update ci pipeline for ansible

soerenschneider · soerenschneider · commit f1647303299a · 2025-01-02T21:10:07.000+01:00
diff --git a/cicd/ansible/kustomization.yaml b/cicd/ansible/kustomization.yaml
@@ -4,9 +4,10 @@ kind: Kustomization
 namespace: "cicd-ansible"
 resources:
   - https://api.hub.tekton.dev/v1/resource/tekton/task/git-clone/0.9/raw
-  - task-ssh-key-generate.yaml
-  - task-ssh-key-sign.yaml
-  - task-ansible-run-playbook.yaml
-  - pipeline.yaml
   - namespace.yaml
   - rbac.yaml
+  - tekton-task-vault-login.yaml
+  - tekton-task-ssh-key-generate.yaml
+  - tekton-task-ssh-key-sign.yaml
+  - tekton-task-ansible-run-playbook.yaml
+  - tekton-pipeline.yaml
diff --git a/cicd/ansible/task-ansible-run-playbook.yaml b/cicd/ansible/task-ansible-run-playbook.yaml
diff --git a/cicd/ansible/task-ssh-key-generate.yaml b/cicd/ansible/task-ssh-key-generate.yaml
diff --git a/cicd/ansible/tekton-pipeline.yaml b/cicd/ansible/tekton-pipeline.yaml
@@ -4,7 +4,9 @@ kind: Pipeline
 metadata:
   name: "ansible"
 spec:
-  description: "This pipeline clones a github repo, builds it and uploads assets."
+  description: |
+    Clones Ansible playbooks, roles and inventory repositories, authenticates against Vault, generates SSH
+    key pair, signs them and finally runs Ansible playbooks.
   params:
     - name: "ansible-repo-clone-url"
       type: "string"
@@ -30,12 +32,27 @@ spec:
     - description: "Vault Kubernetes auth mount"
       name: "vault-kubernetes-auth-mount"
       type: "string"
+    - description: "The playbook to run"
+      name: "playbook"
+      type: "string"
   workspaces:
     - name: "shared-data"
       description: "This workspace contains the cloned repo files, so they can be read by the next task."
     - name: "ssh-creds"
       description: "Workspace containing the SSH keys to clone from GitHub"
+    - name: "ansible-config"
+    - name: "ansible-ssh-config"
   tasks:
+    - name: "vault-login"
+      taskRef:
+        name: "vault-login"
+      params:
+        - name: "vault-address"
+          value: $(params.vault-address)
+        - name: "auth-role"
+          value: $(params.vault-kubernetes-auth-role)
+        - name: "auth-mount"
+          value: $(params.vault-kubernetes-auth-mount)
     - name: "git-clone-ansible"
       taskRef:
         name: "git-clone"
@@ -80,20 +97,27 @@ spec:
       params:
         - name: "vault-address"
           value: $(params.vault-address)
+        - name: "vault-token"
+          value: $(tasks.vault-login.results.vault_token)
         - name: "vault-ssh-role"
           value: $(params.vault-ssh-role)
         - name: "vault-ssh-mount"
           value: $(params.vault-ssh-mount)
-        - name: "vault-kubernetes-auth-role"
-          value: $(params.vault-kubernetes-auth-role)
-        - name: "vault-kubernetes-auth-mount"
-          value: $(params.vault-kubernetes-auth-mount)
     - name: "ansible-run-playbook"
-      runAfter: ["git-clone-ansible", "git-clone-ansible-inventory", "ssh-key-sign"]
+      runAfter: ["vault-login", "git-clone-ansible", "git-clone-ansible-inventory", "ssh-key-sign"]
       taskRef:
         name: "ansible-run-playbook"
       workspaces:
         - name: "source"
           workspace: "shared-data"
         - name: "keypair"
           workspace: "shared-data"
+        - name: "ansible-config"
+          workspace: "ansible-config"
+        - name: "ansible-ssh-config"
+          workspace: "ansible-ssh-config"
+      params:
+        - name: "vault-token"
+          value: $(tasks.vault-login.results.vault_token)
+        - name: "playbook"
+          value: $(params.playbook)
diff --git a/cicd/ansible/tekton-task-ansible-run-playbook.yaml b/cicd/ansible/tekton-task-ansible-run-playbook.yaml
@@ -0,0 +1,46 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: "ansible-run-playbook"
+spec:
+  description: "Runs an Ansible playbook"
+  workspaces:
+    - name: "source"
+    - name: "keypair"
+    - name: "ansible-config"
+      mountPath: "/etc/ansible"
+    - name: "ansible-ssh-config"
+  params:
+    - name: "vault-token"
+      description: "Vault token to use for KMS decryption of SOPS secrets"
+      type: "string"
+      default: ""
+    - name: "playbook"
+      description: "Path of playbook to run"
+      type: "string"
+    - name: "tags"
+      description: "Run only tasks with the given tags"
+      type: "string"
+      default: "all"
+    - name: "skip-tags"
+      description: "Run only tasks that don't contain the given tags"
+      type: "string"
+      default: ""
+  steps:
+    - name: "ansible"
+      image: "cr.svc.ez.soeren.cloud/ansible"
+      imagePullPolicy: "IfNotPresent"
+      env:
+        - name: "VAULT_TOKEN"
+          value: $(params.vault-token)
+        - name: "ANSIBLE_INVENTORY"
+          value: $(workspaces.source.path)/inventory/inventory.yml
+      script: |
+        set -e
+        if [ "$(workspaces.ansible-ssh-config.bound)" == "true" ] ; then
+          mkdir /home/ansible/.ssh
+          cp -v $(workspaces.ansible-ssh-config.path)/* /home/ansible/.ssh/
+        fi
+
+        ansible-playbook --tags=$(params.tags) --skip-tags=$(params.skip-tags) -e ansible_ssh_private_key_file=$(workspaces.keypair.path)/key $(workspaces.source.path)/ansible/playbooks/$(params.playbook)
diff --git a/cicd/ansible/tekton-task-ssh-key-generate.yaml b/cicd/ansible/tekton-task-ssh-key-generate.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: "ssh-key-generate"
+spec:
+  description: "Generates a ssh public key pair"
+  workspaces:
+    - name: "keypair"
+  params:
+    - name: "key-type"
+      description: "The type of the SSH key"
+      type: "string"
+      default: "ed25519"
+  steps:
+    - name: "generate-ssh-key"
+      image: "cr.svc.ez.soeren.cloud/ansible"
+      imagePullPolicy: IfNotPresent
+      env:
+        - name: "HOME"
+          value: "/tmp"
+      script: |-
+        ssh-keygen -t $(params.key-type) -f $(workspaces.keypair.path)/key -N ""
diff --git a/cicd/ansible/tekton-task-ssh-key-sign.yaml b/cicd/ansible/tekton-task-ssh-key-sign.yaml
@@ -11,33 +11,47 @@ spec:
     - description: "Endpoint of Vault API"
       name: "vault-address"
       type: "string"
+    - name: "vault-token"
+      type: string
+      default: ""
+      description: "The Vault token"
     - description: "Vault SSH role"
       name: "vault-ssh-role"
       type: "string"
     - description: "Vault SSH mount"
       name: "vault-ssh-mount"
       type: "string"
       default: "ssh"
+    - name: "vault-ssh-ttl"
+      description: "Desired TTL of the Vault signature"
+      type: "string"
+      default: "30m"
     - description: "Vault Kubernetes auth role"
       name: "vault-kubernetes-auth-role"
       type: "string"
+      default: ""
     - description: "Vault Kubernetes auth mount"
       name: "vault-kubernetes-auth-mount"
       type: "string"
       default: "kubernetes"
   steps:
     - name: "sign-ssh-key"
-      image: "ghcr.io/soerenschneider/vault-ssh-cli:1.9.1"
-      imagePullPolicy: IfNotPresent
+      image: "cr.svc.ez.soeren.cloud/vault-ssh-cli"
+      #image: "ghcr.io/soerenschneider/vault-ssh-cli:1.9.1"
+      imagePullPolicy: Always
       env:
         - name: "HOME"
           value: "/tmp"
+        - name: "VAULT_TOKEN"
+          value: $(params.vault-token)
       args:
         - "--vault-address=$(params.vault-address)"
+        - "--vault-auth-token=$(params.vault-token)"
         - "sign-user-key"
         - "--pub-key-file=$(workspaces.keypair.path)/key.pub"
         - "--signed-key-file=$(workspaces.keypair.path)/key-cert.pub"
         - "--vault-ssh-role=$(params.vault-ssh-role)"
         - "--vault-ssh-mount=$(params.vault-ssh-mount)"
-        - "--vault-auth-kubernetes-role=$(params.vault-kubernetes-auth-role)"
-        - "--vault-auth-kubernetes-mount=$(params.vault-kubernetes-auth-mount)"
+        - "--ttl=$(params.vault-ssh-ttl)"
+#        - "--vault-auth-kubernetes-role=$(params.vault-kubernetes-auth-role)"
+#        - "--vault-auth-kubernetes-mount=$(params.vault-kubernetes-auth-mount)"
diff --git a/cicd/ansible/tekton-task-vault-login.yaml b/cicd/ansible/tekton-task-vault-login.yaml
@@ -0,0 +1,45 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: "vault-login"
+spec:
+  description: "Authenticates against Vault and saves the Vault token"
+  params:
+    - description: "Endpoint of Vault API"
+      name: "vault-address"
+      type: "string"
+    - description: "Method of Vault authentication"
+      name: "auth-method"
+      type: "string"
+      default: "kubernetes"
+    - description: "Mount point of Vault authentication method"
+      name: "auth-mount"
+      type: "string"
+      default: "kubernetes"
+    - description: "Mount point of Vault authentication method"
+      name: "auth-role"
+      type: "string"
+  results:
+    - description: "Vault token"
+      name: "vault_token"
+      type: "string"
+  steps:
+    - name: "vault-login"
+      image: "cr.svc.ez.soeren.cloud/vault-login"
+      imagePullPolicy: Always
+      env:
+        - name: "HOME"
+          value: "/tmp"
+        - name: "VAULT_ADDR"
+          value: $(params.vault-address)
+        - name: "VAULT_AUTH_TYPE"
+          value: $(params.auth-method)
+        - name: "VAULT_AUTH_MOUNT"
+          value: $(params.auth-mount)
+        - name: "VAULT_AUTH_ROLE"
+          value: $(params.auth-role)
+        - name: "VAULT_AUTH_OUTPUT_TYPE"
+          value: "file"
+        - name: "VAULT_AUTH_OUTPUT_SECRET_NAME"
+          value: $(results.vault_token.path)
diff --git a/clusters/common/cicd/github-releases/kustomization.yaml b/clusters/common/cicd/github-releases/kustomization.yaml
@@ -4,5 +4,4 @@ kind: Kustomization
 namespace: cicd
 resources:
   - ../../../cicd/github-release
-  - external-secret-github.yaml
   - namespace.yaml
diff --git a/clusters/common/cicd/github-releases/namespace.yaml b/clusters/common/cicd/github-releases/namespace.yaml
