycloak realm) -gitea_client_id: "{{ cluster_name }}" -gitea_client_secret: "{{ cluster_name }}" - -gitea_postgres_host: "{{ shared_service_postgres_01_hostname }}" +gitea_postgres_host: "{{ shared_service_postgres_primary }}" gitea_postgres_database: "{{ stage }}_gitea" gitea_postgres_username: "{{ gitea_postgres_database }}" gitea_postgres_password: "gitea-postgres-admin" diff --git a/group_vars/keycloak/plain.yml b/group_vars/keycloak/plain.yml index cbdcca9..ec0e45e 100644 --- a/group_vars/keycloak/plain.yml +++ b/group_vars/keycloak/plain.yml @@ -3,7 +3,7 @@ hetzner_server_type: cx11 hetzner_server_labels: "stage={{ stage }} service=keycloak" -keycloak_postgres_host: "{{ shared_service_postgres_01_hostname }}" +keycloak_postgres_host: "{{ shared_service_postgres_primary }}" keycloak_postgres_database: "{{ stage }}_keycloak" keycloak_postgres_username: "{{ keycloak_postgres_database }}" keycloak_postgres_password: "keycloak-postgres-admin" diff --git a/group_vars/logstash/plain.yml b/group_vars/logstash/plain.yml index 9031bbe..7ec3d81 100644 --- a/group_vars/logstash/plain.yml +++ b/group_vars/logstash/plain.yml @@ -1,5 +1,6 @@ --- - hetzner_server_labels: "stage={{ stage }} service=logstash" traefik_enabled: false + +logstash_ssl_enabled: true 
diff --git a/group_vars/management/plain.yml b/group_vars/management/plain.yml index acc949c..97ccd6b 100644 --- a/group_vars/management/plain.yml +++ b/group_vars/management/plain.yml @@ -1,55 +1,3 @@ --- hetzner_server_type: cx21 - -connect_client_admin_username: "{{ management_admin_username }}" -connect_client_admin_password: "{{ management_admin_password }}" -connect_workflow_env: "baseUrl:{{ connect_base_url }};stage:{{ stage }};smardigoUserToken:{{ smardigo_auth_token_value }}" -connect_oidc_client_secret: "{{ management_oidc_client_secret }}" - -connect_config_delete_scope_enabled: true -connect_datasource_action_enabled: true -connect_element_template_enabled: true -connect_external_task_script_worker_enabled: true -connect_search_elastic_enabled: false -connect_swagger_enabled: true -connect_workflow_heatmap_enabled: true - -tenant_id: "{{ management_oidc_realm }}" -cluster_size: "1" -cluster_name: "{{ management_oidc_client_id }}" -current_realm_name: "management" -current_realm_display_name: "Stage Management" - -postgres_acls: - - name: "{{ connect_postgres_database }}" - password: "{{ connect_postgres_password }}" - trusted_cidr_entry: "{{ shared_service_network }}" - -current_realm_clients: [ - { - name: '{{ management_oidc_client_id }}', - clientId: "{{ management_oidc_client_id }}", - admin_url: '', - root_url: '', - redirect_uris: [ - "{{ http_s }}://{{ connect_base_url }}/*" - ], - secret: '{{ management_oidc_client_secret }}', - web_origins: [ - "{{ http_s }}://{{ connect_base_url }}" - ], - } -] - -current_realm_users: - - username: "{{ management_admin_username }}" - password: "{{ management_admin_password }}" - email: "{{ connect_admin_email }}" - requiredActions: [] - -current_realm_admin_users: - - username: "{{ management_realm_admin_username }}" - password: "{{ management_realm_admin_password }}" - email: "{{ connect_admin_email }}" - requiredActions: [] 
diff --git a/group_vars/pdns/plain.yml b/group_vars/pdns/plain.yml index 7c226ab..eb66270 100644 --- a/group_vars/pdns/plain.yml +++ b/group_vars/pdns/plain.yml @@ -10,7 +10,7 @@ pdns_admin_id: "{{ inventory_hostname }}-admin-pdns" pdns_admin_postgres_id: "{{ inventory_hostname }}-admin-postgres-pdns" #pdns_api_key: "< see vault >" -pdns_postgres_host: "{{ shared_service_postgres_01_hostname }}" +pdns_postgres_host: "{{ shared_service_postgres_primary }}" pdns_postgres_database: "{{ stage }}_pdns" pdns_postgres_username: "{{ pdns_postgres_database }}" pdns_postgres_password: "pdns-postgres-admin" diff --git a/group_vars/postgres/plain.yml b/group_vars/postgres/plain.yml index b91d393..6a5cf2d 100644 --- a/group_vars/postgres/plain.yml +++ b/group_vars/postgres/plain.yml @@ -1,7 +1,7 @@ --- hetzner_server_type: cpx11 -hetzner_server_labels: "stage={{ stage }} service=postgres" +hetzner_server_labels: "stage={{ stage }} service=postgres role={{ server_type }}" postgres_acls: [] diff --git a/group_vars/redis/plain.yml b/group_vars/redis/plain.yml deleted file mode 100644 index f413e14..0000000 --- a/group_vars/redis/plain.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -hetzner_server_type: cx11 -hetzner_server_labels: "stage={{ stage }} service=redis" - -docker_enabled: false -traefik_enabled: false - -redis_bind_interface: 0.0.0.0 -redis_maxmemory: '{{ ansible_memtotal_mb * 0.8 | int }}' - -redis_exporter_ip: "{{ ansible_ens10.ipv4.address | default('127.0.0.1') }}" diff --git a/group_vars/stage_demompmx/awx.yml b/group_vars/stage_demompmx/awx.yml new file mode 100644 index 0000000..728af57 --- /dev/null +++ b/group_vars/stage_demompmx/awx.yml @@ -0,0 +1,6 @@ +--- +awx_admin_username: "awx-admin" +awx_admin_password: "{{ awx_admin_password_vault }}" + +awx_hetzner_ansible_revision: "main" +awx_custom_ee_image: "{{ shared_service_hostname_harbor }}/prodnso/awx/awx-custom-ee" 
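Review bot: `awx_hetzner_ansible_revision: "main"` and the untagged `awx_custom_ee_image` pin the AWX project and its execution environment to moving targets (branch `main`, implicit `:latest`), so whatever lands on that branch or registry path next runs with the infrastructure's credentials without review. For a demo stage that may be acceptable, but the image should carry an explicit tag or digest and the revision a tag or commit, or at least the risk should be recorded in place: `awx_hetzner_ansible_revision: "main"  # TODO pin to a release tag; main + untagged EE image means unreviewed changes run automatically`. I cannot tell from here whether the awx role appends a tag itself.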
diff --git a/group_vars/stage_demompmx/bootstrap.yml b/group_vars/stage_demompmx/bootstrap.yml
new file mode 100644
index 0000000..3257a75
--- /dev/null
+++ b/group_vars/stage_demompmx/bootstrap.yml
@@ -0,0 +1,14 @@
+---
+harbor_bootstrap_helm_url: "prodnso-harbor-01.smardigo.digital/infrastructure"
+harbor_bootstrap_helm_name: "infrastructure"
+harbor_bootstrap_username: "{{ harbor_bootstrap_username_vault }}"
+harbor_bootstrap_password: "{{ harbor_bootstrap_password_vault}}"
+
+gitea_bootstrap_url: "https://demompmx-gitea.smardigo.digital/demompmx/demompmx-argocd"
+gitea_bootstrap_username: "{{ gitea_admin_username }}"
+gitea_bootstrap_password: "{{ gitea_admin_password }}"
+
+custom_ip_whitelist:
+ - "5.75.131.94"
+ - "116.203.156.144"
+ - "91.107.225.163"
diff --git a/group_vars/stage_demompmx/database.yml b/group_vars/stage_demompmx/database.yml
new file mode 100644
index 0000000..7639b93
--- /dev/null
+++ b/group_vars/stage_demompmx/database.yml
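Review bot: `gitea_bootstrap_username`/`gitea_bootstrap_password` reuse the Gitea admin account for the ArgoCD bootstrap repository, so the credential that ends up in the cluster's repo secret is a full site admin rather than a read-only deploy key or a token scoped to `demompmx/demompmx-argocd`; if the bootstrap flow allows it, a dedicated account would cut the blast radius considerably. The three entries in `custom_ip_whitelist` are bare public addresses with no comment, yet firewall.yml grants SSH, HTTP(S) and the Kubernetes API to `ip_whitelist`, so each should say what it is and who owns it (`- "5.75.131.94"  # <owner / purpose>`), otherwise nobody can safely remove one later. `harbor_bootstrap_helm_url` points this demo stage at the `prodnso` Harbor, meaning prod registry credentials (`harbor_bootstrap_*_vault`) live in this stage's vault — worth a comment if intended. Minor: `{{ harbor_bootstrap_password_vault}}` is missing the space before `}}`.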
@@ -0,0 +1,21 @@
+---
+shared_service_postgres_primary: "{{ stage }}-postgres01-01"
+shared_service_postgres_secondary: "{{ stage }}-postgres01-02"
+
+stage_database_management_connect_name: "{{ stage }}_infrastructure_management_connect"
+stage_database_management_connect_password: "connect-postgres-admin"
+stage_database_management_keycloak_name: "{{ stage }}_infrastructure_management_keycloak"
+stage_database_management_keycloak_password: "keycloak-postgres-admin"
+stage_database_management_gitea_name: "{{ stage }}_infrastructure_management_gitea"
+stage_database_management_gitea_password: "gitea-postgres-admin"
+
+stage_postgres_acls:
+ - name: "{{ stage_database_management_connect_name }}"
+ password: "{{ stage_database_management_connect_password }}"
+ trusted_cidr_entry: "{{ shared_service_network }}"
+ - name: "{{ stage_database_management_keycloak_name }}"
+ password: "{{ stage_database_management_keycloak_password }}"
+ trusted_cidr_entry: "{{ shared_service_network }}"
+ - name: "{{ stage_database_management_gitea_name }}"
+ password: "{{ stage_database_management_gitea_password }}"
+ trusted_cidr_entry: "{{ shared_service_network }}"
diff --git a/group_vars/stage_demompmx/firewall.yml b/group_vars/stage_demompmx/firewall.yml
new file mode 100644
index 0000000..8c99601
--- /dev/null
+++ b/group_vars/stage_demompmx/firewall.yml
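Review bot: `stage_database_management_*_password` are plaintext credentials committed to group_vars (`connect-postgres-admin`, `keycloak-postgres-admin`, `gitea-postgres-admin`) while every other secret in this stage goes through a `*_vault` reference; they become real database roles through `stage_postgres_acls`, trusted from the whole `shared_service_network` /16. Move them into the vault, e.g. `stage_database_management_connect_password: "{{ stage_database_management_connect_password_vault }}"`, and rotate them, since the values are now in git history. The gitea entry creates role `{{ stage }}_infrastructure_management_gitea` with this plaintext password, whereas `group_vars/stage_demompmx/gitea.yml` in the same commit sets `gitea_postgres_username: "gitea-postgres"` with a vaulted password — I cannot tell from here which pair the gitea deployment actually uses, but one of them looks dead.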
@@ -0,0 +1,143 @@ +--- +hcloud_firewall_objects: + - + name: "{{ stage }}-default" + state: present + rules: + - + direction: in + protocol: icmp + port: '' + source_ips: '{{ ip_whitelist }}' + destination_ips: [] + description: ICMP allowed + - + direction: in + protocol: tcp + port: '22' + source_ips: '{{ ip_whitelist }}' + destination_ips: [] + description: SSH allowed + - + direction: in + protocol: tcp + port: '80' + source_ips: '{{ ip_whitelist }}' + destination_ips: [] + description: HTTP allowed + - + direction: in + protocol: tcp + port: '443' + source_ips: '{{ ip_whitelist }}' + destination_ips: [] + description: HTTPS allowed + apply_to: + - + type: label_selector + label_selector: + selector: 'stage={{ stage }}' + - + name: "{{ stage }}-monitoring" + state: present + rules: + - + direction: in + protocol: tcp + port: '9080-9085' + source_ips: '{{ ip_whitelist + [ lookup("community.general.dig", stage + "-prometheus-01." + domain ) + "/32"] }}' + destination_ips: [] + description: 'Server/Service Monitoring' + - + direction: in + protocol: tcp + port: '9001' + source_ips: '{{ ip_whitelist }}' + destination_ips: [] + description: 'PgAdmin' + - + direction: in + protocol: tcp + port: '9187' + source_ips: '{{ ip_whitelist }}' + destination_ips: [] + description: 'Postgres-Exporter' + apply_to: + - + type: label_selector + label_selector: + selector: 'stage={{ stage }}' + - + name: "{{ stage }}-monitoring-extern-https" + state: present + rules: + - + direction: in + protocol: tcp + port: '443' + source_ips: + - "{{ lookup('community.general.dig', 'dev-blackbox-01.smardigo.digital' ) }}/32" + destination_ips: [] + description: null + apply_to: + - + type: label_selector + label_selector: + selector: 'stage={{ stage }},service=connect' + - + type: label_selector + label_selector: + selector: 'stage={{ stage }},service=keycloak' + - + name: "{{ stage }}-access-to-kubernetes-api" + state: present + rules: + - + direction: in + protocol: tcp + port: '6443' + 
source_ips: "{{ ip_whitelist }}" + destination_ips: [] + description: "Allow access for whitelisted ips" + apply_to: + - + type: label_selector + label_selector: + selector: 'stage={{ stage }},service=kube_control_plane' + - + name: "{{ stage }}-access-to-connect" + state: present + rules: + - + direction: in + protocol: tcp + port: '443' + source_ips: + - '0.0.0.0/0' + destination_ips: [] + description: "Whitelisting ALL(also from UNTRUST) incoming HTTPS traffic for connect-instance(s)" + apply_to: + - + type: label_selector + label_selector: + selector: 'stage={{ stage }},service=connect' + + +hcloud_firewall_objects_keycloak: + - + name: "{{ stage }}-access-to-keycloak" + state: present + rules: + - + direction: in + protocol: tcp + port: '443' + source_ips: + - '0.0.0.0/0' + destination_ips: [] + description: "Whitelisting ALL(also from UNTRUST) incoming HTTPS traffic for keycloak-instance(s))" + apply_to: + - + type: label_selector + label_selector: + selector: 'stage={{ stage }},service=keycloak' \ No newline at end of file diff --git a/group_vars/stage_demompmx/gitea.yml b/group_vars/stage_demompmx/gitea.yml new file mode 100644 index 0000000..9738133 --- /dev/null +++ b/group_vars/stage_demompmx/gitea.yml @@ -0,0 +1,5 @@ +--- +gitea_admin_username: "gitea-admin" +gitea_admin_password: "{{ gitea_admin_password_vault }}" +gitea_postgres_username: "gitea-postgres" +gitea_postgres_password: "{{ gitea_postgres_password_vault }}" diff --git a/group_vars/stage_demompmx/grafana.yml b/group_vars/stage_demompmx/grafana.yml new file mode 100644 index 0000000..16c9e05 --- /dev/null +++ b/group_vars/stage_demompmx/grafana.yml @@ -0,0 +1,4 @@ +--- +grafana_signing_secret: "{{ grafana_signing_secret_vault }}" +grafana_admin_username: "grafana-admin" +grafana_admin_password: "{{ grafana_admin_password_vault }}" diff --git a/group_vars/stage_demompmx/kubernetes.yml b/group_vars/stage_demompmx/kubernetes.yml new file mode 100644 index 0000000..d00c8ab --- /dev/null 
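Review bot: Two rules compute `source_ips` with `lookup("community.general.dig", ...)` at play time (`{{ stage }}-prometheus-01.{{ domain }}` and `dev-blackbox-01.smardigo.digital`); when the name does not resolve, the dig lookup yields the string `NXDOMAIN`, so the rule renders as `NXDOMAIN/32` and the hcloud firewall task fails mid-apply instead of failing early with a clear message. Resolve each name once into a fact in a pre-task, `assert` it matches an IPv4 address, and reference the fact here; note also that the prometheus rule uses `domain` while every shared-service hostname in this commit is built from `domain_env`, which may be intentional but deserves a comment. The `{{ stage }}-access-to-connect` and `hcloud_firewall_objects_keycloak` rules open 443 from `0.0.0.0/0` on purpose per their descriptions, but the blackbox rule has `description: null` and should carry a real description like the others. The file also lacks a trailing newline.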
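Review bot: `gitea_postgres_username: "gitea-postgres"` departs from the convention in group_vars/gitea/plain.yml, where the role name equals `gitea_postgres_database`, and no ACL for a `gitea-postgres` role exists in this stage's `stage_postgres_acls` (that file creates `{{ stage }}_infrastructure_management_gitea` instead). Both are group vars, so which value wins follows Ansible group precedence rather than intent (`stage_demompmx` sorts after `gitea`), which means this override likely wins while the matching role may never be created. Either drop these two lines so the shared convention applies, or add the matching ACL entry and a comment above the override explaining why the kubernetes-hosted gitea needs a different role.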
+++ b/group_vars/stage_demompmx/kubernetes.yml
@@ -0,0 +1,7 @@
+---
+
+kubernetes_with_externaldns: true
+kubernetes_with_certmanager: true
+kubernetes_with_ingress: true
+kubernetes_with_gitea: true
+kubernetes_with_awx: true
diff --git a/group_vars/stage_demompmx/logging.yml b/group_vars/stage_demompmx/logging.yml
new file mode 100644
index 0000000..e1d5d6a
--- /dev/null
+++ b/group_vars/stage_demompmx/logging.yml
@@ -0,0 +1,2 @@
+---
+logstash_ssl_enabled: false
diff --git a/group_vars/stage_demompmx/plain.yml b/group_vars/stage_demompmx/plain.yml
new file mode 100644
index 0000000..8f8aedc
--- /dev/null
+++ b/group_vars/stage_demompmx/plain.yml
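Review bot: `logstash_ssl_enabled: false` switches off TLS for the demompmx logstash input while group_vars/logstash/plain.yml in this same commit makes `true` the default, so beats on every demompmx host ship logs in cleartext to `10.0.0.21` / `{{ stage }}-logstash.{{ domain_env }}`, and any peer on the `10.0.0.0/16` shared network can read or inject log events. If this is a temporary workaround (for example `filebeat_certificate`/`logstash_certificate` not yet issued for the new logstash loadbalancer), say so and track it: `logstash_ssl_enabled: false  # TODO(DEV-1042): re-enable once the logstash LB has a certificate; beats traffic is cleartext until then`. Otherwise the override should go and the default stand.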
@@ -0,0 +1,52 @@ +--- +stage: "demompmx" + +hetzner_server_type_kube_cpl: cpx21 +hetzner_server_type_kube_node: cpx31 + +custom_stage_plattform_users: + - "hp.wissenbach" + +# TODO read configuration with hetzner rest api +shared_service_network: "10.0.0.0/16" + +netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}" +netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}" + +# smardigo automation DEV gpg key +# https://git.dev-at.de/smardigo-hetzner/communication-keys/ +# push mirror: https://{{ stage }}-gitea-01.smardigo.digital/communication-keys.git +gpg_key_smardigo_automation__private: "{{ gpg_key_smardigo_automation__private__vault }}" + +pgadmin4_admin_username: "{{ pgadmin4_admin_email }}" +pgadmin4_admin_password: "{{ pgadmin4_admin_password_vault }}" + +shared_service_gitea_hostname: "{{ shared_service_kube_hostname_gitea }}" +shared_service_hostname_harbor: "{{ shared_service_kube_hostname_harbor }}" + +shared_service_iam_hostname: "{{ stage }}-iam-01.{{ domain_env }}" +shared_service_mail_hostname: "{{ stage }}-mail-01.{{ domain_env }}" +shared_service_logstash_hostname: "{{ stage }}-logstash.{{ domain_env }}" + +filebeat_image_name: "{{ shared_service_hostname_harbor }}/docker.elastic.co/beats/filebeat" +metricbeat_image_name: "{{ shared_service_hostname_harbor }}/docker.elastic.co/beats/metricbeat" + +connect_jwt_enabled: true +connect_jwt_secret: "06aa5b66a2e241b7af934035df79e8a8" +iam_jwt_enabled: true +iam_jwt_secret: "b9bb2282a3284bf291173ef202928004" + +keycloak_default_theme: "mpmx-theme" + +harbor_admin_username: "{{ harbor_admin_username_vault }}" +harbor_admin_password: "{{ harbor_admin_password_vault }}" + +shared_service_url_kibana: "{{ shared_service_kube_url_kibana }}" +shared_service_hostname_kibana: "{{ shared_service_kube_hostname_kibana }}" + +elastic_admin_username: "{{ elastic_admin_username_vault }}" +elastic_admin_password: "{{ elastic_admin_password_vault }}" + +shared_service_elastic_stack_01_hostname: 
"demompmx-connect-data.smardigo.digital:443" + +shared_service_loadbalancer_logstash_private_ip: "10.0.0.21" diff --git a/group_vars/stage_demompmx/prometheus.yml b/group_vars/stage_demompmx/prometheus.yml new file mode 100644 index 0000000..20b37c0 --- /dev/null +++ b/group_vars/stage_demompmx/prometheus.yml @@ -0,0 +1,12 @@ +--- +prometheus_admin_username: "prometheus-admin" +prometheus_admin_password: "{{ prometheus_admin_password_vault }}" +prometheus_admin_password_htpasswd: "{{ prometheus_admin_password_htpasswd_vault }}" + +alertmanager_admin_username: "alertmanager-admin" +alertmanager_admin_password: "{{ alertmanager_admin_password_vault }}" +alertmanager_admin_password_htpasswd: "{{ alertmanager_admin_password_htpasswd_vault }}" + +prometheus_tsdb_rentention_time: '2w' +# federation for k8s prometheus -> stage prometheus +prometheus_federation_enabled: false \ No newline at end of file diff --git a/group_vars/stage_demompmx/services.yml b/group_vars/stage_demompmx/services.yml new file mode 100644 index 0000000..d318f38 --- /dev/null +++ b/group_vars/stage_demompmx/services.yml @@ -0,0 +1,9 @@ +--- +shared_service_url_harbor: "{{ shared_service_kube_harbor_url }}" + +shared_service_custom_additional_hosts: + - name: "{{ shared_service_connect_data_hostname }}" + ip: "{{ shared_service_kube_loadbalancer_private_ip }}" + +iam_image_name: '{{ shared_service_hostname_harbor }}/prodnso/smardigo/iam-app' +connect_image_name: "{{ shared_service_hostname_harbor }}/prodnso/smardigo/connect-whitelabel-app" diff --git a/group_vars/stage_demompmx/vault.yml b/group_vars/stage_demompmx/vault.yml new file mode 100644 index 0000000..9d069d2 --- /dev/null +++ b/group_vars/stage_demompmx/vault.yml 
@@ -0,0 +1,130 @@ +$ANSIBLE_VAULT;1.1;AES256 +39316466656139663139383533663864323562303264393333393336316339373436636137373332 +3335663062626562656537313266346339643561383265320a646136366137666338396666386565 +63616237396265613136323361396166623763323761653666656161333039343730316362633938 +6631323836653532380a303038663633386634323235383330373831363536633133333931343430 +35373332376666616137346164303431636635306435336164353332363632356630383334396436 +33633631356663643932626664393932333164626132633536323336393531653133373734303933 +31653335323635313032303739366461393433636231306239306332363533306365363264386138 +63363465363831333762363237353636313262396666333335663966636537353563643561393536 +31313662303065353135643734356439623535633036663337653865373330333934633565386262 +61353166346130636663356365646166303431373131373237323262666237353930353864383433 +64633666613939623832636330353964353865373230393564663937646663306332666462326431 +35366334663836326531396535353164396666666333393666333138313732653438633637396664 +61393865636436613666316166663966306331666538653266313830666136333461356261626461 +39306139326438366632333866356362636162376664316430643530623439383034666532326234 +33383762663036356530663165333562313938356161623063393531316539326439383330633366 +39386563623730666639363363343736663532316334343032396662643338613033333737346564 +34633738613530373332313063343364376264343731613334333463663937323565623265343432 +36326431663631306633393135626462383733633730303966383739316338646635643862376439 +30666636666433393863656537356135616235633865353265323239313539393164383333383535 +35323462373262643730343530633366366135646566396466396335626535333433313161396336 +38356364616339343565336361356263313766336162306263663762323461323739393063323036 +64373763306234663738343436353738653061343737643164396434356532666539633437386639 +63306264363239366437653062643365323330353534393861393932653461353138626234343263 
+37333438386362386437333836646563633565653930303630343362386531666635343366346435 +34366666353636363536336135663262393863383764646632663066663436636539633530313361 +30613662333035393233616532353830383363633061353036626331623830333831303262316564 +62383063353334326263623232616133336136393166386236353464306666326563303333366437 +62313130376636626538396439373630316237323534643238353739636664333039653466336666 +37376164373134313430653731333132633636336434303830396336323536313965353736623331 +33656236356137373433633165386430653364663636346463643663333830383430666566393735 +65613232326463666436346531356334396461613961366539623130333563663739393438396464 +66306636643865363737313732303830663437646464336139346433653233366132656532353335 +65303164343033303333316536643131393332643034343061386263313332356333343539383937 +38353863366632633139626261346339626263623565313336333366666439643165396164636663 +36633764616361663536373437346435636564346436663237643930383932396134616331306266 +34653134346166633034353438663430306162613638323561616662383137646231666235316561 +65386563383435653135356237393263373632376564303639383562306564633933396462623730 +35643863626138656331666432663938653765643866666434323336323061333036373561366461 +33663164346538656139626266386633373531333932343830313035343038666435316265306536 +34623534373465613930376637623863643264316633306436316530366165336539333161383734 +36373234613965666535373634313966313466363966373133393336646436323637353536613032 +38343533306663343961396633373564336237663864316334613031626534653733626133666464 +63396331323765656231303966373661323365656432663333613563666266356465623866663735 +37656631313464663838323833646635623362353032663062366335373230333166393034376536 +66306565316533363564656531383963646132333937326438656339393563623631306263313337 +39323235613261393132303139623762306535346362363463383365383639303431323432633938 +35643637303133383662363462646435326439306262646266303738633935383838343930336436 
+64613838363530643162363261636432633236313534373262626538303330316432336564366163 +37386539333930616234623437333563316631633636373334356465376338323766643663343238 +34356330303062666230663939626639643937653130326530383935616433343165316332333434 +33383462313961316566643366323139616439393830353638663466643938643632663137646438 +32643466616366636233333832316364313633623561353639386162643963393533613436393637 +66643633643137353564383531303964626331623538323937336538626661383135363639363033 +31623233386334656361656662353666366635373431373837643031333133353732363763376466 +31383132303864366233623837313735353934303137376331313238656262623862626430616566 +61396631376133346334393464626437366432356233303762366363383630373464623162316562 +34393531323263306532396535343035323163363230616164333861623538326266366664393166 +32323932306162323033353237656565353130613463653163303530346665343836366336353333 +36663831396433326664656264326530623038613165306435336436656239333839376339633738 +35663665316261623336333830363863316365393562653633313530366561623636326232643539 +62663238376232346364666661373936316164313334323561303236386134633663623561616265 +63396231313266633861353966383235613734343239396630343764633731643031386634356437 +33346633313632333532353036333761366561363435376366383231353033373032653434353233 +66656331366635626565373661666335666664383362393863313233323636316239643939316436 +36313361376361313539626533313066643036363432393037336162623336383537346138313361 +35663761386634636235373738653635353864383936356364646635653665336661326563303634 +63326563323638376432336530663538656263613362333265656436333534666136393536613437 +30353961363462373362643139353235396330323663626538633866326239633665373736636539 +63393531633833396464393032343333623739343164366362663065323865616338653662656236 +63653763623262333235303334313836353064633863346365373265326239323964633866383764 +34633062326334343835626337363663646633313438636237373362363563376662623333646138 
+64623230323035616333303064316233333561393733363236653237376535336162366261653332 +62633031303362333962326665633264333435363739363563316338343966386637646461353934 +37626237633465373139393338643435613430383564386461356266373635306662613339643439 +66323966323239383963323837656465323963303965653737323439613065363632343935623766 +33636437646230656166353031393934346364626565613164353834613464313433663235336666 +30316363343966353039303535323735366663373439393336336365353639623732663362376431 +35623633653931323839376431626661393863316534316333353331646636366533376434656431 +33326237666264386535343037386635383833333463313866633133343863326161653661623937 +36623134613166366261626231303365623737316134633564323635633032326563643233633436 +65623838336161643761333436356566663565376531613331386164393362393064336531633130 +62303534353939623937663365303963356538326334336234666237323664353332633732343333 +31353462613836383936643162373038653637623461363930626466393331623162366265643462 +38613031666334336466653239343633666666313163366663306133316665666638323336653832 +34616261336132656635643731396238636339633133643138616465643638323166653762346132 +36376131316237616339363964363130633065363065303631373732313463633936653731623864 +35353362323365343135643163386361613333383232616534363539356165333938616365663931 +62633230616434613663313130666336306261326135386564373738623365376365636563393732 +35386634643638626630383534383232303836323339316635353562613232636163343630646335 +38653662303466643463646632633965383131323561356638313532613831626537626335666463 +30303735303230313331383033386133343266643536356532636531336234616137643564636562 +38386538663666653034633262303261346136383661393933313738623739656532623634663831 +38623335373637353434323063313336613436633465643135663633383733316362396361313036 +66363363376431343361663137633162373862346161386236383731333732313930663461623563 +61336362346563613065366438393561666261663733646335663031613861366135386231656431 
+30666261326437316431616136313861666636666433653536663833316365656139653639363137 +38343839613437373233386232323138363762616665636362663833343439323730313466663633 +37636364363633653365343638326664316631363363663730353139653934333061346635666265 +37323965386337613634653634373139653531353539636132393365366232643033386561356638 +31663764386266656363313131646665303639323364343535626332386639363430303534616236 +32343833653462383831323432373861383662346137393361613263613865326131623163383962 +63636435366566376639313233386230303136646136383064663934373564306234366435636265 +35393938393033366231396433373337613965316264353964396533323136363162386363376566 +30323835303561346166373931313663303266386335663830383630653363373361616664393539 +65303666616535643164316534616134653862353162326336353530656534323966666639373464 +64313132303236666462366265633332366330323463613432326231313631653037366137306237 +65363734656436383930313136383136663734623132613438313630633437303832663666323233 +30376138653231623861396137313132316532616139306265336365643138636331643131373733 +39643333643939613561346233373136366162363166326234313730353965363830303433353736 +30323264376431336233336438366639376232333335663462393834306234336366356633346234 +65333137626564323161386238653634303239623566663736313363336364373662666465303038 +39373765616165353662363432383338643565366364303064326662633035303434346231383266 +34666466336265653031396339303930626232393335303937336164336639393934383265646639 +32643936353561613961613938386331383339663361376135663933613965346430306361303735 +63303365376230343236373633633464626437353565383730636633613737643834386162636530 +39303738666663646133376566613130343132353462316362336239356237626464343634326361 +37663931613066303563666663626433653634323032363533393136353931666339393464653762 +30613437646635653963366664333430643437646264353338383666393835613335396138653434 +66313630393736653164323737306235353336303533666561366635613361303435636230313161 
+64333464306661333663626564363131303361343061376138323231353938613033636632656238 +61363964653630666130313664323031316334366537346265303262363835373366353730313163 +62373863373233623838636363643533303132336232363137353337396464626534353863333462 +38316634316335313634313732656264353934393065656465353339313239383837333831353939 +65373864666237306634613463663734373964623130653865396165356564366263313664326562 +63393763353532353962646366363138666636323761613232336631656637323432633935666638 +35653532353964306332376464613061333461666533336234306138373836656433386564396562 +36623637633462386162383835613038633532373230643932363937363732373863336533326334 +33366561656262393965643265623465383935363434356466383038656266303339613130383831 +62613535623563353935626162346332653334613465333862623162643036653861 diff --git a/group_vars/stage_demompmx/vault_backup.yml b/group_vars/stage_demompmx/vault_backup.yml new file mode 100644 index 0000000..4e9fd5a --- /dev/null +++ b/group_vars/stage_demompmx/vault_backup.yml @@ -0,0 +1,28 @@ +$ANSIBLE_VAULT;1.1;AES256 +39306464316231633561666232626464316634306164653164663731373232636433343564306266 +3864333037326533646163383034313733356561336564630a346339376435616538303662636461 +32396538333437633363653533333234666231613936373336356164386563653061663234613233 +3238643332353530380a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diff --git a/group_vars/stage_demompmx/vault_env.yml b/group_vars/stage_demompmx/vault_env.yml new file mode 100644 index 0000000..17b34f4 --- /dev/null +++ b/group_vars/stage_demompmx/vault_env.yml 
@@ -0,0 +1,79 @@ +$ANSIBLE_VAULT;1.1;AES256 +32323066616635353064366133343063363764623034623934383161666536623033306330303638 +3461656635666631623363666663343339333837663935630a313462306639656565653733346533 +64663964313163393037343263643165343662646630623930396466336231616631386535623963 +6361636664393462650a616665323364383866303762353261303437646434323733346237336639 +62343733663934366233616335613133646638613132623632643032386437396663363131363535 +36663662366264353631343136356139623335303263656437373964646464613035363639646135 +38373430633337376533323663376465616538393536396630393966646534346230653363393066 +62663961346431363035383036316161396363633639373538653736613135633665393537343530 +38313261653261613164636235386237656365336666383237623063643439333533636264376230 +66323236303232303361613461653763663034356166313132343638303831633337373865646162 +34353161323262663136653165323636323737616436336138623030616331363866303332383233 +31346337373664323963626230656466653566653964386161303238656661633233623533613739 +62386638363531613530343631306162333261653965396663386432303638643734353832346464 +62626138356337393532373033626364633166383935316639656335313862336538656336313662 +34616134346639633566353839646639396137333830366432623763343066396537313137363633 +61373239363030313031376338666265353432363566353230336535623465353939346666303164 +31356234643463396639313130303835636232363562643038366236633931366563313931353566 +33613362383533623265616563336432653938653630376231383062366630363437666563313264 +63316437623563356334386232366536623964633231656231373866643032366163326266646237 +64636431383630353765636165396133383035313366623066613533343361306435383735623932 +38643431346334653664396364303934376364383766623931386263616465393534333537633834 +38343461393739386261316264653865386463633330366237323530306135353765343563343432 +64393539636437613064616262303137626364346561646461373366363436333739633363303235 
+63363135666430393666663238306338323863343665636166663338636632363438633132303766 +31653032363734613265343437613539323631613334376539613930383362383437366436303834 +64656266623437326161323561373834343462353637666435616265383834323266633464386462 +38653762643532386533656431323939616337666430373766373536633162366532656132623064 +36613461316235663262373630643763303132363738643366316364383962653939643239666361 +65633034626531393338633165386533376564313937366334633731386566643137333136613263 +30646436666165323131353736626134626338313362303732396635393835643938653236346437 +64313435616231323534663936363034613132653233313831636133303061396633313435393866 +36643131323161646532353533613564616232356165376132323963303130393664383065303936 +39363831303531393334376163636531616334333035656236353339633532626137393633623836 +65646535663365646462383866623338303131613338656239376430373339323734653261633130 +64343964393161613139636335366134383362353137646162383432356565643332346365656139 +63303166383962323434663931613532666464636464333035383233323264353461663966646230 +33353663363137363132396433336538333166356162626139336137353962626563613763383765 +66653035373261373333646638626433373834306164313831333964656430373330376365316633 +30313934383163373466643633393863333661633538656664363131303336366634326337346533 +62373036636364656262643737336562336338353432313237613764626633373130373534353533 +66323132666130653062643232653530363564386561643932396237633766353961323838373065 +34363633653463363433326265633630663035396635663639613737343030333630643366376666 +33313664386566653732616666356663393539303638363134346361303164643236313962306231 +37346332373331396566386532363035623461383235633666356662393839646633376565333136 +31303637333833616339633334343965393034313234363361373033343631346331343063383939 +37323733313337346539636135316361336639613233323134363637343434653761633036376265 +36343634376233666262646534613832313235323936316562353235373430363966366432353730 
+35663434386631323564323538623365333734653065373664396562383430306531373561613839 +65623063363464663337336533303239346338366665653762653266653333363064383737613033 +30623930383564343065653966373331316563346133623765363838306235306135373165623837 +33376438326332613938393630353263353134333535333337353834303031646663633463633039 +35646466613565336632613532303135396132393063613432626337313533393532346334616465 +34343633626465353263663037363735353735376537663234326163343635353134663766373439 +65656432613164653230393939653133373130643937373835363662336235623065643061386666 +34373237653564336131643635356139386663303639623064306536383062653937333166376230 +37373761623832353262316436386532306338653866313761306237393034383130313932373065 +36386630373333353235323263663736353334306535333565616136366335353839326134323532 +63653334626465303261383230653136636631386138353866383865366663623065383534613265 +61313131323064616562643932306535313135363431646438366134623561313332326664323137 +32323866663931303865326162373633653034363966386164376639616534616139303931306461 +35366132346533383565323134343432396563393130626463323366383139343061343535613636 +32333936376238643439383433356536333863313235356132623638376339636662633131633534 +63386633333735393662646365636439313834393738666630633432633362653639323466613539 +38323031343461373464383036623134633466623334306536303231663863663063313165333365 +32323433396261643864623562306464386339633965613934333964353961393737316330343434 +38646266653632323932653063373239396639366666313336333363623631376634366566663530 +30363966313762386465633438303938323336383336316131366131386633303266623431636537 +32396131316264366530353666646232646263646331363664616563643230633863376538356562 +31646464336363653261626638303738623464373762623165613732313062326530366536656665 +34653231306537646666346561306231303238376532313537656561383861313064653334386332 +61643833363933383534303962623666646363313733653637306664336531653766636331626234 
+61353263376465323765373166633664626163323664663230353965313364363066393737386232
+64393662653832376237663035303262303332326138366563393739393165343030383564653236
+34303330666435623066383262626230336366383535653265356236376262643261313666383733
+35633337633339616533633166346336303937646636643865336635373764343661653438303032
+66383466306139353837396531346230633931383666353636303234316435633337363438663861
+65626665336564393134353135613033333536363165633837616332656561383534373764623663
+6261633561663633646466356462363964613364633365623038
diff --git a/group_vars/stage_demompmx/vault_pgp.yml b/group_vars/stage_demompmx/vault_pgp.yml
new file mode 100644
index 0000000..80b1570
--- /dev/null
+++ b/group_vars/stage_demompmx/vault_pgp.yml
@@ -0,0 +1,353 @@ +$ANSIBLE_VAULT;1.1;AES256 +33383336366364656233386239393166336131396632323532346531313239306634306139333538 +6638393163643036333664376230366133353961616332660a393335346263383034333464363863 +66613339613633373833643561366462656430343961303865623931363461346239396164313332 +3362633238373938340a396230336635303039356431333532393234383766346261306337313065 +38303839633463393232346462356133636434336235643638386661383633306266343734376137 +34656634653362333163656564616632303861353638393262353666613565626664333463383865 +33326235393931626132636635346534326432356133353263653165393565343430363963343538 +64303161633936316161356662336430396535633833613864356238376439613262383161353635 +39633130326635653039613035343561626532313437653866333431303335326136333737666137 +30656566653630363333633863343735323761336365383162616263666133366330323238343932 +32626664653464333431633961353564626261336263326363386638323838656330316137633662 +37633965323531643961656231346238616630376562386635333432313730323133396136633830 +64333463333739353862383132633835656234633265623332323161656234356433633030666231 +64646262316464386634633731386530333265366537626436623433373062373065343162396434 +37663331656535613661323566383831326130666630613235396265393630363333363536393032 +33303635613435313830393430623036353035306666393665333161313735356632393136373032 +31626533303635383462356461366532383537353064393566623233386231363366346662376366 +62643732653635343738353230373932323663396164653032393335333766643363333162643836 +36643430366364363263333364343163326135643932383064343834636238383363303166303665 +39383635323565306534633536643935653233663733396636383361393065623438656432346366 +39313134623930356465383964323463313864666330396530646463316661376537333664626335 +37396562636435343934633861653065343635353634393737656235363837646637306332383635 +38663934306331316663353335373931656332646636343336643663396135323838663632633766 
+32333630333833306538326538613531383739623634643136653031653236393461333331363130 +34646164353134393030353463626539646630393137323161313331376135353339313236386231 +63323135383533623161373530616431336234326263336563306236363162353334663165333831 +31353266343436663737663163613230656265386434616432313361326434646237616337363331 +36663633326665623265363436326665366135653930373434353130313133373737366433343336 +62313530303236393061346636353932623634343530353130623130666334313535623933353530 +37613165323432386539613365303339633965313531663039383436346165633466613732613439 +65613835306230373232646534343530646535393836636161303661356634653331646536666136 +31666335336430396135323466636333626563613430343161326664316630336361356132393534 +35383339633134313639623035383462353461623165373132613535383462326665313831666536 +62333336623963376564366233316561366633313662323837336232626431653234353230366232 +32366637666362343838383030623331343635653231303437383961363933326131626664623137 +34383330346335326437333232633830343532393532393630396132393637333032343831353565 +66383937376436366136353833373339626261386338623362346164633935376431333230386631 +36393263616438353862663434623563383834613039616338333637356636376462656133363731 +64623565326133303461396439383638323030333431663762656136636230383936343566633432 +38386565363332326463653863353234313434376534613533643830353631643761636261363063 +66356632323962383631393833323866346431666630383533633438346436626339373337333963 +33313838323437623062393834393730396432313263373738653934616561666361346239636433 +30396664363061316334316132626563326561646163356534336339343237653730303766623062 +32363632316536663234616464353239356433613036336165353039373534626361323162656438 +30656237363134663664363862383736636537663663613636336534643165343065386239333037 +63373065306439353138313639373665663565386231346631376134373237376339376536343365 +62636233366565363434373233346462616362303031383632323362313762393239323663636633 
+61663430326363656462386463353563653035383161613831376631373039363939326637663837 +36656536666331656539336337396466636431633430393932653766663935366664316563353863 +35656138366261643234393733636330323436346432316239653738376232343363663139376632 +30303266396331326665326639306564393637373234636336623130643539623961323635633164 +33366436393933646265323665336431393162323636623039623066646363656238653538363766 +61653462363061363833623561373233643738633331643336656630663035626337333034316436 +31386161656364653330613739323065656233366234643664326262653438306338663731376631 +32326230313935643863623139613635353131383332633132653136343764303034623033653436 +63323039616165363764653061376139636536313635613266336135376339623737303839646564 +36366465323266313332323035326637623735633463646364366132653131393461313339373265 +37356365336139313562663135636535643764313235376265663732386230376466366236643438 +36343338646334363935623466616238623761656638626164313962346161663562396563633539 +30326661323161343832396638303631353536646330643162623136376237386336396333353064 +37303966313137663761616137353161623133313639613562643437333136303735373936336464 +36326261336139313863396131636463346661336639633263613933353564363933663663663265 +31636364376236326261623763616132646161363534646335303332626438626164363634626632 +34386231376233326132633235653037353061323730376335346437336639363134373133343762 +35383134393663666663656465356630383434633462303431633039323561623064353038616664 +31373231386335393561303966383535623636376335336534353134626566663738646466623033 +65363930623930646332326565363964363861616533643062353064303332373835653365303962 +62656661663538626166323764366464343430663064613364346465313934383263393233323530 +30613636366261633931313436373930643036376532633632346634323232616638346266646235 +62613839623336303430313461363631616532323365316166616535663438393530336534666561 +37373335653536326632363931613836653836373336363961383431383337363362663165633463 
+34656361393666613766313134633564323839393731326564346361666664326131636635396630 +30616163633636353736643062323561643533663030333966616432313331306433343465373062 +63656163306331316530623066666162333464643262313964323563623966333061316235316433 +64396531663037666330643166613338373966616464336237336638653465383634346461396363 +32323365383331366531653461316631363264636562313831633337353033633364373731323634 +30663731663139343537663962623061663065643137643836326438646635376234616236633566 +64353866656434326663613833323237663530353139633765393466303037373061343861653639 +30396339363734376665373635343762643434623630623933643365663162646465303665313739 +39663533643434333765303533656662383562633037646561323763616137336164393231373134 +37333665313365303536633533636332663134336564323365653262623935366261633062303336 +61623963666638363437316335626639306263363264373366306163643930353735656332396263 +39346635323739663562653135663637323361393561623631646333633031316231653539333736 +65343330346561316561376163356439633939346433626266643366303739326239623136373935 +39336262643962383538646665633732336265363963343435353734393465323562393162613065 +38383532353833336263326265383665663261303137666537346162643738326230333732616365 +65376634376530663537653734646661626535626233653230306238376265356365333032353436 +32656664356130353838616430373362353765323430333036313064656464303263356637666439 +34396563333237626665633236346135613439363437323163623339626635616235363961373061 +37623832323738643238343034373537613736346236323130663838626232353031313137313536 +34643961323961646538643566613266383334646237633435623564663466616238333638363731 +62396466393034343864346133643632333837646164383235303031353435613565313166636632 +32623836313237376231656131323431393732636231653233613338393337626562313331363364 +31303038336533303933303439633730336662333064633334326666306164393131346232326566 +61313662373164313065623838313138396136623166623363363836303830616232376132653138 
+66333133393833306264663238313064323462333164353138383563633136346432396663393436 +39636431393338656132663032366232326164313666386361303364633464323633633864316138 +39383435373863333035396538636437646633623466623164616130636464613336656565353137 +37623266336565383865373638376335313530623437656539613362313139303661363639313533 +62366662623737623239326437663265363034353464383238653037613436313130313764326337 +63316662333434333664333636366138623030326666613135313831643935633362303764623663 +64646339383563313661333130343131306237663533333366633365366466663365623766663634 +33306631616566363133616261633862373262333833316139383266316539656236333632613834 +65613964343162636264636231373139646164376336303932613933313335643661383039343965 +38316330343632316366636437376535663733303832306333303632393232623736386166376365 +31316562303634623138393831373961383566303334356133623631376334613165363831633130 +30633564626362393166333433333333623065656130666430636333373330613139346537386464 +61613463663663653465616333316461616237306636356663313963656135376333333631643536 +62386561336538643536373937653633313731653130376534303362326539373365356231626264 +35643633356361633962623466393334346432393134626331343761623438663632393465373436 +34393934316138663064663964306333623561636466616439363363376433356531353039373530 +34636338303537363962393435623066633863313934323634376233636230363736633432613164 +35623864323330343337643862333664356563366262623532633736386132323333656634653734 +31626162313161396566353636303765663265386637626433666162383636636535323664666436 +35393362353036616539303932616362623038636262653464336164303034626630643439653634 +61353061623137623261343733613061316336663430663231366265313066383732376135383666 +31646634663139656162366462326136393438653063323033323336303134326361363462393838 +30316435346364613563383237633964303764333265616561366638396334353764363832373638 +35356231663961623430323335323936656535666534323463383331363438393130363630636162 
+32636231633761336264616235386437313035663461393131366236373137383630343039623733 +65353039306531303832396236623062306264383231656564316536373065633465336231303530 +66363839646464626332303931343331646563396634363064373231613531323336306339623131 +31333535323331306439353532343134363232343261393365333338633261653337356238326637 +30663036313464633137313761636666323838336537353633623665366230663838343665613235 +62656235343332383531313633383165656333633338336663656234316535633838303233623331 +63636665393764333938376432626564313832613334303264313532316665316631616238313966 +35336266316662343733636339333361303437386332386663346265373064656365346566323932 +33353864656361663139336434653464306364663635383466343165326432653066363435643232 +36636364343939663536393266303066626337386531623631373331656231323535323238353030 +65326139393766626539656130336265356561323630633638653861393934643766623338356635 +34366266386362646538636164616438613362373335393736373133643230373462633231306564 +32623865636162323265643864636134373664326361653162343537373432386161383930656137 +36303030623130363534333637653539303637303437613264333662336336306638626266646339 +63316234633261316564633562636238333035663165366136353432326634636136326233306536 +37353266333939316661636565636239613564343830653061323965623039346262373931633239 +39306330323730326134306634616566376532643762623832616363336134666539313335353036 +62306565616162376634316163663631653036643039663663376662323439653564393835343335 +38323063633062633563633165663163383337633035313964626533363434336535366566653565 +36633666663931613533616637383462346538623531386137303866313830333030616433393463 +37303431336530616431636434376539383133663465613632633661323738363938326265353838 +62653938653264613836303637303131326166333834316331343166353431366232663665306665 +64663934636631376337376539393238373630383230633235333530353335396433653461653864 +63313535333862343232613038346464363631353030353762386230303131623565343763643337 
+63316633623733386533666430366637386462346437613533313666383833373764373165366264 +34366364353536363533366534373832666539336439326435393964333434636637656361633063 +65656332343132323262356534396266333433373039373037383531353132313664643031623333 +66356239643164356132373037333962613834346334626562343361323834633864346339353831 +38646335366633386135313034343534656563383565633039633962656364363632366230363833 +65323330336661363364353066306137613566303662386134323861393736616465643338303733 +62353364366537616338646437303762656138333630303838306136353031633261306238396433 +66336338343339643739386437653865643237363363613166393465633535333037356233626333 +36643836343335303662386566306565373830323031623336393666616636383535306630346136 +63656164356132346564326332363164353565653061363636653761346535353234666335383138 +34336163353065386263333034323336643035336237323236616339363637663634636236313764 +35303564313566393734343734663338323138653035343131653963353830363430303837386136 +63653763386638313739646264643465646134626661623837616432333437316162363533623234 +65306463373731313830376666396439303464313536353266623863373033636432666531393835 +30613266323733346633346139373137316134633534626238386132616438386234336564353263 +36633734646436373862636531386234326635656533653966613431653665623936313431343263 +37313566343135336264663965623365313666636434656161373563303738643862363831353837 +33383863306633376337386464656331376438663434313234633837633535333831373237636562 +31643332326562346461643636373539616661663464343333353630663965633565383266303937 +64336361366335366265653764386364366133386134626662313434633934613636653536663738 +64316532366563646633386430636264386333313530343466326634396636313965376330336465 +33316436333936626439303339393831666338396433313437333131356463363830323131396361 +66636566353831343163303665373235386338316338623561633933666336623963623666353635 +32373738643136656664386438363638303439663164646233666461663765633162393930626633 
+31656330333031343231373835396162343561326632363366343039663830303631623734616265 +64343737396163653131333630663036643833393962356239323238343933323765366135323837 +63373865643435633934346535643833663739366439663535343632616339623766303938646237 +65386562366530646566316433636166326631623532353136643561353233383834346237633335 +37333564373732333165313961316161623134623363303734363764616237373639393333623864 +35666436643565353930636230396439313265316431653735323034303431356538353330393933 +64366535396464343133326661663836623631303261386163343136326566636530313765303964 +36643835666535393831376565326332323938663730333635666233373863663266643035303066 +66306639653530313539636631386234336432316361313633316134373136623433336165303437 +32643061653732613639653663306164366333353065663137356338653137343965346166353831 +39363361643633396338636562376335353339323662313832306436623564613961633035633761 +62313765383562663063653932616463653138646662656661333861313561313436613266656330 +34366264363731346332303866353232333464383834633238626138396237313533303933653437 +63376230303238656362306236326263336238303531616633313566363865353138663638353064 +65643831666664383931363561663830383062623733333838356232373036323561613831633338 +32383833316431633336336339363738396533653264313762336361316631303631343835346234 +66353164623637313264336363303834303037656232666631366337646430636438356631623865 +33653234393961376631396633393365303230656565363635386162643164623364383832343963 +38323865353436663364653965636137303362653934643836623266313830336331343136326466 +61666231633266316663333432353838636665306437643337383666303966313431623661633839 +32626332616434643636353662626338663264623365373932646462353635343962356463366532 +61386436356664663335386534656638393034646161313436366338616338353533373836363163 +33623132343361623934383139303633313436306130613637633761613764643338343064386266 +37636366643862323764376261646235653563353333333835356134646637336366303335386563 
+65623862326633393661646438643761626435383835663166613239616363326632396337353966 +62626432326561656537643865313536333562623237633439613466356461393932356334386538 +64323430373230396433653062643335353565656262356636303632646136313262346562623464 +65666132653532616330306566623762613038306665356436343262366666303036323535316635 +36663238386538323362363632346436386137303034616335343438343739613233366433323066 +34376530396666643764623864383961313136383433393938323139643735366261366239376135 +64376330303866393562613233323231346439363566613163323236636565653431326438363562 +38633838313234656166326363353165356433383239646133363635633937623838636539376339 +33303365396636663364363366353130383861366537663437653839316433626137343131383166 +36376638306539376238313438396434646634616435373161383230303066356666656631383730 +32366439386132346666326566633265363838336530616539356263343262336465326235666230 +39343235366433396634323063666464333434616539303830363332396136303733336264343439 +65646232623163663235313638373365643463386435336634656463323338646562373132393433 +61313664643133323835323833613633373064393432303039613365663138633330633665636537 +61376232353838623839636133666664613536663163666339366661383463303937303561393633 +64383161356264646136383134666534636331663364353931343135343834376365326563303063 +30663464343736626266663561616262613532373865323132626262633763353535303839353138 +66306535633933386134303434396231353832323539396638626139613564633335613639346434 +31326162663832663239386661633238323333383133613264633232333133346163626232663736 +65353663613766613731323132393839373863393636643264623061313764313364633364383364 +34333263346261356638386130366464326262343834666532393666613131616337336530646137 +36613438613565303163666238643038636263313464363835313630306432616365303034633631 +62323433333865393531363164653464363335383565333333666164623637326365633130373930 +31393036356439376633623531616265323138626435323230333766323434383138313930643036 
+34386236353030643236386135366430666263643562666430663138353930363333303736326333 +66306433373933373837343439366539323862393136313462373434396337363265346636343232 +37343636346133393134383330363338363765613431656265383139346165316436336533313131 +63383939316163323265396135636266383330306632666164633561656237376362383132663766 +30323038623631363730646639383737663037346561616531636131626566363465333938663937 +64336132623266336238353162356631646134376164333534353762353132646534333063323735 +66386434636430396532396264366433376532656365623561336535373236633430333537376562 +64633936346461626464356432396132396632653665326432366265323163303434656433633733 +37663634383935396362336561616362393534373636306461643431303563396335333037373362 +34353731313465383837313465366563353534393866396330343061393730376262656139663365 +61396639323066303662633634333030346335343234353736343335383832346165333430366263 +37626333343366623461333438383636353536393733643131396438613237313138343164636166 +61323332306437643764663466336661313833353539663366613934353333346134306633623331 +31653530336233666232343863666535373963646637323637666337333664373662653563353032 +34643434653466323937623561343530626665653836303633393739616434306130653664373164 +31373135356563373136396662666238616663303934393730383834373934333934633064376661 +63353665666433653965323935303634633338346564333530663862396333643564336363393733 +30613064356562313134613435613436373735383961373330386662366334613361653030643861 +35313562356266343361303438626438373335316430333032663834343138376535383235373561 +30353931633361306361346464313431393466356532613938643333316166376265313739646135 +63303235356630623933303763616432313662616431316535613564346666333132623037343930 +35333366356165636538353135663332373865623236666532376166323530373261353138646232 +31363164313036316462386535356564336231313563346230616139363631653934396430316563 +36316633336261333238383264396139363334366331613964666366653332366134383865366638 
+63326239373261373964313337353531366535653931316533313430643362666336373338393535 +39373332646162333732333661663930636261623037343430386361313566656662666663313762 +66303734333663383335356230353463663534303865343464613330346163623565366134303535 +64373362393739613636323361333464343866626130396139623838366163303061626266346366 +30643261373031626433333665326431616435633834363837646330333061316633303862346339 +36356464336564666637323838643563363237343337333034343861616435316463356334373764 +62616361313038633439363838373662373138386265306338653634326138643263393735323862 +35303733316632636365646463613835613134303432383433313836303764623464393830316563 +32643964316434393838376139336465626536663139306634383533623064333831623331383539 +33366533393936636631316264623862313434613863373734636537363466373065613033316133 +36393661663333363239666132393036306266323230633763323430663239663834366535356436 +39623634323237633563656531313062623030353230363932623539386637333266363936656463 +66333538613861373163656331643062323265383036333532666361336566373930333435646261 +30653237346636346362353635623166303239643136643130396161303834623130323632643634 +65303837643564356134353233353635333562623461653030613138393064656130666433663361 +36326337333531636138386366613037326338646132343033376334616265663661383561383734 +35656634323634353866326564366261643131316430663730346436373036333330363632353334 +36353766633939366236393865666338653432326532393732626161353634643731336162363862 +39623339316333353739313235366432623663353935373234363933343362653437316564303366 +65623662623463663764386566653461626531396139373363656337623665313964363439356466 +31656666653662343232623833323132653565306637323638663537613466313632373266616631 +37393264346431323134653334396630316566663335333338663932306538316432343133663030 +65316663366131386636383366663830646162356134623730376332373135633561383234653130 +38666236633137343763303435613162643932626238663738383939616530356463373962363563 
+32323263366664386535316164343833306362303665626232613064356433303835623036626331 +31363933626636383965356132366536373835646331623634666434303765636131636462343036 +30343564333463386430653432366665333761616465633232393034643534666238363738633539 +36323435386539323663363031646230343834366233346634376361653438353464666237393663 +35366666646236633366326236653338356531303466356436363466636566333935386665376137 +34646332316430386565666232376535343436386466383031383031636531326430323234353734 +30343766313361366465303332333962343836643963616235333361653730613466313165643761 +66386537366238323562393330303537343038336230303564613962363365393739663137393937 +64663461633564363137613963383433663061616330343031663061316133323234656361386531 +61323965393061633837646332646533386639613430363633306530343761653137383337613737 +31306530386638383039663731626239666666643034616636366232616636393935613830306631 +34366564366264323134316266333835666637616264323566326530643061323635346365383236 +37643231326631323863306333373935643336313132613437316330303239353561336139616631 +61656234633038323336356530653436336661313639363331323435633661333764316330363730 +31383038326261306163666366366431646339363864316263353965373464393233636132386432 +33653463636631623065333564393038376132303162616533326634636563366264366264353233 +34626163653633306433656233366633383366333033303862373766666134626662303138356265 +38383735353237663066363237663361343063633136636566633930666361366666366331643737 +61363663303736393030373236653238633238636330383939633231396630303465626630393061 +65383139626562366338386631396661616636646566663936633738393365326137633536326364 +65623330346633663034363433373038633632386465386132373066353365326536353130363833 +35346332363637363561643537376338313236356333623238393265616331643635646364313466 +39663363666538336434666463306433376164396434333738323234336565343162633266383038 +30323264626438636438383861626338313237363034613434313237363338613639616239303562 
+61666134643131323964633562353035383836393237616264303866636135313338343266643733 +63646636646461343664643639353635306666613033373835326465373263643661353136663964 +62623833386338303762323563306231616539643637336433353638356535313333636535623639 +66393531633330363331626366363034383436303239306238366432333934626239303431666233 +30326138623635636530393838336638383064666563646666336632306538363030636431373430 +34303335666562313734373739353862343462623864643037386163656635633630346663646166 +32356533363636383636333361646663643462363632653130366437373030616237633735336664 +31663964383137663535653239613863363764336438653766393135316461666161363730616461 +62616330386366333738323434353963633365646238376430646564316334326262316137613965 +62363863316565663935653233643864663237623661666161363966363365396562666536653434 +63383635363139613834346235323563363039313330303162323766393936373634633464326430 +64633636623237633161653262393166393733656330633533323963663733303932353539313333 +34306163666266636566353639343066643764386132643562343032316230666630306364346136 +39613561313033343666343832643262306535616135346632353032633838613534376662363563 +65356364333038376434626264383837343739316130636635303636333135393764346466393039 +30386631626536646365636331313338386237386130333666643632663234323135353036666333 +66353136326161313630386637633864386638333636623461376534383565623065323233396135 +33376234363030643364643033633232663562643836666338643638613562353636363837303832 +36396631386565623530613463333432376561663937313661373362373839663532383334343861 +39616537356266316532633631383039313130386466366638373735643666306238323763366663 +32303237303335336161346332373732656334623833633934643037353638623566653436616637 +63656263333765653130663561643566396165306337346363346263306263616361306263616139 +30313031323764623032653239336165646365373262306438653563366533303566333536616530 +37336631623330663330383235376432393236313762323830333566626436373461646533383032 
+34366639623536643735393831663061376662653531323562366331336532313735633365316562 +65363534306536343733326366656461656464356435393566333536333938353939653137623166 +32656336373265323136396263633439636136633038373930666133626535336563386462323864 +66393335633735303462363137663538373562383266343235396330656263626232363466643566 +30613430313235613935616464366131663161653133343562343666626263383236623461333232 +62663738653362393531373938356635336437386636616439653362666137303665316534393266 +35376539343633383661306430626636373566626363333432386464326165646134636161366331 +64336333323739613133303533373733613666383133623365303237653436363532343339393866 +34303561663164646563623065393632646535663336636361643566376437366632663338373434 +64656631386336643136323763363835663266313536393438623833323461356461613737623035 +37303534326233663237326531346164616139323132666436356536363339333439616433316462 +34383238366639343831666366613966383364643965316239306464333837356263626230633535 +62633562363464343531313737663838303031346438323535353132303561396438663931666330 +31343038313262346431316363623338613030336265386530303937363631643838613737363164 +31393635623333643931373533303533373438386636626265343934336139343335313037363239 +65356531343435363538383563366137643135306565393631316364336234633335313232656537 +34333539663732663763303761376436356436666266633738613632663466326334623262376533 +30656430323935303838386364306631303139376336306533616663346433613736383634626138 +32666330616236623033303539353739353236303366306561366433633731623466336632616262 +35353434323264303861353461333139663039663939323932616336336632366431643437653435 +30316537663230333964393933303062396665396461363330653062313366303738613632636266 +62393632313835633036333439373236653063613163303861316137623666623034346466663162 +62303535616664363536646162376239343132393565383535343462333062363335643665653937 +31666162303839343231623865666336376131623164356638363435356163643831666236663466 
+35626638313865393864643166616233356462363365303138653762666561626338323066626530
+65333363306336316132303566616435633463373165316434346232323066323833356465353061
+39363565373439343534306438373935313237323465616435343838656263656233356665326533
+61316437393064313836623130303333356232353564626435626634666438366134306236313561
+64366362343537326665303830646535343433313266653661633365666263643634386538356263
+38616239303065373635383932333938393461333734393436383363303239646133383235323431
+38643236363366313431393462313635623038323733393930333530653865366639323630326234
+31653861393135353739306363336265376232663461613465633662346433343265333438366532
+30356132643531373034653661666235343631623431643533393265633936303930316563363066
+30616366653962396134623237656165626334653636383434356466666566393766333063366665
+34303836646331386531306261363030366330343935333533343933646566666665353334656230
+32323236343736646436356265663933626237356265366163663264313032306231303535383333
+64656437346336303237656661653135336665353264383236336362643064346461646531346635
+36306436383431653334656433383666386635333761333932333966393631373363616163653365
+30333837616562663462316265326264393239613861613363633032396337346639343238633931
+32333936303733376239316466643534656630313961393730336664393337386465343639393331
+33363661303037376461
diff --git a/group_vars/stage_demompmx/vault_postgres.yml b/group_vars/stage_demompmx/vault_postgres.yml
new file mode 100644
index 0000000..0187f4f
--- /dev/null
+++ b/group_vars/stage_demompmx/vault_postgres.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+65656638316434663066316265653231653037616465653633313665333537633062326265353237
+3730363261386331356431653336383531336565373331630a336431303535366239623061333663
+63333832653730643634373639393930363036353435666434343663393365633130323235643430
+3434653836386561340a643932376436626533323762663764646663323532376462343862653231
+65393532303639616663306364636530316136366632623862663430313732353033663236323563
+62306239626135643935373232363266386639326532306138386631386361313834353632643438
+33316439613235313465646265356239623230623431373064386130353539353231666535393462
+36383739613231373533663435636266383335343565666561646537313530306363303735376164
+3838
diff --git a/group_vars/stage_demompmx/versions.yml b/group_vars/stage_demompmx/versions.yml
new file mode 100644
index 0000000..f009dd2
--- /dev/null
+++ b/group_vars/stage_demompmx/versions.yml
@@ -0,0 +1,15 @@
+---
+
+keycloak_version: "21.0.2.7"
+
+pgadmin4_version: "7.1"
+
+prom_alertmanager_version: "v0.25.0"
+prom_blackbox_exporter_version: "v0.23.0"
+prom_prometheus_version: "v2.44.0"
+prom_prom2teams_version: "3.2.3" # TODO 4.2.1
+
+traefik_version: "v2.10.1"
+
+connect_version: "10.5"
+iam_version: "10.5"
diff --git a/group_vars/stage_dev/bootstrap.yml b/group_vars/stage_dev/bootstrap.yml
index e3fc1e0..98018a3 100644
--- a/group_vars/stage_dev/bootstrap.yml
+++ b/group_vars/stage_dev/bootstrap.yml
@@ -1,7 +1,4 @@
 ---
-
-argocd_bootstrap_infrastructure: true
-
 harbor_bootstrap_helm_url: "prodnso-harbor-01.smardigo.digital/infrastructure"
 harbor_bootstrap_helm_name: "infrastructure"
 harbor_bootstrap_username: "{{ harbor_bootstrap_username_vault }}"
diff --git a/group_vars/stage_dev/grafana.yml b/group_vars/stage_dev/grafana.yml
deleted file mode 100644
index 4f060c6..0000000
--- a/group_vars/stage_dev/grafana.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-grafana_smardigo_password: "{{ grafana_smardigo_password_vault }}"
diff --git a/group_vars/stage_dev/plain.yml b/group_vars/stage_dev/plain.yml
index 2c3d6f5..036fdb4 100644
--- a/group_vars/stage_dev/plain.yml
+++ b/group_vars/stage_dev/plain.yml
@@ -4,47 +4,19 @@ stage_kube: "{{ stage }}nso" # TODO read configuration with hetzner rest api
 shared_service_network: "10.0.0.0/16"
-shared_service_pg_master_ip: "{{ stage_server_infos
- | selectattr('name', 'match', stage + '-postgres-01' )
- | map(attribute='private_ip')
- | list
- | first
- | default('-') }}"
-shared_service_pg_slave_ip: "{{ stage_server_infos
- | selectattr('name', 'match', stage + '-postgres-02' )
- | map(attribute='private_ip')
- | list
- | first
- | default('-') }}"
-
-shared_service_maria_hostname: "{{ stage }}-maria-01"
-shared_service_postgres_01_hostname: "{{ stage }}-postgres-01"
-shared_service_postgres_02_hostname: "{{ stage }}-postgres-02"
+
 shared_service_elastic_stack_01_hostname: "{{ stage }}-elastic-stack-elastic-01"
 shared_service_elastic_stack_02_hostname: "{{ stage }}-elastic-stack-elastic-02"
 shared_service_elastic_stack_03_hostname: "{{ stage }}-elastic-stack-elastic-03"
-shared_service_elastic_stack_logstash_01_hostname: "{{ stage }}-elastic-stack-logstash-01"
+shared_service_logstash_hostname: "{{ stage }}-elastic-stack-logstash-01"
 shared_service_iam_hostname: "{{ stage }}-iam-01.{{ domain_env }}"
 shared_service_mail_hostname: "{{ stage }}-mail-01.{{ domain_env }}"
 shared_service_gitea_hostname: "{{ stage }}-gitea-01.{{ domain_env }}"
-shared_service_redis_hostname: "{{ stage }}-redis-01.{{ domain_env }}"
 shared_service_pdns_hostname: "{{ stage }}-pdns-01.{{ domain_env }}"
-shared_service_webdav_hostname: "{{ stage }}-webdav-01.{{ domain_env }}"
-
-harbor_oidc_realm: "harbor"
-harbor_oidc_client_id: "harbor"
-harbor_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
-harbor_oidc_admin_username: "harbor-admin"
-harbor_oidc_admin_password: "{{ harbor_oidc_admin_password_vault }}"
-
-management_oidc_realm: "management"
-management_oidc_client_id: "smardigo"
 connect_jwt_enabled: true
 connect_jwt_secret: "908ae14462d049d3be84964ef379c7c6"
-webdav_jwt_enabled: true
-webdav_jwt_secret: "5646aee6dadc4c19b15f4b65f1e6549f"
 iam_jwt_enabled: true
 iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"
@@ -56,11 +28,6 @@ grafana_signing_secret: "{{ grafana_signing_secret_vault }}"
 pgadmin4_admin_username: "{{ pgadmin4_admin_email }}"
 pgadmin4_admin_password: "{{ pgadmin4_admin_password_vault }}"
-management_admin_username: "management-admin"
-management_admin_password: "{{ management_admin_password_vault }}"
-management_realm_admin_username: "management-realm-admin"
-management_realm_admin_password: "{{ management_realm_admin_password_vault }}"
-
 harbor_admin_username: "{{ harbor_admin_username_vault }}"
 harbor_admin_password: "{{ harbor_admin_password_vault }}"
 harbor_postgresql_password: "{{ harbor_postgresql_password_vault }}"
@@ -78,11 +45,6 @@ gitea_admin_password: "{{ gitea_admin_password_vault }}"
 gitea_realm_admin_username: "gitea-realm-admin"
 gitea_realm_admin_password: "gitea-realm-admin"
-argocd_admin_username: "argocd-admin"
-argocd_admin_password: "{{ argocd_admin_password_vault }}"
-argo_keycloak_client_secret: "{{ argo_keycloak_client_secret_vault }}"
-argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
-
 awx_admin_username: "awx-admin"
 awx_admin_password: "{{ awx_admin_password_vault }}"
@@ -97,8 +59,6 @@ alertmanager_admin_password_htpasswd: "{{ alertmanager_admin_password_htpasswd_v
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"
-management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
-
 # smardigo automation {{ stage }} gpg key
 # https://git.dev-at.de/smardigo-hetzner/communication-keys/
 # push mirror: https://{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys/
diff --git a/group_vars/stage_devscr/bootstrap.yml b/group_vars/stage_devscr/bootstrap.yml
index 55c9db4..f8ced39 100644
--- a/group_vars/stage_devscr/bootstrap.yml
+++ b/group_vars/stage_devscr/bootstrap.yml
@@ -1,15 +1,12 @@
 ---
-
-argocd_bootstrap_infrastructure: true
-
 harbor_bootstrap_helm_url: "prodnso-harbor-01.smardigo.digital/infrastructure"
 harbor_bootstrap_helm_name: "infrastructure"
 harbor_bootstrap_username: "{{ harbor_bootstrap_username_vault }}"
 harbor_bootstrap_password: "{{ harbor_bootstrap_password_vault }}"
+gitea_bootstrap_url: "https://{{ stage_kube }}-gitea.smardigo.digital/{{ stage }}/{{ stage }}-argocd"
 gitea_bootstrap_username: "{{ gitea_admin_username }}"
 gitea_bootstrap_password: "{{ gitea_admin_password }}"
-gitea_bootstrap_url: "https://{{ stage_kube }}-gitea.smardigo.digital/{{ stage }}/{{ stage }}-argocd"
 custom_ip_whitelist:
 - '94.130.225.244'
diff --git a/group_vars/stage_prodnso/bootstrap.yml b/group_vars/stage_prodnso/bootstrap.yml
index 2b6c57b..2fc7574 100644
--- a/group_vars/stage_prodnso/bootstrap.yml
+++ b/group_vars/stage_prodnso/bootstrap.yml
@@ -1,7 +1,4 @@
 ---
-
-argocd_bootstrap_infrastructure: true
-
 harbor_bootstrap_helm_url: "prodnso-harbor-01.smardigo.digital/infrastructure"
 harbor_bootstrap_helm_name: "infrastructure"
 harbor_bootstrap_username: "{{ harbor_bootstrap_username_vault }}"
@@ -9,4 +6,4 @@ harbor_bootstrap_password: "{{ harbor_bootstrap_password_vault}}"
 gitea_bootstrap_url: "https://prodnso-gitea-01.smardigo.digital/prodnso/prodnso-argocd"
 gitea_bootstrap_username: "{{ gitea_admin_username }}"
-gitea_bootstrap_password: "{{ gitea_admin_password }}"
\ No newline at end of file
+gitea_bootstrap_password: "{{ gitea_admin_password }}"
diff --git a/group_vars/stage_prodnso/grafana.yml b/group_vars/stage_prodnso/grafana.yml
deleted file mode 100644
index 4f060c6..0000000
--- a/group_vars/stage_prodnso/grafana.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-grafana_smardigo_password: "{{ grafana_smardigo_password_vault }}"
diff --git a/group_vars/stage_prodnso/plain.yml b/group_vars/stage_prodnso/plain.yml
index beb604e..c7d100e 100644
--- a/group_vars/stage_prodnso/plain.yml
+++ b/group_vars/stage_prodnso/plain.yml
@@ -4,47 +4,18 @@ stage_kube: "{{ stage }}" # TODO read configuration with hetzner rest api
 shared_service_network: "10.0.0.0/16"
-shared_service_pg_master_ip: "{{ stage_server_infos
- | selectattr('name', 'match', stage + '-postgres-01' )
- | map(attribute='private_ip')
- | list
- | first
- | default('-') }}"
-shared_service_pg_slave_ip: "{{ stage_server_infos
- | selectattr('name', 'match', stage + '-postgres-02' )
- | map(attribute='private_ip')
- | list
- | first
- | default('-') }}"
-
-shared_service_maria_hostname: "{{ stage }}-maria-01"
-shared_service_postgres_01_hostname: "{{ stage }}-postgres-01"
-shared_service_postgres_02_hostname: "{{ stage }}-postgres-02"
+
 shared_service_elastic_stack_01_hostname: "{{ stage }}-elastic-stack-elastic-01"
 shared_service_elastic_stack_02_hostname: "{{ stage }}-elastic-stack-elastic-02"
 shared_service_elastic_stack_03_hostname: "{{ stage }}-elastic-stack-elastic-03"
-shared_service_elastic_stack_logstash_01_hostname: "{{ stage }}-elastic-stack-logstash-01"
-
+shared_service_logstash_hostname: "{{ stage }}-elastic-stack-logstash-01"
 shared_service_iam_hostname: "{{ stage }}-iam-01.{{ domain_env }}"
 shared_service_mail_hostname: "{{ stage }}-mail-01.{{ domain_env }}"
 shared_service_gitea_hostname: "{{ stage }}-gitea-01.{{ domain_env }}"
-shared_service_redis_hostname: "{{ stage }}-redis-01.{{ domain_env }}"
 shared_service_pdns_hostname: "{{ stage }}-pdns-01.{{ domain_env }}"
-shared_service_webdav_hostname: "{{ stage }}-webdav-01.{{ domain_env }}"
-
-harbor_oidc_realm: "harbor"
-harbor_oidc_client_id: "harbor"
-harbor_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
-harbor_oidc_admin_username: "harbor-admin"
-harbor_oidc_admin_password: "{{ harbor_oidc_admin_password_vault }}"
-
-management_oidc_realm: "management"
-management_oidc_client_id: "smardigo"
 connect_jwt_enabled: true
 connect_jwt_secret: "908ae14462d049d3be84964ef379c7c6"
-webdav_jwt_enabled: true
-webdav_jwt_secret: "5646aee6dadc4c19b15f4b65f1e6549f"
 iam_jwt_enabled: true
 iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"
@@ -56,11 +27,6 @@ grafana_signing_secret: "{{ grafana_signing_secret_vault }}"
 pgadmin4_admin_username: "{{ pgadmin4_admin_email }}"
 pgadmin4_admin_password: "{{ pgadmin4_admin_password_vault }}"
-management_admin_username: "management-admin"
-management_admin_password: "{{ management_admin_password_vault }}"
-management_realm_admin_username: "management-realm-admin"
-management_realm_admin_password: "{{ management_realm_admin_password_vault }}"
-
 harbor_admin_username: "{{ harbor_admin_username_vault }}"
 harbor_admin_password: "{{ harbor_admin_password_vault }}"
 harbor_postgresql_password: "{{ harbor_postgresql_password_vault }}"
@@ -78,11 +44,6 @@ gitea_admin_password: "{{ gitea_admin_password_vault }}"
 gitea_realm_admin_username: "gitea-realm-admin"
 gitea_realm_admin_password: "gitea-realm-admin"
-argocd_admin_username: "argocd-admin"
-argocd_admin_password: "{{ argocd_admin_password_vault }}"
-argo_keycloak_client_secret: "{{ argo_keycloak_client_secret_vault }}"
-argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
-
 awx_admin_username: "awx-admin"
 awx_admin_password: "{{ awx_admin_password_vault }}"
@@ -97,8 +58,6 @@ alertmanager_admin_password_htpasswd: "{{ alertmanager_admin_password_htpasswd_v
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"
-management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
-
 # smardigo automation {{ stage }} gpg key
 # https://git.dev-at.de/smardigo-hetzner/communication-keys/
 # push mirror: https://{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys/
diff --git a/group_vars/stage_prodwork01/bootstrap.yml b/group_vars/stage_prodwork01/bootstrap.yml
index ae62e7b..ce69d9c 100644
--- a/group_vars/stage_prodwork01/bootstrap.yml
+++ b/group_vars/stage_prodwork01/bootstrap.yml
@@ -1,12 +1,9 @@
 ---
-
-argocd_bootstrap_infrastructure: True
-
 harbor_bootstrap_helm_url: "prodnso-harbor-01.smardigo.digital/infrastructure"
 harbor_bootstrap_helm_name: "infrastructure"
 harbor_bootstrap_username: "{{ harbor_bootstrap_username_vault }}"
 harbor_bootstrap_password: "{{ harbor_bootstrap_password_vault}}"
+gitea_bootstrap_url: "https://prodnso-gitea-01.smardigo.digital/argocd/prodwork01-argocd"
 gitea_bootstrap_username: "{{ gitea_bootstrap_username_vault }}"
 gitea_bootstrap_password: "{{ gitea_bootstrap_password_vault }}"
-gitea_bootstrap_url: "https://prodnso-gitea-01.smardigo.digital/argocd/prodwork01-argocd"
\ No newline at end of file
diff --git a/group_vars/stage_qa/bootstrap.yml b/group_vars/stage_qa/bootstrap.yml
index 58a8f6e..fff0f3b 100644
--- a/group_vars/stage_qa/bootstrap.yml
+++ b/group_vars/stage_qa/bootstrap.yml
@@ -1,7 +1,4 @@
 ---
-
-argocd_bootstrap_infrastructure: true
-
 harbor_bootstrap_helm_url: "prodnso-harbor-01.smardigo.digital/infrastructure"
 harbor_bootstrap_helm_name: "infrastructure"
 harbor_bootstrap_username: "{{ harbor_bootstrap_username_vault }}"
@@ -9,4 +6,4 @@ harbor_bootstrap_password: "{{ harbor_bootstrap_password_vault}}"
 gitea_bootstrap_url: "https://qa-gitea-01.smardigo.digital/qanso/qanso-argocd"
 gitea_bootstrap_username: "{{ gitea_admin_username }}"
-gitea_bootstrap_password: "{{ gitea_admin_password }}"
\ No newline at end of file
+gitea_bootstrap_password: "{{ gitea_admin_password }}"
diff --git a/group_vars/stage_qa/grafana.yml b/group_vars/stage_qa/grafana.yml
deleted file mode 100644
index 4f060c6..0000000
--- a/group_vars/stage_qa/grafana.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-grafana_smardigo_password: "{{ grafana_smardigo_password_vault }}"
diff --git a/group_vars/stage_qa/plain.yml b/group_vars/stage_qa/plain.yml
index 237383e..f8bdd87 100644
--- a/group_vars/stage_qa/plain.yml
+++ b/group_vars/stage_qa/plain.yml
@@ -4,47 +4,19 @@ stage_kube: "{{ stage }}nso" # TODO read configuration with hetzner rest api
 shared_service_network: "10.1.0.0/16"
-shared_service_pg_master_ip: "{{ stage_server_infos
- | selectattr('name', 'match', stage + '-postgres-01' )
- | map(attribute='private_ip')
- | list
- | first
- | default('-') }}"
-shared_service_pg_slave_ip: "{{ stage_server_infos
- | selectattr('name', 'match', stage + '-postgres-02' )
- | map(attribute='private_ip')
- | list
- | first
- | default('-') }}"
-
-shared_service_maria_hostname: "{{ stage }}-maria-01"
-shared_service_postgres_01_hostname: "{{ stage }}-postgres-01"
-shared_service_postgres_02_hostname: "{{ stage }}-postgres-02"
+
 shared_service_elastic_stack_01_hostname: "{{ stage }}-elastic-stack-elastic-01"
 shared_service_elastic_stack_02_hostname: "{{ stage }}-elastic-stack-elastic-02"
 shared_service_elastic_stack_03_hostname: "{{ stage }}-elastic-stack-elastic-03"
-shared_service_elastic_stack_logstash_01_hostname: "{{ stage }}-elastic-stack-logstash-01"
+shared_service_logstash_hostname: "{{ stage }}-elastic-stack-logstash-01"
 shared_service_iam_hostname: "{{ stage }}-iam-01.{{ domain_env }}"
 shared_service_mail_hostname: "{{ stage }}-mail-01.{{ domain_env }}"
 shared_service_gitea_hostname: "{{ stage }}-gitea-01.{{ domain_env }}"
-shared_service_redis_hostname: "{{ stage }}-redis-01.{{ domain_env }}"
 shared_service_pdns_hostname: "{{ stage }}-pdns-01.{{ domain_env }}"
-shared_service_webdav_hostname: "{{ stage }}-webdav-01.{{ domain_env }}"
-
-harbor_oidc_realm: "harbor"
-harbor_oidc_client_id: "harbor"
-harbor_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
-harbor_oidc_admin_username: "harbor-admin"
-harbor_oidc_admin_password: "{{ harbor_oidc_admin_password_vault }}"
-
-management_oidc_realm: "management"
-management_oidc_client_id: "smardigo"
 connect_jwt_enabled: true
 connect_jwt_secret: "908ae14462d049d3be84964ef379c7c6"
-webdav_jwt_enabled: true
-webdav_jwt_secret: "5646aee6dadc4c19b15f4b65f1e6549f"
 iam_jwt_enabled: true
 iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"
@@ -56,11 +28,6 @@ grafana_signing_secret: "{{ grafana_signing_secret_vault }}"
 pgadmin4_admin_username: "{{ pgadmin4_admin_email }}"
 pgadmin4_admin_password: "{{ pgadmin4_admin_password_vault }}"
-management_admin_username: "management-admin"
-management_admin_password: "{{ management_admin_password_vault }}"
-management_realm_admin_username: "management-realm-admin"
-management_realm_admin_password: "{{ management_realm_admin_password_vault }}"
-
 harbor_admin_username: "{{ harbor_admin_username_vault }}"
 harbor_admin_password: "{{ harbor_admin_password_vault }}"
 harbor_postgresql_password: "{{ harbor_postgresql_password_vault }}"
@@ -78,11 +45,6 @@ gitea_admin_password: "{{ gitea_admin_password_vault }}"
 gitea_realm_admin_username: "gitea-realm-admin"
 gitea_realm_admin_password: "gitea-realm-admin"
-argocd_admin_username: "argocd-admin"
-argocd_admin_password: "{{ argocd_admin_password_vault }}"
-argo_keycloak_client_secret: "{{ argo_keycloak_client_secret_vault }}"
-argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
-
 awx_admin_username: "awx-admin"
 awx_admin_password: "{{ awx_admin_password_vault }}"
@@ -97,8 +59,6 @@ alertmanager_admin_password_htpasswd: "{{ alertmanager_admin_password_htpasswd_v
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"
-management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
-
 # smardigo automation {{ stage }} gpg key
 # https://git.dev-at.de/smardigo-hetzner/communication-keys/
 # push mirror: https://{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys/
diff --git a/group_vars/webdav/plain.yml b/group_vars/webdav/plain.yml
deleted file mode 100644
index 8dc1e0a..0000000
--- a/group_vars/webdav/plain.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-
-hetzner_server_type: cpx11
-hetzner_server_labels: "stage={{ stage }} service=webdav"
-
-webdav_postgres_host: "{{ shared_service_postgres_01_hostname }}"
-webdav_postgres_database: "{{ stage }}_webdav"
-webdav_postgres_username: "{{ webdav_postgres_database }}"
-webdav_postgres_password: "webdav-postgres-admin"
diff --git a/host_vars/demompmx-postgres01-01.yml b/host_vars/demompmx-postgres01-01.yml
new file mode 100644
index 0000000..fd65816
--- /dev/null
+++ b/host_vars/demompmx-postgres01-01.yml
@@ -0,0 +1,4 @@
+---
+
+hetzner_server_type: cpx21
+server_type: "master"
diff --git a/host_vars/demompmx-postgres01-02.yml b/host_vars/demompmx-postgres01-02.yml
new file mode 100644
index 0000000..ed431e3
--- /dev/null
+++ b/host_vars/demompmx-postgres01-02.yml
@@ -0,0 +1,4 @@
+---
+
+hetzner_server_type: cpx21
+server_type: "slave"
diff --git a/host_vars/prodwork01-keycloak-01.yml b/host_vars/prodwork01-keycloak-01.yml
deleted file mode 100644
index d77c7ff..0000000
--- a/host_vars/prodwork01-keycloak-01.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-keycloak_external_subdomain: "{{ inventory_hostname }}"
-
-keycloak_compact_tls_cert_resolver: letsencrypt
diff --git a/import-database.yml b/import-database.yml
index 3997f72..3eb8c3b 100644
--- a/import-database.yml
+++ b/import-database.yml
@@ -37,10 +37,20 @@
 - "stage_{{ stage }}"
 changed_when: False
+#############################################################
+# Importing database backups for created inventory
+#############################################################
+
+- hosts: "{{ stage }}-virtual-host-to-read-groups-vars"
+ serial: "{{ serial_number | default(1) }}"
+ gather_facts: false
+ connection: local
+ run_once: true
+
 tasks:
- - name: Add maria servers to hosts if necessary
+ - name: "Add maria server to hosts if necessary"
 add_host:
- name: "{{ stage }}-maria-01"
+ name: "{{ shared_service_maria_primary }}"
 groups:
 - "stage_{{ stage }}"
 - "{{ item }}"
diff --git a/initialize-stage.yml b/initialize-stage.yml
new file mode 100644
index 0000000..29208fb
--- /dev/null
+++ b/initialize-stage.yml
@@ -0,0 +1,240 @@
+---
+
+### tags:
+### update_database
+### update_deployment (keycloak, iam, connect)
+### update_realms
+### update_harbor_realm
+### update_argocd_realm
+### update_gitea_realm
+### update_awx_realm
+### update_connect_realm
+### update_harbor
+### update_connections (connect)
+### update_configurations (connect)
+
+#############################################################
+# Setup stage default databases (postgres)
+#############################################################
+
+- name: 'apply setup to {{ host | default("postgres") }}'
+ hosts: '{{ host | default("postgres") }}'
+ serial: "{{ serial_number | default(5) }}"
+ become: true
+ vars:
+ ansible_ssh_host: "{{ stage_server_domain }}"
+
+ pre_tasks:
+ - name: "Import constraints check"
+ import_tasks: tasks/constraints_check.yml
+ tags:
+ - always
+
+ tasks:
+ - name: "Updating databases on {{ inventory_hostname }}"
+ include_role:
+ name: postgres
+ tasks_from: _update_database_state
+ apply:
+ tags:
+ - update_database
+ tags:
+ - update_database
+ vars:
+ postgres_acls: "{{ stage_postgres_acls }}"
+
+#############################################################
+# Setup stage keycloak with stage default realms
+#############################################################
+
+- name: 'apply setup to {{ host | default("keycloak") }}'
+ hosts: '{{ host | default("keycloak") }}'
+ serial: "{{ serial_number | default(5) }}"
+ vars:
+ ansible_ssh_host: "{{ stage_server_domain }}"
+
+ pre_tasks:
+ - name: "Import autodiscover pre-tasks"
+ import_tasks: tasks/autodiscover_pre_tasks.yml
+ become: false
+ tags:
+ - always
+
+ tasks:
+ - name: "Install server based keycloak"
+ include_role:
+ name: keycloak
+ vars:
+ keycloak_postgres_database: "{{ stage_database_management_keycloak_name }}"
+ keycloak_postgres_username: "{{ stage_database_management_keycloak_name }}"
+ keycloak_postgres_password: "{{ stage_database_management_keycloak_password }}"
+ shared_service_hostname_harbor: "{{ shared_service_kube_hostname_harbor }}/prodnso"
+ tags:
+ - update_deployment
+
+ - name: "Setup stage harbor realm"
+ include_role:
+ name: harbor_realm
+ apply:
+ tags:
+ - update_realms
+ - update_harbor_realm
+ tags:
+ - update_realms
+ - update_harbor_realm
+ vars:
+ current_realm_password_policy: ""
+
+ - name: "Setup stage argocd realm"
+ include_role:
+ name: argocd_realm
+ apply:
+ tags:
+ - update_realms
+ - update_argocd_realm
+ tags:
+ - update_realms
+ - update_argocd_realm
+ vars:
+ current_realm_password_policy: ""
+
+ - name: "Setup stage gitea realm"
+ include_role:
+ name: gitea_realm
+ apply:
+ tags:
+ - update_realms
+ - update_gitea_realm
+ tags:
+ - update_realms
+ - update_gitea_realm
+ vars:
+ current_realm_password_policy: ""
+
+ - name: "Setup stage awx realm"
+ include_role:
+ name: awx_realm
+ apply:
+ tags:
+ - update_realms
+ - update_awx_realm
+ tags:
+ - update_realms
+ - update_awx_realm
+ vars:
+ current_realm_password_policy: ""
+
+ - name: "Setup stage connect realm"
+ include_role:
+ name: connect_realm
+ apply:
+ tags:
+ - update_realms
+ - update_connect_realm
+ tags:
+ - update_realms
+ - update_connect_realm
+ vars:
+ current_realm_password_policy: ""
+ current_realm_name: "stage-connect" # TODO migrate from realm infrastructure
+ current_realm_users_base:
+ - username: "{{ management_admin_username }}"
+ password: "{{ management_admin_password }}"
+ email: "{{ connect_admin_email }}"
+ firstName: "Netgo"
+ lastName: "Administrator"
+ requiredActions: []
+ connect_client_id: "connect"
+ client_web_origin_connect: "{{ shared_service_url_management }}"
+ connect_oidc_client_secret: "{{ management_oidc_client_secret }}"
+
+#############################################################
+# Setup stage harbor configuration
+#############################################################
+
+- name: 'apply setup to {{ host | default("virtual") }}'
+ hosts: '{{ host | default("virtual") }}'
+ serial: "{{ serial_number | default(5) }}"
+ connection: local
+ gather_facts: no
+ become: no
+
+ pre_tasks:
+ - name: "Import autodiscover pre-tasks"
+ import_tasks: tasks/autodiscover_pre_tasks.yml
+ become: false
+ tags:
+ - always
+
+ tasks:
+ - name: "Setup stage harbor configuration"
+ include_role:
+ name: harbor_config
+ apply:
+ tags:
+ - update_harbor
+ tags:
+ - update_harbor
+
+#############################################################
+# Setup stage iam
+#############################################################
+
+- name: 'apply setup to {{ host | default("iam") }}'
+ hosts: '{{ host | default("iam") }}'
+ serial: "{{ serial_number | default(5) }}"
+ become: true
+ vars:
+ ansible_ssh_host: "{{ stage_server_domain }}"
+
+ pre_tasks:
+ - name: "Import autodiscover pre-tasks"
+ import_tasks: tasks/autodiscover_pre_tasks.yml
+ become: false
+ tags:
+ - always
+
+ tasks:
+ - name: "Install server based iam"
+ include_role:
+ name: iam
+ tags:
+ - update_deployment
+
+#############################################################
+#
+#############################################################
+
+- name: 'apply setup to {{ host | default("management") }}'
+ hosts: '{{ host | default("management") }}'
+ serial: "{{ serial_number | default(5) }}"
+ become: true
+ vars:
+ ansible_ssh_host: "{{ stage_server_domain }}"
+
+ pre_tasks:
+ - name: "Import autodiscover pre-tasks"
+ import_tasks: tasks/autodiscover_pre_tasks.yml
+ become: false
+ tags:
+ - always
+
+ tasks:
+ - name: "Install server based connect"
+ include_role:
+ name: management
+ vars:
+ current_realm_name: "{{ management_oidc_realm }}"
+ connect_postgres_database: "{{ stage_database_management_connect_name }}"
+ tags:
+ - update_deployment
+
+ - name: "Setup stage connect configuration"
+ include_role:
+ name: management
+ vars:
+ current_realm_name: "{{ management_oidc_realm }}"
+ connect_postgres_database: "{{ stage_database_management_connect_name }}"
+ tags:
+ - update_connections
+ - update_configurations
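Review bot: Each realm role in the keycloak play is given `current_realm_password_policy: ""`, which presumably leaves the harbor, argocd, gitea, awx and connect realms without any password policy (confirm against the realm roles); the connect realm additionally seeds an administrator from `management_admin_password` under that empty policy. If that is intentional for a demo stage a comment saying so would help, otherwise derive it from a stage variable such as `current_realm_password_policy: "{{ stage_realm_password_policy | default('') }}"`. `shared_service_hostname_harbor: "{{ shared_service_kube_hostname_harbor }}/prodnso"` hard-codes the prodnso project path into a playbook that is otherwise stage-generic. In the management play both tasks include the `management` role with identical `vars` and differ only in tags, so the second invocation looks like a copy of the first rather than a configuration-only entry point (compare `tasks_from: _update_database_state` in the postgres play); the empty banner above that play could read `# Setup stage management (connect)`, and `gather_facts: no` / `become: no` in the harbor play should be `false` like the other plays.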
diff --git a/pmci-database-backup-create.yml b/pmci-database-backup-create.yml
index 0232989..8c23d97 100644
--- a/pmci-database-backup-create.yml
+++ b/pmci-database-backup-create.yml
@@ -1,62 +1,10 @@
 ---
-# Parameters:
-# playbook inventory
-# stage := the name of the stage (e.g. dev, int, qa, prod)
-# tenant := object with tenant related data
-# key :=
-# name :=
-# cluster := object with cluster specific data (optional)
-# ...
-# data := object with action specific data (optional)
-# custom_backup_name :=
-# smardigo message callback
-# scope_id := (scope id of the management process)
-# process_instance_id := (process instance id of the management process)
-# smardigo_management_action := (smardigo management action anme of the management process)
-
 #############################################################
 # Creating inventory dynamically for given parameters
 #############################################################
-- hosts: localhost
- connection: local
- gather_facts: false
-
- pre_tasks:
- - name: "Import constraints check"
- import_tasks: tasks/constraints_check.yml
- tags:
- - always
-
-# add virtual server to load stage specific variables as context
- - name: "Add <{{ stage }}-virtual-host-to-read-groups-vars> to hosts"
- add_host:
- name: "{{ stage }}-virtual-host-to-read-groups-vars"
- groups:
- - "stage_{{ stage }}"
- changed_when: False
-
- tasks:
- - name: "Add postgres servers to hosts if necessary"
- add_host:
- name: "{{ stage }}-postgres-01"
- groups:
- - "stage_{{ stage }}"
- - "{{ item }}"
- changed_when: False
- with_items: "{{ cluster_features }}"
- when: item in ['connect']
-
- - name: "Add maria servers to hosts if necessary"
- add_host:
- name: "{{ stage }}-maria-01"
- groups:
- - "stage_{{ stage }}"
- - "{{ item }}"
- changed_when: False
- with_items: "{{ cluster_features }}"
- when: item in ['connect_wordpress']
+- import_playbook: pmci-inventory-database.yml
 #############################################################
 # Creating database backups for created inventory
@@ -68,6 +16,9 @@
 vars:
 database_backup_state: dump
 ansible_ssh_host: "{{ stage_server_domain }}"
+ tenant_id: "{{ tenant.key }}" # legacy paramater, backwards compatibility
+ cluster_name: "{{ cluster.key }}" # legacy paramater, backwards compatibility
+ custom_backup_name: "backup" # legacy paramater, backwards compatibility
 roles:
 - role: connect_postgres
diff --git a/pmci-database-backup-import.yml b/pmci-database-backup-import.yml
index 9746eb8..60a2d52 100644
--- a/pmci-database-backup-import.yml
+++ b/pmci-database-backup-import.yml
@@ -40,7 +40,7 @@
 tasks:
 - name: Add maria servers to hosts if necessary
 add_host:
- name: "{{ stage }}-maria-01"
+ name: "{{ shared_service_maria_primary }}"
 groups:
 - "stage_{{ stage }}"
 - "{{ item }}"
diff --git a/pmci-database-backup-restore.yml b/pmci-database-backup-restore.yml
index 6919105..c70f407 100644
--- a/pmci-database-backup-restore.yml
+++ b/pmci-database-backup-restore.yml
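Review bot: The comment on the three added `vars` entries misspells `paramater`; it should read `# legacy parameter, backwards compatibility`, and the same comment is added in the pmci-database-backup-restore.yml hunk below. `custom_backup_name: "backup"` pins a value that the header removed in the first hunk documented as the caller-supplied `data.custom_backup_name`, so if callers still pass it through `data`, `custom_backup_name: "{{ data.custom_backup_name | default('backup') }}"` would keep that contract — a play-level `vars` entry is not overridden by inventory or group vars. The parameter documentation dropped in the first hunk (stage, tenant, cluster, data and the callback ids) is not re-added anywhere visible; it should move to pmci-inventory-database.yml or stay as this playbook's header.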
@@ -1,55 +1,10 @@
 ---
-# restores a database backup
-# - postgres
-# - executed on stage specific server: {{ stage }}-postgres-01
-# - restores a database backup
-
-# Parameters:
-# playbook inventory
-# stage := the name of the stage (e.g. dev, int, qa, prod)
-# tenant_id := (unique key for the tenant, e.g. customer)
-# cluster_name := (business name for the cluster, e.g. product, department )
-# cluster_service := (service to setup, e.g. 'connect', ...)
-# cluster_features := (optional features to use, e.g. ['wordpress', 'resubmission', ...])
-# custom_backup_name := defines a substring for backup file => {{ stage }}_{{ tenant_id }}_{{ cluster_name }}_{{ cluster_service }}__gehtdichnixan.sql
-# smardigo message callback
-# scope_id := (scope id of the management process)
-# process_instance_id := (process instance id of the management process)
-# smardigo_management_action := (smardigo management action anme of the management process)
-
 #############################################################
 # Creating inventory dynamically for given parameters
 #############################################################
-- hosts: localhost
- connection: local
- gather_facts: false
-
- pre_tasks:
- - name: "Import constraints check"
- import_tasks: tasks/constraints_check.yml
- tags:
- - always
-
-# add virtual server to load stage specific variables as context
- - name: "Add <{{ stage }}-virtual-host-to-read-groups-vars> to hosts"
- add_host:
- name: "{{ stage }}-virtual-host-to-read-groups-vars"
- groups:
- - "stage_{{ stage }}"
- changed_when: False
-
- tasks:
- - name: "Add postgres servers to hosts if necessary"
- add_host:
- name: "{{ stage }}-postgres-01"
- groups:
- - "stage_{{ stage }}"
- - "{{ item }}"
- changed_when: False
- with_items: "{{ cluster_features }}"
- when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea', 'pdns']
+- import_playbook: pmci-inventory-database.yml
 #############################################################
 # Restoring databases for created inventory
@@ -61,6 +16,9 @@
 vars:
 database_backup_state: restore
 ansible_ssh_host: "{{ stage_server_domain }}"
+ tenant_id: "{{ tenant.key }}" # legacy paramater, backwards compatibility
+ cluster_name: "{{ cluster.key }}" # legacy paramater, backwards compatibility
+ custom_backup_name: "backup" # legacy paramater, backwards compatibility
 roles:
 - role: connect_postgres
diff --git a/pmci-database-create.yml b/pmci-database-create.yml
index 80ff85e..a02ee5c 100644
--- a/pmci-database-create.yml
+++ b/pmci-database-create.yml
@@ -50,9 +50,6 @@
 - role: keycloak_postgres
 when: "'keycloak' in group_names"
- - role: webdav_postgres
- when: "'webdav' in group_names"
-
 - role: connect_wordpress_maria
 when: "'connect_wordpress' in group_names"
diff --git a/pmci-database-delete.yml b/pmci-database-delete.yml
index fc25b2c..dae70b3 100644
--- a/pmci-database-delete.yml
+++ b/pmci-database-delete.yml
@@ -51,9 +51,6 @@
 - role: keycloak_postgres
 when: "'keycloak' in group_names"
- - role: webdav_postgres
- when: "'webdav' in group_names"
-
 - role: connect_wordpress_maria
 when: "'connect_wordpress' in group_names"
diff --git a/pmci-inventory-database.yml b/pmci-inventory-database.yml
index fca4474..faa4a4d 100644
--- a/pmci-inventory-database.yml
+++ b/pmci-inventory-database.yml
@@ -27,7 +27,8 @@
 tags:
 - always
-# add virtual server to load stage specific variables as context
+ tasks:
+# add virtual server to load stage specific variables as context
 - name: "Add <{{ stage }}-virtual-host-to-read-groups-vars> to hosts"
 add_host:
 name: "{{ stage }}-virtual-host-to-read-groups-vars"
@@ -35,20 +36,30 @@ - "stage_{{ stage }}" changed_when: False +############################################################# +# +############################################################# + +- hosts: "{{ stage }}-virtual-host-to-read-groups-vars" + serial: "{{ serial_number | default(1) }}" + gather_facts: false + connection: local + run_once: true + tasks: - name: "Add postgres servers to hosts if necessary" add_host: - name: "{{ stage }}-postgres-01" + name: "{{ shared_service_postgres_primary }}" groups: - "{{ item }}" - "stage_{{ stage }}" changed_when: False with_items: "{{ ['hcloud'] + ['stage_' + stage ] + [cluster.service] + (cluster.features | default([])) }}" - when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea', 'pdns'] + when: item in ['connect', 'management_connect', 'keycloak', 'gitea', 'pdns'] - name: "Add maria servers to hosts if necessary" add_host: - name: "{{ stage }}-maria-01" + name: "{{ shared_service_maria_primary }}" groups: - "{{ item }}" - "stage_{{ stage }}" diff --git a/pmci-service-state-update.yml b/pmci-service-state-update.yml index 4fc14f6..dcd5ad6 100644 --- a/pmci-service-state-update.yml +++ b/pmci-service-state-update.yml 
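Review bot: The banner introduced above the new `- hosts: "{{ stage }}-virtual-host-to-read-groups-vars"` play is empty (`# ` between the two `####` rules), so the section heading that the rest of the file relies on for navigation conveys nothing here; fill it in, e.g. `# Adding shared database servers to the inventory for the given cluster`. `run_once: true` together with `serial` on a play that targets a single virtual host is redundant but harmless, and could be dropped for clarity.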
@@ -1,47 +1,10 @@ --- -# Parameters: -# playbook inventory -# stage := the name of the stage (e.g. dev, int, qa, prod) -# tenant_id := (unique key for the tenant, e.g. customer) -# cluster_name := (business name for the cluster, e.g. product, department ) -# cluster_features := (services to setup, e.g. ['connect', 'wordpress', ...]) -# service_state := the state of the service (e.g. up, down, upgrade) -# smardigo message callback -# scope_id := (scope id of the management process) -# process_instance_id := (process instance id of the management process) -# smardigo_management_action := (smardigo management action anme of the management process) - ############################################################# # Creating inventory dynamically for given parameters ############################################################# -- hosts: localhost - gather_facts: false - connection: local - - pre_tasks: - - name: "Check if ansible version is at least {{ ansible_minimal_version }}" - assert: - that: - - ansible_version.string is version(ansible_minimal_version, ">=") - msg: "The ansible version has to be at least {{ ansible_minimal_version }}" - -# add virtual server to load stage specific variables as context - - name: "Add <{{ stage }}-virtual-host-to-read-groups-vars> to hosts" - add_host: - name: "{{ stage }}-virtual-host-to-read-groups-vars" - groups: - - "stage_{{ stage }}" - changed_when: False - - tasks: - - name: Add hosts - add_host: - name: "{{ stage }}-{{ tenant_id }}-{{ cluster_name }}-{{ '%02d' | format(item|int) }}" - groups: "{{ ['stage_' + stage ] + [cluster_service] + cluster_features }}" - with_sequence: start=1 end={{ cluster_size | default(1) }} - changed_when: False +- import_playbook: pmci-inventory-cluster.yml ############################################################# # Stopping services for created inventory 
@@ -51,8 +14,10 @@ serial: "{{ serial_number | default(1) }}" remote_user: root vars: - service_state: up ansible_ssh_host: "{{ stage_server_domain }}" + tenant_id: "{{ tenant.key }}" # legacy paramater, backwards compatibility + cluster_name: "{{ cluster.key }}" # legacy paramater, backwards compatibility + service_state: "{{ data.service_state | default('up') }}" # legacy paramater, backwards compatibility pre_tasks: - name: "Import autodiscover pre-tasks" diff --git a/pmci-tenant-change.yml b/pmci-tenant-change.yml index 6b25b8d..12b587d 100644 --- a/pmci-tenant-change.yml +++ b/pmci-tenant-change.yml @@ -44,7 +44,6 @@ gather_facts: false connection: local vars: - management_realm_name: "management" management_base_url: "{{ stage }}-management-01-connect.{{ domain }}" pre_tasks: diff --git a/pmci-tenant-create.yml b/pmci-tenant-create.yml index aa7f3fa..5f243fb 100644 --- a/pmci-tenant-create.yml +++ b/pmci-tenant-create.yml @@ -44,7 +44,6 @@ gather_facts: false connection: local vars: - management_realm_name: "management" management_base_url: "{{ stage }}-management-01-connect.{{ domain }}" pre_tasks: diff --git a/pmci-tenant-delete.yml b/pmci-tenant-delete.yml index a5c8702..c983610 100644 --- a/pmci-tenant-delete.yml +++ b/pmci-tenant-delete.yml @@ -44,7 +44,6 @@ gather_facts: false connection: local vars: - management_realm_name: "management" management_base_url: "{{ stage }}-management-01-connect.{{ domain }}" pre_tasks: diff --git a/pmci-tenant-sync.yml b/pmci-tenant-sync.yml index 83501ec..af5a353 100644 --- a/pmci-tenant-sync.yml +++ b/pmci-tenant-sync.yml @@ -44,7 +44,6 @@ gather_facts: false connection: local vars: - management_realm_name: "management" management_base_url: "{{ stage }}-management-01-connect.{{ domain }}" sma_management_scope_id: "pmci" sma_management_role_id: "user" diff --git a/remove-database.yml b/remove-database.yml index 85f6fe3..61eb61e 100644 --- a/remove-database.yml +++ b/remove-database.yml 
@@ -2,7 +2,7 @@ # deletes databases and roles on shared service servers # - postgres -# - executed on stage specific server: {{ stage }}-postgres-01 +# - executed on stage specific server: {{ shared_service_postgres_primary }} # Parameters: # playbook inventory @@ -42,17 +42,17 @@ tasks: - name: Add postgres servers to hosts if necessary add_host: - name: "{{ stage }}-postgres-01" + name: "{{ shared_service_postgres_primary }}" groups: - "stage_{{ stage }}" - "{{ item }}" changed_when: False with_items: "{{ cluster_features }}" - when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea', 'pdns'] + when: item in ['connect', 'management_connect', 'keycloak', 'gitea', 'pdns'] - name: Add maria servers to hosts if necessary add_host: - name: "{{ stage }}-maria-01" + name: "{{ shared_service_maria_primary }}" groups: - "stage_{{ stage }}" - "{{ item }}" @@ -94,9 +94,6 @@ # - role: pdns_postgres # when: "'pdns' in group_names" - - role: webdav_postgres - when: "'webdav' in group_names" - - role: connect_wordpress_maria when: "'connect_wordpress' in group_names" diff --git a/restore-database-backup.yml b/restore-database-backup.yml index d1edc74..d4cc8c6 100644 --- a/restore-database-backup.yml +++ b/restore-database-backup.yml @@ -2,7 +2,7 @@ # restores a database backup # - postgres -# - executed on stage specific server: {{ stage }}-postgres-01 +# - executed on stage specific server: {{ shared_service_postgres_primary }} # - restores a database backup # Parameters: 
@@ -43,13 +43,13 @@ tasks: - name: "Add postgres servers to hosts if necessary" add_host: - name: "{{ stage }}-postgres-01" + name: "{{ shared_service_postgres_primary }}" groups: - "stage_{{ stage }}" - "{{ item }}" changed_when: False with_items: "{{ cluster_features }}" - when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea'] + when: item in ['connect', 'management_connect', 'keycloak', 'gitea'] ############################################################# # Restoring databases for created inventory @@ -72,9 +72,6 @@ - role: keycloak_postgres when: "'keycloak' in group_names" - - role: webdav_postgres - when: "'webdav' in group_names" - ############################################################# # Sending smardigo management message to process ############################################################# diff --git a/restore-remote-database-backup.yml b/restore-remote-database-backup.yml index b974631..975d69a 100644 --- a/restore-remote-database-backup.yml +++ b/restore-remote-database-backup.yml @@ -2,10 +2,10 @@ # restores remote database backup # - postgres -# - executed on stage specific server: {{ stage }}-restore-postgres-01 +# - executed on stage specific server: {{ shared_service_postgres_primary }}-restore # - restores a server from full-backup # - mariadb -# - executed on stage specific server: {{ stage }}-restore-maria-01 +# - executed on stage specific server: {{ shared_service_maria_primary }}-restore # - restores a server from full-backup # Parameters: 
@@ -40,13 +40,24 @@ changed_when: False tasks: - - name: "Add {{ database_engine }} servers to hosts if necessary" + - name: "Add {{ database_engine }}-restore servers to hosts if necessary" add_host: - name: "{{ stage }}-restore-{{ database_engine }}-01" + name: "{{ shared_service_postgres_secondary }}-restore" groups: - "stage_{{ stage }}" - 'restore' - changed_when: False + when: + - database_engine is 'postgres' + + - name: "Add {{ database_engine }}-restore servers to hosts if necessary" + add_host: + name: "{{ shared_service_maria_primary }}-restore" + groups: + - "stage_{{ stage }}" + - 'restore' + when: + - database_engine is 'maria' + - name: "Add 'backup' servers to hosts if necessary" add_host: name: "{{ stage }}-backup-01" diff --git a/roles/argocd_realm/defaults/main.yml b/roles/argocd_realm/defaults/main.yml new file mode 100644 index 0000000..4df0b0e --- /dev/null +++ b/roles/argocd_realm/defaults/main.yml 
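Review bot: Both new `when` conditions are written as `database_engine is 'postgres'` and `database_engine is 'maria'`, which is not a comparison — in Jinja2 `is` introduces a test name, so these fail at templating time; write `- database_engine == 'postgres'` and `- database_engine == 'maria'`. The postgres task adds `{{ shared_service_postgres_secondary }}-restore`, while the header comment changed in the previous hunk of this file says the play runs on `{{ shared_service_postgres_primary }}-restore`; one of the two is wrong and the comment should match whichever host is intended. The rewrite also dropped `changed_when: False` from both add_host tasks, so unlike the virtual-host task above them they will report changed on every run.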
@@ -0,0 +1,43 @@ +--- +current_realm_name: "{{ argocd_oidc_realm }}" + +current_realm_clients: + - name: "{{ argocd_oidc_client_id }}" + base_url: "/applications" + clientId: "{{ argocd_oidc_client_id }}" + admin_url: "{{ shared_service_kube_url_argocd }}/" + root_url: "{{ shared_service_kube_url_argocd }}/" + redirect_uris: + - "{{ shared_service_kube_url_argocd }}/auth/callback" + secret: "{{ argocd_oidc_client_secret }}" + web_origins: + - "{{ shared_service_kube_url_argocd }}/" + default_client_scopes: "{{ keycloak_default_client_scopes + ['groups'] }}" + +current_realm_users: + - username: "{{ argocd_oidc_admin_username }}" + password: "{{ argocd_oidc_admin_password }}" + email: "{{ argocd_oidc_admin_email }}" + firstName: "Netgo" + lastName: "Administrator" + requiredActions: [] + +current_realm_admin_users: + - username: "argocd-realm-admin" + password: "{{ infrastructure_realm_admin_password_vault }}" + email: "{{ argocd_oidc_admin_email }}" + firstName: "Netgo" + lastName: "Administrator" + requiredActions: [] + +current_realm_groups: + - name: "admin" + - name: "argocd-admin" # not working yet + +current_user_groupmembership: + - username: "argocd-admin" + destination_group: "admin" + - username: "argocd-admin" + destination_group: "argocd-admin" + +keycloak_force_prune: true diff --git a/roles/argocd_realm/tasks/main.yml b/roles/argocd_realm/tasks/main.yml new file mode 100644 index 0000000..debb0f5 --- /dev/null +++ b/roles/argocd_realm/tasks/main.yml @@ -0,0 +1,5 @@ +--- + +- name: "Setup realm for <{{ current_realm_name }}>" + include_role: + name: keycloak_realm diff --git a/roles/awx_realm/defaults/main.yml b/roles/awx_realm/defaults/main.yml new file mode 100644 index 0000000..19dac2c --- /dev/null +++ b/roles/awx_realm/defaults/main.yml 
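Review bot: `current_user_groupmembership` grants the `admin` and `argocd-admin` groups to a literal user `argocd-admin`, but no user of that name is declared in this file — the realm user is `{{ argocd_oidc_admin_username }}` and the realm admin is `argocd-realm-admin` — so the admin-group grant either fails or lands on an unexpected account unless the variable happens to equal `argocd-admin`; use `- username: "{{ argocd_oidc_admin_username }}"`. The awx_realm defaults in this commit have the same literal-versus-variable mismatch (`awx-admin`). Separately, the `web_origins` entries end in `/` (also in the awx_realm and gitea_realm defaults); Keycloak compares Web Origins against the browser's Origin header, which carries no path or trailing slash, so these entries are unlikely to match, and the connect_realm defaults in this same commit use bare origins, which is the form to follow.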
@@ -0,0 +1,39 @@ +--- +current_realm_name: "{{ awx_oidc_realm }}" + +current_realm_clients: + - name: "{{ awx_oidc_client_id }}" + clientId: "{{ awx_oidc_client_id }}" + admin_url: "{{ shared_service_kube_url_awx }}/" + root_url: "{{ shared_service_kube_url_awx }}/" + redirect_uris: + - "{{ shared_service_kube_url_awx }}/sso/complete/oidc/" + secret: "{{ awx_oidc_client_secret }}" + web_origins: + - "{{ shared_service_kube_url_argocd }}/" + default_client_scopes: "{{ keycloak_default_client_scopes + ['groups'] }}" + +current_realm_users: + - username: "{{ awx_oidc_admin_username }}" + password: "{{ awx_oidc_admin_password }}" + email: "{{ awx_oidc_admin_email }}" + firstName: "Netgo" + lastName: "Administrator" + requiredActions: [] + +current_realm_admin_users: + - username: "awx-realm-admin" + password: "{{ infrastructure_realm_admin_password_vault }}" + email: "{{ awx_oidc_admin_email }}" + firstName: "Netgo" + lastName: "Administrator" + requiredActions: [] + +current_realm_groups: + - name: "awx-admin" + +current_user_groupmembership: + - username: "awx-admin" + destination_group: "awx-admin" + +keycloak_force_prune: true diff --git a/roles/awx_realm/tasks/main.yml b/roles/awx_realm/tasks/main.yml new file mode 100644 index 0000000..debb0f5 --- /dev/null +++ b/roles/awx_realm/tasks/main.yml @@ -0,0 +1,5 @@ +--- + +- name: "Setup realm for <{{ current_realm_name }}>" + include_role: + name: keycloak_realm diff --git a/roles/connect/tasks/main.yml b/roles/connect/tasks/main.yml index 30915e4..0cabeb4 100644 --- a/roles/connect/tasks/main.yml +++ b/roles/connect/tasks/main.yml @@ -4,7 +4,6 @@ ### update_certs ### update_deployment - - name: "Setup hcloud firewalls for <{{ inventory_hostname }}>" include_role: name: hetzner-ansible-hcloud @@ -89,6 +88,7 @@ restarted: yes build: no tags: + - never - update_certs - name: "Update {{ connect_id }}" diff --git a/roles/connect/vars/main.yml b/roles/connect/vars/main.yml index 24a7fc3..df2245f 100644 
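Review bot: The AWX client's `web_origins` is `{{ shared_service_kube_url_argocd }}/` — ArgoCD's URL, apparently carried over from the argocd_realm defaults — so CORS for this client is opened to a different application while AWX's own origin is not allowed; it should read `- "{{ shared_service_kube_url_awx }}"`. `current_user_groupmembership` also names a literal `awx-admin` user that is declared neither in `current_realm_users` nor in `current_realm_admin_users`, so the `awx-admin` group grant only works if `awx_oidc_admin_username` happens to be that string; reference the variable instead, `- username: "{{ awx_oidc_admin_username }}"`.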
--- a/roles/connect/vars/main.yml +++ b/roles/connect/vars/main.yml @@ -96,12 +96,6 @@ connect_environment: [ "RESUBMISSION_ENABLED: \"{{ connect_resubmission_enabled }}\"", "SMA_WORKFLOW_HEATMAP_ENABLED: \"{{ connect_workflow_heatmap_enabled }}\"", - "SMA_ENABLE_WEBDAV_DOC_EDITING: \"{{ connect_webdav_enabled | default('false') }}\"", - "SMA_WEBDAV_BASE_PATH: \"{{ http_s }}://{{ connect_base_url }}\"", - "SMA_WEBDAV_HOST_URL: \"{{ http_s }}://{{ shared_service_webdav_hostname }}/\"", - "SMA_WEBDAV_FRONTEND_URL: \"{{ http_s }}://{{ shared_service_webdav_hostname }}/\"", - "SMA_WEBDAV_JWT_SECRET: \"{{ webdav_jwt_secret }}\"", - "SPRINGDOC_SERVER_URL: \"{{ http_s }}://{{ connect_base_url }}\"", "SMA_CORS_ORIGINS: \"{{ http_s }}://{{ connect_base_url }}:{{ admin_port_service }}\"", diff --git a/roles/connect_realm/defaults/main.yml b/roles/connect_realm/defaults/main.yml index ab1e180..0bcdfd8 100644 --- a/roles/connect_realm/defaults/main.yml +++ b/roles/connect_realm/defaults/main.yml 
@@ -1,28 +1,26 @@ --- +connect_client_secret: "{{ connect_client_id }}" client_web_origin_connect: "{{ http_s }}://{{ connect_base_url }}" client_web_origin_wordpress: "{{ http_s }}://{{ wordpress_base_url }}" client_web_origin_connect_external: "{{ http_s }}://{{ connect_external_subdomain | default('unset') }}.{{ domain }}" -current_realm_clients: [ - { - name: "{{ connect_client_id }}", - clientId: "{{ connect_client_id }}", - admin_url: "", - root_url: "", +current_realm_clients: + - name: "{{ connect_client_id }}" + clientId: "{{ connect_client_id }}" + admin_url: "{{ client_web_origin_connect }}" + root_url: "{{ client_web_origin_connect }}" redirect_uris: "{{ [client_web_origin_connect + '/*'] + ([client_web_origin_wordpress + '/*'] if 'connect_wordpress' in groups else []) + ([client_web_origin_connect_external + '/*'] if connect_external_subdomain is defined else []) - }}", - secret: '{{ connect_client_id }}', + }}" + secret: "{{ connect_oidc_client_secret }}" web_origins: "{{ [client_web_origin_connect] + ([client_web_origin_wordpress] if 'connect_wordpress' in groups else []) + ([client_web_origin_connect_external] if connect_external_subdomain is defined else []) - }}", - } -] + }}" current_realm_users_base: - username: "{{ connect_client_admin_username }}" diff --git a/roles/connect_realm/tasks/main.yml b/roles/connect_realm/tasks/main.yml index dfe9684..2b7caf3 100644 --- a/roles/connect_realm/tasks/main.yml +++ b/roles/connect_realm/tasks/main.yml @@ -2,7 +2,7 @@ ### tags: -- name: "Setup realm for {{ inventory_hostname }}" +- name: "Authenticate on keycloak for {{ inventory_hostname }}" include_role: name: keycloak tasks_from: _authenticate diff --git a/roles/connect_realm/vars/main.yml b/roles/connect_realm/vars/main.yml deleted file mode 100644 index ed97d53..0000000 --- a/roles/connect_realm/vars/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- 
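Review bot: The new default `connect_client_secret: "{{ connect_client_id }}"` makes the secret equal to the public client id, i.e. guessable by anyone who knows the realm; the client definition in this same hunk already switched to `secret: "{{ connect_oidc_client_secret }}"`, so this default is either dead or a weak fallback. I cannot see from the hunk whether anything still reads `connect_client_secret`; if nothing does, remove the line, otherwise define it as `connect_client_secret: "{{ connect_oidc_client_secret }}"` so any remaining consumer receives the vaulted value.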
diff --git a/roles/connect_wordpress/vars/main.yml b/roles/connect_wordpress/vars/main.yml index 68e1163..23cbedb 100644 --- a/roles/connect_wordpress/vars/main.yml +++ b/roles/connect_wordpress/vars/main.yml @@ -33,7 +33,7 @@ wordpress_docker: { image_version: "{{ wordpress_image_version }}", labels: "{{ wordpress_labels + ( wordpress_labels_additional | default([])) }}", environment: [ - "WORDPRESS_DB_HOST: \"{{ connect_wordpress_maria_host }}:{{ wordpress_mysql_port | default('3306') }}\"", + "WORDPRESS_DB_HOST: \"{{ shared_service_maria_primary }}:{{ wordpress_mysql_port | default('3306') }}\"", "WORDPRESS_DB_USER: \"{{ connect_wordpress_maria_username }}\"", "WORDPRESS_DB_PASSWORD: \"{{ connect_wordpress_maria_password }}\"", "WORDPRESS_DB_NAME: \"{{ connect_wordpress_maria_database }}\"", diff --git a/roles/gitea/vars/main.yml b/roles/gitea/vars/main.yml index a5a2116..bdcd8ec 100644 --- a/roles/gitea/vars/main.yml +++ b/roles/gitea/vars/main.yml @@ -27,7 +27,7 @@ gitea_environment: [ "USER_UID: \"1000\"", "USER_GID: \"1000\"", "GITEA__database__DB_TYPE: \"postgres\"", - "GITEA__database__HOST: \"{{ shared_service_postgres_01_hostname }}\"", + "GITEA__database__HOST: \"{{ gitea_postgres_host }}\"", "GITEA__database__NAME: \"{{ gitea_postgres_database }}\"", "GITEA__database__USER: \"{{ gitea_postgres_database }}\"", "GITEA__database__PASSWD: \"{{ gitea_postgres_password }}\"", diff --git a/roles/gitea_realm/defaults/main.yml b/roles/gitea_realm/defaults/main.yml index 04cab0b..c743c6d 100644 --- a/roles/gitea_realm/defaults/main.yml +++ b/roles/gitea_realm/defaults/main.yml 
@@ -1,31 +1,32 @@ --- +current_realm_name: "{{ gitea_oidc_realm }}" -current_realm_clients: [ - { - name: '{{ gitea_client_id }}', - clientId: "{{ gitea_client_id }}", - admin_url: '', - root_url: '', - redirect_uris: ' - [ - "{{ http_s }}://{{ gitea_base_url }}/*", - ]', - secret: '{{ gitea_client_secret }}', - web_origins: ' - [ - "{{ http_s }}://{{ gitea_base_url }}", - ]', - } -] +current_realm_clients: + - name: "{{ gitea_oidc_client_id }}" + base_url: "" + clientId: "{{ gitea_oidc_client_id }}" + admin_url: "{{ shared_service_kube_url_gitea }}" + root_url: "{{ shared_service_kube_url_gitea }}" + redirect_uris: + - "{{ shared_service_kube_url_gitea }}/*" + secret: "{{ gitea_oidc_client_secret }}" + web_origins: + - "{{ shared_service_kube_url_gitea }}/" current_realm_users: - - username: "{{ gitea_admin_username }}" - password: "{{ gitea_admin_password }}" - email: "{{ gitea_admin_email }}" + - username: "{{ gitea_oidc_admin_username }}" + password: "{{ gitea_oidc_admin_password }}" + email: "{{ gitea_oidc_admin_email }}" + firstName: "Netgo" + lastName: "Administrator" requiredActions: [] current_realm_admin_users: - - username: "{{ gitea_realm_admin_username }}" - password: "{{ gitea_realm_admin_password }}" - email: "{{ gitea_admin_email }}" + - username: "gitea-realm-admin" + password: "{{ infrastructure_realm_admin_password_vault }}" + email: "{{ gitea_oidc_admin_email }}" + firstName: "Netgo" + lastName: "Administrator" requiredActions: [] + +keycloak_force_prune: true diff --git a/roles/gitea_realm/tasks/main.yml b/roles/gitea_realm/tasks/main.yml index 1091c13..debb0f5 100644 --- a/roles/gitea_realm/tasks/main.yml +++ b/roles/gitea_realm/tasks/main.yml 
@@ -1,25 +1,5 @@ --- -### tags: - -- name: "Setup realm for {{ inventory_hostname }}" - include_role: - name: keycloak - tasks_from: _authenticate - -- name: "Setup realm for {{ inventory_hostname }}" - include_role: - name: keycloak - tasks_from: _configure_realm - vars: - current_realm_password_policy: '' - -- name: "Create realm users" - include_role: - name: keycloak - tasks_from: _create_realm_users - -- name: "Create realm admin" +- name: "Setup realm for <{{ current_realm_name }}>" include_role: - name: keycloak - tasks_from: _create_realm_admin + name: keycloak_realm diff --git a/roles/gitea_realm/vars/main.yml b/roles/gitea_realm/vars/main.yml deleted file mode 100644 index ed97d53..0000000 --- a/roles/gitea_realm/vars/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/harbor/tasks/main.yml b/roles/harbor/tasks/main.yml index 1a2fcc2..43a4c5f 100644 --- a/roles/harbor/tasks/main.yml +++ b/roles/harbor/tasks/main.yml @@ -1,14 +1,5 @@ --- -- name: "Create realm for <{{ inventory_hostname }}> if necessary" - include_role: - name: harbor_realm - vars: - current_realm_name: "harbor" - current_realm_display_name: "harbor" - tags: - - always - - name: "Install harbor" include_tasks: install.yml diff --git a/roles/harbor_config/defaults/main.yml b/roles/harbor_config/defaults/main.yml new file mode 100644 index 0000000..122b7f5 --- /dev/null +++ b/roles/harbor_config/defaults/main.yml 
@@ -0,0 +1,82 @@ +--- +harbor_system_configuration: + email_host: '{{ shared_service_mail_hostname }}' + email_port: 25 + email_from: 'harbor@{{ domain_env }}' + email_password: '' + email_username: '' + email_insecure: true + auth_mode: oidc_auth + oidc_name: "{{ harbor_oidc_realm }}" + oidc_endpoint: 'https://{{ shared_service_hostname_keycloak }}/auth/realms/{{ harbor_oidc_realm }}' + oidc_client_id: "{{ harbor_oidc_client_id }}" + oidc_client_secret: "{{ harbor_oidc_client_secret }}" + oidc_groups_claim: groups + oidc_scope: openid + oidc_verify_cert: true + oidc_auto_onboard: true + oidc_admin_group: 'admin' + oidc_user_claim: 'sub' + scan_all_policy: + parameter: + daily_time: 0 + +harbor_project_names: + - awx + - sken + - infrastructure + +# default configuration for all harbor projects +harbor_project_template: + project_attributes: + project_name: '{{ project_name }}' + meta_data: + auto_scan: true + project_state: present + members: + - + group_name: '{{ project_name }}' + group_type: oidc + role: projectadmin + +harbor_robot_tokens: + - + secret_refresh: true + name: ansible + level: system + description: 'smardigo docker pull credentials' + secret: '{{ harbor_token }}' + disable: false + duration: -1 + editable: true + expires_at: -1 + permissions: + - access: + - action: push + resource: repository + - action: pull + resource: repository + - action: delete + resource: artifact + - action: read + resource: helm-chart + - action: create + resource: helm-chart-version + - action: delete + resource: helm-chart-version + - action: create + resource: tag + - action: delete + resource: tag + - action: create + resource: artifact-label + - action: create + resource: scan + kind: project + namespace: "*" + +harbor_scanall: + - + schedule: + cron: 0 0 1 * * * + type: Custom diff --git a/roles/harbor_config/tasks/configure-system.yml b/roles/harbor_config/tasks/configure-system.yml new file mode 100644 index 0000000..ec4d3e6 --- /dev/null 
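Review bot: The `ansible` robot account is described as `smardigo docker pull credentials` but is granted `push`, artifact and tag `delete`, helm-chart `create`/`delete` and scan `create` on `namespace: "*"` at `level: system`, with `duration: -1` and `expires_at: -1` so it never expires. A pull credential should carry only `- action: pull` / `resource: repository`; if the write permissions are intentional, rename and describe the token accordingly, give it a finite `duration`, and prefer a per-project robot over a system-wide one. `oidc_auto_onboard: true` together with `oidc_admin_group: 'admin'` makes every identity that the realm places in a group named `admin` a Harbor administrator on first login; if that is intended, a comment above `oidc_admin_group` naming which realm group this maps to would make the trust relationship explicit.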
+++ b/roles/harbor_config/tasks/configure-system.yml @@ -0,0 +1,15 @@ +--- +- name: "Add harbor base configuration via API" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/configurations" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: PUT + body_format: json + force_basic_auth: yes + body: "{{ harbor_system_configuration }}" + headers: + Content-Type: application/json + status_code: [200] diff --git a/roles/harbor_config/tasks/configure_project.yml b/roles/harbor_config/tasks/configure_project.yml new file mode 100644 index 0000000..9240a24 --- /dev/null +++ b/roles/harbor_config/tasks/configure_project.yml @@ -0,0 +1,26 @@ +--- +- name: "Apply project state <{{ project.project_state }}>" + include_tasks: configure_project_crud.yml + vars: + project_name: '{{ project.project_attributes.project_name }}' + +- name: "Configure project metadata" + include_tasks: configure_project_metadata_crud.yml + vars: + project_name: '{{ project.project_attributes.project_name }}' + loop: '{{ project.meta_data | dict2items }}' + loop_control: + loop_var: meta_data_elem + when: + - project.meta_data is defined + - project.project_state == 'present' + +- name: "Configure project members" + include_tasks: configure_project_members_crud.yml + vars: + project_name: '{{ project.project_attributes.project_name }}' + loop: '{{ project.members }}' + loop_control: + loop_var: member + when: + - project.project_state == 'present' diff --git a/roles/harbor_config/tasks/configure_project_crud.yml b/roles/harbor_config/tasks/configure_project_crud.yml new file mode 100644 index 0000000..5506cc1 --- /dev/null +++ b/roles/harbor_config/tasks/configure_project_crud.yml 
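Review bot: The "Configure project members" task loops over `project.members` unguarded, while the metadata task directly above checks `project.meta_data is defined`; a project entry without a `members` key aborts the play with an undefined-variable error instead of being treated as "no members". Use `loop: '{{ project.members | default([]) }}'` or add `- project.members is defined` to its `when` list so the two tasks behave consistently.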
@@ -0,0 +1,100 @@ +--- +- name: "Check if project <{{ project_name }}> exists" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/projects/{{ project_name }}" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: GET + body_format: json + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200,404] + register: project_exists + +- name: "Check if project <{{ project_name }}> exists" + debug: + msg: '{{ project_exists.json }}' + when: debug + +- name: "Create project <{{ project_name }}>" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/projects" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: POST + body_format: json + body: '{{ project.project_attributes | to_json }}' + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200,201] + register: project_create + when: + - project_exists.status in [404] + - project.project_state == 'present' + +- name: "Create project <{{ project_name }}>" + debug: + msg: '{{ project_create.json }}' + when: + - debug + - project_exists.status in [404] + - project.project_state == 'present' + +- name: "Update project <{{ project_name }}>" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/projects/{{ project_name }}" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: PUT + body_format: json + body: '{{ project.project_attributes | to_json }}' + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200,201] + register: project_update + when: + - project_exists.status in [200] + - project.project_state == 'present' + +- name: "Update project <{{ project_name }}>" + debug: + msg: '{{ project_update.json }}' + when: + - debug + - project_exists.status in [200] + - project.project_state == 'present' + +- 
name: "Delete project <{{ project_name }}>" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/projects/{{ project_name }}" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: DELETE + body_format: json + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200] + register: project_delete + when: + - project_exists.status in [200] + - project.project_state == 'absent' + +- name: "Delete project <{{ project_name }}>" + debug: + msg: '{{ project_update.json }}' + when: + - debug + - project_exists.status in [200] + - project.project_state == 'absent' diff --git a/roles/harbor_config/tasks/configure_project_members_crud.yml b/roles/harbor_config/tasks/configure_project_members_crud.yml new file mode 100644 index 0000000..31436f6 --- /dev/null +++ b/roles/harbor_config/tasks/configure_project_members_crud.yml 
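Review bot: The final "Delete project" debug prints `project_update.json`, but when `project.project_state == 'absent'` the update task was skipped, so `project_update` holds a skipped result with no `json` key and this debug fails as soon as `debug` is true; it should read `msg: '{{ project_delete.json }}'`. As a point of style, each API task and its debug task share an identical `name`, which makes the play output ambiguous — suffixing the debug names (e.g. `"Delete project <{{ project_name }}> (result)"`) helps when reading logs.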
@@ -0,0 +1,104 @@ +--- +- name: "Initialze VARs due to hardcoded stuff in harbor API" + set_fact: + member_state: '{{ member.member_state | default("present") }}' + harbor_member_roles: + - + name: projectadmin + role_id: 1 + - + name: developer + role_id: 2 + - + name: guest + role_id: 3 + - + name: maintainer + role_id: 4 + harbor_member_grouptypes: + - + name: ldap + group_type: 1 + - + name: http + group_type: 2 + - + name: oidc + group_type: 3 + +- name: "Initialze VARs due to hardcoded stuff in harbor API" + set_fact: + group_type: "{{ ( harbor_member_grouptypes | selectattr('name','==',( member.group_type | lower )) | list | first ).group_type | int }}" + role_id: "{{ ( harbor_member_roles | selectattr('name','==',( member.role| lower ) ) | list | first ).role_id | int }}" + +- name: "Get all project members" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/projects/{{ project_name }}/members" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: GET + body_format: json + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200] + register: all_project_members + +- name: "Create project membership" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/projects/{{ project_name }}/members" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: POST + body_format: json + body: "{{ lookup('template','harbor-project-member.json.j2') }}" + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200,201] + when: + - all_project_members.json | selectattr('entity_name','equalto',member.group_name) | list | length == 0 + - member_state == 'present' + +- name: "Update project member <{{ member.group_name }}>" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/projects/{{ project_name }}/members/{{ ( 
all_project_members.json | selectattr('entity_name','equalto',member.group_name) | list | first ).id }}" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: PUT + body_format: json + body: "{{ lookup('template','harbor-project-member.json.j2') }}" + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200,201] + when: + - all_project_members.json | selectattr('entity_name','equalto',member.group_name) | list | length == 1 + - member_state == 'present' + +- name: "Delete member: <<{{ member.group_name }}>>" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/projects/{{ project_name }}/members/{{ ( all_project_members.json | selectattr('entity_name','equalto',member.group_name) | list | first ).id }}" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: DELETE + body_format: json + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200,201] + register: delete_project_member + delay: 10 + retries: 3 + until: delete_project_member.status in [200,201] + when: + - all_project_members.json | selectattr('entity_name','equalto',member.group_name) | list | length == 1 + - member_state == 'absent' diff --git a/roles/harbor_config/tasks/configure_project_metadata_crud.yml b/roles/harbor_config/tasks/configure_project_metadata_crud.yml new file mode 100644 index 0000000..ff63fed --- /dev/null +++ b/roles/harbor_config/tasks/configure_project_metadata_crud.yml 
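Review bot: The "Update project member" task PUTs whenever the member already exists, without comparing the existing entry's role with the requested `role_id`, so every run reports changed and rewrites the membership; filtering the found entry on its role (the member objects returned from `.../members` carry a `role_id`, as far as I know) before PUTting would make the task idempotent and make real permission changes visible in the output. The two `set_fact` task names misspell "Initialize" as `Initialze`; `"Initialize VARs due to hardcoded stuff in harbor API"`.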
@@ -0,0 +1,65 @@ +--- +- name: "Get all meta_data" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/projects/{{ project_name }}/metadatas/{{ meta_data_elem.key }}" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: GET + body_format: json + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200] + register: all_metadata + delay: 10 + retries: 3 + +- name: "Set fact" + set_fact: + body_content: "{ \"{{ meta_data_elem.key }}\":\"{{ meta_data_elem.value }}\" }" + +- name: "Add meta_data: <<{{ meta_data_elem.key }}>>" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/projects/{{ project_name }}/metadatas" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: POST + body_format: json + body: '{{ body_content }}' + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200,201] + register: create_metadata + delay: 10 + retries: 3 + until: create_metadata.status in [200,201] + when: + - meta_data_elem.key not in all_metadata.json + +- name: "Update meta_data: <<{{ meta_data_elem.key }}>>" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/projects/{{ project_name }}/metadatas/{{ meta_data_elem.key }}" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: PUT + body_format: json + body: '{{ body_content }}' + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200,201] + register: update_metadata + delay: 10 + retries: 3 + until: update_metadata.status in [200,201] + when: + - meta_data_elem.key in all_metadata.json + +# DELETION currently out-of-scope diff --git a/roles/harbor_config/tasks/configure_registry.yml b/roles/harbor_config/tasks/configure_registry.yml new file mode 100644 index 0000000..ec4d3e6 --- /dev/null 
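Review bot: `body_content` in the "Set fact" task is assembled as a JSON string by hand (`"{ \"{{ meta_data_elem.key }}\":\"{{ meta_data_elem.value }}\" }"`), so a key or value containing a double quote or backslash yields invalid JSON and the POST/PUT send an unparsable body. Because `body_format: json` serialises a mapping itself, `body_content: "{{ { meta_data_elem.key: meta_data_elem.value } }}"` produces the same request without the quoting hazard. The `delay: 10` / `retries: 3` on "Get all meta_data" have no `until`; on the Ansible versions I know, `retries` is only applied together with an `until` condition, so this GET is attempted once — the same pattern appears on "Get all robot tokens" in configure_robot_tokens_crud.yml.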
+++ b/roles/harbor_config/tasks/configure_registry.yml @@ -0,0 +1,15 @@ +--- +- name: "Add harbor base configuration via API" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/configurations" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: PUT + body_format: json + force_basic_auth: yes + body: "{{ harbor_system_configuration }}" + headers: + Content-Type: application/json + status_code: [200] diff --git a/roles/harbor_config/tasks/configure_robot_tokens.yml b/roles/harbor_config/tasks/configure_robot_tokens.yml new file mode 100644 index 0000000..f14e27d --- /dev/null +++ b/roles/harbor_config/tasks/configure_robot_tokens.yml @@ -0,0 +1,29 @@ +--- +- name: "Initialze VARs" + set_fact: + tok_obj: {} + tags: + - harbor-configure-robots + +- name: "DEBUG" + debug: + msg: "DEBUGGING - robot_token: {{ robot_token }}" + when: + - debug + - harbor-configure-robots + +- name: "Drop token_state from dict to avoid rejecting object by harbor API due to unknown field" + set_fact: + tok_obj: "{{ tok_obj | combine( { item.key: item.value } ) }}" + when: item.key not in ['token_state'] + with_dict: "{{ robot_token }}" + tags: + - harbor-configure-robots + +- name: + include_tasks: configure_robot_tokens_crud.yml + vars: + token_state: "{{ robot_token.token_state | default('present') }}" + token_object: "{{ tok_obj }}" + tags: + - harbor-configure-robots diff --git a/roles/harbor_config/tasks/configure_robot_tokens_crud.yml b/roles/harbor_config/tasks/configure_robot_tokens_crud.yml new file mode 100644 index 0000000..9f051d7 --- /dev/null +++ b/roles/harbor_config/tasks/configure_robot_tokens_crud.yml 
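Review bot: The PUT of `harbor_system_configuration` in "Add harbor base configuration via API" carries no `no_log`, and the Harbor configurations object is where fields such as the OIDC client secret and LDAP bind password live; if this variable holds any of them, a failed call prints the whole body in the module result. `no_log: true` on the task keeps the body out of play output and job logs, as the role already does on its robot-token tasks. The task also omits the `delay`/`retries`/`until` used by the neighbouring API calls; whether that is intentional I cannot tell from the hunk.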
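Review bot: The `when` list of the "DEBUG" task in configure_robot_tokens.yml contains `- harbor-configure-robots`, which Ansible evaluates as the Jinja expression `harbor - configure - robots` rather than as a tag, so the task fails on an undefined variable as soon as `debug` is true; drop that condition and keep the tag under `tags:` as the other tasks do. The message also echoes the whole `robot_token` object, which includes the `secret` field the CRUD file later sends when one is declared; `no_log: true` on the debug task, or printing `robot_token | dict2items | rejectattr('key','equalto','secret') | items2dict`, avoids logging it. The final `include_tasks` task has an empty `name:`, e.g. `name: "CRUD - robot token <{{ robot_token.name }}>"`.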
@@ -0,0 +1,211 @@ +--- + +### tags: +### harbor-configure-robots + +- name: "Initialze VARs" + set_fact: + token_object_combined: {} + tags: + - harbor-configure-robots + +- name: "Get all robot tokens" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/robots" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: GET + body_format: json + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200] + register: all_robot_tokens + delay: 10 + retries: 3 + no_log: true + tags: + - harbor-configure-robots + +- name: "Create robot token" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/robots" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: POST + body_format: json + body: '{{ token_object | to_json }}' + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200,201] + register: create + delay: 10 + retries: 3 + until: create.status in [200,201] + when: + - all_robot_tokens.json | selectattr('name','contains',token_object.name) | list | length == 0 + - token_state == 'present' + tags: + - harbor-configure-robots + +- name: "Set VARs if current robot token object already exists" + set_fact: + robots_id: "{{ ( all_robot_tokens.json | selectattr('name','contains',token_object.name) | list | first ).id }}" + remote_robot_token_object: "{{ all_robot_tokens.json | selectattr('name','contains',token_object.name) | list | first }}" + token_object_combined: "{{ all_robot_tokens.json | selectattr('name','contains',token_object.name) | list | first | combine(token_object, recursive=True) }}" + token_object_dropped: {} + when: + - all_robot_tokens.json | selectattr('name','contains',token_object.name) | list | length == 1 + tags: + - harbor-configure-robots + +- name: "Refresh the robot secret" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ 
shared_service_url_harbor }}/api/v2.0/robots/{{ robots_id }}" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: PATCH + body_format: json + body: >- + {{ + ( + { + "secret": token_object.secret + } + ) + }} + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200] + register: update + delay: 10 + retries: 3 + until: update.status in [200] + when: + - all_robot_tokens.json | selectattr('name','contains',token_object.name) | list | length == 1 + - token_state == 'present' + - token_object.secret_refresh is defined + - token_object.secret_refresh + no_log: true + tags: + - harbor-configure-robots + +- name: "Block to Update robot token data" + block: + - name: "DEBUG" + debug: + msg: "DEBUGGING before dropping - combined token_object_combined: {{ token_object_combined }}" + when: + - debug + tags: + - harbor-configure-robots + + # unknown param/key in object robot-token will result in errors with harbor API + # therefore we drop $keys from dict + - name: "Drop some keys from updated robot token object" + set_fact: + token_object_dropped: "{{ token_object_dropped | combine( { item.key: item.value } ) }}" + with_dict: "{{ token_object_combined }}" + when: + - item.key not in ['secret','secret_refresh'] + tags: + - harbor-configure-robots + + # harbor API behaviour: + # in case of initial creation for robot token objects, harbor creates a name for this + # in form of << robot$OBJECT_NAME >> - plz be aware of the dollar sign! + # but only the OBJECT_NAME was defined in object declaration. + # In case of updating we have to make sure that the << robot$OBJECT_NAME >> is used in the + # updated object thrown against harbor API. 
+ # + # so harbor API forces me to create this workaround to avoid such errors + # + # part 1: define name of object + - name: "Set fact" + set_fact: + robot_token_name_cleaned: + name: 'robot${{ token_object_dropped.name }}' + tags: + - harbor-configure-robots + + # part 2: override name with new defined name of object + - name: "Set fact" + set_fact: + token_object_finished: '{{ token_object_dropped | combine(robot_token_name_cleaned, recursive=True) }}' + tags: + - harbor-configure-robots + + - name: "DEBUG" + debug: + msg: "DEBUGGING after dropping - combined token_object_finished: {{ token_object_finished }}" + when: + - debug + + # to update a robot token, the following conditions must be satisfied + # 1. ALL params of robot token object must be set + # 1.1. except the secret param - it must be removed/rejected from object - it will be updated with PATCH-method instead of PUT-method + # 2. the update (of parameter) itself + # + # there is no possibility to update if one of mentioned conditions is not statisfied. 
+ # the API call will fail with one of the following errors: + # - HTTP 400 - "cannot update the level or name of robot" + # - HTTP 400 - "bad request error level input:" + # + - name: "Update robot token object" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/robots/{{ robots_id }}" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: PUT + body_format: json + body: '{{ token_object_finished | to_json }}' + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200] + register: update + delay: 10 + retries: 3 + until: update.status in [200] + no_log: true + tags: + - harbor-configure-robots + +# when - part of BLOCK-statement + when: + - all_robot_tokens.json | selectattr('name','contains',token_object.name) | list | length == 1 + - token_state == 'present' + tags: + - harbor-configure-robots +# end of BLOCK to Update robot token data + +- name: "Delete robot token" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/robots/{{ robots_id }}" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: DELETE + body_format: json + force_basic_auth: yes + headers: + Content-Type: application/json + status_code: [200] + register: delete_project_member + delay: 10 + retries: 3 + until: delete_project_member.status in [200] + when: + - all_robot_tokens.json | selectattr('name','contains',token_object.name) | list | length == 1 + - token_state == 'absent' diff --git a/roles/harbor_config/tasks/configure_scanall_schedule.yml b/roles/harbor_config/tasks/configure_scanall_schedule.yml new file mode 100644 index 0000000..a9c88d9 --- /dev/null +++ b/roles/harbor_config/tasks/configure_scanall_schedule.yml 
@@ -0,0 +1,29 @@ +--- +- name: "configure | configure scanall schedule | CREATE scanschedule" + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/system/scanAll/schedule" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: POST + body_format: json + force_basic_auth: yes + headers: + Content-Type: application/json + body: '{{ scanschedule |to_json }}' + status_code: [201,412] + register: create_scanschedule + +- name: "configure | configure scanall schedule | UPDATE scanschedule" + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/system/scanAll/schedule" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: PUT + body_format: json + force_basic_auth: yes + headers: + Content-Type: application/json + body: '{{ scanschedule |to_json }}' + status_code: [200] + when: + - create_scanschedule.status in [412] diff --git a/roles/harbor_config/tasks/main.yml b/roles/harbor_config/tasks/main.yml new file mode 100644 index 0000000..c5a6880 --- /dev/null +++ b/roles/harbor_config/tasks/main.yml 
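Review bot: Neither task in configure_scanall_schedule.yml sets `delegate_to: 127.0.0.1` / `become: false`, unlike every other API call in this role, so these two requests are issued from the managed host with the play's privilege escalation; if that is unintended, add the same two lines the other task files use. Accepting `412` on the POST and then PUTting when `create_scanschedule.status in [412]` relies on Harbor answering 412 for an existing schedule, which deserves a one-line comment such as `# 412: schedule already exists, fall through to UPDATE`. `scanschedule |to_json` has a stray space before the pipe; `scanschedule | to_json` matches the rest of the role.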
@@ -0,0 +1,59 @@ +--- + +### tags: +### harbor-configure-system +### harbor-configure-robots + +- name: "Check if harbor is up and running" + delegate_to: 127.0.0.1 + become: false + uri: + url: "{{ shared_service_url_harbor }}/api/v2.0/configurations" + user: '{{ harbor_admin_username }}' + password: '{{ harbor_admin_password }}' + method: GET + body_format: json + force_basic_auth: yes + status_code: [200] + register: check_harbor + delay: 10 + retries: 20 + until: check_harbor.status in [200] + +- name: "Configure harbor system configurations" + include_tasks: configure-system.yml + args: + apply: + tags: + - harbor-configure-system + tags: + - harbor-configure-system + +- name: "Create harbor projects with project template" + set_fact: + harbor_projects: "{{ ( harbor_projects | default([]) ) + [ harbor_project_template ] }}" + loop: '{{ harbor_project_names }}' + loop_control: + loop_var: project_name + when: + - harbor_project_names is defined + +- name: "Update harbor projects" + include_tasks: configure_project.yml + loop: '{{ harbor_projects }}' + loop_control: + loop_var: project + +- name: "CRUD - robot tokens" + include_tasks: configure_robot_tokens.yml + loop: '{{ harbor_robot_tokens }}' + loop_control: + loop_var: robot_token + tags: + - harbor-configure-robots + +- name: "CRUD - scanall schedule" + include_tasks: configure_scanall_schedule.yml + loop: '{{ harbor_scanall }}' + loop_control: + loop_var: scanschedule diff --git a/roles/harbor_config/templates/harbor-project-member.json.j2 b/roles/harbor_config/templates/harbor-project-member.json.j2 new file mode 100644 index 0000000..3f25846 --- /dev/null +++ b/roles/harbor_config/templates/harbor-project-member.json.j2 @@ -0,0 +1,7 @@ +{ + "role_id": {{ role_id }}, + "member_group": { + "group_name": "{{ member.group_name }}", + "group_type": {{ group_type }} + } +} \ No newline at end of file 
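Review bot: "CRUD - robot tokens" loops `include_tasks` over `harbor_robot_tokens` without a `loop_control: label`, and Ansible prints each loop item on the include line, so any `secret` declared in a token definition appears in plain play output; `loop_control: {loop_var: robot_token, label: "{{ robot_token.name }}"}` limits the echo to the name. That loop and "CRUD - scanall schedule" also reference `harbor_robot_tokens` / `harbor_scanall` without the `is defined` guard or `| default([])` that the project loop gets, so a stage that declares no robots or schedule fails instead of skipping. The included file name `configure-system.yml` uses a hyphen while every other task file in this role uses underscores.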
diff --git a/roles/harbor_realm/defaults/main.yml b/roles/harbor_realm/defaults/main.yml index 7bc00a4..1556c5e 100644 --- a/roles/harbor_realm/defaults/main.yml +++ b/roles/harbor_realm/defaults/main.yml 
@@ -1,56 +1,44 @@ --- +current_realm_name: "{{ harbor_oidc_realm }}" -current_realm_clients: [ - { - name: "{{ harbor_oidc_client_id }}", - clientId: "{{ harbor_oidc_client_id }}", - admin_url: "{{ http_s }}://{{ shared_service_hostname_harbor }}", - root_url: "{{ http_s }}://{{ shared_service_hostname_harbor }}", - redirect_uris: [ - "{{ http_s }}://{{ shared_service_hostname_harbor }}/*" - ], - secret: "{{ harbor_oidc_client_secret }}", - web_origins: [ - "{{ http_s }}://{{ shared_service_hostname_harbor }}" - ] - } -] - -current_realm_groups: [ - { - "name": "awx", - }, - { - "name": "admin", - }, - { - "name": "smardigo", - }, -] +current_realm_clients: + - name: "{{ harbor_oidc_client_id }}" + clientId: "{{ harbor_oidc_client_id }}" + admin_url: "{{ http_s }}://{{ shared_service_hostname_harbor }}" + root_url: "{{ http_s }}://{{ shared_service_hostname_harbor }}" + redirect_uris: + - "{{ http_s }}://{{ shared_service_hostname_harbor }}/*" + secret: "{{ harbor_oidc_client_secret }}" + web_origins: + - "{{ http_s }}://{{ shared_service_hostname_harbor }}" current_realm_users: - username: "{{ harbor_oidc_admin_username }}" password: "{{ harbor_oidc_admin_password }}" email: "{{ harbor_oidc_admin_email }}" + firstName: "Netgo" + lastName: "Administrator" requiredActions: [] current_realm_admin_users: - - username: "{{ harbor_oidc_admin_username }}" - password: "{{ harbor_oidc_admin_password }}" + - username: "harbor-realm-admin" + password: "{{ infrastructure_realm_admin_password_vault }}" email: "{{ harbor_oidc_admin_email }}" + firstName: "Netgo" + lastName: "Administrator" requiredActions: [] -current_user_groupmembership: [ - { - "username": "{{ harbor_oidc_admin_username }}", - "destination_group": "awx", - }, - { - "username": "{{ harbor_oidc_admin_username }}", - "destination_group": "admin", - }, - { - "username": "{{ harbor_oidc_admin_username }}", - "destination_group": "smardigo", - } -] +current_realm_groups: + - name: "awx" + - name: "admin" + - name: 
"smardigo" + +current_user_groupmembership: + - username: "{{ harbor_oidc_admin_username }}" + destination_group: "awx" + - username: "{{ harbor_oidc_admin_username }}" + destination_group: "admin" + - username: "{{ harbor_oidc_admin_username }}" + destination_group: "smardigo" + +keycloak_force_prune: true diff --git a/roles/harbor_realm/tasks/main.yml b/roles/harbor_realm/tasks/main.yml index 8a09695..def7d66 100644 --- a/roles/harbor_realm/tasks/main.yml +++ b/roles/harbor_realm/tasks/main.yml @@ -1,41 +1,4 @@ --- - -- name: "Setup realm for {{ inventory_hostname }}" +- name: "Setup realm for <{{ current_realm_name }}>" include_role: - name: keycloak - tasks_from: _authenticate - -- name: "Setup realm for {{ inventory_hostname }}" - include_role: - name: keycloak - tasks_from: _configure_realm - vars: - current_realm_password_policy: '' - -- name: "Create realm users" - include_role: - name: keycloak - tasks_from: _create_realm_groups - -- name: "Create realm users" - include_role: - name: keycloak - tasks_from: _create_realm_users - -- name: "Create realm admin" - include_role: - name: keycloak - tasks_from: _create_realm_admin - -- name: "Create user group mappings" - include_role: - name: keycloak - tasks_from: _configure_user_groupmembership_crud - vars: - realm_name: '{{ current_realm_name }}' - bearer_token: '{{ access_token }}' - username: '{{ item.username }}' - destination_group: '{{ item.destination_group }}' - loop: "{{ current_user_groupmembership }}" - loop_control: - label: "{{ item.username }} >> {{ item.destination_group }}" + name: keycloak_realm diff --git a/roles/harbor_realm/vars/main.yml b/roles/harbor_realm/vars/main.yml deleted file mode 100644 index ed97d53..0000000 --- a/roles/harbor_realm/vars/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/iam/defaults/main.yml b/roles/iam/defaults/main.yml deleted file mode 100644 index 4a69e12..0000000 --- a/roles/iam/defaults/main.yml +++ /dev/null 
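Review bot: `keycloak_force_prune: true` at the end of the harbor_realm defaults enables the "Deleting realm" task in roles/keycloak_realm/tasks/main.yml, which runs `state: absent` on `current_realm_name` and is tagged `always`; every run of this role therefore drops and recreates the harbor realm, with its users, groups and sessions, regardless of tag selection. A destructive switch like this belongs in an explicit `-e keycloak_force_prune=true` or a stage variable, with the role default left at `false` as keycloak_realm/defaults sets it. The new `harbor-realm-admin` entry reuses `infrastructure_realm_admin_password_vault`, the same value the removed infrastructure realm admin used; a separate vaulted password per realm admin keeps a compromise of one realm from reaching the other.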
@@ -1,3 +0,0 @@ ---- - -iam_image_name: '{{ shared_service_hostname_harbor }}/smardigo/iam-app' diff --git a/roles/iam/tasks/main.yml b/roles/iam/tasks/main.yml index 19b7985..4a025f8 100644 --- a/roles/iam/tasks/main.yml +++ b/roles/iam/tasks/main.yml @@ -13,3 +13,5 @@ current_dns_entries : "{{ iam_public_dns_entries | default([]) }}" current_service_id : "{{ iam_id }}" current_service_docker : "{{ iam_docker }}" + tags: + - update_deployment diff --git a/roles/infrastructure_realm/defaults/main.yml b/roles/infrastructure_realm/defaults/main.yml deleted file mode 100644 index 5f6cb62..0000000 --- a/roles/infrastructure_realm/defaults/main.yml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- - -infrastructure_realm_name: "infrastructure" - -argocd_server_url: "{{ http_s}}://{{ stage }}-argocd.{{ domain }}" -shared_service_url_keycloak: "{{ http_s}}://{{ stage }}-keycloak-01-keycloak.{{ domain }}" - -current_realm_name: "{{ infrastructure_realm_name }}" -shared_service_mail_hostname: "not_available" -current_realm_password_policy: "" - -argocd_admin_username: "argocd-admin" - -current_realm_clients: [ - { - name: "argocd", - clientId: "argocd", - base_url: "/applications", - admin_url: "{{ argocd_server_url }}/", - root_url: "{{ argocd_server_url }}/", - redirect_uris: "{{ argocd_server_url }}/auth/callback", - secret: "{{ argocd_keycloak_client_secret_vault }}", - web_origins: "{{ argocd_server_url }}/", - default_client_scopes: "{{ keycloak_default_client_scopes + ['groups'] }}" - } -] - -current_realm_users: - - username: "{{ argocd_admin_username }}" - password: "{{ argocd_admin_password_vault }}" - email: "{{ argocd_admin_email }}" - firstName: "Netgo" - lastName: "Administrator" - requiredActions: [] - -current_realm_admin_users: - - username: "infrastructure-realm-admin" - password: "{{ infrastructure_realm_admin_password_vault }}" - email: "{{ argocd_admin_email }}" - firstName: "Netgo" - lastName: "Administrator" - requiredActions: [] - -current_realm_groups: - - name: "argocd-admins" - -current_user_groupmembership: - - username: "argocd-admin" - destination_group: "argocd-admins" - -current_realm_clientscopes: - - name: "groups" - realm_name: "{{ infrastructure_realm_name }}" - protocol: "openid-connect" diff --git a/roles/infrastructure_realm/tasks/main.yml b/roles/infrastructure_realm/tasks/main.yml deleted file mode 100644 index 8a09695..0000000 --- a/roles/infrastructure_realm/tasks/main.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- - -- name: "Setup realm for {{ inventory_hostname }}" - include_role: - name: keycloak - tasks_from: _authenticate - -- name: "Setup realm for {{ inventory_hostname }}" - include_role: - name: keycloak - tasks_from: _configure_realm - vars: - current_realm_password_policy: '' - -- name: "Create realm users" - include_role: - name: keycloak - tasks_from: _create_realm_groups - -- name: "Create realm users" - include_role: - name: keycloak - tasks_from: _create_realm_users - -- name: "Create realm admin" - include_role: - name: keycloak - tasks_from: _create_realm_admin - -- name: "Create user group mappings" - include_role: - name: keycloak - tasks_from: _configure_user_groupmembership_crud - vars: - realm_name: '{{ current_realm_name }}' - bearer_token: '{{ access_token }}' - username: '{{ item.username }}' - destination_group: '{{ item.destination_group }}' - loop: "{{ current_user_groupmembership }}" - loop_control: - label: "{{ item.username }} >> {{ item.destination_group }}" diff --git a/roles/infrastructure_realm/vars/main.yml b/roles/infrastructure_realm/vars/main.yml deleted file mode 100644 index ed97d53..0000000 --- a/roles/infrastructure_realm/vars/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index fd86150..5130840 100644 --- a/roles/keycloak/defaults/main.yml +++ b/roles/keycloak/defaults/main.yml @@ -8,11 +8,17 @@ keycloak_image: "{{ shared_service_hostname_harbor }}/smardigo/keycloak" keycloak_default_client_scopes: - web-origins - profile - - roles - email keycloak_optional_client_scopes: - address - phone - - offline_access - - microprofile-jwt + - roles + - groups + +keycloak_realm_clientscopes: + - name: "groups" + realm_name: "{{ argocd_oidc_realm }}" + protocol: "openid-connect" + +keycloak_force_prune: false diff --git a/roles/keycloak/tasks/_authenticate.yml b/roles/keycloak/tasks/_authenticate.yml index dacbe74..cfb681a 100644 
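Review bot: The new `keycloak_realm_clientscopes` default pins `realm_name: "{{ argocd_oidc_realm }}"`, and _configure_realm.yml (hunk in this commit) now falls back to it via `current_realm_clientscopes | default(keycloak_realm_clientscopes)`; any realm that does not set `current_realm_clientscopes` — the harbor realm defaults in this commit do not — therefore gets its `groups` scope created in the argocd realm rather than in the realm being configured. `realm_name: "{{ current_realm_name }}"` is the value the fallback needs. `keycloak_force_prune: false` is now declared both here and in roles/keycloak_realm/defaults/main.yml, which works but leaves two places to keep in sync.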
--- a/roles/keycloak/tasks/_authenticate.yml +++ b/roles/keycloak/tasks/_authenticate.yml @@ -6,14 +6,18 @@ url: "{{ shared_service_url_keycloak }}/auth/realms/master/protocol/openid-connect/token" method: POST body_format: form-urlencoded - body: 'username={{ keycloak_admin_username }}&password={{ keycloak_admin_password }}&client_id=admin-cli&grant_type=password' + body: 'username={{ keycloak_admin_username | urlencode() }}&password={{ keycloak_admin_password | urlencode() }}&client_id=admin-cli&grant_type=password' register: keycloak_authentication retries: 5 delay: 5 + tags: + - always - name: "Saving access_token as variable (fact)" set_fact: access_token: "{{ keycloak_authentication.json.access_token }}" + tags: + - always - name: "Printing access_token for keycloak server" debug: diff --git a/roles/keycloak/tasks/_configure_realm.yml b/roles/keycloak/tasks/_configure_realm.yml index d559fe8..09f9de6 100644 --- a/roles/keycloak/tasks/_configure_realm.yml +++ b/roles/keycloak/tasks/_configure_realm.yml @@ -10,9 +10,9 @@ auth_username: "{{ keycloak_admin_username }}" auth_password: "{{ keycloak_admin_password }}" auth_keycloak_url: "{{ shared_service_url_keycloak }}/auth" - account_theme: "smardigo-theme" - admin_theme: "smardigo-theme" - login_theme: "smardigo-theme" + account_theme: "{{ keycloak_default_theme }}" + admin_theme: "{{ keycloak_default_theme }}" + login_theme: "{{ keycloak_default_theme }}" registration_allowed: no reset_password_allowed: yes login_with_email_allowed: no @@ -47,7 +47,7 @@ name: "{{ clientscope.name }}" realm: "{{ clientscope.realm_name }}" protocol: "{{ clientscope.protocol }}" - with_items: "{{ current_realm_clientscopes | default([]) }}" + with_items: "{{ current_realm_clientscopes | default(keycloak_realm_clientscopes) }}" loop_control: loop_var: clientscope diff --git a/roles/keycloak/tasks/_create_realm_groups.yml b/roles/keycloak/tasks/_create_realm_groups.yml index a4f159c..6e95064 100644 
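Review bot: The authentication uri task still sends the admin password inside `body:` (now url-encoded), and `body` is not a masked parameter of the uri module, so once the five retries are exhausted the failure output lists the module arguments with `keycloak_admin_password` in clear; `no_log: true` on this task keeps it, and the access token in the registered result, out of logs. The `urlencode()` change itself is right and fixes passwords containing `&`, `%` or `+`. The "Printing access_token" debug task that follows continues outside the hunk.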
--- a/roles/keycloak/tasks/_create_realm_groups.yml +++ b/roles/keycloak/tasks/_create_realm_groups.yml @@ -53,7 +53,7 @@ Content-Type: "application/json" Authorization: "Bearer {{ access_token }}" status_code: [201] - with_items: "{{ current_realm_groups }}" + with_items: "{{ current_realm_groups | default([]) }}" when: current_realm_group.name not in realm_groupnames loop_control: loop_var: current_realm_group diff --git a/roles/keycloak/tasks/_delete_client.yml b/roles/keycloak/tasks/_delete_client.yml index b62b858..b8d2b4f 100644 --- a/roles/keycloak/tasks/_delete_client.yml +++ b/roles/keycloak/tasks/_delete_client.yml @@ -5,17 +5,12 @@ # realm_name := name of the realm to delete the client from # client_name := client name to delete -- name: "Authenticate with Keycloak server" - uri: - url: "{{ shared_service_url_keycloak }}/auth/realms/master/protocol/openid-connect/token" - method: POST - body_format: form-urlencoded - body: 'username={{ keycloak_admin_username }}&password={{ keycloak_admin_password }}&client_id=admin-cli&grant_type=password' - retries: 5 - delay: 5 - register: keycloak_authentication - delegate_to: 127.0.0.1 - become: false +- name: "Authenticate on keycloak for {{ inventory_hostname }}" + include_role: + name: keycloak + tasks_from: _authenticate + tags: + - always - name: "Read clients from realm {{ realm_name }}" uri: diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index 6f7a881..91fbbc2 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml @@ -37,6 +37,8 @@ current_owner: "{{ docker_owner }}" current_group: "{{ docker_group }}" current_docker: "{{ keycloak_docker }}" + tags: + - update_deployment - name: "Deploy service templates for {{ inventory_hostname }}" include_role: 
@@ -48,6 +50,8 @@ current_destination: "{{ inventory_hostname }}" current_owner: "{{ docker_owner }}" current_group: "{{ docker_group }}" + tags: + - update_deployment - name: "Start {{ inventory_hostname }}" community.docker.docker_compose: @@ -57,36 +61,20 @@ tags: - update_deployment -- name: "Setting local keycloak url" - set_fact: - shared_service_url_keycloak: "http://localhost:{{ service_port_keycloak_external }}" - when: "'keycloak' in group_names" - - name: "Wait for " wait_for: host: "localhost" port: '{{ service_port_keycloak_external }}' delay: 60 - -- name: "Authenticate with Keycloak server" - uri: - url: "{{ shared_service_url_keycloak }}/auth/realms/master/protocol/openid-connect/token" - method: POST - body_format: form-urlencoded - body: 'username={{ keycloak_admin_username }}&password={{ keycloak_admin_password }}&client_id=admin-cli&grant_type=password' - retries: 5 - delay: 5 - register: keycloak_authentication tags: - - update_realms + - update_deployment -- name: "Printing master realm access_token" - debug: - msg: "{{ keycloak_authentication.json.access_token }}" +- name: "Authenticate on keycloak for {{ inventory_hostname }}" + include_role: + name: keycloak + tasks_from: _authenticate tags: - - always - when: - - debug + - update_realms - name: "Setting smardigo-theme for master realm" community.general.keycloak_realm: @@ -97,9 +85,9 @@ auth_username: "{{ keycloak_admin_username }}" auth_password: "{{ keycloak_admin_password }}" auth_keycloak_url: "{{ shared_service_url_keycloak }}/auth" - account_theme: "smardigo-theme" - admin_theme: "smardigo-theme" - login_theme: "smardigo-theme" + account_theme: "{{ keycloak_default_theme }}" + admin_theme: "{{ keycloak_default_theme }}" + login_theme: "{{ keycloak_default_theme }}" registration_allowed: no reset_password_allowed: no login_with_email_allowed: no diff --git a/roles/keycloak/vars/main.yml b/roles/keycloak/vars/main.yml index 2797f3c..ee59fe3 100644 --- a/roles/keycloak/vars/main.yml 
+++ b/roles/keycloak/vars/main.yml @@ -28,14 +28,14 @@ keycloak_docker: { labels: "{{ keycloak_labels + ( keycloak_labels_additional | default([])) }}", command: "start", environment: [ - "KEYCLOAK_USER: \"{{ keycloak_admin_username }}\"", + "KEYCLOAK_ADMIN: \"{{ keycloak_admin_username }}\"", "KEYCLOAK_ADMIN_PASSWORD: \"{{ keycloak_admin_password }}\"", "KC_PROXY: \"edge\"", "KC_HOSTNAME: \"{{ stage_server_domain }}\"", "KC_DB: \"postgres\"", "KC_DB_USERNAME: \"{{ keycloak_postgres_username }}\"", "KC_DB_PASSWORD: \"{{ keycloak_postgres_password }}\"", - "KC_DB_URL: \"jdbc:postgresql://{{ shared_service_postgres_01_hostname }}:{{ service_port_postgres }}/{{ keycloak_postgres_database }}?sslmode=require\"" + "KC_DB_URL: \"jdbc:postgresql://{{ shared_service_postgres_primary }}:{{ service_port_postgres }}/{{ keycloak_postgres_database }}?sslmode=require\"" ], networks: [ '"front-tier"', diff --git a/roles/keycloak_realm/defaults/main.yml b/roles/keycloak_realm/defaults/main.yml new file mode 100644 index 0000000..062bd20 --- /dev/null +++ b/roles/keycloak_realm/defaults/main.yml @@ -0,0 +1,2 @@ +--- +keycloak_force_prune: false diff --git a/roles/keycloak_realm/tasks/main.yml b/roles/keycloak_realm/tasks/main.yml new file mode 100644 index 0000000..0d90cbb --- /dev/null +++ b/roles/keycloak_realm/tasks/main.yml 
@@ -0,0 +1,78 @@ +--- + +- name: "Authenticate on keycloak for {{ inventory_hostname }}" + include_role: + name: keycloak + tasks_from: _authenticate + +- name: "Deleting realm <{{ current_realm_name }}>" + community.general.keycloak_realm: + id: "{{ current_realm_name }}" + realm: "{{ current_realm_name }}" + auth_realm: "master" + auth_client_id: "admin-cli" + auth_username: "{{ keycloak_admin_username }}" + auth_password: "{{ keycloak_admin_password }}" + auth_keycloak_url: "{{ shared_service_url_keycloak }}/auth" + state: absent + tags: + - always + when: + - keycloak_force_prune + +- name: "Setup realm for {{ inventory_hostname }}" + include_role: + name: keycloak + tasks_from: _configure_realm + +- name: "Create realm users" + include_role: + name: keycloak + tasks_from: _create_realm_groups + +- name: "Create realm users" + include_role: + name: keycloak + tasks_from: _create_realm_users + +- name: "Create realm admin" + include_role: + name: keycloak + tasks_from: _create_realm_admin + +- name: "Create user group mappings" + include_role: + name: keycloak + tasks_from: _configure_user_groupmembership_crud + vars: + realm_name: '{{ current_realm_name }}' + bearer_token: '{{ access_token }}' + username: '{{ item.username }}' + destination_group: '{{ item.destination_group }}' + loop: "{{ current_user_groupmembership | default([]) }}" + loop_control: + label: "{{ item.username }} >> {{ item.destination_group }}" + +- name: "Create custom clientscope mappers" + delegate_to: 127.0.0.1 + become: false + community.general.keycloak_clientscope: + auth_client_id: "admin-cli" + auth_keycloak_url: "{{ shared_service_url_keycloak }}/auth" + auth_realm: "master" + auth_username: "{{ keycloak_admin_username }}" + auth_password: "{{ keycloak_admin_password }}" + name: "groups" + realm: "{{ current_realm_name }}" + protocol: "openid-connect" + protocol_mappers: + # add custom group mapper to avoid paths in group names + - name: "groups" + protocol: "openid-connect" + 
protocolMapper: "oidc-group-membership-mapper" + config: + access.token.claim: true + claim.name: "groups" + full.path: false + id.token.claim: true + userinfo.token.claim: true diff --git a/roles/kubernetes/argocd/defaults/main.yml b/roles/kubernetes/argocd/defaults/main.yml deleted file mode 100644 index c2bd5a9..0000000 --- a/roles/kubernetes/argocd/defaults/main.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- - -argo_realm_name: &argoname 'argocd' -argo_realm_display_name: *argoname - -argo_realm_group: argoadmins # shouldn't be 'admin' due to default adminuser called 'admin' in argo -argo_keycloak_clientscope_protocol: openid-connect -argo_keycloak_clientscope_name: groups -argo_client_id: *argoname - -argo_client_root_url: 'https://{{ shared_service_kube_argocd_hostname }}' -argo_client_redirect_uris: - - 'https://{{ shared_service_kube_argocd_hostname }}/auth/callback' -argo_client_base_url: '/applications' -argo_client_admin_url: 'https://{{ shared_service_kube_argocd_hostname }}' -argo_client_web_origins: - - 'https://{{ shared_service_kube_argocd_hostname }}' - -argo_realm_users: [ - { - "username": "{{ argocd_admin_username }}", - "password": "{{ argocd_admin_password }}", - "requiredActions": [] - } -] diff --git a/roles/kubernetes/argocd/tasks/main.yml b/roles/kubernetes/argocd/tasks/main.yml index f564aa5..6094d68 100644 --- a/roles/kubernetes/argocd/tasks/main.yml +++ b/roles/kubernetes/argocd/tasks/main.yml 
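Review bot: "Create custom clientscope mappers" hardcodes `name: "groups"` with a single `oidc-group-membership-mapper`, while _configure_realm.yml in the same commit already creates the `groups` clientscope from `current_realm_clientscopes | default(keycloak_realm_clientscopes)`; two tasks now own the same scope, and a realm whose clientscope list names something else still receives a `groups` scope with this mapper. Driving this task from the same list (loop over it with `name: "{{ item.name }}"`) keeps one source of truth. The groups task is named "Create realm users" like the one below it; `"Create realm groups"` is what it does.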
@@ -1,208 +1,4 @@ --- - -- name: "Do some stuff with keycloak as OIDC provider" - block: - - name: "Login with keycloak-admin" - include_role: - name: keycloak - tasks_from: _authenticate - args: - apply: - tags: - - argo-cd - tags: - - argo-cd - - - name: "Setup keycloak-realm for argocd" - include_role: - name: keycloak - tasks_from: _configure_realm - vars: - current_realm_name: '{{ argo_realm_name }}' - current_realm_display_name: '{{ argo_realm_display_name }}' - create_client: False - current_realm_password_policy: '' - when: - - inventory_hostname == groups['kube_control_plane'][0] - args: - apply: - tags: - - argo-cd - tags: - - argo-cd - - - name: "Create a Keycloak group, authentication with credentials" - include_role: - name: keycloak - tasks_from: _create_realm_groups - vars: - current_realm_name: '{{ argo_realm_name }}' - current_realm_display_name: '{{ argo_realm_display_name }}' - current_realm_groups: - - name: "{{ argo_realm_group }}" - when: - - inventory_hostname == groups['kube_control_plane'][0] - args: - apply: - tags: - - argo-cd - tags: - - argo-cd - - - name: "Create keycloak user(s)" - include_role: - name: keycloak - tasks_from: _create_realm_users - vars: - current_realm_name: '{{ argo_realm_name }}' - current_realm_users: '{{ argo_realm_users }}' - when: - - inventory_hostname == groups['kube_control_plane'][0] - args: - apply: - tags: - - argo-cd - tags: - - argo-cd - - - name: "ADD user group mapping" - include_role: - name: keycloak - tasks_from: _configure_user_groupmembership_crud - vars: - username: '{{ argocd_admin_username }}' - destination_group: '{{ argo_realm_group }}' - realm_name: '{{ argo_realm_name }}' - bearer_token: '{{ access_token }}' - when: - - inventory_hostname == groups['kube_control_plane'][0] - args: - apply: - tags: - - argo-cd - tags: - - argo-cd - - - name: "Create keycloak clientscope" - delegate_to: localhost - become: False - community.general.keycloak_clientscope: - auth_client_id: admin-cli - 
auth_keycloak_url: "{{ shared_service_url_keycloak }}/auth" - auth_realm: 'master' - auth_username: "{{ keycloak_admin_username }}" - auth_password: "{{ keycloak_admin_password }}" - name: '{{ argo_keycloak_clientscope_name }}' - realm: '{{ argo_realm_name }}' - protocol: '{{ argo_keycloak_clientscope_protocol }}' - protocol_mappers: - - config: - access.token.claim: True - claim.name: '{{ argo_keycloak_clientscope_name }}' - full.path: False # set it to true and you will be DAMNED => groupname for argo k8s configmap argocd-rbac-cm will be "/{{ group_name }}" !!!! instead of "{{ group_name }}" - id.token.claim: True - userinfo.token.claim: True - name: '{{ argo_keycloak_clientscope_name }}' - protocol: openid-connect - protocolMapper: oidc-group-membership-mapper - when: - - inventory_hostname == groups['kube_control_plane'][0] - tags: - - argo-cd - - # using template from exported keycloak client object - # due to needed params but missing in community.general.keycloak_client - # e.g. defaultClientScopes - - name: "Create json object as VAR from template" - set_fact: - keycloak_realm_create_client: "{{ lookup('template','keycloak-realm-create-client-argocd.json.j2') }}" - vars: - client_redirect_uri: '{{ argo_client_redirect_uris }}' - client_web_origins: '{{ argo_client_web_origins }}' - client_id: '{{ argo_client_id }}' - realm_name: '{{ argo_realm_name }}' - client_root_url: '{{ argo_client_root_url }}' - client_admin_url: '{{ argo_client_admin_url }}' - client_base_url: '{{ argo_client_base_url }}' - keycloak_clientscope_name: '{{ argo_keycloak_clientscope_name }}' - keycloak_clientscope_protocol: '{{ argo_keycloak_clientscope_protocol }}' - keycloak_client_secret: '{{ argo_keycloak_client_secret }}' - tags: - - argo-cd - - # throw needed VARs against keycloak API - # to CRUD - - name: "Create client" - include_role: - name: keycloak - tasks_from: _configure_client_crud - vars: - client_id: '{{ argo_client_id }}' - realm_name: '{{ argo_realm_name }}' - 
keycloak_client_object: '{{ keycloak_realm_create_client }}' - bearer_token: '{{ access_token }}' - when: - - inventory_hostname == groups['kube_control_plane'][0] - args: - apply: - tags: - - argo-cd - tags: - - argo-cd - - - name: "GET available clients from <<{{ argo_realm_name }}>>-realm" - delegate_to: localhost - become: False - uri: - url: "{{ shared_service_url_keycloak }}/auth/admin/realms/{{ argo_realm_name }}/clients" - method: GET - headers: - Content-Type: "application/json" - Authorization: "Bearer {{ access_token }}" - status_code: [200] - register: argo_realm_clients - when: - - inventory_hostname == groups['kube_control_plane'][0] - tags: - - argo-cd - - # available clients: get needed ID - - name: "Get ID of client by paring argo_realm_clients object" - set_fact: - id_of_client: '{{ ( argo_realm_clients.json | selectattr("clientId","equalto",argo_client_id ) | first ).id }}' - when: - - inventory_hostname == groups['kube_control_plane'][0] - tags: - - argo-cd - - - name: "GET client-secret for client <<{{ argo_client_id }}>> in realm <<{{ argo_realm_name }}>>" - delegate_to: localhost - become: False - uri: - url: "{{ shared_service_url_keycloak }}/auth/admin/realms/{{ argo_realm_name }}/clients/{{ id_of_client }}/client-secret" - method: GET - headers: - Content-Type: "application/json" - Authorization: "Bearer {{ access_token }}" - status_code: [200] - register: client_secret - when: - - inventory_hostname == groups['kube_control_plane'][0] - tags: - - argo-cd - - - name: "DEBUG" - debug: - msg: "DEBUGGING: {{ client_secret.json.value }}" - when: - - debug - - inventory_hostname == groups['kube_control_plane'][0] - tags: - - argo-cd - when: - - k8s_argocd_with_keycloak - # end of block statement - - name: "Create namespace <{{ k8s_argocd_helm__release_namespace }}>" become: yes kubernetes.core.k8s: 
@@ -241,7 +37,6 @@ extra: oidc.keycloak.clientSecret: '{{ client_secret.json.value }}' when: - - k8s_argocd_with_keycloak - inventory_hostname == groups['kube_control_plane'][0] tags: - argo-cd diff --git a/roles/kubernetes/argocd/templates/keycloak-realm-create-client-argocd.json.j2 b/roles/kubernetes/argocd/templates/keycloak-realm-create-client-argocd.json.j2 deleted file mode 100644 index bb15567..0000000 --- a/roles/kubernetes/argocd/templates/keycloak-realm-create-client-argocd.json.j2 +++ /dev/null 
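Review bot: `oidc.keycloak.clientSecret: '{{ client_secret.json.value }}'` is now rendered whenever the host is the first control-plane node, but the `uri` task that registered `client_secret` (`GET client-secret for client …`) was deleted in this file's first hunk together with the `k8s_argocd_with_keycloak` gate; unless `client_secret` is now supplied from group_vars or another role, this template references an undefined variable and the task fails. If the secret now comes from a plain variable, it should be referenced by that variable name rather than through the `.json.value` shape of a registered HTTP response, and the task should carry `no_log: true` since the value is a client secret. The enclosing task starts before this hunk.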
@@ -1,86 +0,0 @@ -#jinja2: trim_blocks:False -{ - "clientId": "{{ client_id }}", - "rootUrl": "{{ client_root_url }}", - "adminUrl": "{{ client_admin_url }}", - "baseUrl": "{{ client_base_url | default('') }}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ -{% for uri in client_redirect_uri %} - "{{ uri }}", -{% endfor %} - ], - "webOrigins": [ -{% for uri in client_web_origins %} - "{{ uri }}" -{% endfor %} - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "{{ keycloak_clientscope_protocol }}", - "attributes": { - "saml.assertion.signature": "false", - "id.token.as.detached.signature": "false", - "access.token.lifespan": "{{ keycloak_accesstoken_ttl | default(3600) }}", - "saml.multivalued.roles": "false", - "saml.force.post.binding": "false", - "saml.encrypt": "false", - "oauth2.device.authorization.grant.enabled": "false", - "saml.server.signature": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature.keyinfo.ext": "false", - "use.refresh.tokens": "true", - "exclude.session.state.from.auth.response": "false", - "oidc.ciba.grant.enabled": "false", - "saml.artifact.binding": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "name": "docker-v2-allow-all-mapper", 
- "protocol": "docker-v2", - "protocolMapper": "docker-v2-allow-all-mapper", - "consentRequired": false, - "config": {} - } - ], - "defaultClientScopes": [ - "web-origins", - "profile", - "roles", - "{{ keycloak_clientscope_name }}", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ], - "access": { - "view": true, - "configure": true, - "manage": true - }, - "secret": '{{ keycloak_client_secret }}' -} diff --git a/roles/kubernetes/awx/tasks/awx-config.yml b/roles/kubernetes/awx/tasks/awx-config.yml index 31df774..0e690cd 100644 --- a/roles/kubernetes/awx/tasks/awx-config.yml +++ b/roles/kubernetes/awx/tasks/awx-config.yml @@ -365,7 +365,7 @@ vars: name: "hetzner-ansible" description: "hetzner-ansible" - image: "{{ shared_service_hostname_harbor }}/awx/awx-custom-ee" + image: "{{ awx_custom_ee_image }}" credential: "{{ awx_credential_harbor_id }}" pull: "always" uri: diff --git a/roles/kubernetes/bootstrap/tasks/main.yml b/roles/kubernetes/bootstrap/tasks/main.yml index a572eb4..e1e0da9 100644 --- a/roles/kubernetes/bootstrap/tasks/main.yml +++ b/roles/kubernetes/bootstrap/tasks/main.yml @@ -1,12 +1,10 @@ --- - - name: Setup gitea Secret become: yes kubernetes.core.k8s: state: present template: 'gitea-secret.j2' when: - - argocd_bootstrap_infrastructure - inventory_hostname == groups['kube_control_plane'][0] tags: - argo-cd @@ -17,7 +15,6 @@ state: present template: 'harbor-secret.j2' when: - - argocd_bootstrap_infrastructure - inventory_hostname == groups['kube_control_plane'][0] tags: - argo-cd @@ -28,7 +25,6 @@ state: present template: 'bootstrap-application.j2' when: - - argocd_bootstrap_infrastructure - inventory_hostname == groups['kube_control_plane'][0] tags: - argo-cd @@ -39,7 +35,6 @@ state: present template: 'project-infrastructure.j2' when: - - argocd_bootstrap_infrastructure - inventory_hostname == groups['kube_control_plane'][0] tags: - argo-cd 
diff --git a/roles/logstash/vars/main.yml b/roles/logstash/vars/main.yml index f26aa15..e38a80c 100644 --- a/roles/logstash/vars/main.yml +++ b/roles/logstash/vars/main.yml 
@@ -1,42 +1,37 @@ --- - logstash_id: "{{ inventory_hostname }}-logstash" -elastic_docker: { - volumes: [ - { - name: "{{ logstash_id }}-data" - } - ], - services: [ - { - name: "{{ logstash_id }}", - image_name: "{{ logstash_image_name }}", - image_version: "{{ elastic_logstash_version }}", - environment: [ - "log.format: \"json\"", - "node.name: \"{{ logstash_id }}\"", - "config.reload.automatic: \"true\"", - "pipeline.ecs_compatibility: v1", - "pipeline.ordered: \"false\"", - "xpack.monitoring.enabled: \"true\"", - "xpack.monitoring.elasticsearch.username: \"{{ elastic_admin_username }}\"", - "xpack.monitoring.elasticsearch.password: \"{{ elastic_admin_password }}\"", - "xpack.monitoring.elasticsearch.hosts: https://{{ shared_service_elastic_stack_01_hostname }}:9200", - "xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/certificates/ca/ca.crt", - ], - volumes: [ - '"{{ logstash_id }}-data:/usr/share/logstash/data"', - '"./config/logstash/pipeline:/usr/share/logstash/pipeline:ro"', - '"./certs:/usr/share/logstash/config/certificates:ro"', - ], - extra_hosts: "{{ elastic_extra_hosts | default([]) }}", - ports: [ +elastic_docker: + { + volumes: [{ name: "{{ logstash_id }}-data" }], + services: + [ { - external: "5044", - internal: "5044", + name: "{{ logstash_id }}", + image_name: "{{ logstash_image_name }}", + image_version: "{{ elastic_logstash_version }}", + environment: + [ + 'log.format: "json"', + 'node.name: "{{ logstash_id }}"', + 'config.reload.automatic: "true"', + "pipeline.ecs_compatibility: v1", + 'pipeline.ordered: "false"', + 'xpack.monitoring.enabled: "true"', + 'xpack.monitoring.elasticsearch.username: "{{ elastic_admin_username }}"', + 'xpack.monitoring.elasticsearch.password: "{{ elastic_admin_password }}"', + "xpack.monitoring.elasticsearch.hosts: https://{{ shared_service_elastic_stack_01_hostname }}:9200", + "xpack.monitoring.elasticsearch.ssl.certificate_authority: 
/usr/share/logstash/config/certificates/ca/ca.crt", + ], + volumes: + [ + '"{{ logstash_id }}-data:/usr/share/logstash/data"', + '"./config/logstash/pipeline:/usr/share/logstash/pipeline:ro"', + '"./certs:/usr/share/logstash/config/certificates:ro"', + ], + extra_hosts: "{{ elastic_extra_hosts | default([]) }}", + ports: + [{ external: "{{ service_port_logstash }}", internal: "5044" }], }, ], - }, - ], -} + } diff --git a/roles/management/defaults/main.yml b/roles/management/defaults/main.yml index b59a976..0a654c8 100644 --- a/roles/management/defaults/main.yml +++ b/roles/management/defaults/main.yml @@ -1,5 +1,40 @@ --- +tenant_id: "{{ management_oidc_realm }}" +cluster_name: "{{ management_oidc_client_id }}" + +connect_client_admin_username: "{{ management_admin_username }}" +connect_client_admin_password: "{{ management_admin_password }}" +connect_workflow_env: "baseUrl:{{ connect_base_url }};stage:{{ stage }};smardigoUserToken:{{ smardigo_auth_token_value }}" +connect_oidc_client_secret: "{{ management_oidc_client_secret }}" + +connect_config_delete_scope_enabled: true +connect_datasource_action_enabled: true +connect_element_template_enabled: true +connect_external_task_script_worker_enabled: true +connect_search_elastic_enabled: true +connect_swagger_enabled: true +connect_workflow_heatmap_enabled: true + +current_realm_clients: + - name: "{{ management_oidc_client_id }}" + clientId: "{{ management_oidc_client_id }}" + admin_url: "{{ shared_service_url_management }}/" + root_url: "{{ shared_service_url_management }}/" + redirect_uris: + - "{{ shared_service_url_management }}/*" + secret: "{{ management_oidc_client_secret }}" + web_origins: + - "{{ shared_service_url_management }}" + +current_realm_users: + - username: "{{ management_admin_username }}" + password: "{{ management_admin_password }}" + email: "{{ connect_admin_email }}" + requiredActions: [] + +current_realm_admin_users: [] + connect_connections: - id: "teams" name: "MS Teams" 
@@ -8,7 +43,7 @@ connect_connections: authType: "NO_AUTH" - id: "awx" name: "AWX" - url: "https://{{ shared_service_kube_awx_hostname }}/" + url: "https://{{ shared_service_kube_hostname_awx }}/" connectionType: "HTTP" authType: "BASIC_AUTH" username: "{{ awx_admin_username }}" @@ -21,15 +56,6 @@ connect_connections: username: "{{ harbor_admin_username }}" password: "{{ harbor_admin_password }}" -current_realm_users_base: -- username: "{{ management_admin_username }}" - password: "{{ management_admin_password }}" - email: "{{ connect_admin_email }}" - requiredActions: [] -current_realm_password_policy: '' - -connect_config_delete_scope_enabled: true - connect_configurations: - pmci - backup diff --git a/roles/management/tasks/main.yaml b/roles/management/tasks/main.yaml index 05a5fc5..a3e37c9 100644 --- a/roles/management/tasks/main.yaml +++ b/roles/management/tasks/main.yaml @@ -1,6 +1,7 @@ --- ### tags: +### update_deployment ### update_connections ### update_configurations @@ -20,19 +21,11 @@ tags: - always -- name: "Create database for <{{ inventory_hostname }}> if necessary" - include_role: - name: connect_postgres - vars: - ansible_ssh_host: "{{ stage }}-postgres-01.{{ domain }}" - -- name: "Create realm for <{{ inventory_hostname }}> if necessary" - include_role: - name: connect_realm - - name: "Create connect for <{{ inventory_hostname }}> if necessary" include_role: name: connect + tags: + - update_deployment - name: "Configure connect connections" include_tasks: connections.yml diff --git a/roles/pmci/tenant/create/tasks/main.yml b/roles/pmci/tenant/create/tasks/main.yml index c8371e5..c6eb8f2 100644 --- a/roles/pmci/tenant/create/tasks/main.yml +++ b/roles/pmci/tenant/create/tasks/main.yml @@ -1,6 +1,6 @@ --- -- name: "Authenticate on keycloak " +- name: "Authenticate on keycloak for {{ inventory_hostname }}" include_role: name: keycloak tasks_from: _authenticate 
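Review bot: The new `current_realm_clients` entry registers `redirect_uris: - "{{ shared_service_url_management }}/*"`, a wildcard that lets any path on the management host receive authorization codes; Keycloak accepts exact URIs, so listing the actual callback path(s) is the tighter choice and limits what an open redirect on that host could be used for. `connect_workflow_env` also inlines `smardigoUserToken:{{ smardigo_auth_token_value }}` into a plain string, so wherever that variable is rendered into a task or container environment the task should carry `no_log: true` to keep the token out of play output. Both are role defaults, so a stage-level override may already narrow them; that is not visible in this hunk.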
diff --git a/roles/pmci/tenant/delete/tasks/main.yml b/roles/pmci/tenant/delete/tasks/main.yml index c26b6f8..17eafeb 100644 --- a/roles/pmci/tenant/delete/tasks/main.yml +++ b/roles/pmci/tenant/delete/tasks/main.yml @@ -1,6 +1,6 @@ --- -- name: "Authenticate on keycloak " +- name: "Authenticate on keycloak for {{ inventory_hostname }}" include_role: name: keycloak tasks_from: _authenticate diff --git a/roles/pmci/tenant/edit/tasks/main.yml b/roles/pmci/tenant/edit/tasks/main.yml index c8371e5..c6eb8f2 100644 --- a/roles/pmci/tenant/edit/tasks/main.yml +++ b/roles/pmci/tenant/edit/tasks/main.yml @@ -1,6 +1,6 @@ --- -- name: "Authenticate on keycloak " +- name: "Authenticate on keycloak for {{ inventory_hostname }}" include_role: name: keycloak tasks_from: _authenticate diff --git a/roles/pmci/tenant/sync/tasks/main.yml b/roles/pmci/tenant/sync/tasks/main.yml index 2fdb804..1229db9 100644 --- a/roles/pmci/tenant/sync/tasks/main.yml +++ b/roles/pmci/tenant/sync/tasks/main.yml @@ -1,6 +1,6 @@ --- -- name: "Authenticate on keycloak " +- name: "Authenticate on keycloak for {{ inventory_hostname }}" include_role: name: keycloak tasks_from: _authenticate diff --git a/roles/pmci/tenant/sync/tasks/update_user_tenants.yml b/roles/pmci/tenant/sync/tasks/update_user_tenants.yml index 9910f00..572a6a5 100644 --- a/roles/pmci/tenant/sync/tasks/update_user_tenants.yml +++ b/roles/pmci/tenant/sync/tasks/update_user_tenants.yml 
@@ -1,10 +1,10 @@ --- -- name: "Reading users by username <{{ current_user_id }}> from realm <{{ management_realm_name }}>" +- name: "Reading users by username <{{ current_user_id }}> from realm <{{ management_oidc_realm }}>" delegate_to: 127.0.0.1 become: false uri: - url: "{{ shared_service_url_keycloak }}/auth/admin/realms/{{ management_realm_name }}/users?username={{ current_user_id }}" + url: "{{ shared_service_url_keycloak }}/auth/admin/realms/{{ management_oidc_realm }}/users?username={{ current_user_id }}" method: GET headers: Authorization: "Bearer {{ access_token }} " @@ -49,7 +49,7 @@ delegate_to: 127.0.0.1 become: false uri: - url: "{{ shared_service_url_keycloak }}/auth/admin/realms/{{ management_realm_name }}/users/{{ keycloak_user_id }}" + url: "{{ shared_service_url_keycloak }}/auth/admin/realms/{{ management_oidc_realm }}/users/{{ keycloak_user_id }}" method: PUT body_format: json body: '{"attributes": {{ keycloak_user_attributes }}}' diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 7e07538..43ef57c 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml @@ -93,8 +93,8 @@ method: GET status_code: 200 return_content: yes - register: grafana_dashboards - until: grafana_dashboards.status == 200 + register: grafana_dashboards_plain + until: grafana_dashboards_plain.status == 200 retries: 10 delay: 60 tags: @@ -102,7 +102,7 @@ - name: "Get all existing Dashboard uids" set_fact: - grafana_dashboards: "{{ grafana_dashboards.json | json_query('[].{uid: uid, type: type, title: title}') }}" + grafana_dashboards: "{{ grafana_dashboards_plain.json | json_query('[].{uid: uid, type: type, title: title}') }}" tags: - grafana-user-update diff --git a/roles/prometheus/vars/main.yml b/roles/prometheus/vars/main.yml index b797d6f..0708c08 100644 --- a/roles/prometheus/vars/main.yml +++ b/roles/prometheus/vars/main.yml 
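Review bot: `current_user_id` is interpolated unescaped into the query string in `url: ".../realms/{{ management_oidc_realm }}/users?username={{ current_user_id }}"`; a username containing `&`, `#`, `+` or a space changes the request Keycloak sees, so it should be `users?username={{ current_user_id | urlencode }}`. The same consideration applies to the path segment `users/{{ keycloak_user_id }}` in this file's second hunk if that id can ever be something other than a UUID.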
@@ -33,6 +33,7 @@ prometheus_docker: { name: "{{ prometheus_id }}", image_name: "{{ prometheus_image_name }}", image_version: "{{ prom_prometheus_version }}", + user: "root", labels: [ '"traefik.enable=true"', '"traefik.http.routers.{{ prometheus_id }}.service={{ prometheus_id }}"', diff --git a/roles/redis/tasks/main.yml b/roles/redis/tasks/main.yml deleted file mode 100644 index ddbd6c2..0000000 --- a/roles/redis/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: install redis - include_role: - name: geerlingguy.redis -- name: install redis-exporter - include_role: - name: idealista.prometheus_redis_exporter_role diff --git a/roles/service_state/defaults/main.yml b/roles/service_state/defaults/main.yml deleted file mode 100644 index ca17a6d..0000000 --- a/roles/service_state/defaults/main.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- - -service_state_commands: - - key: up - command: "docker-compose up -d" - - key: down - command: "docker-compose down" - - key: upgrade - command: "docker-compose pull && docker-compose down && docker-compose up -d" - -service_state_command: "{{ service_state_commands - | selectattr('key', 'match', service_state ) - | map(attribute='command') - | list - | first }}" \ No newline at end of file diff --git a/roles/service_state/tasks/main.yml b/roles/service_state/tasks/main.yml index 2e048df..78f91f2 100644 --- a/roles/service_state/tasks/main.yml +++ b/roles/service_state/tasks/main.yml 
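Review bot: `user: "root"` runs the Prometheus container as root, whereas the upstream image runs unprivileged (as `nobody`); if this was added to get past permission errors on the data volume, the usual fix is to chown the host directory to the container's uid (65534) or set `user:` to that uid rather than widening the container's privileges. Whatever the reason, it should be recorded on the line, e.g. `user: "root"  # TODO: <reason root is required>; prefer fixing volume ownership`. The surrounding `prometheus_docker` mapping starts and ends outside this hunk.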
@@ -2,16 +2,21 @@ ### tags: -- name: "Setting service state for <{{ service_id }}> to <{{ service_state }}>" - ansible.builtin.shell: "{{ service_state_command }}" # noqa command-instead-of-shell no-changed-when - args: - chdir: '{{ service_base_path }}/{{ service_id }}' - register: service_state_command_output +- name: "Setting service state of <{{ connect_id }}> to " + community.docker.docker_compose: + project_src: '{{ service_base_path }}/{{ connect_id }}' + state: present + when: service_state == 'up' -- name: "Printing service state stdout_lines" - debug: - msg: "{{ service_state_command_output }}" - delegate_to: 127.0.0.1 - become: false - when: - - debug +- name: "Setting service state of <{{ connect_id }}> to " + community.docker.docker_compose: + project_src: '{{ service_base_path }}/{{ connect_id }}' + state: absent + when: service_state == 'down' + +- name: "Setting service state of <{{ connect_id }}> to " + community.docker.docker_compose: + project_src: '{{ service_base_path }}/{{ connect_id }}' + restarted: yes + pull: yes + when: service_state == 'upgrade' diff --git a/roles/shared_service/defaults/main.yml b/roles/shared_service/defaults/main.yml deleted file mode 100644 index ed97d53..0000000 --- a/roles/shared_service/defaults/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/shared_service/tasks/main.yml b/roles/shared_service/tasks/main.yml index d8b2ec6..68ef2bc 100644 --- a/roles/shared_service/tasks/main.yml +++ b/roles/shared_service/tasks/main.yml @@ -1,16 +1,5 @@ --- -### params: -### current_service: gitea -### current_server_ip : 1.2.3.4 -### current_dns_entry : dev-gitea-01 -### current_dns_entries : ['dev-gitea'] -### service_base_path : /etc/smardigo/ -### current_service_id : dev-gitea-01-gitea -### current_service_docker : -### docker_owner : root -### docker_group : root - ### tags: ### update_deployment 
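Review bot: All three new task names are truncated, `"Setting service state of <{{ connect_id }}> to "`, apparently losing the `<{{ service_state }}>` suffix; since only one of the three identically named tasks runs per value, the play output no longer says which transition happened, so each should read `- name: "Setting service state of <{{ connect_id }}> to <{{ service_state }}>"`. `restarted: yes` and `pull: yes` should be `true` to match the lowercase booleans used elsewhere in this file. With the role's `defaults/main.yml` (and its `service_state_commands` lookup) deleted in the same commit, a `service_state` value outside up/down/upgrade now silently matches no task; an `ansible.builtin.assert` with `that: service_state in ['up', 'down', 'upgrade']` at the top would surface a typo. The project path variable also changed from `service_id` to `connect_id`, so any caller still passing `service_id` will hit an undefined variable; I cannot see the callers from here.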
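Review bot: The removed `### params:` header was the only documentation of this role's inputs (`current_service`, `current_server_ip`, `current_dns_entry`, `current_dns_entries`, `service_base_path`, `current_service_id`, `current_service_docker`, `docker_owner`, `docker_group`), and nothing in the commit replaces it, so a reader of `roles/shared_service/tasks/main.yml` no longer has a place to see which variables must be set by the caller. Consider keeping that list as a comment block above `### tags:`, or moving it into a `meta/argument_specs.yml` so Ansible validates the inputs. The rest of the hunk only keeps the `### tags:` header.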
@@ -20,6 +9,8 @@ vars: record_data: "{{ current_server_ip }}" record_name: "{{ current_dns_entry }}" + tags: + - update_deployment - name: "Updating public DNS for <{{ current_host }}>" include_role: @@ -28,6 +19,8 @@ record_data: "{{ item.ip }}" record_name: "{{ item.name }}" loop: "{{ current_dns_entries }}" + tags: + - update_deployment - name: "Checking if <{{ current_service_id }}/docker-compose.yml> exists" stat: @@ -55,6 +48,8 @@ current_owner: "{{ docker_owner }}" current_group: "{{ docker_group }}" current_docker: "{{ current_service_docker }}" + tags: + - update_deployment - name: "Deploying service templates for <{{ current_service_id }}>" include_role: @@ -66,6 +61,8 @@ current_destination: "{{ current_service_id }}" current_owner: "{{ docker_owner }}" current_group: "{{ docker_group }}" + tags: + - update_deployment - name: "Starting <{{ current_service_id }}>" community.docker.docker_compose: diff --git a/roles/shared_service/vars/main.yml b/roles/shared_service/vars/main.yml deleted file mode 100644 index ed97d53..0000000 --- a/roles/shared_service/vars/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/sma_postfix/tasks/main.yml b/roles/sma_postfix/tasks/main.yml index 96248f3..80e7f8d 100644 --- a/roles/sma_postfix/tasks/main.yml +++ b/roles/sma_postfix/tasks/main.yml @@ -2,4 +2,4 @@ - name: "Install postfix via included upstream role" include_role: - name: postfix + name: postfix diff --git a/roles/webdav/defaults/main.yaml b/roles/webdav/defaults/main.yaml deleted file mode 100644 index 7677aa3..0000000 --- a/roles/webdav/defaults/main.yaml +++ /dev/null @@ -1,3 +0,0 @@ ---- - -webdav_image_name: "{{ shared_service_hostname_harbor }}/smardigo/smardigo-webdav-app" diff --git a/roles/webdav/tasks/main.yaml b/roles/webdav/tasks/main.yaml deleted file mode 100644 index 58dd60d..0000000 --- a/roles/webdav/tasks/main.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- - -### tags: - -- name: "Check if webdav/docker-compose.yml exists" - stat: - path: '{{ service_base_path }}/{{ inventory_hostname }}/docker-compose.yml' - register: check_docker_compose_file - -- name: "Stop webdav" - community.docker.docker_compose: - project_src: '{{ service_base_path }}/{{ inventory_hostname }}' - state: absent - when: check_docker_compose_file.stat.exists - -- name: "Deploy docker templates for {{ inventory_hostname }}" - include_role: - name: hetzner-ansible-sma-deploy - tasks_from: templates - vars: - current_config: "_docker" - current_base_path: "{{ service_base_path }}" - current_destination: "{{ inventory_hostname }}" - current_owner: "{{ docker_owner }}" - current_group: "{{ docker_group }}" - current_docker: "{{ webdav_docker }}" - -- name: "Deploy service templates for webdav" - include_role: - name: hetzner-ansible-sma-deploy - tasks_from: templates - vars: - current_config: "webdav" - current_base_path: "{{ service_base_path }}" - current_destination: "{{ inventory_hostname }}" - current_owner: "{{ docker_owner }}" - current_group: "{{ docker_group }}" - -- name: "Update {{ inventory_hostname }}" - community.docker.docker_compose: - project_src: '{{ service_base_path }}/{{ inventory_hostname }}' - state: present - pull: yes - tags: - - update_deployment diff --git a/roles/webdav/vars/main.yml b/roles/webdav/vars/main.yml deleted file mode 100644 index d8a12e7..0000000 --- a/roles/webdav/vars/main.yml +++ /dev/null 
@@ -1,56 +0,0 @@ ---- - -webdav_id: "{{ inventory_hostname }}-webdav" - -webdav_labels: [ - '"traefik.enable=true"', - '"traefik.http.routers.{{ webdav_id }}.service={{ webdav_id }}"', - '"traefik.http.routers.{{ webdav_id }}.rule=Host(`{{ stage_server_domain }}`)"', - '"traefik.http.routers.{{ webdav_id }}.entrypoints=websecure"', - '"traefik.http.routers.{{ webdav_id }}.tls=true"', - '"traefik.http.routers.{{ webdav_id }}.tls.certresolver=letsencrypt"', - '"traefik.http.services.{{ webdav_id }}.loadbalancer.server.port={{ service_port_webdav }}"', - - '"traefik.http.routers.{{ webdav_id }}-admin.service={{ webdav_id }}-admin"', - '"traefik.http.routers.{{ webdav_id }}-admin.rule=Host(`{{ stage_server_domain }}`)"', - '"traefik.http.routers.{{ webdav_id }}-admin.entrypoints=admin-service"', - '"traefik.http.routers.{{ webdav_id }}-admin.tls=true"', - '"traefik.http.routers.{{ webdav_id }}-admin.tls.certresolver=letsencrypt"', - '"traefik.http.services.{{ webdav_id }}-admin.loadbalancer.server.port={{ management_port }}"', -] - -webdav_docker: { - networks: [ - { - name: front-tier, - external: true, - }, - ], - services: [ - { - name: "{{ webdav_id }}", - image_name: "{{ webdav_image_name }}", - image_version: "{{ webdav_version }}", - labels: "{{ webdav_labels + ( webdav_labels_additional | default([])) }}", - restart: "{{ webdav_service_restart | default('always') }}", - user: root, - environment: [ - "SPRING_PROFILES_INCLUDE: \"swagger,postgres\"", - "DATASOURCE_URL: \"jdbc:postgresql://{{ webdav_postgres_host }}:{{ service_port_postgres }}/{{ webdav_postgres_database }}?sslmode=require\"", - "DATASOURCE_USERNAME: \"{{ webdav_postgres_username }}\"", - "DATASOURCE_PASSWORD: \"{{ webdav_postgres_password }}\"", - - "SMA_JWT_SECRET: \"{{ webdav_jwt_secret }}\"", - - "OPENTRACING_JAEGER_ENABLED: \"{{ webdav_opentracing_jaeger_enabled | default(false) }}\"", - "OPENTRACING_JAEGER_LOG_SPANS: \"{{ webdav_opentracing_jaeger_log_spans | default(false) }}\"", - 
"OPENTRACING_JAEGER_SERVICE_NAME: \"{{ webdav_opentracing_jaeger_service_name | default(webdav_id) }}\"", - "OPENTRACING_JAEGER_HTTP_SENDER_URL: \"{{ webdav_opentracing_jaeger_http_sender_url | default() }}\"", - ], - networks: [ - '"front-tier"', - ], - extra_hosts: "{{ webdav_extra_hosts | default([]) }}", - }, - ], -} diff --git a/roles/webdav_postgres/defaults/main.yml b/roles/webdav_postgres/defaults/main.yml deleted file mode 100644 index 783916b..0000000 --- a/roles/webdav_postgres/defaults/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -postgres_acls: - - name: "{{ webdav_postgres_database }}" - password: "{{ webdav_postgres_password }}" - trusted_cidr_entry: "{{ shared_service_network }}" - -database_create: True -database_backup: False -database_restore: False diff --git a/roles/webdav_postgres/tasks/main.yml b/roles/webdav_postgres/tasks/main.yml deleted file mode 100644 index b2f1a39..0000000 --- a/roles/webdav_postgres/tasks/main.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- - -### tags: - -- name: "Updating database on {{ inventory_hostname }}" - include_role: - name: postgres - tasks_from: _update_database_state - when: - - database_backup_state is not defined - -- name: "Creating/Restoring database backup on {{ inventory_hostname }}" - include_role: - name: postgres - tasks_from: _create_database_backup.yml - when: - - database_backup_state is defined - - database_backup_state in ['dump', 'restore'] diff --git a/setup-infrastructure-realm.yml b/setup-infrastructure-realm.yml deleted file mode 100644 index 411d973..0000000 --- a/setup-infrastructure-realm.yml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -- name: 'apply setup to {{ host | default("infrastructure_realm") }}' - hosts: '{{ host | default("infrastructure_realm") }}' - serial: "{{ serial_number | default(5) }}" - strategy: free - vars: - ansible_ssh_host: "{{ stage_server_domain }}" - become: yes - - pre_tasks: - - name: "Import constraints check" - import_tasks: tasks/constraints_check.yml - tags: - - always - - - name: "Import autodiscover pre-tasks" - import_tasks: tasks/autodiscover_pre_tasks.yml - become: false - tags: - - always - - roles: - - role: infrastructure_realm - when: - - "'infrastructure_realm' in group_names" diff --git a/setup.yml b/setup.yml index ce8bed6..c44e2f8 100644 --- a/setup.yml +++ b/setup.yml @@ -1,5 +1,4 @@ --- - - name: 'apply setup to {{ host | default("all") }}' hosts: '{{ host | default("all") }}' serial: "{{ serial_number | default(10) }}" diff --git a/smardigo.yml b/smardigo.yml index 20d11d1..f1fbdb6 100644 --- a/smardigo.yml +++ b/smardigo.yml @@ -56,15 +56,9 @@ - role: iam when: "'iam' in group_names" - - role: webdav - when: "'webdav' in group_names" - - role: management when: "'management' in group_names" - - role: redis - when: "'redis' in group_names" - - role: pdns when: "'pdns' in group_names" diff --git a/smardigo/backup/script/ansible-start.groovy b/smardigo/backup/script/ansible-start.groovy index 43ba8bd..77b2632 100644 --- a/smardigo/backup/script/ansible-start.groovy +++ b/smardigo/backup/script/ansible-start.groovy @@ -11,7 +11,7 @@ if (binding.hasVariable('extraVariables')) { def filename = 'xvars-' + smardigoManagementAction + '-' + execution.getProcessInstanceId() + '.yml' def ansibleCommand= 'ansible-playbook ' + smardigoManagementAction + '.yml --vault-password-file ~/vault-pass -e "@' + filename + '"' -def ansibleVariables= 'cat <> ' + filename + '\n' +def ansibleVariables= 'cat < ' + filename + '\n' ansibleVariables+= '---\n' env.each { key, val -> if (val instanceof List) { 
diff --git a/smardigo/pmci/app/process.json b/smardigo/pmci/app/process.json index 1565857..3b37913 100644 --- a/smardigo/pmci/app/process.json +++ b/smardigo/pmci/app/process.json @@ -16,48 +16,13 @@ "groups" : [ "service-create", "service-delete", "service-change" ], "additionalProperties" : null }, { - "name" : "Service erstellen", - "tabName" : "Service erstellen", + "name" : "Servicevorgänge", + "tabName" : "Servicevorgänge", "logoId" : "playlist_add", - "configKey" : null, - "configType" : "process-search", - "processDefinitionKey" : "service-create", - "processDefinitionKeys" : [ "service-create" ], - "items" : [ ], - "groups" : [ "service-create" ], - "additionalProperties" : null - }, { - "name" : "Service erneut erstellen", - "tabName" : "Service erneut erstellen", - "logoId" : "playlist_play", - "configKey" : null, + "configKey" : "service-search", "configType" : "process-search", - "processDefinitionKey" : "service-replay-setup", - "processDefinitionKeys" : [ "service-replay-setup" ], "items" : [ ], - "groups" : [ "service-replay-setup" ], - "additionalProperties" : null - }, { - "name" : "Service ändern", - "tabName" : "Service ändern", - "logoId" : "edit_note", - "configKey" : null, - "configType" : "process-search", - "processDefinitionKey" : "service-change", - "processDefinitionKeys" : [ "service-change" ], - "items" : [ ], - "groups" : [ "service-change" ], - "additionalProperties" : null - }, { - "name" : "Service entfernen", - "tabName" : "Service entfernen", - "logoId" : "delete_sweep", - "configKey" : null, - "configType" : "process-search", - "processDefinitionKey" : "service-delete", - "processDefinitionKeys" : [ "service-delete" ], - "items" : [ ], - "groups" : [ "service-delete" ], + "groups" : [ "service-create", "service-delete", "service-change" ], "additionalProperties" : null }, { "name" : "Mandantenverwaltung", 
@@ -71,37 +36,13 @@ "groups" : [ "tenant-create", "tenant-delete", "tenant-change" ], "additionalProperties" : null }, { - "name" : "Mandant erstellen", - "tabName" : "Mandant erstellen", + "name" : "Mandantenvorgänge", + "tabName" : "Mandantenvorgänge", "logoId" : "person_add", - "configKey" : null, - "configType" : "process-search", - "processDefinitionKey" : "tenant-create", - "processDefinitionKeys" : [ "tenant-create" ], - "items" : [ ], - "groups" : [ "tenant-create" ], - "additionalProperties" : null - }, { - "name" : "Mandant bearbeiten", - "tabName" : "Mandant bearbeiten", - "logoId" : "engineering", - "configKey" : null, + "configKey" : "tenant-search", "configType" : "process-search", - "processDefinitionKey" : "tenant-change", - "processDefinitionKeys" : [ "tenant-change" ], "items" : [ ], - "groups" : [ "tenant-change" ], - "additionalProperties" : null - }, { - "name" : "Mandant entfernen", - "tabName" : "Mandant entfernen", - "logoId" : "person_remove", - "configKey" : null, - "configType" : "process-search", - "processDefinitionKey" : "tenant-delete", - "processDefinitionKeys" : [ "tenant-delete" ], - "items" : [ ], - "groups" : [ "tenant-delete" ], + "groups" : [ "tenant-create", "tenant-delete", "tenant-change" ], "additionalProperties" : null }, { "name" : "Vorfälle", diff --git a/smardigo/pmci/datasource-action/service-management.json b/smardigo/pmci/datasource-action/service-management.json index 6846c33..66551b7 100644 --- a/smardigo/pmci/datasource-action/service-management.json +++ b/smardigo/pmci/datasource-action/service-management.json @@ -41,7 +41,7 @@ } ], "rowActions" : [ { "icon" : "replay", - "name" : "Setup starten...", + "name" : "Setup erneut starten...", "processDefinitionKey" : "service-replay-setup", "variable" : "service" }, { 
diff --git a/smardigo/pmci/datasource-file/connect-features.xlsx b/smardigo/pmci/datasource-file/connect-features.xlsx index 4322f8ca9cba3dffa0f381cdbd3147ad4668496a..2e990bb0856b1719daf0633f46c56f44a7f0ace5 100644 GIT binary patch delta 3942 zcmZWsXHXN37EK7Dmjn>$krH~BDnW`811KU2A{`+V0V$!QgbpFp1W+QqiUQI_M37#j z3Q8Ag61sjM9eMb@nfH~qKX$g9yEA*{-gC~aLDd;>80v#4*#J}k8UO&m4=83>3vdDg z0F2;D4j~Hc!&X^{&R*&vbMkBB`{cYA;uQGHX;MZj)b+a&ru*(R7!JPe6A9V`mWU%)n`g<*Yf^jZwPT zl9(NF*Q%DWDC|M~{!Z{MUiKBwm1jtOLn~=Fl4c}-nBh1@lA^Jdghb8M(dGAp9o^gV zjTN@Zn@AUR0XR@f|bcCtDv2a!~P4(h1+tFiw0k^=WF7ZaqavAn3bPS+q z)G(mD%lnN7jY`TlUO9gVbnht?lt?PNI*@d4KWRdHbz3pdB)3qgr6Ra@C8qaCzz)PG zVs?^E-f|f>GD5;5NubPc2kR=}n#KYh3@dgz9rU~n5%oKE>h5%l))5|Kmb4{k%|_M-R24-m1+Yl3w@1!syDiNfg+~B zzKJ5;SCgl~b}R&6%%!D<^HA=fsAxxrEV(gjUmtX%AwQ?PaM9z)8{tZ-GN#p8PiN1k zpCd)xDG)<-a9@(ME>UQ{jy>H7{LtahbI=J0K^pWKl_+VWzQN0Ijq_4&@2lqXgz3`m z$JkS$vJmR(>kp*6=araO>vjC za>Yzy*@qsYZzA_|GMt3Wyr#SsMPF5VVLfw$TMc*@faPxc%HU2hGV$_38ol&^o+VIW zl6VGQDEbj75*U!Aw;GhQAAX+w20ipg0Gc+rF2-ZMpkQ?y)zL&eGwTx7F6!a zuzF>x1Kazkh?)w9*OuQwbDc{TmwKAl(azICa9@dL9Io~360evXZ?j{)k?7TQ9;tP= z;N>Vq1mbUo$$oKG+zezT3E%YeG&dw^Gv@A`vHq zP3$)M!fMQw`CM4|P@3Og$l3{0n;UCFP(r;fbk#K&CY8iW-qQVK&3KO8SqLO1NK29# zC*{`-aEiwW5c~v+(*}eCMILy4(K^-oEHw5;JE`=s=Fw3$E43%iDQWW^3)S?j&}+jc z_eF3lEkTUwU2y)(rOV21V%C>m+bkX$U{|9|NVa2KaH|KAx+-<+Dl{2CRJiSeeu2WE zS}B;1C4c0wGOEj|Lpst|64t5k@%ahoM7Z4dzgO=ZkI0S(lS6*u_Pfa@S!{(*IyZ5O z;8}y~=c6H`YZW};ipkwN5tHXEJjhMwE#}_OaELEroxBT85LS|#&9K?*19iQ|-k;^Z z=e!#ES+d7SqS8^WGdQDTqEsZ}i`;6WmCfftZ&THZdTvr^0*_zdkP&5O7ixrkW zZE(cuOsv)@006eLiS>7t!8qA^q3v&bdpSRJ#7O(Qxq1@@4ccTGI=4`bS5nlxJpd66 z0_`wQ>UKGK+!#_ngXOJjBZtg;d~&PibJwnMjiYLf;wICs94oo%n+jvsqA!*uxq4+y zz6pL*udXr@3+~oJMPN>%N@YkV*mtCRcS_({YX$`xuf*$kkzdNj{nlT}mYd_krcht5R&$19&CLl2>m@6m2h9i|6(;i>Q(34ZBJ{wX`SR^_$w(NKh4BE9N&>ut9%t zeuV}4yx|FL-n_e1t&|M_5D6gG>bDHT6m+fi86br-b!?^~o;wf267>_G$+AVBnKevu zt7Q&K$Vs}T&E?~3ob6&K-9pzn>dTk^;`H5lCwW0MYkYef$95*>P1lEF{DW@VxYUMz zr>{3fLrus=bw_c(_M5i9rI>b25tJJu>d}oq@VqnB0KK0x$8<7f 
z=DVwRdmfrG|IK3^k!u_sqpkGu9fP4>3MzZAOsUbSVpAW2(UPW0gbb3!FZRufiHXJ4 zHF#YnOpp(nj=|=#(hm!c4q>g7au+=ak3rVA=8h!6Bis_$N0B;P5pZSG)3?_HQ_#p$ zA-pqRm+dCJMPM%skrlAE@o3fUa>uRu^p27K!0jjHX@%`fd&W?ZF>*|cG$>{+6@7f1 z;!)?`+5TgmTj2sv4pLJWHmJRJrTIH&u`sHpEi9`$k|@%h>kL7(MV#^}I=lnC6>H?R z{^WZlrp?lOwBS<4pszCf63aI7zb~ZB|G! zRk}Z1Z`YiewM!;{56Y<%oYYPf$}lnt@ll@y+|t7%yMbuAv^Itgew3W$hE&PGt# zhUa4cG{`?sDWm30VX_eLP+5}nd!sJ|ZLB~=a*@&xdPey3w|=rki8!TQ=K8$_?@OU; zc%wBTli}^9z?*3avIO$8r;3PLRb9SPNR_&VNMRvqETJGeZpUKt6RYHDVreK3bb74PHOA-S{%PQ->VMb`L(5`IR>Dk^r&V5{-OM}%aAgb z2H?#YG6$`ngVM$(<-|cW$LPMx*V{%?qEUuAG&wGmiVc*?E|45LH!WUZNI5TXvbKeO zI3dm_X6Py;$A#8uib|$^Z0Hf(@F?6LNEG4nt&U^HQp1|!+gO{=6lW9+0I&jRfcEZo zhFe)5L=U?kDvP8|B=6_^WSw=9V_`p>1Kq68mJ}J;2(zZ-DM4z z;xyOg?mgZUcXQOHo2mB?cr#B{d(tN6-t1TA7h&rfS8nKWC5hUMV}iU)_xQ_~1%`lp zv{}_>r{_boNbk4)r{#~ht}}APo70WxBW2Yc^H(a9C4`SL7iad-L94u*dB=jmf8258zLyL0X?(Hv zwEb!M_Bke0MSH;0;-~fzLvYKPWxuuai$9mU*aApC1BVOW=A8FJJ)Qh4L{k?D3z7_1 zc#)1*Hc|igTm>Mvh+v^ zJw2zG86S!U#(9D3c+p>%=zSDY525Q{EV6yKB?`kczzSJ(hr>F{t999$V&{L=L67dC zh&@_Pk_e0J6tob7Jbz^pt~I&fE5)EHJET`MCZ^Z_5+3LM0)bPrwM;%i3+8%KA?#G< zg*u@0s^1jQDz?DT3%H9#`;tl)eg-cSQinfB+E0vQ9$T)49n+6AkN%h!`7;Dp&+xTT z5Ys^nV4I8%-rLppc!YsiYyCD^wvJhF^Oc^UXTK(UCE%>1yUYSV_h27Vz6vW+c@ zroAPF^`OIk)Kw87N5QItA!FvR3|GL4C>Ia5tNT+fT4UeFLaowOTx=8L*SurZ&={qd z{3DxoC)X(@C*tL(53sqh{x*#Dr}I@)=RhgN8PK9ov%>9o8#7L0v#m-=Fv#6Sv)F&0 zTzBu5o$|vUg#c`D(6I~oBiU*d&o~I&v$!MArY0fNGxN9-8Nkz-43j?bzjc+L)=?;{ z*+(_F&u=&yf0*(Odw)I}qY;aDG9ZA{Z{Qp?v*z(z1nk)WorPdd(Rf8qN* zT>m_Xz5HU80z0m(H2cMDg Qnh%|8BjHyiVlhH~@3s5$yWTBvDFZLfn9^g1x-A`flx1HHeuj5(a_9Kl+3u7;d9>uX zot!dm7Xb47TKmitbyu|w2rzec4$YYLqWM89R`S3LrfR!NRou`*&x(=NGONl+6$!jf zWP9W3As*p)ur7_FNf(S*ob~Kk4vPASkHW z5+U^UJm{FlHtI`2oN*t5DQO4!BYEg(dMOKh4IQG5d?{cN9fMkAY0fAU=2_|z7 z;;Hp<9nn8V7M9dAwuS@_*Axlq5a<=5mXMmHhu{5z=p{t_AL#iJR{L3lrzz8i`T7Q7 zV!<7m63^NyOVPt*AwANbZUcBi#u^4yljZ&fbY z!cP?7W*<~+Uc8#3iupX1&ps4@b(^b=9P$#Ne1lnOA;lS`V`a)+~gj<0~hv(TzM$yBT0+RS_hgd^{ zMs(=y_xZ!`9(pg>OjsZXUiJ@g)_N0bH`qT}rJhDPs<18Oqy@5jgzB@MBpRHIPVaQx 
zxZ7qUtKwu2m>lk}&E0ZIaJ3~p7-C!|F&jN_XwvO5BV>KX(ZX{H;+Ed=>a!P3(Kc>7 zV5}cAos*0$O2Ls?dixEt?qrf!iR_)3QEEH;V(M8)17G;l4R01O;|zj=)$)EOz5dB^ zkk(dl<&cAZ#;RL6fj{`>F0)Tu8Q!{?0Cm_eZwI(H2}P}44Q3tSzgDl2(G!N$gnZ54 zpaJuCp?)MTEA>QqGp3KFn*=&>_y^6@}xE{nKmn>h%^vGK;uH+FfY@U zESs{MblRnE85^WoVU%2BJ*$6iRr(@Dxslwc$;ek$yp*^dVe0aG5|2|h;>D`U%F>oo z3kt2Ka9PUYL1SPV?+SEIZg@i(nckEK zGx&H(l#~!#kY6(n9nXO%#jKT(KXG`kdD#oj_^{6ARzU*WY;r0R%!qioLg(4^ruD#Q zcb~{BRNkl3{``{E!1L{1K_+nUk#4cVo_?{yfr2c{Kp36sl=u`*Xzz@OF>L5hKEsK= zelBwDHLdvUWlBUlCY8o;n-|!*GhERl9Hg&Bl=WRbR`D-Vyci`qlxB(;n3G~jQ+_^w z`cBk-jwXL0xrExI@gBwIb4X^v$>L`PO6iZa6U<-~?u5+L6?=41gVYwPLh?PN1V=|y zY#VCg!lf`e$NE0m!%2J@Nf-rEHFd{#o?rBA#4;0sjYUu#J%hJkG=sxAKgU3L4OV^} z37t8Q0MqYAltDkK6|H!HidoybsK#ca~Alwcs-Da9|HA`ixtB z%*n_ghnh<=uz=(XF#$@?=DN44p6*4hYnWp%-H{XtVpP?LFPBZvdG4EHuJ2iOW}8>)XCmuL zf`qVI^2wA1y}-lA;y*7u&70f4l6hxZz?4CJF-%L`R6Sy;Wxn1FOMZ&DSy;%_DX6}N z9;=Uj_=HAzerw*)-k7dDuJZp7@40Kjy)4bg`l9 zY|aAmy=1Ekf1=z-f~d#6=sw%k#OwPT(z6rhJ{0lPvT1Yq8`9ReO{^nmakWztTQa^W zKbD3l`H9tJnlz@;KOw975q{7?+Nha8;+r2D--OSSkJHdpIl*nEqTC^C09xeSsLI#F zBl{8Xs*?i8!NNDVkHXkjPMnUx?b6Bphm{WTr9&1bjU9nbls$zM?{#0LSIZ}>!_@~c zsllpOSP@e)Xcl4^DQfWbOp{kF81{^RSfx0@1M-A;KLBh+SAZl7MHH zCcHP+h%a1332p=x&)#$xv{Ju2u|h6@Pd(=i_#zHkB5z9-1vFfIo($P9{F}!>LE+Ifx+?}<>DkmHmUL*r=H3M6m zdm%|#FPRuvs7EB?8SD_;$$e9twNWPFTqaf%fO|LGwAC5Q(WUz)B?POO(-~WEM5P0R z`u>YNF#^0k?bJGL;4LlDsr6cA-3ZHnLV}lp`Y_B(97!gg%Oor{evt`=i^OZ+UHGMx zXv68_PV|g8uA3qm{;1GCLM@adL8K-V7qUW2a7pH9A?zRa<;SVlW+8o3@jK)uwM zx|RL3MvA;KRKl|6_Pbd)uvAD2B+{?dE=mfhGBwhl{bVYn)h=TrI^+1ALnS&mNIWQ0 z_Le}9EoKx4kBd2&pUCqHzG;;yo^yFl^`;;z%;QjWAC_e~VCbuU>v_GOyWBQ*e^TbQ ziYnro{Ec`%o5FmwdPYTn>mI^~;PGgXuj;zl&xsxJiNv#EAWIxBwObju7|}wlJGBo1q9MPcD1&VpXLW1>-VVp zM~el#S>w=?orUg?4_9YfKRa{q>!SFP11~_F+jed4MNzi>&!F*%ytcgf9=bmqLYZ0I zv}#U3p%E_Ee+p5koN_?yw2iW!^k$781w^QDrpD(fn@BeN!SZCsWTZmoV!iI`Vh6?S z>+AL;#}++zl>M!fBaXLV1xka)hiHut6`TG});*$JlFcLFR4g=R%?{c8da}YMkr8S$ zc;7kKDyx**rfE!8)@<3N_M$rXQj8zOYXvo8w(RQu!9ho^C6ZpLF*`&|_QCv{v2SI# 
zxwWLdkQUm){ynAI9=RUgzDo!%JwY`=TK??U$yMPoD_jzl+N$X&-QCvN*sAS1>JE9o znW;-K@+Mcv2uCDX|7dxH__oFS&G>gN&8t0ipOQaxdWu=LN-~QX(>`4U1k7*T8O~^F z5A1QVHDK-;h(qo56TKU;Gc~7cXwVw^aCdg{1+nW5Cr>do>v3hESg@Jn?U18a4DV2d zSqR63VMA>!Y{J8zGV|_Oj(nY8X3OQzvs4sPJUIT08zngwqt0_Xi*e*gfk-!|u~Qx3c~D@@7+{lCurW+&j><-a2n zhF@Xgz?Z@~ diff --git a/smardigo/pmci/filter/service-create.json b/smardigo/pmci/filter/service-create.json index 8590501..e6f1bc7 100644 --- a/smardigo/pmci/filter/service-create.json +++ b/smardigo/pmci/filter/service-create.json @@ -4,11 +4,7 @@ "documents" : [ ], "dossiers" : [ { "configKey" : "vorgang", - "currentUserConfig" : [ [ { - "key" : "filterTenantId", - "operation" : "in", - "value" : "${currentUserAttributes.tenantIds}" - } ] ], + "currentUserConfig" : [ [ ] ], "gruppenConfigs" : { } } ] } \ No newline at end of file diff --git a/smardigo/pmci/filter/service-replay-setup.json b/smardigo/pmci/filter/service-replay-setup.json deleted file mode 100644 index 981e832..0000000 --- a/smardigo/pmci/filter/service-replay-setup.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "configKey" : "service-replay-setup", - "processDefinitionKey" : "service-replay-setup", - "documents" : [ ], - "dossiers" : [ { - "configKey" : "vorgang", - "currentUserConfig" : [ [ ] ], - "gruppenConfigs" : { } - } ] -} \ No newline at end of file diff --git a/smardigo/pmci/process-search/service-search.json b/smardigo/pmci/process-search/service-search.json index fa0e9e2..9a29e4e 100644 --- a/smardigo/pmci/process-search/service-search.json +++ b/smardigo/pmci/process-search/service-search.json @@ -1,6 +1,7 @@ { "name" : "service-search", "configKey" : "service-search", + "processDefinitionKeys" : [ "service-create", "service-delete", "service-change", "service-replay-setup" ], "columns" : [ { "key" : "id", "name" : "ID", diff --git a/smardigo/pmci/process-search/tenant-search.json b/smardigo/pmci/process-search/tenant-search.json index e232791..65944fd 100644 
--- a/smardigo/pmci/process-search/tenant-search.json +++ b/smardigo/pmci/process-search/tenant-search.json @@ -90,5 +90,6 @@ "sorts" : [ { "key" : "creation_date", "direction" : "desc" - } ] + } ], + "processDefinitionKeys" : [ "tenant-create", "tenant-delete", "tenant-change" ] } \ No newline at end of file diff --git a/smardigo/pmci/process/service-change.bpmn b/smardigo/pmci/process/service-change.bpmn index e2af586..ebc4afd 100644 --- a/smardigo/pmci/process/service-change.bpmn +++ b/smardigo/pmci/process/service-change.bpmn @@ -24,12 +24,23 @@ - + + + + + + + + + + + + ${$action == 'ok'} @@ -71,6 +82,7 @@ + @@ -78,6 +90,7 @@ + @@ -85,6 +98,7 @@ + @@ -942,10 +956,6 @@ - - - - @@ -1254,6 +1264,10 @@ + + + + diff --git a/stage-demompmx b/stage-demompmx new file mode 100644 index 0000000..f7d1a48 --- /dev/null +++ b/stage-demompmx 
@@ -0,0 +1,96 @@
+[backup]
+demompmx-backup-01
+
+[connect]
+demompmx-management-01
+
+[elastic]
+
+[gateway]
+demompmx-gateway-01
+
+[gitea]
+
+[harbor]
+
+[iam]
+demompmx-iam-01
+
+[keycloak]
+demompmx-keycloak-01
+
+[kibana]
+
+[logstash]
+
+[management]
+demompmx-management-01
+
+[maria]
+
+[pgadmin4]
+demompmx-pgadmin4-01
+
+[postfix]
+demompmx-mail-01
+
+[postgres01]
+demompmx-postgres01-01
+demompmx-postgres01-02
+
+[prometheus]
+demompmx-prometheus-01
+
+[ubuntu_docker]
+
+[virtual] # virtual server for stage variables
+demompmx-virtual-01
+
+[kube_control_plane]
+demompmx-kube-cpl-01
+demompmx-kube-cpl-02
+demompmx-kube-cpl-03
+
+[etcd]
+demompmx-kube-cpl-01
+demompmx-kube-cpl-02
+demompmx-kube-cpl-03
+
+[kube_node]
+demompmx-kube-node-01
+demompmx-kube-node-02
+demompmx-kube-node-03
+
+[postgres:children]
+postgres01
+
+[k8s_cluster:children]
+kube_control_plane
+kube_node
+
+[stage_demompmx:children]
+backup
+connect
+elastic
+gateway
+gitea
+harbor
+iam
+k8s_cluster
+keycloak
+kibana
+logstash
+management
+maria
+pgadmin4
+postfix
+postgres
+prometheus
+ubuntu_docker
+virtual
+
+[all:children]
+stage_demompmx
+
+[hcloud:children]
+stage_demompmx
diff --git a/stage-demompmx-netgo-hcloud.yml b/stage-demompmx-netgo-hcloud.yml
new file mode 100644
index 0000000..10fe194
--- /dev/null
+++ b/stage-demompmx-netgo-hcloud.yml
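Review bot: `demompmx-management-01` is listed under both `[connect]` and `[management]`, and `[elastic]`, `[gitea]`, `[harbor]`, `[kibana]`, `[logstash]`, `[maria]` and `[ubuntu_docker]` are declared with no hosts, so a reader cannot tell whether the double listing is deliberate co-hosting and the empty groups are placeholders, or both are leftovers from copying another stage file. Add a comment above `[connect]` such as `[connect] # runs on the management server in this stage` and one above the first empty group, e.g. `# empty groups: no such service in this stage, presumably kept so [stage_demompmx:children] can list them`, in the style of the existing `[virtual] # virtual server for stage variables` line. Whether hosts for the empty groups are planned is not visible here.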
@@ -0,0 +1,27 @@
+# dynamic inventory for hetzner which reads the stage variable from environment
+#
+# parameters:
+# HETZNER_CLOUD_TOKEN := hetzner cloud api token
+# HETZNER_LABEL_SELECTOR := the label selector to use (note: multiple selectors are not supported by rest api)
+ (e.g. stage=dev)
+ (e.g. service=prometheus)
+# usage:
+# export HETZNER_LABEL_SELECTOR='stage=dev'
+# ansible-playbook -i stage-netgo-hcloud.yml ...
+
+plugin: netgo-hcloud
+
+stage: "demompmx"
+stage_kube: "demompmx"
+label_selector: "stage=demompmx" # jinja isn't available here
+
+api_token: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 38653565333431613866363164666336386332376234376330383731646138303834626466643539
+ 3430366232303864646361383434333537663537326662310a633236313937643132343431363564
+ 34633063633937643337633937306263303831396533343637326461373463363366636339333136
+ 3231343431363830320a663234303939316164323830663564363032326563333731306563326663
+ 61326262396231353066333461323832643635363333386537393264643833383063656332326264
+ 36393866616631616236663935646666383330393866663631666335306236636463393963333263
+ 35306338376239303163396630356232373761303333613038326662646464373433656537663432
+ 30636134303332333861
diff --git a/stage-dev b/stage-dev
index 30471e6..2786056 100644
--- a/stage-dev
+++ b/stage-dev
@@ -50,15 +50,9 @@ dev-postgres-02 [prometheus] dev-prometheus-01 -[redis] -#dev-redis-01 - [ubuntu_docker] dev-devops-iaas-01 -[webdav] -#dev-webdav-01 - [kube_control_plane] devnso-kube-cpl-01 devnso-kube-cpl-02
@@ -98,9 +92,7 @@ pgadmin4 postfix postgres prometheus -redis ubuntu_docker -webdav [all:children] stage_dev
diff --git a/stage-prodnso b/stage-prodnso
index b15cc28..108e6dd 100644
--- a/stage-prodnso
+++ b/stage-prodnso
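Review bot: The header comment no longer describes this file: it documents `HETZNER_CLOUD_TOKEN` and `HETZNER_LABEL_SELECTOR` as environment parameters and shows `ansible-playbook -i stage-netgo-hcloud.yml`, while the body takes `api_token` from an inline vault blob and hard-codes `label_selector: "stage=demompmx"`. Rewrite the header to say that the token is vault-encrypted in place, that the selector is fixed to `stage=demompmx` (the `# jinja isn't available here` remark belongs there too) and that the file is used as `ansible-playbook -i stage-demompmx-netgo-hcloud.yml …`. The two `(e.g. stage=dev)` / `(e.g. service=prometheus)` lines also appear without a leading `#`; if that is what the file holds rather than a rendering artefact they are plain scalars at document level and the inventory YAML will not parse, so they should become comment lines.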
@@ -49,16 +49,10 @@ prodnso-postgres-02 [prometheus] prodnso-prometheus-01 -[redis] -#prodnso-redis-01 - [ubuntu_docker] prodnso-platform-iaas-01 prodnso-hocr-iaas-01 -[webdav] -#prodnso-webdav-01 - [kube_control_plane] prodnso-kube-cpl-01 prodnso-kube-cpl-02 @@ -98,9 +92,7 @@ pgadmin4 postfix postgres prometheus -redis ubuntu_docker -webdav [all:children] stage_prodnso diff --git a/stage-prodwork01 b/stage-prodwork01 index 801d78e..6dcd041 100644 --- a/stage-prodwork01 +++ b/stage-prodwork01 @@ -26,7 +26,6 @@ kube_node [stage_prodwork01:children] k8s_cluster -keycloak_compact backup_minio [all:children] diff --git a/stage-qa b/stage-qa index 2484da5..1b614cb 100644 --- a/stage-qa +++ b/stage-qa @@ -49,11 +49,7 @@ qa-postgres-02 [prometheus] qa-prometheus-01 -[redis] -#qa-redis-01 - -[webdav] -#qa-webdav-01 +[ubuntu_docker] [kube_control_plane] qanso-kube-cpl-01 @@ -94,8 +90,7 @@ pgadmin4 postfix postgres prometheus -redis -webdav +ubuntu_docker [all:children] stage_qa diff --git a/templates/elastic-certs/demompmx-certs/ca/ca.crt b/templates/elastic-certs/demompmx-certs/ca/ca.crt new file mode 100644 index 0000000..adb46c8 --- /dev/null +++ b/templates/elastic-certs/demompmx-certs/ca/ca.crt 
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----
\ No newline at end of file
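Review bot: Nothing in the file says which CA this is, and the base64 is readable enough to see `DST Root CA X3` as issuer and `ISRG Root X1` as subject, with a validity window that decodes to 2021-01-20 through 2024-09-30, i.e. it appears to be the cross-signed Let's Encrypt root rather than a stage-private CA. Used as `certificate_authorities` by the beats that load `…/certificates/ca/ca.crt`, it makes any Let's Encrypt-issued certificate acceptable for the logstash endpoint, which is only adequate while hostname verification stays at the beats default, and the anchor lapses at the end of September 2024. Add a descriptive text line above `-----BEGIN CERTIFICATE-----` (most PEM readers, Go's included, skip text outside the markers), e.g. `ISRG Root X1 cross-signed by DST Root CA X3, valid until 2024-09-30; replace with the self-signed ISRG Root X1 or the stage CA before then`, and add the missing trailing newline.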
diff --git a/templates/filebeat/config/filebeat.yml.j2 b/templates/filebeat/config/filebeat.yml.j2 index e9a0305..e7faff5 100644 --- a/templates/filebeat/config/filebeat.yml.j2 +++ b/templates/filebeat/config/filebeat.yml.j2 @@ -79,9 +79,11 @@ processors: ignore_missing: yes output.logstash: - hosts: ["{{ shared_service_elastic_stack_logstash_01_hostname }}:5044"] + hosts: ["{{ shared_service_logstash_hostname }}:{{ service_port_logstash }}"] +{% if logstash_ssl_enabled | default(true) %} ssl: certificate_authorities: - /usr/share/filebeat/config/certificates/ca/ca.crt certificate: /usr/share/filebeat/config/certificates/{{ filebeat_certificate }}/{{ filebeat_certificate }}.crt key: /usr/share/filebeat/config/certificates/{{ filebeat_certificate }}/{{ filebeat_certificate }}.key +{% endif %} \ No newline at end of file diff --git a/templates/metricbeat/config/metricbeat.yml.j2 b/templates/metricbeat/config/metricbeat.yml.j2 index 5fc66cf..15b193c 100644 --- a/templates/metricbeat/config/metricbeat.yml.j2 +++ b/templates/metricbeat/config/metricbeat.yml.j2 @@ -51,9 +51,11 @@ fields: hostname: {{ inventory_hostname }} output.logstash: - hosts: ["{{ shared_service_elastic_stack_logstash_01_hostname }}:5044"] + hosts: ["{{ shared_service_logstash_hostname }}:{{ service_port_logstash }}"] +{% if logstash_ssl_enabled | default(true) %} ssl: certificate_authorities: - /usr/share/metricbeat/config/certificates/ca/ca.crt certificate: /usr/share/metricbeat/config/certificates/{{ filebeat_certificate }}/{{ filebeat_certificate }}.crt key: /usr/share/metricbeat/config/certificates/{{ filebeat_certificate }}/{{ filebeat_certificate }}.key +{% endif %} \ No newline at end of file diff --git a/templates/prometheus/config/grafana/provisioning/dashboards/PostgreSQL_Database.json b/templates/prometheus/config/grafana/provisioning/dashboards/PostgreSQL_Database.json index b5c1527..3cc75a0 100644 
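Review bot: The new `{% if logstash_ssl_enabled | default(true) %}` guard around the `ssl:` block means that setting the variable to false ships beats output in cleartext to `{{ shared_service_logstash_hostname }}:{{ service_port_logstash }}` with no other visible change, and nothing in the template says so; the metricbeat.yml.j2 hunk introduces the same construct. Put a comment on the guard in both templates, e.g. `{# logstash_ssl_enabled=false removes TLS to logstash entirely (events in cleartext); only for stages whose logstash has no TLS listener #}`, and document the variable's meaning and default where it is defined, which is outside this diff. Both templates also still end with `{% endif %}` and no trailing newline, which the rendered YAML inherits.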
--- a/templates/prometheus/config/grafana/provisioning/dashboards/PostgreSQL_Database.json +++ b/templates/prometheus/config/grafana/provisioning/dashboards/PostgreSQL_Database.json @@ -3346,11 +3346,7 @@ "type": "interval" }, { - "current": { - "selected": false, - "text": "dev-postgres-01.smardigo.digital", - "value": "dev-postgres-01.smardigo.digital" - }, + "current": {}, "datasource": { "type": "prometheus", "uid": "PBFA97CFB590B2093" diff --git a/templates/prometheus/config/grafana/provisioning/dashboards/Redis_Dashboard.json b/templates/prometheus/config/grafana/provisioning/dashboards/Redis_Dashboard.json deleted file mode 100644 index da46223..0000000 --- a/templates/prometheus/config/grafana/provisioning/dashboards/Redis_Dashboard.json +++ /dev/null 
@@ -1,1315 +0,0 @@ -{ - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "target": { - "limit": 100, - "matchAny": false, - "tags": [], - "type": "dashboard" - }, - "type": "dashboard" - } - ] - }, - "description": "Redis Dashboard for Prometheus Redis ", - "editable": true, - "gnetId": 10819, - "graphTooltip": 0, - "id": 13, - "iteration": 1637686234590, - "links": [], - "panels": [ - { - "cacheTimeout": null, - "columns": [ - { - "text": "Current", - "value": "current" - } - ], - "datasource": "Prometheus", - "fontSize": "100%", - "gridPos": { - "h": 7, - "w": 4, - "x": 0, - "y": 0 - }, - "id": 9, - "links": [], - "pageSize": null, - "scroll": true, - "showHeader": true, - "sort": { - "col": 0, - "desc": true - }, - "styles": [ - { - "alias": "", - "align": "auto", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "mappingType": 1, - "pattern": "", - "thresholds": [], - "type": "number", - "unit": "short" - }, - { - "alias": "Uptime", - "align": "auto", - "colorMode": "cell", - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "decimals": 2, - "link": false, - "pattern": "/.*/", - "thresholds": [ - "600", - "1200" - ], - "type": "number", - "unit": "s" - } - ], - "targets": [ - { - "expr": "redis_uptime_in_seconds{release=~\"$release\"}", - "format": "time_series", - "interval": "", - "intervalFactor": 2, - "legendFormat": "{{ instance }}", - "metric": "", - "refId": "A", - "step": 1800 - } - ], - "title": "Uptime", - "transform": "timeseries_aggregations", - "type": "table-old" - }, - { - "cacheTimeout": null, - "datasource": "Prometheus", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "decimals": 0, - 
"mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "max": 100, - "min": 0, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(50, 172, 45, 0.97)", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 80 - }, - { - "color": "rgba(245, 54, 54, 0.9)", - "value": 95 - } - ] - }, - "unit": "percent" - }, - "overrides": [] - }, - "gridPos": { - "h": 7, - "w": 4, - "x": 4, - "y": 0 - }, - "hideTimeOverride": true, - "id": 11, - "interval": null, - "links": [], - "maxDataPoints": 100, - "options": { - "orientation": "horizontal", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showThresholdLabels": false, - "showThresholdMarkers": true, - "text": {} - }, - "pluginVersion": "8.1.2", - "targets": [ - { - "expr": "100 * (redis_memory_used_bytes{instance=~\"$instance\"} / redis_memory_max_bytes{instance=~\"$instance\"} )", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "", - "metric": "", - "refId": "A", - "step": 2 - } - ], - "timeFrom": "1m", - "timeShift": null, - "title": "Memory Usage", - "type": "gauge" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "editable": true, - "error": false, - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "grid": {}, - "gridPos": { - "h": 7, - "w": 8, - "x": 8, - "y": 0 - }, - "hiddenSeries": false, - "id": 2, - "isNew": true, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 2, - "links": [], - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.2", - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - 
"spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(redis_commands_processed_total{instance=~\"$instance\"}[1m])", - "format": "time_series", - "interval": "", - "intervalFactor": 2, - "legendFormat": "{{ instance }}", - "metric": "A", - "refId": "A", - "step": 240, - "target": "" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Commands Executed / sec", - "tooltip": { - "msResolution": false, - "shared": true, - "sort": 0, - "value_type": "cumulative" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "decimals": 2, - "editable": true, - "error": false, - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "grid": {}, - "gridPos": { - "h": 7, - "w": 8, - "x": 16, - "y": 0 - }, - "hiddenSeries": false, - "id": 1, - "isNew": true, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 2, - "links": [], - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": true, - "pluginVersion": "8.1.2", - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "irate(redis_keyspace_hits_total{instance=~\"$instance\"}[5m])", - "format": "time_series", - "hide": false, - "interval": 
"", - "intervalFactor": 2, - "legendFormat": "hits-{{instance}}", - "metric": "", - "refId": "A", - "step": 240, - "target": "" - }, - { - "expr": "irate(redis_keyspace_misses_total{instance=~\"$instance\"}[5m])", - "format": "time_series", - "hide": false, - "interval": "", - "intervalFactor": 2, - "legendFormat": "misses-{{instance}}", - "metric": "", - "refId": "B", - "step": 240, - "target": "" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Hits / Misses per Sec", - "tooltip": { - "msResolution": false, - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": 0, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": { - "max": "#BF1B00" - }, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "editable": true, - "error": false, - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "grid": {}, - "gridPos": { - "h": 7, - "w": 12, - "x": 0, - "y": 7 - }, - "hiddenSeries": false, - "id": 7, - "isNew": true, - "legend": { - "avg": false, - "current": false, - "hideEmpty": false, - "hideZero": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 2, - "links": [], - "nullPointMode": "null as zero", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.2", - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": 
"redis_memory_used_bytes{instance=~\"$instance\"} ", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "used-{{instance}}", - "metric": "", - "refId": "A", - "step": 240, - "target": "" - }, - { - "expr": "redis_memory_max_bytes{instance=~\"$instance\"} ", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "max", - "refId": "B", - "step": 240 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Total Memory Usage", - "tooltip": { - "msResolution": false, - "shared": true, - "sort": 0, - "value_type": "cumulative" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": 0, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "editable": true, - "error": false, - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "grid": {}, - "gridPos": { - "h": 7, - "w": 12, - "x": 12, - "y": 7 - }, - "hiddenSeries": false, - "id": 10, - "isNew": true, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 2, - "links": [], - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.2", - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(redis_net_input_bytes_total{instance=~\"$instance\"}[5m])", - "format": 
"time_series", - "intervalFactor": 2, - "legendFormat": "{{ input }}", - "refId": "A", - "step": 240 - }, - { - "expr": "rate(redis_net_output_bytes_total{instance=~\"$instance\"}[5m])", - "format": "time_series", - "interval": "", - "intervalFactor": 2, - "legendFormat": "{{ output }}", - "refId": "B", - "step": 240 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Network I/O", - "tooltip": { - "msResolution": true, - "shared": true, - "sort": 0, - "value_type": "cumulative" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "editable": true, - "error": false, - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 7, - "fillGradient": 0, - "grid": {}, - "gridPos": { - "h": 7, - "w": 12, - "x": 0, - "y": 14 - }, - "hiddenSeries": false, - "id": 5, - "isNew": true, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 2, - "links": [], - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.2", - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": true, - "steppedLine": false, - "targets": [ - { - "expr": "sum (redis_db_keys{instance=~\"$instance\"}) by (db)", - "format": "time_series", - "interval": "", - 
"intervalFactor": 2, - "legendFormat": "{{ db }} ", - "refId": "A", - "step": 240, - "target": "" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Total Items per DB", - "tooltip": { - "msResolution": false, - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "none", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "editable": true, - "error": false, - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 7, - "fillGradient": 0, - "grid": {}, - "gridPos": { - "h": 7, - "w": 12, - "x": 12, - "y": 14 - }, - "hiddenSeries": false, - "id": 13, - "isNew": true, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 2, - "links": [], - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.2", - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": true, - "steppedLine": false, - "targets": [ - { - "expr": "sum (redis_db_keys{instance=~\"$instance\"}) - sum (redis_db_keys_expiring{instance=~\"$instance\"}) ", - "format": "time_series", - "interval": "", - "intervalFactor": 2, - "legendFormat": "not expiring", - "refId": "A", - "step": 240, - "target": "" - }, - { - "expr": "sum (redis_db_keys_expiring{instance=~\"$instance\"}) ", - "format": "time_series", - "interval": "", 
- "intervalFactor": 2, - "legendFormat": "expiring", - "metric": "", - "refId": "B", - "step": 240 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Expiring vs Not-Expiring Keys", - "tooltip": { - "msResolution": false, - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": { - "evicts": "#890F02", - "memcached_items_evicted_total{instance=\"172.17.0.1:9150\",job=\"prometheus\"}": "#890F02", - "reclaims": "#3F6833" - }, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "editable": true, - "error": false, - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "grid": {}, - "gridPos": { - "h": 7, - "w": 12, - "x": 0, - "y": 21 - }, - "hiddenSeries": false, - "id": 8, - "isNew": true, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 2, - "links": [], - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.2", - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "alias": "reclaims", - "yaxis": 2 - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(redis_expired_keys_total{instance=~\"$instance\"}[5m])) by (instance)", - "format": "time_series", - "hide": false, - "interval": "", - "intervalFactor": 2, - 
"legendFormat": "expired", - "metric": "", - "refId": "A", - "step": 240, - "target": "" - }, - { - "expr": "sum(rate(redis_evicted_keys_total{instance=~\"$instance\"}[5m])) by (instance)", - "format": "time_series", - "interval": "", - "intervalFactor": 2, - "legendFormat": "evicted", - "refId": "B", - "step": 240 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Expired / Evicted", - "tooltip": { - "msResolution": false, - "shared": true, - "sort": 0, - "value_type": "cumulative" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "editable": true, - "error": false, - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 8, - "fillGradient": 0, - "grid": {}, - "gridPos": { - "h": 7, - "w": 12, - "x": 12, - "y": 21 - }, - "hiddenSeries": false, - "id": 14, - "isNew": true, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.2", - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": true, - "steppedLine": false, - "targets": [ - { - "expr": "topk(5, irate(redis_commands_total{instance=~\"$instance\"} [1m]))", - "format": "time_series", - "interval": "", - "intervalFactor": 2, - "legendFormat": 
"{{ cmd }}", - "metric": "redis_command_calls_total", - "refId": "A", - "step": 240 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Command Calls / sec", - "tooltip": { - "msResolution": true, - "shared": true, - "sort": 0, - "value_type": "cumulative" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "editable": true, - "error": false, - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 8, - "fillGradient": 0, - "grid": {}, - "gridPos": { - "h": 8, - "w": 24, - "x": 0, - "y": 28 - }, - "hiddenSeries": false, - "id": 15, - "isNew": true, - "legend": { - "alignAsTable": false, - "avg": true, - "current": true, - "hideZero": false, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.2", - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "topk(5, irate(redis_commands_duration_seconds_total{instance=~\"$instance\"} [1m]))", - "format": "time_series", - "interval": "", - "intervalFactor": 2, - "legendFormat": "{{ cmd }}-{{instance}}", - "metric": "redis_command_calls_total", - "refId": "A", - "step": 240 - } - ], - "thresholds": [], - "timeFrom": null, - 
"timeRegions": [], - "timeShift": null, - "title": "Command Duration", - "tooltip": { - "msResolution": true, - "shared": true, - "sort": 0, - "value_type": "cumulative" - }, - "transparent": true, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": "30s", - "schemaVersion": 30, - "style": "dark", - "tags": [ - "prometheus", - "redis" - ], - "templating": { - "list": [ - { - "allValue": null, - "current": { - "isNone": true, - "selected": false, - "text": "None", - "value": "" - }, - "datasource": "Prometheus", - "definition": "label_values(redis_up, release)", - "description": null, - "error": null, - "hide": 0, - "includeAll": false, - "label": null, - "multi": false, - "name": "release", - "options": [], - "query": { - "query": "label_values(redis_up, release)", - "refId": "Prometheus-release-Variable-Query" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 1, - "tagValuesQuery": "", - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": { - "selected": false, - "text": "All", - "value": "$__all" - }, - "datasource": "Prometheus", - "definition": "query_result(up{release=\"$release\"})", - "description": null, - "error": null, - "hide": 0, - "includeAll": true, - "label": null, - "multi": false, - "name": "instance", - "options": [], - "query": { - "query": "query_result(up{release=\"$release\"})", - "refId": "Prometheus-instance-Variable-Query" - }, - "refresh": 1, - "regex": "/.*instance=\"([^\"]+).*/", - "skipUrlSync": false, - "sort": 0, - "tagValuesQuery": "", - "tagsQuery": "", - "type": "query", - "useTags": false - } - ] - 
},
- "time": {
- "from": "now-1h",
- "to": "now"
- },
- "timepicker": {
- "refresh_intervals": [
- "5s",
- "10s",
- "30s",
- "1m",
- "5m",
- "15m",
- "30m",
- "1h",
- "2h",
- "1d"
- ],
- "time_options": [
- "5m",
- "15m",
- "1h",
- "6h",
- "12h",
- "24h",
- "2d",
- "7d",
- "30d"
- ]
- },
- "timezone": "browser",
- "title": "Redis Dashboard",
- "uid": "dvSx1Dpnz",
- "version": 1
-}
\ No newline at end of file
diff --git a/templates/prometheus/config/prometheus/alert.rules.j2 b/templates/prometheus/config/prometheus/alert.rules.j2
index 9f6af5b..1fc2333 100644
--- a/templates/prometheus/config/prometheus/alert.rules.j2
+++ b/templates/prometheus/config/prometheus/alert.rules.j2
@@ -465,7 +465,7 @@ groups:
 description: "Alert awx jobs failed"
 - alert: postgres backup zombies
- expr: 100 - ((node_filesystem_avail_bytes{instance=~"{{ stage }}-postgres-01.smardigo.digital",job=~"node-exporter",device='/dev/mapper/vg.postgres_backup-lv.postgres_backup'} * 100) / node_filesystem_size_bytes{instance=~"{{ stage }}-postgres-01.smardigo.digital",job=~"node-exporter",device='/dev/mapper/vg.postgres_backup-lv.postgres_backup'}) > 10
+ expr: 100 - ((node_filesystem_avail_bytes{instance=~"{{ shared_service_postgres_primary }}.smardigo.digital",job=~"node-exporter",device='/dev/mapper/vg.postgres_backup-lv.postgres_backup'} * 100) / node_filesystem_size_bytes{instance=~"{{ shared_service_postgres_primary }}.smardigo.digital",job=~"node-exporter",device='/dev/mapper/vg.postgres_backup-lv.postgres_backup'}) > 10
 for: 2h
 labels:
 severity: critical
diff --git a/templates/prometheus/config/prometheus/prometheus.yml.j2 b/templates/prometheus/config/prometheus/prometheus.yml.j2
index b9d4905..9cdf0cb 100644
--- a/templates/prometheus/config/prometheus/prometheus.yml.j2
+++ b/templates/prometheus/config/prometheus/prometheus.yml.j2
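Review bot: The added `expr` line still selects the backup volume with the regex matcher `instance=~"{{ shared_service_postgres_primary }}.smardigo.digital"`, but the value is now a single concrete host rather than a stage-derived pattern, so the unescaped dots in the domain act as regex wildcards for no benefit; an exact matcher `instance="{{ shared_service_postgres_primary }}.smardigo.digital"` (in both the avail and size selectors) states the intent and cannot over-match. Because the hostname is rendered straight into a double-quoted PromQL string, a value containing `"` or regex metacharacters would silently break or widen the rule; a short comment above the alert, `# shared_service_postgres_primary must be a bare hostname (no quotes, no regex meta)`, would make that contract visible to whoever defines it per stage. The rule's annotations lie outside this hunk.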
@@ -317,7 +317,7 @@ scrape_configs:
 username: '{{ awx_ansible_username }}'
 password: '{{ awx_ansible_password }}'
 static_configs:
- - targets: ['{{ shared_service_kube_awx_hostname }}']
+ - targets: ['{{ shared_service_kube_hostname_awx }}']
 labels:
 env: {{ stage }}
 project: awx
@@ -357,27 +357,6 @@ scrape_configs:
 target_label: instance
 replacement: $1
- - job_name: 'redis'
- scheme: http
- metrics_path: '/metrics'
- static_configs:
- - targets: [
-{% for server_info in stage_server_infos | default([]) %}
-{% if server_info.service == 'redis' %}
- '{{ server_info.name }}.{{ hostvars[server_info.name].domain }}:{{ redis_exporter_service_port | default("9121") }}',
-{% endif %}
-{% endfor %}
- ]
- labels:
- env: {{ stage }}
- project: infrastructure
- application: redis
- relabel_configs:
- - source_labels: [__address__]
- regex: (.*)
- target_label: instance
- replacement: $1
-
 ##############################################
 ### Servers ####
 ##############################################
diff --git a/upload-database-dump.yml b/upload-database-dump.yml
index 5292bba..fa1bc4b 100644
--- a/upload-database-dump.yml
+++ b/upload-database-dump.yml
@@ -31,7 +31,7 @@ tasks:
 - name: "Add maria servers to hosts if necessary"
 add_host:
- name: "{{ shared_service_maria_primary }}"
+ name: "{{ shared_service_maria_primary }}"
 groups:
 - "stage_{{ stage }}"
 - "{{ item }}"
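Review bot: In the `upload-database-dump.yml` hunk the `add_host` name is now taken from `shared_service_maria_primary`, which is no longer derived from `stage`, yet the unchanged `groups` entry still places that host into `stage_{{ stage }}`; if the same shared host is registered while iterating several stages it will end up in every stage group, which is probably not intended for a shared service — worth confirming against the loop, which lies outside this hunk (`{{ item }}` is used but the `loop` line is not visible). If `shared_service_maria_primary` is only defined for some stages, the new line fails at render time rather than at connection time; a one-line comment above the task, `# shared_service_maria_primary must be set per stage (see group_vars)`, would point the next reader at where to fix it.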