158 lines
5 KiB
YAML
158 lines
5 KiB
YAML
---
|
|
version: "3"
|
|
|
|
vars:
|
|
PYTHON_BIN: python3
|
|
ANSIBLE_DIR: "{{.ROOT_DIR}}/ansible"
|
|
KUBERNETES_DIR: "{{.ROOT_DIR}}/kubernetes"
|
|
TERRAFORM_DIR: "{{.ROOT_DIR}}/terraform"
|
|
CLUSTER_SECRETS_FILE: "{{.CLUSTER_DIR}}/flux/vars/cluster-secrets.sops.env"
|
|
CLUSTER_SETTINGS_FILE: "{{.CLUSTER_DIR}}/flux/vars/cluster-settings.env"
|
|
|
|
env:
|
|
KUBECONFIG: "{{.ROOT_DIR}}/kubeconfig"
|
|
SOPS_AGE_KEY_FILE: "{{.ROOT_DIR}}/age.key"
|
|
PATH: "{{.ROOT_DIR}}/.venv/bin:$PATH"
|
|
VIRTUAL_ENV: "{{.ROOT_DIR}}/.venv"
|
|
ANSIBLE_COLLECTIONS_PATH: "{{.ROOT_DIR}}/.venv/galaxy"
|
|
ANSIBLE_ROLES_PATH: "{{.ROOT_DIR}}/.venv/galaxy/ansible_roles"
|
|
ANSIBLE_VARS_ENABLED: "host_group_vars,community.sops.sops"
|
|
K8S_AUTH_KUBECONFIG: "{{.ROOT_DIR}}/kubeconfig"
|
|
|
|
includes:
|
|
ansible: .taskfiles/Ansible/Taskfile.yaml
|
|
volsync: .taskfiles/VolSync/Tasks.yaml
|
|
precommit: .taskfiles/PreCommit/Tasks.yaml
|
|
k8s: .taskfiles/k8s/Taskfile.yaml
|
|
rook:
|
|
taskfile: ".taskfiles/rook"
|
|
dir: .taskfiles/rook
|
|
flux:
|
|
dir: .taskfiles/flux
|
|
taskfile: .taskfiles/flux
|
|
|
|
tasks:
|
|
|
|
default:
|
|
silent: true
|
|
cmds: ["task -l"]
|
|
|
|
init:
|
|
desc: Initialize workstation dependencies with Brew
|
|
cmds:
|
|
- brew install {{.DEPS}} {{.CLI_ARGS}}
|
|
preconditions:
|
|
- sh: command -v brew
|
|
msg: |
|
|
Homebrew is not installed. Using MacOS, Linux or WSL?
|
|
Head over to https://brew.sh to get up and running.
|
|
vars:
|
|
DEPS: >-
|
|
age
|
|
ansible
|
|
direnv
|
|
derailed/k9s/k9s
|
|
fluxcd/tap/flux
|
|
go-task/tap/go-task
|
|
helm
|
|
ipcalc
|
|
jq
|
|
kubernetes-cli
|
|
kustomize
|
|
pre-commit
|
|
prettier
|
|
sops
|
|
stern
|
|
terraform
|
|
tflint
|
|
weaveworks/tap/gitops
|
|
yamllint
|
|
yq
|
|
|
|
configure-venv:
|
|
desc: Install or upgrade the Python virtual env
|
|
cmds:
|
|
- "{{.PYTHON_BIN}} -m venv {{.ROOT_DIR}}/.venv"
|
|
- .venv/bin/python3 -m pip install --upgrade pip setuptools wheel
|
|
- .venv/bin/python3 -m pip install --upgrade --requirement "{{.ROOT_DIR}}/requirements.txt"
|
|
- .venv/bin/ansible-galaxy install --role-file "{{.ANSIBLE_DIR}}/requirements.yaml" --force
|
|
|
|
flux-apply:
|
|
desc: Apply a resource path that contains Flux substitution variables
|
|
dotenv: ['{{.CLUSTER_SETTINGS_FILE}}']
|
|
vars:
|
|
ks: '{{ or .ks (fail "Missing path (`ks` var)") }}'
|
|
cmd: |
|
|
sops exec-env {{.CLUSTER_SECRETS_FILE}} \
|
|
"kustomize build --load-restrictor=LoadRestrictionsNone {{.ks}} | \
|
|
envsubst | kubectl apply --server-side --field-manager=kustomize-controller -f -"
|
|
preconditions:
|
|
- sh: test -f {{.CLUSTER_SECRETS_FILE}}
|
|
- sh: test -f {{.CLUSTER_SETTINGS_FILE}}
|
|
|
|
sync-secrets:
|
|
desc: Sync ExternalSecret resources
|
|
vars:
|
|
secret: '{{ .secret | default ""}}'
|
|
namespace: '{{.namespace | default "default"}}'
|
|
cmd: |
|
|
{{if eq .secret ""}}
|
|
kubectl get externalsecret.external-secrets.io --all-namespaces --no-headers -A | awk '{print $1, $2}' \
|
|
| xargs --max-procs=4 -l bash -c 'kubectl -n $0 annotate externalsecret.external-secrets.io $1 force-sync=$(date +%s) --overwrite'
|
|
{{else}}
|
|
kubectl -n {{.namespace}} annotate externalsecret.external-secrets.io {{.secret}} force-sync=$(date +%s) --overwrite
|
|
{{end}}
|
|
preconditions:
|
|
- kubectl -n {{.namespace}} get externalsecret {{.secret}}
|
|
|
|
mount-volume:
|
|
desc: Mount a PersistentVolumeClaim to a temporary pod
|
|
interactive: true
|
|
vars:
|
|
claim: '{{ or .claim (fail "PersistentVolumeClaim `claim` is required") }}'
|
|
namespace: '{{.namespace | default "default"}}'
|
|
cmd: |
|
|
kubectl run -n {{.namespace}} debug-{{.claim}} -i --tty --rm --image=null --privileged --overrides='
|
|
{
|
|
"apiVersion": "v1",
|
|
"spec": {
|
|
"containers": [
|
|
{
|
|
"name": "debug",
|
|
"image": "ghcr.io/onedr0p/alpine:rolling",
|
|
"command": ["/bin/bash"],
|
|
"stdin": true,
|
|
"stdinOnce": true,
|
|
"tty": true,
|
|
"volumeMounts": [
|
|
{
|
|
"name": "config",
|
|
"mountPath": "/config"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"volumes": [
|
|
{
|
|
"name": "config",
|
|
"persistentVolumeClaim": {
|
|
"claimName": "{{.claim}}"
|
|
}
|
|
}
|
|
],
|
|
"restartPolicy": "Never"
|
|
}
|
|
}'
|
|
preconditions:
|
|
- kubectl -n {{.namespace}} get pvc {{.claim}}
|
|
|
|
# https://github.com/fluxcd/helm-controller/issues/644
|
|
"644":
|
|
cmds:
|
|
- kubectl -n {{.namespace}} delete secret -l owner=helm,name={{.release}},status=pending-upgrade
|
|
- flux -n {{.namespace}} reconcile hr {{.release}}
|
|
vars:
|
|
release: '{{ or .release (fail "HelmRelease `release` is required") }}'
|
|
namespace: '{{.namespace | default "default"}}'
|
|
preconditions:
|
|
- flux -n {{.namespace}} get hr {{.release}}
|