commit fc686f458b03c08a67ca7e4e77c2cfd51734ce53
Author: Olivier Navas
Date: Sun Aug 4 19:25:21 2024 +0200
Commit initial
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..59f2dc7
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,8 @@
+# [ansible] devenir root apres s'être connecté avec un compte de service
+export ANSIBLE_BECOME=true
+
+# [ansible] url du serveur depuis lequel récupérer les ressources nécessaires
+export AAP_RESSOURCES_URL="https://ansible-ressources.libretic.fr"
+
+# [novops] chargement des secrets depuis vaultwarden
+source <(novops load)
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9eccb62
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+collections/ansible_collections
+roles/*
+!roles/requirements.yml
+!roles/awx
diff --git a/.novops.yml b/.novops.yml
new file mode 100644
index 0000000..a7c4557
--- /dev/null
+++ b/.novops.yml
@@ -0,0 +1,58 @@ +environments: + prod: + files: + # [ansible] clé privée pour connexion aux machines pilotées avec ANSIBLE_REMOTE_USER + - variable: ANSIBLE_PRIVATE_KEY_FILE + content: + bitwarden: + entry: aap_ansible_remote_user + field: notes + # [ansible] secret pour déchiffrer les vault + - variable: ANSIBLE_VAULT_PASSWORD_FILE + content: + bitwarden: + entry: aap_ansible_vault_password + field: login.password + variables: + # [ansible] identifiant de connexion aux machines pilotées + - name: ANSIBLE_REMOTE_USER + value: + bitwarden: + entry: "aap_ansible_remote_user" + field: login.username + + # [awx] secret pour l'accès à git + - name: GIT_TOKEN_NAME + value: + bitwarden: + entry: "aap_svc_git_awx" + field: login.username + - name: GIT_TOKEN_SECRET + value: + bitwarden: + entry: "aap_svc_git_awx" + field: notes + + # [awx] secret de connexion à awx pour setup-awx.yml + - name: TOWER_USERNAME + value: + bitwarden: + entry: "aap_awx_user" + field: login.username + - name: TOWER_PASSWORD + value: + bitwarden: + entry: "aap_awx_user" + field: login.password + + # [ansible] secret pour la connexion au serveur de ressources + - name: AAP_RESSOURCES_USER + value: + bitwarden: + entry: "aap_ressources_user" + field: login.username + - name: AAP_RESSOURCES_PASSWORD + value: + bitwarden: + entry: "aap_ressources_user" + field: login.password diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..72f1c94 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,15 @@ +# **Registre des modifications** 📜📝 + +Les changements notables apportés au projet sont notés ici. + +Document au format basé sur [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). + +Les versions de ce projet suivent les préconisations de [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +--- + +## [**0.1.0**] - 2024-08-04 + +* Première version + + diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..4c2263b --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,7 @@ +Copyright (c) 2023 Libretic + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..75171c0 --- /dev/null +++ b/README.md 
@@ -0,0 +1,54 @@ +# AAP - Ansible Automation Platform + +Installe un environnement ansible et AWX sur la base de k3s. + +Inspiration : + - https://ansible.readthedocs.io/projects/awx-operator/en/latest/index.html + - https://github.com/kurokobo/awx-on-k3s/tree/main + + +## Prérequis + +* [Environnement de développement préparé](https://wiki.libretic.fr/fr/technique/ansible/environnement_developpement) +* Installer les roles et collections nécessaires : + +```bash +ansible-galaxy role install -f -r roles/requirements.yml -p roles/ +ansible-galaxy collection install -f -r collections/requirements.yml -p collections/ +``` + +## Composition d'un environnement + +Un environnement est composé d'une machine ansible et d'une machine awx. + +La machine ansible est utilisée : +- pour le développement des projets ansible jusqu'à leur mise en production dans AWX +- pour la mise à disposition auprès des playbooks ansible (de la machine ansible ou awx) des ressources internes nécessaires à la bonne exécution des playbooks et qui ne doivent pas être inclus dans les projets git, par exemple : + - les binaires + - les certificats (renouvelables indépendamment des versions de projet) + + +La machine awx est utilisée pour l'exécution des playbooks de production et leur orchestration. + + +### Création / configuration d'un environnement + +* Création préalable des machines virtuelles mentionnées dans l'inventaire +* Poursuivre avec la configuration de l'environnement +```bash +ansible-playbook -i setup-env.yml +``` + +## Préparation de l'instance AWX + +Le playbook configure-awx.yml permet de configurer dans AWX les bases de configuration nécessaires pour la bonne mise en service des autres projets qui y seront configurés. + +Les paramétrages par défaut des droits implantés l'instance awx sont définis dans vars/awx.yml. 
+ +L'instance awx à configurer et la version de l'environnement d'exécution awx qui y sera configuré sont définies par environnement, dans inventory//group_vars/awx.yml. + +Pour finir la configuration de l'instance awx, lancer le playbook : + +```bash +ansible-playbook -i configure-awx.yml +``` diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..f232676 --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,13 @@ +[defaults] +host_key_checking = False +ansible_managed = FICHIER SOUS CONTROLE D'ANSIBLE, ne pas editer directement +retry_files_enabled = False +stdout_callback = yaml + +[privilege_escalation] +become = True + +[ssh_connection] +pipelining = True +ssh_args = -o ControlMaster=auto -o ControlPersist=1800 + diff --git a/collections/requirements.yml b/collections/requirements.yml new file mode 100644 index 0000000..f0552cb --- /dev/null +++ b/collections/requirements.yml @@ -0,0 +1,10 @@ +## +# installer avec : +# ansible-galaxy collection install -f -r collections/requirements.yml -p collections/ +# une exclusion doit être ajoutée au .gitignore pour chaque dependance +### + +collections: + - community.general + - ansible.posix + - community.docker diff --git a/configure-awx.yml b/configure-awx.yml new file mode 100644 index 0000000..cda7921 --- /dev/null +++ b/configure-awx.yml 
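Review bot: `host_key_checking = False` in the `[defaults]` section of ansible.cfg turns off SSH host-key verification for every connection this project makes, so any host answering for lib-awx or lib-ansible is accepted without a check; for a fixed production inventory it is better to distribute the known_hosts entries and drop the line, or enable it only for first-contact provisioning runs. `become = True` under `[privilege_escalation]` duplicates `ANSIBLE_BECOME=true` in `.envrc`; keeping it in one place avoids the two drifting apart.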
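Review bot: `configure-awx.yml` calls `awx.awx.organization`, `awx.awx.credential` and the other `awx.awx.*` modules, but the `awx.awx` collection is missing from this requirements file, so a fresh checkout following the README's `ansible-galaxy collection install` line fails on the first task of that playbook; add `- awx.awx` to the `collections:` list. None of the three entries pins a version, so two installs can resolve to different collection releases; the `- name: <collection>` / `version: "<tested version>"` form (placeholders) makes the environment reproducible.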
@@ -0,0 +1,216 @@ +# code: language=ansible + +- name: Setup awx configuration + hosts: localhost + gather_facts: false + vars_files: + - awx.yml + + tasks: + + # Configuration d'awx - préparatifs + + - name: Définit _state + ansible.builtin.set_fact: + _state: "{{ awx_state | default('present') }}" + + - name: Définition des organisations de base + awx.awx.organization: + controller_host: "{{ awx_controller_host }}" + controller_username: "{{ awx_controller_username }}" + controller_password: "{{ awx_controller_password }}" + name: "{{ awx_organization }}" + state: "{{ _state }}" + galaxy_credentials: + - "Ansible Galaxy" + + - name: Définition du secret pour récuperer les projets depuis git + awx.awx.credential: + controller_host: "{{ awx_controller_host }}" + controller_username: "{{ awx_controller_username }}" + controller_password: "{{ awx_controller_password }}" + name: "{{ item.name }}" + organization: "{{ awx_organization }}" + credential_type: "Source Control" + description: "Secret d'accès d'AWX au repo git" + inputs: + username: "{{ item.username }}" + password: "{{ item.password }}" + with_items: "{{ awx_git_credentials }}" + no_log: true + when: _state == "present" + + - name: Définition du secret ansible-vault utilisé dans les projets git + awx.awx.credential: + controller_host: "{{ awx_controller_host }}" + controller_username: "{{ awx_controller_username }}" + controller_password: "{{ awx_controller_password }}" + name: "{{ item.name }}" + organization: "{{ awx_organization }}" + credential_type: "Vault" + description: "Secret du ansible-vault pour le chiffrement dans les projets git" + inputs: + vault_password: "{{ item.password }}" + with_items: "{{ awx_vault_credentials }}" + no_log: true + when: _state == "present" + + - name: Définition du secret de connexion aux machines + awx.awx.credential: + controller_host: "{{ awx_controller_host }}" + controller_username: "{{ awx_controller_username }}" + controller_password: "{{ awx_controller_password 
}}" + name: "{{ item.name }}" + description: "Clé d'accès pour se connecter aux machines" + organization: "{{ awx_organization }}" + credential_type: "Machine" + inputs: + username: "{{ item.username }}" + ssh_key_data: "{{ item.ssh_key_data }}" + with_items: "{{ awx_machine_credentials }}" + no_log: true + when: _state == "present" + + - name: Définition du type de secret aap_ressources + awx.awx.credential_type: + controller_host: "{{ awx_controller_host }}" + controller_username: "{{ awx_controller_username }}" + controller_password: "{{ awx_controller_password }}" + name: "aap_ressources" + description: "Secrets pour se connecter à un serveur de ressources ansible" + state: "{{ _state }}" + kind: net + inputs: "{{ lookup('file', 'files/aap_ressources_credential_type_inputs.json') }}" + injectors: "{{ lookup('file', 'files/aap_ressources_credential_type_injectors.json') }}" + + - name: Définition du secret de connexion au serveur de ressources Ansible + awx.awx.credential: + controller_host: "{{ awx_controller_host }}" + controller_username: "{{ awx_controller_username }}" + controller_password: "{{ awx_controller_password }}" + name: "{{ awx_aap_ressources_credential_name }}" + description: "Secrets pour se connecter au serveur de ressources ansible" + organization: "{{ awx_organization }}" + credential_type: "aap_ressources" + inputs: + url: "{{ awx_aap_ressources_url }}" + username: "{{ awx_aap_ressources_username }}" + password: "{{ awx_aap_ressources_password }}" + no_log: true + when: _state == "present" + + + # - name: Définition des environnements d'exécution + # awx.awx.execution_environment: + # controller_host: "{{ awx_controller_host }}" + # controller_username: "{{ awx_controller_username }}" + # controller_password: "{{ awx_controller_username }}" + # name: "{{ item.name }}-{{ item.version }}" + # image: "{{ item.image }}:{{ item.version }}" + # state: "{{ _state }}" + # with_items: + # - name: awx-ee-libretic + # image: "{{ awx_ee_image }}" + # 
version: "{{ awx_ee_version }}" + + - name: Creation des équipes pour application des droits + awx.awx.team: + controller_host: "{{ awx_controller_host }}" + controller_username: "{{ awx_controller_username }}" + controller_password: "{{ awx_controller_password }}" + name: "{{ item.team }}" + organization: "{{ item.organization }}" + with_items: + - "{{ awx_team_list }}" + when: _state == "present" + + - name: Affectation des droits aux équipes + awx.awx.role: + controller_host: "{{ awx_controller_host }}" + controller_username: "{{ awx_controller_username }}" + controller_password: "{{ awx_controller_password }}" + organizations: "{{ item.organization }}" + teams: "{{ item.team }}" + role: "{{ item.role }}" + with_items: + - "{{ awx_team_roles_list }}" + when: _state == "present" + + # on vérifie ici car no_log de la tâche qui utilise empêche d'avoir une explication en cas d'oubli + - name: Vérifie que awx_custom_settings est défini (besoin que l'environnement soit précisé) + ansible.builtin.assert: + that: + - awx_custom_settings is defined + + - name: Définition de paramètres spécifiques + awx.awx.settings: + controller_host: "{{ awx_controller_host }}" + controller_username: "{{ awx_controller_username }}" + controller_password: "{{ awx_controller_password }}" + settings: "{{ awx_custom_settings }}" + no_log: true + + + # Configuration d'awx - projet + + - name: Définition du projet + awx.awx.project: + controller_host: "{{ awx_controller_host }}" + controller_username: "{{ awx_controller_username }}" + controller_password: "{{ awx_controller_password }}" + name: "{{ awx_project_name }}" + scm_type: git + scm_url: "{{ awx_project_url }}" + scm_update_on_launch: true + scm_update_cache_timeout: 60 + scm_credential: "{{ awx_git_credential_name }}" + state: "{{ _state }}" + allow_override: true + organization: "{{ awx_organization }}" + default_environment: "{{ awx_ee }}" + + - name: Définition de l'inventaire + awx.awx.inventory: + controller_host: "{{ 
awx_controller_host }}" + controller_username: "{{ awx_controller_username }}" + controller_password: "{{ awx_controller_password }}" + name: "{{ awx_project_name }}_{{ environnement }}" + state: "{{ _state }}" + organization: "{{ awx_organization }}" + + - name: Définition de la source d'inventaire + awx.awx.inventory_source: + controller_host: "{{ awx_controller_host }}" + controller_username: "{{ awx_controller_username }}" + controller_password: "{{ awx_controller_password }}" + name: "{{ awx_project_name }}_{{ environnement }}" + inventory: "{{ awx_project_name }}_{{ environnement }}" + state: "{{ _state }}" + organization: "{{ awx_organization }}" + source: scm + source_project: "{{ awx_project_name }}" + source_path: "inventory/{{ environnement }}/hosts" + overwrite: true + update_on_launch: true + # les sources disparaissent avec l'inventaire qui les contient + when: _state == "present" + + - name: Définition du playbook setup-env + awx.awx.job_template: + controller_host: "{{ awx_controller_host }}" + controller_username: "{{ awx_controller_username }}" + controller_password: "{{ awx_controller_password }}" + name: "{{ awx_project_name }}_{{ environnement }}_{{ item }}" + project: "{{ awx_project_name }}" + inventory: "{{ awx_project_name }}_{{ environnement }}" + state: "{{ _state }}" + organization: "{{ awx_organization }}" + job_type: run + playbook: "{{ item }}" + become_enabled: true + credentials: + - "{{ awx_vault_credential_name }}" + - "{{ awx_machine_credential_name }}" + - "{{ awx_aap_ressources_credential_name }}" + with_items: + - setup-env.yml diff --git a/files/aap_ressources_credential_type_injectors.json b/files/aap_ressources_credential_type_injectors.json new file mode 100644 index 0000000..ed8aa9a --- /dev/null +++ b/files/aap_ressources_credential_type_injectors.json @@ -0,0 +1,7 @@ +{ + "env": { + "AAP_RESSOURCES_URL": "{{ url }}", + "AAP_RESSOURCES_USER": "{{ username }}", + "AAP_RESSOURCES_PASSWORD": "{{ password }}" + } +} 
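Review bot: The commented-out `Définition des environnements d'exécution` task sets `controller_password: "{{ awx_controller_username }}"`, so the moment it is uncommented it authenticates with the username as the password; correct it now to `controller_password: "{{ awx_controller_password }}"` so the slip is not carried over when the EE variables in `group_vars/all.yml` are re-enabled. Every task in the play repeats the three `controller_*` arguments; a play-level `module_defaults` entry for the `group/awx.awx.controller` action group would remove that repetition and keep the credentials in one place. `allow_override: true` on the `awx.awx.project` task lets any job template on the project run an arbitrary branch or revision — presumably deliberate, but worth a comment next to it, since the `setup-env` job template runs with `become_enabled: true` and the machine credential.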
diff --git a/files/aap_ressources_credential_type_inputs.json b/files/aap_ressources_credential_type_inputs.json new file mode 100644 index 0000000..e1142ef --- /dev/null +++ b/files/aap_ressources_credential_type_inputs.json @@ -0,0 +1,25 @@ +{ + "fields": [ + { + "id": "url", + "type": "string", + "label": "Ansible resources server URL" + }, + { + "id": "username", + "type": "string", + "label": "Ansible resources user" + }, + { + "id": "password", + "type": "string", + "label": "Ansible resources password", + "secret": true + } + ], + "required": [ + "url", + "username", + "password" + ] +} diff --git a/inventory/prod/group_vars/all.yml b/inventory/prod/group_vars/all.yml new file mode 100644 index 0000000..873c5f3 --- /dev/null +++ b/inventory/prod/group_vars/all.yml @@ -0,0 +1,13 @@ +environnement: prod + +awx_fqdn: awx.libretic.fr +ressources_fqdn: ansible-ressources.libretic.fr + +awx_url: "https://{{ awx_fqdn }}" + +# version d'awx-ee à configurer dans cet environnement +# awx_ee_version: "v0.1.3" +# awx_ee_image: "onavas/awx-ee-libretic" + +awx_custom_settings: + TOWER_URL_BASE: "{{ awx_url }}" diff --git a/inventory/prod/group_vars/awx.yml b/inventory/prod/group_vars/awx.yml new file mode 100644 index 0000000..1640370 --- /dev/null +++ b/inventory/prod/group_vars/awx.yml @@ -0,0 +1,4 @@ +k3s_release_version: v1.29.2+k3s1 +k3s_build_cluster: false +k3s_become: true + diff --git a/inventory/prod/group_vars/ressources.yml b/inventory/prod/group_vars/ressources.yml new file mode 100644 index 0000000..054a1fd --- /dev/null +++ b/inventory/prod/group_vars/ressources.yml 
@@ -0,0 +1,26 @@ +# ansible-role-apache +apache_listen_ip: "*" +apache_listen_port: 80 +apache_listen_port_ssl: 443 +apache_create_vhosts: true + +apache_vhosts: + - servername: "{{ ressources_fqdn }}" + documentroot: "/data1/httpd/ansible" + extra_parameters: | + Redirect permanent / https://"{{ ressources_fqdn }}" + +apache_vhosts_ssl: + - servername: "{{ ressources_fqdn }}" + documentroot: "/data1/httpd/ansible" + certificate_file: "/etc/ssl/certs/libretic.fr.crt" + certificate_key_file: "/etc/ssl/private/libretic.fr.key" + options: +Indexes +FollowSymLinks + allow_override: "All" + extra_parameters: | + + Require valid-user + AuthType Basic + AuthName "Please authenticate" + AuthUserFile /data1/httpd/ansible.htpasswd + diff --git a/inventory/prod/group_vars/rp_awx.yml b/inventory/prod/group_vars/rp_awx.yml new file mode 100644 index 0000000..787cef4 --- /dev/null +++ b/inventory/prod/group_vars/rp_awx.yml @@ -0,0 +1,10 @@ +rp_vhost_fqdn: "{{ awx_fqdn }}" +rp_vhost_backend_proto: https +rp_vhost_backend_host: "{{ hostvars[groups['awx'][0]].ansible_host }}" +rp_vhost_access_policy: OpenAccessPolicy +rp_vhost_indexing: BlockCrawlerIndexing +rp_vhost_waf: "Off" +rp_vhost_cert: LIBRETICFR +rp_vhost_additional_conf: | + SSLProxyEngine On + ProxyErrorOverride Off diff --git a/inventory/prod/group_vars/rp_ressources.yml b/inventory/prod/group_vars/rp_ressources.yml new file mode 100644 index 0000000..fec3d70 --- /dev/null +++ b/inventory/prod/group_vars/rp_ressources.yml @@ -0,0 +1,9 @@ +rp_vhost_fqdn: "{{ ressources_fqdn }}" +rp_vhost_backend_proto: https +rp_vhost_backend_host: "{{ hostvars[groups['ressources'][0]].ansible_host }}" +rp_vhost_access_policy: OpenAccessPolicy +rp_vhost_indexing: BlockCrawlerIndexing +rp_vhost_waf: "Off" +rp_vhost_cert: LIBRETICFR +rp_vhost_additional_conf: | + SSLProxyEngine On diff --git a/inventory/prod/hosts b/inventory/prod/hosts new file mode 100644 index 0000000..bf9e14a --- /dev/null +++ b/inventory/prod/hosts 
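Review bot: The plain-HTTP vhost in `apache_vhosts` serves the same `documentroot` (`/data1/httpd/ansible`) as the TLS vhost but carries no `Require valid-user`, so the Basic-Auth protection of the resources tree — which, per `setup-env.yml` and `roles/awx/tasks/main.yml`, holds `privkey1.pem` — rests entirely on the `Redirect` line. That line is written as `https://"{{ ressources_fqdn }}"` inside a literal block scalar, so the double quotes are emitted into the Apache config and the redirect target is probably not the intended URL; it should read `Redirect permanent / https://{{ ressources_fqdn }}/`. Giving the port-80 vhost an empty or separate documentroot would keep a broken redirect from ever exposing the tree, and `+Indexes` on a tree containing private keys deserves a second look. The directive wrapping `Require valid-user` is not visible in this rendering, so I cannot confirm the auth scope.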
@@ -0,0 +1,20 @@
+[all]
+lib-ansible ansible_host=lib-ansible.mgmt.libretic.fr
+lib-awx ansible_host=lib-awx.mgmt.libretic.fr
+lib-rp1-ressources ansible_host=lib-rp1.lan.libretic.fr
+lib-rp1-awx ansible_host=lib-rp1.lan.libretic.fr
+
+[awx]
+lib-awx
+
+[ansible]
+lib-ansible
+
+[ressources]
+lib-ansible
+
+[rp_ressources]
+lib-rp1-ressources
+
+[rp_awx]
+lib-rp1-awx
diff --git a/roles/awx/defaults/main.yml b/roles/awx/defaults/main.yml
new file mode 100644
index 0000000..cc81598
--- /dev/null
+++ b/roles/awx/defaults/main.yml
@@ -0,0 +1,2 @@
+awx_operator_version: 2.19.1
+awx_namespace: awx
diff --git a/roles/awx/handlers/main.yml b/roles/awx/handlers/main.yml
new file mode 100644
index 0000000..713ca41
--- /dev/null
+++ b/roles/awx/handlers/main.yml
@@ -0,0 +1,18 @@
+- name: Deploie kustomization
+ listen: update-kustomization-operator
+ ansible.builtin.command: kubectl apply -k operator
+ changed_when: true
+ args:
+ chdir: /opt/awx
+
+- name: Deploie kustomization
+ listen: update-kustomization-base
+ ansible.builtin.command: kubectl apply -k base
+ changed_when: true
+ args:
+ chdir: /opt/awx
+
+- name: Pause 2 minutes
+ listen: pause2
+ ansible.builtin.pause:
+ minutes: 2
diff --git a/roles/awx/tasks/main.yml b/roles/awx/tasks/main.yml
new file mode 100644
index 0000000..476a55b
--- /dev/null
+++ b/roles/awx/tasks/main.yml
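Review bot: Both kustomization handlers in roles/awx/handlers/main.yml carry the same `name: Deploie kustomization`; they are reached through `listen`, so they still fire, but handlers are keyed by name, ansible-lint reports the duplicate, and the play output cannot tell the two applies apart. Give each a distinct name, e.g. `- name: Deploie kustomization operator` and `- name: Deploie kustomization base`. The `Pause 2 minutes` handler is a fixed sleep; a `kubectl wait --for=condition=Available deployment/awx-operator-controller-manager -n awx --timeout=<limit>` (placeholder) would return as soon as the operator is up and fail loudly when it is not.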
@@ -0,0 +1,89 @@ +- name: Paquets prérequis + ansible.builtin.package: + name: + - build-essential + - apparmor + - apparmor-utils + - curl + - jq + - git + +- name: Configure bash completion pour kubectl + ansible.builtin.shell: | + kubectl completion bash > /etc/bash_completion.d/kubectl + args: + creates: /etc/bash_completion.d/kubectl + +- name: Répertoire awx + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: "{{ item.mode }}" + with_items: + - path: /opt/awx + mode: u=rwx,g=rwx,o= + - path: /opt/awx/operator + mode: u=rwx,g=rwx,o= + - path: /opt/awx/base + mode: u=rwx,g=rwx,o= + - path: /data1/awx + mode: u=rwx,g=rwx,o=rx + - path: /data1/awx/postgres-15 + mode: u=rwx,g=rwx,o=rx + - path: /data1/awx/projects + mode: u=rwx,g=rwx,o=rx + +- name: Kustomization operator + ansible.builtin.template: + src: operator/kustomization.yaml + dest: "/opt/awx/operator/" + mode: u=rwx,g=rwx,o= + notify: + - update-kustomization-operator + - pause2 + +- name: Force exécution des handlers maintenant + ansible.builtin.meta: flush_handlers + +- name: Kustomization base + ansible.builtin.template: + src: base/{{ item }} + dest: "/opt/awx/base/" + mode: u=rwx,g=rwx,o= + with_items: + - kustomization.yaml + - pv.yaml + - pvc.yaml + - awx.yaml + notify: + - update-kustomization-base + +- name: Copie le certificat + ansible.builtin.get_url: + url: "{{ lookup('env', 'AAP_RESSOURCES_URL') }}/libretic/cert/libretic.fr/{{ item.src }}" + dest: "/opt/awx/base/{{ item.dest }}" + username: "{{ lookup('env', 'AAP_RESSOURCES_USER') }}" + password: "{{ lookup('env', 'AAP_RESSOURCES_PASSWORD') }}" + mode: u=rw,g=r,o= + owner: root + group: root + with_items: + - src: fullchain1.pem + dest: tls.crt + - src: privkey1.pem + dest: tls.key + notify: + - update-kustomization-base + +- name: Force exécution des handlers maintenant + ansible.builtin.meta: flush_handlers + +- name: Affiche message deploiement + ansible.builtin.debug: + msg: | + Le deploiement des pods 
kubernetes est en cours et peut prendre jusqu'à 15 minutes suivant l'environnement déployé. + Pour voir l'état des pods, exécuter : + kubectl -n awx get pods + + Pour consulter les logs des tâches de déploiement, exécuter : + kubectl -n awx logs -f deployments/awx-operator-controller-manager diff --git a/roles/awx/templates/base/awx.yaml b/roles/awx/templates/base/awx.yaml new file mode 100644 index 0000000..1c686c1 --- /dev/null +++ b/roles/awx/templates/base/awx.yaml @@ -0,0 +1,39 @@ +# {{ ansible_managed }} +--- +apiVersion: awx.ansible.com/v1beta1 +kind: AWX +metadata: + name: awx +spec: + admin_user: {{ awx_controller_username }} + admin_password_secret: awx-admin-password + + ingress_type: ingress + ingress_hosts: + - hostname: {{ awx_fqdn }} + tls_secret: awx-secret-tls + + postgres_configuration_secret: awx-postgres-configuration + + postgres_data_volume_init: true + postgres_storage_class: awx-postgres-volume + postgres_storage_requirements: + requests: + storage: 3Gi + + projects_persistence: true + projects_existing_claim: awx-projects-claim + + web_replicas: 1 + task_replicas: 1 + + web_resource_requirements: {} + task_resource_requirements: {} + ee_resource_requirements: {} + init_container_resource_requirements: {} + postgres_resource_requirements: {} + redis_resource_requirements: {} + rsyslog_resource_requirements: {} + + # Uncomment to reveal "censored" logs + #no_log: false diff --git a/roles/awx/templates/base/kustomization.yaml b/roles/awx/templates/base/kustomization.yaml new file mode 100644 index 0000000..8e9c2e2 --- /dev/null +++ b/roles/awx/templates/base/kustomization.yaml 
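Review bot: The `Kustomization operator` and `Kustomization base` template tasks write their rendered files with `mode: u=rwx,g=rwx,o=`, and `base/kustomization.yaml` contains `awx_controller_password` in clear text in two secret literals; execute and group-write bits serve no purpose for files `kubectl apply -k` only reads, so `mode: u=rw,g=r,o=` is the tighter choice and matches what `Copie le certificat` already applies to `tls.key`. The first `flush_handlers` runs the operator apply plus a fixed 2-minute pause before `base` is applied; if the operator CRDs are not ready by then, `kubectl apply -k base` fails, so a readiness wait on the operator deployment would be more robust than the pause. The enclosing task list continues past this hunk, so I have not reviewed the rest of the role.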
@@ -0,0 +1,35 @@ +# {{ ansible_managed }} +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: awx + +generatorOptions: + disableNameSuffixHash: true + +secretGenerator: + - name: awx-secret-tls + type: kubernetes.io/tls + files: + - tls.crt + - tls.key + + - name: awx-postgres-configuration + type: Opaque + literals: + - host=awx-postgres-15 + - port=5432 + - database=awx + - username=awx + - password={{ awx_controller_password }} + - type=managed + + - name: awx-admin-password + type: Opaque + literals: + - password={{ awx_controller_password }} + +resources: + - pv.yaml + - pvc.yaml + - awx.yaml diff --git a/roles/awx/templates/base/pv.yaml b/roles/awx/templates/base/pv.yaml new file mode 100644 index 0000000..aef5b13 --- /dev/null +++ b/roles/awx/templates/base/pv.yaml @@ -0,0 +1,30 @@ +# {{ ansible_managed }} +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: awx-postgres-15-volume +spec: + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + capacity: + storage: 3Gi + storageClassName: awx-postgres-volume + hostPath: + path: /data1/awx/postgres-15 + +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: awx-projects-volume +spec: + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + capacity: + storage: 3Gi + storageClassName: awx-projects-volume + hostPath: + path: /data1/awx/projects diff --git a/roles/awx/templates/base/pvc.yaml b/roles/awx/templates/base/pvc.yaml new file mode 100644 index 0000000..1032c70 --- /dev/null +++ b/roles/awx/templates/base/pvc.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: awx-projects-claim +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 3Gi + storageClassName: awx-projects-volume diff --git a/roles/awx/templates/operator/kustomization.yaml b/roles/awx/templates/operator/kustomization.yaml new file mode 100644 index 0000000..83d6314 
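Review bot: In `base/kustomization.yaml` the `awx-postgres-configuration` secret and the `awx-admin-password` secret both use `password={{ awx_controller_password }}`, so the AWX web admin password doubles as the PostgreSQL password; compromise of either component exposes the other, and rotating one forces rotating both. Use a dedicated value for the database, e.g. `- password={{ awx_postgres_password }}` with the variable sourced from its own secret entry. `disableNameSuffixHash: true` also means a changed literal does not roll the pods on its own, which is worth a one-line comment next to `generatorOptions`.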
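Review bot: `base/pvc.yaml` is the only template under `roles/awx/templates/base` without the `# {{ ansible_managed }}` header that `awx.yaml`, `kustomization.yaml` and `pv.yaml` start with; adding it keeps the deployed file marked as managed, as the `ansible_managed` string in `ansible.cfg` intends. The claim itself matches the `awx-projects-volume` storage class declared in `pv.yaml`.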
--- /dev/null +++ b/roles/awx/templates/operator/kustomization.yaml @@ -0,0 +1,23 @@ +# {{ ansible_managed }} +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +# Le namespace pour l'installation d'AWX +namespace: {{ awx_namespace }} + +generatorOptions: + disableNameSuffixHash: true + +secretGenerator: + - name: redhat-operators-pull-secret + literals: + - operator=awx + +# Les tags possibles d'awx-operator sont ici : https://github.com/ansible/awx-operator/releases +resources: + - github.com/ansible/awx-operator/config/default?ref={{ awx_operator_version }} + +# Il faut mentionner la même version d'awx-operator qu'au dessus +images: + - name: quay.io/ansible/awx-operator + newTag: {{ awx_operator_version }} diff --git a/roles/requirements.yml b/roles/requirements.yml new file mode 100644 index 0000000..e9fa6ae --- /dev/null +++ b/roles/requirements.yml @@ -0,0 +1,14 @@ +### +# installer avec ansible-galaxy install -f -r roles/requirements.yml -p roles/ +# une exclusion doit être ajoutée au .gitignore pour chaque dependance +### +- name: rp_vhost + src: git+https://git.libretic.fr/libretic/ansible-role-rp_vhost.git + +- name: ansible-role-k3s + src: git+https://git.libretic.fr/libretic/ansible-role-k3s.git + version: v3.4.4 + +- name: ansible-role-apache + src: git+https://git.libretic.fr/libretic/ansible-role-apache.git + version: 4.0.0 \ No newline at end of file diff --git a/setup-env.yml b/setup-env.yml new file mode 100644 index 0000000..1be8cd7 --- /dev/null +++ b/setup-env.yml 
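Review bot: The `rp_vhost` entry in roles/requirements.yml has no `version:`, unlike `ansible-role-k3s` (`v3.4.4`) and `ansible-role-apache` (`4.0.0`), so `ansible-galaxy install -f` fetches whatever the default branch of `ansible-role-rp_vhost.git` holds at install time and two runs can deploy different reverse-proxy configuration. Pin it with `version: <tested tag>` (placeholder). The file also ends without a trailing newline, as the diff marker shows.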
@@ -0,0 +1,116 @@ +# code: language=ansible +- name: Setup ansible + hosts: ansible + tasks: + - name: Paquets prérequis + ansible.builtin.package: + name: + - python3-passlib # pour htpasswd + - direnv + - git + - unzip + + - name: Installation de novops - executable + ansible.builtin.unarchive: + src: https://github.com/PierreBeucher/novops/releases/download/v0.15.0/novops_linux_x86_64.zip + dest: /usr/local/bin + creates: /usr/local/bin/novops + remote_src: true + tags: novops + + - name: Installation de novops - chmod + ansible.builtin.file: + path: /usr/local/bin/novops + owner: root + group: root + mode: u=rwx,g=rx,o=rx + tags: novops + + - name: Installation de bw cli - executable + ansible.builtin.unarchive: + src: https://github.com/bitwarden/cli/releases/download/v1.22.1/bw-linux-1.22.1.zip + dest: /usr/local/bin + creates: /usr/local/bin/bw + remote_src: true + tags: bwcli + + - name: Installation de bw cli - chmod + ansible.builtin.file: + path: /usr/local/bin/bw + owner: root + group: root + mode: u=rwx,g=rx,o=rx + tags: bwcli + + +- name: Setup ressources + hosts: ressources + pre_tasks: + # Installation serveur de ressources apache + - name: Création du répertoire des ressources + ansible.builtin.file: + path: /data1/httpd/ansible + state: directory + owner: root + group: www-data + mode: u=rwx,g=rx,o= + tags: apache + + - name: Définition du compte de service de lecture des ressources + community.general.htpasswd: + path: /data1/httpd/ansible.htpasswd + name: "{{ lookup('env', 'AAP_RESSOURCES_USER') }}" + password: "{{ lookup('env', 'AAP_RESSOURCES_PASSWORD') }}" + owner: root + group: www-data + mode: u=rw,g=r,o= + tags: apache + + - name: Copie du certificat wildcard libretic + ansible.builtin.copy: + src: "/data1/httpd/ansible/libretic/cert/libretic.fr/cert1.pem" + dest: "/etc/ssl/certs/libretic.fr.crt" + remote_src: true + mode: u=rw,g=r,o= + tags: apache + + - name: Copie de la clé wildcard libretic + ansible.builtin.copy: + src: 
"/data1/httpd/ansible/libretic/cert/libretic.fr/privkey1.pem" + dest: "/etc/ssl/private/libretic.fr.key" + mode: u=rw,g=r,o= + remote_src: true + tags: apache + + roles: + - role: ansible-role-apache + tags: apache + + +- name: Setup rp pour ressources + hosts: rp_ressources + roles: + - role: rp_vhost + tags: rp_vhost_ressources + + +- name: Setup rp pour awx + hosts: rp_awx + roles: + - role: rp_vhost + tags: rp_vhost_awx + +- name: Setup k3s + hosts: awx + become: false + roles: + - role: ansible-role-k3s + tags: k3s + +- name: Setup awx + hosts: awx + vars_files: + - awx.yml + roles: + - role: awx + tags: awx diff --git a/vars/awx.yml b/vars/awx.yml new file mode 100644 index 0000000..6797d46 --- /dev/null +++ b/vars/awx.yml 
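Review bot: The novops and bw CLI binaries in the `Setup ansible` play are pulled straight from GitHub release zips by `ansible.builtin.unarchive` with `remote_src: true`, and nothing verifies what was downloaded before it lands root-owned in `/usr/local/bin`. `unarchive` has no checksum option, so fetch each archive first with `ansible.builtin.get_url` and a `checksum: sha256:...` value taken from the release page, then unarchive the local file; the versions in the URLs are already pinned, so the digests are stable. Since `novops load` is later `source`d by `.envrc` with the vault password and private key behind it, the integrity of that particular binary matters more than most.

```yaml
    - name: Installation de novops - téléchargement
      ansible.builtin.get_url:
        url: https://github.com/PierreBeucher/novops/releases/download/v0.15.0/novops_linux_x86_64.zip
        dest: /usr/local/src/novops_linux_x86_64.zip   # constructed path; adjust to taste
        checksum: "sha256:<expected digest from the release page>"   # placeholder
        mode: u=rw,g=r,o=
      tags: novops

    - name: Installation de novops - executable
      ansible.builtin.unarchive:
        src: /usr/local/src/novops_linux_x86_64.zip
        dest: /usr/local/bin
        creates: /usr/local/bin/novops
        remote_src: true
      tags: novops
    # … unchanged: chmod task; same download-then-unarchive pattern for bw cli …
```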
@@ -0,0 +1,63 @@ +# Credentials de connexion à awx +awx_controller_host: "{{ awx_url }}" # ici on prend l'url de l'environnement désigné +awx_controller_username: "{{ controller_username | default(lookup('env', 'TOWER_USERNAME')) }}" +awx_controller_password: "{{ controller_password | default(lookup('env', 'TOWER_PASSWORD')) }}" + +# Credentials git à définir dans awx +awx_git_credentials: + - name: "aap-git-token@git.libretic.fr" + username: "{{ lookup('env', 'GIT_TOKEN_NAME') }}" + password: "{{ lookup('env', 'GIT_TOKEN_SECRET') }}" + +# Credentials vault à définir dans awx +awx_vault_credentials: + - name: "aap_ansible_vault_password" + password: "{{ lookup('file', lookup('env', 'ANSIBLE_VAULT_PASSWORD_FILE')) }}" + +# Credentials ssh à définir dans awx +awx_machine_credentials: + - name: "aap_ansible_remote_user" + username: "{{ lookup('env', 'ANSIBLE_REMOTE_USER') }}" + ssh_key_data: "{{ lookup('file', lookup('env', 'ANSIBLE_PRIVATE_KEY_FILE')) }}" + +# Credentials ssh à définir dans awx +awx_organization: "Libretic" + +# Equipes qui doivent être créées dans AWX +awx_team_list: + - team: Libretic-Admins + organization: Libretic + +# Roles à donner : lire : "team" peut "role" sur "organization" +awx_team_roles_list: + - team: Libretic-Admins + role: read + organization: Libretic + - team: Libretic-Admins + role: execute + organization: Libretic + - team: Libretic-Admins + role: approval + organization: Libretic + - team: Libretic-Admins + role: auditor + organization: Libretic + +# pour connexion au serveur de ressources +awx_aap_ressources_credential_name: aap_ressources +awx_aap_ressources_url: "{{ lookup('env', 'AAP_RESSOURCES_URL') }}" +awx_aap_ressources_username: "{{ lookup('env', 'AAP_RESSOURCES_USER') }}" +awx_aap_ressources_password: "{{ lookup('env', 'AAP_RESSOURCES_PASSWORD') }}" + +# Quel environnement d'exécution utiliser +awx_ee: "AWX EE (latest)" + + +##### +# Pour la mise en place du projet dans awx +##### +awx_git_credential_name: 
"aap-git-token@git.libretic.fr" +awx_vault_credential_name: "aap_ansible_vault_password" +awx_machine_credential_name: "aap_ansible_remote_user" +awx_project_name: libretic-aap +awx_project_url: https://git.libretic.fr/libretic/ansible-libretic-aap.git
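Review bot: The comment `# Credentials ssh à définir dans awx` above `awx_organization: "Libretic"` is a copy of the one above `awx_machine_credentials` and does not describe the variable; `# Organisation AWX dans laquelle les objets sont créés` would. The credential names are spelled out twice — `aap-git-token@git.libretic.fr`, `aap_ansible_vault_password` and `aap_ansible_remote_user` appear in the `awx_*_credentials` lists and again as `awx_*_credential_name` — so renaming one side silently breaks the job template; deriving them, e.g. `awx_git_credential_name: "{{ awx_git_credentials[0].name }}"`, keeps them in step. `lookup('file', lookup('env', 'ANSIBLE_VAULT_PASSWORD_FILE'))` and the matching private-key lookup fail with an opaque error when the environment variable is unset (i.e. when `novops load` did not run); an explicit assert like the one `configure-awx.yml` already has for `awx_custom_settings` would make that failure readable.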