Change the way binaries are installed

Binaries are now installed into the working directory, so they do not
touch the system. The goal is to make this role more or less containerized.

Some minor refactoring is included as well.
This commit is contained in:
Nikolai Rodionov 2023-08-11 09:34:21 +02:00
parent 9928b63672
commit 3806fe53b5
No known key found for this signature in database
GPG Key ID: 19DB54039EBF8F10
3 changed files with 70 additions and 55 deletions


@ -3,7 +3,7 @@
# -- yq version # -- yq version
# -------------------------------------- # --------------------------------------
yq: yq:
version: v4.31.2 version: v4.35.2
binary: yq_linux_amd64 binary: yq_linux_amd64
# -------------------------------------- # --------------------------------------
# -- kubectl version # -- kubectl version
@ -58,6 +58,10 @@ role: cluster-admin
# binding_type: ClusterRoleBinding # binding_type: ClusterRoleBinding
# role_type: ClusterRole # role_type: ClusterRole
# role: cluster-admin # role: cluster-admin
# k8s_config_path: /etc/kubernetes/admin.conf
# k8s_cert_path: /etc/kubernetes/pki
# k8s_cert_crt_file: ca.crt
# k8s_cert_key_file: ca.key
# -------------------------------------- # --------------------------------------
users: [] users: []
# -------------------------------------- # --------------------------------------
@ -65,3 +69,10 @@ users: []
# -------------------------------------- # --------------------------------------
# k8s_config_path: /var/snap/microk8s/current/credentials/client.config # k8s_config_path: /var/snap/microk8s/current/credentials/client.config
# k8s_cert_path: /var/snap/microk8s/current/certs # k8s_cert_path: /var/snap/microk8s/current/certs
# --------------------------------------
# -- Use with k3s
# --------------------------------------
# k8s_config_path: /etc/rancher/k3s/k3s.yaml
# k8s_cert_path: /var/lib/rancher/k3s/server/tls
# k8s_cert_crt_file: server-ca.crt
# k8s_cert_key_file: server-ca.key
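Review bot: The new commented examples point `k8s_cert_key_file` at the cluster CA private key (`ca.key`, `server-ca.key`) without saying what the role does with it; since `tasks/main.yaml` hands it to `create-user.yaml` for every user, presumably to sign the user certificate, the defaults file should spell out the implication. I would add above the first `k8s_cert_path` example: `# k8s_cert_key_file is the cluster CA *private* key: the role must run on a control-plane node as a user that can read the PKI directory.` The signing step itself is in create-user.yaml, which is only partly visible here, so confirm the wording against it. The inherited default `role: cluster-admin` on every generated user also deserves a one-line warning next to the example, since all three cluster flavours pick it up unchanged.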


@ -41,14 +41,14 @@
# -- Get k8s server from admin.conf # -- Get k8s server from admin.conf
# -------------------------------------- # --------------------------------------
- name: Get k8s server - name: Get k8s server
shell: yq e '.clusters[0] | select(.name == "{{ cluster }}").cluster.server' "{{ k8s_config_path }}" shell: "{{ working_dir }}/bin/yq e '.clusters[0] | select(.name == \"{{ cluster }}\").cluster.server' {{ k8s_config_path }}"
register: kubernetes_server_output register: kubernetes_server_output
# -------------------------------------- # --------------------------------------
# -- Get k8s certificate authority data # -- Get k8s certificate authority data
# -- from admin-conf # -- from admin-conf
# -------------------------------------- # --------------------------------------
- name: Get k8s certificate authority data - name: Get k8s certificate authority data
shell: yq e '.clusters[0] | select(.name == "{{ cluster }}").cluster.certificate-authority-data' "{{ k8s_config_path }}" shell: "{{ working_dir }}/bin/yq e '.clusters[0] | select(.name == \"{{ cluster }}\").cluster.certificate-authority-data' {{ k8s_config_path }}"
register: kubernetes_cad_output register: kubernetes_cad_output
- name: Get user cert data - name: Get user cert data
@ -67,15 +67,15 @@
user_key_data: " {{ user_key_data_output.stdout }}" user_key_data: " {{ user_key_data_output.stdout }}"
- name: Create k8s user - name: Create k8s user
ansible.builtin.shell: | ansible.builtin.shell: >-
kubectl config set-credentials "{{ username }}"\ {{ working_dir }}/bin/kubectl config set-credentials {{ username }} \
--client-certificate="{{ cert_dir }}/{{ username }}.crt" \ --client-certificate="{{ cert_dir }}/{{ username }}.crt" \
--client-key="{{ cert_dir }}/{{ username }}.key" --client-key="{{ cert_dir }}/{{ username }}.key"
notify: remove certificates notify: remove certificates
- name: Set user context - name: Set user context
ansible.builtin.shell: | ansible.builtin.shell: >-
kubectl config set-context "{{ username }}@{{ cluster }}" \ {{ working_dir }}/bin/kubectl config set-context {{ username }}@{{ cluster }} \
--cluster={{ cluster }} --user="{{ username }}" --cluster={{ cluster }} --user="{{ username }}"
- name: Create config file from template - name: Create config file from template
@ -95,5 +95,5 @@
- name: Apply role binding manifest - name: Apply role binding manifest
environment: environment:
KUBECONFIG: "{{ k8s_config_path }}" KUBECONFIG: "{{ k8s_config_path }}"
shell: kubectl apply -f "{{ cert_dir }}/{{ username }}.yaml" shell: "{{ working_dir }}/bin/kubectl apply -f {{ cert_dir }}/{{ username }}.yaml"
tags: add_user tags: add_user
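Review bot: Switching `Create k8s user` and `Set user context` from a literal (`|`) to a folded (`>-`) scalar while keeping the trailing ` \` turns the line continuation into a shell escape: a folded scalar joins lines with a space, so the shell is handed `set-credentials alice \ --client-certificate=...`, and `\ ` is an escaped space that becomes an extra one-character positional argument to kubectl instead of a continuation (render the task to confirm, but that is how `>-` folds). Drop the backslashes, which a folded scalar does not need: `{{ working_dir }}/bin/kubectl config set-credentials "{{ username }}"` followed by the two `--client-*` options on their own lines, and the same for `set-context`. The rewrite also removed the double quotes around `{{ username }}`, `{{ cluster }}` and `{{ k8s_config_path }}` in all four shell tasks; restore them so a value containing whitespace or shell metacharacters neither splits nor expands, given that these commands run against the admin kubeconfig.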


@ -10,37 +10,43 @@
- name: Ensure required packages are installed - name: Ensure required packages are installed
tags: packages tags: packages
block: block:
# ------------------------- - name: Create a directory if it does not exist
# -- Prepare kubectl repo ansible.builtin.file:
# ------------------------- path: "{{ working_dir }}"
- name: Add an apt signing key for Kubernetes state: directory
become: true mode: "0775"
apt_key: - name: Prepare bin directory
url: https://packages.cloud.google.com/apt/doc/apt-key.gpg block:
state: present - name: Set workdir as fact
set_fact:
bin_dir: "{{ working_dir }}/bin"
- name: Adding apt repository for Kubernetes - name: Create a directory if it does not exist
become: true ansible.builtin.file:
apt_repository: path: "{{ bin_dir }}"
repo: deb https://apt.kubernetes.io/ kubernetes-xenial main state: directory
state: present mode: "0775"
filename: kubernetes.list
# -------------------------------------- # --------------------------------------
# -- Install yq # -- Install yq
# -------------------------------------- # --------------------------------------
- name: Install yq
block:
- name: Ensure yq is installed - name: Ensure yq is installed
become: true become: true
get_url: get_url:
url: "https://github.com/mikefarah/yq/releases/download/{{ yq.version }}/{{ yq.binary }}" url: "https://github.com/mikefarah/yq/releases/download/{{ yq.version }}/{{ yq.binary }}"
dest: /usr/bin/yq dest: "{{ bin_dir }}/yq"
mode: "0777" mode: "0777"
- block: - name: Install kubectl
block:
- name: Download kubectl release - name: Download kubectl release
uri: become: true
get_url:
url: https://dl.k8s.io/release/{{ kubectl.version }}/bin/linux/{{ kubectl.arch }}/kubectl url: https://dl.k8s.io/release/{{ kubectl.version }}/bin/linux/{{ kubectl.arch }}/kubectl
dest: /tmp dest: "{{ bin_dir }}/kubectl"
mode: "0777"
- name: Download the kubectl checksum file - name: Download the kubectl checksum file
uri: uri:
@ -48,12 +54,12 @@
dest: /tmp dest: /tmp
- name: Validate the kubectl binary against the checksum file - name: Validate the kubectl binary against the checksum file
shell: echo "$(cat /tmp/kubectl.sha256) /tmp/kubectl" | sha256sum --check shell: echo "$(cat /tmp/kubectl.sha256) {{ bin_dir }}/kubectl" | sha256sum --check
register: result register: result
- name: Assert that the kubectl binary is OK - name: Assert that the kubectl binary is OK
vars: vars:
expected: "/tmp/kubectl: OK" expected: "{{ bin_dir }}/kubectl: OK"
assert: assert:
that: that:
- result.stdout == expected - result.stdout == expected
@ -66,12 +72,6 @@
name: "openssl" name: "openssl"
state: present state: present
- name: Create a directory if it does not exist
ansible.builtin.file:
path: "{{ working_dir }}"
state: directory
mode: "0775"
- name: Create kubernetes user - name: Create kubernetes user
loop: "{{ users }}" loop: "{{ users }}"
include_tasks: create-user.yaml include_tasks: create-user.yaml
@ -82,3 +82,7 @@
binding_type: "{{ item.binding_type | default('ClusterRoleBinding') }}" binding_type: "{{ item.binding_type | default('ClusterRoleBinding') }}"
role_type: "{{ item.role_type | default('ClusterRole') }}" role_type: "{{ item.role_type | default('ClusterRole') }}"
role: "{{ item.role | default('cluster-admin') }}" role: "{{ item.role | default('cluster-admin') }}"
user_k8s_config_path: "{{ item.k8s_config_path | default(k8s_config_path) }}"
user_k8s_cert_path: "{{ item.k8s_cert_path | default(k8s_cert_path) }}"
user_k8s_cert_crt_file: "{{ item.k8s_cert_crt_file | default(k8s_cert_crt_file) }}"
user_k8s_cert_key_file: "{{ item.k8s_cert_key_file | default(k8s_cert_key_file) }}"
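Review bot: Both binaries are now installed world-writable (`mode: "0777"` on the yq and kubectl `get_url` tasks) into a directory other users can traverse (`0775`), and they are later executed under `become: true` with the admin kubeconfig, so any local account could swap them for something that runs as root with cluster-admin; an executable needs `mode: "0755"`. The kubectl download also moved from `/tmp` straight into `{{ bin_dir }}` before its checksum is verified, so a failed assert leaves an unverified binary installed: either keep the download in `/tmp` and copy it in after the check, or replace the download/validate/assert trio with a single `get_url` carrying `checksum: "sha256:https://dl.k8s.io/release/{{ kubectl.version }}/bin/linux/{{ kubectl.arch }}/kubectl.sha256"` (a URL-valued checksum is supported by `get_url`; confirm against the Ansible version in use). yq still has no integrity check at all; the same `checksum:` option with a pinned digest per `yq.version` would close that gap, and `become: true` on both download tasks is no longer needed now that the destination is the workdir. The `Create kubernetes user` loop that consumes the new `user_k8s_*` variables starts outside this hunk.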