SC/124: added LB for apiserver + related properties for kubepsray

- after connect/wordpress update through the portal the
  wordpress used a wrong useris in communication with
  the connect backend

.gitlab-ci.yml

@@ -11,16 +11,18 @@ services:
     alias: docker
 
 stages:
-  - ansible-lint
+  - lint
   - ansible-builder
-  - ansible-run-setup
-  - ansible-run-kubernetes
-  - ansible-patchday
+  - run-setup
+  - run-setup-digitalocean
+  - run-kubernetes
+  - run-management-update
+  - run-patchday
 
-ansible-lint-job:
-  stage: ansible-lint
+lint-job:
+  stage: lint
   script:
-    - echo "Running ansible-lint to check for linting violations"
+    - echo "Running lint to check for linting violations"
     - ansible-lint -c ansible-lint.cfg
   only:
     - branches
@@ -29,19 +31,19 @@ ansible-lint-job:
   tags:
     - dind
 
-ansible-builder-job:
+builder-job:
   # A resource group ensures a job is mutually exclusive across different pipelines for the same project.
-  resource_group: deployment
+  resource_group: dev
   stage: ansible-builder
   before_script:
     - cd ansible-builder
   script:
-    - echo "Running ansible-build to build awx execution environment"
+    - echo "Running ansible-builder to build awx execution environment"
     - ansible-builder build -v 3 --tag $AWX_EE_DOCKER_IMAGE_EXTERN:latest
     - docker push $AWX_EE_DOCKER_IMAGE_EXTERN:latest
   only:
     refs:
-      - master
+      - main
     changes:
       - pip-requirements
       - galaxy-requirements.yml
@@ -52,22 +54,30 @@ ansible-builder-job:
     - dind
     - harbor # 05.02.22 TODO some runners run into timeouts
 
+##################################################################################
+
+.run-ansible:
+  image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
+  tags:
+    - dind
+    - harbor # 05.02.22 TODO some runners run into timeouts
+
 ########
-###   https://patorjk.com/software/taag/#p=display&f=Doom&t=ansible%20-%20run
+###   http://patorjk.com/software/taag/#p=display&f=Doom&t=setup.yml
 ###
-###                    _ _     _                                                       _                               _
-###                   (_) |   | |                                                     | |                             | |
-###     __ _ _ __  ___ _| |__ | | ___   ______   _ __ _   _ _ __     ______   ___  ___| |_ _   _ _ __  _   _ _ __ ___ | |
-###    / _` | '_ \/ __| | '_ \| |/ _ \ |______| | '__| | | | '_ \   |______| / __|/ _ \ __| | | | '_ \| | | | '_ ` _ \| |
-###   | (_| | | | \__ \ | |_) | |  __/          | |  | |_| | | | |           \__ \  __/ |_| |_| | |_) | |_| | | | | | | |
-###    \__,_|_| |_|___/_|_.__/|_|\___|          |_|   \__,_|_| |_|           |___/\___|\__|\__,_| .__(_)__, |_| |_| |_|_|
+###             _                               _ 
+###            | |                             | |
+###    ___  ___| |_ _   _ _ __  _   _ _ __ ___ | |
+###   / __|/ _ \ __| | | | '_ \| | | | '_ ` _ \| |
+###   \__ \  __/ |_| |_| | |_) | |_| | | | | | | |
+###   |___/\___|\__|\__,_| .__(_)__, |_| |_| |_|_|
 ###                      | |     __/ |            
 ###                      |_|    |___/             
 
-ansible-run-setup-1-dev:
-  image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
-  stage: ansible-run-setup
-  before_script:
+.run-setup:
+  extends: .run-ansible
+  stage: run-setup
+  script:
     - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
     - eval $(ssh-agent -s)
     - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
@@ -75,81 +85,87 @@ ansible-run-setup-1-dev:
     - chmod 0700 ~/.ssh
     - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
     - ssh-add -L
-  script:
-    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
-    - STAGE=dev && HETZNER_LABEL_SELECTOR="stage=${STAGE}" && ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml setup.yml --tags common --vault-password-file /tmp/vault-pass -u gitlabci
+    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
+    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml setup.yml --vault-password-file /tmp/vault-pass -t common -u gitlabci
   after_script:
     - rm /tmp/vault-pass
-  only:
-    - master
+  except:
     - schedules
-  tags:
-    - dind
-    - harbor # 05.02.22 TODO some runners run into timeouts
-  resource_group: dev
 
-ansible-run-setup-2-qa:
-  image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
-  stage: ansible-run-setup
+run-setup-digitalocean:
+  extends: .run-ansible
+  stage: run-setup
   before_script:
+    - export STAGE=dev
+    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
+  script:
     - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
     - eval $(ssh-agent -s)
     - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
     - mkdir -p ~/.ssh
     - chmod 0700 ~/.ssh
     - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
-  script:
-    - echo "${ANSIBLE_VAULT_PASS_QA}" > /tmp/vault-pass
-    - STAGE=qa && HETZNER_LABEL_SELECTOR="stage=${STAGE}" && ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml setup.yml --tags common --vault-password-file /tmp/vault-pass -u gitlabci
+    - ssh-add -L
+    - ansible-playbook -i stage-digitalocean setup.yml --vault-password-file /tmp/vault-pass -t common -u gitlabci
   after_script:
     - rm /tmp/vault-pass
   only:
-    - qa
+    - main
+  except:
     - schedules
-  tags:
-    - dind
-    - harbor # 05.02.22 TODO some runners run into timeouts
+
+run-setup-dev:
+  extends: .run-setup
+  resource_group: dev
+  before_script:
+    - export STAGE=dev
+    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
+  only:
+    - main
+
+run-setup-devscr:
+  extends: .run-setup
+  resource_group: devscr
+  before_script:
+    - export STAGE=devscr
+    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
+  only:
+    - main
+
+run-setup-qa:
+  extends: .run-setup
   resource_group: qa
+  before_script:
+    - export STAGE=qa
+    - echo "${ANSIBLE_VAULT_PASS_QA}" > /tmp/vault-pass
+  only:
+    - qa
 
-ansible-run-setup-3-prodnso:
-  image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
-  stage: ansible-run-setup
+run-setup-prodnso:
+  extends: .run-setup
+  resource_group: prodnso
   before_script:
-    - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
-    - eval $(ssh-agent -s)
-    - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
-    - mkdir -p ~/.ssh
-    - chmod 0700 ~/.ssh
-    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
-  script:
+    - export STAGE=prodnso
     - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
-    - STAGE=prodnso && HETZNER_LABEL_SELECTOR="stage=${STAGE}" && ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml setup.yml --tags common --vault-password-file /tmp/vault-pass -u gitlabci
-  after_script:
-    - rm /tmp/vault-pass
   only:
     - prodnso
-    - schedules
-  tags:
-    - dind
-    - harbor # 05.02.22 TODO some runners run into timeouts
-  resource_group: prodnso
 
 ########
-###   https://patorjk.com/software/taag/#p=display&f=Doom&t=ansible%20-%20run
+###   This Page: http://patorjk.com/software/taag/#p=display&f=Doom&t=kubernetes.yml
 ###
-###                    _ _     _                                              _          _                          _                             _
-###                   (_) |   | |                                            | |        | |                        | |                           | |
-###     __ _ _ __  ___ _| |__ | | ___   ______   _ __ _   _ _ __     ______  | | ___   _| |__   ___ _ __ _ __   ___| |_ ___  ___  _   _ _ __ ___ | |
-###    / _` | '_ \/ __| | '_ \| |/ _ \ |______| | '__| | | | '_ \   |______| | |/ / | | | '_ \ / _ \ '__| '_ \ / _ \ __/ _ \/ __|| | | | '_ ` _ \| |
-###   | (_| | | | \__ \ | |_) | |  __/          | |  | |_| | | | |           |   <| |_| | |_) |  __/ |  | | | |  __/ ||  __/\__ \| |_| | | | | | | |
-###    \__,_|_| |_|___/_|_.__/|_|\___|          |_|   \__,_|_| |_|           |_|\_\\__,_|_.__/ \___|_|  |_| |_|\___|\__\___||___(_)__, |_| |_| |_|_|
+###    _          _                          _                             _
+###   | |        | |                        | |                           | |
+###   | | ___   _| |__   ___ _ __ _ __   ___| |_ ___  ___  _   _ _ __ ___ | |
+###   | |/ / | | | '_ \ / _ \ '__| '_ \ / _ \ __/ _ \/ __|| | | | '_ ` _ \| |
+###   |   <| |_| | |_) |  __/ |  | | | |  __/ ||  __/\__ \| |_| | | | | | | |
+###   |_|\_\\__,_|_.__/ \___|_|  |_| |_|\___|\__\___||___(_)__, |_| |_| |_|_|
 ###                                                         __/ |
 ###                                                        |___/
 
-ansible-run-kubernetes-1-dev:
-  image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
-  stage: ansible-run-kubernetes
-  before_script:
+.run-kubernetes:
+  extends: .run-ansible
+  stage: run-kubernetes
+  script:
     - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
     - eval $(ssh-agent -s)
     - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
@@ -157,144 +173,152 @@ ansible-run-kubernetes-1-dev:
     - chmod 0700 ~/.ssh
     - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
     - ssh-add -L
-  script:
-    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
-    - STAGE=dev && HETZNER_LABEL_SELECTOR="stage=${STAGE}" && ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml kubernetes.yml --vault-password-file /tmp/vault-pass -u gitlabci
+    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
+    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml kubernetes.yml --vault-password-file /tmp/vault-pass -u gitlabci
   after_script:
     - rm /tmp/vault-pass
-  only:
-    - master
+  except:
     - schedules
-  tags:
-    - dind
-    - harbor # 05.02.22 TODO some runners run into timeouts
+
+run-kubernetes-dev:
+  extends: .run-kubernetes
   resource_group: dev
+  before_script:
+    - export STAGE=dev
+    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
+  only:
+    - main
 
-ansible-run-kubernetes-2-qa:
-  image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
-  stage: ansible-run-kubernetes
+run-kubernetes-qa:
+  extends: .run-kubernetes
+  resource_group: qa
   before_script:
-    - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
-    - eval $(ssh-agent -s)
-    - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
-    - mkdir -p ~/.ssh
-    - chmod 0700 ~/.ssh
-    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
-  script:
+    - export STAGE=qa
     - echo "${ANSIBLE_VAULT_PASS_QA}" > /tmp/vault-pass
-    - STAGE=qa && HETZNER_LABEL_SELECTOR="stage=${STAGE}" && ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml kubernetes.yml --vault-password-file /tmp/vault-pass -u gitlabci
-  after_script:
-    - rm /tmp/vault-pass
   only:
     - qa
-    - schedules
-  tags:
-    - dind
-    - harbor # 05.02.22 TODO some runners run into timeouts
-  resource_group: qa
 
-ansible-run-kubernetes-3-prodnso:
-  image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
-  stage: ansible-run-kubernetes
+run-kubernetes-prodnso:
+  extends: .run-kubernetes
+  resource_group: prodnso
   before_script:
-    - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
-    - eval $(ssh-agent -s)
-    - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
-    - mkdir -p ~/.ssh
-    - chmod 0700 ~/.ssh
-    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
-  script:
+    - export STAGE=prodnso
     - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
-    - STAGE=prodnso && HETZNER_LABEL_SELECTOR="stage=${STAGE}" && ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml kubernetes.yml --vault-password-file /tmp/vault-pass -u gitlabci
-  after_script:
-    - rm /tmp/vault-pass
   only:
     - prodnso
-    - schedules
-  tags:
-    - dind
-    - harbor # 05.02.22 TODO some runners run into timeouts
-  resource_group: prodnso
 
 ########
-###   https://patorjk.com/software/taag/#p=display&f=Doom&t=patchday
-###                _       _         _
-###               | |     | |       | |
-###    _ __   __ _| |_ ___| |__   __| | __ _ _   _
-###   | '_ \ / _` | __/ __| '_ \ / _` |/ _` | | | |
-###   | |_) | (_| | || (__| | | | (_| | (_| | |_| |
-###   | .__/ \__,_|\__\___|_| |_|\__,_|\__,_|\__, |
-###   | |                                     __/ |
-###   |_|                                    |___/
+###   http://patorjk.com/software/taag/#p=display&f=Doom&t=smardigo.yml
 ###
+###                                _ _                             _ 
+###                               | (_)                           | |
+###    ___ _ __ ___   __ _ _ __ __| |_  __ _  ___  _   _ _ __ ___ | |
+###   / __| '_ ` _ \ / _` | '__/ _` | |/ _` |/ _ \| | | | '_ ` _ \| |
+###   \__ \ | | | | | (_| | | | (_| | | (_| | (_) | |_| | | | | | | |
+###   |___/_| |_| |_|\__,_|_|  \__,_|_|\__, |\___(_)__, |_| |_| |_|_|
+###                                     __/ |       __/ |            
+###                                    |___/       |___/             
 
-ansible-patchday-1-dev:
-  image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
-  stage: ansible-patchday
-  before_script:
+.run-management-update:
+  extends: .run-ansible
+  stage: run-management-update
+  script:
     - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
     - eval $(ssh-agent -s)
     - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
     - mkdir -p ~/.ssh
     - chmod 0700 ~/.ssh
     - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
-  script:
-    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
-    - STAGE=dev && HETZNER_LABEL_SELECTOR="stage=${STAGE}" && ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci
+    - ssh-add -L
+    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
+    - ansible-playbook -i stage-$STAGE smardigo.yml --vault-password-file=/tmp/vault-pass -l management -t update_configurations -u gitlabci
   after_script:
     - rm /tmp/vault-pass
-  when: manual
   only:
-    - master
-  tags:
-    - dind
-    - harbor # 05.02.22 TODO some runners run into timeouts
+    changes:
+      - smardigo/**/*
+  except:
+    - schedules
+
+run-management-update-dev:
+  extends: .run-management-update
   resource_group: dev
+  before_script:
+    - export STAGE=dev
+    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
+  only:
+    - main
 
-ansible-patchday-2-qa:
-  image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
-  stage: ansible-patchday
+run-management-update-qa:
+  extends: .run-management-update
+  resource_group: qa
   before_script:
-    - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
-    - eval $(ssh-agent -s)
-    - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
-    - mkdir -p ~/.ssh
-    - chmod 0700 ~/.ssh
-    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
-  script:
+    - export STAGE=qa
     - echo "${ANSIBLE_VAULT_PASS_QA}" > /tmp/vault-pass
-    - STAGE=qa && HETZNER_LABEL_SELECTOR="stage=${STAGE}" && ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci
-  after_script:
-    - rm /tmp/vault-pass
-  when: manual
   only:
     - qa
-    - schedules
-  tags:
-    - dind
-    - harbor # 05.02.22 TODO some runners run into timeouts
-  resource_group: qa
 
-ansible-patchday-3-prodnso:
-  image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
-  stage: ansible-patchday
+run-management-update-prodnso:
+  extends: .run-management-update
+  resource_group: prodnso
   before_script:
+    - export STAGE=prodnso
+    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
+  only:
+    - prodnso
+
+########
+###   http://patorjk.com/software/taag/#p=display&f=Doom&t=patchday.yml
+###   
+###                _       _         _                              _ 
+###               | |     | |       | |                            | |
+###    _ __   __ _| |_ ___| |__   __| | __ _ _   _  _   _ _ __ ___ | |
+###   | '_ \ / _` | __/ __| '_ \ / _` |/ _` | | | || | | | '_ ` _ \| |
+###   | |_) | (_| | || (__| | | | (_| | (_| | |_| || |_| | | | | | | |
+###   | .__/ \__,_|\__\___|_| |_|\__,_|\__,_|\__, (_)__, |_| |_| |_|_|
+###   | |                                     __/ |  __/ |            
+###   |_|                                    |___/  |___/             
+
+.run-patchday:
+  extends: .run-ansible
+  stage: run-patchday
+  script:
     - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
     - eval $(ssh-agent -s)
     - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
     - mkdir -p ~/.ssh
     - chmod 0700 ~/.ssh
     - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
-  script:
-    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
-    - STAGE=prodnso && HETZNER_LABEL_SELECTOR="stage=${STAGE}" && ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci
+    - ssh-add -L
+    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
+    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci
   after_script:
     - rm /tmp/vault-pass
-  when: manual
-  only:
-    - prodnso
-    - schedules
-  tags:
-    - dind
-    - harbor # 05.02.22 TODO some runners run into timeouts
+  timeout: 2h
+
+run-patchday-dev:
+  extends: .run-patchday
+  resource_group: dev
+  before_script:
+    - export STAGE=dev
+    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
+
+run-patchday-qa:
+  extends: .run-patchday
+  resource_group: qa
+  before_script:
+    - export STAGE=qa
+    - echo "${ANSIBLE_VAULT_PASS_QA}" > /tmp/vault-pass
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "qa"
+
+run-patchday-prodnso:
+  extends: .run-patchday
   resource_group: prodnso
+  before_script:
+    - export STAGE=prodnso
+    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso"

.gitmodules

@@ -1,4 +1,4 @@
 [submodule "kubespray"]
   path = kubespray
   url = https://github.com/kubernetes-sigs/kubespray.git
-  branch = v2.18.0
+  branch = release-2.19

ansible.cfg

@@ -2,7 +2,12 @@
 pipelining = True
 host_key_checking = False
 inventory_plugins = ./inventory_plugins
-callbacks_enabled = timer
+callbacks_enabled = profile_tasks
 interpreter_python = auto_silent
 log_path=last_ansible_run
 forks = 30
+# https://issues.arxes-tolina.de/browse/DEV-499?focusedCommentId=93615&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-93615
+# https://github.com/ansible/ansible/issues/30411#issuecomment-766488342
+[ssh_connection]
+ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o ServerAliveInterval=30
+retries = 3

create-database-backup.yml

@@ -54,6 +54,16 @@
       with_items: "{{ cluster_features }}"
       when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea', 'workflow_index', 'workflow_proxy', 'pdns']
 
+    - name: "Add maria servers to hosts if necessary"
+      add_host:
+        name: "{{ stage }}-maria-01"
+        groups:
+        - "stage_{{ stage }}"
+        - "{{ item }}"
+      changed_when: False
+      with_items: "{{ cluster_features }}"
+      when: item in ['connect_wordpress']
+
 #############################################################
 #   Creating database backups for created inventory
 #############################################################
@@ -62,7 +72,7 @@
   serial: "{{ serial_number | default(1) }}"
   remote_user: root
   vars:
-    postgres_backup_state: dump
+    database_backup_state: dump
     ansible_ssh_host: "{{ stage_server_domain }}"
 
   roles:
@@ -75,6 +85,12 @@
     - role: keycloak_postgres
       when: "'keycloak' in group_names"
 
+#    - role: pdns_admin_postgres
+#      when: "'pdns' in group_names"
+
+#    - role: pdns_postgres
+#      when: "'pdns' in group_names"
+
     - role: webdav_postgres
       when: "'webdav' in group_names"
 
@@ -84,6 +100,9 @@
     - role: workflow_proxy_postgres
       when: "'workflow_proxy' in group_names"
 
+    - role: connect_wordpress_maria
+      when: "'connect_wordpress' in group_names"
+
 #############################################################
 #   Sending smardigo management message to process
 #############################################################

create-database.yml

@@ -58,7 +58,7 @@
         - "{{ item }}"
       changed_when: False
       with_items: "{{ cluster_features }}"
-      when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea', 'workflow_index', 'workflow_proxy', 'pdns']
+      when: item in ['confirm', 'connect', 'management_connect', 'keycloak', 'webdav', 'gitea', 'workflow_index', 'workflow_proxy', 'pdns']
 
     - name: "Add maria servers to hosts if necessary"
       add_host:
@@ -88,9 +88,18 @@
         - always
 
   roles:
+    - role: confirm_postgres
+      when: "'confirm' in group_names"
+
     - role: connect_postgres
       when: "'connect' in group_names"
 
+    - role: gitea_postgres
+      when: "'gitea' in group_names"
+
+    - role: keycloak_postgres
+      when: "'keycloak' in group_names"
+
     - role: pdns_postgres
       vars:
         initialize: True
@@ -101,12 +110,6 @@
         initialize: True
       when: "'pdns' in group_names"
 
-    - role: gitea_postgres
-      when: "'gitea' in group_names"
-
-    - role: keycloak_postgres
-      when: "'keycloak' in group_names"
-
     - role: webdav_postgres
       when: "'webdav' in group_names"
 

create-kibana-objects.yml

@@ -61,7 +61,7 @@
   vars:
     ansible_connection: local
     ansible_ssh_host: "{{ stage_server_domain }}"
-    api_endpoint: '{{ stage }}-elastic-stack-kibana-01-kibana.{{ domain }}'
+    kibana_api_endpoint: '{{ shared_service_elastic_stack_kibana_01_hostname }}-kibana.{{ domain }}'
     elastic_state: present
     elastic_users:
       -

create-remote-database-backup.yml

@@ -11,6 +11,7 @@
 # Parameters:
 #   playbook inventory
 #     stage := the name of the stage (e.g. dev, int, qa, prod)
+#     database_engine := the database engine to generate a complete backup for (e.g. postgres, maria)
 #   smardigo message callback
 #     scope_id := (scope id of the management process)
 #     process_instance_id := (process instance id of the management process)
@@ -50,7 +51,7 @@
       changed_when: False
     - name: "Add 'storage' servers to hosts if necessary"
       add_host:
-        name: "{{ stage }}-fgrz-01"
+        name: "{{ stage }}-backup-01"
         groups:
         - "stage_{{ stage }}"
         - storage
@@ -62,6 +63,11 @@
 
 - hosts: "postgres:maria"
   serial: "{{ serial_number | default(1) }}"
+  gather_facts: false
+  vars:
+    ansible_ssh_host: "{{ stage_server_domain }}"
+    current_date_time: '{{ get_current_date_time }}'
+
   tasks:
     - name: "Trigger backup mechanism"
       include_role:
@@ -74,8 +80,11 @@
 
 - hosts: "postgres:maria:storage"
   serial: "{{ serial_number | default(5) }}"
+  gather_facts: false
   vars:
+    ansible_ssh_host: "{{ stage_server_domain }}"
     storageserver_system_user: 'backuphamster'
+
   tasks:
     # I could not get it up and running with <synchronize> module
     # to sync data from remote server A to remote server B
@@ -83,7 +92,8 @@
       become: yes
       become_user: '{{ storageserver_system_user }}'
       vars:
-        database_server_ip: "{{ stage }}-{{ database_engine }}-01.{{ domain }}"
+        # should work with non-fqdn due to existing entry in /etc/hosts
+        database_server_ip: "{{ stage }}-{{ database_engine }}-01"
       shell: '/home/{{ storageserver_system_user }}/pull_remote_backups.sh {{ database_server_ip }} {{ stage }} {{ database_engine }}'
       when:
         - inventory_hostname in groups['storage']
@@ -91,7 +101,7 @@
     - name: "Cleanup remote backup dirs: {{ database_engine }}"
       become: yes
       file:
-        path: '{{ backup_directory }}/{{ database_engine }}/{{ ansible_date_time.date }}'
+        path: '{{ backup_directory }}/{{ database_engine }}/{{ get_current_date }}'
         state: absent
       when:
         - not inventory_hostname in groups['storage']

create-server.yml

@@ -43,6 +43,7 @@
         groups:
         - "stage_{{ stage }}"
         - "{{ cluster_service }}"
+        - hcloud
       with_sequence: start=1 end={{ cluster_size | default(1) }}
       changed_when: False
 
@@ -52,6 +53,7 @@
 
 - hosts: "stage_{{ stage }}:!{{ stage }}-virtual-host-to-read-groups-vars"
   serial: "{{ serial_number | default(5) }}"
+  remote_user: root
   gather_facts: false
 
   pre_tasks:

elastic-certs.sh

@@ -1,3 +1,9 @@
 #!/bin/bash
 
+if [ "x$1" == "x" ];then
+  echo "Stage as param \$1 is missing. exit"
+  exit 1
+fi
+
+
 docker run -v `pwd`/templates/elastic-certs:/certs -v `pwd`/templates/elastic-certs/$1-instances.yaml:/usr/share/elasticsearch/config/certificates/$1-instances.yml docker.elastic.co/elasticsearch/elasticsearch:7.12.0 /bin/sh "/certs/certutil.sh" $1

export-database.yml

@@ -0,0 +1,99 @@
+---
+
+# Parameters:
+#   playbook inventory
+#     stage := the name of the stage (e.g. dev, int, qa, prod)
+#     tenant_id := (unique key for the tenant, e.g. customer)
+#     cluster_name := (business name for the cluster, e.g. product, department )
+#     cluster_size := (WIP node count for the cluster)
+#     cluster_service := (service to setup, e.g. 'connect', ...)
+#     cluster_features := (optional features to use, e.g. ['wordpress', 'resubmission', ...])
+#     database_backup_file := the dump file to export, has to be on the database server under /tmp (e.g. wordpress_portal.sql)
+#     target_database := (optional) the database to export into ( see {{ connect_wordpress_maria_database }})
+#   smardigo message callback
+#     scope_id := (scope id of the management process)
+#     process_instance_id := (process instance id of the management process)
+#     smardigo_management_action := (smardigo management action anme of the management process)
+
+#############################################################
+#   Creating inventory dynamically for given parameters
+#############################################################
+
+- hosts: localhost
+  connection: local
+  gather_facts: false
+
+  pre_tasks:
+    - name: "Check if ansible version is at least 2.10.x"
+      assert:
+        that:
+          - ansible_version.major >= 2
+          - ansible_version.minor >= 10
+        msg: "The ansible version has to be at least ({{ ansible_version.full }})"
+
+#     add virtual server to load stage specific variables as context
+    - name: "Add <{{ stage }}-virtual-host-to-read-groups-vars> to hosts"
+      add_host:
+        name: "{{ stage }}-virtual-host-to-read-groups-vars"
+        groups:
+        - "stage_{{ stage }}"
+      changed_when: False
+
+  tasks:
+    - name: Add maria servers to hosts if necessary
+      add_host:
+        name: "{{ stage }}-maria-01"
+        groups:
+        - "stage_{{ stage }}"
+        - "{{ item }}"
+      changed_when: False
+      with_items: "{{ cluster_features }}"
+      when: item in ['connect_wordpress']
+
+#############################################################
+#   exporting database backups for created inventory
+#############################################################
+
+- hosts: "stage_{{ stage }}:!{{ stage }}-virtual-host-to-read-groups-vars"
+  serial: "{{ serial_number | default(1) }}"
+  remote_user: root
+  vars:
+    ansible_ssh_host: "{{ stage_server_domain }}"
+
+  pre_tasks:
+    - name: "export autodiscover pre-tasks"
+      import_tasks: tasks/autodiscover_pre_tasks.yml
+      become: false
+      tags:
+        - always
+
+  roles:
+    - role: export_maria_database
+      vars:
+        database_backup_file: "{{ stage }}-{{ tenant_id }}-{{ cluster_name }}-wordpress.sql.gz"
+      when:
+        - "'connect_wordpress' in group_names"
+        - "target_database is defined"
+
+    - role: export_maria_database
+      vars:
+        target_database: "{{ connect_wordpress_maria_database }}"
+        database_backup_file: "{{ stage }}-{{ tenant_id }}-{{ cluster_name }}-wordpress.sql.gz"
+      when:
+        - "'connect_wordpress' in group_names"
+
+#############################################################
+#   Sending smardigo management message to process
+#############################################################
+
+- hosts: "{{ stage }}-virtual-host-to-read-groups-vars"
+  serial: "{{ serial_number | default(1) }}"
+  gather_facts: false
+  connection: local
+  run_once: true
+  vars:
+    connect_jwt_username: "{{ management_admin_username }}"
+
+  tasks:
+    - name: "Sending smardigo management message to <{{ smardigo_management_url }}>"
+      include_tasks: tasks/smardigo_management_message.yml

external_monitoring.yml

@@ -46,10 +46,6 @@
     tags:
       - ssh_hardening
 
-  - name: "Install node-exporter via include_role"
-    include_role:
-      name:  cloudalchemy.node-exporter
-
   - name: "Install blackbox-exporter via include_role"
     include_role:
       name: cloudalchemy.blackbox-exporter

galaxy-requirements.yml

@@ -20,10 +20,12 @@ roles:
   version: v3.6.1
   src: https://github.com/Oefenweb/ansible-postfix.git
   scm: git
+- name: geerlingguy.mysql
+  version: 3.3.2
 
 collections:
 - name: hetzner.hcloud
-  version: 1.6.0
+  version: 1.8.1
 - name: community.general
 - name: community.docker
   version: 2.1.1

gitlab-mirrors.yml

@@ -0,0 +1,60 @@
+---
+# Parameters:
+#   playbook inventory
+#     stage := the name of the stage (e.g. dev, int, qa, prod)
+#   environment variable
+#     GITLAB_API_TOKEN := Access token from gitlab
+
+#############################################################
+#   Creating inventory dynamically for given parameters
+#############################################################
+
+- hosts: localhost
+  gather_facts: false
+  connection: local
+
+  tasks:
+    - name: Add hosts
+      add_host:
+        name: "{{ stage }}-gitlab"
+        groups: "{{ ['stage_' + stage ] }}"
+
+#############################################################
+#   Creating gitlab mirrors for current stage
+#############################################################
+
+- hosts: "stage_{{ stage }}"
+  serial: "{{ serial_number | default(1) }}"
+  gather_facts: false
+  connection: local
+  vars:
+    projects:
+    - id: 1210
+      name: argocd
+    - id: 1216
+      name: operator-awx
+    - id: 1212
+      name: operator-jaeger
+    - id: 1231
+      name: operator-knative
+    - id: 1233
+      name: smardigo-awx
+    - id: 1232
+      name: smardigo-jaeger
+
+  pre_tasks:
+    - name: "Add repository remote mirror to project"
+      delegate_to: 127.0.0.1
+      become: false
+      uri:
+        url: "https://git.dev-at.de/api/v4/projects/{{ item.id }}/remote_mirrors"
+        method: POST
+        body_format: json
+        body:
+          enabled: true
+          only_protected_branches: true
+          url: "https://{{ gitea_admin_username }}:{{ gitea_admin_password }}@{{ shared_service_gitea_hostname }}/argocd/{{ item.name }}.git"
+        headers:
+          PRIVATE-TOKEN: "{{ lookup('env', 'GITLAB_API_TOKEN') }}"
+        status_code: [201]
+      loop: "{{ projects }}"

group_vars/all/connect.yml

@@ -0,0 +1,4 @@
+---
+
+connect_client_admin_username: "connect-admin"
+connect_realm_admin_username: "connect-realm-admin"

group_vars/all/firewall.yml

@@ -0,0 +1,269 @@
+---
+hcloud_firewall_objects:
+   -
+     name: "{{ stage }}-default"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: icmp
+        port: ''
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: ICMP allowed
+     -
+        direction: in
+        protocol: tcp
+        port: '22'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: SSH allowed
+     -
+        direction: in
+        protocol: tcp
+        port: '80'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: HTTP allowed
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: HTTPS allowed
+     -
+        direction: in
+        protocol: tcp
+        port: 'any'
+        source_ips: '{{ ip_whitelist_admins }}'
+        destination_ips: []
+        description: TCP - allow work from home without VPN
+     -
+        direction: in
+        protocol: udp
+        port: 'any'
+        source_ips: '{{ ip_whitelist_admins }}'
+        destination_ips: []
+        description: UDP - allow work from home without VPN
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }}'
+   -
+     name: "{{ stage }}-monitoring"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '9080-9085'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: 'Server/Service Monitoring'
+     -
+        direction: in
+        protocol: tcp
+        port: '9001'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: 'PgAdmin'
+     -
+        direction: in
+        protocol: tcp
+        port: '9187'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: 'Postgres-Exporter'
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }}'
+   -
+     name: "{{ stage }}-monitoring-extern-https"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips:
+         - "{{ lookup('community.general.dig', 'dev-blackbox-01.smardigo.digital' ) }}/32"
+        destination_ips: []
+        description: null
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'service=connect'
+     -
+       type: label_selector
+       label_selector:
+         selector: 'service=keycloak'
+
+hcloud_firewall_objects_awx:
+   -
+     name: "{{ stage }}-awx-ssh-access-for-k8s-nodes"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '22'
+        source_ips: "{{ awx_source_ips }}"
+        destination_ips: []
+        description: null
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }}'
+
+hcloud_firewall_objects_backup:
+   -
+     name: "{{ stage }}-backup-ssh-access"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '22'
+        source_ips:
+          - "{{ offsite_storage_server_ip }}"
+        destination_ips: []
+        description: null
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'service=backup'
+
+hcloud_firewall_objects_gitea:
+   -
+     name: "{{ stage }}-access-to-gitea"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ ip_whitelist }}"
+        destination_ips: []
+        description: "Allow access for whitelisted ips"
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ [shared_service_network] + awx_source_ips }}"
+        destination_ips: []
+        description: "Allow access for kubernetes worker nodes"
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ [shared_service_network] + (gitea_https_whitelisted_ips | default([])) }}"
+        destination_ips: []
+        description: "Allow access for custom whitelisted ips"
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'service=gitea'
+
+hcloud_firewall_objects_keycloak:
+   -
+     name: "{{ stage }}-access-to-keycloak"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ ip_whitelist }}"
+        destination_ips: []
+        description: "Allow access for whitelisted ips"
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ [shared_service_network] + awx_source_ips }}"
+        destination_ips: []
+        description: "Allow access for kubernetes worker nodes"
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ [shared_service_network] + (keycloak_https_whitelisted_ips | default([])) }}"
+        destination_ips: []
+        description: "Allow access for custom whitelisted ips"
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'service=keycloak'
+
+hcloud_firewall_objects_kibana:
+   -
+     name: "{{ stage }}-access-to-kibana"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ ip_whitelist }}"
+        destination_ips: []
+        description: "Allow access for whitelisted ips"
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ [shared_service_network] + awx_source_ips }}"
+        destination_ips: []
+        description: "Allow access for kubernetes worker nodes"
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ [shared_service_network] + (kibana_https_whitelisted_ips | default([])) }}"
+        destination_ips: []
+        description: "Allow access for custom whitelisted ips"
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'service=kibana'
+
+hcloud_firewall_objects_management:
+   -
+     name: "{{ stage }}-access-to-management"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ ip_whitelist }}"
+        destination_ips: []
+        description: "Allow access for whitelisted ips"
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ [shared_service_network] + awx_source_ips }}"
+        destination_ips: []
+        description: "Allow access for kubernetes worker nodes"
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ [shared_service_network] + (management_https_whitelisted_ips | default([])) }}"
+        destination_ips: []
+        description: "Allow access for custom whitelisted ips"
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'service=connect,tenant=management'

group_vars/all/plain.yml

@@ -39,6 +39,7 @@ common_apt_dependencies:
   - zip
   - curl
   - htop
+  - iotop
   - net-tools
   - bash-completion
   - python3-pip
@@ -64,14 +65,17 @@ awx_credential_machine_hetzner_name: hetzner-ansible-ssh
 
 gitlab_ansible_user_name: "gitlabci"
 
+backupuser_user_name: backupuser
+
 # used for root-access by hetzner on server creation (@see cloud console/security/ssh-keys)
 hetzner_ssh_keys:
   - "claus.paetow@netgo.de"
   - "friedrich.goerz@netgo.de"
   - "peter.heise@netgo.de"
   - "sven.ketelsen@netgo.de"
+  - "michael.haehnel@netgo.de"
   - "{{ awx_ansible_user_name }}@netgo.de"
-  - "{{ gitlab_ansible_user_name }}@netgo.de"
+  - "{{ gitlab_ansible_user_name }}@git.dev-at.de"
 
 hetzner_server_labels: "stage={{ stage }}"
 
@@ -99,25 +103,27 @@ sudo_group: "{{ sudo_groups
   | replace('.','-') }}"
 
 # whitelist for outdated user detection - they wont't be deleted at all
-default_plattform_users:
+default_users:
   - 'nobody'
   - 'elastic'
   - 'postgres'
   - 'administrator'
   - '{{ admin_user }}'
-  - '{{ backupuser_username }}'
 
-smardigo_plattform_users:
+default_plattform_users:
   - 'claus.paetow'
   - 'friedrich.goerz'
   - 'peter.heise'
   - 'sven.ketelsen'
+  - 'michael.haehnel'
+  - 'philipp.eichhorn'
   - '{{ awx_ansible_user_name }}'
   - '{{ gitlab_ansible_user_name }}'
 
+smardigo_plattform_users: "{{ default_plattform_users + custom_plattform_users | default([]) }}"
+
 ip_whitelist_admins:
-  - "79.215.10.239/32" # sven
-  - "212.86.56.112/32" # peter
+  - "87.150.33.14/32" # sven
 
 ip_whitelist:
   - "212.121.131.106/32" # netgo berlin
@@ -125,9 +131,7 @@ ip_whitelist:
   - "46.245.219.98/32" # netgo borken
   - "{{ shared_service_network }}"
 
-# for test purpose DEV-361
-# currently (2022.03.18) set to IP of hetzner VM
-gitlab_storage_server: 167.235.18.147/32
+offsite_storage_server_ip: 142.132.155.83/32
 
 docker_owner: "{{ admin_user }}"
 docker_group: "{{ admin_user }}"
@@ -137,12 +141,13 @@ docker_compose_path: "/usr/bin/docker-compose"
 
 service_base_path: '/etc/smardigo'
 
-gitea_admin_email: "nso.devops@netgo.de"
-lets_encrypt_email: "nso.devops@netgo.de"
-connect_admin_email: "nso.devops@netgo.de"
-keycloak_admin_email: "nso.devops@netgo.de"
-pgadmin4_admin_email: "nso.devops@netgo.de"
-harbor_oidc_admin_email: "nso.devops@netgo.de"
+devops_email_address: "nso.devops@netgo.de"
+gitea_admin_email: '{{ devops_email_address }}'
+lets_encrypt_email: '{{ devops_email_address }}'
+connect_admin_email: '{{ devops_email_address }}'
+keycloak_admin_email: '{{ devops_email_address }}'
+pgadmin4_admin_email: '{{ devops_email_address }}'
+harbor_oidc_admin_email: '{{ devops_email_address }}'
 
 http_port: "80"
 https_port: "443"
@@ -197,121 +202,8 @@ blackbox_http_2xx_additional_targets: []
 prometheus_federation_enabled: true
 kubernetes_prometheus_endpoint: "{{ stage }}-kube-prometheus.{{ domain }}"
 
-backupuser_username: backupuser
-backupuser_ssh_pubkey: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDAFRYAy3PqimYUWcO4Q9pdTvDQTsq7hKjWYoQEsJICnRRv+W+5d2lJvC3gqMpmWy9XxtrYePkVHCgIvfJSas9Jv7n7eeYoeWLWJq0nRSKg6EKFCH9y3v8tGPJQQf7wogOhHwr6m79c+lpNVUsVR+QOf76+47ZuwnuEBzK6xbDkmwyt7SPrJ59IFxOlmtz2HgVlTLczLalMygM4qlXqIt+lwuuFz4CsGcr4TwMKp9Uk6SCP3OV12oLnUUUOA3r72qmE4+JeUN6VNbXoBXEANfXm5kbM8w+dFhulCi1fQZCssB8PStA7Cs0gVqL6DYNUKRZaFL8e77hljGkPlOQDxOsBexPuceSDmmr6s5qT1wA6bnEFoeWbLlxixGlFA+1Q/LqWsYzoOZiTHDoaXvsc4VizlPp4Fn0OgJefPjuzBsWOyf0ob5oucfnmCAvEh/k+ioq0bIQDcliAM1UezitblHQgGHhqnKPMi664i0ULLiExARe4IV3KJiaG++RJyzUL5HNz3Qru+K5/pdj2jffluYTC4w+6ZYfjWEZS/DAumExv9T97kFOsapHCQJwTBa368Ch6uKkPCZO8p/ra3xTIUh/PibHaVCadgX2NR9q6jdiQtmc0SOyNJlMlPZD/Q1NrjXJ18ASny7gCBFItMyMtinVx9xQxQ+PFLB8oNYERw1ejIw== storage-server-smardigo'
-
-current_date_time: "{{ lookup('pipe','date +%Y-%m-%d_%H:%M') }}"
-
-hcloud_firewall_objects:
-   -
-     name: "{{ stage }}-default"
-     state: present
-     rules:
-     -
-        direction: in
-        protocol: icmp
-        port: ''
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: ICMP allowed
-     -
-        direction: in
-        protocol: tcp
-        port: '22'
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: SSH allowed
-     -
-        direction: in
-        protocol: tcp
-        port: '80'
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: HTTP allowed
-     -
-        direction: in
-        protocol: tcp
-        port: '443'
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: HTTPS allowed
-     -
-        direction: in
-        protocol: tcp
-        port: 'any'
-        source_ips: '{{ ip_whitelist_admins }}'
-        destination_ips: []
-        description: TCP - allow work from home without VPN
-     -
-        direction: in
-        protocol: udp
-        port: 'any'
-        source_ips: '{{ ip_whitelist_admins }}'
-        destination_ips: []
-        description: UDP - allow work from home without VPN
-     apply_to:
-     -
-       type: label_selector
-       label_selector:
-         selector: 'stage={{ stage }}'
-   -
-     name: "{{ stage }}-monitoring"
-     state: present
-     rules:
-     -
-        direction: in
-        protocol: tcp
-        port: '9080-9085'
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: 'Server/Service Monitoring'
-     -
-        direction: in
-        protocol: tcp
-        port: '9001'
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: 'PgAdmin'
-     -
-        direction: in
-        protocol: tcp
-        port: '9187'
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: 'Postgres-Exporter'
-     -
-        direction: in
-        protocol: tcp
-        port: '80'
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: 'AWX'
-     apply_to:
-     -
-       type: label_selector
-       label_selector:
-         selector: 'stage={{ stage }}'
-   -
-     name: "{{ stage }}-monitoring-extern-https"
-     state: present
-     rules:
-     -
-        direction: in
-        protocol: tcp
-        port: '443'
-        source_ips:
-         - "{{ lookup('community.general.dig', 'dev-blackbox-01.smardigo.digital' ) }}/32"
-        destination_ips: []
-        description: null
-     apply_to:
-     -
-       type: label_selector
-       label_selector:
-         selector: 'service=connect'
-     -
-       type: label_selector
-       label_selector:
-         selector: 'service=keycloak'
+get_current_date: "{{ lookup('pipe','date +%Y-%m-%d') }}"
+get_current_date_time: "{{ lookup('pipe','date +%Y-%m-%d_%H:%M') }}"
 
 hetzner_authentication_ansible: "{{ hetzner_authentication_ansible_vault }}"
 hetzner_authentication_ccm: "{{ hetzner_authentication_ccm_vault }}"
@@ -321,83 +213,12 @@ k8s_basic_services:
   - kubelet
   - containerd
 
-hcloud_firewall_objects_awx:
-   -
-     name: "{{ stage }}-awx-ssh-access-for-k8s-nodes"
-     state: present
-     rules:
-     -
-        direction: in
-        protocol: tcp
-        port: '22'
-        source_ips: "{{ src_ips }}"
-        destination_ips: []
-        description: null
-     apply_to:
-     -
-       type: label_selector
-       label_selector:
-         selector: 'stage={{ stage }}'
-   -
-     name: "{{ stage }}-awx-access-SMA-mgmt-instance"
-     state: present
-     rules:
-     -
-        direction: in
-        protocol: tcp
-        port: '443'
-        source_ips: "{{ src_ips }}"
-        destination_ips: []
-        description: null
-     apply_to:
-     -
-       type: label_selector
-       label_selector:
-         selector: 'service=connect,tenant=management'
-   -
-     name: "{{ stage }}-awx-access-443-SMA-peripheral-instances"
-     state: present
-     rules:
-     -
-        direction: in
-        protocol: tcp
-        port: '443'
-        source_ips: "{{ src_ips }}"
-        destination_ips: []
-        description: null
-     apply_to:
-     -
-       type: label_selector
-       label_selector:
-         selector: 'service=gitea'
-     -
-       type: label_selector
-       label_selector:
-         selector: 'service=keycloak'
-     -
-       type: label_selector
-       label_selector:
-         selector: 'service=kibana'
-
-hcloud_firewall_objects_backup:
-   -
-     name: "{{ stage }}-database-backup-ssh-access"
-     state: present
-     rules:
-     -
-        direction: in
-        protocol: tcp
-        port: '22'
-        source_ips:
-          - "{{ gitlab_storage_server }}"
-        destination_ips: []
-        description: null
-     apply_to:
-     -
-       type: label_selector
-       label_selector:
-         selector: 'service=postgres'
-     -
-       type: label_selector
-       label_selector:
-         selector: 'service=maria'
+selfsigned_ca_private_key_passphrase: '{{ selfsigned_ca_private_key_passphrase_vault }}'
+  
+prometheus_alert_diskspaceusage_warning: 85
+prometheus_alert_pg_replication_lag: 120
+
+# hetzner upstream DNSservers
+upstream_dns_servers:
+- 185.12.64.1
+- 185.12.64.2

group_vars/backup/plain.yml

@@ -1,9 +1,11 @@
 ---
 #TODO needs to be removed after story DEV-361 is finished
 hetzner_server_type: "{{ hetzner_server_type_bastelserver | default('cx21') }}"
-hetzner_server_labels: "stage={{ stage }} service=bastelserver"
+hetzner_server_labels: "stage={{ stage }} service=backup"
 
 docker_enabled: false
 traefik_enabled: false
 filebeat_enabled: false
-node_exporter_enabled: false
+
+custom_plattform_users:
+  - backuphamster

group_vars/connect/plain.yml

@@ -33,10 +33,5 @@ connect_iam_user_management_url: "{{ http_s }}://{{ shared_service_keycloak_host
 
 connect_mail_properties_simulation: false
 
-connect_loglevel_message_queue: "DEBUG"
-connect_loglevel_document_index: "DEBUG"
-connect_loglevel_workflow_index: "DEBUG"
-connect_loglevel_workflow_analysis: "DEBUG"
-
 connect_csrf_token_name: "21f4d682-dbad-45e5-b3b5-47d274b9772d"
 connect_csrf_token_value: "4d2ef8cc-f7d9-46d4-b4d6-f20f9dc48040"

group_vars/connect_wordpress/main.yml

@@ -11,4 +11,4 @@ connect_wordpress_oidc_client_id: "{{ cluster_name }}"
 connect_wordpress_oidc_client_secret: "{{ cluster_name }}"
 
 connect_wordpress_buergerportal_username: "buergerportal"
-connect_wordpress_buergerportal_password: "buergerportal"
+connect_wordpress_buergerportal_password: "Buerger?P0rtal."

group_vars/connect_workflow_heatmap/main.yml

@@ -0,0 +1,3 @@
+---
+
+connect_workflow_heatmap_enabled: "true"

group_vars/harbor/plain.yml

@@ -2,3 +2,71 @@
 
 hetzner_server_type: cpx31
 hetzner_server_labels: "stage={{ stage }} service=harbor"
+
+filebeat_inputs:
+- type: log
+  paths:
+    - /var/log/harbor/portal.log
+  fields:
+    harbor: true
+    harbor-component: harbor-portal
+- type: log
+  paths:
+    - /var/log/harbor/exporter.log
+  fields:
+    harbor: true
+    harbor-component: harbor-exporter
+- type: log
+  paths:
+    - /var/log/harbor/redis.log
+  fields:
+    harbor: true
+    harbor-component: redis
+- type: log
+  paths:
+    - /var/log/harbor/registryctl.log
+  fields:
+    harbor: true
+    harbor-component: registryctl
+- type: log
+  paths:
+    - /var/log/harbor/chartmuseum.log
+  fields:
+    harbor: true
+    harbor-component: chartmuseum
+- type: log
+  paths:
+    - /var/log/harbor/trivy-adapter.log
+  fields:
+    harbor: true
+    harbor-component: trivy-adapter
+- type: log
+  paths:
+    - /var/log/harbor/postgresql.log
+  fields:
+    harbor: true
+    harbor-component: harbor-db
+- type: log
+  paths:
+    - /var/log/harbor/jobservice.log
+  fields:
+    harbor: true
+    harbor-component: harbor-jobservice
+- type: log
+  paths:
+    - /var/log/harbor/proxy.log
+  fields:
+    harbor: true
+    harbor-component: nginx
+- type: log
+  paths:
+    - /var/log/harbor/registry.log
+  fields:
+    harbor: true
+    harbor-component: registry
+- type: log
+  paths:
+    - /var/log/harbor/core.log
+  fields:
+    harbor: true
+    harbor-component: harbor-core

group_vars/kube_control_plane/plain.yml

@@ -6,4 +6,3 @@ hetzner_server_labels: "stage={{ stage }} service=kube_control_plane"
 docker_enabled: false
 traefik_enabled: false
 filebeat_enabled: false
-node_exporter_enabled: false

group_vars/kube_node/plain.yml

@@ -6,4 +6,3 @@ hetzner_server_labels: "stage={{ stage }} service=kube_node"
 docker_enabled: false
 traefik_enabled: false
 filebeat_enabled: false
-node_exporter_enabled: false

group_vars/management/plain.yml

@@ -2,13 +2,15 @@
 
 hetzner_server_type: cx21
 
-connect_image_version: "latest"
+connect_image_version: "9.0"
 
-connect_admin_username: "{{ management_admin_username }}"
-connect_admin_password: "{{ management_admin_password }}"
+connect_client_admin_username: "{{ management_admin_username }}"
+connect_client_admin_password: "{{ management_admin_password }}"
 connect_workflow_env: "stage:{{ stage }};smardigoUserToken:{{ smardigo_auth_token_value }}"
 connect_process_search_module: "external"
 connect_oidc_client_secret: "{{ management_oidc_client_secret }}"
+connect_external_task_script_worker_enabled: "true"
+
 spring_profiles_include: "prod,postgres,elastic,swagger"
 
 tenant_id: "{{ management_oidc_realm }}"

group_vars/maria/plain.yml

@@ -7,6 +7,9 @@ mysql_databases: []
 
 mysql_users: []
 
-docker_enabled: false
 traefik_enabled: false
-filebeat_enabled: false
+
+filebeat_maria_enabled: true
+
+custom_plattform_users:
+  - '{{ backupuser_user_name }}'

group_vars/postgres/plain.yml

@@ -5,6 +5,9 @@ hetzner_server_labels: "stage={{ stage }} service=postgres"
 
 postgres_acls: []
 
-docker_enabled: false
 traefik_enabled: false
-filebeat_enabled: false
+
+filebeat_postgres_enabled: true
+
+custom_plattform_users:
+  - '{{ backupuser_user_name }}'

group_vars/restore/plain.yml

@@ -0,0 +1,15 @@
+---
+
+hetzner_server_type: "{{ hetzner_server_type_restore_database | default('cpx21') }}"
+hetzner_server_labels: "stage={{ stage }} service=restore database_engine={{ database_engine | default('') }} manual=''"
+
+docker_enabled: false
+traefik_enabled: false
+filebeat_enabled: false
+
+custom_plattform_users:
+  - '{{ backupuser_user_name }}'
+
+# postgresql related
+# defining type of server (naster|slave|restore)
+server_type: restore

group_vars/stage_dev/awx.yml

@@ -1,3 +1,3 @@
 ---
 
-awx_hetzner_ansible_revision: "master"
+awx_hetzner_ansible_revision: "main"

group_vars/stage_dev/plain.yml

@@ -145,6 +145,7 @@ shared_service_elastic_stack_01_hostname: "{{ stage }}-elastic-stack-elastic-01"
 shared_service_elastic_stack_02_hostname: "{{ stage }}-elastic-stack-elastic-02"
 shared_service_elastic_stack_03_hostname: "{{ stage }}-elastic-stack-elastic-03"
 shared_service_elastic_stack_logstash_01_hostname: "{{ stage }}-elastic-stack-logstash-01"
+shared_service_elastic_stack_kibana_01_hostname: "{{ stage }}-elastic-stack-kibana-01"
 
 kube_master_01_hostname: "{{ stage }}-kube-master-01.{{ domain }}"
 kube_master_02_hostname: "{{ stage }}-kube-master-02.{{ domain }}"
@@ -290,9 +291,8 @@ harbor_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
 harbor_oidc_admin_username: "harbor-admin"
 harbor_oidc_admin_password: "harbor-admin"
 
-postgres_listen_addresses: "listen_addresses = 'localhost,{{ stage_server_ip }},{{ stage_private_server_ip }}'"
 
-connect_image_version: "8.5.47"
+connect_image_version: "8.6"
 iam_image_version: "latest"
 
 management_oidc_realm: "management"
@@ -356,6 +356,9 @@ argocd_admin_password: "argocd-admin"
 argo_keycloak_client_secret: "{{ argo_keycloak_client_secret_vault }}"
 argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
 
+awx_admin_username: "awx-admin"
+awx_admin_password: "{{ awx_admin_password_vault }}"
+
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"
 
@@ -363,7 +366,7 @@ management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
 
 # smardigo automation DEV gpg key
 # https://git.dev-at.de/smardigo-hetzner/communication-keys/
-# push mirror: https://dev-gitea-01.smardigo.digital/gitea-admin/communication-keys/
+# push mirror: https://{{ stage }}-gitea-01.smardigo.digital/communication-keys.git
 gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private__vault }}'
 
 iam_opentracing_jaeger_enabled: true
@@ -372,3 +375,5 @@ webdav_opentracing_jaeger_enabled: true
 webdav_opentracing_jaeger_http_sender_url: "http://{{ shared_service_kube_jaeger_collector_hostname }}/api/traces"
 connect_opentracing_jaeger_enabled: true
 connect_opentracing_jaeger_http_sender_url: "http://{{ shared_service_kube_jaeger_collector_hostname }}/api/traces"
+
+prometheus_tsdb_rentention_time: '2w'

group_vars/stage_devscr/argocd.yml

@@ -0,0 +1,179 @@
+---
+k8s_argocd_helm__name: "argo-cd"
+k8s_argocd_helm__release_namespace: "argo-cd"
+
+k8s_argocd_with_keycloak: False
+
+k8s_argocd_helm__domain: &argourl "{{ stage }}-argocd.{{ domain }}"
+
+# https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd
+k8s_argocd_helm__release_values:
+  controller:
+    logLevel: info
+    logFormat: json
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+        namespace: "{{ k8s_argocd_helm__release_namespace }}"
+        additionalLabels:
+          release: "{{ k8s_prometheus_helm__name }}"
+  repoServer:
+    logLevel: info
+    logFormat: json
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+        namespace: "{{ k8s_argocd_helm__release_namespace }}"
+        additionalLabels:
+          release: "{{ k8s_prometheus_helm__name }}"
+    env:
+      - name: ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT
+        value: "0"
+      - name: ARGOCD_EXEC_TIMEOUT
+        value: "300s"
+      - name: XDG_CONFIG_HOME
+        value: /.config
+      - name: GNUPGHOME
+        value: /home/argocd/.gnupg
+      - name: HELM_PLUGINS
+        value: /custom-tools/helm-plugins/
+      - name: HELM_SECRETS_HELM_PATH
+        value: /usr/local/bin/helm
+      - name: HELM_SECRETS_SOPS_PATH
+        value: /custom-tools/sops
+      - name: HELM_SECRETS_KUBECTL_PATH
+        value: /custom-tools/kubectl
+      - name: HELM_SECRETS_CURL_PATH
+        value: /custom-tools/curl
+      # https://github.com/jkroepke/helm-secrets/wiki/Security-in-shared-environments
+      - name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS
+        value: "false"
+      - name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
+        value: "false"
+      - name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
+        value: "false"
+      - name: HELM_SECRETS_KEY_LOCATION_PREFIX
+        value: "/sops-gpg/"
+    volumes:
+      - name: custom-tools
+        emptyDir: {}
+      - name: gnupg-home
+        emptyDir: {}
+      - name: sops-gpg
+        secret:
+          secretName: sops-gpg
+    volumeMounts:
+      - mountPath: /home/argocd/.gnupg
+        name: gnupg-home
+        subPath: .gnupg
+      - mountPath: /usr/local/bin/kustomize
+        name: custom-tools
+        subPath: kustomize
+        # Verify this matches a XDG_CONFIG_HOME=/.config env variable
+      - mountPath: /.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops
+        name: custom-tools
+        subPath: ksops
+    initContainers:
+      - name: 1-install-ksops
+        image: viaductoss/ksops:v3.0.1
+        command: ["/bin/sh", "-c"]
+        args:
+          - echo "Installing KSOPS...";
+            mv ksops /custom-tools/;
+            mv $GOPATH/bin/kustomize /custom-tools/;
+            echo "Done.";
+        volumeMounts:
+          - mountPath: /custom-tools
+            name: custom-tools
+      - name: 2-download-tools
+        image: alpine:latest
+        command: ["/bin/sh", "-ec"]
+        env:
+          - name: HELM_SECRETS_VERSION
+            value: "3.12.0"
+          - name: SOPS_VERSION
+            value: "3.7.1"
+          - name: KUBECTL_VERSION
+            value: "1.22.0"
+        args:
+          - |
+            mkdir -p /custom-tools/helm-plugins
+            wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-;
+
+            wget -qO /custom-tools/sops https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux
+            wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
+            wget -qO /custom-tools/curl https://github.com/moparisthebest/static-curl/releases/latest/download/curl-amd64 \
+
+            chmod +x /custom-tools/*
+        volumeMounts:
+          - mountPath: /custom-tools
+            name: custom-tools
+      - name: 3-import-gpg-key
+        image: argoproj/argocd:v2.2.5
+        command: ["gpg", "--import","/sops-gpg/gpg_key_smardigo_automation__private"]
+        env:
+          - name: GNUPGHOME
+            value: /gnupg-home/.gnupg
+        volumeMounts:
+          - mountPath: /sops-gpg
+            name: sops-gpg
+          - mountPath: /gnupg-home
+            name: gnupg-home
+  server:
+    logLevel: info
+    logFormat: json
+    config:
+      url: 'https://{{ k8s_argocd_helm__domain }}'
+      helm.valuesFileSchemes: >-
+        secrets+gpg-import, secrets+gpg-import-kubernetes,
+        secrets+age-import, secrets+age-import-kubernetes,
+        secrets,
+        https
+      kustomize.buildOptions: "--enable-alpha-plugins"
+    rbacConfig:
+      policy.default: role:readonly
+      policy.csv: |
+        g, {{ argo_realm_group }}, role:admin
+        g, admin, role:admin
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+        namespace: "{{ k8s_argocd_helm__release_namespace }}"
+        additionalLabels:
+          release: "{{ k8s_prometheus_helm__name }}"
+    service:
+      sessionAffinity: ClientIP
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-prod
+        cert-manager.io/issue-temporary-certificate: "true"
+        kubernetes.io/ingress.class: nginx
+        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+        nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
+        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+      hosts:
+        - "{{ k8s_argocd_helm__domain }}"
+      tls:
+        - secretName: "{{ stage }}-argocd-cert"
+          hosts:
+            - "{{ k8s_argocd_helm__domain }}"
+  redis:
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+        namespace: "{{ k8s_argocd_helm__release_namespace }}"
+        additionalLabels:
+          release: "{{ k8s_prometheus_helm__name }}"
+  dex:
+    enabled: false
+  applicationSet:
+    enabled: false
+  configs:
+    secret:
+      argocdServerAdminPassword: '{{ argocd_server_admin_password | password_hash("bcrypt") }}'

group_vars/stage_devscr/hcloud_firewall.yml

@@ -0,0 +1,53 @@
+---
+hcloud_firewall_objects:
+   -
+     name: "{{ stage }}-default"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: icmp
+        port: ''
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: ICMP allowed
+     -
+        direction: in
+        protocol: tcp
+        port: '22'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: SSH allowed
+     -
+        direction: in
+        protocol: tcp
+        port: '80'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: HTTP allowed
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: HTTPS allowed
+     -
+        direction: in
+        protocol: tcp
+        port: 'any'
+        source_ips: '{{ ip_whitelist_admins }}'
+        destination_ips: []
+        description: TCP - allow work from home without VPN
+     -
+        direction: in
+        protocol: udp
+        port: 'any'
+        source_ips: '{{ ip_whitelist_admins }}'
+        destination_ips: []
+        description: UDP - allow work from home without VPN
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }}'

group_vars/stage_devscr/hetzner_loadbalancer.yml

@@ -0,0 +1,23 @@
+---
+hcloud_lb_objects:
+  -
+    name: &devscr_apiserver '{{ stage }}-k8s-apiserver'
+    hcloud_lb_type: lb11
+    labels:
+      stage: '{{ stage }}'
+      service: kube_control_plane
+      managed_by: ansible
+    network: '{{ stage }}'
+    location: nbg1
+    services:
+    -
+      load_balancer: *devscr_apiserver
+      protocol: tcp
+      listen_port: 443
+      destination_port: 6443
+    targets:
+    -
+      load_balancer: *devscr_apiserver
+      type: label_selector
+      label_selector: stage={{ stage }},service=kube_control_plane
+      use_private_ip: yes

group_vars/stage_devscr/kubespray.yml

@@ -0,0 +1,7 @@
+---
+helm_enabled: true
+
+apiserver_loadbalancer_domain_name: "apiserver.devscr.smardigo.digital"
+loadbalancer_apiserver:
+  address: "{{ lookup('community.general.dig', 'apiserver.devscr' + domain ) }}"
+  port: 443

group_vars/stage_devscr/plain.yml

@@ -0,0 +1,126 @@
+---
+
+stage: "devscr"
+
+default_plattform_users:
+  - 'claus.paetow'
+  - 'friedrich.goerz'
+  - 'peter.heise'
+  - 'sven.ketelsen'
+  - 'michael.haehnel'
+  - 'philipp.eichhorn'
+  - '{{ awx_ansible_user_name }}'
+  - '{{ gitlab_ansible_user_name }}'
+  - 'daniel.risse'
+  - 'esther.fuhrmann'
+  - 'bas.cancrinus'
+
+# TODO read configuration with hetzner rest api
+shared_service_network: "10.1.0.0/16"
+shared_service_kube_cpl_01: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-kube-cpl-01' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_kube_cpl_02: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-kube-cpl-02' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_kube_cpl_03: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-kube-cpl-03' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_kube_node_01: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-kube-node-01' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_kube_node_02: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-kube-node-02' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_kube_node_03: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-kube-node-03' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+
+shared_service_kube_ip: "{{ stage_private_ingress_loadbalancer_ip | default('-') }}"
+
+kube_cpl_01_hostname: "{{ stage }}-kube-cpl-01.{{ domain }}"
+kube_cpl_02_hostname: "{{ stage }}-kube-cpl-02.{{ domain }}"
+kube_cpl_03_hostname: "{{ stage }}-kube-cpl-03.{{ domain }}"
+kube_node_01_hostname: "{{ stage }}-kube-node-01.{{ domain }}"
+kube_node_02_hostname: "{{ stage }}-kube-node-02.{{ domain }}"
+kube_node_03_hostname: "{{ stage }}-kube-node-03.{{ domain }}"
+
+shared_service_kube_argocd_hostname: "{{ stage }}-kube-argocd.{{ domain }}"
+shared_service_kube_prometheus_hostname: "{{ stage }}-kube-prometheus.{{ domain }}"
+shared_service_kube_harbor_hostname: "{{ stage }}-harbor.{{ domain }}"
+
+shared_service_hosts: [
+  {
+    ip: "127.0.1.1",
+    name: "{{ inventory_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_kube_cpl_01 }}",
+    name: "{{ kube_cpl_01_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_kube_cpl_02 }}",
+    name: "{{ kube_cpl_02_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_kube_cpl_03 }}",
+    name: "{{ kube_cpl_03_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_kube_node_01 }}",
+    name: "{{ kube_node_01_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_kube_node_02 }}",
+    name: "{{ kube_node_02_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_kube_node_03 }}",
+    name: "{{ kube_node_03_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_kube_ip }}",
+    name: "{{ shared_service_kube_argocd_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_kube_ip }}",
+    name: "{{ shared_service_kube_prometheus_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_kube_ip }}",
+    name: "{{ shared_service_kube_harbor_hostname }}"
+  },
+]
+
+netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
+netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"
+
+# smardigo automation DEV gpg key
+# https://git.dev-at.de/smardigo-hetzner/communication-keys/
+# push mirror: https://{{ stage }}-gitea-01.smardigo.digital/communication-keys.git
+gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private__vault }}'
+
+kubernetes_with_awx: False
+kubernetes_with_gitea: True
+
+harbor_username: "{{ docker_registry_username_vault }}"
+harbor_token: "{{ docker_registry_token_vault }}"
+shared_service_harbor_hostname: "{{ stage }}-harbor.{{ domain }}"

group_vars/stage_devscr/prometheus.yml

@@ -0,0 +1,85 @@
+---
+
+k8s_prometheus_helm__name: "prometheus"
+k8s_prometheus_helm__release_namespace: "monitoring"
+
+grafana_admin_username: "grafana-admin"
+grafana_admin_password: "grafana-admin"
+
+# https://github.com/grafana/helm-charts
+# https://github.com/prometheus-community/helm-charts
+k8s_prometheus_helm__release_values:
+  prometheus:
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-prod
+        cert-manager.io/issue-temporary-certificate: "true"
+        kubernetes.io/ingress.class: nginx
+        nginx.ingress.kubernetes.io/ssl-redirect: "false"
+        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+      hosts:
+        - "{{ stage }}-prometheus.{{ domain }}"
+      tls:
+        - secretName: "{{ stage }}-prometheus-cert"
+          hosts:
+            - "{{ stage }}-prometheus.{{ domain }}"
+    prometheusSpec:
+      # TODO Using PersistentVolumeClaim
+      storageSpec: {}
+      volumeClaimTemplate:
+        spec:
+          storageClassName: hcloud-volumes
+          accessModes: ["ReadWriteOnce"]
+          resources:
+            requests:
+              storage: 10Gi
+        selector: {}
+    deploymentStrategy:
+      type: Recreate
+  alertmanager:
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-prod
+        cert-manager.io/issue-temporary-certificate: "true"
+        kubernetes.io/ingress.class: nginx
+        nginx.ingress.kubernetes.io/ssl-redirect: "false"
+        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+      hosts:
+        - "{{ stage }}-alertmanager.{{ domain }}"
+      tls:
+        - secretName: "{{ stage }}-alertmanager-cert"
+          hosts:
+            - "{{ stage }}-alertmanager.{{ domain }}"
+    deploymentStrategy:
+      type: Recreate
+  grafana:
+    adminUser: "{{ grafana_admin_username }}"
+    adminPassword: "{{ grafana_admin_password }}"
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-prod
+        cert-manager.io/issue-temporary-certificate: "true"
+        kubernetes.io/ingress.class: nginx
+        nginx.ingress.kubernetes.io/ssl-redirect: "false"
+        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+      hosts:
+        - "{{ stage }}-grafana.{{ domain }}"
+      tls:
+        - secretName: "{{ stage }}-grafana-cert"
+          hosts:
+            - "{{ stage }}-grafana.{{ domain }}"
+    persistence:
+      enabled: true
+      size: 10Gi
+    deploymentStrategy:
+      type: Recreate
+  kubeControllerManager:
+    service:
+      port: 10257
+      targetPort: 10257
+    serviceMonitor:
+      https: true
+      insecureSkipVerify: true

group_vars/stage_devscr/vault.yml

@@ -0,0 +1,469 @@
+$ANSIBLE_VAULT;1.1;AES256
+30643065666638323233653136336633363138356431356166313531346166336565626666333266
+3430386162333535653837313831636234666138373938300a636264613166386464616231343366
+61303664343865343864313937663930363137343164316461656264323739636434623262363233
+3462616634386163300a313164303939376431396261623039616334623835336538643363356234
+38623336323730656164363263323466373035326161653636323065303933373837323566313134
+33356663306435336136666665333035666133663035346466333031633530373339633034636665
+30633561626637393666653133363636643261343163633062396133626335343837333966366334
+31326664333837323437666464343966396461393461336538303032646531393065656435616631
+34326634616334383166373437626438626434313664326430343966646465343235633835353439
+63616339333332653833636666313564386339653139393536376339633561666435666566346434
+38616636326462393634636336646362613331633331383936613966393334623037333362636635
+32613438663834383735316665366461396130303831643465333364383630363261323034323665
+37653433343961666666333034626534313338323035613365636131396236656163646362303537
+65353036386538626630343765393461336636623730376466663437663638646262346238613066
+31623463303166663838356363633835643233343930383031646438386661663631623233636361
+64336433363563646135333139656463633039373965663333363137616133343862363537306465
+30316437313530393132646234336230663063313632616236636366643332653035643462613632
+33343865373132366430306364656131366261633537663931316163386434316335323864323864
+65313565316631333166396530333161336236636461303964636230646338386533626334356130
+33326262333866653233616265653466346566656436653633343239303131313833353430333732
+31363433313636333137316563373833656561323538656636623064333664633637386636373139
+66633462393137653633336233393536306232386539656637336363303434646633373433326265
+66353765633966326430623763376335613761663130343165373131366664653839656239653066
+64353163313937616138663566663532356661636564323630633864666361383032313634383734
+33636464623532313935656430306464663334323236646531306562303061353836353863636163
+39303531613239616365366332343364383738353335396437366331643666343064633935666234
+62366135323833363431373331363732376339336265636336346637356564306435306530303534
+36323534653136316539616238336437393061643363383066356361383131656266613134633935
+33383037333236623635626666623234376561326536336530623838306435343135313761346438
+37633763373862343930343131393664616261353130623062636465346164393637366436346462
+32643430343064326335383430353563316531353461376666353230626437373438343932636630
+32636234653435363662333932383930303437333237633164313735356463383962376137343662
+64653861323361623435383366616530636130643661336663393333303165346435636335353934
+64303839336563666331326630303236373139326565653139646564363864373739633632376165
+62666263323362653661633437646662336464383761653332616232366331633731313366376532
+61633439313338303565323636303935663064623637666536323561396365383065643636653763
+33313536383039323735666462623135643835333735616430316430326631373164663965393566
+31323235373739663963373465343534383261633036653663386332616365343363663739376636
+65383766626362663133626638393536646635646130323030633830373737656164356338366136
+65343761626136353631323162383438656163333936613732643366396566393730306332613463
+32386137633962616337663065393965373761313035333135633164636332393133383137653036
+62663434636163376130386162396130653735376661323064663264643034393466346339633230
+37626232306664306436646337356365653936636538663965363237646636663561626561623230
+32383165323934666462363764316630346339346261353865313866626135633331323833383439
+35623936346164656565373338386463656262336632643636303864663964383739313164613663
+30383833386662333266613137356233643335393335666432386466306330313266363362626430
+33663162343734636335363639363039633161323631333161373033353732316265643634303166
+32306630336239376363396566333265356266643861353435343064356532646164633165346135
+62396161613865633839343630343436366166623537383239393562653233323239356534346364
+39383639386263613564303834613138326339343838336231303531313037663131363538343666
+65626365323434663636653138353862303764306338393034353763626338323032653336663033
+30656665386332303736303765656130393133636336383131616633643536396633313364663361
+64333533653838623338326535653261346336396331623835363165363231653630613061366663
+32323463393532366532333630376233313437316239333130353465623066643932306466323637
+66326362666131633533303836633561393862356639306562386466363336333030363037306665
+35316333386538636135363364626463656234383836613161633537383662643064336133303662
+36323034663131626262623834646463633266386537663261646339343665623336663337313465
+66616264393263663365663937393266633036656536636562663437626630376365313561306662
+34336365653466313132613462326361663263346135336261333766306339616261653232363531
+37646165363338363632613331323664306130643832636336376438346664666138366432623836
+35393531396261346138656562663763393535646534633565333537333361636264326231386665
+65383864663632656636393038333766303935633932333266376239323565353164346138633738
+35303237656265333133316464356564336361393536353262346462346135613833656532396461
+32393461656163346565323732653761343332303533363530333535366236616533636366613038
+61343065663234663765336437363864313064646338333864333637343639346238383766376464
+39616562663764306639323339356336666363373635636565613038663936393464623938613635
+33623139313838663764373163376238393334636236383866323033633963626534656363386439
+38353435663037353338373533373539663834316439373136356136386231626639313732303661
+64643039313535613066623036376665306164333962336337633031396162626664396262323463
+64313635633430643735633039353663663662353434376331313066363066656130343331336363
+61373863353535393632613038346339346533653031313636336263376564346138336466356234
+35326439383061366433366239623030333236363437646666653038393039363730616132646532
+31373764326131396630336135633831353633626462386266613035666337303932313361663364
+62623438396166386339663563623665336537393066623863656538313334313466366531643832
+30633331393838313137636636633235393563383366323365643737613237303639336434356232
+33373464326435396463373165333039396239333835356234396136346663313062396537653765
+62346636633133383635363236633665643038333765383733343133366363363332393934373362
+30646265346537646435363831636265343834633739333730386165306437636462356534363332
+31343636396366373163326334386135353430653264303132343439323862386238363132633932
+37393461656561316632343837346564386537373262343439376537666639303635656165306236
+31326131336161373734356233623231366662373266356531383861383361313537336364613934
+63333030373335366435666437383933616236303263333466616635396138633466636564313335
+38626534643236623838636637633330616161663663303365386332353030313162643332393932
+38343038666332323430396437663563393963356432336363666666393861363233626166623636
+34326336323035613137313834303462313939653161633531323666353335636534393739626236
+33363966346636376432643530363734326530316638623962333335373039326235383539313530
+30616636313464313862326636386338303564653834653963613233313165626339343962353164
+34616134343363646465623131636132386564363731623631396333626539623962356133343164
+31366236656334313930333834333039363833396135323932333130303730366638613136353435
+39333035343936346662356233346238386433363736643339336330653733356537333662613030
+34376634393738663036666565616330386535313833373336366632323032626131613834643265
+32326466383362623064396662343836303838623934313665646666383835366132353261383464
+33326130373963366331333939363664663031336531656663653265333564303035363364313162
+37373136376339323766396165356261323864616563386563373431373238346264616465333266
+65346661666530356135396566303639303861633233363435343262336663313337313437326133
+31653266363761306666343737343861643261363566363837626530636338313666323135653264
+66333332653734613637383964383133383435616638633639313362393839333832356139396266
+31343035636464316332356161616364373532343163393765376466636561623739623038333935
+34313738333962336638633835316565666162383265346166383138636131303931306530386130
+65396533366233373361306234356533306330353836363764333530643165316266386530326334
+34376431656332363531306537323361343065663132393839386366363837616137653035306434
+33346136666365613530366461623663643239643235643966306632646639346536373563376538
+32653039326164383633653165316364383961653730396539646566653630633139666333373038
+37643934666230366136303738366366343933323935636335636235333866633365326433633164
+63386163316361313836653637353836626238633330633731313434303462613962323362333562
+32313439626466313231346435626535623363363966313631393538353166353431323930616462
+39623337336431666264393861316261636635633961656636663462643635303233323935396138
+64316334386535353331376431356438323064373538386630656238623734373765316266323264
+33323964666564333561643936353262626333303834323761383262393865393830616138326263
+30616238393864656463383233316138396432303538653061633433393535383565626233343961
+31313835343937386636383865373134323433353433656565313932313564333339656235356366
+30326533313838643033383763373933626339323533303037663262366565323365616663333936
+31316334303832376333303962663738363437613261616532393332616333396562303861663363
+64393034373865383866306130303533366132383562343664306238303861326166633830643662
+37653065653766323236623539666564613931326633386231346537353232323635636432346364
+66316339633164353432356632393863323537323838646537666433623864373636643931663834
+37613265363333613863663161326637333637316331336133313333343963383834653038623866
+66343735326463326538303639653764663439666334646362666431313838303139356562633235
+39653135323835646533303266306263393837356235323038373739363061353931396433326530
+62373639666662306430343939376631623331303765386631616438356532636566613866346133
+39323166383230663531393632346632623563303662303964366432636233313335313763316337
+63613734396330303236393131356461303837376639346436313365616237366237363461313066
+34623834333138353232633235373231643633613539663265303733363234323765633265366334
+37313364336238623065383936653461633761363938636632623035653636666335653061643261
+30366137366434366366616331653432636466636363333539626333656434633937633035356439
+39623130393936356465636264623565623534666461353036356436313736333131616361303330
+62343435383132613233666662653635383865306166366235633961656139623530623362353163
+61643939636161346436353334663537373838323737313562313631393639636362363732393263
+63383366366661313735623839363664383638663065363337666562373338363539363662393566
+65313865393730303830656363313761346531663733623131636634346432636162623431323237
+61386333666638383735666264366365383065666334313839616364663531323066663932306165
+62626237393361316336616337383765363566383866346635303436656136663762646336626165
+65393565356635323033333933633236336366646331636530383463396661653361393364356664
+32616164636436323939306232363533666666643632333636326336316130646161643837383634
+61333133313335353262323935353762363439353836663063323139363030653632393236623931
+33626235326561343265393832643530643166376334666665623633363066346238313331623633
+64303538393131643330316361633337376331613361656139383663343962363162326566666365
+37316435313962346664313762366261393037346666363836376233666231666162336264396365
+63646539646562313537333737336366633435343231306539656463613132643063353962326263
+33336330386138386631363334336162326366373238383465663533326165366538623330376437
+35666633626234633062383339373966386535356532333733313633373964336330643964626234
+34653036383836303832313365386363373834326664323539383064356666313430316437356565
+33393638356636323338613161396361343831333534363963383137393837616161363265636338
+34613731653435376561316435613462386436613333383966633034356565626365633235396265
+62313131363665636365653234626437336163643439313639386463303961636436323932316135
+35383739663564383037633735646536393234666439383733386464306561646437626535366565
+65353532663137393433643436346132393562663135393266373631346536626163653465323938
+33633766386435393864623337636136343133383431636462343564336531333031353339623033
+38353738306366643964623639626135336661306264333836623564306532626631333635333237
+36356638363133663564653837633366306134653330633337616330383063343636633233383961
+34613238336332333362333363363335353566313161356133373436346238633266363966393466
+35663961346563393239366565623539356263306539656638353830326666626266323663383261
+33383765386265363533656666316439653530333933343034663863653861366262316366363331
+33616239663533653334646134656135663063363039653961653064333432333738666132643334
+61646639613733666361343831623334336663643864656362666166346437373162643735636234
+31356463376330633461336366366263366466663935313338373834626630376363313831373036
+30643732323930316261373539623866303562336239383536306161363361663337656163363038
+65343932393139653433306537623933613439666362383337663135303232393535653639646533
+62393438613939313762613164323264623032656230313966373432323931356232343932326438
+36623561326632313038306333663230393164343264343830353962323933313537303634656362
+30626437366430376332346139303435386363373930363962366631343464333066646564383061
+31343834356436363130333566373936303764653763613063363536666664343637333337383037
+36306333376539373937303664633139396533393866633235393439326332646132343764353565
+64353262346133623034343066316361373561623634616262366138636565356637373634383135
+30366463626130643736653633376562376433376532393038633933643836373631366436356561
+31333433313039666336663337353436303463323137313666656137613538663231643565353035
+63386336346566383764313038303235333962326235636331313637326637353362636638343835
+33393135626539383538396361666266303061313932356364356436666564626238383639323637
+30643265396364393336306338366364643337303365313335323835643631363762393733353664
+64316235313864653434626363636537373562333731353533323864363062633663656638643433
+37623565353764646338666435366264383538636338383937376437643835333738373030636538
+36363265363130323930353235393731393432396661336565653235373130643734393138616665
+32343337343932623464323361313436373161336663613065623063346533346466643066386330
+63643366343136653264383432313263393864383438623863386230633434383962323762663465
+34623033326438636131633237616131396437623264653831333634323134653338613765663936
+62333435343461633939613365626637386534633335666330623536373135333761646339353934
+61373762643439616331613634613963316265323331633130666263623462613061646263393763
+31376166316639666334343466633738353931316163366635363737313738343439636532393361
+35363831643166383765633462363561376330396663383534373136306430376661376438376565
+66633562366164643535633633353838663162636537356131353265356436393531663862653734
+62646535663761323439666535653462386638303630333862303965323761373237373266666237
+37353636653734363634616461333062373463373861386436366130653532303934393130663863
+33616138383234623866333432316164653564656237636138616365663735306631653434616535
+64653561643262626162343363353762653632363338363832323436303636386265653138383230
+63366530633934623839666434613930626130313537633734383865636461313034613764343039
+37343566623437656539333534383136333737363035303866323562613937303863356635663636
+36383265653532393831666337303437316562636132663230613239303630613034666635623535
+38393164393965373233623266353133376135333038613462653566666430633963323162396562
+30666164393736343033333736326165643964326661373037303364353531376132346461656363
+37313463643936353830346434353132623662643439643539636638643731383133393830323635
+34383464393535396263633936633665316463333466376465633534666430336132646361386138
+38653330646435613564366662666163643464373539393830356265643532616365333431303532
+62363432343739366433646136343731363161646331623530316333303762623438636531613561
+37663264656539323333366230656536623663306635353566336338363638353732303434333134
+32373065666337393632303063613135343030333935343337663838323361386564656534636438
+31666333363461633866663863346162636131313566323830393239333563306662626337636661
+65356534313462386366643261343066376530333331326237306530303938663561343739656332
+66396663646438323666343230346261306438313430636135383163313336396639653530373665
+36393637616534656566316230663233626563363965383861323961386365363838626235353564
+33386165646663323831643964653666636662636133313666353262366232323131616462353966
+63326531376461333066666262336663316361653733346166393163623039636330643563653165
+64616137396435646135383130656132383062623930346337646433313838333433646133313935
+63383536326538666533393332393462386433653231326435346432336562353066313463393966
+38366338306230373261303131643532336563303533316334333030613830663739366463373934
+65363039663931616637623664373665353062373330326634386365316462623166356134643634
+30353265663834396366623634373763313939353833373133383833306131383737643566633930
+37316235653237616566376232393465643737376164303138323766663537373932633431313465
+39316232663932386262363262306435333233323233383032626232636130366362373332613663
+31323463303264363234383931363435663834383562636166353936303433386439313435626563
+34356161643535633335376336656338633632356266383330306562666462306434623463363836
+36636134613664326439316437313135643664353434343264666562373463616630373135613062
+32366431653134323738636433613765646530636432313865626132303163373835303730666233
+64646135376130333639323533643633376632306562653264323635386233353038666439383065
+34363735356234366132643233303534376535393739663437613032356164313835613133623733
+66373830663233643365633536626161346136336564316333313563303235336262323831646662
+39316236653335643633613334386530356161613631323332306135653731336361386135636566
+64653131663036663565313031323135663031653734323931326435663432356534363762376663
+63626261386361323835396637616235623034393533336338653430373237393466393037363134
+36393930303664306164316364643931613736646433383635643564333634303939376633663362
+35663865623135623735653761333164663665343163656438353238393561333930343262663263
+65353261633037363563646662616466386333323430623562383732666166393834626339343766
+65373935343436643366393264323337363438393532613965303261373332366663343163666333
+31613963393830306462363863323034383236333630323038343934313836646564343734323835
+31646439386132626465316534633432663665643561306531636236366432353131343630366538
+66626461393338373232633930666635636537376465663963366131333364303133396138333437
+38393130333932333065366136616633326338613737373233303862316563623333323037613861
+39613938376231653131396331396261353666633161363062646261336633366636303536383635
+37616436323932333464313834346634396662653466323132383764346437353865363064623162
+37353963616430613162323762303866336436623531333132643933316335316439626230343539
+66306665643739373764346538643663353439633638396230366432363837356161623339643863
+61353337336239373337653462313435383033623761333434343837393339616431663763623632
+32313832303539653736653764623361383961643533313733393061336663333137313335643462
+38323937336365653338656137383937316366313562386366306232646666316663616231653232
+62366564656334653937633565363932383137336137616163616365656462623338613363396137
+30633165326533353662633963643266376532363332376232613266326334396433356635373264
+31303130643635343937653831373233376639373137356534353930366364366239653965336261
+30303630316561616564313231356234306535626264623162343131666162663864336661663265
+63366332363761623864343032656261643433626561663738663036333336313638393263653633
+38303566346632313435366562336330313437393663393432383235313638613130616161303038
+33623064613266633565353739636232363865343964306563626463326265656138356431663731
+32383362353934333931393264363937306263653164373332386437346237636638616331306530
+66616239633733633439313735343963633632663861623734626132663638333633633739323365
+36353966303930343132613663613138353538663537623833383939633264373766303063646464
+37613162653362336539323938383061613066663565343839393731303565353534633766643563
+37323134623738366131343139386330383532633464333634326334303033643839656466356134
+38333364393538323631396461323839396364346564653434316531393633316132346165613565
+66653865343138376430313466393135363030393662363834353632343966336161333364326533
+30363531383338333331383962343237633463623332366561343336363336373931353162626363
+37303061396239353163383766386332646464666637343362636536333333653939323435653461
+63666162333461633236313863313561363031616364356130636438636632326531353732396331
+38656566356331316162303065663035316634656563393132646134336634313531373136633366
+63333236313232646561346238313064623738313263303164663036396536643066333861636337
+62353033636134636131353334373633613131363336326531633433326238323635623338366635
+39313866333963346334623038343232323765623661633638646537393334396338376438323964
+38336236383638353336306362356363373763653562623639663037326237653238313634373830
+32666130373631393564386632396634303236336339346236366132633333333735373233363433
+35663264646462396634326535313937333838323665343564626336656535653063363533343433
+35636131636161643662656261663132386632643061623065366161386466383931653236316233
+30646333396639363436616162366436326634396636303964623637306531333037346531353337
+34353064373936323164313465303032313563636638326237666133353433323938376338643563
+32353336393431336232363064353638663930626638383438616565316161306530663165346431
+65636363396366633735346661376339333334393363366239646135383332633366333831646239
+37376338386538623865343061636163643936333134323930386533383335303638653761303430
+34313465393837366264633539303839633138383230613634306131633962316366343937356439
+36323566666162373763373564373938383539336636313636396630333033666564636466353931
+64643330636330343232646361623030636366323236373236663966346333633439396439366366
+63653537333261373938643637653539633163666137303130306166313734333433396361363932
+34376162613935653563623736353038616530366537623238636466343137346465333162346334
+33306539316635336433373334336462353165393839643664376633613162633462383537336463
+37653938373836333964396131356638326362316366303763336465653932633930336332613237
+64316134663764366232616438353038386562363962333731643065353839666536663131653632
+36383331366330653239633061323861356565656438383262333164336333356630663465656337
+65663037396530653566303936613364666265323935323664633962666430386361353632306565
+65396562396334623366636663636163323435396534653962346164613365653935383635323833
+62336264333563623133383061353565623438313336366565633330386161383061386432663365
+37373735346639323964646437613732646236396561633065336562353263633630343264646162
+33363964343336326636623265623237643839613530323366646266336433393134306230336536
+66616262386232336331373239333663643864346461343664663536643836363564663065663434
+63363733663635613530643832646661366530616536633333316563316630633732643438386264
+65616139663731633661316138633266333936646138313238336164663730343131316336366465
+39663131313131623964376265653832653134366532643631333234613631643762356136343161
+63663837363566363964376234353338353661663266383863386431636438663231303338626565
+66316439633430363731386663303334663330643234353065613132316538353963323466353438
+66326165356538653034336434636539636162333032306139323032323666313032313436633131
+37366632373236393231313938613530393763336434363733386236636331633531623266616664
+61333962343736393661656533356663653438316636643266303363393463323934343939333734
+35323664363363383830373537303137393932326266333634633937313233303536353537336432
+30663866633934353335313465303035333363626233663661663835313262336664643166326165
+63326237643935353539336433663363623831646232363338323935623535396531636630346363
+37343939646636323365336130666136646334386232316166313162323233646433316432366233
+34643565373638393036666466633039366232396431373637343662663831623231623062316432
+64373938623135613565393533366530363834633831313031346564396366336465663639303733
+34396338396665356631303938343632653638376233396665633434643530623030353464386531
+30353436383064663832346230333231613037323933626535633765373630323533656662643836
+65363965363561616336376339363865363562386664346564373231313737613937373035386633
+39643664396439323439373630643931663337393066323131356436393939333239666338303666
+38623939636630633161333038373931343030663964633966386133643235353938666139646239
+62623235333561303839316165306235383836336331376638326339386361656336646234373932
+63646361323665346530373135316230653461646333356461303133333561643432376532643765
+31656366396638366566366664383231323339366165383135363734373939303362333261336132
+63373364336265643739303364326339636162343730366433616233373665613963383061633862
+31393132333734393866326334656533663133643361386131373534343361396261373032376533
+62393836373164336630613436323230313938393033646465633239396534613561376365376665
+32313966396131623334376232313436353833326663313663303336313062633034653861663138
+36643464303735376535393833373439656237346537663438626166343065396363326463306665
+61616166376162333265373332663630386435313835336330303361666465633739646338646535
+34623435373763663434306262316334323331656334323831303564366431396238356232623365
+63323338636262303134396539656263303239643531343065393035373738383630646437653231
+65333733643432616633353238373630323161303664396531656663373031646231613735346538
+64633336363434316163623234646439396464306533343332386333316265353534316565333435
+33393266666561656432623738343465336337376366653465386334636636666466323162353830
+31313434353439323834646361383035613338376136633733623539663963636630643638386162
+33643665336465643632363134386430346465336361356436353831343134376131643133633065
+61303536363762333332616630333462656462353235626463643162616135356432343538363735
+30386634613732626331343330346265623636643734636638303937626565373332373762386534
+37386337376165656433633537343235636232383530316134633633363464373064656336633464
+33303662636565396532353830353565306566303231616662653533396364643832323335356234
+63346232626437643838373834343562376631646430643632363261613334646530383539623265
+63323534623262636437313530376165383036363134353432633935633139323832666566393063
+62656466633335363334646262323032646334393065363465353866303137656430616135396530
+31346166646165656665393335626664303136643735646664653037333263383437326463303333
+31393134323132346233666563333036353832376534326338633261303636666161393536303039
+61626633363065333433323331633431373764616332313565333634306532666461616533393436
+38663939326532333638663832373064633665313637663864636432636530616666313631653839
+37373935646231323332653339363038616133383463393530616239636665646562643431386339
+39663433366261653662313065376633633765323531336135386139613630343565396632316336
+31626465343564666537343761313064303235636563366133613434643961363437343433333939
+37653762623565666633333637393630396564623535373562366132633931653261626135663030
+62633937313738663334656366363137366232323037343639393166366665626366613633303565
+63303061343638636631373338663436656439353533306232386431623062373763356338393935
+30386432313436336336656465643134373063313634366336323564306237333039643266613230
+64643863383036393065313236303236336664353361306138323439616363323735316136623438
+65396433333436383263613363373431613663363032653939636436373437346665393664323433
+32663935653866346535316337376665343165373731373764643333333466383165313735646437
+36376239313162656134366139363432316162373035363432353963323437333764396364626636
+61646663346333353865663530626531386263396137303131626161376137643037373235653631
+37666139653736643635313861323433326136313762666338333235383938363032626164343835
+39383632323233333830623866616463346138313063633436353231613937643138343634653333
+37343939646333656231363236353832356165343364313030623832313965353631613039346461
+35363463626631316564393332643961373032316662316330363362383866303364373565653333
+30636230376461313136666462633235383031623232623966313839396639653930353661623035
+37323263666535306265353138393639366330366137323662323361353432636262383765653062
+35303565336236646538666634343262663634366332636663653632396261373236386134393561
+31623231663532306231656362333765653739613438333164343733656163333836656139373266
+65653666393366643164666539386338346233623438303931376333313065313135663262303262
+34333961666463363565346462613836383837613865336430336466666437646665323365386233
+31366661646531303836656233353565363138376130336265643733386331343264336534633235
+35353837343666623664343039346533353964313464646666626330353839303731366639313465
+64303866336461626161353531323163383962306162333061376439333064613937333331393863
+63313331383266323461376530663335313464636465653065613535643035326536323339393564
+31313032616435636364326336303661303565646537353337373166313265343331626364343861
+30343066396261316661333435613034336362343637353137306336636361303166386164393137
+39363038646332613235623664333562653234636533393334326463346430316463613134653739
+62313266653034643463633037316666386335393937396132616564356331346535303439373638
+33396234363433303638373030326663643031333032623136663330386532303835343361623863
+64346137616530633438376336306362356136376438396434643639376366366366643730306431
+64343931396333303261303566313831643936663263613036333262346631656234623533396134
+31373330333430323866306661663635343664623762386563343233366535653937326562633265
+38396561376263613039646536633866353830383837356464353937353030373030383430336131
+31366235336133333162373038393938663139303266313166663064613830313364623663343431
+37396137396139386566656635383134343231366161373538653466616663303738626434643738
+65626465666236616239316130346465633063323437303266626530313561616433366134366438
+32333437363631363731666666313466646635343765633133393630653764613038363233663332
+61633666383966306632363937383935653232376362373966376538363861316135333963356239
+30313262323831623031323631386466353831383033383961663661383434386237376331366664
+31636635393930303130663663346439303531653836643031356631623664613665386438306337
+31343963383830636637356165626662303739373439643237636164363634393863366437303135
+39373932663365663864626132396437616538333331363561396263383035663362373931666465
+34613464373265653963633463373635333333383762663164643636633838666161613863663131
+65326537613366333062363835336262376563323735323633636232356534333766346161663933
+65383763303663653034623837393066643935383036383163306331346162633234396561306465
+32396533613566383461393939646537333635376363633534323335326165346136636138336231
+35623337613335393238323138313631666439323763366337386230343732643337633934376631
+34633638336661633132613363386531393064353032626363323339663561623138373832363235
+35336530663934666433633635323462343130623033653837346165376631613837323137313033
+38313738396462616533393365353033373366666366643137306131316538653761313062383234
+38303863356539316639666163343332316666633361383133616239633063393835396339333932
+38386439323333326637383838633266353537663364363139386437376538326265313637376465
+62373430313932363138626537393938316633616635393062666537666239336365323430666637
+34663634623964653838316361386563336464616564616236636264383438613434386631333632
+36623035646130636161353636323839626666313431666464393336663838643032663735316238
+64663534656262343132656337653135653632653961633333373864326235363635613639323131
+64303036336161646431383135316564316230386264383862653264383037323930616637353335
+34363239616261383437626562306239636332393931326535666566353763393162353166363031
+61646461666639393561323561613132643163326330653230383861336164613433373763373464
+31616631663462353039616432626662613161306334646265373735643934323837336464626232
+64343766656639313066656239373631303331346330383764366531623934323233366432356333
+37643039306337386166303038353636393634363331373936306636663364366664363339376330
+32616361316630666338383463393239333137326165346230303566666333666232356530393238
+30313937326131633765613732326339316631653335633631313931333434323932323334393431
+35626437643439613838633063616562313362303133383164313933643533306163333364626338
+66376434333531393561663935643033656265376234616466656230376636393330346332383031
+62303732333535643233666131313362663564613434653366656335373434343938643638653934
+32376338663837363538653030633133643561326165333363333563386561623162363231386234
+35356237343166323733386437366661326464663061303061366430383866636236323738666564
+61306135383631306534616537643563663437653166353533656665346433636432656635663566
+33613534396561336339333335303861386533373436316632636661376438353731353030646161
+37666361396161633766633765633066303662663233616163643963356138613635636638313035
+61373062666361353439396438393234343731386434633538633631663661346161366465663962
+33626438313562636138656238303934373038636335363764313030316134666161396334396236
+61333262643764303066343065326135366530393337643434373335316639346337356166393633
+63653133396365366135623135623232636234343330353865616138653261333133303437633733
+61336130313039376562356561356132396164383365383632393335623132376630303161376566
+32626566613364646466383563333135343064626537333466356134303635313030353537663737
+33623464373536376330366164383139323664613739376238323334316138333264363637643135
+36316332393439313438333064643933396335386137636637393435623937373634616362626464
+61666539653237373864323435313362353466666237613631363538393362646534646166326261
+39636130303335313233313762393366636163646535653362663863663630366136616239653861
+33643630613364306562363962643039316237313964326130323736643331333561356665666131
+30626365366339663065363461633538323235616238633633313264306332316534303466623339
+61656431313035613665306435363933306634376263626334616137353436626537353662303364
+31306262333463393264626337326131616337653862376335306263356338333966626537353439
+36343635313965323164303066313865346264633637613161613661323963323236306133646635
+34333034653630663161333237393761623136623631396234373533633037626433666533303162
+31326630363431663366306330316330383863326236383632363363343761346165333139386335
+63376434326331653133623761323431326363326431313464653664643431303361313065323762
+30323063333931363836373262343431613733356631386161663466373561656462636331666661
+30646563303034353038346632353835663064653939353035323232383635343232666133623430
+39356339373235376261323964353532363139366563386230313337393962626434376539346431
+62643964373161336662336131616666626134643038643464646462323764393438626635356361
+33636531343239373163333763316535343832646231666136373163633737356633346635623437
+66656633656461356233393366353565363430666237313939663139666466333539643961346336
+35343365646132346337316461653631343839336537346238653032636362613339366634356336
+34373937303136323331303833303862303931336261303035613931343333303932353031616366
+39323439383663643930653635336133373566343334346435363037386534616231393737626333
+30323331646263663039393262633236393933656135626666366433396566646565303337666461
+64333838646164653934653431313233343133643865353165636339373961326565356661616639
+36393338666632316666303464343235343036393537643131353563373765643531303230353162
+38653137646561376537626436316133636564393562376164313337633436396439613233393539
+62353936303038373364306434393265623236623264366165646539373231366333626566353466
+39626666396634306631376262366465326333396664613837356232316663623566623266366336
+63643630336665663262336364646363313964653531323366306362393061623166616633346632
+66376331343364343139386561376663356638373832326435646130653665303734646163663538
+34666433643763333835303966353135363263653730373464346238666166383864336566303535
+30393861393637383433373832666161393938343164353838383832383433373264366434393662
+34393065333461613934336535323961663662623536663832313265653039356638303336633936
+34663365666231363138613366623863396330656238643764653366346131613162306433616464
+34376630373832616337643565333036653565353030613563636537393339393762653462613765
+39366135366162303164306261376437613434393535373130363335386563306363343465373534
+31666265613636333064303034656639373830333437373664353536343838323066643237326330
+36306364653762666335373630303262643739383037386565613739373664663335393033656662
+36356437323165366232646463663963323164616335626438303463356263666266636561376365
+62353161666533666164393933636562616366336138616366633632333736666336663337356564
+35346639353466633635356362316135663532393434636565306363653562383732616533656566
+33663162663839333462383863643863373638663938306265323830613331643465316236613732
+36393936326136393864353564663433326635386537353439333064333932626132336339613830
+31393635613832653630643865663531356536393564326465326630336563363430613161313436
+65326264343435396464353665303339666666333431323663616339646261326663376663343361
+65383634323332386332303536366134646462636463353338613363653864346636383764646533
+34333533303137636530663666366232626261323539363239613632363930653730356664643635
+37643737326230633639333330636135613938633464393964333431306432623362616530353364
+63663666626530303030653365383530343133366136353065346336356136363737316132646139
+65343336616562626364363637393836633461373266323031616334346232613231313337656163
+32663666623062353266326566666238626535663739336234316535346361346438303139613839
+33663035646563316564653137663833643730313934666530656431313833386465363566306334
+37316664666266383666353966353062376434386566653032343635396636356631613961373938
+62303736343836396433326236643963656138333265373137323734303963613636613534363434
+30653334633562666233306131313463383162303631353362633039363931313066643261656334
+62326262616438636266303731386461643966383733396139343233333138353936333933643139
+35313166323037623366396364343838323530656161373031363730613831383164636239366661
+65343131323532313133386236633638623933666133326338393463633635386235613436633730
+39616564666530373538633861376533333238366637663531383665643565656631326438656362
+37303866343637316462313939666131653635666539653864633566663662656662616338643863
+39666336313230346230396665396336623334643538323634306637646337623666633165656231
+65373930633133623466376330316332363236323733393461303831643737626362313735383030
+62643735316162326439623265326562666562323634316562393438303830616266613566336436
+30613931333339303964653264643332323836333836363566303635353565316331366230343133
+64313039376334383766

group_vars/stage_ext/plain.yml

@@ -12,3 +12,5 @@ node_exporter_enabled: false
 shared_service_network: "10.2.0.0/16"
 
 shared_service_hosts: []
+
+traefik_admin_username: "traefik-admin"

group_vars/stage_ext/vault.yml

@@ -1,18 +1,22 @@
 $ANSIBLE_VAULT;1.1;AES256
-34376237343736386538353235346231326462313534643130616532633535613331643236353764
-3737383533313861373030313237366131356438393333350a323230316663346634636634353239
-61326262653334646539626464646663383164666166306162646166333462383833333832353461
-3437663431653566650a383632653134343238393762333131613633313036636536343831333630
-34633361373264376263303364353531636434356263663965626639616666633861636463383637
-34333838663834666532366564396566313739386262633335313335386661646166363636323766
-35363535353664346463336566663163303333663065613532623265303262396531303831653636
-65353565353233626331356666343932333539356331303161303062316433633761623132333033
-65376632376266336361363832613064323861393366313763316434316264663562616134353766
-62643165633030363237636632386166396538666337616430323534313062333965336233333836
-36306637323764333233666239336331373763633737623666393466376163313738393036336232
-34613536336336663837353031323665323733313634313731326537333938396361373435366435
-32643338346635633962346537393338653464383431396432343932373439386230613537356134
-64386165363233636237656364396333336261613037323136363630613533353639646439303337
-31626663393335343962663033646135333366623738346436393764353438383264666666653635
-64643462656332653361313766656633616134373166333163346131616334343161616235633666
-3366
+38663233373062663161366637373233653833663531383237653432633832363036393236653231
+6136663865393830306533376665343733383565366333630a303664306465393566383663323666
+31663735623036363431346561616538623534636334633438366238653936383335303430613932
+6461346332313639340a626139353538326461633133396163393464393335373866356133333038
+30656133346362393635663566383938633663303662623136373537353462333239366331376462
+64633239373639356463363464376564663162393064623635623033633966653139303766383437
+63393832376561646330343637633761653232656238383636333963646332303734303539373730
+37613833313332393663656466316639326164306636663861363530636338633337633833343630
+36333636633164613130653732616236646663626332613234306530616565626666343335616565
+37303464396237323261643236633264633838626236373734396535643466373035346436376133
+63623765663134373261343431366261666565303631376533303465383161366135383263326663
+35323766306238396430343965653335323437663161326233623066356464316434633234303162
+35626634383366303436343038336336333963326530326161336462326535376264343564396231
+32323662323839353939653065306261636338643139613933323634666633313636353864396166
+35383633353735383430303930303437393563323264656439353730353839616561373639336664
+31663237343136353564636366643865363464656534393832383531393532646166643637326337
+38306139663863653131386263336138643831303031396537373835613731393834386261356435
+39333331353635363633396337643234396231323463306465323636343539353232353464333236
+31396139383137666536663365393362393832656336653535626430333033353737633661663366
+65633130663937373861616131353631326135396366623231366131333432326662653365373134
+37303734383038346530393866613965663262373638313536663863356563383732

group_vars/stage_prodnso/keycloak.yml

@@ -0,0 +1,4 @@
+keycloak_https_whitelisted_ips:
+  - 195.200.47.243/32 # DEV-230 - sparda berlin
+  - 195.200.47.244/32 # DEV-230 - sparda berlin
+  - 92.42.192.157/32 # MOB-28 - mobene

group_vars/stage_prodnso/plain.yml

@@ -145,6 +145,7 @@ shared_service_elastic_stack_01_hostname: "{{ stage }}-elastic-stack-elastic-01"
 shared_service_elastic_stack_02_hostname: "{{ stage }}-elastic-stack-elastic-02"
 shared_service_elastic_stack_03_hostname: "{{ stage }}-elastic-stack-elastic-03"
 shared_service_elastic_stack_logstash_01_hostname: "{{ stage }}-elastic-stack-logstash-01"
+shared_service_elastic_stack_kibana_01_hostname: "{{ stage }}-elastic-stack-kibana-01"
 
 kube_master_01_hostname: "{{ stage }}-kube-master-01.{{ domain }}"
 kube_master_02_hostname: "{{ stage }}-kube-master-02.{{ domain }}"
@@ -290,9 +291,8 @@ harbor_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
 harbor_oidc_admin_username: "harbor-admin"
 harbor_oidc_admin_password: "{{ harbor_oidc_admin_password_vault }}"
 
-postgres_listen_addresses: "listen_addresses = 'localhost,{{ stage_server_ip }},{{ stage_private_server_ip }}'"
 
-connect_image_version: "8.5.47"
+connect_image_version: "8.6"
 iam_image_version: "latest"
 
 management_oidc_realm: "management"
@@ -356,6 +356,9 @@ argocd_admin_password: "{{ argocd_admin_password_vault }}"
 argo_keycloak_client_secret: "{{ argo_keycloak_client_secret_vault }}"
 argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
 
+awx_admin_username: "awx-admin"
+awx_admin_password: "{{ awx_admin_password_vault }}"
+
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"
 

group_vars/stage_prodwork01/argocd.yml

@@ -0,0 +1,238 @@
+k8s_argocd_with_keycloak: False
+argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
+
+k8s_argocd_helm__name: "argo-cd"
+k8s_argocd_helm__release_namespace: "argo-cd"
+
+gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private__vault }}'
+
+# https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd
+k8s_argocd_helm__release_values:
+  controller:
+    logLevel: info
+    logFormat: json
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+        namespace: "{{ k8s_argocd_helm__release_namespace }}"
+        additionalLabels:
+          release: prometheus
+  repoServer:
+    logLevel: info
+    logFormat: json
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+        namespace: "{{ k8s_argocd_helm__release_namespace }}"
+        additionalLabels:
+          release: prometheus
+    env:
+      - name: ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT
+        value: "0"
+      - name: ARGOCD_EXEC_TIMEOUT
+        value: "300s"
+      - name: XDG_CONFIG_HOME
+        value: /.config
+      - name: GNUPGHOME
+        value: /home/argocd/.gnupg
+    volumes:
+      - name: custom-tools
+        emptyDir: {}
+      - name: gnupg-home
+        emptyDir: {}
+      - name: sops-gpg
+        secret:
+          secretName: sops-gpg
+    volumeMounts:
+      - mountPath: /home/argocd/.gnupg
+        name: gnupg-home
+        subPath: .gnupg
+      - mountPath: /usr/local/bin/kustomize
+        name: custom-tools
+        subPath: kustomize
+        # Verify this matches a XDG_CONFIG_HOME=/.config env variable
+      - mountPath: /.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops
+        name: custom-tools
+        subPath: ksops
+    initContainers:
+      - name: 1-install-ksops
+        image: viaductoss/ksops:v3.0.1
+        command: ["/bin/sh", "-c"]
+        args:
+          - echo "Installing KSOPS...";
+            mv ksops /custom-tools/;
+            mv $GOPATH/bin/kustomize /custom-tools/;
+            echo "Done.";
+        volumeMounts:
+          - mountPath: /custom-tools
+            name: custom-tools
+      - name: 2-import-gpg-key
+        image: argoproj/argocd:v2.2.5
+        command: ["gpg", "--import","/sops-gpg/gpg_key_smardigo_automation__private"]
+        env:
+          - name: GNUPGHOME
+            value: /gnupg-home/.gnupg
+        volumeMounts:
+          - mountPath: /sops-gpg
+            name: sops-gpg
+          - mountPath: /gnupg-home
+            name: gnupg-home
+  server:
+    logLevel: info
+    logFormat: json
+    config:
+      kustomize.buildOptions: "--enable-alpha-plugins"
+    rbacConfig:
+      policy.default: role:readonly
+      policy.csv: |
+        g, {{ argo_realm_group }}, role:admin
+        g, admin, role:admin
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+        namespace: "{{ k8s_argocd_helm__release_namespace }}"
+        additionalLabels:
+          release: prometheus
+    service:
+      sessionAffinity: ClientIP
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-prod
+        cert-manager.io/issue-temporary-certificate: "true"
+        kubernetes.io/ingress.class: nginx
+        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+        nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
+        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+      hosts:
+        - "{{ k8s_argocd_helm__domain }}"
+      tls:
+        - secretName: "{{ stage }}-kube-argocd-cert"
+          hosts:
+            - "{{ k8s_argocd_helm__domain }}"
+    additionalProjects:
+    - name: infrastructure
+      namespace: '{{ k8s_argocd_helm__release_namespace }}'
+      additionalLabels: {}
+      additionalAnnotations: {}
+      description: infrastructure applications
+      sourceRepos:
+      - '*'
+      destinations:
+      - namespace: '*'
+        server: https://kubernetes.default.svc
+      clusterResourceWhitelist:
+      - group: '*'
+        kind: '*'
+      orphanedResources:
+        warn: false
+    - name: bootstrap
+      namespace: '{{ k8s_argocd_helm__release_namespace }}'
+      additionalLabels: {}
+      additionalAnnotations: {}
+      description: application declarations for bootstraping k8s cluster with argo-cd
+      sourceRepos:
+      - '*'
+      destinations:
+      - namespace: '*'
+        server: https://kubernetes.default.svc
+      clusterResourceWhitelist:
+      - group: '*'
+        kind: '*'
+      orphanedResources:
+        warn: false
+    - name: cus-mobene
+      namespace: '{{ k8s_argocd_helm__release_namespace }}'
+      additionalLabels: {}
+      additionalAnnotations: {}
+      description: application declarations for customer mobene
+      sourceRepos:
+      - '*'
+      destinations:
+      # TODO all applications have to be in argo-cd namespace
+      - namespace: 'argo-cd'
+        server: https://kubernetes.default.svc
+      - namespace: 'cus-mobene'
+        server: https://kubernetes.default.svc
+      - namespace: 'cus-mobene-nsodev'
+        server: https://kubernetes.default.svc
+      - namespace: 'cus-mobene-cusqa'
+        server: https://kubernetes.default.svc
+      - namespace: 'cus-mobene-cusprod'
+        server: https://kubernetes.default.svc
+      clusterResourceWhitelist:
+      - group: '*'
+        kind: '*'
+      orphanedResources:
+        warn: false
+    additionalApplications:
+    -
+      name: keycloak
+      namespace: '{{ k8s_argocd_helm__release_namespace }}'
+      destination:
+        namespace: sma-ums
+        server: https://kubernetes.default.svc
+      project: bootstrap
+      source:
+        path: config/kustomize/prodwork01
+        repoURL: https://{{ shared_service_gitea_hostname }}/argocd/k8s_keycloak.git
+        targetRevision: prod
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+        - CreateNamespace=true
+    -
+      name: filebeat
+      namespace: '{{ k8s_argocd_helm__release_namespace }}'
+      destination:
+        namespace: kube-system
+        server: https://kubernetes.default.svc
+      project: bootstrap
+      source:
+        path: config/prodwork01
+        repoURL: https://{{ shared_service_gitea_hostname }}/argocd/kube-system-filebeat.git
+        targetRevision: main
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+        - CreateNamespace=true
+    -
+      name: cus-mobene
+      namespace: '{{ k8s_argocd_helm__release_namespace }}'
+      destination:
+        namespace: cus-mobene
+        server: https://kubernetes.default.svc
+      project: cus-mobene
+      source:
+        path: config/default
+        repoURL: https://{{ shared_service_gitea_hostname }}/argocd/smardigo-mobene.git
+        targetRevision: main
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+        - CreateNamespace=true
+  redis:
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+        namespace: "{{ k8s_argocd_helm__release_namespace }}"
+        additionalLabels:
+          release: "{{ k8s_prometheus_helm__name }}"
+  dex:
+    enabled: false
+  applicationSet:
+    enabled: false
+  configs:
+    secret:
+      argocdServerAdminPassword: '{{ argocd_server_admin_password | password_hash("bcrypt") }}'

group_vars/stage_prodwork01/mobene.yml

@@ -0,0 +1,500 @@
+$ANSIBLE_VAULT;1.1;AES256
+38393035306261346134383162356566326337666661653966396532303666663037663163396466
+3931326461323966316431316163323061636163653863390a643866376430356463303565366230
+37626438636366626162643833613035373532663530306461383932666638356633613166356363
+3234313739323864610a316136343030343464663066616632633561373730353334383337343439
+33346364376339316535633261323465646661626337383166353936393964333738613736303434
+64316237623236346631623333383835313866323035623364623531306335653334626339366636
+38303535313965613464383534636435646261356231353339653436323639336532383862363162
+35383535633665613464613238653330643666616436643130663666663631313762313733363064
+35316665366136356264666336376361336565313632386663383438626633633763643066636266
+62396435343236373963393565363165353566613830336639366433313635633736366637346236
+30643262656132313130306534366131363138396565366462306236366561346632373837323332
+35653561326530656438633836393133376435643430363633663866633364653034666232663034
+30363862653536306634366237383135636466363231633462363538363465323037333036326335
+66363964326563336135633266333732656130343336306534313334616134346661633133366262
+38326637613730616439316265666335363239616630363234363261636564383539343662393961
+39643338643066663663383736333062363436373962623538356236396364333064336164303033
+33313434643835616362366363346438326533393766393235353835346238316537343666373839
+32616631333236663162323363643333323535386230666166336365343262633362613961653930
+34656330323763373461346464663166343833613066353232633030623130393036383162306562
+66633139303861343965373463303261633633643665636262323461353134643765393930346431
+36353364616533313064613731336438386562626164656263356635303634336434346564626535
+62333132636433396565643836643762663762373637353739333631623434656463643739646633
+31386630663861303934323162363138316266663936386333373730336534653631366261333733
+34373437393964363131653630616330616431643362333431656135386632613034616635663366
+30623536333834353731373831353161343564373239623861656364646238363131386561643031
+32616234616133346637656161326337346163313131323735376362353363353261323239376264
+61626265373766633836643131323135356338353762363039306638346432333162373436343761
+65303437653134626365383562343639343231343265666637343163663232663535346564623661
+34303931343666643966316437306339663466323865386562626266343133356331346665623866
+31653364366662646666316161623237383431326335306661323536663637633938343736346434
+35373738303335376637623466336666346632343938336264663062653833366638303563396166
+33333065643935343964303734303465366465343832316365303231356337306132316563646264
+30363161363739323465646466393435636539663630323634633034336265333064356231356563
+62396236363337633230663634353566653230386366396331343262653762626666363932326333
+34343866353831616232336335663861623864613164333864323938353636366133663365656431
+66373162656434333236376337313830653035663738623564373961636337343637303631643436
+30396138396266663364346337373637623763653539376430613431396535313632313235666339
+39333765326536343034363464366239383935636464373232346239383631353666356533346331
+39663238663431653036656535613131636262663536363332663234363066383262623731386235
+36316133623566633836393630643966343261393532653835386437373937303631643635326337
+31663566316530313238626330383532653334383236346337333534613431646466633832313765
+63613937613537663137663935393337666333346466353466613138333861663064626434643637
+64666361373936393434346463366635613031623263343739303765306539363133353836396435
+64396464303139613736396361343231643937643861663163613736303466306432323762333865
+33383665663037303634376530343630646135623237643865653934313864363936316536303163
+65663964656632333764656464323837623138633964336435663133646234343037313065643531
+35643739653238363064613636373032646337363865306139643437373564303238623431643035
+66303561306333373534303630633461656265333231303731613634613533643264613830343733
+32643564376333363962396436313533666339373662343365653930643131313566623735623863
+33383837316433366562663966353261363639306435313261636165316566393964316438303761
+39386264323562646230616137366164663465363961613863386533376266303538316238373663
+66326438356464633065373139306630626165323664346165326136346335613935393632383164
+64326431656233313036346463303136653237623236383930353033636536653338613033623738
+64366431613363626563376331313736373762373863323563396335336631623732323330656566
+38643636653466616162643264643934373739383263646538323039636537393934626265653930
+39376262653533306163353663303635396666666337663337623039643464383965643234396635
+61613931326633656637363132396563613739323362393538373636373731376231303734633835
+30336538616632333539663932646465633039396133366136323637316163656136646339323266
+65626239666538313231323336386662633134353235663132616265646166666239636338356263
+61303437353930616437633465666534656434303530393766393932353235333532373339373834
+35303631373634636437396633626530316461323863356362356165316533656536623931656563
+61333330623439376137336464333561343961303835323632396265346533336532616135653731
+34396561343562303438376533623738383334646439636634383431316661306435633161666363
+39306336363464646137626165386665633738613932643563656463383031323039396331326266
+66396365346331303436353565616532323637363563653636643934303962386435653533373030
+65323531363830326262376236636236646163656139363430656534336332353262623330643631
+36646539383536393664653932666534653761353966373031656363366138386539326135383234
+32346163366432373163373437323039656161663238326563313530656566343138653238643564
+38396234336332653861623038306663363630623139303736306131643465653237316266336461
+39303932313663383965333434666362373763653637353064316661643939316431386561616238
+64393938306236323736313131616132393631663761623935643065633432306237346261313631
+61656230306236353964363035623961373638333131653562326163303633396539343461383065
+33343237343866393561653834363261353039643032633964373931666461653730613233666334
+30333734383536336635393461626130353735653566633435613332376637383031643935633736
+64353063386230393539643534643932326336343239323564356330323034626233623136383462
+63613066376638643030336463613836313135613732336334613337636161643936333632393065
+65616262343062316465386633636661616331343434386461393936666661636366383663376633
+65636332613937353262653766663239346334666336323164363734653961303262313662336165
+34646162303934643834663261373833666666383031633333613064306466626263646639623132
+39643737343461633536636331393135303132666431396565346530383731643365613461336664
+37373665396532353466663537333833643835383263316430306665323366353830396137343561
+37313032343866633635636135326566666566323436376234336364323330303033323230646635
+38356664316139383233633134396631346232366639316330313436306337306665663534303362
+37356235616465356532383337333530383466346638626563653138626538383761633261363266
+39646264386537656264343766313137313163363732336137313061366336373062333336363062
+35643632343264343530376135346530666531623261393133623435316366313465343561636535
+62646132366139653462656233363834363262646663646463666530383361646461633562616564
+35643632376237656364646662343866663131333266306639623538356361653635316564616239
+64613031353236663136303763653634323562343164353636313938626139366466653665383830
+65376335396531613166303130366437386166363034336337343833643037343835643230636536
+37343330373535633233383139356437383465653561616161653838353364643264643365313964
+34656261663962323639616166623561316130336562323333303665646230653537626435333537
+37393965303265373437623531396534323162633661613132633339316337376234333666363738
+65386632613965343534373733346535303461363130653665396263386337303534643461616465
+34613636366231303930326266663261623161373634306263376332653136636332306532346639
+64626666363634346639653835386366383138396665653234333539323536316664613332323161
+33396463303330333031623938353533373939346535393961366139613634363738366138356437
+30633733623564633134383366323161613064666238316565626362353935643363616338393562
+35383939306666373438663837383137316263313665666637376530383065356638386636343863
+61303635663434393538323639656132623562373062303030303030366636393261333865313636
+39646136313866313830346630643133656561356162616635366236396136373538306335373533
+66393034623535386537626636336531376138326232386238326635326638353734646563376665
+38386534643063313565363364393766383635376132613736323165326131396364346665323765
+61343137663365363365333534623338643263383733636661376632623938636132356231666537
+64353134613862323531353066333635613133656465326230346162303031386561666664343631
+65316531613863363735393664656536623236636465643737323939633839633833393364376138
+63363437653663633135653838323962626361663163326661616439653934666238613930386265
+38383732626333393235623638383764396665653230636431633361663531383561326562313133
+33626338376464636534346166626464363566343936323436333938653335396563363930336533
+61366461656434353532613363303438376639653935373266386465663434346635303563333435
+37656263376435333038333233646638396436663432303563323236393330616131643662653733
+34376639353939393838383435663934333064633132373363373065643939336633633461336631
+37343361306531336362643735343931613865346664323433656631363335643330353437343733
+36383130336233326335366132643534373764353930376530313934356530303632613539326665
+63663330346262376333613431613334656466393436353132373030333636363234363462623866
+33643136633437376364313539373736363962633938306663303564363836373031623133343832
+66636366366632666566353564633838393262353166323464383331366162633561623939373766
+30663034396539333236393130613534336238333761343164636231306661626264316331353432
+32366263363137313961363337626335366265663263303361396336333034346632353136386165
+30336564643335633264383362396230306635336362363464633631386265303562386261353066
+36303634333336373761343963353733633632633962393336306663633862613134396463656237
+64363464383337663133383965316232666561323864386331636232396138656364613062303266
+62303236313863346662336161306264336266636431623238306530636164313866313939346265
+36613564336263313938333030633431663564336438326438643333313865343738303637333436
+33633239346563323764386639313737383736316134643662396433353338663936633931313430
+37363733616534363264333437356635303935643431633335633538623631326465383864303237
+31353663306366653333623566663266663130623130393665363834643561653961346464333264
+61363631636436393236666362613130663037306330636363623436353861316363666364383264
+66383435353239376331393937343235366562343433306666306365646330396133313035323165
+32373831306337373236346361636465356363626138356161366466373734653465663230356532
+31376663313232333662346530396639363334353330333830356235303430646539316366323863
+33336436343066383564376132326531376266373730323535303066633532303663663638396630
+66653235643937383366633764653234353236623133346530326433303534363963356436353565
+35303332316464343866323361316438303538643935373263663131643237396463323137326466
+38313162653863303365363235623537356530393531633862356465326436663763316436313434
+63623763393532653934346264313039366461643238313336613639646665353030313830623435
+35376533613837343032623431343564343564343637343862656137396333356364363435346662
+38396534666663626131633835613637383434616431303833653334386435616463636562366164
+64333166616334336365376666303162386630653233656337336436653365306636656233393037
+38343161376466656563646463363664623363303035613661323361326635393232646430313534
+35303663323662373134633162646436636233333464393639343034616364323862366139303336
+35636533393137333632633262376263616338323638616164313838363865656164663861366431
+65343230343564656533616334656234306432353166323564653131306434376134303632386138
+30336131353437643663633864303439316232373861376565396664636266613966653334343732
+62623861643038623234393431333434363330346536303733643534643666393933353335613664
+37666537633061343035343731336665633330303930326263313231356238313964663134656338
+63653731333861666231666131643031346238373038373833613036623463396362336564633465
+31343565636236613432626237636433633830393934343662303232383431663764356634626230
+37326439646132376230363266633437396161313566316562626332326132323334636339343534
+35303561666239643434366637306165323463653264646462666636323361653635363834663464
+35323961383066376430613130313863303338333562396663623361353235336533313630373535
+65303863613932636164383764366330396431626138323966376234636265663734616336383334
+39376436643362343262616230326366303634626131646564343364386139626463623765653934
+66663930323137663061383539663738646334313138363861396337663366663361323833356231
+39376165333133626337303663303763366331306533666135313134646466343166383435663837
+38626136653430336266343339386238336635656266353866613831376561333832363936653138
+38323131373338313065336166393832343236343135623635353966643733613339323934376638
+30666430383066373930613237313239356564303061313430393032393933343561646635393465
+31353666623236613139346436613238396462636335363434393837303464333166353761333437
+31393438373063336161633032623430663539376334373066626163316635346666636136396264
+64343236343738636137613933373739396636396366626463613530646434646466633830393334
+66633435313732643831356639663961316266636535383735353131653834656433326561383934
+63366639356264626232373634626130613035633432356534316432653262626637636665346639
+30393936623762343663316237613465323565656336363264353363633662363165626539363238
+61313461323835336531316231616135363635303566616663613531623730323933623462333034
+63376435346465616661303662636265346465663065333263373530303234356134643238323864
+65613765323165333062386661303863373437633463353231333061396234623935323135383434
+33383533613530653235343565303562656165663237336162613935633061376236646564306665
+39653030373938653566393933313832343738383232666631613137356165306664383937346261
+62653565386337373966666438303566613065373737383937303031626266643933346335303234
+65363463393562316237663130383665613635393235383830656462353139646332663835313739
+30373535306265623230626137376561623063663037626439363834303531343839376130346233
+31663266666132333366366634333964366563623261633938653564366666326666333565613635
+61613135373466626465646637636666643363613432353165613834626561326433643863383966
+37366633363565656632333262363764363338613063636461663063353634373131636232656339
+37623030656562316464656464343337316138366336376436393830356434333731313366313435
+35366163366161633965363263626362366163396132383939613463373139306634386162366231
+62353563383466363833326264613731376464356336643066616562323732326630396665313364
+31346639333561376564353437323765336132373139663262373263373264633465666631366139
+63376466613466623131393038623039396330313333663939623663313762653561386530303165
+66333565653938353135353530326132643564336532626433633535653039306332633731366635
+63613738353163613535306464303336396165306638366561633833356365363432383163646166
+35613465653535656632666565636433666261313938373537623936336562653732376434636636
+65633761623939666138353964616537363837643263386666613163303039613737633265373265
+36663736636134623431316264383430643331333839306132643631643934303464303762336637
+32393263383833373865323439373837623035393633393131666664323566313633653233343361
+31616466366564303662396561646364313334356136333332343931653132383130333365663762
+38363336346664353766346665343962336139306432616536323336356431356662353164373436
+66613463326639316361336530373337303564313139323061363136353464336665396334646333
+39383937623839643539316139613663373832393139386231333164373961633834623635363735
+64616366303739363366653934396535633361626138383633633862633964306132316333666530
+66623135643033393538626639623737323331363664663563646464326439636335343037653165
+63646261303764396266346362616561393738386136643866316630373538646331643837303930
+31646538313961363064336166396166383938643335653862383166323532353461666461383737
+33653337353637393934333566356261323937336336653830666164373262343065333261313936
+30333362316137613962613666313938653533633833323564366332323866366635616166623762
+66326235313630663162333038623765633235636565303166373337383138666334363334386663
+32326333383132373966663530663130373263343662616237323435343566636230626639366163
+37313237386663653636643031303464386336306439633866306363353739333733663563663937
+64363062396565346230633331333039306466616264306630333032323566366431346632643263
+39323734393031326666313861663439383664343534306639616165313065613163393632323937
+34313939653038316436626139663566643837663838633866616637356231666161393263396161
+39386433313730323237653637623839303732366531383637643832633234313866333633303563
+34336334393630313862623536303035663532343137316266323931353462346634613464343761
+36396166353739313664666535306233623831313630396231396638623838373736623764643939
+32333838386535633039326462386535386637376437653138353834383266313432336332633034
+38633061376439383163356237316639653230323634383238333539396435613661626139643938
+64313132326633303266613138636436616337363263626438343832623064363634646636333131
+37306636333362363230356661363935623032313533313366663764636364363834373236653665
+34396266396334336435336637666631616166646164383032383861383464353531356439646331
+33633365663836663634636666393636373831343831323166316636363365393036396538646533
+66396438613266373266363035363338613130323734336538663564646537626662616135346334
+31656439343133643563653866393033636139623265333435373538373136343264666433623232
+63383738353736383530303561626439633634646239326436613937363038353030343239363062
+63643739626365653832643934623366373936343139363730633434303662316637616165666538
+39633563366365346439353130613937326530626231656638666561613933393338313266343961
+36303033376361663339363430653965623566326632636637373830366663643039363863396164
+61323765353263383862616238376135643235656130666564663065616538636335643939393862
+62363330383632666561333634666437306230333362356438363964376465383335383138656435
+35393139623262346162666364313434633061656539623931636636353364346361396134623737
+37643130663031616637633137373130376139666434316364393132666532666339643439636330
+64626639376338656333623132663335326132303065323865313132363136343434383734356564
+66633137623266633932303730393637613538333932306535623065353034373733346138386338
+31323435613139313162613635303337313732376535376131393735366334656465373831343865
+63626531653130396239636166363763383665353037376236333962306238353531646265373335
+61663439616436316563643533643165656262646162343462353966623734663031623636393235
+35646435633138363131376664373663396239626132343165393061366366343732653734343938
+35643465663835656434633862343861323431323164366665643832326263356334393366303337
+33393136326563353735343336616338343165663532623036656666353432373237356334326339
+35313732313135303963663733313261613236313732353262346266333566306262316437623666
+65306532383565313337386661323332613164313664323639383331663534616130616361633334
+31306432373363643733363038666233366333373432313336316636363966633739373838663537
+64386463626561363563393864613935306434653934386531323330373562616130613263633734
+66663539633732343665373534323438356232356238343434613163383233643163616138663336
+34626531656566383764663262363736306165333536633265353133333363363935353031356262
+63646530316162336232316333636634666165393865353462653338333834383764333539363231
+64623731333063656665623466633834313030333964643138623837666232626365623035346333
+30386233376662306539376631373234323233303633313462343564356430303432333864613731
+33386534633163386330376233313739633336373735383238643834643666633363653063386464
+39373133613633306537636332393236613231363466626662613537386530666665366263333366
+32653266363964643862386634313230323661373366366236376136656231366432623732623965
+63396232663439366261633165383161336431393866363238333137313361613736623936356164
+32623531353062343732356461616138393163306661336165396162636263666638643535306334
+62326130313034366431636130346134343039613637376162306431623163343263333432363561
+62623733386464363736663061653332366434643838363231396535623337663439623265623339
+66643731393137623163633633613431323136373865306537356565616530373366646134363733
+37343339393636386361643230336634636137366130333163663236623063376535326166336135
+64353163633137373761663365613138656638656132376563623334646639316432363765656434
+30353465353537393439353636326537636133653132626537353665356235376533653733363538
+30363636323831346663356161373032613430643833363762373662306334323933323262653539
+66376632313430663365666534383565636663363033373039356430336363323065396664323461
+31616137346530663163613239346363393730663564636261316335333431666664633338356562
+31323431376238326265616265336461323037376636613064343836666262626132373539636539
+31613263653665396161353738393161653163613939613963306234643339373134646565396335
+31336333636639336663663966383662326661303631646165326662383330306430353136383463
+30316634316162663430343037393236656332313134343134383262396265316634396531643738
+30666333383633396361323765323961636565306338653530356237626138663765306466333836
+33653762306163356163613163376164386633306635353439626166363331393535623434326464
+63303130316432363265613031303738643566633230383436313661353565616235323966646635
+37613965353432303966623234643363373135346364623335663633646232366532613135636430
+36346335366635656635336538386238366533656562623732623865383639353737343266363662
+31343038313730643464336239613966333934633936626662316131633738383237346232666635
+32386434343561343864623361616334616463316163333962386237633337346633626163646534
+32613034333433343236626133353265363962613861656532366537613837366332316531303362
+30326639636437376163346664323661656530646238633861666437656366356564666566656235
+62326536393963353733353336613839643431336134636664396462383763363237666533636165
+39363636363736313764633761326165316131303539373536386139383666633338633235623535
+39333731613330343130333663316530396630316339346332313131643531643032633235316638
+31383530366539316634656139303133383036383232323134663963386538636262343939353837
+39393666326264616434623462353561643938333433626531393466663230356531613635653434
+34353533653034343831383030653331326135333634373037353666623031383538376535353762
+38336262303665353038633638306638616364326564333239643437616531363663323235353935
+63373739316264653239326236333562656537376332333135663163636335643835356233636330
+33646330333632633939326534616163386264643630316333623134383736666432653835313965
+61366565373133633039343938306166636264383564353262343066613933363365323233666233
+36313234343865666634656362626466313631663237343463386265333338656531326665653235
+39393264663832363830346434386465636561323935633639383634633161643733663431363637
+36623738336136383365316334313835363333656465353065653131666537623866646336643166
+35373030646165383739326563383236353863376437323335613862626336623230626439613465
+35616633376135316464613765333132623761323161643639333731326535316663346562613733
+37656336383664326338316137333639393061386462646336303936643736663339663932626365
+30396465663938333336363461393636343435336536356664613734633135366666623861643064
+62396666666233366663326161353065636535366561666362653937306538623762353963613634
+65373364666363616263383166366130316339373338313231383637343238313731333735633031
+35646336633464613133613832343339636338376432646336343463323839313336393139636663
+35363931653165316330616336646230646166303966363634636637383736656439323032383132
+36626562363236663431353733626464643230343636326237323038393130613337376264386161
+63393563636532353833366539376539373837386566366261346338393964646264396232386439
+36333436646634666539643036616530613964616238326262383530386430373765363161346461
+64386365376131363139613334356138316533626366666137316166383636623963316662333464
+39613133366232656230623538343163323763333931303133656363666362376239633938663230
+34393032393631313937386336313065656638306237353435336332646163343330326332393136
+30363038386566613938346262656630653365383639343330353762306539636263393137363366
+30393136343032316164663631386163393639353937346637303565643665653038653664346466
+66303762623837336538313130396638333238653737643439383662396239313338386132613835
+38346336316635623030633863633431303462663563306632323930633731623937663761623335
+66353733633236613432353031353462356163343364393563373236386338393736346438383865
+62343735393861393463363064643337326136346664396430313839616438333337616236666136
+37626636346163666639346435373036333962326137646139336530393436633335306235626132
+33313930313531643931333331343664346131663433313834333033396361653064396439346262
+34616635366237376434633937653865616136653463646339646137363365313530663033316464
+37613133383861366164373464326335386432653563663562316635353533626562393532616631
+38666338643135343735346232656561313638656537393231383635343262643530353438376566
+63613062396234313639393863633765393966383838326562643539316336653937643238356633
+61366235313964346262383365313366383564613732383064393665386133323538353032613662
+65376637646263306431376235336163373931336635343633333432383832393932323463366363
+39393830666161613939626237666361323362356332396332393765643964336433356261363930
+34643131316437303634653565386633656362636663336263373362366265646133366561353433
+34616562353030373535326265353537363438353930636135303037333566363030343935303134
+32316231363538633662666337343564373465623739303839373139313734343831333164303439
+39326433643861393330643530636530356531363331663934646332623535393066323639643038
+61623664363966396536643330653636633733333536646666386135663739373538336262666661
+33643161623132623632373363353536303762613361666361303164383363306533323539626239
+66643133343864626634363062373365333238326265376330643932313533666564616266343730
+32646637316364373433373236646334333964353664653133616233663062333864353636633063
+66643464636466333635316635333865643635646331343438623734613865663338316336386536
+37633337313266303461653661356564333861373732613730653036636331303462376363663737
+36633438393034643932626533643330363765336537333562643035333866396539636234386663
+33313632323737313536366133356635323631636131306335616137643435363433653633323264
+39633839376366623466643838393334663565303632343433623562323834326132613665373162
+66313061303465613062353238623962303132636231616530633832303634346335313566363964
+34323866653862306261626531383363313438616265313532613965613139663262336135656631
+32393662323661633233326164363131303163393463366533373334633864633862663463343832
+34316261396533663733346437623837313538653236646162383161346261346563383534356561
+34663336376465303561666232353232333234373163333635376237613234623836323035393461
+36643634303337633033633730396262376164633639353963333034633962636637313538623262
+33613461353331336430376537623839323764633666306236356538326164323737633865613663
+66393132363562653666303134643263653165333939383831336232393838303966613133346135
+30376464373431303963383832663364316130366531373637653834643437313637656662343834
+32623932626164323239313132383562383933353430353330316434643865346662633864363335
+35633163333236343137636534313964666463656663333232303639336163386336633764386431
+61313566303131633162333539376333376563343436323362623661343164346562353234306138
+30343937353331623436356234323430386262636635346131366462363334636661303962646364
+62613066346163363766646531323239636136386664636562393564643261326263386138376661
+62323261393264383136366330353435623139616432333061323430616462313034356232323664
+61623532643330653530323735636532356335303637626139303464663734613233653037343533
+30616237363163613838393262386236323565646636353563373339333534373833613762326132
+34346230303032366339306430346437326536303139396238383165326530613061643563343265
+32326534346631303062313465633232343465393937303262366131633839346465613233333436
+36626663356461326338616637656336383332353665396133383666343664333535653634333037
+36323138613438626530313565313733613166373563386132663639323539393366623338323663
+38636137663732353739393136313338663764313338396634343332306430333831353235626565
+64663938643964623439376261346665653062613735663431653233373037646132636262346561
+37333962323231363466636532303639643031653733663464336433646163316637653430386339
+37373037633564353563633762303263623634376238306361636263373462626431383730626631
+62303438613437336462373437643631373039653534346265326266666632356237306538396634
+30353033393163636239393663303431333335343436323563656239396132626136373961613435
+66633539643638363734616162393934643061323261333962386531323933353463333433643932
+33656563333761653662373335613839356634333532303633386237366234613138623965306335
+38376635633332376137643366356339623561336361656563356265343133343034633536383035
+62653864366330616365623930363666356634333461373235303364326264666362333462626137
+35396436333533343138343239363435613061313065613838383966373939643836653062303965
+66623634316131333735666432343830313937323864663330643436616537623132376162633837
+65626631653962343166303338646138666564653261633631363531353263386337613836363064
+30396635626566623235643063313735656534646533333836633933633235383163313166613635
+38616531376534363562316665643764313830346336613530343632386133343039643064633764
+61336133366232383539653466386665373666356131623165616166393536333935326631343862
+38653938336464376639636664363034646134313762613930666261363332623837366630376230
+32313963373738323639646661306235666437306330633465393234613339313064346661386661
+38613437303936343537613163393837643166343636326335656536396335656564366437623535
+66666332323161373430333735336230396234326230303336366561613965633163336336643266
+66633766353831626439643161393835643636653564613238323333636265643564366237353335
+39656262656237353864653338663334303436323066373839663365626563383066363634396238
+31376662663066303364323639633634633136653134653666623234653239373064653262646130
+34366565366666323037633738303237363465333232346536363466326238373136393363343166
+65626466336639386139323166616336346537353862376536643562636662643531353165386133
+37376332343333326366303761346639393261323534643965376564353032663861353437313330
+63633961653730333863633034613338666335306261333762333132393236353331633338356539
+39306533336265646133373065643238386538313238303830643837386137316461323363666433
+33633562346465373463383264613163643630363862376566613035643961343232333331613938
+34643662353965336364656531303839313266663061356338333963323661376464623134356530
+66383732643265643366623265633331366135623934383133303938373131326163643761336135
+34626466346634666164393038663736616234303362343065636239356531616534636161653364
+62656631666534333739303231633862303330333165353736316366636461623932623138633564
+35626165656234626666666330323837383433613266656236643731386333616636623733613831
+33326262613161356638346664393230353635396234363033656632346434386261346262626335
+61323265303737386563353335633131336230336266353932333761306435616362343335613939
+33373431633261373135356337393838626661656433643338623361643362366561306338343336
+38376466613034366633373233326562373832343232636362313630323861363034393362396165
+31356539656462376530373362333263343561383834643265383261376233323534366133323762
+32383038333038386433366334346431333435643064663566356266623237393533626431623361
+30306534366530363865303039643032353731343334303435363639326632626239633062633562
+38323539633932323332646463396165633333393738663730396237373864396634643035333734
+66366237623330663335653162373634613565633033663566643964373436313533656566313934
+32613736366235396237326233393532653433616563633364656365303364623931613561626238
+37306537373330366231613231353835303834643066666132343332613361656365626432636263
+64636237353766663833366339316631343939626137633138616335633139336438303038306339
+35623666353939316539346333366631626433303332356465656330323964336463373737303638
+34356464303437656364326266623134346237643061623365346361363564366134323164353835
+65396232363931316339393737616264333765323432383833383065333838343331363934666334
+64333164376430343734373362376130613433323465653132313665666365306663323166306239
+31333961613839646466626663356235383361656462393238346566646637323438326335386165
+35363631333332663332363434366530616134663663346537346434343666636336646665663438
+39396235333434613932313539313833333666353366336263653137366363666530303632323865
+61636261353564396230623261613965353530326533336634393338393438343863396266396234
+36653731663035373466346131633038666165616633623566383336366264613061353934653737
+31383734636231633335373465633236373236633133316364656462396566653539656130306133
+33363266653766656530376433393738313331316565653930646266386262383431663236323161
+34666633653064303835313864343736653738356333346164653433613333336434663666656235
+32663131346435383037653335373061633437353464306164623938613737366337373133643336
+33363335356134303561303763323635666637653639636435303162366562326337666139396463
+38623531363136363132613630373036633431393433626432326439376565323634653531383036
+33333030663032306132383661316661633463633163616266343335363061363434376436356339
+36623834613663393566326132336361663330333836613633663239306636613032613039633763
+30303530313539666137396332303437393735333037663461313863666235623039323638396138
+63353264386530646231326530633562353737653762393538363232653439653264363162383362
+61316564353733653463306564333931306462373037346338363863333736363532623932343262
+36653365373438666530313162386338646338633364396636663137336338633735396636633034
+34356638363633343537623565353562643335613361643737356264363535363662373032613865
+65666335343163373134376233316331343336383334613130373739343161663361323039353330
+39663939386431383134383263656434303464313639663438663237666463643063383130616564
+32313266393831396130363664336438623939633261613138626135643739346165363336653637
+30396461643131656135353131636462376365333564386563356230393939316530623134653336
+61306363396334633035383962306262633836336165653639356266323434636634363932336634
+32656462306665393031373539316531353733306134636363383237653261633265363339646631
+61643764643235666339353963623630666339623365363939613639343262306666653033343064
+62383264393762666165333937663164643861303661396264363333376635353834303266313533
+31323132343333303630653033396563303938386332393732323736666337306233653136626662
+63333435616239343662366530353566666231663232626266356536303137303464643464646465
+33363461393064666564323761346334643134643933373739333863373964336536303766663932
+61346132333261343661393138623939626236376230396131626665636562623739356433663165
+38616265316538656363353933383762623761323564376465376533666136363931613035613137
+65373034383236376531616162313566656634323564633639316330373362313034646431323738
+61653331616536623538313830383533643361356435643861383533376436366431313032306664
+36373038336439343666303536336264353838383530663132653434373132333130643035616134
+30383530626337393030613734383231326566646166336166393134333965373563313430326463
+64656239366437323261663563653265343862303462653362313435303263663631333964336534
+63386133386639353666633765636161636538343432633133616162356438656162393565323636
+37633137316239363464353732333765353831646364653466366437323633656262313930626639
+32346536343432343837373635363263313032656333633631613461393366326566386436353837
+62323331396636653432303734643966623162353336346362343862353537613764323265663164
+34303138383237623234353364373030353261663237656431653637653861343532396165366136
+38366138353936306132343765656163663863363561336430373736623538396135313039616538
+62323363336539623433366661393936346161353366366235326635383764333666613135626339
+66643561396663656562336665353135616563393361646332666632616336373061316532616465
+34323966353031613631363734316230633266383638356239383262343136663030623830343263
+62666339626135396338613033343562623737386363333566313466333432626433303339613433
+62393530653536633333326335353831356439386537383039623965336262383431616239623230
+63326430326533643834383233626539396236306339616262383631363765626632396630663763
+38306330323663636136626534643637303066643866393033336436636563613964343835643633
+32353263376333303537616363643630386632646537613063633162663637356131313436613431
+62306133383333666532636437306264363961663261643133386530623564313366363237626137
+33306635386564643562353466343136303130663234653938653539306134336363393430613635
+65346263323734323234653832333066303236396634366361336630306231386431306438333264
+64643030613739626363663064343066363634656233313232383564363166343766313961336635
+61353361653330333239343761663764353731613938643138396337326330303939646233316136
+33623561613366656532353932313835323339373565633864333538333036303566393537366134
+31353737376439386130643066353364356363626566626537343038643465613734326237656535
+66376365656433666164353836393230633864326535363239666530663061306161326361343532
+64633366323539316532633839343066643934613363373530613463656366346138666131333236
+32653636663463633632666234386139633461336539326261626463613633656665653334663162
+36643231613333323232373639623334303033326533313663613739363730353863353934336637
+63326634343332383939356562373636646535666432646664313266353532663637613539643364
+33623463333536613566333136646339663761643066303736643239663439323439626534306439
+32356338363163343463646565613539356562356566383861353033383961613233663635666139
+64333231623030313161393264316462346264613933653737636439376563303765396533383265
+66383631353931383830313234326461383265356561616563643638353332396236343031383234
+31386438666361303932383435643461623734313163633632373937366137333939376133653064
+65336364323264646437363236626233376365306537323766613931616339396665323563343661
+35613337393334363931303537396637316137343137393963653637383763383830323762383062
+39343031303730613035383633323634323833316335653336343165636264363536303462356263
+37646438396232333661626539333738343732396139346334396135396234633161386264303038
+32666636626137313564383635623761363931323261346331636632623731336166646262633666
+32393534383561656438393161326661383939663835633930383635653236636136663665646163
+33393533653363356163373461616135616630653866343139643137363436346138376530363135
+35356536343863643834346666613831653161323039653637626662343433366363393831343038
+33313162643730626539663961636434386533356631643062333434383762653136323266613561
+64626138363466373662386162323865653738393065373063346334393431613132343663303336
+64633461636432303433396562656164313933356261363364656331623038393430376437393236
+63653031336465646536643464326136386666373037633137666539393634383432623631643962
+63323063363537643437643835626562623466373830623136333761636538376235643633333939
+31653963373234343762643234656332623561323334386139383461353461656236346361366565
+39383864396264386639626631613036666632623764646637313563376536313665373330363662
+39356261616632316163636533376637336537643332663336643831623334373731623032613961
+34656236346237353237653737386131343166303030313263366231376366653338663030343235
+38643533613732313562303133616165316431363562643530316635633464663236363339323533
+38316562396533626633636630333365653731626366356335333136396136613232633138393861
+38326436323433363838396363373334333064393731663733353439373662623839616666303833
+32356139383735373832643632383931646261623830636238353963373933643739346463616534
+66656663343962383131646564646163656466356438653732303062343166633463346131313635
+65613232633161313435626466326538333364313764373963353766633839626164396134323938
+35633164666333396536323566663036626134376432656565336237356130643236313133663137
+39633036346433653636656134313036666633393766353662313830663936366534626661356533
+39343832653535653461363839616433376431393833613731353539346464333663373739333663
+34303531303435363966333965373632386362383439303062316539646539396438306630316332
+33613963656364626130633836366331336536323965613266616564376362643033353830646266
+39323963393530663133633238643530356566636564336631306364316431373164306262373132
+63346135386235353962333331396263663637376364343330303163663432643765653966326338
+39613561356663653338653430616564366138383366356435366430316432346533653766383232
+39663638313637323966616664303230303933633937313062613230303930616135323464343536
+32386564363938373630306539323639363833393834313963336630623839383935323733343566
+32656266306134393461303338323361613139373931623039383231633964663863623537656132
+66663062633636616638386337383664636634636161616535356539646236373461323039316238
+37303535656331336662663566653133336465636466613631373364393935363561343937303030
+37343631396539373937336135653066376535356162623261353237626265643035333737326461
+63343130376465353331616164643836353266396265663839353331633830366438373866396334
+62626330656338393035636163616361383432353536623231373031376230663834393036653237
+35383134376361646464373632353664326134366232313539623733373630653334613338336233
+303733343761396532386366313439393063

group_vars/stage_prodwork01/plain.yml

@@ -0,0 +1,218 @@
+---
+
+stage: "prodwork01"
+
+hcloud_firewall_app_specific_stuff: False
+
+# TODO read configuration with hetzner rest api
+shared_service_network: "10.3.0.0/16"
+shared_service_elastic_01: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-elastic-stack-elastic-01' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_elastic_02: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-elastic-stack-elastic-02' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_elastic_03: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-elastic-stack-elastic-03' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_logstash_01: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-elastic-stack-logstash-01' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_harbor_ip: 188.34.196.240 #server in prodnso!!!
+shared_service_gitea_ip: 157.90.169.198 #server in prodnso!!!
+shared_service_pdns_ip: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-pdns-01' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_mail_ip: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-mail-01' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_pg_master_ip: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-postgres-01' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_pg_slave_ip: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-postgres-02' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_maria_ip: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-maria-01' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_kube_cpl_01: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-kube-cpl-01' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_kube_cpl_02: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-kube-cpl-02' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_kube_cpl_03: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-kube-cpl-03' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_kube_node_01: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-kube-node-01' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_kube_node_02: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-kube-node-02' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_kube_node_03: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-kube-node-03' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+
+shared_service_kube_ip: "{{ stage_private_ingress_loadbalancer_ip | default('-') }}"
+
+shared_service_maria_hostname: "{{ stage }}-maria-01"
+shared_service_postgres_01_hostname: "{{ stage }}-postgres-01"
+shared_service_elastic_stack_01_hostname: "{{ stage }}-elastic-stack-elastic-01"
+shared_service_elastic_stack_02_hostname: "{{ stage }}-elastic-stack-elastic-02"
+shared_service_elastic_stack_03_hostname: "{{ stage }}-elastic-stack-elastic-03"
+shared_service_elastic_stack_logstash_01_hostname: "{{ stage }}-elastic-stack-logstash-01"
+shared_service_elastic_stack_kibana_01_hostname: "{{ stage }}-elastic-stack-kibana-01"
+
+kube_cpl_01_hostname: "{{ stage }}-kube-cpl-01.{{ domain }}"
+kube_cpl_02_hostname: "{{ stage }}-kube-cpl-02.{{ domain }}"
+kube_cpl_03_hostname: "{{ stage }}-kube-cpl-03.{{ domain }}"
+kube_node_01_hostname: "{{ stage }}-kube-node-01.{{ domain }}"
+kube_node_02_hostname: "{{ stage }}-kube-node-02.{{ domain }}"
+kube_node_03_hostname: "{{ stage }}-kube-node-03.{{ domain }}"
+
+shared_service_gitea_hostname: "prodnso-gitea-01.{{ domain }}"
+shared_service_harbor_hostname: "prodnso-harbor-01.{{ domain }}"
+shared_service_kube_prometheus_hostname: "{{ stage }}-kube-prometheus.{{ domain }}"
+shared_service_kube_jaeger_collector_hostname: "{{ stage }}-kube-jaeger-collector.{{ domain }}"
+
+shared_service_hosts: [
+  {
+    ip: "127.0.1.1",
+    name: "{{ inventory_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_elastic_01 }}",
+    name: "{{ shared_service_elastic_stack_01_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_elastic_02 }}",
+    name: "{{ shared_service_elastic_stack_02_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_elastic_03 }}",
+    name: "{{ shared_service_elastic_stack_03_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_logstash_01 }}",
+    name: "{{ shared_service_elastic_stack_logstash_01_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_maria_ip }}",
+    name: "{{ shared_service_maria_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_pg_master_ip }}",
+    name: "{{ shared_service_postgres_01_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_harbor_ip }}",
+    name: "{{ shared_service_harbor_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_kube_cpl_01 }}",
+    name: "{{ kube_cpl_01_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_kube_cpl_02 }}",
+    name: "{{ kube_cpl_02_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_gitea_ip }}",
+    name: "{{ shared_service_gitea_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_kube_cpl_03 }}",
+    name: "{{ kube_cpl_03_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_kube_node_01 }}",
+    name: "{{ kube_node_01_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_kube_node_02 }}",
+    name: "{{ kube_node_02_hostname }}"
+  },
+  {
+    ip: "{{ shared_service_kube_node_03 }}",
+    name: "{{ kube_node_03_hostname }}"
+  },
+]
+
+# TODO read configuration with hetzner rest api
+elastic_stack_network: {
+  prodwork01-elastic-stack-elastic-01: "{{ shared_service_elastic_01 }}",
+  prodwork01-elastic-stack-elastic-02: "{{ shared_service_elastic_02 }}",
+  prodwork01-elastic-stack-elastic-03: "{{ shared_service_elastic_03 }}",
+}
+
+# Note: all dollar signs in the hash need to be doubled for escaping.
+# To create user:password pair, it's possible to use this command:
+# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+# TODO should be part of the automation (htpasswd -nb traefik-admin traefik-admin)
+traefik_admin_username: "traefik-admin"
+traefik_admin_password: "{{ traefik_admin_password_vault }}"
+
+grafana_admin_username: "grafana-admin"
+grafana_admin_password: "{{ grafana_admin_password_vault }}"
+grafana_user_smardigo_login: "smardigo"
+grafana_user_smardigo_password: "{{ grafana_user_smardigo_password_vault }}"
+harbor_username: "{{ docker_registry_username_vault }}"
+harbor_token: "{{ docker_registry_token_vault }}"
+elastic_admin_username: "{{ elastic_admin_username_vault }}"
+elastic_admin_password: "{{ elastic_admin_password_vault }}"
+
+postgres_replicator_user_password: "{{ postgres_replicator_user_password_vault }}"
+
+mysql_root_username: "{{ mysql_root_username_vault }}"
+mysql_root_password: "{{ mysql_root_password_vault }}"
+
+netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
+netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"
+
+kubernetes_with_awx: False

group_vars/stage_prodwork01/vault.yml

@@ -0,0 +1,467 @@
+$ANSIBLE_VAULT;1.1;AES256
+31376136303461393238366661306362376566633162656530663632323931383566356430323862
+6238646639646538623030323539343539373536643932320a386165346361316362386234613435
+37663364393734356361383138393335616134633832376661303961326135363238343437303562
+3138613734323033340a356665333063666231643238316239353436353062633061306634346463
+37373334643530623030303062633862353431666433346266656664306561663565303337663834
+62646331626163643136343066383465393265383634313632306264386334666235336133393731
+35373836633462353964383265363634326264646435383461363362643162356466613331306362
+35333764323363383961373664363566346632653534373763333561633336393830323961666632
+65386536353632373766626434323338356632393635663736623333353033376161373234373664
+30353133366233636439343166323332366561633262383835363663366132633130346331376663
+65343166316464636363343331383734393062653230626435356430356238663634393333383864
+39623831363962363161613834373434386565636137323361643730356164393365376662303764
+38653163303734363333623165383037346466646231633464363131323963363734326162393736
+66343639383161663734613439613736306334623962663765313166383262346661626630313364
+65343865363938613730616336323965653762656636323363316139323466613832373165616136
+64643838633239623762636531666537636435336331376137323562306666313637663461343232
+63656632376237396233363532643334666563326136653435353136653963633761396638633266
+38643262313138663263323164373064636364646431643462303036643033653566663835383435
+34653137323365376466373833663238353537666463623762373837316164633030366138376165
+30336532343961376430326662613434663932633361366434383136623731326366326439323138
+37663630346631663565363831663735366432326335376566383232303562363537376339376262
+62336331653439356537323138323162623230616666343663643961356262663839626266363130
+39356164663733366662393935393164373661333263663933373439353263303036643033313361
+63333862393136633861316662353030353662633638643330343234383565373232633161353561
+64363164633261386239626539363933353332396636613235353533393833626565633739313230
+37363534653363353633653765353263343832633764643937643366326261323063633965353536
+30373137303534633832646166623639656664633032356135336163373134323337343261633965
+39653264653036386463313539363634623531653064306635373432653464306532613165613463
+33623261386439353437636666326430656437346639663236643338393735346261633230376538
+36313637613539326662366236653661623565376137373065353232636563666230363562333365
+38666137613266653461353739376136316430643931333462323432393263666630656236383937
+38363131663062343830363835323033663036356266646534613038303166383534393465653430
+31323161633438663833313737373664643236646635393964393262316331386461333263646330
+38333366373537326264663333633334303935353535663038343938613831653333346365323836
+31356163393432396466323065303337633537633132636438353932303563393063396230393263
+31306335643565343432643961383833333761383731633064613564656364363436633537323938
+61383430393930383438373433383335343266363062616564383865396665626434376337656563
+30353636653330643963613965343237623536346332363533353530353064343065393361393164
+30343435393035353832313638656339613266356464373566613030616539376665636333386261
+32353733376362316134636564373635316462303236346339303637636365346563303437663039
+30383966396262366638393861326166363761643830613861653238373561613866373564353336
+33343564333361643137343262626365366462373666623863303662346165653239323732646130
+37633963343833613135313663643438356132623165373539323166663330303264616466353539
+61386433656663383532386332643131346466623131333739313832646532663961376537393439
+62616536313965623839353331663939393439666235333038653734633535623862623630633935
+30313561633234306234636430303961353930626237353632633233306539383365396266386234
+62653966646235353865393539633130343735303233646137353831633433356165396162633131
+38653231626162623036613861666135643065313333636239376432326430636236616431613566
+61626661663236373636356661623136333939626564636366663532313062613265383432646364
+66313637333338386336363739353235626139386263343265653865663362306330666261656435
+64303966373333313736656565343862666166373465356438666564653666653062636436303164
+34366162333137323437396663643538383730313234303661353239326638396435383864626466
+33373232323662356562316435636339393466633031326463333032363930353065646464613735
+31306132396137363562663736366131653430643431653634363362663266623532626230396562
+38386162383331393462383766633635373038353561303462643133393336313135623232386233
+62613462366462373537333862653963303765303565313663343833653236343933376635663765
+34393238636238356234303237623732616362303032323831366338316462333637366165313435
+65343861343361663864653739386531323639643832316264373139396234636535343866653966
+30643061393437653461613134623833666432303563613738613865383933386138383536353332
+39353431383933356536613639613339666538306632643561373833363437626466613262626361
+64653365666661353632656635336464333433373832653535396633316364363937353134353035
+66303037643532323330303433633730626437316630353637636236663235376636303839346361
+32306538623763393533376566633630663530643965386566653764303638373761666533396563
+62396230396266626131626463313762356333646530396133366538643965633863313766333332
+37363637343335626462333666643362653735336432343635393364613865363663386366623164
+30376430313761623236366336363661656634323430666665653739336138363932393836653762
+38346431656464653161363239323834393338376264373934663261386565353031323966363361
+30363735363132373963643661323030346365333532396665393661323066343563393933643033
+32656230373266366137663239333162323732663163636337353438366438366266613163376335
+35623732303235343365643533393135643132656330366135353063613165666563303839326636
+66353339323133313662393331396536666233643861316634613830346435303237656130373136
+36366137386261306335616338333737663139323061626466326136643239346466393961353331
+61616538656538353539363737333138343361636634303436376536323435353838303830663161
+37346635383061303039656230336336616439633936613135333438353235326666646236393863
+33306637343764643334663962626164393734356265303165623032356133366637373130646136
+63663532613537396265643837616364616530306631333232313466623465653534353831373033
+38633839313863393032646238373162643866303065343236323265336533663732316433666432
+38646535383831306165303435303764343238613230306139373432333534333562383963376238
+62393664393761623839396161313265343630343435636662626563353932393363363733316538
+63666563656462623563393435626165346237356663343132383938626433653063636133396461
+66386331643032626562343366653961656631613433396430323630333239636530303238646464
+64666464323336663732333861666331613037376232333264336230333965376334333665333537
+32653730376561663038396664623237383536636461633032656634383561343438393233643237
+30333536373864663537383932323136363830366638346435653331663836613232363561343630
+61363435383838633861343838333865616330393661313465373737303737313438623334666332
+30363737623362313435383231383333393733333563346166373130633231666130363535393835
+62613337343765396134636462623039396665653936393238333430323136666536313233396462
+65333565616533376161343633343364393538643963343237326232663362383961613466623432
+63363561393132663763373532333761663764313064663838663266396231393365633334356133
+37636230633561333863363765383965616537356437613439643136666363656237333333633962
+35356366656366623164643536363563646535623465636163613264396436613863366663313530
+33336130623032323932613238366166633833623265376234616636356339363938323238616665
+37313361343865333138653035306664383461373834643263643363626630326532303162393230
+34336330306637636637633536333633376361373161383038633661646130303439373565636465
+30333230316166383439653235653464353165616265643961373431623933623432306636313463
+61643937306266626132396164353361336437623434653339663630306135373532343839613661
+38616330363066346135343433643462613931343361633262636539303737353334303536376463
+33373065643231653236333939333564313039316238613831393163636639653237336163353663
+62316634323933343330633436643033616365363230306262653637346538663038643863323562
+30333662326138363934306264313534343732653734313763356438326632383737393662356264
+33343034343335663030313032363533393136336135633863303561656634316437366236616466
+63353062363537356633663033633136383664623161363466653730373631363261313630646336
+66313762306466656230646338383737376461663135366532313533376130613732336535363436
+31636537376661386233316161323031343830623734633163396234643635666434383261623635
+38633264383939303630313235373261626535323261323464633134643135663033643366336639
+30653239366537313564623131313636336535373663643836323461363634306637663539323365
+65393337393435666337646231333437316637643934663337666666393930386333616231646664
+65356338386163626166613632626666343635313062393233633033653966376566336139633937
+30663438633032356463616435663562343865333035396436633034623037653563626536326465
+66303466313536373562303833386334646233313161666637353163383830643636363432633562
+65333337343066393733393631653732613139393031343866306239333661376234623333646233
+31626537356166373938643438653262643236393238303562393538376331613162346235396633
+66623731643261613363363962383563353232373933643339323262626236333439343439633636
+30346562323331633061623035323236383136616635343865656564356463326563653264653734
+33356163613361383835323537326630336630666232353232383334646334333762636231616266
+32633565376466323162393931383236363061306361326663373738373166303239333030326530
+61323331373765363839623261633261656261633563343864613635616537633630663737623762
+64373032613962653763316234396431383131333963306666613336656162343566306163353565
+32643038333033616139303737623337626366323964656261643831313334356332656339396536
+33656563613463383236343037303963343264656234393237336261356638326262616237333866
+30656365333865353032646239393930656564373335623734643961356435333761383566653737
+36616164313635363134666161313832343961366162373933373738316230636539616435353435
+38313962383066376432633235623665376430616364653766646537636336303435313231613631
+38343262333233353363646361306435313030653133653861343765313261313730396564633337
+61663037633737646433386333643362303337303538366137623139313462383736373363316632
+32326364653936643639396636323565313864396163353334616238643964626633386234633662
+32356533373362646632623431393436373630376335373465613232396536376438323039346666
+66346362393234383332633736653466363434343833313764663066633136373238316230613561
+39346461323433623238656263623834306235383761363435663663666266383766333061616262
+66393730616632636531333165383235633132306266363766363534653339393834616639653832
+36613530636430643062303637613339646535373562356437336530393665316130626362366538
+39363730383330613638636437613334323530353037316132336461333039366638626139323363
+38613630663834323163373163633664363633653530663037336565366433396333616363636130
+38646131323061616164626532636266373366366564326639323536643638333764653266383737
+32363636663561343033383865373636643032643938333465393364663962303366343835616330
+36343132303262393233343231356331633762623261386166373632346237396633353430346335
+31663737666164653539386435386335636439373338313262666534333737326535636466646462
+35383838353466303635373730303232623834616462303462396634313734643861376262366463
+37313438663235363439663737373866393764613663643130366531393337383734336638373637
+33666436646161366331656239326535353466316632343331383863623430613063386132636132
+30663036613133346632323233356563626236663435323165616630383330303933633232336231
+62626233363032333465356436303063626535333233336166633334346665393037666533373334
+65333138393961356665363232626632303734626364653633613334663937316639383566346131
+64663937383939623266306338373963363466363337623632336636633134623631636438613935
+35376536313230323263656534376162623063353037633264356162373961623836633634373366
+63313736393466353066333939663936313730636137386562653831373433663236333530663362
+37333634633134666464316336643661643664363631626631623537393033623964613861326330
+36346238313538376565323037383263356630626266643964663161636465343733373837653635
+32616263323361383337313434353530363038303635633763343738623838336637333163366130
+62316362326237383133303862323934396332643864313166383661303862656466383362363133
+63663966653861643266663866383963333663346332356439323030306230633164623863333135
+30356335393033663139633531633937386364353166313963333436656238663431323964323735
+36306533633832393538303363623239316263343031323336313735333133373766313665623261
+61633164326238316536323933396466383165306234646662656661353962653032386339366236
+30616336646262323139396165386336373262633639353130613932656434653632336135373664
+34343036373233353538616562656166333236353133353761313838656461303764396630653765
+35663238623038323931653734663062623434366465306233633435633266383030373434303962
+62326230326539383533343036633366386239623464653338393338666163636630376662313636
+63393763626237313539303563323139343332343933313530376666633238323635366136323265
+39356564643863313765666465343466356165353065393964663238656464613738663931336366
+66353164353836353836363736356663363761366466383538396331346166356466333634353933
+65326539653264376432356261343965313665646166363139373132333334353530653034383530
+32323434316436636461646632623635323735656332346439613533643031326261383535656165
+62386632633438376639623362623532333036333136633332393061633831393564616164386333
+36323036666666303931666137356131353339626234316361373432346661303232396265623336
+36363137613562663865393135643639396361373361393566356336336432666466643831653239
+61363662363733383664666535303430323336313930663361666533353936353337636664356638
+38316438343364626462623237326164333636336333313930626266316132353762653537346537
+38363064316530643839343062333636643830646239616435396433613836613835653537336139
+36363033386662653039393539623436666162613562616531656430386561393731346162396461
+64646534633132656533363734643063653033326563333131373338313833356634656334363266
+62376330336365626137363232336331366161373231373133643335373263616630333465383234
+63663065336165386635363631343666316365643963306531366261626161656331373236636637
+62303032663137363363306564333864316535326564636464396430326439633436356336323665
+62666535626265323833396137633735633631333631633638343433323031343439633734303364
+33646664353733313738366662363132343133643939383733323134363062343237616330323866
+37343932346137663339346334313930663734363539303933356534643437643161303134383163
+31313465396439306130363534303733643834343234643837303462303866616638643937353830
+39346136663166343333316565653039363833386361636465663333636534663066653966303635
+37613931623332393031396538373634656139363666353061336634346134303834376264623530
+31376432346437323566303761333266626264336232636131656133383763366439323064313263
+36363330656537356262353933323733393565336461316230613732336438666432346530323465
+65613036383830616335306163633536306562613637633934353062356165303935653636653762
+36383164643635666563386466663039383339616533643139303664396531373735363661623766
+65323738303430653637303566323335343836333466353930623830346365336565313035383131
+39386633663832316635373066613466633930613034303530313035366237346631393864393132
+62313662633030363235343437353537336432336361376166386435363635396130666639353166
+35386535313066656234316331323731616630636635616561653236646466336165363434346131
+31333632643364663331383336343136366363633537663365386534653463366561313234363636
+30656332663064353937373333626436613934653834643265343431393563363932396538303930
+64653839666137616631656363313464636531383065623566626665656234373534653330613962
+30326138623630396264316634646636343262613638666634333134636638643631313237323964
+63363134363435333662386139653564613761366533323036633462636236376237346663613039
+34303339326136633366306338373362356136613732663666326133343562323638303661666436
+34396561313930363934363936393839383432383538636464303232333266303863633137663235
+63303939333931373934313764363263343431386234323734313563313539616238386434343336
+63303433386337666331643862343563666235636132623033636335613663373363333032636135
+64333664373961346361336163373864316437656163383336326366326565333434386465306565
+39346334656266313735346539613365353565313234333164643732343735613935636137363862
+36303635343966613163373336313238373133396461313962333465623566643237613264633235
+30623161303435323439376638363930376637316631633064366430353231643934623732663236
+63613262333866393137626430386232336230663262356333643861393765623865353136383036
+36626562366134356331643032363633613834316563363163666131666261616165336464396135
+63343066363563623861636462376134623832373230386331376135313463643232306634313038
+63623337333465313264653137643366393934646661393931343966306235323966626235633063
+35616634343433323730386235343863343333646333386664623365633331373832353661396230
+37643333373966353238363631626366316664343030663766663265383262363161613337383537
+34663261313564643763363734343736656466373862366163376138613031656530373134626337
+38633364323330343236303634313139623231396137326534613039393064643565373764626563
+65653830316261663837326363333034343438653965666561386631663066313134326235343239
+38663739356337393664656566346163386533663761666636393235366539363039613333653664
+63306638386561393362373762623637326465303234616238313931353261356366393166376562
+34636466353137353630306433636330316631653237663630666337313266373730636533393036
+32376363333761303238363136323933653432383138303363343732393661616633306463336566
+65316566633630363963353939343261303338363534393537633133333236303837343062346435
+63613566386663383034373766366361336131333364393761623336363132386537383432656335
+66653466343262343266333862303232633661373561613235316136336536353534346461643134
+30623561666438316136313030363433633066393438356461363161346564323738613336643932
+65333162313966643232343163323231313530383533663465633031656464323866306239396661
+36643739386131636633376538623831343538396636626262376564393363326363643133613065
+36636562643139393135303135343737393466333533386333666332363437333933333131636463
+31346638303036326433633539613934633933313232363735313565353462646237626462363636
+31326261336232396539336161663239393034663665396331363636383534353933653033656337
+62643963636439383166333362323965653938346465396430356130333734653537313363303462
+37323961323232303865373332646631323466356632616161326138656664656632333630326535
+64663733323336663531653964303831353264663863616232396337646337346166353238363965
+39346262643333326666323863643033646430373230303535353564626536666634663135653365
+64636233633761373037323431316436383862633062333332343137386330333932633538303732
+33653737643366393561363531626235373761333836663063613063343730323037363839643333
+39613631346364353139323661366538346136333034633165653330616434613736666131626137
+33336332393432616135656134323936373362616331393937376338393037643539663934653361
+61626362623139363532623062343831373932633766303366303738656235653666333431333234
+38343934363037663363326631333230313466306636653432313736363435383963343662323332
+36316637396661653665663535623333326634393966306336393336343536366438386662333431
+64653732616664663566386361373636353865333238313032353533373661623164633530326131
+31366565336435643938393461643431636634303932633831383261306636626234333366366563
+64386636326535393462306639636537306161613530386238316638386263653630396262626165
+61653338616530356534613537636566643265646431303734326334326232363462646631353739
+34343939393662393635346361366166666139333765653866356238633964653739396365613234
+38383666336430383334313265373233646166616230636363626264363961643362383063653132
+66643765623366623438343061346435323936373635633130306535333661396232396434326562
+32383562633533316132346565373832353365306463626362613066653433316133386562373039
+63373432663364653561326332316563323363373937303664343166383263616230623030393362
+32373532656636333061653963383262663339663562393962303336333433373136393564316665
+32306262306330393933626335616263343964633938303238386437366332306166353533363966
+39376663363734373238343363393239666535353963346633656338303336353935363930323333
+65653261363536613436306135313236623537333539616530343639366638356561663364363366
+33626666333164633030353563353836646665633561323038316334343736376137393933623731
+32313237653839616263306232373861643266303364373962636534303065613438313062336466
+34613762363232613962313364616632353233623836363638353464643136356638643330373538
+32366230393131376234383438303938363363333434643534616566353635306265346239323763
+34616339616538336264643765626631313035383839396232663631636634653137396533313933
+30646134303332663135623538663637396133316531306538333465646165396537653133386132
+62613830363163643532373261613134366536636365376238323631346166393437656131366435
+34306263303938643963393961616134376163326639356165343332663835376239643463303032
+39353635333732613964653033643036306166303139383937326361363131333532363532633834
+64336238663932643832383462636130623766363835643834623531323738613863313838316561
+32613664616334373133633037643236663637333565353961393535613636336436643766636533
+38393531653338353563386462306534626238346262643161363934636339396135323937353135
+35613131383564666263363763393339346239636538333464623361666236653235313836373237
+38323038653233646539383562396332363161333263383632336638663766636439643834303132
+63623335313239616138383633323036646131626433646664613762653764373063393531353239
+66313534396333623837323934353830396232663235393866346664393864393535323233623262
+32336661353635326633346236653265366637633335383066316261363032316231643133646563
+36656365353938646234626562303461333166323231333964393262396363323138363464316136
+36643331343432643266313939623838356332313262333530386665323934613131313330656461
+37643961343334386137316563306565376438373165343863346638333531363438623235633861
+38373363353031313937346364326534393031646533333362363633396539643030353862643364
+33626634373435383061396666343337346633393366343331323664393335393431326164326137
+34336361623062653636336566656438353639343334326263393666326133663863323032633061
+61393466383039396364343237383331313138383465343630343766396563316137623662653439
+31376530353532656262316232376564666362353631626339653162616530303561373932366563
+35393465643161323134613237363264353235663066376461343036313131303837313562333332
+34626132363439333963653531336265666435333636366133316261623536343834336136386361
+66353031316437333765633532396233626437633937316430393765646566316164626132613837
+36363037633239643030383163396631343932613834353338643765393364306332656630653364
+33626637653830343866653335626464663135393266646365383562643762643966633631383665
+64383836323765646165363032333466306363636631613266303738663465393837633734373535
+34366439383762386661333730333666343239356135353234376636316465323337306436643335
+38343932303336626439303337646566646534313832353835303164363061366138653633343064
+37326461616630373533376562643038333433643061363432373739343434663461646363633237
+38343431653730613661616365663762316134636237623233643166353763633263393330346461
+36303039313065643438656237396234616435333431316661343539326638633134336666396461
+32306331346236383165383961376166656461653734656231323130626639313164376666306235
+36653263353232666261613735653161366634373766303466333463353462353835646162316365
+63333939636630343332376331303831386562646333323738623037626562373664643631653364
+32656438313231386362643538393134623361636163343763653038626564343431666639373334
+62353436383938633733366635663238356164316563396366323863646565366436303165306534
+66366139306334373238303036353839326436653332313962623439386433383231656263333265
+38613162383830346330323561306535346330653835393536353961303535396361356532303438
+32373331636238326263326366656338666562643839323834353666333363333561643838663266
+33636135653238303535636637333833323461373435373361656132343430623566383534393931
+34393534366331313939633162333662666264306634643066333061653439383961656566653039
+66356138643734346237643139383830653933366334313137656439353765326238343138396435
+61306234353563376335343661363363323239613531643532383530373666346630616131386338
+37663531323536353833383431376336623631323963653065633636613263663238326235636438
+62656563363634616535363761626165383234373431333662393635653831313539613137633666
+32653763356632666462633538353938633261663235313862393239383462646665616165636439
+61326263646136613739626336316531383137313566323730356439653735623336636437393462
+63353930396239663731333463356337353136306630633764316162633764303265643039663963
+35353664613532326466636365643861616437333432326461336365646366633537626132613235
+66366531306364373534393233363632323563316166663933633233353165386430333938386465
+65623038373139353633353034313132306266373962373633646133656462353337383235373433
+36643665366533373635613833383962396136613836623135653331346666353064636438373932
+37313166356436336333323038343734663538313265333030636363356633646433363561663862
+61663635643761613166396331653761386165663038323438313861383637303363366364326630
+39386461393832633338373264346335633266303765336639643833613265636133363739366161
+37366235623637336165636565326232303633653733353635383833363564613238323835313030
+35643566623635616532363130653262653135366566366638653263643464346337356363303738
+36636638643036333135383262373839356331373062623830663835653833343439303937346138
+38616536326564643933363965626335393430633062333830656561633566636432653663663036
+66313837393364316631306334653439633232626330623834313935643366633662316263343033
+36316562323963633463386366616537613734643631323163346536643636333163333430646662
+36633563363338663238613163396338383362633831333439633933363964346138626134353766
+35616434633639333061333364336465336533396636376634303736306535313563616565653135
+62353038616135636139393335333662643765653465393239323231666563653165383039313834
+34313966363162386539316238343632313234313931346335656136623434326132316536373732
+36363261666430336662643665346532323361356134336364663431653666363765346130323430
+61386631343962363935363538346536363837363764663664396163376466303663343137383832
+62353933323261313261376532303837306232336263386162613565313966336564303436313639
+61396133333661626138323232636439616234336434633134316662343334663166353032636463
+63616238356138306164346666346235396533653635653031653964313839353435353963396332
+65323735386461313134363137333732356138643335313737623330366265383861313564373066
+35393966363132346431323963386631623532663338343334383930373433343631323732323031
+33373936336462363933306261646263313165383936643335626362333263383035336636323666
+35323531636635303936376664643730623333633634373931653137616130343462316132326361
+64626664383562386165346235323038613734666235386463653133613836633335613866653532
+33373930356662616434323030636231333966643866653265663265303430643639313330616539
+31323239343938376239303630653636613565336361336332623966623431303231313666656161
+30333233616639336636313436663361306135313132636631663865636663636431663536633732
+61303764663531373261333938343966633162313137386231643937653634616635303562316331
+39643862353965323337313232613030386434383237653061343634333062376166353662336431
+39653730393762613466663466656139346366393137336263646234353337363136346533343638
+63393265363430383431343233366333363433616362653438383663353436356464383632653863
+39623730393331333761386136623866623663333737316331316337353962616533383632366562
+66313566343932363266613466646632316538323766303232343336643036663930346466376633
+32653831623363646539333633346538303131396630396664303134623061363061613538633836
+33613630613335326137306131346135333633353832373238653030353737356164663937336363
+37383864643164353862333437643138383631363238316664643535386238333932353634643933
+64643134366264353734316532396235623139656231356463343765383762373666643464343965
+61363562373930333061363731313066396661643732636462323535383636623337353331393139
+39373561636134373733613733633566643261383934346535376261313662373932393436316266
+33333562313862336537353633663837383762663238613664663034643134653632333065353063
+66633832623335633634326130346634656631626339313936336234393464306462333764326232
+62616363613533323862313363346134323639633066636565623031613939633065316133656437
+36376563653763636566613533346331303366613863666138616335313838656331353134313133
+38393966643637303835353162646131363865396535356461366466616137333162396566303666
+33386431663333356137623337366430356463353866376638376262393738636537353738623130
+31633438313238653035393861653062656539326534343139663461303964623937646435303861
+31656634383934373261306664333465313833616362396635616365343662383261653131373962
+31316662393161323765313336623234653165653133393830363561653539656665653630336538
+66373037376365366134653232386431393334316333376465633462623763383130383931323133
+61613262653434656562346265353663623937386336343337303166386334626561303863376539
+36373636356338326537393935333730366364336239633035633561363563666134633161666430
+66633263643164396566643561626633326532393434643164366465626561636437343861653962
+62656134383038363032346435333762663564666264383866623865303832376136623266663363
+64393931303066663733303161653137386432346562356164306162313266336334613233633965
+30336135303935626434333036343765666433313938643337353138633736373564343261613966
+33336537396633613933663232666663663135393063323136666536383161323061333263396131
+66376362353039613431343366316639323438313866636334633261343630316263313431316664
+31363939393835346437366635383537393438623536396637343930633461326530383462356139
+63306334306637633065613365326139353932636336376534393962323764633931393633376163
+38616131343661323038646538653037386437626539383233663138323262643162633634303930
+66313031663234356539386666336263356366653438653134323334333932623263313632313136
+32613238336137316331363135393339303332636262643561653030333133336265656134323064
+62663761666162616534303333643235363762666539623666323135303639383461633564366432
+34326435653730613462363635313664656139306663633836393264626233623035336164333463
+64363738313761326432353336396633333430303236653930643035336533613532626331373565
+35393361363536316431313661366633396365383134356232383030333538383930373533336137
+35303033386464643061396238363235373634633430346461363331343263323130343637343963
+30393539633261326139383332613036353938613930383162346466393930366331326133373438
+34363436313331366138356239326336663537393139333530613564653936396335393236356439
+61633561353962353665326361643638333134653631383762656561363664303839353266306264
+63306135313030363664373534636464313264623366616465373738323663306666653532613765
+30656533656462346234646462626534306135633036653666633737613532663466383334633063
+32333565636632393930663966613962626237626135303963613434323232386136303635333766
+37313038306439616265363435356362313261663237353934373763376439326364666137623630
+32316563303065613564353636646333313931373263373334383264336239336632653763313833
+63623633323061346131653664343239333061363235313839353762346533393462376139353135
+35333034333364393763336530353532666331346263396334313934353539313333613864646138
+66356439386533613036643830656236636630303336616532633438353734376561326335643366
+66613061396630343264313361333365343638343865666530323761343666363536386364313333
+34663436386363613338656363346665396432666261313066376262346662306135383934633262
+37613232306130323764303331343161616162643466383038303630366637616266376539346361
+32316234386232653365313862353037316331663139643463623561656638336164373964653032
+32316537353831346663613832646662643338653737336439333566656233373166333934643266
+32313939363165356531353861343366626364346436366632666537393538373737316561623331
+37623761363661366339393232643137306438346631386237326437323234316234393634373233
+31366563313036393963316264343061353330623437633131353562623063656230306133336663
+33353161366137373061623232633933373064626335663639663932303730666338393933636636
+38303265323139333263393338316637663138616333363165313166386630346133306138393761
+37353566643338663963663638653831666335343865383965326531343533356534313039306331
+65633166366361373961633131663830643936386539623830316230333661633965336233333537
+65623038336464373334626430623438353034663935623866323539313965373166393739663830
+63646137656135333064343161393734343532393237656164343535656564633335633038383739
+64356432666264353865383633363037376161326464656433383631323761613134356665633138
+37636664623635303661313930363564376132626663316162613339323935633239303530633331
+35343261383430666635626637386135656464653366333631633763666164353665373235373832
+32636336666261616532303530626239313239366333643035326132333966333133306135393439
+61663661366632363431626531363534366236393361343839613962623637316164623639653765
+35353266646339326230366161666431376365383530343039616262633166616631623537396137
+31333665366636333961363962383639333762313066373633306532343066333534376232313263
+30386661633136326332623032623139653562633564616561616636373932386165623461346465
+35646664633131333633643863663066323263393838376434326461373535343337396466646432
+36656630353364643033363962666565393239616461386663643539353336663935633966626263
+64356438626238333937386139386138333739363436313031656165623537653932353037393537
+62303431663735303937656630336630386332616265316532376461376466666663333962323666
+62393365663339353536626662303338653830613537646365613530653066363837623631633731
+30366438333339373534326632373830636363343338643233663934326539343433316134336131
+64323530643737633064663031313765656565613931313166643434353838383134313965666464
+64373665336332353265373261653030373164316233646439336365336136303931643034313738
+35333535613631353935343561313234383763316564656665356162613763376137383533326338
+33336638643062653033633331666263643964313263376363616330363038383530663138653536
+66376335316438353362626436633831666334386230643566393463343164393331336332393738
+66643133626230303831623430663636626132313435636264376465353664626338333466396535
+36643032336431343132313337326165316436363263646465313163356530316136363362306631
+63633564376331343031313730613331393864633634316462626164633839393432383130373430
+30633532666563303039343366346433353738626237666166653930346533306662366365356339
+63306161663262323538633133383664353561343664363731633334356234316132376261643761
+64646332326537383563663039373261313933656539336164643438373763303261326135653463
+64656236623166613132616535306630366261316434303234333139313938316135393766386233
+36313134663764323530333736306465343066383137353835383130303230623037646634616666
+34303438653530386336303237633934383938373333373535356165663566646537656536336466
+66616462333435666536613934363633316664326462623635366531386332366239653963383437
+30633563613262643330323237663664643533623531613665306135363463656163376134376632
+65323263646137623639613861643838346665653139623164386265613165333531373831363631
+65643734396339633264323966356131393166626530646561366138313131666630353739643165
+31333437643461356330653135333036663363313666323736613231393030353834343465366562
+30653565303464316632633237396662323463626463353262343234343730333331333638616663
+63316563613266303762303236386663623166393035333233353666666630366266343466663939
+31393336653133393537336334333163613165376163663931383930336532303030663738666438
+65616330353063656566386634323936343034323938303562366632306338613338636266623732
+65663564343635353635333939646330666565333939336664356464633232393362326631333832
+32313765383963323963306362613036663566363861376232643033366636643566376631353661
+36323865623237303966373732363161323064363662636364366564633235343131623265663035
+38343862613039363936336265383034633138333164613434653766666131623737666536623761
+38613963636162393239323034653561333234643331626163643363316264333365633066333136
+32313635386664343134663632613333643331646131636663643162333231343563316336613332
+36363962343763346161663664663333613636653733623965663662326435393134613364376233
+63306439373536656332313233626637393037323133666138623662353132653166366161373263
+66626131643133373665356361326236656165343339353030656663353230613931366261396363
+61663636323133346362333630666634393530323133346435653735343134373237363034333635
+35303663363837633139633038653932376139396239326134336236653263306662353639326630
+39346637356639303265326234333866356431373439313065366634663963613961353231363138
+39323137653433346638653836393032613263303430653936653330363566623866396634326664
+34353833303566313635346138373365663133363030653861643361363831333633363933663337
+63363165343661363964363263623936393466613465623366313565343464376566356437326463
+33623861616134343835336533383235363139336132663936346537393030653462656461653261
+35306561383433383439393736646531646162313734383630373763383161393463313734346161
+34303961373239623463333933333165336164623964343739623935623832623436383139333137
+34653734663430653062353566663133323634333932353933643262346139376135646162383034
+35613537313861383835373733396637373235366264373766333231616531333733633332396432
+63323462363437313366313632333133656166383238313464636238663638343831383635363764
+32323366396663376635653664623062346535653465646634646432643938383533653039653661
+32303031333332383638353831386362346634613062323530306432353437343634646362623566
+35313934323439393437633834343162616633663733353032396136313766333031643538613439
+63383035626161356232333430643438656433306330303138613833303934393466343666343238
+38343835656265306330366535376430356333636262616535626564363831383034656464393165
+30653635646164653963303930626437633937393838663165303763376632636132373264653935
+34626430313634303534356236316662383539393239346234636537303661633331373734363264
+65386563353737636130343061636364663836663030383838623731396662303663656161376665
+39666336393861383962393064316263666331363234336331633834666230653661306361333663
+32313333356433303939623563396664366536343566343535366161346135356263313932363535
+30306632336239313733313138373839313334663034396438613365653136353534366134393865
+65363533303938636262303166663438643063643062396633663364646437306235366164306332
+3663316534333861663435383939393134643738323661373839

group_vars/stage_qa/plain.yml

@@ -145,6 +145,7 @@ shared_service_elastic_stack_01_hostname: "{{ stage }}-elastic-stack-elastic-01"
 shared_service_elastic_stack_02_hostname: "{{ stage }}-elastic-stack-elastic-02"
 shared_service_elastic_stack_03_hostname: "{{ stage }}-elastic-stack-elastic-03"
 shared_service_elastic_stack_logstash_01_hostname: "{{ stage }}-elastic-stack-logstash-01"
+shared_service_elastic_stack_kibana_01_hostname: "{{ stage }}-elastic-stack-kibana-01"
 
 kube_master_01_hostname: "{{ stage }}-kube-master-01.{{ domain }}"
 kube_master_02_hostname: "{{ stage }}-kube-master-02.{{ domain }}"
@@ -290,9 +291,8 @@ harbor_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
 harbor_oidc_admin_username: "harbor-admin"
 harbor_oidc_admin_password: "{{ harbor_oidc_admin_password_vault }}"
 
-postgres_listen_addresses: "listen_addresses = 'localhost,{{ stage_server_ip }},{{ stage_private_server_ip }}'"
 
-connect_image_version: "8.5.47"
+connect_image_version: "8.6"
 iam_image_version: "latest"
 
 management_oidc_realm: "management"
@@ -356,6 +356,9 @@ argocd_admin_password: "{{ argocd_admin_password_vault }}"
 argo_keycloak_client_secret: "{{ argo_keycloak_client_secret_vault }}"
 argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
 
+awx_admin_username: "awx-admin"
+awx_admin_password: "{{ awx_admin_password_vault }}"
+
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"
 

hcloud_firewall.yml

@@ -38,7 +38,6 @@
   serial: "{{ serial_number | default(1) }}"
   gather_facts: false
   connection: local
-
   tasks:
     - name: "Setup base hcloud firewall rules"
       include_role:
@@ -47,11 +46,6 @@
       loop: "{{ hcloud_firewall_objects }}"
       loop_control:
         loop_var: firewall_object
-
-# set ENVvar awx_related=True to trigger playbook part
-#
-# needs to be implemented via switch due to potentially missing nodes at first time
-# when playbook was executed
 #
     - name: "Generate awx-related hcloud firewall rules"
       block:
@@ -76,21 +70,59 @@
           name: hcloud
           tasks_from: configure-firewall2
         vars:
-          src_ips: '{{ k8s_worker_node_ips }}'
+          awx_source_ips: '{{ k8s_worker_node_ips }}'
         loop: "{{ hcloud_firewall_objects_awx }}"
         loop_control:
           loop_var: firewall_object
-      when:
-        - awx_related is defined
-        - awx_related
 
-    - name: "Setup hcloud firewalls for database backup stuff..."
+      - name: "Setup hcloud firewalls for database backup..."
         include_role:
           name: hcloud
           tasks_from: configure-firewall2
+        vars:
+          awx_source_ips: '{{ k8s_worker_node_ips }}'
         loop: "{{ hcloud_firewall_objects_backup }}"
         loop_control:
           loop_var: firewall_object
-      when:
-          - backup_related is defined
-          - backup_related
+  
+      - name: "Setup hcloud firewalls for gitea..."
+        include_role:
+          name: hcloud
+          tasks_from: configure-firewall2
+        vars:
+          awx_source_ips: '{{ k8s_worker_node_ips }}'
+        loop: "{{ hcloud_firewall_objects_gitea }}"
+        loop_control:
+          loop_var: firewall_object
+  
+      - name: "Setup hcloud firewalls for keycloak..."
+        include_role:
+          name: hcloud
+          tasks_from: configure-firewall2
+        vars:
+          awx_source_ips: '{{ k8s_worker_node_ips }}'
+        loop: "{{ hcloud_firewall_objects_keycloak }}"
+        loop_control:
+          loop_var: firewall_object
+  
+      - name: "Setup hcloud firewalls for kibana..."
+        include_role:
+          name: hcloud
+          tasks_from: configure-firewall2
+        vars:
+          awx_source_ips: '{{ k8s_worker_node_ips }}'
+        loop: "{{ hcloud_firewall_objects_kibana }}"
+        loop_control:
+          loop_var: firewall_object
+  
+      - name: "Setup hcloud firewalls for management..."
+        include_role:
+          name: hcloud
+          tasks_from: configure-firewall2
+        vars:
+          awx_source_ips: '{{ k8s_worker_node_ips }}'
+        loop: "{{ hcloud_firewall_objects_management }}"
+        loop_control:
+          loop_var: firewall_object
+      # end of BLOCK
+      when: hcloud_firewall_app_specific_stuff | default(True)

hcloud_loadbalancer.yml

@@ -0,0 +1,58 @@
+---
+
+# updates loadbalancer config
+
+# Parameters:
+#   playbook inventory
+#     stage := the name of the stage (e.g. dev, int, qa, prod)
+
+#############################################################
+#   Creating inventory dynamically for given parameters
+#############################################################
+
+- hosts: localhost
+  gather_facts: false
+  connection: local
+
+  pre_tasks:
+    - name: "Check if ansible version is at least 2.10.x"
+      assert:
+        that:
+          - ansible_version.major >= 2
+          - ansible_version.minor >= 10
+        msg: "The ansible version has to be at least ({{ ansible_version.full }})"
+
+#     add virtual server to load stage specific variables as context
+    - name: "Add <{{ stage }}-virtual-host-to-read-groups-vars> to hosts"
+      add_host:
+        name: "{{ stage }}-virtual-host-to-read-groups-vars"
+        groups:
+        - "stage_{{ stage }}"
+      changed_when: False
+
+#############################################################
+#   Creating inventory dynamically for given parameters
+#############################################################
+
+- hosts: "{{ stage }}-virtual-host-to-read-groups-vars"
+  serial: "{{ serial_number | default(1) }}"
+  gather_facts: false
+  connection: local
+  module_defaults:
+    hetzner.hcloud.hcloud_load_balancer:
+      api_token: "{{ hetzner_authentication_ansible }}" 
+    hetzner.hcloud.hcloud_load_balancer_network:
+      api_token: "{{ hetzner_authentication_ansible }}" 
+    hetzner.hcloud.hcloud_load_balancer_service:
+      api_token: "{{ hetzner_authentication_ansible }}" 
+    hetzner.hcloud.hcloud_load_balancer_target:
+      api_token: "{{ hetzner_authentication_ansible }}" 
+
+  tasks:
+    - name: "Setup base hcloud firewall rules"
+      include_role:
+        name: hcloud
+        tasks_from: _create_loadbalancer.yml 
+      loop: "{{ hcloud_lb_objects }}"
+      loop_control:
+        loop_var: lb_object

host_vars/dev-blackbox-01.yml

@@ -0,0 +1,7 @@
+---
+docker_enabled: false
+traefik_enabled: false
+filebeat_enabled: false
+metricbeat_enabled: false
+
+monitor_port_system: 9100

host_vars/devscr-kube-node-04.yml

@@ -0,0 +1,2 @@
+---
+hetzner_server_type: cpx41

host_vars/devscr-kube-node-05.yml

@@ -0,0 +1,2 @@
+---
+hetzner_server_type: cpx41

host_vars/devscr-kube-node-06.yml

@@ -0,0 +1,2 @@
+---
+hetzner_server_type: cpx41

host_vars/ext-bdev-demo01-01.yml

@@ -2,4 +2,4 @@
 
 hetzner_server_labels: "stage={{ stage }} service=connect tenant=bdev"
 
-hetzner_server_type: cx31
+hetzner_server_type: cpx21

host_vars/ext-bdev-mpmexec-01.yml

@@ -0,0 +1,5 @@
+---
+
+hetzner_server_labels: "stage={{ stage }} service=connect tenant=bdev"
+
+hetzner_server_type: cpx21

host_vars/prodnso-mobene-cusprod-01/plain.yml

@@ -0,0 +1,14 @@
+---
+
+wordpress_image_version: latest
+
+connect_mail_protocol: "smtp"
+connect_mail_host: "smtp.office365.com"
+connect_mail_port: "587"
+connect_mail_user: "{{ connect_mail_user_vault }}"
+connect_mail_password: "{{ connect_mail_password_vault }}"
+connect_mail_properties_sender: "Info@egeld24.de"
+connect_mail_properties_sender_alias: "noreply"
+connect_mail_properties_smtp_auth: "true"
+connect_mail_properties_smtp_starttls_enable: "true"
+connect_mail_properties_smtp_starttls_required: "true"

host_vars/prodnso-mobene-cusprod-01/vault.yml

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+63313634313235623162373139646237316436336364376237333463303339636135303036323135
+3339326265343539663634353235306436383963666162370a313862376337663239663162396163
+38636336646465636339353032636161613034363434346436326364653165323632303666323464
+3162336233343635380a626664376232653734316334383561333963343266616163356430653361
+32353934613365303464653938626536656337363039326237633835643662653032363633653263
+62333935353365653039383638353266633632656638346332633563323566306532336538336462
+62386634323937626662313964313933616336323935616231623637363663626231356533303063
+30326266363334643431336233376462303637303863656138333763633361346335643533336134
+36363231376638376433353061343334356238313464343266396537663630363430

host_vars/prodnso-mobene-cusqa-01/plain.yml

@@ -0,0 +1,14 @@
+---
+
+wordpress_image_version: latest
+
+connect_mail_protocol: "smtp"
+connect_mail_host: "smtp.office365.com"
+connect_mail_port: "587"
+connect_mail_user: "{{ connect_mail_user_vault }}"
+connect_mail_password: "{{ connect_mail_password_vault }}"
+connect_mail_properties_sender: "Info@egeld24.de"
+connect_mail_properties_sender_alias: "noreply"
+connect_mail_properties_smtp_auth: "true"
+connect_mail_properties_smtp_starttls_enable: "true"
+connect_mail_properties_smtp_starttls_required: "true"

host_vars/prodnso-mobene-cusqa-01/vault.yml

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+34656337303930343532386532646463353864653937633637303733346462666333303034323037
+6633333162376661313838366334313034336162623164630a336132396361353431386135303439
+38383366616163363865366137316238666638383263326430653236383532303232636531323431
+3563623830303665610a356336363438373938373863663738633661616366323334323661346666
+61343632663635376264356263346430383236663363373331613639323065396533613635386531
+30646135333638343461386436663763393663313266363434623837373562636166393033396163
+65356633383732313034363965353162323230353263373537656539336364383935633436633334
+64633461336431353532323939303761653534313134326335363732623032306161653437353330
+38306561643033373033313963336164383235653639386261646134353237313639

host_vars/prodnso-mobene-nsodev-01.yml

@@ -0,0 +1,3 @@
+---
+
+wordpress_image_version: latest

host_vars/prodnso-postgres-01.yml

@@ -1,3 +1,4 @@
 ---
 
+hetzner_server_type: cpx21
 server_type: "master"

host_vars/prodnso-postgres-02.yml

@@ -1,3 +1,4 @@
 ---
 
+hetzner_server_type: cpx21
 server_type: "slave"

host_vars/prodnso-prometheus-01.yml

@@ -0,0 +1,3 @@
+---
+
+hetzner_server_type: cpx21

host_vars/prodwork01-postgres-01.yml

@@ -0,0 +1,4 @@
+---
+
+hetzner_server_type: cpx21
+server_type: "master"

host_vars/prodwork01-postgres-02.yml

@@ -0,0 +1,4 @@
+---
+
+hetzner_server_type: cpx21
+server_type: "slave"

kubernetes.yml

@@ -22,11 +22,26 @@
   roles:
     - { role: kubernetes/base }
     - { role: kubernetes/namespace }
-    - { role: kubernetes/cloud_controller_manager }
+    - role: kubernetes/cloud_controller_manager
+      when: kubernetes_with_ccm | default(True)
+      tags:
+        - ccm
     - { role: kubernetes/container_storage_interface }
-    - { role: kubernetes/prometheus }
+    - role: kubernetes/prometheus
+      tags:
+        - prometheus
     - { role: kubernetes/cert_manager }
-    - { role: kubernetes/external_dns }
+    - role: kubernetes/external_dns
+      tags:
+        - external-dns
     - { role: kubernetes/ingress_controller }
-    - { role: kubernetes/argocd }
-    - { role: kubernetes/awx }
+    - role: kubernetes/argocd
+      when: kubernetes_with_argocd | default(True)
+      tags:
+        - argocd
+    - role: kubernetes/awx
+      when: kubernetes_with_awx | default(True)
+    - role: kubernetes/gitea
+      when: kubernetes_with_gitea | default(False)
+      tags:
+        - gitea

kubespray

@@ -1 +1 @@
-Subproject commit 92f25bf267ffd3393f6caffa588169d3a44a799c
+Subproject commit 00550ba832aa5d4f59bce03ead09d9e940e3a672

mobene.yml

@@ -0,0 +1,128 @@
+---
+
+# creates kubernetes namespace with secrets for usage with mobene
+# Parameters:
+#   secrets for mobene/namespaces read from group_vars
+
+- name: 'apply mobene setup to {{ host | default("kube_control_plane") }}'
+  hosts: '{{ host | default("kube_control_plane") }}'
+  serial: "{{ serial_number | default(10) }}"
+
+  pre_tasks:
+    - name: "Check if ansible version is at least 2.10.x"
+      assert:
+        that:
+          - ansible_version.major >= 2
+          - ansible_version.minor >= 10
+        msg: "The ansible version has to be at least ({{ ansible_version.full }})"
+      tags:
+        - always
+
+    - name: "Import autodiscover pre-tasks"
+      import_tasks: tasks/autodiscover_pre_tasks.yml
+      tags:
+        - always
+
+  roles:
+    - role: kubernetes/namespace
+      vars:
+        k8s_namespace: cus-mobene-nsodev
+        k8s_secrets:
+          - name: connect-secrets
+            data:
+              JWT_SECRET: "{{ mobene.nsodev.connect.secrets.JWT_SECRET | string | b64encode }}"
+              ADMIN_PASSWORD: "{{ mobene.nsodev.connect.secrets.ADMIN_PASSWORD | string | b64encode }}"
+              ELASTIC_USERNAME: "{{ mobene.nsodev.connect.secrets.ELASTIC_USERNAME | string | b64encode }}"
+              ELASTIC_PASSWORD: "{{ mobene.nsodev.connect.secrets.ELASTIC_PASSWORD | string | b64encode }}"
+              DATASOURCE_USERNAME: "{{ mobene.nsodev.connect.secrets.DATASOURCE_USERNAME | string | b64encode }}"
+              DATASOURCE_PASSWORD: "{{ mobene.nsodev.connect.secrets.DATASOURCE_PASSWORD | string | b64encode }}"
+              MAIL_USER: "{{ mobene.nsodev.connect.secrets.MAIL_USER | string | b64encode }}"
+              MAIL_PASSWORD: "{{ mobene.nsodev.connect.secrets.MAIL_PASSWORD | string | b64encode }}"
+              OIDC_CLIENT_SECRET: "{{ mobene.nsodev.connect.secrets.OIDC_CLIENT_SECRET | string | b64encode }}"
+          - name: iam-secrets
+            data:
+              JWT_SECRET: "{{ mobene.nsodev.iam.secrets.JWT_SECRET | string | b64encode }}"
+              KEYCLOAK_ADMIN_PASSWORD: "{{ mobene.nsodev.iam.secrets.KEYCLOAK_ADMIN_PASSWORD | string | b64encode }}"
+              KEYCLOAK_ADMIN_USERNAME: "{{ mobene.nsodev.iam.secrets.KEYCLOAK_ADMIN_USERNAME | string | b64encode }}"
+          - name: sepa-exporter-secrets
+            data:
+              SMA_DOCUMENT_AUTH_TOKEN: "{{ mobene.nsodev.sepaExporter.secrets.SMA_DOCUMENT_AUTH_TOKEN | string | b64encode }}"
+              SMA_WORKFLOW_AUTH_TOKEN: "{{ mobene.nsodev.sepaExporter.secrets.SMA_WORKFLOW_AUTH_TOKEN | string | b64encode }}"
+          - name: uba-exporter-secrets
+            data:
+              SMA_DOCUMENT_AUTH_TOKEN: "{{ mobene.nsodev.ubaExporter.secrets.SMA_DOCUMENT_AUTH_TOKEN | string | b64encode }}"
+              SMA_WORKFLOW_AUTH_TOKEN: "{{ mobene.nsodev.ubaExporter.secrets.SMA_WORKFLOW_AUTH_TOKEN | string | b64encode }}"
+          - name: wordpress-secrets
+            data:
+              SMA_WORKFLOW_AUTH_TOKEN: "{{ mobene.nsodev.wordpress.secrets.SMA_WORKFLOW_AUTH_TOKEN | string | b64encode }}"
+          - name: elastic-client-cert
+            data:
+              ca.crt: "{{ mobene.nsodev.elastic.secrets.caCrt | string | b64encode }}"
+    - role: kubernetes/namespace
+      vars:
+        k8s_namespace: cus-mobene-cusqa
+        k8s_secrets:
+          - name: connect-secrets
+            data:
+              JWT_SECRET: "{{ mobene.cusqa.connect.secrets.JWT_SECRET | string | b64encode }}"
+              ADMIN_PASSWORD: "{{ mobene.cusqa.connect.secrets.ADMIN_PASSWORD | string | b64encode }}"
+              ELASTIC_USERNAME: "{{ mobene.cusqa.connect.secrets.ELASTIC_USERNAME | string | b64encode }}"
+              ELASTIC_PASSWORD: "{{ mobene.cusqa.connect.secrets.ELASTIC_PASSWORD | string | b64encode }}"
+              DATASOURCE_USERNAME: "{{ mobene.cusqa.connect.secrets.DATASOURCE_USERNAME | string | b64encode }}"
+              DATASOURCE_PASSWORD: "{{ mobene.cusqa.connect.secrets.DATASOURCE_PASSWORD | string | b64encode }}"
+              MAIL_USER: "{{ mobene.cusqa.connect.secrets.MAIL_USER | string | b64encode }}"
+              MAIL_PASSWORD: "{{ mobene.cusqa.connect.secrets.MAIL_USER | string | b64encode }}"
+              OIDC_CLIENT_SECRET: "{{ mobene.cusqa.connect.secrets.OIDC_CLIENT_SECRET | string | b64encode }}"
+          - name: iam-secrets
+            data:
+              JWT_SECRET: "{{ mobene.cusqa.iam.secrets.JWT_SECRET | string | b64encode }}"
+              KEYCLOAK_ADMIN_PASSWORD: "{{ mobene.cusqa.iam.secrets.KEYCLOAK_ADMIN_PASSWORD | string | b64encode }}"
+              KEYCLOAK_ADMIN_USERNAME: "{{ mobene.cusqa.iam.secrets.KEYCLOAK_ADMIN_USERNAME | string | b64encode }}"
+          - name: sepa-exporter-secrets
+            data:
+              SMA_DOCUMENT_AUTH_TOKEN: "{{ mobene.cusqa.sepaExporter.secrets.SMA_DOCUMENT_AUTH_TOKEN | string | b64encode }}"
+              SMA_WORKFLOW_AUTH_TOKEN: "{{ mobene.cusqa.sepaExporter.secrets.SMA_WORKFLOW_AUTH_TOKEN | string | b64encode }}"
+          - name: uba-exporter-secrets
+            data:
+              SMA_DOCUMENT_AUTH_TOKEN: "{{ mobene.cusqa.ubaExporter.secrets.SMA_DOCUMENT_AUTH_TOKEN | string | b64encode }}"
+              SMA_WORKFLOW_AUTH_TOKEN: "{{ mobene.cusqa.ubaExporter.secrets.SMA_WORKFLOW_AUTH_TOKEN | string | b64encode }}"
+          - name: wordpress-secrets
+            data:
+              SMA_WORKFLOW_AUTH_TOKEN: "{{ mobene.cusqa.wordpress.secrets.SMA_WORKFLOW_AUTH_TOKEN | string | b64encode }}"
+          - name: elastic-client-cert
+            data:
+              ca.crt: "{{ mobene.cusqa.elastic.secrets.caCrt | string | b64encode }}"
+    - role: kubernetes/namespace
+      vars:
+        k8s_namespace: cus-mobene-cusprod
+        k8s_secrets:
+          - name: connect-secrets
+            data:
+              JWT_SECRET: "{{ mobene.cusprod.connect.secrets.JWT_SECRET | string | b64encode }}"
+              ADMIN_PASSWORD: "{{ mobene.cusprod.connect.secrets.ADMIN_PASSWORD | string | b64encode }}"
+              ELASTIC_USERNAME: "{{ mobene.cusprod.connect.secrets.ELASTIC_USERNAME | string | b64encode }}"
+              ELASTIC_PASSWORD: "{{ mobene.cusprod.connect.secrets.ELASTIC_PASSWORD | string | b64encode }}"
+              DATASOURCE_USERNAME: "{{ mobene.cusprod.connect.secrets.DATASOURCE_USERNAME | string | b64encode }}"
+              DATASOURCE_PASSWORD: "{{ mobene.cusprod.connect.secrets.DATASOURCE_PASSWORD | string | b64encode }}"
+              MAIL_USER: "{{ mobene.cusprod.connect.secrets.MAIL_USER | string | b64encode }}"
+              MAIL_PASSWORD: "{{ mobene.cusprod.connect.secrets.MAIL_USER | string | b64encode }}"
+              OIDC_CLIENT_SECRET: "{{ mobene.cusprod.connect.secrets.OIDC_CLIENT_SECRET | string | b64encode }}"
+          - name: iam-secrets
+            data:
+              JWT_SECRET: "{{ mobene.cusprod.iam.secrets.JWT_SECRET | string | b64encode }}"
+              KEYCLOAK_ADMIN_PASSWORD: "{{ mobene.cusprod.iam.secrets.KEYCLOAK_ADMIN_PASSWORD | string | b64encode }}"
+              KEYCLOAK_ADMIN_USERNAME: "{{ mobene.cusprod.iam.secrets.KEYCLOAK_ADMIN_USERNAME | string | b64encode }}"
+          - name: sepa-exporter-secrets
+            data:
+              SMA_DOCUMENT_AUTH_TOKEN: "{{ mobene.cusprod.sepaExporter.secrets.SMA_DOCUMENT_AUTH_TOKEN | string | b64encode }}"
+              SMA_WORKFLOW_AUTH_TOKEN: "{{ mobene.cusprod.sepaExporter.secrets.SMA_WORKFLOW_AUTH_TOKEN | string | b64encode }}"
+          - name: uba-exporter-secrets
+            data:
+              SMA_DOCUMENT_AUTH_TOKEN: "{{ mobene.cusprod.ubaExporter.secrets.SMA_DOCUMENT_AUTH_TOKEN | string | b64encode }}"
+              SMA_WORKFLOW_AUTH_TOKEN: "{{ mobene.cusprod.ubaExporter.secrets.SMA_WORKFLOW_AUTH_TOKEN | string | b64encode }}"
+          - name: wordpress-secrets
+            data:
+              SMA_WORKFLOW_AUTH_TOKEN: "{{ mobene.cusprod.wordpress.secrets.SMA_WORKFLOW_AUTH_TOKEN | string | b64encode }}"
+          - name: elastic-client-cert
+            data:
+              ca.crt: "{{ mobene.cusprod.elastic.secrets.caCrt | string | b64encode }}"

patchday.yml

@@ -3,6 +3,40 @@
 ### tags:
 ###   check_elastic_cluster
 
+
+- hosts: prometheus
+  vars:
+    start: '{{ ansible_date_time.epoch }}'
+
+  tasks:
+    - set_fact:
+        startsAt: "{{ '%Y-%m-%d %H:%M:%S' | strftime(start) }}"
+        endsAt: "{{ '%Y-%m-%d %H:%M:%S' | strftime( ( start | int ) + 3600 |int ) }}"
+
+    - name: "set fact"
+      set_fact:
+        silence:
+          matchers:
+          - name: job
+            value: .+
+            isRegex: true
+          startsAt: '{{ startsAt }}'
+          endsAt: '{{ endsAt }}'
+          createdBy: patchday-automatism
+          comment: patchday
+          id:
+
+    - name: "Schedule silences for stage..."
+      uri:
+        url: "https://{{ stage }}-prometheus-01-alertmanager.smardigo.digital/api/v2/silences"
+        method: POST
+        status_code: [200]
+        headers:
+          Content-Type: application/json
+        body_format: json
+        body: '{{ silence | to_json }}'
+      ignore_errors: yes
+
 - hosts: elastic
   serial: 1
   become: yes
@@ -102,33 +136,55 @@
         name: postgresql
         state: started
 
+    # wait_for cannot be used anymore due to enabled SSL encryption for postgres connections in DEV-382
     - name: "Smardigo Patchday: check if postgres is listing on net internal ip address"
-      ansible.builtin.wait_for:
-        delay: 15
-        timeout: 180
+      become: no
+      community.postgresql.postgresql_ping:
         port: 5432
-        host: '{{ stage_server_ip }}'
+        ssl_mode: require
+        login_host: '{{ stage_private_server_ip }}'
       register: check_postgres
+      ignore_errors: yes
 
-    - name: "Smardigo Patchday: restart postgres and check listing on net internal ip address again"
+    - name: "Smardigo Patchday: error-handling - ensure postgres started and check listing on net internal ip address"
       block:
 
-      - name: "Smardigo Patchday: stop service(s)"
+      - name: "Smardigo Patchday: error-handling - ensure service(s) started"
         ansible.builtin.systemd:
           name: postgresql
-          state: restarted
+          state: started
 
-      - name: "Smardigo Patchday: check if postgres is listing on net internal ip address"
-        ansible.builtin.wait_for:
-          delay: 15
-          timeout: 180
+      - name: "Smardigo Patchday: error-handling - check if postgres is listing on net internal ip address"
+        become: no
+        community.postgresql.postgresql_ping:
           port: 5432
-          host: '{{ stage_server_ip }}'
-          register: check_postgres
-        failed_when: check_postgres_again.failed
+          ssl_mode: require
+          login_host: '{{ stage_private_server_ip }}'
+        register: check_postgres_again
+        retries: 5
+        failed_when: not check_postgres_again.is_available
+
+      rescue:
+        - name: "Smardigo Patchday: error-handling - send mail to DEVOPS-DL"
+          delegate_to: '{{ stage }}-mail-01'
+          community.general.mail:
+            host: localhost
+            port: 25
+            to: '{{ devops_email_address }}'
+            subject: "patchday( {{ lookup('pipe','date +%Y-%m-%d_%H:%M') }} ) problem report for {{ inventory_hostname }}"
+            body: |
+              Dear Sir or Madam,
+
+              I have to inform you that {{ inventory_hostname }} isn'n listening on {{ stage_private_server_ip }} anymore.
+
+              Plz check what happened/ fix it little padawan ;)
+
+              kind regards,
+
+              your automation-bofh
 
       when:
-        - check_postgres.failed
+        - not check_postgres.is_available
 
 - hosts: all,!elastic,!postgres,!k8s_cluster
   serial: 10

provisioning.yml

@@ -2,7 +2,7 @@
 
 - name: 'apply setup to {{ host | default("all") }}'
   hosts: '{{ host | default("all") }}'
-  serial: "{{ serial_number | default(1) }}"
+  serial: "{{ serial_number | default(5) }}"
   gather_facts: no
   become: no
 

remove-database.yml

@@ -84,18 +84,27 @@
     - role: connect_postgres
       when: "'connect' in group_names"
 
-    - role: pdns_admin_postgres
-      when: "'pdns' in group_names"
-
-    - role: pdns_postgres
-      when: "'pdns' in group_names"
+    - role: gitea_postgres
+      when: "'gitea' in group_names"
 
     - role: keycloak_postgres
       when: "'keycloak' in group_names"
 
+#    - role: pdns_admin_postgres
+#      when: "'pdns' in group_names"
+
+#    - role: pdns_postgres
+#      when: "'pdns' in group_names"
+
     - role: webdav_postgres
       when: "'webdav' in group_names"
 
+    - role: workflow_index_postgres
+      when: "'workflow_index' in group_names"
+
+    - role: workflow_proxy_postgres
+      when: "'workflow_proxy' in group_names"
+
     - role: connect_wordpress_maria
       when: "'connect_wordpress' in group_names"
 

restore-database-backup.yml

@@ -61,7 +61,7 @@
   serial: "{{ serial_number | default(1) }}"
   remote_user: root
   vars:
-    postgres_backup_state: restore
+    database_backup_state: restore
     ansible_ssh_host: "{{ stage_server_domain }}"
 
   roles:

restore-remote-database-backup.yml

@@ -0,0 +1,251 @@
+---
+
+# restores remote database backup
+#   - postgres
+#     - executed on stage specific server: {{ stage }}-restore-postgres-01
+#     - restores a server from full-backup
+#   - mariadb
+#     - executed on stage specific server: {{ stage }}-restore-maria-01
+#     - restores a server from full-backup
+
+# Parameters:
+#   playbook inventory
+#     stage := the name of the stage (e.g. dev, int, qa, prod)
+#     database_engine := the database engine to restore a backup for (e.g. postgres, maria)
+#   smardigo message callback
+#     scope_id := (scope id of the management process)
+#     process_instance_id := (process instance id of the management process)
+#     smardigo_management_action := (smardigo management action anme of the management process)
+
+#############################################################
+#   Creating inventory dynamically for given parameters
+#############################################################
+
+- hosts: localhost
+  connection: local
+  gather_facts: false
+
+  pre_tasks:
+    - name: "Check if ansible version is at least 2.10.x"
+      assert:
+        that:
+          - ansible_version.major >= 2
+          - ansible_version.minor >= 10
+        msg: "The ansible version has to be at least ({{ ansible_version.full }})"
+
+#     add virtual server to load stage specific variables as context
+    - name: "Add <{{ stage }}-virtual-host-to-read-groups-vars> to hosts"
+      add_host:
+        name: "{{ stage }}-virtual-host-to-read-groups-vars"
+        groups:
+        - "stage_{{ stage }}"
+      changed_when: False
+
+  tasks:
+    - name: "Add {{ database_engine }} servers to hosts if necessary"
+      add_host:
+        name: "{{ stage }}-restore-{{ database_engine }}-01"
+        groups:
+        - "stage_{{ stage }}"
+        - 'restore'
+      changed_when: False
+    - name: "Add 'backup' servers to hosts if necessary"
+      add_host:
+        name: "{{ stage }}-backup-01"
+        groups:
+        - "stage_{{ stage }}"
+        - backup
+      changed_when: False
+
+#############################################################
+#   Create restore server(s)
+#############################################################
+
+- hosts: "restore"
+  serial: "{{ serial_number | default(1) }}"
+  gather_facts: false
+  remote_user: root
+
+  roles:
+    - role: hcloud
+      vars:
+        sma_digitalocean_ttl: 60 # set it to 60sec to reduce DNS caching problems with internal IT in case of debugging ansible problems ;)
+
+#############################################################
+#   Provisioning server(s) for created inventory
+#############################################################
+
+- hosts: "restore"
+  serial: "{{ serial_number | default(1) }}"
+  remote_user: root
+  vars:
+    ansible_ssh_host: "{{ stage_server_domain }}"
+
+  pre_tasks:
+    - name: "Import autodiscover pre-tasks"
+      import_tasks: tasks/autodiscover_pre_tasks.yml
+      become: false
+      tags:
+        - always
+
+  roles:
+    - role: common
+
+    - role: filebeat
+      when: filebeat_enabled | default(True)
+
+    - role: node_exporter
+      when: node_exporter_enabled | default(True)
+
+    - role: restore_{{ database_engine }}
+
+#############################################################
+#   add restore specific firewall rule
+#############################################################
+
+- hosts: "{{ stage }}-virtual-host-to-read-groups-vars"
+  serial: "{{ serial_number | default(1) }}"
+  gather_facts: false
+  connection: local
+  vars:
+    hcloud_firewall_objects_backup:
+       -
+         name: "{{ stage }}-restore-ssh-access"
+         state: present
+         rules:
+         -
+            direction: in
+            protocol: tcp
+            port: '22'
+            source_ips:
+              - "{{ lookup('community.general.dig', groups['backup'][0] + '.' + domain ) }}/32"
+            destination_ips: []
+            description: null
+         apply_to:
+         -
+           type: label_selector
+           label_selector:
+             selector: 'service=restore'
+
+  tasks:
+    - name: "Add hcloud firewall rule(s)"
+      include_role:
+        name: hcloud
+        tasks_from: configure-firewall2
+      loop: "{{ hcloud_firewall_objects_backup }}"
+      loop_control:
+        loop_var: firewall_object
+
+#############################################################
+#   Syncing backups from backup server to restore server
+#############################################################
+
+- hosts: "backup"
+  serial: "{{ serial_number | default(5) }}"
+  gather_facts: false
+  vars:
+    backupserver_system_user: 'backuphamster'
+    ansible_ssh_host: "{{ stage_server_domain }}"
+  tasks:
+    # I could not get it up and running with <synchronize> module
+    # to sync data from remote server A to remote server B
+    - name: "Syncing remote backups"
+      become: yes
+      become_user: '{{ backupserver_system_user }}'
+      vars:
+        database_server_ip: "{{ groups['restore'][0] }}.{{ domain }}"
+      shell: '/home/{{ backupserver_system_user }}/push_backups_to_restore_server.sh {{ database_server_ip }} {{ stage }} {{ database_engine }}'
+
+#############################################################
+#   Restoring from backup
+#############################################################
+
+- hosts: "restore"
+  serial: "{{ serial_number | default(1) }}"
+  gather_facts: false
+  vars:
+    ansible_ssh_host: "{{ stage_server_domain }}"
+  tasks:
+    - name: "Triggering restore"
+      become: yes
+      shell: '/root/restore.sh {{ stage }}'
+
+    - name: "Check for test data on postgres"
+      block:
+
+      - name: "Querying postgres ..."
+        become: yes
+        become_user: postgres
+        community.postgresql.postgresql_query:
+          db: dummytestdb
+          query: SELECT movie FROM movie_quotes WHERE quote = %(quote_val)s
+          named_args:
+            quote_val: 'Shall we play'
+        register: query_output
+
+      - assert:
+          that:
+          - 'query_output.query_all_results | first | selectattr("movie","match","wargames") | length == 1'
+
+      when:
+        - database_engine == 'postgres'
+
+    - name: "Check for test data on mariadb"
+      block:
+
+      - name: "Querying mariadb ..."
+        become: yes
+        become_user: root
+        community.mysql.mysql_query:
+          login_unix_socket: /run/mysqld/mysqld.sock
+          login_db: dummytestdb
+          query: SELECT movie FROM movie_quotes WHERE quote = %s
+          positional_args:
+            - 'Shall we play'
+        register: query_output
+
+      - assert:
+          that:
+          - 'query_output.query_result | first | selectattr("movie","match","wargames") | length == 1'
+
+      when:
+        - database_engine == 'maria'
+
+#############################################################
+#   Deleting servers/domains for created inventory
+#############################################################
+
+- hosts: "restore"
+  serial: "{{ serial_number | default(5) }}"
+  gather_facts: false
+
+  tasks:
+    - name: "Delete server <{{ inventory_hostname }}>"
+      include_role:
+        name: hcloud
+        tasks_from: _set_server_state
+      vars:
+        - server_state: "absent"
+
+    - name: "Delete DNS entry <{{ inventory_hostname }}> for <{{ domain }}>"
+      include_role:
+        name: sma_digitalocean
+        tasks_from: _remove_dns
+      vars:
+        record_to_remove: '{{ inventory_hostname }}'
+
+#############################################################
+#   Sending smardigo management message to process
+#############################################################
+
+- hosts: "{{ stage }}-virtual-host-to-read-groups-vars"
+  serial: "{{ serial_number | default(1) }}"
+  gather_facts: false
+  connection: local
+  run_once: true
+  vars:
+    connect_jwt_username: "{{ management_admin_username }}"
+
+  tasks:
+    - name: "Sending smardigo management message to <{{ smardigo_management_url }}>"
+      include_tasks: tasks/smardigo_management_message.yml

roles/backup/files/pull_remote_backups.sh

@@ -12,3 +12,5 @@ DEST_DIR=${HOME}/backups/${STAGE}/${DATABASE_ENGINE}/
 mkdir -p ${DEST_DIR}
 rsync -av --remove-source-files -e "ssh -o StrictHostKeyChecking=no" ${REMOTE_SYSTEM_USER}@${DATABASE_SERVER_IP}:/backups/${DATABASE_ENGINE}/* ${DEST_DIR}/
 
+# remove files oder than XX in backup-DIR
+find ${DEST_DIR} -ctime +7 -delete

roles/backup/files/push_backups_to_restore_server.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+#
+#
+#
+
+REMOTE_SYSTEM_USER=backupuser
+DATABASE_SERVER_IP=$1
+STAGE=$2
+DATABASE_ENGINE=$3
+
+# currently it defaults to todays date
+DATE=$(date +%F)
+
+LOCAL_BACKUP_DIR="${HOME}/backups/${STAGE}/${DATABASE_ENGINE}"
+BACKUP_FILE_FOR_TRANSFER=$(find "${LOCAL_BACKUP_DIR}/${DATE}/" -name *.gz.gpg | tail -n 1)
+
+REMOTE_BACKUP_DIR="/home/${REMOTE_SYSTEM_USER}/backups/${STAGE}/${DATABASE_ENGINE}"
+DEST_DIR="${REMOTE_BACKUP_DIR}/${DATE}/"
+
+# avoid "REMOTE HOST IDENTIFICATION HAS CHANGED" - errors due to dynamic created server on restore process
+ssh-keygen -f "/home/backuphamster/.ssh/known_hosts" -R ${DATABASE_SERVER_IP}
+
+SSH_OPTIONS='-o StrictHostKeyChecking=no'
+
+# needed due to unknown rsync option --mkpath in rsync version 3.1.3
+ssh ${SSH_OPTIONS} ${REMOTE_SYSTEM_USER}@${DATABASE_SERVER_IP} "mkdir -p ${DEST_DIR}"
+
+rsync -v -e "ssh ${SSH_OPTIONS}" $BACKUP_FILE_FOR_TRANSFER ${REMOTE_SYSTEM_USER}@${DATABASE_SERVER_IP}:${DEST_DIR}
+
+BKP_FILE_TRANSFERRED=$(echo $BACKUP_FILE_FOR_TRANSFER | awk -F / '{ print $NF}')
+
+ssh ${SSH_OPTIONS} ${REMOTE_SYSTEM_USER}@${DATABASE_SERVER_IP} "test -f ${DEST_DIR}${BKP_FILE_TRANSFERRED}"

roles/backup/tasks/main.yml

@@ -29,8 +29,26 @@
 - name: "Providing rsync script"
   become: yes
   copy:
-    src: pull_remote_backups.sh
-    dest: '/home/{{ system_user }}/pull_remote_backups.sh'
+    src: '{{ item }}'
+    dest: '/home/{{ system_user }}/{{ item }}'
     mode: '0755'
     owner: '{{ system_user }}'
     group: '{{ system_user }}'
+  with_items:
+    - pull_remote_backups.sh
+    - push_backups_to_restore_server.sh
+
+- name: Touch metrics.prom is not exists
+  file:
+    path: "/home/{{ system_user }}/metrics.prom"
+    state: touch
+    mode: '0744'
+    owner: '{{ system_user }}'
+    group: '{{ system_user }}'
+
+- name: Create symbolic link for node_exporter text metrics
+  file:
+    src: "/home/{{ system_user }}/metrics.prom"
+    dest: "/var/lib/prometheus/node-exporter/offsite-metrics.prom"
+    state: link
+

roles/common/tasks/main.yml

@@ -23,6 +23,8 @@
       {% for host in shared_service_hosts %}
       {{ host.ip }} {{ host.name }}
       {% endfor %}
+  when:
+    - "'hcloud' in group_names"
   tags:
     - update_etc_hosts
 
@@ -59,7 +61,7 @@
 - name: "Remove outdated users"
   user: name={{ item }} state=absent remove=yes
   with_items: "{{ current_users.stdout_lines }}"
-  when: not ((item in default_plattform_users) or (item in smardigo_plattform_users))
+  when: not ((item in default_users) or (item in smardigo_plattform_users))
   tags:
     - users
 
@@ -97,24 +99,13 @@
   tags:
     - users
 
-- name: "Create stuff for backups on database servers"
-  block:
-  - name: "Create system user for remote_backup"
-    become: yes
-    ansible.builtin.user:
-      name: '{{ backupuser_username }}'
-      comment: "user for backup"
-      shell: /bin/bash
-
-  - name: "Add SSH pub key to auth_keys"
-    authorized_key:
-      user: '{{ backupuser_username }}'
-      key: '{{ backupuser_ssh_pubkey }}'
-  when:
-    - inventory_hostname in groups['postgres'] or
-      inventory_hostname in groups['maria']
+- name: "Update available package list"
+  apt:
+    update_cache: yes
   tags:
-    - users
+    - install
+    - upgrade
+  when: ansible_distribution == "Ubuntu"
 
 - name: "Ensure docker configuration directory exists"
   file:
@@ -279,3 +270,13 @@
     state: present
   tags:
     - config
+
+- name: "configure ssh_hardening"
+  include_role:
+    # include role from collection called 'devsec'
+    name: devsec.hardening.ssh_hardening
+    apply:
+      tags:
+        - ssh_hardening
+  tags:
+    - ssh_hardening

roles/confirm_postgres/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+confirm_postgres_database: '{{ stage }}_{{ tenant_id }}_{{ cluster_name }}_confirm'
+confirm_postgres_password: 'confirm-postgres-admin'
+
+postgres_acls:
+  - name: "{{ confirm_postgres_database }}"
+    password: "{{ confirm_postgres_password }}"
+    trusted_cidr_entry: "{{ shared_service_network }}"

roles/confirm_postgres/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+
+### tags:
+
+- name: "Updating <confirm> database on {{ inventory_hostname }}"
+  include_role:
+    name: postgres
+    tasks_from: _update_database_state
+  when:
+  - database_backup_state is not defined
+
+- name: "Creating/Restoring <confirm> database backup on {{ inventory_hostname }}"
+  include_role:
+    name: postgres
+    tasks_from: _create_database_backup.yml
+  when:
+  - database_backup_state is defined
+  - database_backup_state in ['dump', 'restore']

roles/connect/defaults/main.yml

@@ -2,10 +2,6 @@
 
 connect_image_name: "{{ shared_service_harbor_hostname }}/smardigo/connect-whitelabel-app"
 
-# TODO inject by management portal
-connect_admin_username: "connect-admin"
-connect_admin_password: "connect-admin"
-
 connect_mail_host: "{{ shared_service_mail_hostname }}"
 connect_mail_properties_base_url: "{{ http_s }}://{{ connect_base_url }}"
 connect_mail_properties_base_url_extern: "{{ http_s }}://{{ connect_base_url }}"

roles/connect/tasks/main.yml

@@ -66,6 +66,14 @@
   tags:
     - update_certs
 
+- name: "Restart {{ connect_id }}"
+  community.docker.docker_compose:
+    project_src: '{{ service_base_path }}/{{ connect_id }}'
+    restarted: yes
+    build: no
+  tags:
+    - update_certs
+
 - name: "Update {{ connect_id }}"
   community.docker.docker_compose:
     project_src: '{{ service_base_path }}/{{ connect_id }}'
@@ -73,10 +81,3 @@
     pull: yes
   tags:
     - update_deployment
-
-- name: "Configure connect connections"
-  include_tasks: connections.yml
-  when:
-    smardigo_auth_token_value is defined
-  tags:
-    - always

roles/connect/vars/main.yml

@@ -20,8 +20,8 @@ connect_labels: [
 connect_environment: [
   "TENANT_ID: \"{{ connect_client_id }}\"",
 
-  "ADMIN_LOGIN: \"{{ connect_admin_username }}\"",
-  "ADMIN_PASSWORD: \"{{ connect_admin_password }}\"",
+  "ADMIN_LOGIN: \"{{ connect_client_admin_username }}\"",
+  "ADMIN_PASSWORD: \"{{ connect_client_admin_password }}\"",
   "SMA_JWT_ENABLED: \"{{ connect_jwt_enabled | default('false') }}\"",
   "SMA_JWT_SECRET: \"{{ connect_jwt_secret | default('') }}\"",
   "SMA_CSRF_TOKEN_NAME: \"{{ connect_csrf_token_name | default('') }}\"",
@@ -29,7 +29,7 @@ connect_environment: [
   "SPRING_PROFILES_INCLUDE: \"{{ spring_profiles_include | default('swagger') }}\"",
   "RIBBON_DISPLAY_ON_ACTIVE_PROFILES: \"{{ ribbon_display_on_active_profiles | default('dev') }}\"",
 
-  "DATASOURCE_URL: \"jdbc:postgresql://{{ connect_postgres_host }}:{{ service_port_postgres }}/{{ connect_postgres_database }}\"",
+  "DATASOURCE_URL: \"jdbc:postgresql://{{ connect_postgres_host }}:{{ service_port_postgres }}/{{ connect_postgres_database }}?sslmode=require\"",
   "DATASOURCE_USERNAME: \"{{ connect_postgres_username }}\"",
   "DATASOURCE_PASSWORD: \"{{ connect_postgres_password }}\"",
   "FILE_WHITELIST_URL: \"{{ connect_whitelist_url | default('') }}\"",
@@ -44,6 +44,9 @@ connect_environment: [
   "MAIL_PROPERTIES_BASE_URL_EXTERN: \"{{ connect_mail_properties_base_url_extern }}\"",
   "MAIL_PROPERTIES_SENDER: \"{{ connect_mail_properties_sender | default('noreply-connect@netgo.de') }}\"",
   "MAIL_PROPERTIES_SENDER_ALIAS: \"{{ connect_mail_properties_sender_alias | default('noreply-connect') }}\"",
+  "MAIL_PROPERTIES_SMTP_AUTH: \"{{ connect_mail_properties_smtp_auth | default('false') }}\"",
+  "MAIL_PROPERTIES_SMTP_STARTTLS_ENABLE: \"{{ connect_mail_properties_smtp_starttls_enable | default('false') }}\"",
+  "MAIL_PROPERTIES_SMTP_STARTTLS_REQUIRED: \"{{ connect_mail_properties_smtp_starttls_required | default('false') }}\"",
 
   "AUTH_MODULE: \"{{ connect_auth_module | default('preauth') }}\"",
   "OIDC_CLIENT_ID: \"{{ connect_oidc_client_id | default('oidc_config_not_found') }}\"",
@@ -99,6 +102,10 @@ connect_environment: [
   "OPENTRACING_JAEGER_LOG_SPANS: \"{{ connect_opentracing_jaeger_log_spans | default(false) }}\"",
   "OPENTRACING_JAEGER_SERVICE_NAME: \"{{ connect_opentracing_jaeger_service_name | default(connect_id) }}\"",
   "OPENTRACING_JAEGER_HTTP_SENDER_URL: \"{{ connect_opentracing_jaeger_http_sender_url | default() }}\"",
+
+  "CONFIG_DELETE_SCOPE_ENABLED: \"{{ connect_config_delete_scope_enabled | default(false) }}\"",
+  "CONFIG_LOCAL_IMPORT_ENABLED: \"{{ connect_config_local_import_enabled | default(false) }}\"",
+  "SMA_WORKFLOW_HEATMAP_ENABLED: \"{{ connect_workflow_heatmap_enabled | default(false) }}\"",
 ]
 
 connect_docker: {

roles/connect_postgres/tasks/main.yml

@@ -1,19 +1,18 @@
 ---
 
 ### tags:
-###     - remove-data
 
-- name: "Setup postgres for {{ inventory_hostname }}"
+- name: "Updating <connect> database on {{ inventory_hostname }}"
   include_role:
     name: postgres
-    tasks_from: _postgres-acls
+    tasks_from: _update_database_state
   when:
-  - postgres_backup_state is not defined
+  - database_backup_state is not defined
 
-- name: "Creating/restoring postgres backup"
+- name: "Creating/Restoring <connect> database backup on {{ inventory_hostname }}"
   include_role:
     name: postgres
     tasks_from: _create_database_backup.yml
   when:
-  - postgres_backup_state is defined
-  - postgres_backup_state in ['dump', 'restore']
+  - database_backup_state is defined
+  - database_backup_state in ['dump', 'restore']

roles/connect_realm/defaults/main.yml

@@ -1,10 +1,6 @@
 ---
 
-# TODO inject by management portal
-connect_client_admin_username: "connect-admin"
 connect_client_admin_password: "C0nnect-Admin!"
-# TODO inject by management portal
-connect_realm_admin_username: "connect-realm-admin"
 connect_realm_admin_password: "C0nnect-Realm-Admin!"
 
 current_realm_clients: [
@@ -44,6 +40,9 @@ current_realm_users: >-
   [{{ current_realm_users_base }}]
   {%- endif -%}
 
-current_realm_admin_user:
-  username: "{{ connect_realm_admin_username }}"
-  password: "{{ connect_realm_admin_password }}"
+current_realm_admin_users: [
+  {
+    "username": "{{ connect_realm_admin_username }}",
+    "password": "{{ connect_realm_admin_password }}",
+  }
+]

roles/connect_realm/tasks/main.yml

@@ -17,7 +17,7 @@
     name: keycloak
     tasks_from: _create_realm_users
 
-- name: "Create realm admin"
+- name: "Create realm admin users"
   include_role:
     name: keycloak
     tasks_from: _create_realm_admin

roles/connect_wordpress/tasks/main.yml

@@ -6,7 +6,7 @@
 - name: "Creating smardigo user token"
   smardigo_user_token:
     secret:  "{{ connect_jwt_secret }}"
-    user_id: "{{ connect_admin_username }}"
+    user_id: "{{ connect_wordpress_buergerportal_username }}"
   register: smardigo_user_token_result
   delegate_to: 127.0.0.1
   become: false

roles/connect_wordpress/vars/main.yml

@@ -42,6 +42,7 @@ wordpress_docker: {
         "WORDPRESS_CONFIG_EXTRA: |",
         "  define( 'WP_HOME', 'https://{{ wordpress_base_url }}' );",
         "  define( 'WP_SITEURL', 'https://{{ wordpress_base_url }}' );",
+        "  define( 'MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT );",
         "AUTH_API: \"https://{{ shared_service_keycloak_hostname }}\"",
         "RESOURCE_API: \"https://{{ connect_base_url }}\"",
         "REALM_ID: \"{{ current_realm_name }}\"",

roles/connect_wordpress_maria/tasks/main.yml

@@ -2,7 +2,17 @@
 
 ### tags:
 
-- name: "Setup maria for {{ inventory_hostname }}"
+- name: "Updating <wordpress> database on {{ inventory_hostname }}"
   include_role:
     name: maria
-    tasks_from: _create-database
+    tasks_from: _update_database_state
+  when:
+  - database_backup_state is not defined
+
+- name: "Creating/Restoring <wordpress> database backup on {{ inventory_hostname }}"
+  include_role:
+    name: maria
+    tasks_from: _create_database_backup.yml
+  when:
+  - database_backup_state is defined
+  - database_backup_state in ['dump', 'restore']

roles/elastic/tasks/main.yaml

@@ -64,12 +64,19 @@
     - update_certs
     - update_config
 
+- name: "Restart {{ elastic_id }}"
+  community.docker.docker_compose:
+    project_src: '{{ service_base_path }}/{{ elastic_id }}'
+    restarted: yes
+    build: no
+  tags:
+    - update_certs
+
 - name: "Update {{ elastic_id }}"
   community.docker.docker_compose:
     project_src: '{{ service_base_path }}/{{ elastic_id }}'
     state: present
     pull: yes
   tags:
-    - update_certs
     - update_config
     - update_deployment

roles/export_maria_database/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+upload_directory: "{{ backup_directory }}"

roles/export_maria_database/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+
+### tags:
+
+- name: "Export database  <{{ target_database }}> to <{{ upload_directory }}/{{ database_backup_file }}>"
+  community.mysql.mysql_db:
+    name: "{{ target_database }}"
+    state: dump
+    target: "/{{ upload_directory }}/{{ database_backup_file }}"
+    config_file: "/etc/mysql/mariadb.conf.d/50-client.cnf"
+    login_password: "{{ mysql_root_password }}"

roles/gitea/vars/main.yml

@@ -31,6 +31,7 @@ gitea_environment: [
   "GITEA__database__NAME: \"{{ gitea_postgres_database }}\"",
   "GITEA__database__USER: \"{{ gitea_postgres_database }}\"",
   "GITEA__database__PASSWD: \"{{ gitea_postgres_password }}\"",
+  "GITEA__database__SSL_MODE: \"require\"",
 
   "GITEA__server__DOMAIN: \"{{ stage_server_domain }}\"",
   "GITEA__server__SSH_DOMAIN: \"{{ stage_server_domain }}\"",

roles/gitea_postgres/tasks/main.yml

@@ -1,19 +1,18 @@
 ---
 
 ### tags:
-###     - remove-data
 
-- name: "Setup postgres for {{ inventory_hostname }}"
+- name: "Updating <gitea> database on {{ inventory_hostname }}"
   include_role:
     name: postgres
-    tasks_from: _postgres-acls
+    tasks_from: _update_database_state
   when:
-  - postgres_backup_state is not defined
+  - database_backup_state is not defined
 
-- name: "Creating/restoring postgres backup"
+- name: "Creating/Restoring <gitea> database backup on {{ inventory_hostname }}"
   include_role:
     name: postgres
     tasks_from: _create_database_backup.yml
   when:
-  - postgres_backup_state is defined
-  - postgres_backup_state in ['dump', 'restore']
+  - database_backup_state is defined
+  - database_backup_state in ['dump', 'restore']

roles/harbor/tasks/install.yml

@@ -162,3 +162,4 @@
   systemd:
     name: harbor
     state: started
+    enabled: yes

roles/harbor_realm/defaults/main.yml

@@ -37,6 +37,15 @@ current_realm_users: [
   }
 ]
 
+current_realm_admin_users: [
+  {
+    "username": "{{ harbor_oidc_admin_username }}",
+    "password": "{{ harbor_oidc_admin_password }}",
+    "email": "{{ harbor_oidc_admin_email }}",
+    "requiredActions": []
+  }
+]
+
 current_realm_admin_user: 
   username: "{{ harbor_oidc_admin_username }}"
   password: "{{ harbor_oidc_admin_password }}"

roles/hcloud/defaults/main.yml

@@ -1,3 +1,5 @@
 ---
 
 server_state: "present"
+max_retries: 15
+retry_delay: 60

roles/hcloud/tasks/_create_loadbalancer.yml

@@ -0,0 +1,26 @@
+---
+- name: "Create a hetzner LB"
+  hetzner.hcloud.hcloud_load_balancer:
+    name: '{{ lb_object.name }}' 
+    load_balancer_type: '{{ lb_object.lb_type | default("lb11") }}'
+    delete_protection: '{{ lb_object.delete_protection | default("no") }}'
+    disable_public_interface: '{{ lb_object.disable_public_interface | default("no") }}'
+    labels: '{{ lb_object.labels | default({}) }}'
+    location: '{{ lb_object.location | default("nbg1") }}'
+    state: '{{ lb_object.status | default("present") }}'
+
+- name: Create a basic Load Balancer network
+  hetzner.hcloud.hcloud_load_balancer_network:
+    load_balancer: '{{ lb_object.name }}'
+    state: '{{ lb_object.status | default("present") }}'
+    network: '{{ lb_object.network }}'
+    
+- name: "Add Services to LB"
+  hetzner.hcloud.hcloud_load_balancer_service:
+  args: '{{ item }}'
+  loop: '{{ lb_object.services }}'
+
+- name: "Add servers by label|server to LB"
+  hetzner.hcloud.hcloud_load_balancer_target:
+  args: '{{ item }}'
+  loop: '{{ lb_object.targets }}'

roles/hcloud/tasks/_set_server_state.yml

@@ -1,4 +1,9 @@
 ---
+- name: "Block to handle hetzner server state in case of problems"
+  block:
+  - name: "Increment the retry count"
+    set_fact:
+      retry_count: "{{ retry_count | default(0) | int + 1 }}"
 
   - name: "Checking state for server <{{ inventory_hostname }}> is <{{ server_state }}>"
     hetzner.hcloud.hcloud_server:
@@ -12,3 +17,45 @@
       state: "{{ server_state }}"
     delegate_to: 127.0.0.1
     become: false
+    async: 300
+    poll: 5
+    register: hcloud_response
+    ignore_errors: yes
+
+  - name: "Block - DEBUG: hcloud_response"
+    debug:
+      msg: '{{ hcloud_response.msg }}'
+    when:
+      - hcloud_response.msg is defined
+
+  - name: "Ensure Server is STARTED when server_state=present"
+    hetzner.hcloud.hcloud_server:
+      api_token: "{{ hetzner_authentication_ansible }}"
+      name: "{{ inventory_hostname }}"
+      state: "started"
+    delegate_to: 127.0.0.1
+    become: false
+    async: 150
+    poll: 15
+    register: hcloud_response
+    when:
+      - server_state == 'present'
+
+  rescue:
+    - name: "RESCUE - fail: Maximum retries reached"
+      fail:
+        msg: "max_retries of {{ max_retries }} reached. Plz check."
+      when: retry_count | int == max_retries | int
+
+    - name: "RESCUE-fail DEBUG: hcloud_response"
+      debug:
+        msg: '{{ hcloud_response.msg }}'
+
+    - name: "RESCUE: wait_for {{ retry_delay }} sec. between retries"
+      wait_for:
+        timeout: "{{ retry_delay }}"
+      delegate_to: localhost
+      become: false
+
+    - name: "Include _set_server one time again => increase retry_count"
+      include_tasks: _set_server_state.yml