Mohammed Naserb7b97d62022-03-12 16:30:00 -05001# Copyright (c) 2022 VEXXHOST, Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License"); you may
4# not use this file except in compliance with the License. You may obtain
5# a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12# License for the specific language governing permissions and limitations
13# under the License.
14
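- name: Wait until Keycloak service is ready
  kubernetes.core.k8s_info:
    api_version: apps/v1
    kind: StatefulSet
    name: keycloak
    namespace: auth-system
  register: kube_prometheus_stack_keycloak_service
  retries: 120
  delay: 5
  # Retry until the StatefulSet exists and every desired replica reports ready.
  # The list is evaluated in order and short-circuits, so the guards protect the
  # later lookups: `resources` is empty while the StatefulSet does not exist yet,
  # and Kubernetes omits `status.readyReplicas` while it is zero, which would
  # otherwise abort the wait with an undefined-attribute error instead of retrying.
  until:
    - kube_prometheus_stack_keycloak_service.resources | length > 0
    - kube_prometheus_stack_keycloak_service.resources[0].status.replicas | default(0) | int > 0
    - >-
      kube_prometheus_stack_keycloak_service.resources[0].status.replicas
      == (kube_prometheus_stack_keycloak_service.resources[0].status.readyReplicas | default(0))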
26
- name: Create Keycloak realm
  community.general.keycloak_realm:
    # Admin API connection; certificate verification is only skipped for the
    # self-signed cluster issuer.
    auth_keycloak_url: '{{ kube_prometheus_stack_keycloak_server_url }}'
    auth_realm: '{{ kube_prometheus_stack_keycloak_admin_realm_name }}'
    auth_client_id: '{{ kube_prometheus_stack_keycloak_admin_client_id }}'
    auth_username: '{{ kube_prometheus_stack_keycloak_admin_user }}'
    auth_password: '{{ kube_prometheus_stack_keycloak_admin_password }}'
    validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
    # Realm definition; id and realm name are the same value.
    id: '{{ kube_prometheus_stack_keycloak_realm }}'
    realm: '{{ kube_prometheus_stack_keycloak_realm }}'
    display_name: '{{ kube_prometheus_stack_keycloak_realm_name }}'
    enabled: true
  # Admin credentials are passed as module arguments, so task output is suppressed.
  no_log: true
  run_once: true
  # Reported as unchanged on every run, like the other Keycloak tasks in this file.
  changed_when: false
44
- name: Add client roles in "id_token"
  community.general.keycloak_clientscope:
    # Admin API connection; certificate verification is only skipped for the
    # self-signed cluster issuer.
    auth_keycloak_url: '{{ kube_prometheus_stack_keycloak_server_url }}'
    auth_realm: '{{ kube_prometheus_stack_keycloak_admin_realm_name }}'
    auth_client_id: '{{ kube_prometheus_stack_keycloak_admin_client_id }}'
    auth_username: '{{ kube_prometheus_stack_keycloak_admin_user }}'
    auth_password: '{{ kube_prometheus_stack_keycloak_admin_password }}'
    validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
    # The realm's built-in "roles" client scope, extended with one mapper that
    # places client roles under `resource_access.<client>.roles` in both the
    # access token and the id token.
    realm: '{{ kube_prometheus_stack_keycloak_realm }}'
    name: roles
    protocol_mappers:
      - name: client roles
        protocol: openid-connect
        protocolMapper: oidc-usermodel-client-role-mapper
        config:
          claim.name: 'resource_access.${client_id}.roles'
          access.token.claim: true
          id.token.claim: true
          multivalued: true
  # Admin credentials are passed as module arguments, so task output is suppressed.
  no_log: true
  run_once: true
  changed_when: false
69
# Read the etcd CA from the control-plane PKI directory on one host; slurp
# returns the contents base64-encoded.
- name: Retrieve "etcd" CA certificate
  ansible.builtin.slurp:
    src: /etc/kubernetes/pki/etcd/ca.crt
  register: _etcd_ca_crt
  run_once: true
75
# Read the etcd healthcheck client certificate on one host; slurp returns the
# contents base64-encoded.
- name: Retrieve "etcd" client certificate
  ansible.builtin.slurp:
    src: /etc/kubernetes/pki/etcd/healthcheck-client.crt
  register: _etcd_healthcheck_client_crt
  run_once: true
81
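# Read the etcd healthcheck client private key on one host; slurp returns the
# contents base64-encoded.
- name: Retrieve "etcd" client key
  run_once: true
  # The registered result holds the private key, which would otherwise be
  # printed in verbose task output; suppress it like the other secret-bearing
  # tasks in this file.
  no_log: true
  ansible.builtin.slurp:
    src: /etc/kubernetes/pki/etcd/healthcheck-client.key
  register: _etcd_healthcheck_client_key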
87
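- name: Create secrets for monitoring
  run_once: true
  # The definition embeds the etcd client private key; keep it out of task output.
  no_log: true
  kubernetes.core.k8s:
    state: present
    definition:
      - apiVersion: v1
        kind: Namespace
        metadata:
          name: "{{ kube_prometheus_stack_helm_release_namespace }}"

      - apiVersion: v1
        kind: Secret
        metadata:
          name: kube-prometheus-stack-etcd-client-cert
          # Same namespace as the Namespace object above; this was hard-coded
          # to "monitoring", which silently diverges when the release namespace
          # is overridden and then lands the Secret in a namespace that may not exist.
          namespace: "{{ kube_prometheus_stack_helm_release_namespace }}"
        # slurp output is already base64-encoded, which is what `data` expects.
        data:
          ca.crt: "{{ _etcd_ca_crt.content }}"
          healthcheck-client.crt: "{{ _etcd_healthcheck_client_crt.content }}"
          healthcheck-client.key: "{{ _etcd_healthcheck_client_key.content }}"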
107
# One secretgen Password per configured Keycloak client; the controller writes
# the generated value into a Secret of the same name, which is read back below.
- name: Generate client secret passwords
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: secretgen.k14s.io/v1alpha1
      kind: Password
      metadata:
        name: '{{ kube_prometheus_stack_helm_release_name }}-{{ item.id }}-client-secret'
        namespace: '{{ kube_prometheus_stack_helm_release_namespace }}'
      spec:
        length: 64
    # Block until the controller has reconciled the resource.
    wait: true
    wait_timeout: 60
    wait_condition:
      type: ReconcileSucceeded
      status: true
  register: kube_prometheus_stack_client_secret_passwords
  loop: '{{ kube_prometheus_stack_keycloak_clients }}'
  loop_control:
    label: '{{ item.id }}'
  run_once: true
129
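# Fetch the Secret produced for each Password above; `password` is the result
# entry of that loop, so `password.result` is the created Password object.
- name: Collect all client secrets
  run_once: true
  # The registered result carries every client secret (base64 `data.password`),
  # so suppress task output like the other secret-bearing tasks in this file.
  no_log: true
  kubernetes.core.k8s_info:
    kind: Secret
    namespace: "{{ kube_prometheus_stack_helm_release_namespace }}"
    name: "{{ password.result.metadata.name }}"
  register: kube_prometheus_stack_client_secrets
  loop: "{{ kube_prometheus_stack_client_secret_passwords.results }}"
  loop_control:
    label: "{{ password.item.id }}"
    loop_var: password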
141
- name: Create Keycloak clients
  community.general.keycloak_client:
    # Admin API connection; certificate verification is only skipped for the
    # self-signed cluster issuer.
    auth_keycloak_url: '{{ kube_prometheus_stack_keycloak_server_url }}'
    auth_realm: '{{ kube_prometheus_stack_keycloak_admin_realm_name }}'
    auth_client_id: '{{ kube_prometheus_stack_keycloak_admin_client_id }}'
    auth_username: '{{ kube_prometheus_stack_keycloak_admin_user }}'
    auth_password: '{{ kube_prometheus_stack_keycloak_admin_password }}'
    validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
    # One client per entry of kube_prometheus_stack_keycloak_clients; `secret`
    # is the collected Secret for that client, and `secret.password.item` is the
    # original client definition. The client secret is the generated password.
    realm: '{{ kube_prometheus_stack_keycloak_realm }}'
    client_id: '{{ secret.password.item.id }}'
    secret: '{{ secret.resources[0].data.password | b64decode }}'
    redirect_uris: '{{ secret.password.item.redirect_uris }}'
    protocol_mappers:
      # Add the client's own id to the access token `aud` claim.
      - name: 'aud-mapper-{{ secret.password.item.id }}'
        protocol: openid-connect
        protocolMapper: oidc-audience-mapper
        config:
          included.client.audience: '{{ secret.password.item.id }}'
          access.token.claim: true
  loop: '{{ kube_prometheus_stack_client_secrets.results }}'
  loop_control:
    loop_var: secret
    label: '{{ secret.password.item.id }}'
  # Admin credentials and the client secret are module arguments, so task
  # output is suppressed.
  no_log: true
  run_once: true
170
# One client role per (client, role) pair; `subelements('roles')` yields the
# client definition as item.0 and the role name as item.1.
- name: Create Keycloak roles
  community.general.keycloak_role:
    # Admin API connection; certificate verification is only skipped for the
    # self-signed cluster issuer.
    auth_keycloak_url: '{{ kube_prometheus_stack_keycloak_server_url }}'
    auth_realm: '{{ kube_prometheus_stack_keycloak_admin_realm_name }}'
    auth_client_id: '{{ kube_prometheus_stack_keycloak_admin_client_id }}'
    auth_username: '{{ kube_prometheus_stack_keycloak_admin_user }}'
    auth_password: '{{ kube_prometheus_stack_keycloak_admin_password }}'
    validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
    # Role scoped to the client, not a realm role.
    realm: '{{ kube_prometheus_stack_keycloak_realm }}'
    client_id: '{{ item.0.id }}'
    name: '{{ item.1 }}'
  loop: "{{ kube_prometheus_stack_keycloak_clients | subelements('roles') }}"
  loop_control:
    label: '{{ item.0.id }}-{{ item.1 }}'
  no_log: true
  run_once: true
189
# A secretgen Password for the oauth2-proxy cookie secret, only for clients
# that have `oauth2_proxy: true`.
- name: Generate cookie secrets
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: secretgen.k14s.io/v1alpha1
      kind: Password
      metadata:
        name: '{{ kube_prometheus_stack_helm_release_name }}-{{ item.id }}-cookie-secret'
        namespace: '{{ kube_prometheus_stack_helm_release_namespace }}'
      spec:
        length: 32
    # Block until the controller has reconciled the resource.
    wait: true
    wait_timeout: 60
    wait_condition:
      type: ReconcileSucceeded
      status: true
  loop: "{{ kube_prometheus_stack_keycloak_clients | selectattr('oauth2_proxy', 'equalto', true) }}"
  loop_control:
    label: '{{ item.id }}'
  run_once: true
210
# Render the oauth2-proxy environment for each client with `oauth2_proxy: true`
# as a SecretTemplate, so the generated client and cookie secrets are pulled in
# by the controller rather than passing through Ansible.
- name: Generate OAuth2 proxy configuration
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: secretgen.carvel.dev/v1alpha1
      kind: SecretTemplate
      metadata:
        name: '{{ kube_prometheus_stack_helm_release_name }}-{{ item.id }}-oauth2-proxy'
        namespace: '{{ kube_prometheus_stack_helm_release_namespace }}'
      spec:
        # Secrets created by the two Password tasks above.
        inputResources:
          - name: client-secret
            ref:
              apiVersion: v1
              kind: Secret
              name: '{{ kube_prometheus_stack_helm_release_name }}-{{ item.id }}-client-secret'
          - name: cookie-secret
            ref:
              apiVersion: v1
              kind: Secret
              name: '{{ kube_prometheus_stack_helm_release_name }}-{{ item.id }}-cookie-secret'
        template:
          stringData:
            # Sidecar layout: proxy listens on 8081 and forwards to the
            # application on the same pod at item.port.
            OAUTH2_PROXY_UPSTREAMS: 'http://127.0.0.1:{{ item.port }}'
            OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:8081'
            OAUTH2_PROXY_METRICS_ADDRESS: '0.0.0.0:8082'
            # Any email domain may sign in; access is narrowed by
            # OAUTH2_PROXY_ALLOWED_ROLE below, which uses only the first
            # role of the client definition.
            OAUTH2_PROXY_EMAIL_DOMAINS: '*'
            OAUTH2_PROXY_REVERSE_PROXY: 'true'
            OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: 'true'
            # Upstream TLS verification is disabled only for the self-signed issuer.
            OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY: "{{ (cluster_issuer_type == 'self-signed') | string }}"
            OAUTH2_PROXY_PROVIDER: 'keycloak-oidc'
            OAUTH2_PROXY_CLIENT_ID: '{{ item.id }}'
            OAUTH2_PROXY_REDIRECT_URL: '{{ item.redirect_uris.0 }}'
            OAUTH2_PROXY_OIDC_ISSUER_URL: '{{ kube_prometheus_stack_keycloak_server_url }}/realms/{{ kube_prometheus_stack_keycloak_realm }}'
            OAUTH2_PROXY_ALLOWED_ROLE: '{{ item.id }}:{{ item.roles[0] }}'
            # PKCE with SHA-256 code challenge.
            OAUTH2_PROXY_CODE_CHALLENGE_METHOD: 'S256'
          data:
            # Expanded by the secretgen controller from the input resources.
            OAUTH2_PROXY_COOKIE_SECRET: '$(.cookie-secret.data.password)'
            OAUTH2_PROXY_CLIENT_SECRET: '$(.client-secret.data.password)'
    # Block until the controller has reconciled the resource.
    wait: true
    wait_timeout: 60
    wait_condition:
      type: ReconcileSucceeded
      status: true
  loop: "{{ kube_prometheus_stack_keycloak_clients | selectattr('oauth2_proxy', 'equalto', true) }}"
  loop_control:
    label: '{{ item.id }}'
  run_once: true
259
# A dedicated CA for kube-prometheus-stack: a self-signed CA certificate in the
# cert-manager namespace, exposed as a ClusterIssuer backed by its secret.
- name: Create certificate issuer
  kubernetes.core.k8s:
    state: present
    definition:
      - apiVersion: cert-manager.io/v1
        kind: Certificate
        metadata:
          name: kube-prometheus-stack-ca
          namespace: cert-manager
        spec:
          commonName: kube-prometheus-stack
          isCA: true
          # 10-year CA, renewed 30 days before expiry.
          duration: 87600h0m0s
          renewBefore: 720h0m0s
          issuerRef:
            group: cert-manager.io
            kind: ClusterIssuer
            name: self-signed
          # ECDSA P-256 key.
          privateKey:
            algorithm: ECDSA
            size: 256
          secretName: kube-prometheus-stack-ca

      - apiVersion: cert-manager.io/v1
        kind: ClusterIssuer
        metadata:
          name: kube-prometheus-stack
        spec:
          ca:
            secretName: kube-prometheus-stack-ca
290
# Apply every CRD shipped with the vendored chart in one server-side apply.
# The regex quotes bare `=` list items in the upstream CRD YAML (presumably so
# `from_yaml_all` accepts them); the files are concatenated with `cat`, so each
# must start its own document.
- name: Install all CRDs
  kubernetes.core.k8s:
    state: present
    definition: "{{ lookup('pipe', 'cat ' + role_path + '/../../charts/kube-prometheus-stack/charts/crds/crds/crd-*.yaml') | regex_replace('- =$', '- \"=\"', multiline=True) | from_yaml_all }}" # noqa: yaml[line-length]
    apply: true
    # Take ownership of conflicting fields under the "atmosphere" field manager.
    server_side_apply:
      field_manager: atmosphere
      force_conflicts: true
  tags:
    - kube-prometheus-stack-crds
  run_once: true
  changed_when: false
303
# Each entry renders configmap-dashboard.yaml.j2 for the named dashboard;
# `state` is per entry so a dashboard can be removed by switching it to absent.
- name: Deploy additional dashboards
  kubernetes.core.k8s:
    template: configmap-dashboard.yaml.j2
    state: '{{ item.state }}'
  loop:
    - name: goldpinger
      state: present
    - name: node-exporter-full
      state: present
    # Ceph dashboards
    - name: ceph-cluster
      state: present
    - name: ceph-cluster-advanced
      state: present
    - name: hosts-overview
      state: present
    - name: host-details
      state: present
    - name: pool-overview
      state: present
    - name: pool-detail
      state: present
    - name: osds-overview
      state: present
    - name: osd-device-details
      state: present
    - name: rbd-overview
      state: present
    - name: rbd-details
      state: present
  tags:
    - kube-prometheus-stack-dashboards
  run_once: true
336
Mohammed Naser273d3ca2023-01-29 22:28:54 +0000337- name: Deploy Helm chart
338 run_once: true
339 kubernetes.core.helm:
340 name: "{{ kube_prometheus_stack_helm_release_name }}"
341 chart_ref: "{{ kube_prometheus_stack_helm_chart_ref }}"
342 release_namespace: "{{ kube_prometheus_stack_helm_release_namespace }}"
343 create_namespace: true
Austin Talbot78a774a2024-09-25 10:15:36 -0600344 kubeconfig: "{{ kube_prometheus_stack_helm_kubeconfig }}"
Mohammed Naser273d3ca2023-01-29 22:28:54 +0000345 values: "{{ _kube_prometheus_stack_helm_values | combine(kube_prometheus_stack_helm_values, recursive=True) }}"