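---
# Renders the init data TOML from a template, gzips it, computes the expected
# PCR8 value for it, and publishes both in the `initdata` ConfigMap.
# Runs entirely on the controller (localhost) and needs `gzip`, `sha256sum`
# and `xxd` on PATH there.
- name: Gzip initdata and register init data
  hosts: localhost
  connection: local
  become: false
  gather_facts: false
  vars:
    # Empty string when KUBECONFIG is unset; the tasks below pass it through
    # `default(omit, true)` so an empty value is omitted instead of handed to
    # kubernetes.core as "".
    kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
    # The next three are not referenced in this play; presumably consumed by
    # template_src — verify against the template before removing.
    cluster_platform: "{{ global.clusterPlatform | default('none') | lower }}"
    hub_domain: "{{ global.hubClusterDomain | default('none') | lower }}"
    security_policy_flavour: "{{ global.coco.securityPolicyFlavour | default('insecure') }}"
    template_src: "initdata-default.toml.tpl"
    # Secret holding the KBS (Trustee) TLS certificate that is embedded in the
    # rendered init data.
    kbs_secret_name: "kbs-tls-self-signed"
    kbs_secret_namespace: "imperative"
  tasks:
    - name: Create temporary working directory
      ansible.builtin.tempfile:
        state: directory
        suffix: initdata
      register: tmpdir

    - name: Render, measure and publish init data
      block:
        - name: Read KBS TLS secret from Kubernetes
          kubernetes.core.k8s_info:
            kubeconfig: "{{ kubeconfig | default(omit, true) }}"
            api_version: v1
            kind: Secret
            name: "{{ kbs_secret_name }}"
            namespace: "{{ kbs_secret_namespace }}"
          register: kbs_secret_result

        # Fail before touching resources[0]: an empty result or a secret
        # without a tls.crt key would otherwise surface as a template error.
        - name: Fail if certificate not found
          ansible.builtin.fail:
            msg: "KBS TLS certificate not found in secret '{{ kbs_secret_name }}' in namespace '{{ kbs_secret_namespace }}'"
          when: >-
            kbs_secret_result.resources | length == 0
            or 'tls.crt' not in (kbs_secret_result.resources[0].data | default({}))

        - name: Extract and decode certificate from secret
          ansible.builtin.set_fact:
            trustee_cert: "{{ kbs_secret_result.resources[0].data['tls.crt'] | b64decode }}"

        - name: Define temp file paths
          ansible.builtin.set_fact:
            rendered_path: "{{ tmpdir.path }}/rendered.toml"
            gz_path: "{{ tmpdir.path }}/rendered.toml.gz"

        - name: Render template to temp file
          ansible.builtin.template:
            src: "{{ template_src }}"
            dest: "{{ rendered_path }}"
            mode: "0600"

        # umask 077 gives the gzip the same 0600 mode as the rendered file
        # instead of whatever the controller's default umask produces.
        - name: Gzip the rendered content
          ansible.builtin.shell: |
            set -euo pipefail
            umask 077
            gzip -c "{{ rendered_path }}" > "{{ gz_path }}"
          args:
            executable: /bin/bash
          changed_when: true

        - name: Read gzip as base64
          ansible.builtin.slurp:
            path: "{{ gz_path }}"
          register: gz_slurped

        # Expected PCR8 after a single SHA-256 extend over an all-zero register:
        #   PCR8 = sha256( 32 zero bytes || sha256(rendered init data) )
        # The measured artifact is the plaintext TOML this play rendered
        # (nothing here writes an `initdata.toml`) — confirm against the
        # attestation policy if the guest measures something else.
        # `register: pcr8_hash` captures the command's stdout, i.e. the value
        # printed by the final echo, as pcr8_hash.stdout — not an env var.
        - name: Register init data pcr into a var
          ansible.builtin.shell: |
            set -euo pipefail
            hash=$(sha256sum "{{ rendered_path }}" | cut -d' ' -f1)
            # A missing file or truncated output would otherwise yield a wrong
            # PCR without any error; sha256 hex is always 64 characters.
            [ "${#hash}" -eq 64 ] || { echo "unexpected digest: '$hash'" >&2; exit 1; }
            # SHA-256 PCR banks start at 32 zero bytes = 64 hex digits; the hex
            # string fed to xxd -r -p must have an even number of digits.
            initial_pcr=$(printf '%064d' 0)
            pcr8=$(printf '%s%s' "$initial_pcr" "$hash" | xxd -r -p | sha256sum | cut -d' ' -f1)
            echo "$pcr8"
          args:
            executable: /bin/bash
          changed_when: false
          register: pcr8_hash

        - name: Create/update ConfigMap with gzipped+base64 content
          kubernetes.core.k8s:
            kubeconfig: "{{ kubeconfig | default(omit, true) }}"
            state: present
            definition:
              apiVersion: v1
              kind: ConfigMap
              metadata:
                name: "initdata"
                namespace: "imperative"
              data:
                # slurp already returns base64, so this is base64(gzip(toml)).
                INITDATA: "{{ gz_slurped.content }}"
                PCR8_HASH: "{{ pcr8_hash.stdout }}"
      always:
        # The rendered TOML and its gzip are only needed for this run.
        - name: Remove temporary working directory
          ansible.builtin.file:
            path: "{{ tmpdir.path }}"
            state: absent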