diff --git a/actions/apply-all.sh b/actions/apply-all.sh
index 9f5fbc5c75bd73dd44d404047d8f558765351f36..536c409214ef8ed16c00d2ea7d9a6e6b09256a0e 100755
--- a/actions/apply-all.sh
+++ b/actions/apply-all.sh
@@ -6,7 +6,7 @@ actions_dir="$(dirname "$0")"
 . "$actions_dir/lib.sh"
 # Ensure that the latest config is deployed to the inventory
-"$actions_dir/update-inventory.sh"
+"$actions_dir/update-inventory.sh" conf_vars
 load_conf_vars
diff --git a/actions/apply-custom.sh b/actions/apply-custom.sh
index f26cff0d9219d2d26cedbd8c1a647c9aea07b306..a3ec051e1e6fc72510e5057d02a7f18a80c34d0e 100755
--- a/actions/apply-custom.sh
+++ b/actions/apply-custom.sh
@@ -6,14 +6,12 @@ actions_dir="$(dirname "$0")"
 . "$actions_dir/lib.sh"
 # Ensure that the latest config is deployed to the inventory
-"$actions_dir/update-inventory.sh"
+"$actions_dir/update-inventory.sh" conf_vars
 load_conf_vars
 check_venv
-check_conf_sanity
 require_vault_token
 install_prerequisites
@@ -27,6 +25,8 @@ set_kubeconfig
 ANSIBLE_ROLES_PATH="$ansible_k8s_core_dir/roles:$ansible_k8s_supplements_dir/roles:$ansible_k8s_custom_playbook_dir/roles"
 export ANSIBLE_ROLES_PATH
+"$actions_dir/update-inventory.sh" ansible
+
 pushd "$ansible_k8s_custom_dispatch_dir"
 ansible_playbook \
 -i "$ansible_inventory_host_file" \
diff --git a/actions/apply-k8s-core.sh b/actions/apply-k8s-core.sh
index 22a180796e43a6cd03551184ffc7a80360b35418..ea511cb0e4e8a52e5d240addbfcadfb4844dd2b2 100755
--- a/actions/apply-k8s-core.sh
+++ b/actions/apply-k8s-core.sh
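Review bot: The comment `# Ensure that the latest config is deployed to the inventory` now sits above a call that only builds the `conf_vars` target, while the unannotated `"$actions_dir/update-inventory.sh" ansible` added before `pushd` in apply-custom.sh is the call that actually deploys the Ansible inventory, so the comment no longer describes the line under it. I would reword the first to `# Build the conf_vars target so load_conf_vars can read it` and put `# Deploy the Ansible inventory before running the playbook` above the second call. The same pair appears in apply-k8s-core.sh, apply-k8s-supplements.sh, apply-prepare-gw.sh, apply-terraform.sh, destroy.sh, k8s-login.sh, rotate-root-ca.sh, test.sh, update-frontend-nodes.sh, update-kubernetes-nodes.sh, upgrade.sh and verify-cluster-health.sh and would benefit from the same two comments.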
@@ -26,17 +26,18 @@ execute_playbook() {
 notef "Executing playbook $playbook\n"
 # Ensure that the latest config is deployed to the inventory
- "$actions_dir/update-inventory.sh"
+ "$actions_dir/update-inventory.sh" conf_vars
 load_conf_vars
 check_venv
- check_conf_sanity
 require_vault_token
 install_prerequisites
 # Bring the wireguard interface up if configured
 "$actions_dir/wg-up.sh"
+ "$actions_dir/update-inventory.sh" ansible
+
 pushd "$ansible_k8s_core_dir"
 # Include k8s-core roles
 ANSIBLE_ROLES_PATH="$ansible_k8s_core_dir/roles" \
diff --git a/actions/apply-k8s-supplements.sh b/actions/apply-k8s-supplements.sh
index 0c9ba84f2e79e9d861527d5b4ea4985a24b758fb..7b7d7242da341394752ea276f016bb20b7b469c9 100755
--- a/actions/apply-k8s-supplements.sh
+++ b/actions/apply-k8s-supplements.sh
@@ -26,10 +26,9 @@ execute_playbook() {
 notef "Executing playbook $playbook\n"
 # Ensure that the latest config is deployed to the inventory
- "$actions_dir/update-inventory.sh"
+ "$actions_dir/update-inventory.sh" conf_vars
 load_conf_vars
- check_conf_sanity
 check_venv
 require_vault_token
 install_prerequisites
@@ -39,6 +38,8 @@ execute_playbook() {
 set_kubeconfig
+ "$actions_dir/update-inventory.sh" ansible
+
 pushd "$ansible_k8s_supplements_dir"
 # Include k8s-core roles
 ANSIBLE_ROLES_PATH="$ansible_k8s_core_dir/roles:$ansible_k8s_supplements_dir/roles" \
diff --git a/actions/apply-prepare-gw.sh b/actions/apply-prepare-gw.sh
index 10ed7ec119cd950d5cb45e69bf6acbadfab5b62b..a8f4aa32a0bdb102fe67172e98d117da1ed05d6a 100755
--- a/actions/apply-prepare-gw.sh
+++ b/actions/apply-prepare-gw.sh
@@ -6,13 +6,12 @@ actions_dir="$(dirname "$0")"
 . "$actions_dir/lib.sh"
 # Ensure that the latest config is deployed to the inventory
-"$actions_dir/update-inventory.sh"
+"$actions_dir/update-inventory.sh" conf_vars
 load_conf_vars
 check_venv
-check_conf_sanity
 require_vault_token
@@ -26,6 +25,8 @@ if [ "${tf_usage:-true}" == 'false' ]; then
 exit 1
 fi
+"$actions_dir/update-inventory.sh" ansible
+
 # Prepare Gateways, if configured
 pushd "$ansible_k8s_supplements_dir"
 # Include k8s-core common roles
diff --git a/actions/apply-terraform.sh b/actions/apply-terraform.sh
index 4593527df090acb6674323f8846d9577c37450c2..6663414097e8c1a828dec046ccb8d79192c50c9e 100755
--- a/actions/apply-terraform.sh
+++ b/actions/apply-terraform.sh
@@ -6,7 +6,7 @@ actions_dir="$(realpath "$(dirname "$0")")"
 . "$actions_dir/lib.sh"
 # Ensure that the latest config is deployed to the inventory
-"$actions_dir/update-inventory.sh"
+"$actions_dir/update-inventory.sh" conf_vars
 load_conf_vars
@@ -17,6 +17,8 @@ if [ "$("$actions_dir/helpers/semver2.sh" "$(terraform -v -json | jq -r '.terraf
 exit 5
 fi
+"$actions_dir/update-inventory.sh" terraform
+
 var_file="$terraform_state_dir/config.tfvars.json"
 cd "$terraform_state_dir"
diff --git a/actions/destroy.sh b/actions/destroy.sh
index 5a16b96fa14d493dbe6d568febe540fbde0f8bfa..c076bdd8b98446beeb492c7e612a775bfbb7c848 100755
--- a/actions/destroy.sh
+++ b/actions/destroy.sh
@@ -6,7 +6,7 @@ actions_dir="$(realpath "$(dirname "$0")")"
 . "$actions_dir/lib.sh"
 # Ensure that the latest config is deployed to the inventory
-"$actions_dir/update-inventory.sh"
+"$actions_dir/update-inventory.sh" conf_vars
 load_conf_vars
@@ -66,6 +66,8 @@ if [ "${#port_ids[@]}" != 0 ]; then
 run openstack port delete "${port_ids[@]}"
 fi
+"$actions_dir/update-inventory.sh" terraform
+
 cd "$terraform_state_dir"
 export TF_DATA_DIR="$terraform_state_dir/.terraform"
 run terraform -chdir="$terraform_module" init
diff --git a/actions/k8s-login.sh b/actions/k8s-login.sh
index 52e32892a696b80c48863d2bc160936b682419fb..6fee679bc91cc7391dcfd266c4d3f63e7d7ced85 100755
--- a/actions/k8s-login.sh
+++ b/actions/k8s-login.sh
@@ -6,11 +6,10 @@ actions_dir="$(dirname "$0")"
 . "$actions_dir/lib.sh"
 # Ensure that the latest config is deployed to the inventory
-"$actions_dir/update-inventory.sh"
+"$actions_dir/update-inventory.sh" conf_vars
 load_conf_vars
-check_conf_sanity
 require_vault_token
@@ -41,6 +40,8 @@ fi
 check_vault_token_policy
+"$actions_dir/update-inventory.sh" ansible
+
 pushd "$ansible_k8s_core_dir"
 # Include k8s-core roles
 ANSIBLE_ROLES_PATH="$ansible_k8s_core_dir/roles" \
diff --git a/actions/lib.sh b/actions/lib.sh
index b3b87691e6a32eaad1ee0b44eb739a9e18cae4d1..f2c6d855dbbbba3360d65b003d819215edd9c223 100644
--- a/actions/lib.sh
+++ b/actions/lib.sh
@@ -4,6 +4,7 @@ cluster_repository="$(realpath ".")"
 code_repository="$(realpath "$actions_dir/../")"
 etc_directory="$(realpath "etc")"
 group_vars_dir="${cluster_repository}/inventory/yaook-k8s/group_vars"
+conf_vars_file="${cluster_repository}/inventory/conf_vars/main.yaml"
 state_dir="$cluster_repository/state"
 release_migration_lock="$state_dir/release-migration-in-progress"
@@ -72,23 +73,16 @@ function load_conf_vars() {
 # All the things with side-effects should go here
 terraform_prevent_disruption="$(if [ -e "$terraform_disruption_lock" ]; then echo "true"; else echo "false"; fi)"
- tf_usage=${tf_usage:-"$(yq '. | if has ("enabled") then .enabled else true end' "$group_vars_dir/all/terraform.yaml")"}
- wg_usage=${wg_usage:-"$(yq '. | if has("enabled") then .enabled else true end' "$group_vars_dir/gateways/wireguard.yaml")"}
+ tf_usage="$(yq '.tf_usage' "$conf_vars_file")"
+ wg_usage="$(yq '.wg_usage' "$conf_vars_file")"
 if [ "${wg_usage:-true}" == "true" ]; then
 wg_conf="${wg_conf:-$cluster_repository/${wg_conf_name}.conf}"
 wg_interface="$(basename "$wg_conf" | cut -d'.' -f1)"
 wg_endpoint="${wg_endpoint:-0}"
 ansible_wg_template="$etc_directory/wireguard/wg${wg_endpoint}/wg${wg_endpoint}_${wg_user}.conf"
- fi
-}
-
-function check_conf_sanity() {
- out=$(ansible-inventory -i "${ansible_inventory_base}" --host localhost)
- if ! (jq --exit-status '.ipv4_enabled or .ipv6_enabled' <<<"${out}" &> /dev/null); then
- errorf "Neither IPv4 nor IPv6 are enabled."
- errorf "Enable at least one in your hosts file $ansible_inventory_host_file."
- exit 2
+ wg_subnet="$(yq -r .wg_subnet "$conf_vars_file")"
+ wg_subnet_v6="$(yq -r .wg_subnet_v6 "$conf_vars_file")"
 fi
 }
diff --git a/actions/manual-terraform.sh b/actions/manual-terraform.sh
index 7a525790359f0cc1c552847765cca9d2839c2459..586c23b16a759228df1757e3b11a7afca00f78fe 100755
--- a/actions/manual-terraform.sh
+++ b/actions/manual-terraform.sh
@@ -6,7 +6,7 @@ actions_dir="$(realpath "$(dirname "$0")")"
 . "$actions_dir/lib.sh"
 # Ensure that the latest config is deployed to the inventory
-"$actions_dir/update-inventory.sh"
+"$actions_dir/update-inventory.sh" terraform
 cd "$terraform_state_dir"
 export TF_DATA_DIR="$terraform_state_dir/.terraform"
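Review bot: `tf_usage="$(yq '.tf_usage' "$conf_vars_file")"` and the `wg_usage` line under it drop the `${tf_usage:-…}` shape, so a value exported by the caller is now overwritten unconditionally, and because the variable is always assigned, the `${wg_usage:-true}` default on the following `if` (and the same test in wg-up.sh) can no longer apply — if `.wg_usage` is absent from the file yq prints `null` and the WireGuard branch is silently skipped. If the override was intentional the now-dead `:-true` defaults should go; otherwise keep the old shape, e.g. `tf_usage="${tf_usage:-$(yq -r '.tf_usage // true' "$conf_vars_file")}"`. The deleted `check_conf_sanity` (at least one of IPv4/IPv6 enabled) has no replacement visible in this diff; confirm the equivalent assertion exists on the Nix side. `load_conf_vars` begins before this hunk.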
diff --git a/actions/rotate-root-ca.sh b/actions/rotate-root-ca.sh
index 6786e9e783e43e0baa334ef25c6f6157934123de..fc0ab0440e01b6df2953207e3f51783b12fee70c 100755
--- a/actions/rotate-root-ca.sh
+++ b/actions/rotate-root-ca.sh
@@ -43,13 +43,12 @@ fi
 . "$actions_dir/lib.sh"
 # Ensure that the latest config is deployed to the inventory
-"$actions_dir/update-inventory.sh"
+"$actions_dir/update-inventory.sh" conf_vars
 load_conf_vars
 check_venv
-check_conf_sanity
 require_ansible_disruption
@@ -69,6 +68,8 @@ if [ "${complete_rotation:-false}" == "false" ]; then
 run "$actions_dir/k8s-login.sh"
 fi
+"$actions_dir/update-inventory.sh" ansible
+
 pushd "$ansible_k8s_core_dir"
 ansible_playbook -i "$ansible_inventory_host_file" \
 -e "append_next_issuer=${next_issuer:-false}" \
diff --git a/actions/test.sh b/actions/test.sh
index 70bb3c5d1b2d7478804f70620e8e5698b04d9f75..e559d0f6df14f79fa455e2e372537b8078aaad5e 100755
--- a/actions/test.sh
+++ b/actions/test.sh
@@ -7,11 +7,10 @@ actions_dir="$(dirname "$0")"
 . "$actions_dir/lib.sh"
 # Ensure that the latest config is deployed to the inventory
-"$actions_dir/update-inventory.sh"
+"$actions_dir/update-inventory.sh" conf_vars
 load_conf_vars
-check_conf_sanity
 check_venv
@@ -20,6 +19,8 @@ check_venv
 set_kubeconfig
+"$actions_dir/update-inventory.sh" ansible
+
 # Test all
 pushd "$ansible_k8s_supplements_dir"
 ANSIBLE_ROLES_PATH="$ansible_k8s_core_dir/roles/:$ansible_k8s_supplements_dir/test-roles:$ansible_k8s_supplements_dir/roles/" \
diff --git a/actions/update-frontend-nodes.sh b/actions/update-frontend-nodes.sh
index f6c98df727a44fa21d204127eed37406f027f26d..97d6b05b2e97b0dc0eb0084c20e6889efd980edf 100755
--- a/actions/update-frontend-nodes.sh
+++ b/actions/update-frontend-nodes.sh
@@ -6,11 +6,10 @@ actions_dir="$(dirname "$0")"
 . "$actions_dir/lib.sh"
 # Ensure that the latest config is deployed to the inventory
-"$actions_dir/update-inventory.sh"
+"$actions_dir/update-inventory.sh" conf_vars
 load_conf_vars
-check_conf_sanity
 check_venv
@@ -38,6 +37,8 @@ install_prerequisites
 set_kubeconfig
+"$actions_dir/update-inventory.sh" ansible
+
 # Trigger whole LCM
 pushd "$ansible_k8s_core_dir"
 # Include k8s-core roles
diff --git a/actions/update-inventory.sh b/actions/update-inventory.sh
index d5c1fe6c733524bba1009e445a5881451a8df0bd..0d467af71480ec285588b01c692b68d18a47b18f 100755
--- a/actions/update-inventory.sh
+++ b/actions/update-inventory.sh
@@ -2,6 +2,26 @@
 set -euo pipefail
 actions_dir="$(dirname "$0")"
+function usage() {
+ echo "usage: $0 target" >&2
+ echo >&2
+ echo "Arguments:" >&2
+ echo " target" >&2
+ echo " Possible values include: conf_vars, vault, terraform, ansible" >&2
+}
+
+arg_num=1
+if [ "$#" -lt "$arg_num" ]; then
+ echo "ERROR: Expecting $arg_num argument(s), but $# were given" >&2
+ echo
+ usage
+ echo >&2
+ exit 2
+fi
+
+target="$1"
+shift
+
 # shellcheck source=actions/lib.sh
 . "$actions_dir/lib.sh"
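Review bot: `target="$1"` is accepted without being checked against the values `usage` advertises, so a typo only surfaces later when `nix build ".#yk8s-outputs-$target"` fails with a Nix attribute error instead of the usage text; a `case` on `$target` right after the assignment rejects it early. In the error branch the bare `echo` sends its blank line to stdout while every neighbouring line goes to stderr, so it should be `echo >&2`. `usage` also lists `vault`, but no `_targets.vault` definition is visible in this diff — confirm that target exists or drop it from the list.
```shell
target="$1"
shift

case "$target" in
  conf_vars|vault|terraform|ansible) ;;
  *)
    echo "ERROR: unknown target '$target'" >&2
    echo >&2
    usage
    exit 2
    ;;
esac
# … unchanged: shellcheck directive and sourcing of lib.sh …
```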
@@ -17,13 +37,18 @@ if [[ -e "inventory/yaook-k8s/hosts" ]] && [[ ! -L "inventory/yaook-k8s/hosts" ]
 fi
 if [[ -e "state" ]]; then git add state; fi
 if [ -z "${TAROOK_NIX_FLAGS:-}" ]; then
- out=$(nix build --override-input yk8s "$code_repository" --print-out-paths --no-link "$@" .#yk8s-outputs)
+ out=$(nix build --override-input yk8s "$code_repository" --print-out-paths --no-link "$@" ".#yk8s-outputs-$target")
 else
- out=$(nix build --override-input yk8s "$code_repository" --print-out-paths --no-link "${TAROOK_NIX_FLAGS}" "$@" .#yk8s-outputs)
+ out=$(nix build --override-input yk8s "$code_repository" --print-out-paths --no-link "${TAROOK_NIX_FLAGS}" "$@" ".#yk8s-outputs-$target")
 fi
-
-rsync -rL --chmod 664 "$out/state" .
-rm -rf inventory
-mkdir -p inventory/yaook-k8s/
-rsync -rl --chmod 664 "$out/inventory/yaook-k8s/" inventory/yaook-k8s/
+# shellcheck disable=SC1091
+. "$out/.path-info"
+# shellcheck disable=SC2154
+rsync -rL --chmod 664 "$out/$state" .
 git add state
+# shellcheck disable=SC2154
+if [ "$inventory" != "" ]; then
+ rm -rf "$inventory"
+ mkdir -p "$inventory"
+ rsync -rl --chmod 664 "$out/$inventory/" "$inventory"
+fi
diff --git a/actions/update-kubernetes-nodes.sh b/actions/update-kubernetes-nodes.sh
index 89db811e61564d9c806cc79df7a8152ede6c8b8e..ae51e72d702c2311f1883f86707197ad2836b2ed 100755
--- a/actions/update-kubernetes-nodes.sh
+++ b/actions/update-kubernetes-nodes.sh
@@ -6,11 +6,10 @@ actions_dir="$(dirname "$0")"
 . "$actions_dir/lib.sh"
 # Ensure that the latest config is deployed to the inventory
-"$actions_dir/update-inventory.sh"
+"$actions_dir/update-inventory.sh" conf_vars
 load_conf_vars
-check_conf_sanity
 check_venv
@@ -38,6 +37,8 @@ install_prerequisites
 set_kubeconfig
+"$actions_dir/update-inventory.sh" ansible
+
 pushd "$ansible_k8s_core_dir"
 # Include k8s-core roles
 ansible_playbook -i "$ansible_inventory_host_file" \
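Review bot: `. "$out/.path-info"` executes build output as shell and the resulting `$inventory` goes straight into `rm -rf "$inventory"`; the `!= ""` test is the only guard, and on the Nix side `inventory_subdir` is a `nonEmptyStr` that nothing stops from carrying `..` or a leading `/`, while an empty `$state` would turn the rsync source into `"$out/"`. Since `.path-info` is two `key=value` lines, I would read them with `sed` instead of sourcing (which also removes the SC1091/SC2154 suppressions), refuse absolute or parent-relative inventory paths, and write the removal as `rm -rf -- "${inventory:?}"`. Both `nix build` lines keep forwarding `"$@"` after the `shift`, which is fine but deserves a comment saying the remaining arguments are passed to Nix.
```shell
inventory="$(sed -n 's/^inventory=//p' "$out/.path-info")"
state="$(sed -n 's/^state=//p' "$out/.path-info")"
case "$inventory" in
  /*|*/../*|../*|*/..|..)
    echo "ERROR: refusing inventory path '$inventory' from .path-info" >&2
    exit 2
    ;;
esac
rsync -rL --chmod 664 "$out/${state:?}" .
git add state
if [ -n "$inventory" ]; then
  rm -rf -- "${inventory:?}"
  mkdir -p -- "$inventory"
  rsync -rl --chmod 664 "$out/$inventory/" "$inventory"
fi
```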
diff --git a/actions/upgrade.sh b/actions/upgrade.sh
index 1e6897a4006359ff5e31126e139574e3c008d93d..7834a247d14f2569ee10e795680b7c32d9853b0b 100755
--- a/actions/upgrade.sh
+++ b/actions/upgrade.sh
@@ -6,11 +6,10 @@ actions_dir="$(dirname "$0")"
 . "$actions_dir/lib.sh"
 # Ensure that the latest config is deployed to the inventory
-"$actions_dir/update-inventory.sh"
+"$actions_dir/update-inventory.sh" conf_vars
 load_conf_vars
-check_conf_sanity
 check_venv
@@ -65,6 +64,8 @@ require_ansible_disruption
 set_kubeconfig
+"$actions_dir/update-inventory.sh" ansible
+
 pushd "$ansible_k8s_supplements_dir"
 ANSIBLE_ROLES_PATH="$ansible_k8s_core_dir/roles:$ansible_k8s_supplements_dir/roles" \
 ansible_playbook -i "$ansible_inventory_host_file" "$playbook" \
diff --git a/actions/verify-cluster-health.sh b/actions/verify-cluster-health.sh
index c1c19f71e158cb255679d3f8c74013d73dd88181..913bbc2d23b144fb75648e1e204c1332c4171f38 100755
--- a/actions/verify-cluster-health.sh
+++ b/actions/verify-cluster-health.sh
@@ -6,11 +6,10 @@ actions_dir="$(dirname "$0")"
 . "$actions_dir/lib.sh"
 # Ensure that the latest config is deployed to the inventory
-"$actions_dir/update-inventory.sh"
+"$actions_dir/update-inventory.sh" conf_vars
 load_conf_vars
-check_conf_sanity
 while getopts s flag
 do
@@ -31,6 +30,8 @@ check_venv
 set_kubeconfig
+"$actions_dir/update-inventory.sh" ansible
+
 pushd "$ansible_k8s_supplements_dir"
 # Include k8s-core roles
 ANSIBLE_ROLES_PATH="$ansible_k8s_core_dir/roles:$ansible_k8s_supplements_dir/roles" \
diff --git a/actions/wg-up.sh b/actions/wg-up.sh
index a3529551a582a29a47c29b4f910f8a4390aa6544..6a63acd7fc81d167f8f17c500e3f450cf537402b 100755
--- a/actions/wg-up.sh
+++ b/actions/wg-up.sh
@@ -7,15 +7,13 @@ actions_dir="$(dirname "$0")"
 . "$actions_dir/lib.sh"
 # Ensure that the latest config is deployed to the inventory
-"$actions_dir/update-inventory.sh"
+"$actions_dir/update-inventory.sh" conf_vars
 load_conf_vars
 if [ "${wg_usage:-true}" == "true" ]; then
 validate_wireguard
- wg_subnet="$(yq -r .subnet_cidr "$group_vars_dir/all/infra.yaml")"
- wg_subnet_v6="$(yq -r .subnet_v6_cidr "$group_vars_dir/all/infra.yaml")"
 # the grep is there to ignore any routes going via the interface we're going to
 # take down later either way
 wg_existing_route="$(ip route show to "$wg_subnet" 2>/dev/null | grep -v "dev $wg_interface" || true)"
diff --git a/docs/_releasenotes/1840.change.1.split-inventory-targets b/docs/_releasenotes/1840.change.1.split-inventory-targets
new file mode 100644
index 0000000000000000000000000000000000000000..c3047b2edf719b16ff1cfe7f954fb76b9761e45b
--- /dev/null
+++ b/docs/_releasenotes/1840.change.1.split-inventory-targets
@@ -0,0 +1 @@
+update-inventory.sh now differentiates between multiple targets. Run without arguments to see possible targets. If you don't directly use update-inventory.sh in your automation, you don't need to care, as its handled by the other action scripts.
diff --git a/nix/templates/module/example.nix b/nix/templates/module/example.nix
index 43843da12a856049a9c54c283385e9ea39638312..109c7f53755c8134148147e77efcb5dcd07c5698 100644
--- a/nix/templates/module/example.nix
+++ b/nix/templates/module/example.nix
@@ -41,7 +41,7 @@ in {
 example = ["some value" "some other value"];
 };
 };
- config.yk8s._inventory_packages = [
+ config.yk8s._targets.ansible.inventory_packages = [
 (mkGroupVarsFile {
 inherit cfg;
 inventory_path = "all/example.yaml"; # this is where the values will end up under inventory/group_vars
diff --git a/nix/yk8s/conf-vars.nix b/nix/yk8s/conf-vars.nix
new file mode 100644
index 0000000000000000000000000000000000000000..4ec5d2946daad9cf1a62aa539d9b93764075d3bc
--- /dev/null
+++ b/nix/yk8s/conf-vars.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ yk8s-lib,
+ ...
+}: let
+ inherit (lib) mkOption types;
+ inherit (yk8s-lib) mkTopSection mkGroupVarsFile;
+in {
+ config.yk8s._targets.conf_vars = {
+ inventory_subdir = "conf_vars";
+ inventory_packages = [
+ (yk8s-lib.mkYamlAtPath "main.yaml" {
+ tf_usage = config.yk8s.terraform.enabled;
+ wg_usage = config.yk8s.wireguard.enabled;
+ wg_subnet = config.yk8s.infra.subnet_cidr;
+ wg_subnet_v6 = config.yk8s.infra.subnet_v6_cidr;
+ })
+ ];
+ };
+}
diff --git a/nix/yk8s/containerd.nix b/nix/yk8s/containerd.nix
index d620f51938ae3faddafebf667f4eac53d805066c..e0cee5d7dfcb6bc491e15aa93f47c91d9b991a52 100644
--- a/nix/yk8s/containerd.nix
+++ b/nix/yk8s/containerd.nix
@@ -60,7 +60,7 @@ in {
 ];
 };
 };
- config.yk8s._inventory_packages = [
+ config.yk8s._targets.ansible.inventory_packages = [
 (mkGroupVarsFile {
 inherit cfg;
 ansible_prefix = "containerd_";
diff --git a/nix/yk8s/custom.nix b/nix/yk8s/custom.nix
index 4fa687dca5b473fa9df328b556cbcd6358efebf6..0cf54197329693920bd8ac547caea2aafaf855a7 100644
--- a/nix/yk8s/custom.nix
+++ b/nix/yk8s/custom.nix
@@ -23,7 +23,7 @@ in {
 };
 };
 };
- config.yk8s._inventory_packages = [
+ config.yk8s._targets.ansible.inventory_packages = [
 (mkGroupVarsFile {
 inherit cfg;
 inventory_path = "all/custom.yaml";
diff --git a/nix/yk8s/default.nix b/nix/yk8s/default.nix
index 5d2bccba9dd2cd795d5051f7359bafe864f3b3ef..6e3515a6f354a77e44e0c8117f0e9dcd8a2f442c 100644
--- a/nix/yk8s/default.nix
+++ b/nix/yk8s/default.nix
@@ -36,6 +36,7 @@
 };
 imports = [
 ./assertions.nix
+ ./conf-vars.nix
 ./infra.nix
 ./terraform.nix
 ./openstack.nix
@@ -70,7 +71,7 @@
 Base path to the Ansible inventory. Files will get written here.
 '';
 type = relativePosixPath;
- default = "inventory/yaook-k8s";
+ default = "inventory";
 };
 _state_base_path = mkOption {
 description = ''
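Review bot: `inherit (lib) mkOption types;` and `inherit (yk8s-lib) mkTopSection mkGroupVarsFile;` bind names the module never uses, while the one helper it does use is spelled out as `yk8s-lib.mkYamlAtPath`. Replace the two lines with `inherit (yk8s-lib) mkYamlAtPath;` and call it bare, so the header reflects the module's actual dependencies. A one-line comment above `config.yk8s._targets.conf_vars` stating that `actions/lib.sh`'s `load_conf_vars` reads exactly these four keys would tell the next maintainer why the key names must stay in sync with the shell side.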
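Review bot: With `default = "inventory";` the option's description `Base path to the Ansible inventory. Files will get written here.` is stale: the path is now the parent under which every target's `inventory_subdir` is created, and the Ansible files end up in `inventory/yaook-k8s` beneath it. I would change the description to `Base path under which each target's inventory_subdir is created. Files will get written there.`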
@@ -79,38 +80,76 @@
 type = relativePosixPath;
 default = "state";
 };
- _inventory_packages = mkInternalOption {
- description = ''
- Inventory packages from all sections that are then merged into the inventory directory
- '';
- type = with types; listOf package;
- default = [];
- };
- _state_packages = mkInternalOption {
- description = ''
- State packages from all sections that are then merged into the state directory
- '';
- type = with types; listOf package;
- default = [];
+ _targets = mkInternalOption {
+ type = with types;
+ attrsOf (submodule {
+ options = {
+ inventory_subdir = mkInternalOption {
+ description = ''
+ The directory inside _inventory_base_path in which inventory packages are to be created.
+ '';
+ type = with types; nullOr nonEmptyStr;
+ };
+ inventory_packages = mkInternalOption {
+ description = ''
+ Inventory packages from all sections that are then merged into the inventory directory
+ '';
+ type = with types; listOf package;
+ default = [];
+ };
+ state_packages = mkInternalOption {
+ description = ''
+ State packages from all sections that are then merged into the state directory
+ '';
+ type = with types; listOf package;
+ default = [];
+ };
+ };
+ });
 };
 };
- config.packages = rec {
- yk8s-inventory = pkgs.buildEnv {
- name = "yaook-k8s-inventory";
- paths = cfg._inventory_packages;
- };
- yk8s-state-dir = pkgs.buildEnv {
- name = "yaook-k8s-state-dir";
- paths = cfg._state_packages;
+ config.yk8s._targets.ansible.inventory_subdir = "yaook-k8s";
+ config.yk8s.assertions =
+ lib.mapAttrsToList (targetName: targetOptions: {
+ assertion = (targetOptions.inventory_packages != []) -> targetOptions.inventory_subdir != null;
+ message = "Target ${targetName} has inventory_packages, but inventory_subdir is not defined.";
+ })
+ cfg._targets;
+ config.packages = lib.foldlAttrs (acc: targetName: targetOptions: let
+ hasInventory = targetOptions.inventory_packages != [];
+ inventory = pkgs.buildEnv {
+ name = 
"yk8s-outputs-${targetName}-inventory";
+ paths = targetOptions.inventory_packages;
 };
- yk8s-outputs = builtins.seq (baseSystemAssertWarn config.yk8s) pkgs.buildEnv {
- name = "yaook-k8s-outputs";
- paths = [
- (linkToPath yk8s-inventory cfg._inventory_base_path)
- (linkToPath yk8s-state-dir cfg._state_base_path)
- ];
+ state-dir = pkgs.buildEnv {
+ name = "yk8s-outputs-${targetName}-state-dir";
+ paths = targetOptions.state_packages;
 };
- };
+ in
+ acc
+ // {
+ "yk8s-outputs-${targetName}" = builtins.seq (baseSystemAssertWarn config.yk8s) pkgs.buildEnv {
+ name = "yk8s-outputs-${targetName}";
+ paths = let
+ inventoryPath = "${cfg._inventory_base_path}/${targetOptions.inventory_subdir}";
+ in
+ [
+ (pkgs.writeTextDir ".path-info"
+ ''
+ inventory=${
+ if hasInventory
+ then inventoryPath
+ else ""
+ }
+ state=${cfg._state_base_path}
+ '')
+ (linkToPath state-dir cfg._state_base_path)
+ ]
+ ++ lib.optional hasInventory
+ (linkToPath inventory inventoryPath);
+ };
+ }) {}
+ cfg._targets;
 });
 };
 }
diff --git a/nix/yk8s/infra.nix b/nix/yk8s/infra.nix
index eb60117bbe91eaea2c860278dc4255915201e65c..49fd9d1d45695cfa8e85404fbe262ea5d46f0bfb 100644
--- a/nix/yk8s/infra.nix
+++ b/nix/yk8s/infra.nix
@@ -75,8 +75,10 @@ in {
 type = types.nullOr ipv4Addr;
 default = null;
 apply = v:
- if cfg.ipv4_enabled && v == null && config.yk8s.terraform.enabled
- then builtins.trace "INFO: config.yk8s.infra.networking_fixed_ip is not yet set. Terraform stage needs to be run first." v
+ if cfg.ipv4_enabled && v == null
+ then
+ throw
+ "config.yk8s.infra.networking_fixed_ip must be set if ipv4 is enabled"
 else v;
 };
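Review bot: `inventory_subdir` is declared `nullOr nonEmptyStr` without a `default`, yet the assertion added below compares it with `!= null`; as far as I can tell from the module system, reading an option that has neither a default nor a definition raises "used but not defined" instead of yielding `null`, so a target that only sets `state_packages` would fail on that read and the assertion message for a target with packages but no subdir would never be shown. Add `default = null;` under its `type` line. `inventoryPath` is likewise built from `inventory_subdir` unconditionally and is only safe because the `let` is lazy and the name is used solely under `hasInventory`; a short comment there would keep the next edit from hoisting it into `.path-info` for every target.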
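Review bot: The `throw "config.yk8s.infra.networking_fixed_ip must be set if ipv4 is enabled"` inside `apply` fires wherever the option is first read rather than through the `config.yk8s.assertions` list that `baseSystemAssertWarn` evaluates, and it drops the hint the replaced trace carried, namely that the Terraform stage is what fills this value in. Unless nothing reachable from `baseSystemAssertWarn` reads this option, the `conf_vars` and `terraform` targets may now fail before Terraform has had a chance to set it; please confirm that, and extend the message to `config.yk8s.infra.networking_fixed_ip must be set if ipv4 is enabled (run the terraform stage first, or set it manually)`. The same applies to `networking_fixed_ip_v6` in the next infra.nix hunk and to `subnet_id` and `floating_ip_network_id` in ch-k8s-lbaas.nix.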
@@ -84,8 +86,10 @@ in {
 type = with types; nullOr ipv6Addr;
 default = null;
 apply = v:
- if cfg.ipv6_enabled && v == null && config.yk8s.terraform.enabled
- then builtins.trace "INFO: config.yk8s.infra.networking_fixed_ip_v6 is not yet set. Terraform stage needs to be run first." v
+ if cfg.ipv6_enabled && v == null
+ then
+ throw
+ "config.yk8s.infra.networking_fixed_ip_v6 must be set if ipv6 is enabled"
 else v;
 };
@@ -96,10 +100,6 @@ in {
 '';
 type = types.nullOr ipv4Addr;
 default = null;
- apply = v:
- if v == null && config.yk8s.terraform.enabled
- then builtins.trace "INFO: config.yk8s.infra.networking_floating_ip is not yet set. Terraform stage needs to be run first." v
- else v;
 };
 hosts_file = mkOption {
@@ -157,10 +157,7 @@ in {
 Check the parts regarding YAML in the Ansible documentation: https://docs.ansible.com/ansible/latest/inventory_guide/intro_inventory.html
 '';
 default = null;
- apply = v:
- if v == null && config.yk8s.terraform.enabled
- then builtins.trace "INFO: infra.ansible_hosts is not yet set. Terraform stage needs to be run first." v
- else applyGroupSubmoduleAttrs v;
+ apply = applyGroupSubmoduleAttrs;
 type = types.nullOr (types.submodule {
 freeformType = types.attrsOf groupSubmodule;
 options = {
@@ -289,14 +286,6 @@ in { -> (cfg.ansible_hosts.orchestrator.children or {}) == {} && (builtins.length (builtins.attrNames cfg.ansible_hosts.orchestrator.hosts)) == 1; message = "config.yk8s.infra.ansible_hosts.orchestrator must contain exactly one host and no children"; } - { - assertion = cfg.ipv4_enabled -> config.yk8s.terraform.enabled || cfg.networking_fixed_ip != null; - message = "config.yk8s.infra.networking_fixed_ip must be set if Terraform is not used"; - } - { - assertion = cfg.ipv6_enabled -> config.yk8s.terraform.enabled || cfg.networking_fixed_ip_v6 != null; - message = "config.yk8s.infra.networking_fixed_ip_v6 must be set if Terraform is not used"; - } { assertion = (config.yk8s.wireguard.enabled || config.yk8s.ipsec.enabled) -> config.yk8s.terraform.enabled || cfg.networking_floating_ip != null; message = "config.yk8s.infra.networking_floating_ip must be set if Wireguard or IPsec is used."; @@ -329,7 +318,7 @@ in { } ]; config.yk8s.warnings = lib.optional (cfg.hosts_file != null) "config.yk8s.infra.hosts_file is deprecated. Use config.yk8s.infra.ansible_hosts instead."; - config.yk8s._inventory_packages = + config.yk8s._targets.ansible.inventory_packages = (lib.optional (cfg.ansible_hosts != null) (mkYamlAtPath "hosts" (filterNull cfg.ansible_hosts))) ++ (lib.optional (cfg.hosts_file != null) (linkToPath cfg.hosts_file "hosts")) ++ [ diff --git a/nix/yk8s/k8s-supplements/cert-manager.nix b/nix/yk8s/k8s-supplements/cert-manager.nix index d94d4af6cbf0ba8d925f2771361e02554c3f33d8..f16b12d1e8e7375d7c93bb6ed2ddcfee84742c78 100644 --- a/nix/yk8s/k8s-supplements/cert-manager.nix +++ b/nix/yk8s/k8s-supplements/cert-manager.nix @@ -112,7 +112,7 @@ in { example = "https://acme-staging-v02.api.letsencrypt.org/directory"; }; }; - config.yk8s._inventory_packages = [ + config.yk8s._targets.ansible.inventory_packages = [ ( mkGroupVarsFile { inherit cfg; 
diff --git a/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix b/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix
index 28e9dce9e0d641d0abde679d1e41d06895dc9c62..37844758fe33acb0ea41c15da9b636d9a83d386e 100644
--- a/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix
+++ b/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix
@@ -161,17 +161,20 @@ in {
 subnet_id = mkInternalOption {
 type = with types; nullOr nonEmptyStr;
 default = null;
+
 apply = v:
- if v == null && config.yk8s.terraform.enabled
- then builtins.trace "INFO: ch-k8s-lbaas.subnet_id is not yet set. Terraform stage needs to be run first." v
+ if config.yk8s.openstack.enabled && v == null
+ then throw "ch-k8s-lbaas.subnet_id must be set if openstack is enabled"
 else v;
 };
 floating_ip_network_id = mkInternalOption {
 type = with types; nullOr nonEmptyStr;
 default = null;
 apply = v:
- if v == null && config.yk8s.terraform.enabled
- then builtins.trace "INFO: ch-k8s-lbaas.floating_ip_network_id is not yet set. Terraform stage needs to be run first." v
+ if config.yk8s.openstack.enabled && v == null
+ then
+ throw
+ "ch-k8s-lbaas.floating_ip_network_id must be set if openstack is enabled"
 else v;
 };
 };
@@ -224,7 +227,7 @@ in {
 message = "config.yk8s.ch-k8s-lbaas.subnet_id and config.yk8s.ch-k8s-lbaas.floating_ip_network_id must be null if config.yk8s.openstack.enabled==false";
 }
 ];
- config.yk8s._inventory_packages = [
+ config.yk8s._targets.ansible.inventory_packages = [
 (mkGroupVarsFile {
 inherit cfg;
 ansible_prefix = "ch_k8s_lbaas_";
diff --git a/nix/yk8s/k8s-supplements/etcd-backup.nix b/nix/yk8s/k8s-supplements/etcd-backup.nix
index 7569459572050bc8a1e0af188bb381be2413d016..2e30a9567049c0a2ffa69ec53f9a757c4eb8fdca 100644
--- a/nix/yk8s/k8s-supplements/etcd-backup.nix
+++ b/nix/yk8s/k8s-supplements/etcd-backup.nix
@@ -263,7 +263,7 @@ in {
 };
 };
- config.yk8s._inventory_packages = [
+ config.yk8s._targets.ansible.inventory_packages = [
 (mkGroupVarsFile {
 inherit cfg;
 unflat = [
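Review bot: Going by the hunk counts (17 old lines, 20 new), the bare `+` between `default = null;` and `apply = v:` of `subnet_id` appears to be an added empty line, while `floating_ip_network_id` directly beneath has none, so the two sibling options are now formatted differently for no reason. Drop that blank line so both options read the same.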
diff --git a/nix/yk8s/k8s-supplements/fluxcd.nix b/nix/yk8s/k8s-supplements/fluxcd.nix
index e9252b3075721fe26aa3d6237c7f7f6daeeade45..4bd4257550bf443e6fc538ada17a15aa44abea47 100644
--- a/nix/yk8s/k8s-supplements/fluxcd.nix
+++ b/nix/yk8s/k8s-supplements/fluxcd.nix
@@ -66,7 +66,7 @@ in {
 default = null;
 };
 };
- config.yk8s._inventory_packages = [
+ config.yk8s._targets.ansible.inventory_packages = [
 (mkGroupVarsFile {
 inherit cfg;
 ansible_prefix = "fluxcd_";
diff --git a/nix/yk8s/k8s-supplements/ingress.nix b/nix/yk8s/k8s-supplements/ingress.nix
index 9e1c845d1a6945d896885fce31f095d2dd343d81..383d1c573e345774528d089c905e172e26e5dcb7 100644
--- a/nix/yk8s/k8s-supplements/ingress.nix
+++ b/nix/yk8s/k8s-supplements/ingress.nix
@@ -169,7 +169,7 @@ in {
 };
 };
 };
- config.yk8s._inventory_packages = [
+ config.yk8s._targets.ansible.inventory_packages = [
 (mkGroupVarsFile {
 inherit cfg;
 unflat = [["helm" "values"]];
diff --git a/nix/yk8s/k8s-supplements/ipsec.nix b/nix/yk8s/k8s-supplements/ipsec.nix
index 35be06baed301b74b0e53bf320738ee51ab9e99c..df8ecceb0b03eb2db4281d9555a0f89feac47a78 100644
--- a/nix/yk8s/k8s-supplements/ipsec.nix
+++ b/nix/yk8s/k8s-supplements/ipsec.nix
@@ -160,7 +160,7 @@ in {
 }
 ];
 config.yk8s.warnings = lib.optional (cfg.enabled) "config.yk8s.ipsec: is deprecated. Support for it will be dropped in a release after v11.0.0";
- config.yk8s._inventory_packages = [
+ config.yk8s._targets.ansible.inventory_packages = [
 (mkGroupVarsFile {
 inherit cfg;
 ansible_prefix = "ipsec_";
diff --git a/nix/yk8s/k8s-supplements/monitoring.nix b/nix/yk8s/k8s-supplements/monitoring.nix
index cc14623689a6376f079b01081140459a4b850ecb..9b836984b6ae1fc2248f169f3706edc640e58013 100644
--- a/nix/yk8s/k8s-supplements/monitoring.nix
+++ b/nix/yk8s/k8s-supplements/monitoring.nix
@@ -582,7 +582,7 @@ in {
 message = "config.yk8s.k8s-service-layer.prometheus.internet_probe_targets[${idx}].module: ${x.module} is an IPv6-specific module but config.yk8s.infra.ipv6_enabled=false";
 })
 cfg.internet_probe_targets;
- config.yk8s._inventory_packages = [
+ config.yk8s._targets.ansible.inventory_packages = [
 (mkGroupVarsFile {
 inherit cfg;
 ansible_prefix = "monitoring_";
diff --git a/nix/yk8s/k8s-supplements/rook.nix b/nix/yk8s/k8s-supplements/rook.nix
index 156665711420302edc4dbafeeb4fb47baababdd0..6973b06c14e8d0c981cd575658e655a62738dc92 100644
--- a/nix/yk8s/k8s-supplements/rook.nix
+++ b/nix/yk8s/k8s-supplements/rook.nix
@@ -422,7 +422,7 @@ in {
 });
 };
 };
- config.yk8s._inventory_packages = [
+ config.yk8s._targets.ansible.inventory_packages = [
 (mkGroupVarsFile {
 inherit cfg;
 ansible_prefix = "rook_";
diff --git a/nix/yk8s/k8s-supplements/vault.nix b/nix/yk8s/k8s-supplements/vault.nix
index 9fd459304afa559300ddb14f920aae74c07c0612..45aaaa932eb44877f1ac5fec37a7b356d51f6a87 100644
--- a/nix/yk8s/k8s-supplements/vault.nix
+++ b/nix/yk8s/k8s-supplements/vault.nix
@@ -264,7 +264,7 @@ in {
 ];
 }
 ];
- config.yk8s._inventory_packages = [
+ config.yk8s._targets.ansible.inventory_packages = [
 (mkGroupVarsFile {
 inherit cfg;
 ansible_prefix = "yaook_vault_";
diff --git a/nix/yk8s/k8s-supplements/wireguard/default.nix b/nix/yk8s/k8s-supplements/wireguard/default.nix
index 9be70d16a871d4da9746902e10de230092624077..3bb606d6f97519908f7c44b9d2887eaa5b7e2267 100644
--- a/nix/yk8s/k8s-supplements/wireguard/default.nix
+++ b/nix/yk8s/k8s-supplements/wireguard/default.nix
@@ -246,7 +246,7 @@ in {
 ${wireguard_helper}/bin/wireguard_helper ${varsFile} $out/${inventory_path}
 '';
 in {
- _inventory_packages =
+ _targets.ansible.inventory_packages =
 if cfg.enabled
 then [(linkToPath "${wireguard_helper_output}/${inventory_path}" "group_vars/${inventory_path}")]
 else [
@@ -255,7 +255,7 @@ in {
 inherit inventory_path;
 })
 ];
- _state_packages = lib.lists.optional cfg.enabled (linkToPath "${wireguard_helper_output}/${ipam_path}" ipam_path);
+ _targets.ansible.state_packages = lib.lists.optional cfg.enabled (linkToPath "${wireguard_helper_output}/${ipam_path}" ipam_path);
 warnings = lib.optional (cfg.enabled && (builtins.length cfg.peers) == 0) "config.yk8s.wireguard.peers: is empty";
 assertions = let
 inherit (builtins) length;
diff --git a/nix/yk8s/kubernetes/default.nix b/nix/yk8s/kubernetes/default.nix
index 5541617378e0b3878ced5567f86bf4b9b4f6c69b..b439513acbe3bb7e47ca3a324cda93ac972c4776 100644
--- a/nix/yk8s/kubernetes/default.nix
+++ b/nix/yk8s/kubernetes/default.nix
@@ -173,7 +173,7 @@ in {
 message = "config.yk8s.kubernetes.is_gpu_cluster: is mutually exlusive with config.yk8s.kubernetes.virtualize_gpu";
 }
 ];
- config.yk8s._inventory_packages = [
+ config.yk8s._targets.ansible.inventory_packages = [
 (mkGroupVarsFile {
 inherit cfg;
 ansible_prefix = "k8s_";
diff --git a/nix/yk8s/load-balancing.nix b/nix/yk8s/load-balancing.nix
index 3057ee23eb7d11389486e745afa7a8097760d817..78b324070c0e4e26923d90f1b438ef65b891d6d5 100644
--- a/nix/yk8s/load-balancing.nix
+++ b/nix/yk8s/load-balancing.nix
@@ -140,7 +140,7 @@ in {
 default = 2000;
 };
 };
- config.yk8s._inventory_packages = [
+ config.yk8s._targets.ansible.inventory_packages = [
 (mkGroupVarsFile {
 inherit cfg;
 inventory_path = "all/load-balancing.yaml";
diff --git a/nix/yk8s/miscellaneous.nix b/nix/yk8s/miscellaneous.nix
index 9776f441031e854d37a8d3ef7166e7e3baeed820..e0b900ef005dceaa468d6edc3abe5f84bf2d7682 100644
--- a/nix/yk8s/miscellaneous.nix
+++ b/nix/yk8s/miscellaneous.nix
@@ -178,7 +178,7 @@ in { message = "config.yk8s.miscellaneous.no_proxy: must be set because config.yk8s.miscellaneous.cluster_behind_proxy=true"; } ]; - config.yk8s._inventory_packages = [ + config.yk8s._targets.ansible.inventory_packages = [ (mkGroupVarsFile { inherit cfg; inventory_path = "all/miscellaneous.yaml"; diff --git a/nix/yk8s/node-scheduling.nix b/nix/yk8s/node-scheduling.nix index 6037ea55b8f69c641b9119ed19d05062310a587f..9ecaf9adddae13c017422aeb0da52abafda9b27e 100644 --- a/nix/yk8s/node-scheduling.nix +++ b/nix/yk8s/node-scheduling.nix @@ -100,7 +100,7 @@ in { acc ++ lib.optional (config.yk8s.infra.final_hosts != null && ! builtins.hasAttr e (config.yk8s.infra.final_hosts.all.hosts or {})) "config.yk8s.node-scheduling.taints: taint defined for ${e}, but node not found in config.yk8s.infra.ansible_hosts") [] (builtins.attrNames cfg.taints)); - config.yk8s._inventory_packages = [ + config.yk8s._targets.ansible.inventory_packages = [ (mkGroupVarsFile { inherit cfg; inventory_path = "all/node-scheduling.yaml"; diff --git a/nix/yk8s/nvidia.nix b/nix/yk8s/nvidia.nix index b347ffb784a85960e32c2fbdba683f51fcf2c5b9..9c1bfb2f5a815b9946593697fc636656f81007c2 100644 --- a/nix/yk8s/nvidia.nix +++ b/nix/yk8s/nvidia.nix @@ -69,7 +69,7 @@ in { }; }; - config.yk8s._inventory_packages = [ + config.yk8s._targets.ansible.inventory_packages = [ (mkGroupVarsFile { inherit cfg; ansible_prefix = "nvidia_"; diff --git a/nix/yk8s/openstack.nix b/nix/yk8s/openstack.nix index a480c4c887b00403ec745349129160ab8a5e99a7..41635b5be7cad23f78207058693d5ff2da9f893c 100644 --- a/nix/yk8s/openstack.nix +++ b/nix/yk8s/openstack.nix @@ -351,7 +351,7 @@ in { }; config.yk8s = lib.mkMerge [ { - _inventory_packages = [ + _targets.ansible.inventory_packages = [ (mkGroupVarsFile { inherit cfg; inventory_path = "all/openstack.yaml"; 
@@ -393,11 +393,11 @@ in { else pathExists current_config_file; current_cluster_name = current_config.cluster_name - or - # hard-coding this value here as it was the default at the time of writing this module. This ensures that - # old clusters that have been set up with an empty value (and hence have been using the old default) will - # be compared to the old default value - "managed-k8s"; + or + # hard-coding this value here as it was the default at the time of writing this module. This ensures that + # old clusters that have been set up with an empty value (and hence have been using the old default) will + # be compared to the old default value + "managed-k8s"; in { assertion = cluster_exists -> (config.yk8s.infra.cluster_name == current_cluster_name); message = '' 
@@ -421,64 +421,62 @@ in { ]; infra = { - networking_floating_ip = config.yk8s.terraform.outputs.networking_floating_ip.value or null; + networking_floating_ip = config.yk8s.terraform.outputs.networking_floating_ip.value; networking_fixed_ip = config.yk8s.terraform.outputs.networking_fixed_ip.value or null; networking_fixed_ip_v6 = config.yk8s.terraform.outputs.networking_fixed_ip_v6.value or null; - ansible_hosts = - if config.yk8s.terraform.outputs == null - then null - else { - all.vars = {}; - - frontend.children = { - gateways = {}; - }; + ansible_hosts = { + all.vars = { + }; - gateways.hosts = - lib.mapAttrs ( - name: _: - { - ansible_host = config.yk8s.terraform.outputs.gateway_fips.value.${name}.address; - port_id = config.yk8s.terraform.outputs.gateway_ports.value.${name}.id; - local_ipv4_address = builtins.head config.yk8s.terraform.outputs.gateway_ports.value.${name}.all_fixed_ips; - } - // lib.optionalAttrs config.yk8s.infra.ipv6_enabled { - local_ipv6_address = builtins.elemAt config.yk8s.terraform.outputs.gateway_ports.value.${name}.all_fixed_ips 1; - } - ) - config.yk8s.terraform.outputs.gateways.value; - - masters.hosts = - lib.mapAttrs ( - name: _: - { - ansible_host = builtins.head config.yk8s.terraform.outputs.master_ports.value.${name}.all_fixed_ips; - port_id = config.yk8s.terraform.outputs.master_ports.value.${name}.id; - local_ipv4_address = builtins.head config.yk8s.terraform.outputs.master_ports.value.${name}.all_fixed_ips; - } - // lib.optionalAttrs config.yk8s.infra.ipv6_enabled { - local_ipv6_address = builtins.elemAt config.yk8s.terraform.outputs.master_ports.value.${name}.all_fixed_ips 1; - } - ) - config.yk8s.terraform.outputs.masters.value; - workers.hosts = - lib.mapAttrs ( - name: _: - { - ansible_host = builtins.head config.yk8s.terraform.outputs.worker_ports.value.${name}.all_fixed_ips; - port_id = config.yk8s.terraform.outputs.worker_ports.value.${name}.id; - local_ipv4_address = builtins.head 
config.yk8s.terraform.outputs.worker_ports.value.${name}.all_fixed_ips; - } - // lib.optionalAttrs config.yk8s.infra.ipv6_enabled { - local_ipv6_address = builtins.elemAt config.yk8s.terraform.outputs.worker_ports.value.${name}.all_fixed_ips 1; - } - ) - config.yk8s.terraform.outputs.workers.value; + frontend.children = { + gateways = {}; }; + + gateways.hosts = + lib.mapAttrs ( + name: _: + { + ansible_host = config.yk8s.terraform.outputs.gateway_fips.value.${name}.address; + port_id = config.yk8s.terraform.outputs.gateway_ports.value.${name}.id; + local_ipv4_address = builtins.head config.yk8s.terraform.outputs.gateway_ports.value.${name}.all_fixed_ips; + } + // lib.optionalAttrs config.yk8s.infra.ipv6_enabled { + local_ipv6_address = builtins.elemAt config.yk8s.terraform.outputs.gateway_ports.value.${name}.all_fixed_ips 1; + } + ) + config.yk8s.terraform.outputs.gateways.value; + + masters.hosts = + lib.mapAttrs ( + name: _: + { + ansible_host = builtins.head config.yk8s.terraform.outputs.master_ports.value.${name}.all_fixed_ips; + port_id = config.yk8s.terraform.outputs.master_ports.value.${name}.id; + local_ipv4_address = builtins.head config.yk8s.terraform.outputs.master_ports.value.${name}.all_fixed_ips; + } + // lib.optionalAttrs config.yk8s.infra.ipv6_enabled { + local_ipv6_address = builtins.elemAt config.yk8s.terraform.outputs.master_ports.value.${name}.all_fixed_ips 1; + } + ) + config.yk8s.terraform.outputs.masters.value; + workers.hosts = + lib.mapAttrs ( + name: _: + { + ansible_host = builtins.head config.yk8s.terraform.outputs.worker_ports.value.${name}.all_fixed_ips; + port_id = config.yk8s.terraform.outputs.worker_ports.value.${name}.id; + local_ipv4_address = builtins.head config.yk8s.terraform.outputs.worker_ports.value.${name}.all_fixed_ips; + } + // lib.optionalAttrs config.yk8s.infra.ipv6_enabled { + local_ipv6_address = builtins.elemAt config.yk8s.terraform.outputs.worker_ports.value.${name}.all_fixed_ips 1; + } + ) + 
config.yk8s.terraform.outputs.workers.value; + }; }; ch-k8s-lbaas = { - subnet_id = config.yk8s.terraform.outputs.subnet_id.value or null; - floating_ip_network_id = config.yk8s.terraform.outputs.floating_ip_network_id.value or null; + subnet_id = config.yk8s.terraform.outputs.subnet_id.value; + floating_ip_network_id = config.yk8s.terraform.outputs.floating_ip_network_id.value; }; }) ]; diff --git a/nix/yk8s/terraform.nix b/nix/yk8s/terraform.nix index 924e05dea4f55d3b97cf2af6958d336092acf52e..6fb1ae1c2c03c76b105d18ba7c472cc0c7170bb3 100644 --- a/nix/yk8s/terraform.nix +++ b/nix/yk8s/terraform.nix 
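Review bot: `networking_floating_ip`, `subnet_id` and `floating_ip_network_id` lose their `or null` fallback while `networking_fixed_ip` and `networking_fixed_ip_v6` keep it, and nothing in the hunk says why these three are now mandatory. If an outputs.json lacks one of them (an older state, or a deployment that does not allocate a floating IP — to be confirmed against the Terraform module), evaluation now fails with a bare Nix attribute-missing error instead of the message terraform.nix throws when the whole file is absent. A comment above `infra = {` such as `# floating IP, subnet and floating-IP network are always exported by the Terraform stage; the fixed IPs are optional` would record the contract, or the fallbacks should be restored for the values that can legitimately be missing. The `infra`/`ch-k8s-lbaas` block belongs to a larger `lib.mkMerge` whose start lies outside this hunk.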
@@ -178,38 +178,30 @@ in { outputs = mkInternalOption { readOnly = true; - type = with types; nullOr attrs; + type = types.attrs; default = let tfOutputsPath = "terraform/outputs.json"; tfOutputsFullPath = "${config.yk8s.state_directory}/${tfOutputsPath}"; in if config.yk8s.state_directory != null && builtins.pathExists tfOutputsFullPath then builtins.fromJSON (builtins.readFile tfOutputsFullPath) - else null; + else throw "${tfOutputsPath} does not exist yet. Terraform stage needs to be run first."; }; }; config.yk8s = { - _inventory_packages = [ - (mkGroupVarsFile { - cfg = lib.attrsets.getAttrs ["enabled"] cfg; - inventory_path = "all/terraform.yaml"; - }) - ]; - _state_packages = - lib.optional cfg.enabled - ( - let - filteredTerraformCfg = yk8s-lib.removeAttrsByPath config.yk8s.terraform [["enabled"] ["outputs"]]; - filteredInfraCfg = lib.attrsets.getAttrs infraTerraformOptions config.yk8s.infra; - filteredOpenstackCfg = lib.attrsets.getAttrs openstackTerraformOptions config.yk8s.openstack; - mergedCfg = - builtins.foldl' (acc: e: lib.attrsets.recursiveUpdate acc (removeObsoleteOptions e)) {} - [filteredTerraformCfg filteredInfraCfg filteredOpenstackCfg]; - transformations = [filterInternal filterNull]; - varsFile = mkJson "tfvars.json" (pipe mergedCfg transformations); - in (pkgs.runCommandLocal "tfvars.json" {} '' - install -m 644 -D ${varsFile} $out/${tfvars_file_path} - '') - ); + _targets.terraform.state_packages = lib.optional cfg.enabled ( + let + filteredTerraformCfg = yk8s-lib.removeAttrsByPath config.yk8s.terraform [["enabled"] ["outputs"]]; + filteredInfraCfg = lib.attrsets.getAttrs infraTerraformOptions config.yk8s.infra; + filteredOpenstackCfg = lib.attrsets.getAttrs openstackTerraformOptions config.yk8s.openstack; + mergedCfg = + builtins.foldl' (acc: e: lib.attrsets.recursiveUpdate acc (removeObsoleteOptions e)) {} + [filteredTerraformCfg filteredInfraCfg filteredOpenstackCfg]; + transformations = [filterInternal filterNull]; + varsFile = mkJson 
"tfvars.json" (pipe mergedCfg transformations); + in (pkgs.runCommandLocal "tfvars.json" {} '' + install -m 644 -D ${varsFile} $out/${tfvars_file_path} + '') + ); }; } diff --git a/nix/yk8s/testing.nix b/nix/yk8s/testing.nix index ce50cc9c808e0434b001d76c4ba9c4259092a9a4..ace3963448da00006f7618fe49728ad5e250f999 100644 --- a/nix/yk8s/testing.nix +++ b/nix/yk8s/testing.nix @@ -48,7 +48,7 @@ in { message = "config.yk8s.testing.nodes: nodes [${concatStringsSep ", " nonExistentNodes}] don't exist. Note that full hostnames including the prefix '${config.yk8s.infra.cluster_name}-' must be supplied."; } ]; - config.yk8s._inventory_packages = [ + config.yk8s._targets.ansible.inventory_packages = [ ( mkGroupVarsFile { inherit cfg; diff --git a/nix/yk8s/vault.nix b/nix/yk8s/vault.nix index 83ddbdda72daef17bfa4ec16580e0e153699349f..d78513174c235782cc3d3040c051f981e9fea6e9 100644 --- a/nix/yk8s/vault.nix +++ b/nix/yk8s/vault.nix @@ -6,7 +6,7 @@ }: let cfg = config.yk8s.vault; inherit (lib) mkOption types; - inherit (yk8s-lib) mkTopSection mkGroupVarsFile; + inherit (yk8s-lib) mkTopSection mkGroupVarsFile mkYamlAtPath; inherit (yk8s-lib.types) vaultChildNamespaceNameSegment 
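Review bot: The new `throw` fires for two different conditions — `config.yk8s.state_directory == null` and a missing outputs.json — but its message only describes the second, so a user who never set `state_directory` is told to run the Terraform stage again. Splitting the branch keeps the diagnostic honest: `else if config.yk8s.state_directory == null` / `then throw "config.yk8s.state_directory is unset; cannot locate ${tfOutputsPath}"` / `else throw "${tfOutputsPath} does not exist yet. Terraform stage needs to be run first.";`. Since the option is `readOnly` with a throwing default, a one-line comment on `outputs = mkInternalOption {` should also state that any consumer of this option now requires the Terraform stage to have run, which the removed `nullOr` previously made optional.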
@@ -40,11 +40,28 @@ in { default = "yaook/nodes"; }; }; - config.yk8s._inventory_packages = [ + config.yk8s._targets.ansible.inventory_packages = [ (mkGroupVarsFile { inherit cfg; ansible_prefix = "vault_"; inventory_path = "all/vault-backend.yaml"; }) ]; + config.yk8s._targets.vault = { + inventory_subdir = "vault"; + inventory_packages = [ + ( + mkYamlAtPath "main.yaml" { + wg_usage = config.yk8s.wireguard.enabled; + k8s_controller_manager_enable_signing_requests = config.yk8s.kubernetes.controller_manager.enable_signing_requests; + vault_cluster_name = cfg.cluster_name; + thanos_enabled = config.yk8s.k8s-service-layer.prometheus.use_thanos; + manage_thanos_bucket = config.yk8s.k8s-service-layer.prometheus.manage_thanos_bucket; + thanos_config_file = config.yk8s.k8s-service-layer.prometheus.thanos_objectstorage_config_file; + vault_backup_s3_enabled = config.yk8s.k8s-service-layer.vault.enable_backups; + vault_backup_s3_config_file = config.yk8s.k8s-service-layer.vault.s3_config_file; + } + ) + ]; + }; } diff --git a/tools/vault/import.sh b/tools/vault/import.sh index 3eaf798ec1795ea7ea6088f651406ef681e71c9b..e120a4718a8868df7ad52ca67c537ce258a19216 100755 --- a/tools/vault/import.sh +++ b/tools/vault/import.sh @@ -26,7 +26,7 @@ if [ "$#" -ne "$arg_num" ]; then fi # Ensure that the latest config is deployed to the inventory -"$actions_dir/update-inventory.sh" +"$actions_dir/update-inventory.sh" vault cluster="$(get_clustername)" mode="$1" @@ -55,7 +55,7 @@ scriptdir="$(dirname "$0")" inventory_etc=etc flag_file="$inventory_etc/migrated-to-vault" -wg_usage="$(yq '.enabled // true' inventory/yaook-k8s/group_vars/gateways/wireguard.yaml)" +wg_usage="$(yq '.wg_usage' "${vars_file}")" if [ ! -d 'etc' ]; then echo "$0: ./etc does not exist. are you running this from the right place?" >&2 diff --git a/tools/vault/k8s-login.sh b/tools/vault/k8s-login.sh index 57844d90fd6247eac075dca31b898b0c386b3248..70098c84ff91737dcb85b5737940a9d47d4ba022 100755 
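Review bot: The new `config.yk8s._targets.vault` block defines a file contract with tools/vault/lib.sh — every key written by `mkYamlAtPath "main.yaml"` is read back by name in the shell library — but nothing here records that, and a rename on either side would only surface at runtime as yq printing `null`. A comment above `inventory_packages = [` along the lines of `# Keys in inventory/vault/main.yaml are consumed by tools/vault/lib.sh and tools/vault/import.sh; keep both sides in sync` would make the coupling visible. The renamed keys (`thanos_enabled` for `monitoring_use_thanos`, `vault_backup_s3_enabled` for `yaook_vault_enable_backups`, and so on) deserve a mention in that comment since they no longer match the Ansible variable names they replace.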
--- a/tools/vault/k8s-login.sh +++ b/tools/vault/k8s-login.sh @@ -2,6 +2,9 @@ set -euo pipefail actions_dir="$(realpath "$(dirname "$0")")/../../actions" +# Ensure that the latest config is deployed to the inventory +"$actions_dir/update-inventory.sh" vault + # shellcheck source=tools/vault/lib.sh . "$(dirname "$0")/lib.sh" @@ -32,9 +35,6 @@ if [ "$#" -ne "$arg_num" ]; then exit 2 fi -# Ensure that the latest config is deployed to the inventory -"$actions_dir/update-inventory.sh" - cluster="$(get_clustername)" kubernetes_server="$1" username="vault:$(vault token lookup -format=json | jq -r .data.path)" diff --git a/tools/vault/lib.sh b/tools/vault/lib.sh index ec7e4e0ab36ee9afa0b6c312915c89818d73d5e4..ec22f4543ce4a797b4f8b2721fbe1daef1059863 100644 --- a/tools/vault/lib.sh +++ b/tools/vault/lib.sh @@ -2,17 +2,13 @@ set -euo pipefail cluster_repository="$(realpath ".")" -group_vars_dir="${cluster_repository}/inventory/yaook-k8s/group_vars" +vars_file="${cluster_repository}/inventory/vault/main.yaml" common_path_prefix="${YAOOK_K8S_VAULT_PATH_PREFIX:-yaook}" common_policy_prefix="${YAOOK_K8S_VAULT_POLICY_PREFIX:-yaook}" nodes_approle_name="${YAOOK_K8S_VAULT_NODES_APPROLE_NAME:-${common_path_prefix}/nodes}" nodes_approle_path="auth/$nodes_approle_name" -k8s_controller_manager_enable_signing_requests="$( - yq '.k8s_controller_manager_enable_signing_requests - | if (.|type)=="boolean" then . else error("unset-or-invalid") end' \ - "$group_vars_dir/all/kubernetes.yaml" 2>/dev/null -)" || unset k8s_controller_manager_enable_signing_requests # unset when unset, invalid or file missing +k8s_controller_manager_enable_signing_requests="$(yq '.k8s_controller_manager_enable_signing_requests' "$vars_file" 2>/dev/null)" if [ -n "${cluster:-}" ]; then cluster_path="$common_path_prefix/$cluster" 
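Review bot: The rewritten `k8s_controller_manager_enable_signing_requests` assignment drops both the boolean check and the `|| unset` fallback, so a missing or non-boolean key now yields the string `null` (or whatever yq prints) instead of an unset variable, and any caller testing `-z`/`-v` on it changes behaviour silently. Because lib.sh runs under `set -euo pipefail` and yq's stderr is discarded, a non-zero yq exit — e.g. `inventory/vault/main.yaml` not existing yet — now aborts the sourcing script with no message; import.sh, load-signed-intermediates.sh, mkcluster-*.sh, rmcluster.sh, rotate-root-ca-*.sh and update.sh appear to source lib.sh before their `update-inventory.sh vault` call (their "reload the lib" comment suggests so), which k8s-login.sh avoids by moving the refresh ahead of the source. Restoring the guard keeps the old contract: `k8s_controller_manager_enable_signing_requests="$(yq '.k8s_controller_manager_enable_signing_requests | if (.|type)=="boolean" then . else error("unset-or-invalid") end' "$vars_file" 2>/dev/null)" || unset k8s_controller_manager_enable_signing_requests`.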
@@ -67,7 +63,7 @@ function require_k8s_cluster_ca_backup_destruction { } function get_clustername() { - yq --raw-output '.vault_cluster_name // error("unset")' "${group_vars_dir}/all/vault-backend.yaml" + yq --raw-output '.vault_cluster_name' "${vars_file}" } function init_cluster_secrets_engines() { @@ -467,9 +463,9 @@ function import_ipsec_eap_psk() { } function import_thanos_config() { - thanos_enabled="$(yq '.monitoring_use_thanos' "${group_vars_dir}/all/prometheus.yaml")" - manage_thanos_bucket="$(yq '.monitoring_manage_thanos_bucket' "${group_vars_dir}/all/prometheus.yaml")" - thanos_config_file="$(yq -r '.monitoring_thanos_objectstorage_config_file' "${group_vars_dir}/all/prometheus.yaml")" + thanos_enabled="$(yq '.thanos_enabled' "${vars_file}")" + manage_thanos_bucket="$(yq '.manage_thanos_bucket' "${vars_file}")" + thanos_config_file="$(yq -r '.thanos_config_file' "${vars_file}")" if ! "$thanos_enabled"; then echo "Thanos is disabled." @@ -514,8 +510,8 @@ function import_thanos_config() { } function import_vault_backup_s3_config() { - vault_backup_s3_enabled="$(yq '.yaook_vault_enable_backups' "${group_vars_dir}/all/vault-svc.yaml")" - vault_backup_s3_config_file="$(yq -r '.yaook_vault_s3_config_file' "${group_vars_dir}/all/vault-svc.yaml")" + vault_backup_s3_enabled="$(yq '.vault_backup_s3_enabled' "${vars_file}")" + vault_backup_s3_config_file="$(yq -r '.vault_backup_s3_config_file' "${vars_file}")" if ! "$vault_backup_s3_enabled"; then echo "Vault S3 backup is disabled." diff --git a/tools/vault/load-signed-intermediates.sh b/tools/vault/load-signed-intermediates.sh index 5203eaf4b1b32a89a6a3274758d8f39bada706b8..a355d07fbbfd0403bc393114ac4f337e3aa7f1ff 100755 --- a/tools/vault/load-signed-intermediates.sh +++ b/tools/vault/load-signed-intermediates.sh 
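Review bot: `get_clustername` no longer fails when `vault_cluster_name` is absent — `yq --raw-output '.vault_cluster_name'` prints `null` for a missing key — so `cluster` becomes the literal string `null` and `cluster_path="$common_path_prefix/$cluster"` points every subsequent Vault operation, including the destructive ones in rmcluster.sh and the rotate scripts, at a `.../null` path. The previous `// error("unset")` turned this into an immediate hard failure; restore it: `yq --raw-output '.vault_cluster_name // error("unset")' "${vars_file}"`. The same loss of a presence check applies to the `thanos_*` and `vault_backup_s3_*` reads in the two hunks below; since the Nix side now always emits those keys, a comment there stating that reliance would suffice.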
@@ -13,7 +13,7 @@ if [ "$#" -ne "$arg_num" ]; then fi # Ensure that the latest config is deployed to the inventory -"$actions_dir/update-inventory.sh" +"$actions_dir/update-inventory.sh" vault cluster="$(get_clustername)" # reload the lib to update the vars after initializing the clustername diff --git a/tools/vault/mkcluster-intermediate.sh b/tools/vault/mkcluster-intermediate.sh index 067666e8e6b78369d34d7894c5698971a9f3b82f..a8783cf8ff9b9059543755624819617adc549eb4 100755 --- a/tools/vault/mkcluster-intermediate.sh +++ b/tools/vault/mkcluster-intermediate.sh @@ -13,7 +13,7 @@ if [ "$#" -ne "$arg_num" ]; then fi # Ensure that the latest config is deployed to the inventory -"$actions_dir/update-inventory.sh" +"$actions_dir/update-inventory.sh" vault cluster="$(get_clustername)" # reload the lib to update the vars after initializing the clustername diff --git a/tools/vault/mkcluster-root.sh b/tools/vault/mkcluster-root.sh index 6b5036264ed849c61f96ab3c40f2b2e371465c37..dbcaa10c69e676def3453318a1e2b6b045e0a214 100755 --- a/tools/vault/mkcluster-root.sh +++ b/tools/vault/mkcluster-root.sh @@ -13,7 +13,7 @@ if [ "$#" -ne "$arg_num" ]; then fi # Ensure that the latest config is deployed to the inventory -"$actions_dir/update-inventory.sh" +"$actions_dir/update-inventory.sh" vault cluster="$(get_clustername)" # reload the lib to update the vars after initializing the clustername diff --git a/tools/vault/rmcluster.sh b/tools/vault/rmcluster.sh index 24cd8588927ca4cbdd25453f5f8b301afa7e60aa..06410a8ce6060ac99aae134a14b0fc95949e153a 100755 --- a/tools/vault/rmcluster.sh +++ b/tools/vault/rmcluster.sh @@ -13,7 +13,7 @@ if [ "$#" -ne "$arg_num" ]; then fi # Ensure that the latest config is deployed to the inventory -"$actions_dir/update-inventory.sh" +"$actions_dir/update-inventory.sh" vault cluster="$(get_clustername)" # reload the lib to update the vars after initializing the clustername 
diff --git a/tools/vault/rotate-root-ca-intermediate.sh b/tools/vault/rotate-root-ca-intermediate.sh index f77737e201d90fbf427a24e611efa63501a3b2df..d517d3217be6f5d68669fb123279cbfa4a851f84 100755 --- a/tools/vault/rotate-root-ca-intermediate.sh +++ b/tools/vault/rotate-root-ca-intermediate.sh @@ -18,7 +18,7 @@ if [ "$#" -ne "$arg_num" ]; then fi # Ensure that the latest config is deployed to the inventory -"$actions_dir/update-inventory.sh" +"$actions_dir/update-inventory.sh" vault cluster="$(get_clustername)" # reload the lib to update the vars after initializing the clustername diff --git a/tools/vault/rotate-root-ca-root.sh b/tools/vault/rotate-root-ca-root.sh index 3e0419eaa390b0f662c32a9e8bbb38487365ceaf..0cdb1a822186726d224699059d81fb0196ae3ae8 100755 --- a/tools/vault/rotate-root-ca-root.sh +++ b/tools/vault/rotate-root-ca-root.sh @@ -19,7 +19,7 @@ if [ "$#" -ne "$arg_num" ]; then fi # Ensure that the latest config is deployed to the inventory -"$actions_dir/update-inventory.sh" +"$actions_dir/update-inventory.sh" vault cluster="$(get_clustername)" # reload the lib to update the vars after initializing the clustername diff --git a/tools/vault/update.sh b/tools/vault/update.sh index b7283b30290e7afd08eaea59513d32fb1f3ebf79..508eba2b82a64381f170a7ba3fa1aac1f04f40c9 100755 --- a/tools/vault/update.sh +++ b/tools/vault/update.sh @@ -13,7 +13,7 @@ if [ "$#" -ne "$arg_num" ]; then fi # Ensure that the latest config is deployed to the inventory -"$actions_dir/update-inventory.sh" +"$actions_dir/update-inventory.sh" vault cluster="$(get_clustername)" # reload the lib to update the vars after initializing the clustername