Loading README.md +3 −1 Original line number Diff line number Diff line # ansible_role-template # ansible_role-flux2_sops_age Bootstrap FluxCD2 with Mozilla SOPS and AGE key into Kubernetes. defaults/main.yml 0 → 100644 +4 −0 Original line number Diff line number Diff line --- flux_namespace: flux-system flux_branch: main requirements.yml 0 → 100644 +3 −0 Original line number Diff line number Diff line --- collections: - name: kubernetes.core tasks/main.yml 0 → 100644 +127 −0 Original line number Diff line number Diff line --- - name: Install pip3 system package become: true ansible.builtin.package: name: python3-pip state: present - name: Unprivileged tasks become: false block: - name: Install kubernetes support python user package ansible.builtin.pip: name: kubernetes state: present extra_args: --user - name: Download flux x64 when: ansible_facts.architecture == "x86_64" ansible.builtin.get_url: url: https://github.com/fluxcd/flux2/releases/download/v{{ flux_version | mandatory }}/flux_{{ flux_version | mandatory }}_linux_amd64.tar.gz checksum: sha256:https://github.com/fluxcd/flux2/releases/download/v{{ flux_version | mandatory }}/flux_{{ flux_version | mandatory }}_checksums.txt dest: "/tmp/flux_linux.tar.gz" mode: "0644" - name: Download flux arm64 when: - ( ansible_facts.architecture is search("arm") and ansible_facts.userspace_bits == "64" ) or ansible_facts.architecture is search("aarch64") ansible.builtin.get_url: url: https://github.com/fluxcd/flux2/releases/download/v{{ flux_version | mandatory }}/flux_{{ flux_version | mandatory }}_linux_arm64.tar.gz checksum: sha256:https://github.com/fluxcd/flux2/releases/download/v{{ flux_version | mandatory }}/flux_{{ flux_version | mandatory }}_checksums.txt dest: "/tmp/flux_linux.tar.gz" mode: "0644" - name: Download flux armhf when: - ansible_facts.architecture is search("arm") - ansible_facts.userspace_bits == "32" ansible.builtin.get_url: url: https://github.com/fluxcd/flux2/releases/download/v{{ flux_version | 
mandatory }}/flux_{{ flux_version | mandatory }}_linux_arm.tar.gz checksum: sha256:https://github.com/fluxcd/flux2/releases/download/v{{ flux_version | mandatory }}/flux_{{ flux_version | mandatory }}_checksums.txt dest: "/tmp/flux_linux.tar.gz" mode: "0644" - name: Create flux namespace kubernetes.core.k8s: api_version: v1 kind: Namespace name: "{{ flux_namespace }}" state: present - name: Apply secret manifest in flux namespace kubernetes.core.k8s: definition: apiVersion: v1 kind: Secret metadata: name: sops-age namespace: "{{ flux_namespace }}" type: Opaque stringData: age.agekey: | {{ age_key }} state: present apply: true - name: Create temporary directory for operations ansible.builtin.tempfile: state: directory suffix: -flux register: tempdir_1 - name: Unarchive flux binary to temporary directory ansible.builtin.unarchive: src: "/tmp/flux_linux.tar.gz" dest: "{{ tempdir_1.path }}" remote_src: true mode: "0755" - name: Template SSH private key to temporary directory ansible.builtin.copy: content: | # SSH private key {{ flux_ssh }} dest: "{{ tempdir_1.path }}/ssh_key" mode: "0600" - name: Clean previous runs of flux-init 1 ansible.legacy.systemd: name: flux-init state: stopped scope: user failed_when: false - name: Clean previous runs of flux-init 2 ansible.legacy.command: systemctl --user reset-failed flux-init failed_when: false changed_when: false - name: Bootstrap flux inside the transient flux-init service ansible.legacy.command: cmd: > systemd-run --user --service-type=oneshot --unit=flux-init --working-directory={{ tempdir_1.path }} {{ tempdir_1.path }}/flux bootstrap git --url="{{ flux_repository | mandatory }}" --branch "{{ flux_branch }}" --path="{{ flux_path | mandatory }}" --private-key-file="{{ tempdir_1.path }}/ssh_key" --namespace "{{ flux_namespace }}" --author-email "{{ flux_email | mandatory }}" --components-extra=image-reflector-controller,image-automation-controller --silent changed_when: false - name: Remove temporary directory for 
operations ansible.builtin.file: path: "{{ tempdir_1.path }}" state: absent Loading
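Review bot: The two tasks that handle private key material — "Apply secret manifest in flux namespace", which places `{{ age_key }}` into the Secret's stringData, and "Template SSH private key to temporary directory", which writes `{{ flux_ssh }}` through ansible.builtin.copy — carry no `no_log: true`, so the rendered module arguments, keys included, can appear in verbose (`-v`) and `--diff` output and in whatever captures the controller's log; add `no_log: true` to both tasks, and give `age_key` and `flux_ssh` the same `| mandatory` filter the other required variables already use so a missing key fails with a clear message. A second, smaller point: the flux tarball is fetched to the fixed, world-readable path `/tmp/flux_linux.tar.gz` (`mode: "0644"`) and never removed, while only `tempdir_1` is cleaned up at the end; moving the "Create temporary directory for operations" task ahead of the three download tasks and using `dest: "{{ tempdir_1.path }}/flux_linux.tar.gz"` keeps the artifact inside the role's private directory and deletes it with the rest. Lastly, `changed_when: false` on the bootstrap command hides a real state change, and the file mixes `ansible.legacy.*` with `ansible.builtin.*` module names, where the `ansible.builtin` form would be consistent. The same tasks/main.yml section is rendered a second time further down this page; the note applies there as well.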
README.md +3 −1 Original line number Diff line number Diff line # ansible_role-template # ansible_role-flux2_sops_age Bootstrap FluxCD2 with Mozilla SOPS and AGE key into Kubernetes.
defaults/main.yml 0 → 100644 +4 −0 Original line number Diff line number Diff line --- flux_namespace: flux-system flux_branch: main
requirements.yml 0 → 100644 +3 −0 Original line number Diff line number Diff line --- collections: - name: kubernetes.core
tasks/main.yml 0 → 100644 +127 −0 Original line number Diff line number Diff line --- - name: Install pip3 system package become: true ansible.builtin.package: name: python3-pip state: present - name: Unprivileged tasks become: false block: - name: Install kubernetes support python user package ansible.builtin.pip: name: kubernetes state: present extra_args: --user - name: Download flux x64 when: ansible_facts.architecture == "x86_64" ansible.builtin.get_url: url: https://github.com/fluxcd/flux2/releases/download/v{{ flux_version | mandatory }}/flux_{{ flux_version | mandatory }}_linux_amd64.tar.gz checksum: sha256:https://github.com/fluxcd/flux2/releases/download/v{{ flux_version | mandatory }}/flux_{{ flux_version | mandatory }}_checksums.txt dest: "/tmp/flux_linux.tar.gz" mode: "0644" - name: Download flux arm64 when: - ( ansible_facts.architecture is search("arm") and ansible_facts.userspace_bits == "64" ) or ansible_facts.architecture is search("aarch64") ansible.builtin.get_url: url: https://github.com/fluxcd/flux2/releases/download/v{{ flux_version | mandatory }}/flux_{{ flux_version | mandatory }}_linux_arm64.tar.gz checksum: sha256:https://github.com/fluxcd/flux2/releases/download/v{{ flux_version | mandatory }}/flux_{{ flux_version | mandatory }}_checksums.txt dest: "/tmp/flux_linux.tar.gz" mode: "0644" - name: Download flux armhf when: - ansible_facts.architecture is search("arm") - ansible_facts.userspace_bits == "32" ansible.builtin.get_url: url: https://github.com/fluxcd/flux2/releases/download/v{{ flux_version | mandatory }}/flux_{{ flux_version | mandatory }}_linux_arm.tar.gz checksum: sha256:https://github.com/fluxcd/flux2/releases/download/v{{ flux_version | mandatory }}/flux_{{ flux_version | mandatory }}_checksums.txt dest: "/tmp/flux_linux.tar.gz" mode: "0644" - name: Create flux namespace kubernetes.core.k8s: api_version: v1 kind: Namespace name: "{{ flux_namespace }}" state: present - name: Apply secret manifest in flux namespace 
kubernetes.core.k8s: definition: apiVersion: v1 kind: Secret metadata: name: sops-age namespace: "{{ flux_namespace }}" type: Opaque stringData: age.agekey: | {{ age_key }} state: present apply: true - name: Create temporary directory for operations ansible.builtin.tempfile: state: directory suffix: -flux register: tempdir_1 - name: Unarchive flux binary to temporary directory ansible.builtin.unarchive: src: "/tmp/flux_linux.tar.gz" dest: "{{ tempdir_1.path }}" remote_src: true mode: "0755" - name: Template SSH private key to temporary directory ansible.builtin.copy: content: | # SSH private key {{ flux_ssh }} dest: "{{ tempdir_1.path }}/ssh_key" mode: "0600" - name: Clean previous runs of flux-init 1 ansible.legacy.systemd: name: flux-init state: stopped scope: user failed_when: false - name: Clean previous runs of flux-init 2 ansible.legacy.command: systemctl --user reset-failed flux-init failed_when: false changed_when: false - name: Bootstrap flux inside the transient flux-init service ansible.legacy.command: cmd: > systemd-run --user --service-type=oneshot --unit=flux-init --working-directory={{ tempdir_1.path }} {{ tempdir_1.path }}/flux bootstrap git --url="{{ flux_repository | mandatory }}" --branch "{{ flux_branch }}" --path="{{ flux_path | mandatory }}" --private-key-file="{{ tempdir_1.path }}/ssh_key" --namespace "{{ flux_namespace }}" --author-email "{{ flux_email | mandatory }}" --components-extra=image-reflector-controller,image-automation-controller --silent changed_when: false - name: Remove temporary directory for operations ansible.builtin.file: path: "{{ tempdir_1.path }}" state: absent