From f53c1ff5f78c738b20cf68d8fb41b1b45b3aa0b3 Mon Sep 17 00:00:00 2001
From: friedrich goerz
Date: Tue, 26 Jul 2022 12:34:20 +0200
Subject: [PATCH] SC-55: added separate keycloak instance for k8s-RBAC purpose
---
 group_vars/stage_dev/plain.yml | 3 ---
 group_vars/stage_devscr/keycloak.yml | 5 ++++
 group_vars/stage_devscr/plain.yml | 25 +++++++++++++++++++
 group_vars/stage_prodnso/plain.yml | 6 -----
 group_vars/stage_qa/plain.yml | 6 -----
 host_vars/devscr-keycloak-01.yml | 6 +++++
 host_vars/devscr-postgres-01.yml | 4 +++
 roles/keycloak/defaults/main.yml | 3 +++
 roles/postgres/defaults/main.yml | 2 ++
 .../tasks/base-requirements_backup.yml | 3 +++
 roles/postgres/tasks/master-requirements.yml | 2 ++
 roles/traefik/defaults/main.yml | 7 ++++++
 stage-devscr | 8 ++++++
 13 files changed, 65 insertions(+), 15 deletions(-)
 create mode 100644 group_vars/stage_devscr/keycloak.yml
 create mode 100644 host_vars/devscr-keycloak-01.yml
 create mode 100644 host_vars/devscr-postgres-01.yml
diff --git a/group_vars/stage_dev/plain.yml b/group_vars/stage_dev/plain.yml
index 4b6e55c..a64ba46 100644
--- a/group_vars/stage_dev/plain.yml
+++ b/group_vars/stage_dev/plain.yml
@@ -307,9 +307,6 @@ webdav_jwt_secret: "5646aee6dadc4c19b15f4b65f1e6549f"
 iam_jwt_enabled: true
 iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"
-keycloak_admin_username: "keycloak-admin"
-keycloak_admin_password: "keycloak-admin"
-
 # Note: all dollar signs in the hash need to be doubled for escaping.
 # To create user:password pair, it's possible to use this command:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
diff --git a/group_vars/stage_devscr/keycloak.yml b/group_vars/stage_devscr/keycloak.yml
new file mode 100644
index 0000000..5e613f9
--- /dev/null
+++ b/group_vars/stage_devscr/keycloak.yml
@@ -0,0 +1,5 @@
+---
+keycloak_version: 18.0.2-legacy
+keycloak_image: quay.io/keycloak/keycloak
+
+keycloak_server_url: "https://{{ shared_service_keycloak_hostname }}"
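Review bot: `keycloak_image: quay.io/keycloak/keycloak` in the new group_vars/stage_devscr/keycloak.yml replaces the role default, which this same commit shows as `"{{ shared_service_harbor_hostname }}/smardigo/keycloak"`, so this stage pulls the identity provider that is meant to back cluster RBAC directly from the public registry instead of the internal Harbor. If the Harbor path exists for provenance control, the override silently bypasses it; if the public source is intended, a comment saying so and, where the role composes the image reference, a digest pin (`@sha256:<digest-placeholder>`) would make the pull reproducible. The two values are also unquoted plain scalars while the role default quotes its counterparts; `keycloak_version: "18.0.2-legacy"` matches that style and guards against future tag values that look like numbers.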
diff --git a/group_vars/stage_devscr/plain.yml b/group_vars/stage_devscr/plain.yml
index 4d4c2ee..4a8e0c2 100644
--- a/group_vars/stage_devscr/plain.yml
+++ b/group_vars/stage_devscr/plain.yml
@@ -17,6 +17,18 @@ default_plattform_users: # TODO read configuration with hetzner rest api
 shared_service_network: "10.1.0.0/16"
+shared_service_pg_master_ip: "{{ stage_server_infos
+ | selectattr('name', 'match', stage + '-postgres-01' )
+ | map(attribute='private_ip')
+ | list
+ | first
+ | default('-') }}"
+shared_service_keycloak_ip: "{{ stage_server_infos
+ | selectattr('name', 'match', stage + '-keycloak-01' )
+ | map(attribute='private_ip')
+ | list
+ | first
+ | default('-') }}"
 shared_service_kube_cpl_01: "{{ stage_server_infos
 | selectattr('name', 'match', stage + '-kube-cpl-01' )
 | map(attribute='private_ip')
@@ -55,6 +67,11 @@ shared_service_kube_node_03: "{{ stage_server_infos
 | default('-') }}"
 shared_service_kube_ip: "{{ stage_private_ingress_loadbalancer_ip | default('-') }}"
+shared_service_postgres_01_hostname: "{{ stage }}-postgres-01"
+shared_service_keycloak_hostname: "{{ stage }}-keycloak-01.{{ domain }}"
+# following server does not exist
+# but needs to be set for configuring keycloak realms ... crap
+shared_service_mail_hostname: "{{ stage }}-mail-01.{{ domain }}"
 kube_cpl_01_hostname: "{{ stage }}-kube-cpl-01.{{ domain }}"
 kube_cpl_02_hostname: "{{ stage }}-kube-cpl-02.{{ domain }}"
@@ -72,6 +89,10 @@ shared_service_hosts: [
 ip: "127.0.1.1",
 name: "{{ inventory_hostname }}"
 },
+ {
+ ip: "{{ shared_service_pg_master_ip }}",
+ name: "{{ shared_service_postgres_01_hostname }}"
+ },
 {
 ip: "{{ shared_service_kube_cpl_01 }}",
 name: "{{ kube_cpl_01_hostname }}"
@@ -108,6 +129,10 @@ shared_service_hosts: [
 ip: "{{ shared_service_kube_ip }}",
 name: "{{ shared_service_kube_harbor_hostname }}"
 },
+ {
+ ip: "{{ shared_service_keycloak_ip }}",
+ name: "{{ shared_service_keycloak_hostname }}"
+ }
 ]
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
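Review bot: `shared_service_postgres_01_hostname: "{{ stage }}-postgres-01"` in the second hunk is the only hostname without the `.{{ domain }}` suffix, while the keycloak and mail entries beside it and the existing `kube_cpl_*` lines all carry it; if that is not deliberate, the `/etc/hosts` entry added in the third hunk resolves only the short name. In the first hunk both new lookups fall back to `default('-')`, and that sentinel flows unchanged into `shared_service_hosts` via `ip: "{{ shared_service_pg_master_ip }}"` and `ip: "{{ shared_service_keycloak_ip }}"`, so a server missing from `stage_server_infos` produces a hosts line with `-` as the address instead of a failed run; replacing the fallback with `| mandatory` or asserting the value in the play surfaces that early. The mail-hostname comment would be clearer as `# no mail server exists in this stage; the keycloak realm configuration still requires a hostname`.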
diff --git a/group_vars/stage_prodnso/plain.yml b/group_vars/stage_prodnso/plain.yml
index 544e575..8cdbe6c 100644
--- a/group_vars/stage_prodnso/plain.yml
+++ b/group_vars/stage_prodnso/plain.yml
@@ -307,14 +307,8 @@ webdav_jwt_secret: "5646aee6dadc4c19b15f4b65f1e6549f"
 iam_jwt_enabled: true
 iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"
-keycloak_admin_username: "keycloak-admin"
 keycloak_admin_password: "{{ keycloak_admin_password_vault }}"
-# Note: all dollar signs in the hash need to be doubled for escaping.
-# To create user:password pair, it's possible to use this command:
-# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
-# TODO should be part of the automation (htpasswd -nb traefik-admin traefik-admin)
-traefik_admin_username: "traefik-admin"
 traefik_admin_password: "{{ traefik_admin_password_vault }}"
 grafana_admin_username: "grafana-admin"
diff --git a/group_vars/stage_qa/plain.yml b/group_vars/stage_qa/plain.yml
index b53a187..9562a8b 100644
--- a/group_vars/stage_qa/plain.yml
+++ b/group_vars/stage_qa/plain.yml
@@ -307,14 +307,8 @@ webdav_jwt_secret: "5646aee6dadc4c19b15f4b65f1e6549f"
 iam_jwt_enabled: true
 iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"
-keycloak_admin_username: "keycloak-admin"
 keycloak_admin_password: "{{ keycloak_admin_password_vault }}"
-# Note: all dollar signs in the hash need to be doubled for escaping.
-# To create user:password pair, it's possible to use this command:
-# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
-# TODO should be part of the automation (htpasswd -nb traefik-admin traefik-admin)
-traefik_admin_username: "traefik-admin"
 traefik_admin_password: "{{ traefik_admin_password_vault }}"
 grafana_admin_username: "grafana-admin"
diff --git a/host_vars/devscr-keycloak-01.yml b/host_vars/devscr-keycloak-01.yml
new file mode 100644
index 0000000..7f259e5
--- /dev/null
+++ b/host_vars/devscr-keycloak-01.yml
@@ -0,0 +1,6 @@
+---
+
+
+filebeat_enabled: false
+
+pg_backup_hcloud: false
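Review bot: `filebeat_enabled: false` in the new host_vars/devscr-keycloak-01.yml switches off log shipping for the very instance this commit introduces as the RBAC identity provider, so its login and admin-console events would not reach whatever central pipeline filebeat feeds; a comment such as `# dev stage only: RBAC keycloak logs are not shipped yet` would record that this is a conscious choice and stop the file being copied verbatim into other stages. `pg_backup_hcloud: false` is a postgres-role variable, and the stage-devscr inventory in this commit places devscr-keycloak-01 only in `[keycloak]`, so either the keycloak role also runs the postgres backup tasks or this line is dead; a one-line comment on which would help the next reader. The two blank lines directly after `---` differ from the other host_vars file in the diff.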
diff --git a/host_vars/devscr-postgres-01.yml b/host_vars/devscr-postgres-01.yml
new file mode 100644
index 0000000..a8d47fc
--- /dev/null
+++ b/host_vars/devscr-postgres-01.yml
@@ -0,0 +1,4 @@
+---
+
+server_type: "master"
+filebeat_enabled: false
diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml
index c8af49f..c7a6384 100644
--- a/roles/keycloak/defaults/main.yml
+++ b/roles/keycloak/defaults/main.yml
@@ -3,5 +3,8 @@
 # TODO doesn't bind to local port (currently used by setup keycloak with ansible)
 service_port_keycloak_external: "8110"
+keycloak_admin_username: "keycloak-admin"
+keycloak_admin_password: "keycloak-admin"
+
 keycloak_version: "14.0.0.1"
 keycloak_image: "{{ shared_service_harbor_hostname }}/smardigo/keycloak"
diff --git a/roles/postgres/defaults/main.yml b/roles/postgres/defaults/main.yml
index ae0ba84..c72430d 100644
--- a/roles/postgres/defaults/main.yml
+++ b/roles/postgres/defaults/main.yml
@@ -367,6 +367,8 @@ postgres_exporter_additional_queries:
 usage: "COUNTER"
 description: "Total time the statement spent writing blocks, in milliseconds (if track_io_timing is enabled, otherwise zero)"
+pg_backup_hcloud: true
+
 database_engine: postgres
 backup_dest_dir: "{{ backup_directory }}/{{ database_engine }}/{{ get_current_date }}"
 backup_status_file: '{{ backup_dest_dir }}/backup_finished'
diff --git a/roles/postgres/tasks/base-requirements_backup.yml b/roles/postgres/tasks/base-requirements_backup.yml
index 5f68412..b80a745 100644
--- a/roles/postgres/tasks/base-requirements_backup.yml
+++ b/roles/postgres/tasks/base-requirements_backup.yml
@@ -14,6 +14,9 @@
 register: created_volume
 delegate_to: localhost
 become: false
+ when:
+ - pg_backup_hcloud is defined
+ - pg_backup_hcloud
 - name: "Getting all hcloud volumes for"
 hcloud_volume_info:
diff --git a/roles/postgres/tasks/master-requirements.yml b/roles/postgres/tasks/master-requirements.yml
index 998557f..e003fe7 100644
--- a/roles/postgres/tasks/master-requirements.yml
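Review bot: `keycloak_admin_password: "keycloak-admin"` as a role default in roles/keycloak/defaults/main.yml gives every stage that does not override it — stage_dev, whose own copy this commit removes, and any stage added later — a fixed, source-visible admin password for the instance that now gates cluster RBAC, whereas prodnso and qa keep their `{{ keycloak_admin_password_vault }}` override. Defining only the username here and leaving the password unset, then failing early in the role with an `assert` that `keycloak_admin_password is defined` (or `{{ keycloak_admin_password | mandatory }}` at the point of use), forces each stage to supply a vault value instead of inheriting this one. At minimum the line needs `# dev-only default; every stage must override this from vault` so the intent survives the next copy.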
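Review bot: The two-item `when:` in roles/postgres/tasks/base-requirements_backup.yml, `- pg_backup_hcloud is defined` followed by `- pg_backup_hcloud`, is redundant once roles/postgres/defaults/main.yml in this same commit sets `pg_backup_hcloud: true`; `when: pg_backup_hcloud | bool` expresses the same condition and also tolerates a string value from host_vars. Only the volume-creation task receives the guard here, while the following `Getting all hcloud volumes for` task is visibly unguarded and the rest of the file lies outside the hunk; if that task and any later attach or mount steps also call the hcloud API, a host with `pg_backup_hcloud: false` still makes those calls. The guarded task starts before the hunk.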
+++ b/roles/postgres/tasks/master-requirements.yml
@@ -27,6 +27,7 @@
 line: "host replication replicator {{ shared_service_pg_slave_ip }}/32 trust"
 path: /etc/postgresql/{{ default_postgres_version }}/main/pg_hba.conf
 register: pg_hba_conf_replicator
+ when: shared_service_pg_slave_ip is defined
 - name: Set 'wal_level = replica' for master postgresql instance
 lineinfile:
@@ -81,6 +82,7 @@
 line: "/postgresql/replication/ {{ shared_service_pg_slave_ip }}/32(rw,crossmnt,root_squash,no_subtree_check,sync)"
 state: present
 register: nfsshare_archive_check
+ when: shared_service_pg_slave_ip is defined
 - name: Restart nfs-server if necessary # noqa no-handler
 service:
diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml
index 5e202c0..82ad835 100644
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@@ -2,3 +2,10 @@ traefik_image_name: "traefik"
 traefik_image_version: "v2.6"
+
+# Note: all dollar signs in the hash need to be doubled for escaping.
+# To create user:password pair, it's possible to use this command:
+# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+# TODO should be part of the automation (htpasswd -nb )
+traefik_admin_username: "traefik-admin"
+traefik_admin_password: "$apr1$nJfFcFaI$ylS3Qa9BWAvhrMo5tWiD9."
diff --git a/stage-devscr b/stage-devscr
index dd9d487..63a82df 100644
--- a/stage-devscr
+++ b/stage-devscr
@@ -1,3 +1,9 @@
+[keycloak]
+devscr-keycloak-01
+
+[postgres]
+devscr-postgres-01
+
 [kube_control_plane]
 devscr-kube-cpl-01
 devscr-kube-cpl-02
@@ -22,6 +28,8 @@ kube_node
 [stage_devscr:children]
 k8s_cluster
+keycloak
+postgres
 [all:children]
 stage_devscr
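Review bot: `when: shared_service_pg_slave_ip is defined` on the pg_hba task, and the identical guard on the NFS-export task in the second hunk of roles/postgres/tasks/master-requirements.yml, only skips the task when the variable is absent; if `shared_service_pg_slave_ip` is built like the `shared_service_pg_master_ip` lookup this commit adds to group_vars/stage_devscr/plain.yml (not visible here), it always exists and falls back to `'-'`, so the guard passes and `host replication replicator -/32 trust` is written into pg_hba.conf and `-/32(rw,...)` into the export. Rejecting the sentinel as well, `when: shared_service_pg_slave_ip is defined and shared_service_pg_slave_ip != '-'`, keeps the single-node devscr stage from producing a malformed rule. The `trust` auth method on that replication line predates this commit, which is exactly why the address it is bound to must never be a placeholder. Both guarded tasks begin before their hunks.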
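Review bot: `traefik_admin_password: "$apr1$nJfFcFaI$ylS3Qa9BWAvhrMo5tWiD9."` in roles/traefik/defaults/main.yml contradicts the comment two lines above it, which states that every dollar sign in the hash has to be doubled; either the consumer escapes the value itself and the comment is stale, or this default is mangled wherever the comment applies, and the file should say which. Shipping an htpasswd hash as a role default also means every stage without a `traefik_admin_password` override (stage_dev after this commit) shares one dashboard credential, and the hash is apr1/MD5 rather than bcrypt (`htpasswd -nbB`); leaving the default unset and requiring a vault value per stage avoids both. The restored TODO line `(htpasswd -nb )` has lost the example arguments present in the comment block removed from prodnso and qa.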