add ansible ci pipeline

soerenschneider · soerenschneider · commit 0b1c895d56b6 · 2025-01-02T21:11:06.000+01:00
diff --git a/clusters/common/cicd/ansible/ansible.cfg b/clusters/common/cicd/ansible/ansible.cfg
@@ -0,0 +1,5 @@
+[defaults]
+vars_plugins_enabled = host_group_vars,community.sops.sops
+pipelining = True
+roles_path = /workspace/source/ansible/roles
+executable = /bin/bash
diff --git a/clusters/common/cicd/ansible/external-secret-github-ssh.yaml b/clusters/common/cicd/ansible/external-secret-github-ssh.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: "github-ssh"
+spec:
+  refreshInterval: 12h
+  secretStoreRef:
+    name: "vault"
+    kind: "ClusterSecretStore"
+  target:
+    name: "github-ssh"
+    creationPolicy: "Owner"
+  data:
+    - secretKey: "id_rsa" # NOTE: Make sure the private key has a newline at the end: https://github.com/tektoncd/catalog/issues/1220
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/cicd-ansible/github-ssh"
+        property: "id_rsa"
+    - secretKey: "known_hosts"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/cicd-ansible/github-ssh"
+        property: "known_hosts"
diff --git a/clusters/common/cicd/ansible/known_hosts b/clusters/common/cicd/ansible/known_hosts
@@ -0,0 +1,3 @@
+@cert-authority *.soeren.cloud  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3gtj+hdYmrOlHd3CEbk9GWkgE/wVvub2jBTCCX7OWEQAtl6y8g24v45h/sWpOd3jteb7Wi6iZzw5j0GSxzshcdfzgZX1HrOk0f8hE5RDjmpdEPHMOHKZIqjLKhf3cI5ugZ8gxI9Jlou/DBJIHkSPT55Ybo8nr/TzyfnsejynEU7Y9g2krz4zKQHuVNndn9iRQlCTj3kGKz39/QZVsyb3qAUEhLenAn/1dulfHXe+GgN3mHCq6iuYX6JYLXKA5GPUtpf6hEiEOqcrEqMaERgDtCr43SnbNrq88k/1GZk+D3MhTGFo9Z+SXyLvb14Kdb2aeKGWLhJ0lV/SzqiTpK2sgiexX5PSDqlwcGQ7w1XS3n5uRIKXfvkhue00PYBNczKFTeq6eqtTmTKlpY9vFUDkKdLGvP5XOcdVIjvJ1MMHZOblieoFkz6jMnlDV88WIYwRuT+sQgcow98gUI9plriPhBZx0Gg9zPIsO9GD3xQZ403Zaaf1CzbsgkWA2+2DfrwERLlq6ReA3zpz8cZR5pcbCzrAVrh+Y1TlzrpAcV1JBUFqyRZHp12zl79guqVolcE6kjnAR3aDlWBUCzG0+46abNMP14DdqaDNIPcqm/TwYtl8NFBNqlElXvzVa/Uy5CDQhZHg0800VdADetP38mIFKHT0A4czffZ3SDr2NER5xSw==
+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
diff --git a/clusters/common/cicd/ansible/kustomization.yaml b/clusters/common/cicd/ansible/kustomization.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../../cicd/ansible
+  - external-secret-github-ssh.yaml
+configMapGenerator:
+  - name: ansible-config
+    options:
+      disableNameSuffixHash: true
+    files:
+      - ansible.cfg
+  - name: ssh-config
+    options:
+      disableNameSuffixHash: true
+    files:
+      - known_hosts
diff --git a/clusters/common/cicd/ansible/tekton-pipelinerun.yaml b/clusters/common/cicd/ansible/tekton-pipelinerun.yaml
@@ -0,0 +1,54 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  generateName: "ansible-"
+spec:
+  pipelineRef:
+    name: ansible
+  taskRunTemplate:
+    serviceAccountName: ansible
+    podTemplate:
+      securityContext:
+        runAsUser: 12563
+        runAsGroup: 12563
+        fsGroup: 12563
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
+  workspaces:
+    - name: "ssh-creds"
+      secret:
+        secretName: github-ssh
+    - name: "ansible-config"
+      configMap:
+        name: "ansible-config"
+    - name: "ansible-ssh-config"
+      configMap:
+        name: "ssh-config"
+    - name: shared-data
+      volumeClaimTemplate:
+        spec:
+          accessModes:
+            - ReadWriteOnce
+          storageClassName: openebs-hostpath
+          resources:
+            requests:
+              storage: 1Gi
+  params:
+    - name: "ansible-repo-clone-url"
+      value: "https://github.com/soerenschneider/ansible.git"
+    - name: "ansible-inventory-repo-clone-url"
+      value: "git@github.com:soerenschneider/ansible-inventory-prod.git"
+    - name: "vault-address"
+      value: "https://vault.ha.soeren.cloud"
+    - name: "vault-ssh-role"
+      value: "user"
+    - name: "vault-ssh-mount"
+      value: "ssh/clients"
+    - name: "vault-kubernetes-auth-role"
+      value: "cicd-ansible"
+    - name: "vault-kubernetes-auth-mount"
+      value: "svc.ez.soeren.cloud"
+    - name: "playbook"
+      value: "jukebox/playbook.yml"
diff --git a/clusters/common/cicd/github-releases/kustomization.yaml b/clusters/common/cicd/github-releases/kustomization.yaml
@@ -3,5 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: cicd
 resources:
-  - ../../../cicd/github-release
+  - ../../../../cicd/github-release
   - namespace.yaml

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+@cert-authority *.soeren.cloud ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3gtj+hdYmrOlHd3CEbk9GWkgE/wVvub2jBTCCX7OWEQAtl6y8g24v45h/sWpOd3jteb7Wi6iZzw5j0GSxzshcdfzgZX1HrOk0f8hE5RDjmpdEPHMOHKZIqjLKhf3cI5ugZ8gxI9Jlou/DBJIHkSPT55Ybo8nr/TzyfnsejynEU7Y9g2krz4zKQHuVNndn9iRQlCTj3kGKz39/QZVsyb3qAUEhLenAn/1dulfHXe+GgN3mHCq6iuYX6JYLXKA5GPUtpf6hEiEOqcrEqMaERgDtCr43SnbNrq88k/1GZk+D3MhTGFo9Z+SXyLvb14Kdb2aeKGWLhJ0lV/SzqiTpK2sgiexX5PSDqlwcGQ7w1XS3n5uRIKXfvkhue00PYBNczKFTeq6eqtTmTKlpY9vFUDkKdLGvP5XOcdVIjvJ1MMHZOblieoFkz6jMnlDV88WIYwRuT+sQgcow98gUI9plriPhBZx0Gg9zPIsO9GD3xQZ403Zaaf1CzbsgkWA2+2DfrwERLlq6ReA3zpz8cZR5pcbCzrAVrh+Y1TlzrpAcV1JBUFqyRZHp12zl79guqVolcE6kjnAR3aDlWBUCzG0+46abNMP14DdqaDNIPcqm/TwYtl8NFBNqlElXvzVa/Uy5CDQhZHg0800VdADetP38mIFKHT0A4czffZ3SDr2NER5xSw==
	`2`	`+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=`
	`3`	`+gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf`