From ab83e71a20e17eb43382bcc97a5fc55c94994479 Mon Sep 17 00:00:00 2001
From: Teodoro Cook
Date: Sat, 3 Feb 2024 20:51:30 -0600
Subject: [PATCH] Add sealedsecrets deployment (#45)

---
 .talismanrc | 12 ++++--------
 defaults/main/argocd.yml | 8 ++++----
 defaults/main/certmanager.yml | 4 ++--
 defaults/main/keel.yml | 2 +-
 defaults/main/longhorn.yml | 4 ++--
 defaults/main/metallb.yml | 4 ++--
 defaults/main/mysql.yml | 2 +-
 defaults/main/nginx.yml | 4 ++--
 defaults/main/opensearch.yml | 2 +-
 defaults/main/reflector.yml | 2 +-
 defaults/main/sealedsecrets.yml | 9 +++++++++
 defaults/main/strimzi.yml | 2 +-
 defaults/main/zalando.yml | 2 +-
 tasks/deploy.yml | 4 ++++
 tasks/deploy/sealedsecrets.yml | 14 ++++++++++++++
 tasks/verify/reflector.yml | 14 ++++++++++++++
 tasks/verify/sealedsecrets.yml | 14 ++++++++++++++
 17 files changed, 77 insertions(+), 26 deletions(-)
 create mode 100644 defaults/main/sealedsecrets.yml
 create mode 100644 tasks/deploy/sealedsecrets.yml
 create mode 100644 tasks/verify/reflector.yml
 create mode 100644 tasks/verify/sealedsecrets.yml

diff --git a/.talismanrc b/.talismanrc
index ab8f0e3..22ad1d5 100644
--- a/.talismanrc
+++ b/.talismanrc
@@ -1,17 +1,13 @@
 fileignoreconfig:
 - filename: defaults/main/mysql.yml
 ignore_detectors: [ filename ]
+ - filename: defaults/main/sealedsecrets.yml
+ ignore_detectors: [ filecontent ]
 - filename: poetry.lock
 ignore_detectors: [ filecontent ]
 - filename: tasks/deploy/mysql.yml
 ignore_detectors: [ filename ]
- - filename: tasks/verify/mysql.yml
- ignore_detectors: [ filename ]
- - filename: tasks/verify/argocd.yml
- ignore_detectors: [ filecontent ]
- - filename: tasks/verify/install.yml
- ignore_detectors: [ filecontent ]
- - filename: tasks/verify/secrets.yml
- ignore_detectors: [ filecontent ]
+ - filename: tasks/verify/*.yml
+ ignore_detectors: [ filename, filecontent ]
 - filename: .github/workflows/release.yml
 ignore_detectors: [ filecontent ]
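Review bot: The new `tasks/verify/*.yml` entry with `ignore_detectors: [ filename, filecontent ]` suppresses Talisman's secret scanning for every current and future file under that directory, whereas the four entries it replaces were scoped to named files. Verify tasks are exactly where someone is tempted to paste a real kubeconfig or password to make an assertion pass, and with a wildcard that would no longer be caught at commit time. Prefer listing the new files explicitly, e.g. `- filename: tasks/verify/reflector.yml` and `- filename: tasks/verify/sealedsecrets.yml`, each with the narrowest detector set that actually fires; whether this Talisman version honours a glob in `filename` is not visible here, so confirm the wildcard even matches before relying on it. A short comment above the `defaults/main/sealedsecrets.yml` entry stating why `filecontent` trips on that file (presumably the word "secrets" in the path or chart name) would help the next person who widens the ignore list.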
diff --git a/defaults/main/argocd.yml b/defaults/main/argocd.yml
index 6d808f2..ba085ea 100644
--- a/defaults/main/argocd.yml
+++ b/defaults/main/argocd.yml
@@ -8,8 +8,8 @@ k8s_argocd_exec_timeout: "3m"
 k8s_argocd_chart:
 name: "argo-cd"
 repo: "https://argoproj.github.io/argo-helm"
- release: "5.53.6"
- last_checked: "2024-01-22T16:18:49-06:00"
+ release: "5.53.13"
+ last_checked: "2024-02-02T22:37:26-06:00"
 k8s_argocd_chart_values:
 redis-ha:
 enabled: false
@@ -26,8 +26,8 @@ k8s_argocd_apps_wait_timeout: "{{ k8s_wait_timeout }}"
 k8s_argocd_apps_chart:
 name: "argocd-apps"
 repo: "https://argoproj.github.io/argo-helm"
- release: "1.4.1"
- last_checked: "2024-01-22T16:18:59-06:00"
+ release: "1.6.1"
+ last_checked: "2024-02-02T22:37:49-06:00"
 k8s_argocd_apps_chart_values:
 applications: []
 applicationsets: []
diff --git a/defaults/main/certmanager.yml b/defaults/main/certmanager.yml
index 9566e81..688e266 100644
--- a/defaults/main/certmanager.yml
+++ b/defaults/main/certmanager.yml
@@ -4,7 +4,7 @@ k8s_certmanager_namespace: "cert-manager"
 k8s_certmanager_chart:
 name: "cert-manager"
 repo: "https://charts.jetstack.io"
- release: "v1.13.3"
- last_checked: "2024-01-22T16:18:28-06:00"
+ release: "v1.14.1"
+ last_checked: "2024-02-02T22:35:38-06:00"
 k8s_certmanager_wait_timeout: "{{ k8s_wait_timeout }}"
 k8s_certmanager_cacert: "/usr/share/ca-certificates/{{ k8s_cluster_name }}.crt"
diff --git a/defaults/main/keel.yml b/defaults/main/keel.yml
index 0dd982e..7ec8fd2 100644
--- a/defaults/main/keel.yml
+++ b/defaults/main/keel.yml
@@ -5,5 +5,5 @@ k8s_keel_chart:
 name: "keel"
 repo: "https://charts.keel.sh "
 release: "1.0.3"
- last_checked: "2024-01-22T16:18:35-06:00"
+ last_checked: "2024-02-02T22:36:18-06:00"
 k8s_keel_wait_timeout: "{{ k8s_wait_timeout }}"
diff --git a/defaults/main/longhorn.yml b/defaults/main/longhorn.yml
index 671151d..3a03858 100644
--- a/defaults/main/longhorn.yml
+++ b/defaults/main/longhorn.yml
@@ -6,8 +6,8 @@ k8s_longhorn_wait_timeout: "{{ k8s_wait_timeout }}"
 k8s_longhorn_chart:
 name: longhorn
 repo: "https://charts.longhorn.io"
- release: "1.5.3"
- last_checked: "2024-01-22T16:19:07-06:00"
+ release: "1.6.0"
+ last_checked: "2024-02-02T22:37:02-06:00"
 k8s_longhorn_chart_values:
 persistence:
 defaultClass: false
diff --git a/defaults/main/metallb.yml b/defaults/main/metallb.yml
index ad44a88..96d6321 100644
--- a/defaults/main/metallb.yml
+++ b/defaults/main/metallb.yml
@@ -3,6 +3,6 @@ k8s_metallb_namespace: "metallb-system"
 k8s_metallb_chart:
 name: "metallb"
 repo: "https://charts.bitnami.com/bitnami"
- release: "4.11.0"
- last_checked: "2024-01-22T16:18:43-06:00"
+ release: "4.11.1"
+ last_checked: "2024-02-02T22:38:36-06:00"
 k8s_metallb_wait_timeout: "{{ k8s_wait_timeout }}"
diff --git a/defaults/main/mysql.yml b/defaults/main/mysql.yml
index a9eb309..0e58204 100644
--- a/defaults/main/mysql.yml
+++ b/defaults/main/mysql.yml
@@ -7,4 +7,4 @@ k8s_mysql_chart:
 name: "mysql-operator"
 repo: "https://mysql.github.io/mysql-operator"
 release: "2.1.2"
- last_checked: "2024-01-22T16:19:34-06:00"
+ last_checked: "2024-02-02T22:38:14-06:00"
diff --git a/defaults/main/nginx.yml b/defaults/main/nginx.yml
index 3c1fd95..2a979e0 100644
--- a/defaults/main/nginx.yml
+++ b/defaults/main/nginx.yml
@@ -5,6 +5,6 @@ k8s_nginx_namespace: "nginx"
 k8s_nginx_chart:
 name: "ingress-nginx"
 repo: "https://kubernetes.github.io/ingress-nginx"
- release: "4.9.0"
- last_checked: "2024-01-22T16:19:49-06:00"
+ release: "4.9.1"
+ last_checked: "2024-02-02T22:36:40-06:00"
 k8s_nginx_wait_timeout: "{{ k8s_wait_timeout }}"
diff --git a/defaults/main/opensearch.yml b/defaults/main/opensearch.yml
index 700d457..451f924 100644
--- a/defaults/main/opensearch.yml
+++ b/defaults/main/opensearch.yml
@@ -5,6 +5,6 @@ k8s_opensearch_chart:
 name: "opensearch-operator"
 repo: "https://opensearch-project.github.io/opensearch-k8s-operator"
 release: "2.4.0"
- last_checked: "2024-01-22T16:19:41-06:00"
+ last_checked: "2024-02-02T22:35:57-06:00"
 k8s_opensearch_namespace: opensearch
 k8s_opensearch_wait_timeout: "{{ k8s_wait_timeout }}"
diff --git a/defaults/main/reflector.yml b/defaults/main/reflector.yml
index 783953d..decc77f 100644
--- a/defaults/main/reflector.yml
+++ b/defaults/main/reflector.yml
@@ -5,5 +5,5 @@ k8s_reflector_chart:
 name: "reflector"
 repo: "https://emberstack.github.io/helm-charts"
 release: "7.1.238"
- last_checked: "2024-01-22T16:19:27-06:00"
+ last_checked: "2024-02-02T22:35:12-06:00"
 k8s_reflector_wait_timeout: "{{ k8s_wait_timeout }}"
diff --git a/defaults/main/sealedsecrets.yml b/defaults/main/sealedsecrets.yml
new file mode 100644
index 0000000..3bd5bde
--- /dev/null
+++ b/defaults/main/sealedsecrets.yml
@@ -0,0 +1,9 @@
+---
+k8s_sealedsecrets_deploy: true
+k8s_sealedsecrets_namespace: "kube-system"
+k8s_sealedsecrets_chart:
+ name: "sealed-secrets"
+ repo: "https://bitnami-labs.github.io/sealed-secrets"
+ release: "2.14.2"
+ last_checked: "2024-02-02T22:34:36-06:00"
+k8s_sealedsecrets_wait_timeout: "{{ k8s_wait_timeout }}"
diff --git a/defaults/main/strimzi.yml b/defaults/main/strimzi.yml
index 8125267..a232f25 100644
--- a/defaults/main/strimzi.yml
+++ b/defaults/main/strimzi.yml
@@ -5,6 +5,6 @@ k8s_strimzi_chart:
 name: "strimzi-kafka-operator"
 repo: "https://strimzi.io/charts/"
 release: "0.39.0"
- last_checked: "2024-01-22T16:19:19-06:00"
+ last_checked: "2024-02-02T22:34:11-06:00"
 k8s_strimzi_namespace: strimzi
 k8s_strimzi_wait_timeout: "{{ k8s_wait_timeout }}"
diff --git a/defaults/main/zalando.yml b/defaults/main/zalando.yml
index 2abcb51..3e60322 100644
--- a/defaults/main/zalando.yml
+++ b/defaults/main/zalando.yml
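Review bot: `k8s_sealedsecrets_namespace: "kube-system"` is undocumented, and the namespace choice carries more weight here than for the sibling charts because the sealed-secrets controller keeps its cluster-wide sealing private key as a Secret in its release namespace, so anyone with Secret read access there can decrypt every SealedSecret committed to git. A header comment should make that explicit, e.g. `# The controller stores its sealing keypair as a Secret in this namespace; scope RBAC accordingly and back the key up before relying on SealedSecrets in git.` Nothing in this commit backs up or rotates that key, so the file should also say whether that is handled elsewhere in the role or is an operator responsibility. Pinning `release: "2.14.2"` with `last_checked` matches the other defaults files, which is good; unlike argocd and longhorn there is no `k8s_sealedsecrets_chart_values` key, so any future hardening overrides will require editing the task rather than the defaults.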
@@ -9,4 +9,4 @@ k8s_zalando_chart:
 name: "postgres-operator"
 repo: "https://opensource.zalando.com/postgres-operator/charts/postgres-operator"
 release: "1.10.1"
- last_checked: "2024-01-22T16:19:13-06:00"
+ last_checked: "2024-02-02T22:34:47-06:00"
diff --git a/tasks/deploy.yml b/tasks/deploy.yml
index bef0f6c..c952dbb 100644
--- a/tasks/deploy.yml
+++ b/tasks/deploy.yml
@@ -54,3 +54,7 @@
 - name: Include reflector deployment tasks
 ansible.builtin.include_tasks: "deploy/reflector.yml"
 when: k8s_reflector_deploy | bool
+
+- name: Include sealedsecrets deployment tasks
+ ansible.builtin.include_tasks: "deploy/sealedsecrets.yml"
+ when: k8s_sealedsecrets_deploy | bool
diff --git a/tasks/deploy/sealedsecrets.yml b/tasks/deploy/sealedsecrets.yml
new file mode 100644
index 0000000..8a0d8f2
--- /dev/null
+++ b/tasks/deploy/sealedsecrets.yml
@@ -0,0 +1,14 @@
+---
+- name: Manage sealed-secrets Helm chart
+ kubernetes.core.helm:
+ name: sealedsecrets
+ chart_ref: "{{ k8s_sealedsecrets_chart.name }}"
+ chart_repo_url: "{{ k8s_sealedsecrets_chart.repo }}"
+ chart_version: "{{ k8s_sealedsecrets_chart.release }}"
+ release_namespace: "{{ k8s_sealedsecrets_namespace }}"
+ create_namespace: true
+ state: present
+ wait: true
+ wait_timeout: "{{ k8s_sealedsecrets_wait_timeout }}s"
+ kubeconfig: "{{ k8s_kubeconfig | default(omit) }}"
+ binary_path: "{{ lookup('ansible.builtin.env', 'HELM_BIN', default=k8s_helm_bin) }}"
diff --git a/tasks/verify/reflector.yml b/tasks/verify/reflector.yml
new file mode 100644
index 0000000..4ddf3a8
--- /dev/null
+++ b/tasks/verify/reflector.yml
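Review bot: The sealedsecrets include is appended as the final deployment step, after reflector, so any earlier include that applies `SealedSecret` resources would run before the controller that decrypts them exists; the rest of `tasks/deploy.yml` lies outside this hunk, so whether any earlier step does that cannot be seen here. If none does, a one-line comment above the new include recording the assumption, e.g. `# Must run before any task that applies SealedSecret CRs`, keeps a later reorder from silently breaking it. If one does, this include belongs above that consumer rather than at the end.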
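Review bot: `name: sealedsecrets` sets the Helm release name, but the verify task added in the same commit filters `helm list` for a release named `sealed-secrets`, so the two can never agree and the verification is dead on arrival. Pick one spelling for both; `name: sealed-secrets` matches the chart name already carried in `k8s_sealedsecrets_chart.name` and is what the verify filter expects. The release name also feeds the chart's generated resource names, including the controller Service that `kubeseal` connects to, so whichever value is chosen deserves a comment such as `# Release name also determines the controller Service name kubeseal targets` — confirm against the chart's fullname template before writing it.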
@@ -0,0 +1,14 @@
+---
+- name: Query Helm deployments
+ ansible.builtin.command: "{{ k8s_helm_bin }} list -A -o json"
+ environment:
+ KUBECONFIG: "{{ k8s_kubeconfig }}"
+ register: helm_query
+ changed_when: false
+
+- name: Verify reflector deployment
+ ansible.builtin.assert:
+ that: _helm_reflector | length == 1
+ fail_msg: "reflector deployment not found"
+ vars:
+ _helm_reflector: "{{ helm_query.stdout | from_json | selectattr('name', 'equalto', 'reflector') }}"
diff --git a/tasks/verify/sealedsecrets.yml b/tasks/verify/sealedsecrets.yml
new file mode 100644
index 0000000..ce93c53
--- /dev/null
+++ b/tasks/verify/sealedsecrets.yml
@@ -0,0 +1,14 @@
+---
+- name: Query Helm deployments
+ ansible.builtin.command: "{{ k8s_helm_bin }} list -A -o json"
+ environment:
+ KUBECONFIG: "{{ k8s_kubeconfig }}"
+ register: helm_query
+ changed_when: false
+
+- name: Verify sealedsecrets deployment
+ ansible.builtin.assert:
+ that: _helm_sealedsecrets | length == 1
+ fail_msg: "sealedsecrets deployment not found"
+ vars:
+ _helm_sealedsecrets: "{{ helm_query.stdout | from_json | selectattr('name', 'equalto', 'sealed-secrets') }}"
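Review bot: The assertion counts releases named `reflector` from `helm list -A` without looking at their status, and `helm list` reports failed releases alongside deployed ones by default, so a release stuck in `failed` still satisfies `length == 1` and the verify step passes. Add a status filter to the vars line: `_helm_reflector: "{{ helm_query.stdout | from_json | selectattr('name', 'equalto', 'reflector') | selectattr('status', 'equalto', 'deployed') }}"`. The `Query Helm deployments` task is also repeated verbatim in `tasks/verify/sealedsecrets.yml`; running `helm list -A` once in the parent verify file and sharing `helm_query` would avoid one identical call per component.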
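Review bot: `KUBECONFIG: "{{ k8s_kubeconfig }}"` references the variable unconditionally, while the deploy task in this same commit treats it as optional via `k8s_kubeconfig | default(omit)`; when it is unset, deploy falls back to the ambient kubeconfig but this verify step aborts with an undefined-variable error. Make the two consistent, e.g. `environment: "{{ {'KUBECONFIG': k8s_kubeconfig} if k8s_kubeconfig is defined else {} }}"`. Separately, the filter value `'sealed-secrets'` does not match the release name `sealedsecrets` that `tasks/deploy/sealedsecrets.yml` creates, so as written this assertion cannot pass against that deployment; whichever file is changed, both must use the same name.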