Remove login to AWS ECR for production & NUC installations (#1693)

* split retrieval of kubeconfig file from k3s installation * Disable aws ecr login for Production and NUC installs Production servers and NUCs use public images from public.ecr.aws/thecombine by default so no login is needed.
sillsdev · Jul 14, 2022 · e9e64f2 · e9e64f2
1 parent fa91bb3
commit e9e64f2
Show file tree

Hide file tree

Showing 7 changed files with 75 additions and 52 deletions.
diff --git a/deploy/ansible/playbook_kube_install.yaml b/deploy/ansible/playbook_kube_install.yaml
@@ -39,3 +39,9 @@
     - name: Install Kubernetes Tools
       import_role:
         name: k8s_install
+
+    - name: Get Kubernetes Configuration
+      import_role:
+        name: k8s_config
+      tags:
+        - kubeconfig
diff --git a/deploy/ansible/roles/k8s_config/defaults/main.yml b/deploy/ansible/roles/k8s_config/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# Used to setup the certificate for kubectl
+# Can be overridden by specific groups/hosts
+k8s_dns_name: "{{ combine_server_name }}"
diff --git a/deploy/ansible/roles/k8s_config/tasks/main.yml b/deploy/ansible/roles/k8s_config/tasks/main.yml
@@ -0,0 +1,58 @@
+---
+- name: Get home directory for {{ k8s_user }}
+  shell: >
+    getent passwd {{ k8s_user }} | awk -F: '{ print $6 }'
+  register: k8s_user_home
+  changed_when: false
+
+- name: Save kubectl configuration on host
+  fetch:
+    src: "{{ k8s_user_home.stdout }}/.kube/config"
+    dest: "{{ kubecfg }}"
+    flat: yes
+
+- name: Restrict permissions to kubeconfig to owner
+  delegate_to: localhost
+  become: no
+  file:
+    path: "{{ kubecfg }}"
+    state: file
+    mode: 0600
+
+  # The kubeconfig file that is generated by k3s on the target
+  # system identifies the server by the IP address.  This updates
+  # the file when it has been copied to the host to replace the
+  # IP address with the server name.  This is needed in the a
+  # cloud environment where the IP address seen on the host is not
+  # the public IP address.  For example:
+  #   server: 10.0.0.40:6443
+  # is changed to:
+  #   server: nuc2:6443
+  # (kubectl communicates with the cluster over port 16443 or 6443)
+- name: Replace server IP with DNS name in site_files copy
+  delegate_to: localhost
+  become: no
+  lineinfile:
+    state: present
+    path: "{{ kubecfg }}"
+    regexp: '^(\s+server: https:\/\/)[.0-9]+:(1?6443)'
+    backrefs: yes
+    line: '\1{{ k8s_dns_name }}:\2'
+
+- name: Replace 'default' cluster, user, etc with {{ kubecfgdir }}
+  delegate_to: localhost
+  become: no
+  replace:
+    path: "{{ kubecfg }}"
+    regexp: "^(.*)default(.*)$"
+    replace: '\1{{ kubecfgdir }}\2'
+
+- name: Link ~/.kube/config to {{ kubecfg }}
+  delegate_to: localhost
+  become: no
+  file:
+    state: link
+    src: "{{ kubecfg }}"
+    dest: "{{ lookup('env', 'HOME') }}/.kube/config"
+    mode: 0600
+  when: link_kubeconfig | default(false)
diff --git a/deploy/ansible/roles/k8s_install/tasks/k3s.yml b/deploy/ansible/roles/k8s_install/tasks/k3s.yml
@@ -59,55 +59,3 @@
 - name: Change context name from 'default'
   command: kubectl --kubeconfig=/etc/rancher/k3s/k3s.yaml config rename-context default {{ kubecfgdir }}
   when: k3s_contexts.stdout is regex("^\*? +default.*")
-
-- name: Save kubectl configuration on host
-  fetch:
-    src: "{{ k8s_user_home.stdout }}/.kube/config"
-    dest: "{{ kubecfg }}"
-    flat: yes
-
-- name: Restrict permissions to kubeconfig to owner
-  delegate_to: localhost
-  become: no
-  file:
-    path: "{{ kubecfg }}"
-    state: file
-    mode: 0600
-
-  # The kubeconfig file that is generated by k3s on the target
-  # system identifies the server by the IP address.  This updates
-  # the file when it has been copied to the host to replace the
-  # IP address with the server name.  This is needed in the a
-  # cloud environment where the IP address seen on the host is not
-  # the public IP address.  For example:
-  #   server: 10.0.0.40:6443
-  # is changed to:
-  #   server: nuc2:6443
-  # (kubectl communicates with the cluster over port 16443 or 6443)
-- name: Replace server IP with DNS name in site_files copy
-  delegate_to: localhost
-  become: no
-  lineinfile:
-    state: present
-    path: "{{ kubecfg }}"
-    regexp: '^(\s+server: https:\/\/)[.0-9]+:(1?6443)'
-    backrefs: yes
-    line: '\1{{ k8s_dns_name }}:\2'
-
-- name: Replace 'default' cluster, user, etc with {{ kubecfgdir }}
-  delegate_to: localhost
-  become: no
-  replace:
-    path: "{{ kubecfg }}"
-    regexp: "^(.*)default(.*)$"
-    replace: '\1{{ kubecfgdir }}\2'
-
-- name: Link ~/.kube/config to {{ kubecfg }}
-  delegate_to: localhost
-  become: no
-  file:
-    state: link
-    src: "{{ kubecfg }}"
-    dest: "{{ lookup('env', 'HOME') }}/.kube/config"
-    mode: 0600
-  when: link_kubeconfig | default(false)
diff --git a/deploy/helm/aws-login/templates/aws-login-service-acct.yaml b/deploy/helm/aws-login/templates/aws-login-service-acct.yaml
@@ -3,7 +3,9 @@ kind: ServiceAccount
 metadata:
   name: {{ .Values.awsEcr.serviceAccount }}
   namespace: {{ .Release.Namespace }}
+{{- if ne .Values.global.pullSecretName "None" }}
 imagePullSecrets:
   - name: {{ .Values.global.pullSecretName }}
+{{- end }}
 secrets:
   - name: {{ .Values.awsEcr.secretsName }}
diff --git a/deploy/scripts/setup_files/profiles/nuc.yaml b/deploy/scripts/setup_files/profiles/nuc.yaml
@@ -13,6 +13,7 @@ charts:
       enabled: false
     global:
       awsS3Location: prod.thecombine.app
+      pullSecretName: None
 
     cert-proxy-client:
       enabled: true

diff --git a/deploy/scripts/setup_files/profiles/prod.yaml b/deploy/scripts/setup_files/profiles/prod.yaml
@@ -25,9 +25,13 @@ charts:
       maxBackups: "3"
     global:
       awsS3Location: prod.thecombine.app
+      pullSecretName: None
     certManager:
       enabled: false
   cert-proxy-server:
+    aws-login:
+      enabled: false
     global:
       awsS3Location: prod.thecombine.app
+      pullSecretName: None
     combineCertProxyList: nuc1.thecombine.app nuc2.thecombine.app nuc3.thecombine.app