add pipeline for running ansible

cicd/ansible/kustomization.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: "cicd-ansible"
+resources:
+  - https://api.hub.tekton.dev/v1/resource/tekton/task/git-clone/0.9/raw
+  - task-ssh-key-generate.yaml
+  - task-ssh-key-sign.yaml
+  - task-ansible-run-playbook.yaml
+  - pipeline.yaml
+  - namespace.yaml
+  - rbac.yaml

cicd/ansible/namespace.yaml

@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: ansible
+  labels:
+    name: ansible

cicd/ansible/pipeline.yaml

@@ -0,0 +1,99 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: "ansible"
+spec:
+  description: "This pipeline clones a github repo, builds it and uploads assets."
+  params:
+    - name: "ansible-repo-clone-url"
+      type: "string"
+      description: "URL of the Ansible repo to clone"
+    - name: "ansible-inventory-repo-clone-url"
+      type: "string"
+      description: "URL of the Ansible inventory repo to clone"
+    - name: "revision"
+      type: "string"
+      default: ""
+    - description: "Endpoint of Vault API"
+      name: "vault-address"
+      type: "string"
+    - description: "Vault SSH role"
+      name: "vault-ssh-role"
+      type: "string"
+    - description: "Vault SSH mount"
+      name: "vault-ssh-mount"
+      type: "string"
+    - description: "Vault Kubernetes auth role"
+      name: "vault-kubernetes-auth-role"
+      type: "string"
+    - description: "Vault Kubernetes auth mount"
+      name: "vault-kubernetes-auth-mount"
+      type: "string"
+  workspaces:
+    - name: "shared-data"
+      description: "This workspace contains the cloned repo files, so they can be read by the next task."
+    - name: "ssh-creds"
+      description: "Workspace containing the SSH keys to clone from GitHub"
+  tasks:
+    - name: "git-clone-ansible"
+      taskRef:
+        name: "git-clone"
+      workspaces:
+        - name: "output"
+          workspace: "shared-data"
+      params:
+        - name: "url"
+          value: $(params.ansible-repo-clone-url)
+        - name: "revision"
+          value: $(params.revision)
+        - name: "subdirectory"
+          value: "ansible"
+    - name: "git-clone-ansible-inventory"
+      taskRef:
+        name: "git-clone"
+      workspaces:
+        - name: "output"
+          workspace: "shared-data"
+        - name: "ssh-directory"
+          workspace: "ssh-creds"
+      params:
+        - name: "url"
+          value: $(params.ansible-inventory-repo-clone-url)
+        - name: "revision"
+          value: $(params.revision)
+        - name: "subdirectory"
+          value: "inventory"
+    - name: "ssh-key-generate"
+      taskRef:
+        name: "ssh-key-generate"
+      workspaces:
+        - name: "keypair"
+          workspace: "shared-data"
+    - name: "ssh-key-sign"
+      runAfter: ["ssh-key-generate"]
+      taskRef:
+        name: "ssh-key-sign"
+      workspaces:
+        - name: "keypair"
+          workspace: "shared-data"
+      params:
+        - name: "vault-address"
+          value: $(params.vault-address)
+        - name: "vault-ssh-role"
+          value: $(params.vault-ssh-role)
+        - name: "vault-ssh-mount"
+          value: $(params.vault-ssh-mount)
+        - name: "vault-kubernetes-auth-role"
+          value: $(params.vault-kubernetes-auth-role)
+        - name: "vault-kubernetes-auth-mount"
+          value: $(params.vault-kubernetes-auth-mount)
+    - name: "ansible-run-playbook"
+      runAfter: ["git-clone-ansible", "git-clone-ansible-inventory", "ssh-key-sign"]
+      taskRef:
+        name: "ansible-run-playbook"
+      workspaces:
+        - name: "source"
+          workspace: "shared-data"
+        - name: "keypair"
+          workspace: "shared-data"

cicd/ansible/rbac.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: "v1"
+kind: "ServiceAccount"
+metadata:
+  name: "ansible"
+---
+apiVersion: "rbac.authorization.k8s.io/v1"
+kind: "Role"
+metadata:
+  name: "ansible"
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "update", "patch"]
+---
+apiVersion: "rbac.authorization.k8s.io/v1"
+kind: "RoleBinding"
+metadata:
+  name: "secret-manager-binding"
+subjects:
+  - kind: "ServiceAccount"
+    name: "ansible"
+    namespace: "cicd-ansible"
+roleRef:
+  kind: "Role"
+  name: "ansible"
+  apiGroup: "rbac.authorization.k8s.io"

cicd/ansible/task-ansible-run-playbook.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: "ansible-run-playbook"
+spec:
+  description: "Runs an Ansible playbook"
+  workspaces:
+    - name: "source"
+    - name: "keypair"
+  steps:
+    - name: "ansible-run-playbook"
+      image: "cr.svc.ez.soeren.cloud/ansible"
+      imagePullPolicy: Always
+      env:
+        - name: "HOME"
+          value: "/tmp"
+      command:
+        - sleep
+        - "300"
+    - name: "ansible-run-playbook"
+      image: "cr.svc.ez.soeren.cloud/ansible"
+      imagePullPolicy: Always
+      env:
+        - name: "HOME"
+          value: "/tmp"
+      command:
+        - ansible-playbook
+        - -i inventory/inventory.yml
+        - -e ansible_ssh_private_key_file=$(workspaces.keypair.path)/key
+        - ansible/playbooks/jukebox/playbook.yml

cicd/ansible/task-ssh-key-generate.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: "ssh-key-generate"
+spec:
+  description: "Generates a ssh public key pair"
+  workspaces:
+    - name: "keypair"
+  steps:
+    - name: "generate-ssh-key"
+      image: "cr.svc.ez.soeren.cloud/alpine"
+      imagePullPolicy: Always
+      env:
+        - name: "HOME"
+          value: "/tmp"
+      script: |-
+        ssh-keygen -t ed25519 -f /workspace/keypair/key -N ""

cicd/ansible/task-ssh-key-sign.yaml

@@ -0,0 +1,43 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: "ssh-key-sign"
+spec:
+  description: "Sign a ssh public key"
+  workspaces:
+    - name: "keypair"
+  params:
+    - description: "Endpoint of Vault API"
+      name: "vault-address"
+      type: "string"
+    - description: "Vault SSH role"
+      name: "vault-ssh-role"
+      type: "string"
+    - description: "Vault SSH mount"
+      name: "vault-ssh-mount"
+      type: "string"
+      default: "ssh"
+    - description: "Vault Kubernetes auth role"
+      name: "vault-kubernetes-auth-role"
+      type: "string"
+    - description: "Vault Kubernetes auth mount"
+      name: "vault-kubernetes-auth-mount"
+      type: "string"
+      default: "kubernetes"
+  steps:
+    - name: "sign-ssh-key"
+      image: "ghcr.io/soerenschneider/vault-ssh-cli:1.9.1"
+      imagePullPolicy: IfNotPresent
+      env:
+        - name: "HOME"
+          value: "/tmp"
+      args:
+        - "--vault-address=$(params.vault-address)"
+        - "sign-user-key"
+        - "--pub-key-file=$(workspaces.keypair.path)/key.pub"
+        - "--signed-key-file=$(workspaces.keypair.path)/key-cert.pub"
+        - "--vault-ssh-role=$(params.vault-ssh-role)"
+        - "--vault-ssh-mount=$(params.vault-ssh-mount)"
+        - "--vault-auth-kubernetes-role=$(params.vault-kubernetes-auth-role)"
+        - "--vault-auth-kubernetes-mount=$(params.vault-kubernetes-auth-mount)"