Commit initial

Navas 2024-08-04 19:25:21 +02:00
commit fc686f458b
28 changed files with 941 additions and 0 deletions

8
.envrc Normal file

@ -0,0 +1,8 @@
# [ansible] devenir root apres s'être connecté avec un compte de service
export ANSIBLE_BECOME=true
# [ansible] url du serveur depuis lequel récupérer les ressources nécessaires
export AAP_RESSOURCES_URL="https://ansible-ressources.libretic.fr"
# [novops] chargement des secrets depuis vaultwarden
source <(novops load)
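Review bot: `AAP_RESSOURCES_URL` is hard-coded here while the same host is also declared as `ressources_fqdn` in the inventory group_vars, and `configure-awx.yml` pushes this value into the AWX resources credential through `awx_aap_ressources_url`, so a stale value here would silently point production jobs at the wrong server. A comment naming the variable it must agree with would help, e.g. `# must match ressources_fqdn in inventory/<env>/group_vars/all.yml`. `source <(novops load)` also exports every Bitwarden secret into the interactive shell's environment, where any child process inherits them; that is the novops model, but the comment above it should say so explicitly.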

4
.gitignore vendored Normal file

@ -0,0 +1,4 @@
collections/ansible_collections
roles/*
!roles/requirements.yml
!roles/awx

58
.novops.yml Normal file

@ -0,0 +1,58 @@
environments:
prod:
files:
# [ansible] clé privée pour connexion aux machines pilotées avec ANSIBLE_REMOTE_USER
- variable: ANSIBLE_PRIVATE_KEY_FILE
content:
bitwarden:
entry: aap_ansible_remote_user
field: notes
# [ansible] secret pour déchiffrer les vault
- variable: ANSIBLE_VAULT_PASSWORD_FILE
content:
bitwarden:
entry: aap_ansible_vault_password
field: login.password
variables:
# [ansible] identifiant de connexion aux machines pilotées
- name: ANSIBLE_REMOTE_USER
value:
bitwarden:
entry: "aap_ansible_remote_user"
field: login.username
# [awx] secret pour l'accès à git
- name: GIT_TOKEN_NAME
value:
bitwarden:
entry: "aap_svc_git_awx"
field: login.username
- name: GIT_TOKEN_SECRET
value:
bitwarden:
entry: "aap_svc_git_awx"
field: notes
# [awx] secret de connexion à awx pour setup-awx.yml
- name: TOWER_USERNAME
value:
bitwarden:
entry: "aap_awx_user"
field: login.username
- name: TOWER_PASSWORD
value:
bitwarden:
entry: "aap_awx_user"
field: login.password
# [ansible] secret pour la connexion au serveur de ressources
- name: AAP_RESSOURCES_USER
value:
bitwarden:
entry: "aap_ressources_user"
field: login.username
- name: AAP_RESSOURCES_PASSWORD
value:
bitwarden:
entry: "aap_ressources_user"
field: login.password
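Review bot: The SSH private key for `ANSIBLE_PRIVATE_KEY_FILE` is read from the Bitwarden `notes` field of `aap_ansible_remote_user` and materialised as a file, but nothing on the page states where novops writes it or with what permissions; a comment stating the expectation (a private, per-user runtime directory that does not outlive the shell) would let the next maintainer audit it. `prod` is the only environment defined and `.envrc` runs `novops load` without selecting one; if a second environment is ever added, the load will need an explicit selection, which is worth a one-line comment above `environments:`.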

15
CHANGELOG.md Normal file

@ -0,0 +1,15 @@
# **Registre des modifications** 📜📝
Les changements notables apportés au projet sont notés ici.
Document au format basé sur [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
Les versions de ce projet suivent les préconisations de [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
---
## [**0.1.0**] - 2024-08-04
* Première version

7
LICENSE Normal file

@ -0,0 +1,7 @@
Copyright (c) 2023 Libretic
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

54
README.md Normal file

@ -0,0 +1,54 @@
# AAP - Ansible Automation Platform
Installe un environnement ansible et AWX sur la base de k3s.
Inspiration :
- https://ansible.readthedocs.io/projects/awx-operator/en/latest/index.html
- https://github.com/kurokobo/awx-on-k3s/tree/main
## Prérequis
* [Environnement de développement préparé](https://wiki.libretic.fr/fr/technique/ansible/environnement_developpement)
* Installer les roles et collections nécessaires :
```bash
ansible-galaxy role install -f -r roles/requirements.yml -p roles/
ansible-galaxy collection install -f -r collections/requirements.yml -p collections/
```
## Composition d'un environnement
Un environnement est composé d'une machine ansible et d'une machine awx.
La machine ansible est utilisée :
- pour le développement des projets ansible jusqu'à leur mise en production dans AWX
- pour la mise à disposition auprès des playbooks ansible (de la machine ansible ou awx) des ressources internes nécessaires à la bonne exécution des playbooks et qui ne doivent pas être inclus dans les projets git, par exemple :
- les binaires
- les certificats (renouvelables indépendamment des versions de projet)
La machine awx est utilisée pour l'exécution des playbooks de production et leur orchestration.
### Création / configuration d'un environnement
* Création préalable des machines virtuelles mentionnées dans l'inventaire
* Poursuivre avec la configuration de l'environnement
```bash
ansible-playbook -i <environnement> setup-env.yml
```
## Préparation de l'instance AWX
Le playbook configure-awx.yml permet de configurer dans AWX les bases de configuration nécessaires pour la bonne mise en service des autres projets qui y seront configurés.
Les paramétrages par défaut des droits implantés l'instance awx sont définis dans vars/awx.yml.
L'instance awx à configurer et la version de l'environnement d'exécution awx qui y sera configuré sont définies par environnement, dans inventory/<environnement>/group_vars/awx.yml.
Pour finir la configuration de l'instance awx, lancer le playbook :
```bash
ansible-playbook -i <environnement> configure-awx.yml
```

13
ansible.cfg Normal file

@ -0,0 +1,13 @@
[defaults]
host_key_checking = False
ansible_managed = FICHIER SOUS CONTROLE D'ANSIBLE, ne pas editer directement
retry_files_enabled = False
stdout_callback = yaml
[privilege_escalation]
become = True
[ssh_connection]
pipelining = True
ssh_args = -o ControlMaster=auto -o ControlPersist=1800
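Review bot: `host_key_checking = False` disables SSH host-key verification for every connection these playbooks make, including the plays that push the wildcard private key and the AWX credentials to `lib-ansible` and `lib-awx`; with verification off, a redirected DNS entry or a host inserted on the path receives those secrets without any error. Since the inventory is a fixed set of mgmt hosts, the safer form is `host_key_checking = True` with the hosts' keys recorded in the controller's `known_hosts`, or `-o StrictHostKeyChecking=accept-new` added to `ssh_args` to pin keys on first contact. If it must stay off for bootstrap, a comment saying why and for how long makes the exception reviewable.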


@ -0,0 +1,10 @@
##
# installer avec :
# ansible-galaxy collection install -f -r collections/requirements.yml -p collections/
# une exclusion doit être ajoutée au .gitignore pour chaque dependance
###
collections:
- community.general
- ansible.posix
- community.docker
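Review bot: The playbooks in this commit use `awx.awx.organization`, `awx.awx.credential`, `awx.awx.project` and the other `awx.awx.*` modules, yet the `awx.awx` collection is not listed here, so a fresh `ansible-galaxy collection install -r collections/requirements.yml` as the header comment describes leaves `configure-awx.yml` unresolvable; add `- awx.awx` to the list. The file name is not shown on this page, but the install comment indicates this is `collections/requirements.yml`. `community.docker` is declared while nothing visible in the commit uses it — if a role needs it, a short comment saying which one would stop it from being dropped later.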

216
configure-awx.yml Normal file

@ -0,0 +1,216 @@
# code: language=ansible
- name: Setup awx configuration
hosts: localhost
gather_facts: false
vars_files:
- awx.yml
tasks:
# Configuration d'awx - préparatifs
- name: Définit _state
ansible.builtin.set_fact:
_state: "{{ awx_state | default('present') }}"
- name: Définition des organisations de base
awx.awx.organization:
controller_host: "{{ awx_controller_host }}"
controller_username: "{{ awx_controller_username }}"
controller_password: "{{ awx_controller_password }}"
name: "{{ awx_organization }}"
state: "{{ _state }}"
galaxy_credentials:
- "Ansible Galaxy"
- name: Définition du secret pour récuperer les projets depuis git
awx.awx.credential:
controller_host: "{{ awx_controller_host }}"
controller_username: "{{ awx_controller_username }}"
controller_password: "{{ awx_controller_password }}"
name: "{{ item.name }}"
organization: "{{ awx_organization }}"
credential_type: "Source Control"
description: "Secret d'accès d'AWX au repo git"
inputs:
username: "{{ item.username }}"
password: "{{ item.password }}"
with_items: "{{ awx_git_credentials }}"
no_log: true
when: _state == "present"
- name: Définition du secret ansible-vault utilisé dans les projets git
awx.awx.credential:
controller_host: "{{ awx_controller_host }}"
controller_username: "{{ awx_controller_username }}"
controller_password: "{{ awx_controller_password }}"
name: "{{ item.name }}"
organization: "{{ awx_organization }}"
credential_type: "Vault"
description: "Secret du ansible-vault pour le chiffrement dans les projets git"
inputs:
vault_password: "{{ item.password }}"
with_items: "{{ awx_vault_credentials }}"
no_log: true
when: _state == "present"
- name: Définition du secret de connexion aux machines
awx.awx.credential:
controller_host: "{{ awx_controller_host }}"
controller_username: "{{ awx_controller_username }}"
controller_password: "{{ awx_controller_password }}"
name: "{{ item.name }}"
description: "Clé d'accès pour se connecter aux machines"
organization: "{{ awx_organization }}"
credential_type: "Machine"
inputs:
username: "{{ item.username }}"
ssh_key_data: "{{ item.ssh_key_data }}"
with_items: "{{ awx_machine_credentials }}"
no_log: true
when: _state == "present"
- name: Définition du type de secret aap_ressources
awx.awx.credential_type:
controller_host: "{{ awx_controller_host }}"
controller_username: "{{ awx_controller_username }}"
controller_password: "{{ awx_controller_password }}"
name: "aap_ressources"
description: "Secrets pour se connecter à un serveur de ressources ansible"
state: "{{ _state }}"
kind: net
inputs: "{{ lookup('file', 'files/aap_ressources_credential_type_inputs.json') }}"
injectors: "{{ lookup('file', 'files/aap_ressources_credential_type_injectors.json') }}"
- name: Définition du secret de connexion au serveur de ressources Ansible
awx.awx.credential:
controller_host: "{{ awx_controller_host }}"
controller_username: "{{ awx_controller_username }}"
controller_password: "{{ awx_controller_password }}"
name: "{{ awx_aap_ressources_credential_name }}"
description: "Secrets pour se connecter au serveur de ressources ansible"
organization: "{{ awx_organization }}"
credential_type: "aap_ressources"
inputs:
url: "{{ awx_aap_ressources_url }}"
username: "{{ awx_aap_ressources_username }}"
password: "{{ awx_aap_ressources_password }}"
no_log: true
when: _state == "present"
# - name: Définition des environnements d'exécution
# awx.awx.execution_environment:
# controller_host: "{{ awx_controller_host }}"
# controller_username: "{{ awx_controller_username }}"
# controller_password: "{{ awx_controller_username }}"
# name: "{{ item.name }}-{{ item.version }}"
# image: "{{ item.image }}:{{ item.version }}"
# state: "{{ _state }}"
# with_items:
# - name: awx-ee-libretic
# image: "{{ awx_ee_image }}"
# version: "{{ awx_ee_version }}"
- name: Creation des équipes pour application des droits
awx.awx.team:
controller_host: "{{ awx_controller_host }}"
controller_username: "{{ awx_controller_username }}"
controller_password: "{{ awx_controller_password }}"
name: "{{ item.team }}"
organization: "{{ item.organization }}"
with_items:
- "{{ awx_team_list }}"
when: _state == "present"
- name: Affectation des droits aux équipes
awx.awx.role:
controller_host: "{{ awx_controller_host }}"
controller_username: "{{ awx_controller_username }}"
controller_password: "{{ awx_controller_password }}"
organizations: "{{ item.organization }}"
teams: "{{ item.team }}"
role: "{{ item.role }}"
with_items:
- "{{ awx_team_roles_list }}"
when: _state == "present"
# on vérifie ici car no_log de la tâche qui utilise empêche d'avoir une explication en cas d'oubli
- name: Vérifie que awx_custom_settings est défini (besoin que l'environnement soit précisé)
ansible.builtin.assert:
that:
- awx_custom_settings is defined
- name: Définition de paramètres spécifiques
awx.awx.settings:
controller_host: "{{ awx_controller_host }}"
controller_username: "{{ awx_controller_username }}"
controller_password: "{{ awx_controller_password }}"
settings: "{{ awx_custom_settings }}"
no_log: true
# Configuration d'awx - projet
- name: Définition du projet
awx.awx.project:
controller_host: "{{ awx_controller_host }}"
controller_username: "{{ awx_controller_username }}"
controller_password: "{{ awx_controller_password }}"
name: "{{ awx_project_name }}"
scm_type: git
scm_url: "{{ awx_project_url }}"
scm_update_on_launch: true
scm_update_cache_timeout: 60
scm_credential: "{{ awx_git_credential_name }}"
state: "{{ _state }}"
allow_override: true
organization: "{{ awx_organization }}"
default_environment: "{{ awx_ee }}"
- name: Définition de l'inventaire
awx.awx.inventory:
controller_host: "{{ awx_controller_host }}"
controller_username: "{{ awx_controller_username }}"
controller_password: "{{ awx_controller_password }}"
name: "{{ awx_project_name }}_{{ environnement }}"
state: "{{ _state }}"
organization: "{{ awx_organization }}"
- name: Définition de la source d'inventaire
awx.awx.inventory_source:
controller_host: "{{ awx_controller_host }}"
controller_username: "{{ awx_controller_username }}"
controller_password: "{{ awx_controller_password }}"
name: "{{ awx_project_name }}_{{ environnement }}"
inventory: "{{ awx_project_name }}_{{ environnement }}"
state: "{{ _state }}"
organization: "{{ awx_organization }}"
source: scm
source_project: "{{ awx_project_name }}"
source_path: "inventory/{{ environnement }}/hosts"
overwrite: true
update_on_launch: true
# les sources disparaissent avec l'inventaire qui les contient
when: _state == "present"
- name: Définition du playbook setup-env
awx.awx.job_template:
controller_host: "{{ awx_controller_host }}"
controller_username: "{{ awx_controller_username }}"
controller_password: "{{ awx_controller_password }}"
name: "{{ awx_project_name }}_{{ environnement }}_{{ item }}"
project: "{{ awx_project_name }}"
inventory: "{{ awx_project_name }}_{{ environnement }}"
state: "{{ _state }}"
organization: "{{ awx_organization }}"
job_type: run
playbook: "{{ item }}"
become_enabled: true
credentials:
- "{{ awx_vault_credential_name }}"
- "{{ awx_machine_credential_name }}"
- "{{ awx_aap_ressources_credential_name }}"
with_items:
- setup-env.yml
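Review bot: The commented-out execution-environment task sets `controller_password: "{{ awx_controller_username }}"`, so re-enabling it as written would authenticate with the username as the password and fail; change it to `controller_password: "{{ awx_controller_password }}"` before it is brought back. The project is created with `allow_override: true`, which lets anyone able to launch a job template select any branch or ref of the repository at launch time, bypassing whatever review the default branch gets; since Libretic-Admins receive `execute` on the organization, this deserves either `allow_override: false` or a comment stating the need. The credential tasks are guarded by `when: _state == "present"` instead of passing `state: "{{ _state }}"`, so a run with `awx_state: absent` leaves the git, vault and machine credentials in AWX — acceptable if intentional, but the `_state` comment should say so.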


@ -0,0 +1,7 @@
{
"env": {
"AAP_RESSOURCES_URL": "{{ url }}",
"AAP_RESSOURCES_USER": "{{ username }}",
"AAP_RESSOURCES_PASSWORD": "{{ password }}"
}
}
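Review bot: The three values are injected as plain environment variables of the job process, so every task and role in a job holding this credential can read `AAP_RESSOURCES_PASSWORD`, including roles fetched from git via `roles/requirements.yml`; the only control is which job templates the credential is attached to, and `configure-awx.yml` attaches it to every playbook in its `with_items` list. Keeping that list minimal and documenting next to the `aap_ressources` credential-type task that this credential grants read access to the private keys served by the resources host would make the exposure explicit, since JSON offers no place for that comment here. The file name is not shown on this page; the content matches the `injectors` file referenced from `configure-awx.yml`.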


@ -0,0 +1,25 @@
{
"fields": [
{
"id": "url",
"type": "string",
"label": "Ansible resources server URL"
},
{
"id": "username",
"type": "string",
"label": "Ansible resources user"
},
{
"id": "password",
"type": "string",
"label": "Ansible resources password",
"secret": true
}
],
"required": [
"url",
"username",
"password"
]
}
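Review bot: The `url` input is a free-form `"type": "string"` yet it becomes the base of `get_url` downloads in `roles/awx/tasks/main.yml`; AWX credential-type fields accept `"format": "url"`, which rejects malformed values when the credential is saved rather than when a job runs, so I would add `"format": "url"` to the first field (provided the deployed AWX version supports it). `password` is correctly `"secret": true` and `username` is not, which matches how `.novops.yml` treats the same pair. The file name is not shown on this page; the content matches the `inputs` file referenced from `configure-awx.yml`.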


@ -0,0 +1,13 @@
environnement: prod
awx_fqdn: awx.libretic.fr
ressources_fqdn: ansible-ressources.libretic.fr
awx_url: "https://{{ awx_fqdn }}"
# version d'awx-ee à configurer dans cet environnement
# awx_ee_version: "v0.1.3"
# awx_ee_image: "onavas/awx-ee-libretic"
awx_custom_settings:
TOWER_URL_BASE: "{{ awx_url }}"


@ -0,0 +1,4 @@
k3s_release_version: v1.29.2+k3s1
k3s_build_cluster: false
k3s_become: true


@ -0,0 +1,26 @@
# ansible-role-apache
apache_listen_ip: "*"
apache_listen_port: 80
apache_listen_port_ssl: 443
apache_create_vhosts: true
apache_vhosts:
- servername: "{{ ressources_fqdn }}"
documentroot: "/data1/httpd/ansible"
extra_parameters: |
Redirect permanent / https://"{{ ressources_fqdn }}"
apache_vhosts_ssl:
- servername: "{{ ressources_fqdn }}"
documentroot: "/data1/httpd/ansible"
certificate_file: "/etc/ssl/certs/libretic.fr.crt"
certificate_key_file: "/etc/ssl/private/libretic.fr.key"
options: +Indexes +FollowSymLinks
allow_override: "All"
extra_parameters: |
<Directory "/data1/httpd/ansible">
Require valid-user
AuthType Basic
AuthName "Please authenticate"
AuthUserFile /data1/httpd/ansible.htpasswd
</Directory>
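Review bot: The plain-HTTP vhost's `Redirect permanent / https://"{{ ressources_fqdn }}"` keeps the double quotes in the rendered Apache directive, so the Location header points at `https://"ansible-ressources.libretic.fr"`, which is not a valid URL; the line should read `Redirect permanent / https://{{ ressources_fqdn }}/`. On the TLS vhost, `Options +Indexes` on a document root that holds `libretic/cert/libretic.fr/privkey1.pem` lets any holder of the single shared basic-auth account browse and fetch every private key served there; if the playbooks only fetch known paths, `-Indexes` shrinks what a leaked `AAP_RESSOURCES_PASSWORD` exposes. The file name is not shown on this page; the variables indicate it is the `ressources` group_vars.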


@ -0,0 +1,10 @@
rp_vhost_fqdn: "{{ awx_fqdn }}"
rp_vhost_backend_proto: https
rp_vhost_backend_host: "{{ hostvars[groups['awx'][0]].ansible_host }}"
rp_vhost_access_policy: OpenAccessPolicy
rp_vhost_indexing: BlockCrawlerIndexing
rp_vhost_waf: "Off"
rp_vhost_cert: LIBRETICFR
rp_vhost_additional_conf: |
SSLProxyEngine On
ProxyErrorOverride Off
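Review bot: `rp_vhost_access_policy: OpenAccessPolicy` together with `rp_vhost_waf: "Off"` exposes the AWX controller — an administrative API that stores the vault password, the machine SSH key and the git token — to any source with no request filtering in front of it; the same pair appears in the `rp_ressources` group_vars section, whose backend serves private keys behind one basic-auth account. What these policy names mean is defined by the `rp_vhost` role, which is not on this page, so if open access with the WAF off is deliberate (for example because AWX's own authentication is trusted), a comment above each explaining why, and what the WAF broke, would make the exception reviewable. Otherwise a source-restricted policy, or at least the WAF left on for the resources vhost, is the safer default.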


@ -0,0 +1,9 @@
rp_vhost_fqdn: "{{ ressources_fqdn }}"
rp_vhost_backend_proto: https
rp_vhost_backend_host: "{{ hostvars[groups['ressources'][0]].ansible_host }}"
rp_vhost_access_policy: OpenAccessPolicy
rp_vhost_indexing: BlockCrawlerIndexing
rp_vhost_waf: "Off"
rp_vhost_cert: LIBRETICFR
rp_vhost_additional_conf: |
SSLProxyEngine On

20
inventory/prod/hosts Normal file

@ -0,0 +1,20 @@
[all]
lib-ansible ansible_host=lib-ansible.mgmt.libretic.fr
lib-awx ansible_host=lib-awx.mgmt.libretic.fr
lib-rp1-ressources ansible_host=lib-rp1.lan.libretic.fr
lib-rp1-awx ansible_host=lib-rp1.lan.libretic.fr
[awx]
lib-awx
[ansible]
lib-ansible
[ressources]
lib-ansible
[rp_ressources]
lib-rp1-ressources
[rp_awx]
lib-rp1-awx
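Review bot: `lib-rp1-ressources` and `lib-rp1-awx` are two aliases for the same machine `lib-rp1.lan.libretic.fr`, presumably so the `rp_vhost` role runs once per vhost with different group_vars; that intent is not visible in the file, and a comment such as `# lib-rp1 appears twice on purpose: one alias per reverse-proxy vhost (rp_ressources / rp_awx group_vars)` would stop someone from deduplicating it. `lib-ansible` likewise serves as both the `[ansible]` and `[ressources]` host, which the README states but this file does not.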


@ -0,0 +1,2 @@
awx_operator_version: 2.19.1
awx_namespace: awx


@ -0,0 +1,18 @@
- name: Deploie kustomization
listen: update-kustomization-operator
ansible.builtin.command: kubectl apply -k operator
changed_when: true
args:
chdir: /opt/awx
- name: Deploie kustomization
listen: update-kustomization-base
ansible.builtin.command: kubectl apply -k base
changed_when: true
args:
chdir: /opt/awx
- name: Pause 2 minutes
listen: pause2
ansible.builtin.pause:
minutes: 2
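Review bot: Both kustomization handlers are named `Deploie kustomization` and differ only in `listen`; duplicate handler names make the run output ambiguous and, should anyone ever notify by name rather than by topic, only one of them runs. Give them distinct names, e.g. `Deploie kustomization operator` and `Deploie kustomization base`. The `pause2` handler waits a fixed two minutes for the operator; `kubectl -n awx wait --for=condition=Available deployment/awx-operator-controller-manager --timeout=300s` would block exactly as long as needed and fail loudly instead of letting the `base` apply race an operator that is not ready yet. The file name is not shown on this page; the content corresponds to the handlers of `roles/awx`.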

89
roles/awx/tasks/main.yml Normal file

@ -0,0 +1,89 @@
- name: Paquets prérequis
ansible.builtin.package:
name:
- build-essential
- apparmor
- apparmor-utils
- curl
- jq
- git
- name: Configure bash completion pour kubectl
ansible.builtin.shell: |
kubectl completion bash > /etc/bash_completion.d/kubectl
args:
creates: /etc/bash_completion.d/kubectl
- name: Répertoire awx
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: "{{ item.mode }}"
with_items:
- path: /opt/awx
mode: u=rwx,g=rwx,o=
- path: /opt/awx/operator
mode: u=rwx,g=rwx,o=
- path: /opt/awx/base
mode: u=rwx,g=rwx,o=
- path: /data1/awx
mode: u=rwx,g=rwx,o=rx
- path: /data1/awx/postgres-15
mode: u=rwx,g=rwx,o=rx
- path: /data1/awx/projects
mode: u=rwx,g=rwx,o=rx
- name: Kustomization operator
ansible.builtin.template:
src: operator/kustomization.yaml
dest: "/opt/awx/operator/"
mode: u=rwx,g=rwx,o=
notify:
- update-kustomization-operator
- pause2
- name: Force exécution des handlers maintenant
ansible.builtin.meta: flush_handlers
- name: Kustomization base
ansible.builtin.template:
src: base/{{ item }}
dest: "/opt/awx/base/"
mode: u=rwx,g=rwx,o=
with_items:
- kustomization.yaml
- pv.yaml
- pvc.yaml
- awx.yaml
notify:
- update-kustomization-base
- name: Copie le certificat
ansible.builtin.get_url:
url: "{{ lookup('env', 'AAP_RESSOURCES_URL') }}/libretic/cert/libretic.fr/{{ item.src }}"
dest: "/opt/awx/base/{{ item.dest }}"
username: "{{ lookup('env', 'AAP_RESSOURCES_USER') }}"
password: "{{ lookup('env', 'AAP_RESSOURCES_PASSWORD') }}"
mode: u=rw,g=r,o=
owner: root
group: root
with_items:
- src: fullchain1.pem
dest: tls.crt
- src: privkey1.pem
dest: tls.key
notify:
- update-kustomization-base
- name: Force exécution des handlers maintenant
ansible.builtin.meta: flush_handlers
- name: Affiche message deploiement
ansible.builtin.debug:
msg: |
Le deploiement des pods kubernetes est en cours et peut prendre jusqu'à 15 minutes suivant l'environnement déployé.
Pour voir l'état des pods, exécuter :
kubectl -n awx get pods
Pour consulter les logs des tâches de déploiement, exécuter :
kubectl -n awx logs -f deployments/awx-operator-controller-manager
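Review bot: The `Copie le certificat` task uses `get_url` without `force: true`, so once `/opt/awx/base/tls.crt` and `tls.key` exist they are never fetched again; the README says certificates are renewed independently of project versions, so a re-run after renewal keeps the old certificate and never notifies `update-kustomization-base`. Adding `force: true` makes `get_url` re-download and report changed only when the content differs. The templates in `/opt/awx/base/` are written with `mode: u=rwx,g=rwx,o=` — execute bits on YAML files, and the rendered `kustomization.yaml` holds the Postgres and admin passwords in clear; `u=rw,g=,o=` is sufficient for `kubectl apply -k`.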


@ -0,0 +1,39 @@
# {{ ansible_managed }}
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: awx
spec:
admin_user: {{ awx_controller_username }}
admin_password_secret: awx-admin-password
ingress_type: ingress
ingress_hosts:
- hostname: {{ awx_fqdn }}
tls_secret: awx-secret-tls
postgres_configuration_secret: awx-postgres-configuration
postgres_data_volume_init: true
postgres_storage_class: awx-postgres-volume
postgres_storage_requirements:
requests:
storage: 3Gi
projects_persistence: true
projects_existing_claim: awx-projects-claim
web_replicas: 1
task_replicas: 1
web_resource_requirements: {}
task_resource_requirements: {}
ee_resource_requirements: {}
init_container_resource_requirements: {}
postgres_resource_requirements: {}
redis_resource_requirements: {}
rsyslog_resource_requirements: {}
# Uncomment to reveal "censored" logs
#no_log: false


@ -0,0 +1,35 @@
# {{ ansible_managed }}
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: awx
generatorOptions:
disableNameSuffixHash: true
secretGenerator:
- name: awx-secret-tls
type: kubernetes.io/tls
files:
- tls.crt
- tls.key
- name: awx-postgres-configuration
type: Opaque
literals:
- host=awx-postgres-15
- port=5432
- database=awx
- username=awx
- password={{ awx_controller_password }}
- type=managed
- name: awx-admin-password
type: Opaque
literals:
- password={{ awx_controller_password }}
resources:
- pv.yaml
- pvc.yaml
- awx.yaml
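Review bot: The same `awx_controller_password` feeds both the Postgres `password=` literal and the `awx-admin-password` secret, so the web admin password and the database password are one secret: whoever reads either (a database dump, the rendered file on disk, a job log) holds both. Use a dedicated variable for the database, e.g. `- password={{ awx_postgres_password }}` backed by its own Bitwarden entry in `.novops.yml` (the variable name is a suggestion). A comment above `secretGenerator:` noting that this rendered file contains live secrets, and therefore must keep a restrictive mode, would also help.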


@ -0,0 +1,30 @@
# {{ ansible_managed }}
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: awx-postgres-15-volume
spec:
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
capacity:
storage: 3Gi
storageClassName: awx-postgres-volume
hostPath:
path: /data1/awx/postgres-15
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: awx-projects-volume
spec:
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
capacity:
storage: 3Gi
storageClassName: awx-projects-volume
hostPath:
path: /data1/awx/projects


@ -0,0 +1,13 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: awx-projects-claim
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 3Gi
storageClassName: awx-projects-volume
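Review bot: Unlike its sibling templates, this PVC file has no `# {{ ansible_managed }}` first line, so the copy on the target host lacks the "do not edit" banner that `ansible.cfg` defines; add `# {{ ansible_managed }}` above `---` for consistency. Its `storage: 3Gi` request must stay within the `awx-projects-volume` capacity declared in `pv.yaml`, which is also `3Gi`; a comment tying the two numbers together would prevent one being bumped without the other.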


@ -0,0 +1,23 @@
# {{ ansible_managed }}
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Le namespace pour l'installation d'AWX
namespace: {{ awx_namespace }}
generatorOptions:
disableNameSuffixHash: true
secretGenerator:
- name: redhat-operators-pull-secret
literals:
- operator=awx
# Les tags possibles d'awx-operator sont ici : https://github.com/ansible/awx-operator/releases
resources:
- github.com/ansible/awx-operator/config/default?ref={{ awx_operator_version }}
# Il faut mentionner la même version d'awx-operator qu'au dessus
images:
- name: quay.io/ansible/awx-operator
newTag: {{ awx_operator_version }}
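Review bot: `resources:` fetches `github.com/ansible/awx-operator/config/default?ref={{ awx_operator_version }}` at `kubectl apply -k` time, and the variable is a git tag; tags are mutable, so a recreated tag upstream would change the cluster-wide operator manifests deployed here without any change in this repository. Pinning `ref=` to the release's commit SHA while keeping the image `newTag` at the version gives a reproducible install, and the comment on `images:` should then explain how to bump both together. The `redhat-operators-pull-secret` generator with the lone literal `operator=awx` appears to be required by the upstream manifests rather than by this project; a comment saying so would keep it from being removed as dead config.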

14
roles/requirements.yml Normal file

@ -0,0 +1,14 @@
###
# installer avec ansible-galaxy install -f -r roles/requirements.yml -p roles/
# une exclusion doit être ajoutée au .gitignore pour chaque dependance
###
- name: rp_vhost
src: git+https://git.libretic.fr/libretic/ansible-role-rp_vhost.git
- name: ansible-role-k3s
src: git+https://git.libretic.fr/libretic/ansible-role-k3s.git
version: v3.4.4
- name: ansible-role-apache
src: git+https://git.libretic.fr/libretic/ansible-role-apache.git
version: 4.0.0
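Review bot: `rp_vhost` has no `version:` while the two other roles are pinned, so each `ansible-galaxy install -f` pulls whatever the default branch of `ansible-role-rp_vhost` contains at that moment — and that role configures the Internet-facing vhosts for AWX and the resources server. Pin it like the others, e.g. `version: <tag-of-ansible-role-rp_vhost>`. The header comment gives `ansible-galaxy install` whereas the README uses `ansible-galaxy role install`; both work, but matching the README avoids confusion.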

116
setup-env.yml Normal file

@ -0,0 +1,116 @@
# code: language=ansible
- name: Setup ansible
hosts: ansible
tasks:
- name: Paquets prérequis
ansible.builtin.package:
name:
- python3-passlib # pour htpasswd
- direnv
- git
- unzip
- name: Installation de novops - executable
ansible.builtin.unarchive:
src: https://github.com/PierreBeucher/novops/releases/download/v0.15.0/novops_linux_x86_64.zip
dest: /usr/local/bin
creates: /usr/local/bin/novops
remote_src: true
tags: novops
- name: Installation de novops - chmod
ansible.builtin.file:
path: /usr/local/bin/novops
owner: root
group: root
mode: u=rwx,g=rx,o=rx
tags: novops
- name: Installation de bw cli - executable
ansible.builtin.unarchive:
src: https://github.com/bitwarden/cli/releases/download/v1.22.1/bw-linux-1.22.1.zip
dest: /usr/local/bin
creates: /usr/local/bin/bw
remote_src: true
tags: bwcli
- name: Installation de bw cli - chmod
ansible.builtin.file:
path: /usr/local/bin/bw
owner: root
group: root
mode: u=rwx,g=rx,o=rx
tags: bwcli
- name: Setup ressources
hosts: ressources
pre_tasks:
# Installation serveur de ressources apache
- name: Création du répertoire des ressources
ansible.builtin.file:
path: /data1/httpd/ansible
state: directory
owner: root
group: www-data
mode: u=rwx,g=rx,o=
tags: apache
- name: Définition du compte de service de lecture des ressources
community.general.htpasswd:
path: /data1/httpd/ansible.htpasswd
name: "{{ lookup('env', 'AAP_RESSOURCES_USER') }}"
password: "{{ lookup('env', 'AAP_RESSOURCES_PASSWORD') }}"
owner: root
group: www-data
mode: u=rw,g=r,o=
tags: apache
- name: Copie du certificat wildcard libretic
ansible.builtin.copy:
src: "/data1/httpd/ansible/libretic/cert/libretic.fr/cert1.pem"
dest: "/etc/ssl/certs/libretic.fr.crt"
remote_src: true
mode: u=rw,g=r,o=
tags: apache
- name: Copie de la clé wildcard libretic
ansible.builtin.copy:
src: "/data1/httpd/ansible/libretic/cert/libretic.fr/privkey1.pem"
dest: "/etc/ssl/private/libretic.fr.key"
mode: u=rw,g=r,o=
remote_src: true
tags: apache
roles:
- role: ansible-role-apache
tags: apache
- name: Setup rp pour ressources
hosts: rp_ressources
roles:
- role: rp_vhost
tags: rp_vhost_ressources
- name: Setup rp pour awx
hosts: rp_awx
roles:
- role: rp_vhost
tags: rp_vhost_awx
- name: Setup k3s
hosts: awx
become: false
roles:
- role: ansible-role-k3s
tags: k3s
- name: Setup awx
hosts: awx
vars_files:
- awx.yml
roles:
- role: awx
tags: awx
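Review bot: Both `unarchive` tasks fetch release zips straight from GitHub and unpack them into `/usr/local/bin` with no checksum, so the installed `novops` and `bw` binaries — the tools that later handle every Bitwarden secret — are whatever the URL serves at that moment. `ansible.builtin.unarchive` has no checksum option, so download with `get_url` and its `checksum:` first, then unpack the local file; the rewritten novops tasks are below and the `bw` pair follows the same shape. Separately, the resources play installs `cert1.pem` (leaf only) as `certificate_file` while the AWX side downloads `fullchain1.pem`; unless `ansible-role-apache` adds a chain file, clients of the resources host receive an incomplete chain, so `fullchain1.pem` is the safer source.
```yaml
    - name: Installation de novops - téléchargement
      ansible.builtin.get_url:
        url: https://github.com/PierreBeucher/novops/releases/download/v0.15.0/novops_linux_x86_64.zip
        dest: /usr/local/src/novops_linux_x86_64.zip
        checksum: "sha256:<SHA256_FROM_RELEASE_PAGE>"
        mode: u=rw,g=r,o=r
      tags: novops
    - name: Installation de novops - executable
      ansible.builtin.unarchive:
        src: /usr/local/src/novops_linux_x86_64.zip
        dest: /usr/local/bin
        creates: /usr/local/bin/novops
        remote_src: true
      tags: novops
    # … unchanged: chmod task, bw cli tasks (same get_url + unarchive shape), remaining plays …
```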

63
vars/awx.yml Normal file

@ -0,0 +1,63 @@
# Credentials de connexion à awx
awx_controller_host: "{{ awx_url }}" # ici on prend l'url de l'environnement désigné
awx_controller_username: "{{ controller_username | default(lookup('env', 'TOWER_USERNAME')) }}"
awx_controller_password: "{{ controller_password | default(lookup('env', 'TOWER_PASSWORD')) }}"
# Credentials git à définir dans awx
awx_git_credentials:
- name: "aap-git-token@git.libretic.fr"
username: "{{ lookup('env', 'GIT_TOKEN_NAME') }}"
password: "{{ lookup('env', 'GIT_TOKEN_SECRET') }}"
# Credentials vault à définir dans awx
awx_vault_credentials:
- name: "aap_ansible_vault_password"
password: "{{ lookup('file', lookup('env', 'ANSIBLE_VAULT_PASSWORD_FILE')) }}"
# Credentials ssh à définir dans awx
awx_machine_credentials:
- name: "aap_ansible_remote_user"
username: "{{ lookup('env', 'ANSIBLE_REMOTE_USER') }}"
ssh_key_data: "{{ lookup('file', lookup('env', 'ANSIBLE_PRIVATE_KEY_FILE')) }}"
# Credentials ssh à définir dans awx
awx_organization: "Libretic"
# Equipes qui doivent être créées dans AWX
awx_team_list:
- team: Libretic-Admins
organization: Libretic
# Roles à donner : lire : "team" peut "role" sur "organization"
awx_team_roles_list:
- team: Libretic-Admins
role: read
organization: Libretic
- team: Libretic-Admins
role: execute
organization: Libretic
- team: Libretic-Admins
role: approval
organization: Libretic
- team: Libretic-Admins
role: auditor
organization: Libretic
# pour connexion au serveur de ressources
awx_aap_ressources_credential_name: aap_ressources
awx_aap_ressources_url: "{{ lookup('env', 'AAP_RESSOURCES_URL') }}"
awx_aap_ressources_username: "{{ lookup('env', 'AAP_RESSOURCES_USER') }}"
awx_aap_ressources_password: "{{ lookup('env', 'AAP_RESSOURCES_PASSWORD') }}"
# Quel environnement d'exécution utiliser
awx_ee: "AWX EE (latest)"
#####
# Pour la mise en place du projet dans awx
#####
awx_git_credential_name: "aap-git-token@git.libretic.fr"
awx_vault_credential_name: "aap_ansible_vault_password"
awx_machine_credential_name: "aap_ansible_remote_user"
awx_project_name: libretic-aap
awx_project_url: https://git.libretic.fr/libretic/ansible-libretic-aap.git
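Review bot: `awx_git_credential_name`, `awx_vault_credential_name` and `awx_machine_credential_name` repeat by hand the `name:` values of `awx_git_credentials`, `awx_vault_credentials` and `awx_machine_credentials` above, so a rename in one list silently breaks the job template that references the other; derive them instead, e.g. `awx_git_credential_name: "{{ awx_git_credentials[0].name }}"`. The comment `# Credentials ssh à définir dans awx` above `awx_organization` is a copy-paste leftover and should describe the organization. `awx_controller_password` is also what `roles/awx/templates/base/kustomization.yaml` uses for the Postgres secret, which is worth stating here so nobody assumes it is only the web login.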