gitea-admin
/
hetzner-ansible
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
prodnso
main
qa
feature/DEV-655
feature/SC-124
feature/SC-55
feature/DEV-470_2nd
feature/DEV-380_2nd
feature/DEV-380
master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5d604700dd'
${ noResults }
hetzner-ansible/roles/kubernetes/apps/tasks/argocd.yml

263 lines
8.8 KiB
YAML
Raw Blame History

---
- name: "Login with keycloak-admin"
include_role:
name: keycloak
tasks_from: _authenticate
- name: "Setup keycloak-realm for argocd"
include_role:
name: keycloak
tasks_from: _configure_realm
vars:
current_realm_name: '{{ argo_realm_name }}'
current_realm_display_name: '{{ argo_realm_display_name }}'
create_client: False
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: "Create a Keycloak group, authentication with credentials"
include_role:
name: keycloak
tasks_from: _create_realm_groups
vars:
current_realm_name: '{{ argo_realm_name }}'
current_realm_display_name: '{{ argo_realm_display_name }}'
current_realm_groups:
- name: "{{ argo_realm_group }}"
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: "Create keycloak user(s)"
include_role:
name: keycloak
tasks_from: _create_realm_users
vars:
current_realm_name: '{{ argo_realm_name }}'
current_realm_users: '{{ argo_realm_users }}'
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: "ADD user group mapping"
include_role:
name: keycloak
tasks_from: _configure_user_groupmembership_crud
vars:
username: '{{ argocd_admin_username }}'
destination_group: '{{ argo_realm_group }}'
realm_name: '{{ argo_realm_name }}'
bearer_token: '{{ access_token }}'
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: "Create keycloak clientscope"
delegate_to: localhost
become: False
community.general.keycloak_clientscope:
auth_client_id: admin-cli
auth_keycloak_url: "{{ keycloak_server_url }}/auth"
auth_realm: 'master'
auth_username: "{{ keycloak_admin_username }}"
auth_password: "{{ keycloak_admin_password }}"
name: '{{ argo_keycloak_clientscope_name }}'
realm: '{{ argo_realm_name }}'
protocol: '{{ argo_keycloak_clientscope_protocol }}'
protocol_mappers:
- config:
access.token.claim: True
claim.name: '{{ argo_keycloak_clientscope_name }}'
full.path: False # set it to true and you will be DAMNED => groupname for argo k8s configmap argocd-rbac-cm will be "/{{ group_name }}" !!!! instead of "{{ group_name }}"
id.token.claim: True
userinfo.token.claim: True
name: '{{ argo_keycloak_clientscope_name }}'
protocol: openid-connect
protocolMapper: oidc-group-membership-mapper
when:
- inventory_hostname == groups['kube_control_plane'][0]
# using template from exported keycloak client object
# due to needed params but missing in community.general.keycloak_client
# e.g. defaultClientScopes
- name: "Create json object as VAR from template"
set_fact:
keycloak_realm_create_client: "{{ lookup('template','keycloak-realm-create-client-argocd.json.j2') }}"
vars:
client_redirect_uri: '{{ argo_client_redirect_uris }}'
client_web_origins: '{{ argo_client_web_origins }}'
client_id: '{{ argo_client_id }}'
realm_name: '{{ argo_realm_name }}'
client_root_url: '{{ argo_client_root_url }}'
client_admin_url: '{{ argo_client_admin_url }}'
client_base_url: '{{ argo_client_base_url }}'
keycloak_clientscope_name: '{{ argo_keycloak_clientscope_name }}'
keycloak_clientscope_protocol: '{{ argo_keycloak_clientscope_protocol }}'
keycloak_client_secret: '{{ argo_keycloak_client_secret }}'
# throw needed VARs against keycloak API
# to CRUD
- name: "Create client"
include_role:
name: keycloak
tasks_from: _configure_client_crud
vars:
client_id: '{{ argo_client_id }}'
realm_name: '{{ argo_realm_name }}'
keycloak_client_object: '{{ keycloak_realm_create_client }}'
bearer_token: '{{ access_token }}'
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: "GET available clients from <<{{ argo_realm_name }}>>-realm"
delegate_to: localhost
become: False
uri:
url: "{{ keycloak_server_url }}/auth/admin/realms/{{ argo_realm_name }}/clients"
method: GET
headers:
Content-Type: "application/json"
Authorization: "Bearer {{ access_token }}"
status_code: [200]
register: argo_realm_clients
when:
- inventory_hostname == groups['kube_control_plane'][0]
# available clients: get needed ID
- name: "Get ID of client by paring argo_realm_clients object"
set_fact:
id_of_client: '{{ ( argo_realm_clients.json | selectattr("clientId","equalto",argo_client_id ) | first ).id }}'
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: "GET client-secret for client <<{{ argo_client_id }}>> in realm <<{{ argo_realm_name }}>>"
delegate_to: localhost
become: False
uri:
url: "{{ keycloak_server_url }}/auth/admin/realms/{{ argo_realm_name }}/clients/{{ id_of_client }}/client-secret"
method: GET
headers:
Content-Type: "application/json"
Authorization: "Bearer {{ access_token }}"
status_code: [200]
register: client_secret
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: "DEBUG"
debug:
msg: "DEBUGGING: {{ client_secret.json.value }}"
when:
- debug
- inventory_hostname == groups['kube_control_plane'][0]
- name: "Create namespace <{{ k8s_argocd_helm__release_namespace }}>"
kubernetes.core.k8s:
name: "{{ k8s_argocd_helm__release_namespace }}"
api_version: v1
kind: Namespace
state: present
- name: "Create a k8s Secret containing GPG key"
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
data:
gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private | string | b64encode }}'
kind: Secret
metadata:
name: sops-gpg
namespace: '{{ k8s_argocd_helm__release_namespace }}'
type: Opaque
- name: "Create VAR to overwrite specific helm value - prepare combining dicts"
set_fact:
additional_helm_values:
configs:
secret:
extra:
oidc.keycloak.clientSecret: '{{ client_secret.json.value }}'
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: "Combining helm release values"
set_fact:
combined_helm__release_values: '{{ k8s_argocd_helm__release_values | combine(additional_helm_values, recursive=True) }}'
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: "DEBUG"
debug:
msg: "DEBUGGING: {{ combined_helm__release_values }}"
when:
- debug
- inventory_hostname == groups['kube_control_plane'][0]
- name: Deploy argo-cd inside argo-cd namespace
kubernetes.core.helm:
name: "{{ k8s_argocd_helm__name }}"
chart_ref: "{{ k8s_argocd_helm__chart_ref | default('argo-cd') }}"
chart_repo_url: "{{ k8s_argocd_helm__chart_repo_url | default('https://argoproj.github.io/argo-helm') }}"
release_namespace: "{{ k8s_argocd_helm__release_namespace }}"
create_namespace: yes
release_values: "{{ combined_helm__release_values }}"
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: Download argo-cd ApplicationSet CRD
get_url:
url: 'https://raw.githubusercontent.com/argoproj/applicationset/{{ k8s_argocd__crd_applicationset_version }}/manifests/install.yaml'
dest: '/tmp/argocd_ApplicationSet_install_{{ k8s_argocd__crd_applicationset_version }}.yml'
mode: '0440'
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: Deploy argo-cd ApplicationSet CRD
kubernetes.core.k8s:
state: present
namespace: '{{ k8s_argocd_helm__release_namespace }}'
src: '/tmp/argocd_ApplicationSet_install_{{ k8s_argocd__crd_applicationset_version }}.yml'
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: Checkout defined argocd-related objects
ansible.builtin.git:
repo: 'https://{{ gitea_admin_username }}:{{ gitea_admin_password }}@{{ shared_service_gitea_hostname }}/gitea-admin/argocd.git'
dest: '/tmp/gitrepo'
version: master
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: Find file with definition of argocd-AppProjects
find:
paths: '/tmp/gitrepo/AppProjects'
pattern: '*.yml'
register: appprojects
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: Find file with definition of argocd-ApplicationSets
find:
paths: '/tmp/gitrepo/ApplicationSets'
pattern: '*.yml'
register: applicationsets
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: Apply defined AppProjects defined in checked out repo
kubernetes.core.k8s:
state: present
namespace: '{{ k8s_argocd_helm__release_namespace }}'
src: '{{ item.path }}'
loop: '{{ appprojects.files }}'
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: Apply defined ApplicationSets defined in checked out repo
kubernetes.core.k8s:
state: present
namespace: '{{ k8s_argocd_helm__release_namespace }}'
src: '{{ item.path }}'
loop: '{{ applicationsets.files }}'
when:
- inventory_hostname == groups['kube_control_plane'][0]
Reference in New Issue View Git Blame Copy Permalink