diff --git a/.yamllint b/.yamllint
index 4f16823..a1f6faa 100644
--- a/.yamllint
+++ b/.yamllint
@@ -13,3 +13,9 @@ rules:
 level: error
 line-length: disable
 truthy: disable
+ comments-indentation: false
+ comments:
+ min-spaces-from-content: 1
+ octal-values:
+ forbid-implicit-octal: true
+ forbid-explicit-octal: true
diff --git a/defaults/main/argocd.yml b/defaults/main/argocd.yml
index 512f787..f1f57b2 100644
--- a/defaults/main/argocd.yml
+++ b/defaults/main/argocd.yml
@@ -21,6 +21,10 @@ k8s_argocd_chart_values:
 replicas: 2
 applicationSet:
 replicas: 2
+ configs:
+ params:
+ application.namespaces: "*"
+k8s_argocd_resource_tracking_method: label
 k8s_argocd_apps_namespace: "argocd"
 k8s_argocd_apps_wait_timeout: "{{ k8s_wait_timeout }}"
 k8s_argocd_apps_chart:
diff --git a/molecule/common/create.yml b/molecule/common/create.yml
index b446cde..1ddd8b3 100644
--- a/molecule/common/create.yml
+++ b/molecule/common/create.yml
@@ -24,7 +24,7 @@
 ansible.builtin.get_url:
 url: https://get.k3s.io
 dest: "{{ tempdir.path }}/k3s"
- mode: 0755
+ mode: "u=rwx,go=rx"
 - name: Deploy k3s cluster
 ansible.builtin.command: "{{ tempdir.path }}/k3s --disable=traefik"
@@ -50,7 +50,7 @@
 remote_src: true
 owner: "{{ ansible_user }}"
 group: "{{ ansible_user }}"
- mode: 0600
+ mode: "u=rw,go-rwx"
 vars:
 ansible_user: "{{ lookup('ansible.builtin.env', 'USER') }}"
 become: true
diff --git a/molecule/common/prepare.yml b/molecule/common/prepare.yml
index 19b2b0e..48291c1 100644
--- a/molecule/common/prepare.yml
+++ b/molecule/common/prepare.yml
@@ -12,7 +12,7 @@
 ansible.builtin.copy:
 src: "{{ helm_bin_query.stdout }}"
 dest: "{{ k8s_helm_bin }}"
- mode: '0755'
+ mode: "u=rwx,go=rx"
 when: helm_bin_query is succeeded
 - name: Download Helm binary
@@ -61,7 +61,7 @@
 ansible.builtin.copy:
 src: "{{ helm_bin.files[0].path }}"
 dest: "{{ k8s_helm_bin }}"
- mode: '0755'
+ mode: "u=rwx,go=rx"
 always:
 - name: Cleanup temp files
diff --git a/poetry.lock b/poetry.lock
index 8723083..b0b6600 100644
--- a/poetry.lock
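Review bot: `comments-indentation: false` switches a rule off with a YAML boolean while the neighbouring `line-length: disable` and `truthy: disable` lines in the same hunk use yamllint's `disable` keyword; writing it as `comments-indentation: disable` keeps the file uniform and is the form the yamllint documentation shows, even though the boolean is accepted. A one-line comment above `octal-values:` explaining why both octal forms are forbidden (this commit rewrites every file mode in the molecule and verify tasks symbolically) would make the intent obvious to the next reader.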
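Review bot: `application.namespaces: "*"` is hard-coded into the chart values while the setting added right below it, `k8s_argocd_resource_tracking_method`, is exposed as a role variable; the wildcard opts every namespace in the cluster into Argo CD's applications-in-any-namespace mode, so any principal able to create an `Application` object in any namespace can have Argo CD reconcile it (still gated by the AppProject's `sourceNamespaces`, as far as I recall). Exposing it the same way, e.g. `application.namespaces: "{{ k8s_argocd_application_namespaces }}"` backed by a new default (variable name constructed here) with a comment saying it widens who can drive deployments, lets an installation narrow it to a list of namespaces without overriding the whole `k8s_argocd_chart_values` map. `k8s_argocd_resource_tracking_method: label` would also benefit from a comment naming the accepted values (`label`, `annotation`, `annotation+label`), since the ConfigMap task in tasks/deploy/argocd.yml writes it verbatim.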
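Review bot: `mode: "u=rw,go-rwx"` in the second create.yml hunk uses a relative `-` clause while every other mode in this commit is written with absolute `=` clauses (`u=rwx,go=rx`); the result is 0600 either way, but an absolute form such as `mode: "u=rw,go="` reads uniformly and states the final bits directly. The task this line belongs to starts outside the hunk, so I cannot see which module creates the file.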
+++ b/poetry.lock 
@@ -2,49 +2,49 @@ [[package]] name = "ansible" -version = "9.4.0" +version = "9.6.0" description = "Radically simple IT automation" optional = false python-versions = ">=3.10" files = [ - {file = "ansible-9.4.0-py3-none-any.whl", hash = "sha256:f1d67a2c21dbed3fee4fe579f750e5d20b5a5f13f4399f256a8a70f0505e62f7"}, - {file = "ansible-9.4.0.tar.gz", hash = "sha256:dd431c63380e18c3faca3288ebde8ce2f4f992363ab558a3c11c8f2032d90867"}, + {file = "ansible-9.6.0-py3-none-any.whl", hash = "sha256:8c0ffdc8dd58a22d709a5ac567bc62f17e689fb37bbf202788548c3d226631e0"}, + {file = "ansible-9.6.0.tar.gz", hash = "sha256:58732a4ad74a746d299ecfa48b7a91cb217e2c0bd3a44493f2d9f29af2f3ab61"}, ] [package.dependencies] -ansible-core = ">=2.16.5,<2.17.0" +ansible-core = ">=2.16.7,<2.17.0" [[package]] name = "ansible-compat" -version = "4.1.11" +version = "24.6.0" description = "Ansible compatibility goodies" optional = false python-versions = ">=3.9" files = [ - {file = "ansible-compat-4.1.11.tar.gz", hash = "sha256:b3e9f9d7c3a1ce6222de444e9dc6fece7eba70ac64f2a0befdc4e2d542018b4a"}, - {file = "ansible_compat-4.1.11-py3-none-any.whl", hash = "sha256:74a91807808a39af48ab6595811b9340d1458db26b138362f48bf39292190705"}, + {file = "ansible_compat-24.6.0-py3-none-any.whl", hash = "sha256:120843817479077db9460751026c2c9e43892c59a4f5fea1979d69eeb3fcec6d"}, + {file = "ansible_compat-24.6.0.tar.gz", hash = "sha256:7fd0090ece253b487cf956d9e1eea37b0c4c83adba0337794ae66328fa5b4aad"}, ] [package.dependencies] -ansible-core = ">=2.12" +ansible-core = ">=2.14" jsonschema = ">=4.6.0" packaging = "*" PyYAML = "*" subprocess-tee = ">=0.4.1" [package.extras] -docs = ["argparse-manpage", "black", "mkdocs-ansible[lock] (>=0.1.2)"] +docs = ["argparse-manpage", "black", "mkdocs-ansible (>=24.3.1)"] test = ["coverage", "pip-tools", "pytest (>=7.2.0)", "pytest-mock", "pytest-plus (>=0.6.1)"] [[package]] name = "ansible-core" -version = "2.16.6" +version = "2.16.7" description = "Radically simple IT automation" optional = 
false python-versions = ">=3.10" files = [ - {file = "ansible_core-2.16.6-py3-none-any.whl", hash = "sha256:f9dea5044a86fd95cc27099f4f5c3ae9beb23acf7c3b6331455726c47825922b"}, - {file = "ansible_core-2.16.6.tar.gz", hash = "sha256:111e55d358c2297ec0ce03ba98e6c5ce95947fdf50d878215eb8c183d0c275e4"}, + {file = "ansible_core-2.16.7-py3-none-any.whl", hash = "sha256:3e1b0ed76ff40d8722f1b5bf19348b95ff226ef5157f7afd720e3da1369a4a6e"}, + {file = "ansible_core-2.16.7.tar.gz", hash = "sha256:a8c8f4facba30514571d47abec5c62a5768b86fef3d80d724911c8f20b7b34b7"}, ] [package.dependencies] @@ -56,20 +56,21 @@ resolvelib = ">=0.5.3,<1.1.0" [[package]] name = "ansible-lint" -version = "24.2.2" +version = "24.5.0" description = "Checks playbooks for practices and behavior that could potentially be improved" optional = false python-versions = ">=3.10" files = [ - {file = "ansible-lint-24.2.2.tar.gz", hash = "sha256:e849476e1502e37e5a46c2628c993260ce464bdf79751963735dccb68305197e"}, - {file = "ansible_lint-24.2.2-py3-none-any.whl", hash = "sha256:21b66fc4e8c5ea4401dcc46523ae96076ff16d1c96437dd77480698500cc82e6"}, + {file = "ansible_lint-24.5.0-py3-none-any.whl", hash = "sha256:a0deb4d58ce267632a26f7e9daf91cd4cd8c2ed783ddbb588a95f86785df20cc"}, + {file = "ansible_lint-24.5.0.tar.gz", hash = "sha256:cf1d9876c63cb26f6677170d4c64b18d8d944b359f8772cba73a2145f8b7a7ac"}, ] [package.dependencies] -ansible-compat = ">=4.1.11" -ansible-core = ">=2.12.0" +ansible-compat = ">=24.5.0dev0" +ansible-core = ">=2.13.0" black = ">=24.3.0" filelock = ">=3.3.0" +importlib-metadata = "*" jsonschema = ">=4.10.0" packaging = ">=21.3" pathspec = ">=0.10.3" @@ -77,7 +78,10 @@ pyyaml = ">=5.4.1" rich = ">=12.0.0" "ruamel.yaml" = ">=0.18.5" subprocess-tee = ">=0.4.1" -wcmatch = ">=8.1.2" +wcmatch = [ + {version = ">=8.1.2", markers = "python_version < \"3.12\""}, + {version = ">=8.5.0", markers = "python_version >= \"3.12\""}, +] yamllint = ">=1.30.0" [package.extras] 
@@ -529,6 +533,25 @@ files = [ {file = "idna-3.6.tar.gz", hash = "sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca"}, ] +[[package]] +name = "importlib-metadata" +version = "7.1.0" +description = "Read metadata from Python packages" +optional = false +python-versions = ">=3.8" +files = [ + {file = "importlib_metadata-7.1.0-py3-none-any.whl", hash = "sha256:30962b96c0c223483ed6cc7280e7f0199feb01a0e40cfae4d4450fc6fab1f570"}, + {file = "importlib_metadata-7.1.0.tar.gz", hash = "sha256:b78938b926ee8d5f020fc4772d487045805a55ddbad2ecf21c6d60938dc7fcd2"}, +] + +[package.dependencies] +zipp = ">=0.5" + +[package.extras] +docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-lint"] +perf = ["ipython"] +testing = ["flufl.flake8", "importlib-resources (>=1.3)", "jaraco.test (>=5.4)", "packaging", "pyfakefs", "pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-mypy", "pytest-perf (>=0.9.2)", "pytest-ruff (>=0.2.1)"] + [[package]] name = "jinja2" version = "3.1.3" @@ -765,13 +788,13 @@ files = [ [[package]] name = "netaddr" -version = "1.2.1" +version = "1.3.0" description = "A network address manipulation library for Python" optional = false python-versions = ">=3.7" files = [ - {file = "netaddr-1.2.1-py3-none-any.whl", hash = "sha256:bd9e9534b0d46af328cf64f0e5a23a5a43fca292df221c85580b27394793496e"}, - {file = "netaddr-1.2.1.tar.gz", hash = "sha256:6eb8fedf0412c6d294d06885c110de945cf4d22d2b510d0404f4e06950857987"}, + {file = "netaddr-1.3.0-py3-none-any.whl", hash = "sha256:c2c6a8ebe5554ce33b7d5b3a306b71bbb373e000bbbf2350dd5213cc56e3dbbe"}, + {file = "netaddr-1.3.0.tar.gz", hash = "sha256:5c3c3d9895b551b763779ba7db7a03487dc1f8e3b385af819af341ae9ef6e48a"}, ] [package.extras] 
@@ -1426,7 +1449,22 @@ pyyaml = "*" [package.extras] dev = ["doc8", "flake8", "flake8-import-order", "rstcheck[sphinx]", "sphinx"] +[[package]] +name = "zipp" +version = "3.19.0" +description = "Backport of pathlib-compatible object wrapper for zip files" +optional = false +python-versions = ">=3.8" +files = [ + {file = "zipp-3.19.0-py3-none-any.whl", hash = "sha256:96dc6ad62f1441bcaccef23b274ec471518daf4fbbc580341204936a5a3dddec"}, + {file = "zipp-3.19.0.tar.gz", hash = "sha256:952df858fb3164426c976d9338d3961e8e8b3758e2e059e0f754b8c4262625ee"}, +] + +[package.extras] +docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-lint"] +testing = ["big-O", "jaraco.functools", "jaraco.itertools", "jaraco.test", "more-itertools", "pytest (>=6,!=8.1.*)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-ignore-flaky", "pytest-mypy", "pytest-ruff (>=0.2.1)"] + [metadata] lock-version = "2.0" python-versions = "^3.10" -content-hash = "0d09ba2809affe884cc545b1a47306fb80ecc927620a8fe000d71626fa029a19" +content-hash = "5c01fc400d35f3a87c215be73f8f85f74ac2167dc01b3f0681cda4417b1d90fa" diff --git a/pyproject.toml b/pyproject.toml index 15aba11..16e3d12 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -8,14 +8,14 @@ authors = ["nephelaiio"] python = "^3.10" [tool.poetry.group.dev.dependencies] -ansible = "^9.3.0" +ansible-lint = { version = "^24.5.0", markers = "platform_system != 'Windows'" } +ansible = "^9.6.0" molecule = "^24.2.1" -netaddr = "^1.2.1" +netaddr = "^1.3.0" kubernetes = "^29.0.0" openshift = "^0.13.2" github3-py = "^4.0.1" jmespath = "^1.0.1" -ansible-lint = { version = "^24.2.0", markers = "platform_system != 'Windows'" } yamllint = "^1.35.1" [build-system] diff --git a/tasks/deploy.yml b/tasks/deploy.yml index 50ab957..9addd2b 100644 --- a/tasks/deploy.yml +++ b/tasks/deploy.yml 
@@ -23,7 +23,7 @@
 ansible.builtin.include_tasks: "deploy/longhorn.yml"
 when: k8s_longhorn_deploy | bool
-- name: Include argocd deployment tasks
+- name: Include ArgoCD deployment tasks
 ansible.builtin.include_tasks: "deploy/argocd.yml"
 when: k8s_argocd_deploy | bool
diff --git a/tasks/deploy/argocd.yml b/tasks/deploy/argocd.yml
index f85d9b3..7c2478c 100644
--- a/tasks/deploy/argocd.yml
+++ b/tasks/deploy/argocd.yml
@@ -6,7 +6,7 @@
 _config: "{{ k8s_kubeconfig }}"
 _resource: 'argocd-repo-server'
-- name: Install argocd chart
+- name: Install ArgoCD chart
 kubernetes.core.helm:
 name: argocd
 chart_ref: "{{ k8s_argocd_chart.name }}"
@@ -50,6 +50,17 @@
 _reposerver_query: "{{ query(_query, kind='Deployment', namespace=_ns, resource_name=_resource, kubeconfig=_config) }}"
 changed_when: false
+- name: Configure ArgoCD resource tracking method
+ kubernetes.core.k8s:
+ api_version: v1
+ kind: ConfigMap
+ namespace: "{{ k8s_argocd_namespace }}"
+ name: argocd-cm
+ kubeconfig: "{{ k8s_kubeconfig | default(omit) }}"
+ definition:
+ data:
+ application.resourceTrackingMethod: "{{ k8s_argocd_resource_tracking_method }}"
+
 - name: Deploy argocd ingress
 kubernetes.core.k8s:
 namespace: "{{ k8s_argocd_namespace }}"
diff --git a/tasks/verify.yml b/tasks/verify.yml
index 30efdcc..1e4221f 100644
--- a/tasks/verify.yml
+++ b/tasks/verify.yml
@@ -27,7 +27,7 @@
 - name: Include Helm checks
 ansible.builtin.include_tasks: verify/helm.yml
- - name: Include argocd checks
+ - name: Include ArgoCD checks
 ansible.builtin.include_tasks: verify/argocd.yml
 when: k8s_argocd_verify | bool
diff --git a/tasks/verify/argocd.yml b/tasks/verify/argocd.yml
index 7260dcc..d8256ba 100644
--- a/tasks/verify/argocd.yml
+++ b/tasks/verify/argocd.yml
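Review bot: The new `Configure ArgoCD resource tracking method` task applies a partial `definition` to `argocd-cm` directly, but that ConfigMap is rendered by the Helm chart that the `Install ArgoCD chart` task (`kubernetes.core.helm`, earlier in this file) installs, so the next chart upgrade re-renders `data` and silently drops the setting. The chart exposes the same key as a value, so setting `configs.cm."application.resourceTrackingMethod": "{{ k8s_argocd_resource_tracking_method }}"` in `k8s_argocd_chart_values` (defaults/main/argocd.yml, next to the `configs.params` block this commit adds) and removing this task keeps one owner for the ConfigMap and survives upgrades. If the task stays, a comment should warn that switching the tracking method on an existing install changes how Argo CD recognises the resources it already manages, so synced resources may show as out of sync or orphaned until resynced; I believe that is the documented behaviour but it is worth confirming against the Argo CD docs.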
@@ -11,7 +11,7 @@
 vars:
 _reposerver_query: "{{ query(_query, kind='Deployment', namespace=_ns, resource_name='argocd-repo-server', kubeconfig=_config) }}"
-- name: Query argocd ingress metadata
+- name: Query ArgoCD ingress metadata
 ansible.builtin.set_fact:
 ingress_argocd_ip: "{{ ingress_query[0][_status][_lb][_ingress][0][_ip] }}"
 vars:
@@ -32,26 +32,26 @@
 - ingress_query[0][_status][_lb][_ingress] | length > 0
 - _ip in ingress_query[0][_status][_lb][_ingress][0]
-- name: Record argocd deployment env vars
+- name: Record ArgoCD deployment env vars
 ansible.builtin.set_fact:
 argocd_env: "{{ _argocd_env }}"
 argocd_env_exec_item: "{{ _argocd_env | selectattr('name', 'equalto', 'ARGOCD_EXEC_TIMEOUT') }}"
 vars:
 _argocd_env: "{{ _reposerver_def.spec.template.spec.containers[0].env }}"
-- name: Check argocd exec timeout parameter
+- name: Check ArgoCD exec timeout parameter
 ansible.builtin.assert:
 that: argocd_env_exec_item | length > 0
 fail_msg: "env var ARGOCD_EXEC_TIMEOUT is not set"
-- name: Check argocd exec timeout value
+- name: Check ArgoCD exec timeout value
 ansible.builtin.assert:
 that: argocd_env_exec_value == k8s_argocd_exec_timeout
 fail_msg: "env var ARGOCD_EXEC_TIMEOUT is not set correctly ({{ argocd_env_exec_value }})"
 vars:
 argocd_env_exec_value: "{{ argocd_env_exec_item[0].value }}"
-- name: Query argocd access info
+- name: Query ArgoCD access info
 ansible.builtin.set_fact:
 _argocd_secret_query: "{{ _secrets }}"
 vars:
@@ -61,14 +61,14 @@
 delay: "{{ k8s_retry_delay }}"
 until: _secrets | length > 0
-- name: Record argocd auth credentials
+- name: Record ArgoCD auth credentials
 ansible.builtin.set_fact:
 argocd_admin_username: "admin"
 argocd_admin_password: "{{ _argocd_secret_data.data.password | b64decode }}"
 vars:
 _argocd_secret_data: "{{ _argocd_secret_query | first }}"
-- name: Auth against argocd api
+- name: Auth against ArgoCD API
 ansible.builtin.uri:
 url: "https://{{ ingress_argocd_ip }}/api/v1/session"
 method: POST
@@ -81,13 +81,13 @@
 validate_certs: false
 register: argocd_auth_data
-- name: Record argocd auth token
+- name: Record ArgoCD auth token
 ansible.builtin.set_fact:
 argocd_admin_token: "{{ argocd_auth_data.json.token }}"
-- name: Verify argocd application status
+- name: Verify ArgoCD application status
 block:
- - name: Query argocd application status
+ - name: Query ArgoCD application status
 ansible.builtin.uri:
 url: "https://{{ ingress_argocd_ip }}/api/v1/applications?refresh=true"
 headers:
diff --git a/tasks/verify/install.yml b/tasks/verify/install.yml
index 3030e11..577bab5 100644
--- a/tasks/verify/install.yml
+++ b/tasks/verify/install.yml
@@ -41,7 +41,7 @@
 ansible.builtin.copy:
 content: "{{ _cacert }}"
 dest: "{{ k8s_cacert_path }}"
- mode: '0755'
+ mode: "u=rwx,go=rx"
 vars:
 _cacert: "{{ _cacert_data.data['ca.crt'] | b64decode }}"
 _cacert_data: "{{ _cacert_query | selectattr('metadata.name', 'equalto', 'cluster-issuer-secret') | first }}"
@@ -79,7 +79,7 @@
 set -euo pipefail
 {{ _cmd }}
 dest: "{{ k8s_verifier_path }}/bwrap"
- mode: 0755
+ mode: "u=rwx,go=rx"
 vars:
 _cmd: "bwrap {{ _bind_dev }} {{ _bind_hosts }} {{ _bind_ca }} {{ _bind_certs }} sh -c \"$CMD\""
 _bind_dev: "--dev-bind / /"
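Review bot: `mode: "u=rwx,go=rx"` in the first install.yml hunk keeps the execute bit on `k8s_cacert_path`, which holds a PEM CA certificate (`_cacert` is the base64-decoded `ca.crt` from the `cluster-issuer-secret` secret); a certificate is data, not a program, so `mode: "u=rw,go=r"` is sufficient and is the least-privilege translation of the old `0755`. The second hunk's `bwrap` wrapper is a script and correctly keeps `u=rwx,go=rx`. This is verification-only tooling, but the symbolic rewrite is the natural moment to drop the stray bit rather than carry it over.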