nicolas
/
rhacs-gitops
mirror of https://github.com/nmasse-itix/rhacs-gitops.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Deploy Red Hat ACS, the GitOps way!
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
1 Branch
0 Tags
31 KiB
 
 
Branch: main
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
rhacs-gitops/charts/rhacs/files/stackrox-configure-hook/configure.yaml

215 lines
6.4 KiB
Raw Permalink Blame History

- name: Configure RHACS
hosts: localhost
gather_facts: no
vars:
ansible_connection: local
acs_api: https://{{ central_hostname }}/v1
validate_certs: no
tasks:
- name: Get Stackrox central's Route
kubernetes.core.k8s_info:
api_version: route.openshift.io/v1
kind: Route
name: central
namespace: stackrox
register: central_route
failed_when: central_route.resources|length == 0
until: central_route is succeeded
retries: 60
delay: 5
- set_fact:
central_hostname: '{{ central_route.resources[0].spec.host }}:443'
- name: Get Stackrox central's admin password
kubernetes.core.k8s_info:
api_version: v1
kind: Secret
name: central-admin
namespace: stackrox
register: admin_secret
failed_when: admin_secret.resources|length == 0
until: admin_secret is succeeded
retries: 60
delay: 5
- set_fact:
central_admin_password: '{{ admin_secret.resources[0].data.password | b64decode }}'
- name: Check if jmespath is available locally
debug: msg={{ dummy|json_query('@') }}
register: check_jmespath
ignore_errors: yes
vars:
dummy: Hello World
- name: Ensure JMESPath is installed
assert:
that:
- 'check_jmespath is success'
msg: >
The JMESPath library is required by this playbook.
Please install the JMESPath library with 'pip install jmespath'.
- name: Wait for the Central to be ready
uri:
url: 'https://{{ central_hostname }}'
validate_certs: '{{ validate_certs }}'
register: healthcheck
changed_when: false
until: healthcheck is succeeded
retries: 60
delay: 5
- name: Get K8s secret
kubernetes.core.k8s_info:
api_version: v1
kind: Secret
name: stackrox-cicd-token
namespace: stackrox
register: cicd_token_secret
- name: Create the CI/CD API Token
uri:
url: '{{ acs_api }}/apitokens/generate'
method: POST
status_code: "200"
validate_certs: '{{ validate_certs }}'
url_username: admin
url_password: '{{ central_admin_password }}'
body: '{{ token_creation }}'
body_format: json
force_basic_auth: yes
register: create_apitoken_response
changed_when: create_apitoken_response.status == 200
when: cicd_token_secret.resources|length == 0
vars:
token_creation:
name: tekton-pipelines
role: Continuous Integration
- set_fact:
apitoken_value: '{{ create_apitoken_response.json.token }}'
when: cicd_token_secret.resources|length == 0
- name: Create the K8s Secret
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Secret
metadata:
name: stackrox-cicd-token
namespace: stackrox
stringData:
token: '{{ apitoken_value }}'
endpoint: '{{ central_hostname }}'
when: apitoken_value is defined
- name: Get secrets in the stackrox namespace
kubernetes.core.k8s_info:
api_version: v1
kind: Secret
namespace: stackrox
register: stackrox_secrets
failed_when: stackrox_secrets.resources|length == 0
- set_fact:
registry_reader_token: '{{ stackrox_secrets.resources | json_query(query) | first | b64decode }}'
vars:
query: >
[?metadata.annotations."kubernetes.io/service-account.name" == `stackrox-registry-reader` && type == `kubernetes.io/service-account-token`].data.token
- name: Find image registry integrations
uri:
url: '{{ acs_api }}/imageintegrations'
validate_certs: '{{ validate_certs }}'
url_username: admin
url_password: '{{ central_admin_password }}'
force_basic_auth: yes
register: find_image_integrations_response
changed_when: false
- set_fact:
image_integration_id: '{{ (find_image_integrations_response.json | json_query(query) | first).id }}'
when: find_image_integrations_response.json | json_query(query) | count > 0
vars:
query: integrations[?type == `docker` && docker.endpoint == `image-registry.openshift-image-registry.svc:5000`]
- name: Create the image registry integration
uri:
url: '{{ acs_api }}/imageintegrations'
method: POST
status_code: "200"
validate_certs: '{{ validate_certs }}'
url_username: admin
url_password: '{{ central_admin_password }}'
body: '{{ integration }}'
body_format: json
force_basic_auth: yes
register: create_image_integration_response
changed_when: create_image_integration_response.status == 200
when: image_integration_id is not defined
vars:
integration:
name: OpenShift Internal Registry
autogenerated: false
categories:
- REGISTRY
clusterId: ""
docker:
endpoint: image-registry.openshift-image-registry.svc:5000
insecure: true
username: stackrox-registry-reader
password: '{{ registry_reader_token }}'
type: docker
- set_fact:
image_integration_id: '{{ create_image_integration_response.json.id }}'
when: image_integration_id is not defined
- debug:
var: image_integration_id
- name: Find auth providers
uri:
url: '{{ acs_api }}/authProviders'
validate_certs: '{{ validate_certs }}'
url_username: admin
url_password: '{{ central_admin_password }}'
force_basic_auth: yes
register: find_auth_providers_response
changed_when: false
- set_fact:
auth_provider_id: '{{ (find_auth_providers_response.json | json_query(query) | first).id }}'
when: find_auth_providers_response.json | json_query(query) | count > 0
vars:
query: authProviders[?name == `OpenShift`]
- name: Create the OpenShift auth provider
uri:
url: '{{ acs_api }}/authProviders'
method: POST
status_code: "200"
validate_certs: '{{ validate_certs }}'
url_username: admin
url_password: '{{ central_admin_password }}'
body: '{{ auth }}'
body_format: json
force_basic_auth: yes
register: create_auth_provider_response
changed_when: create_auth_provider_response.status == 200
when: auth_provider_id is not defined
vars:
auth:
name: OpenShift
type: openshift
validated: true
- set_fact:
auth_provider_id: '{{ create_auth_provider_response.json.id }}'
when: auth_provider_id is not defined
- debug:
var: auth_provider_id