Merge pull request #1 from comsysto/feature/artifactory-prototype

Feature/artifactory

.github/workflows/configure-cluster.yml

@@ -28,7 +28,7 @@ jobs:
         run: | 
           pipx uninstall ansible-core 
           pip3 install ansible 
-          ansible-galaxy collection install azure.azcollection community.kubernetes --force
+          ansible-galaxy collection install azure.azcollection community.kubernetes community.general kubernetes.core --force
 
       - name: Install Dependecies 
         run: | 

playbook.yml

@@ -13,3 +13,13 @@
         namespace: ingress-nginx-2
         release_name: ingress-nginx-2
         ingress_class_name: nginx-2
+- name: Deploy artifactory with mTLS configurations 
+  hosts: localhost
+  connection: local
+  gather_facts: false 
+  roles:
+    - ca_certificate
+    - tls_certificate
+    - artifactory_deploy
+    - nginx_ingress_mtls
+

roles/artifactory_deploy/README.md

@@ -0,0 +1,31 @@
+Artifactory Deploy
+=========
+
+Deploys multiple instances of Artifactory OSS version on Kubernetes cluster. 
+
+Requirements
+------------
+- configured access to Kubernetes cluster (kubectl should access the cluster on designated host) 
+- internet access to Helm charts
+
+Role Variables
+--------------
+
+```
+# List of instances with name, namespace and hostname
+artifactory_instances:
+  - name: artifactory1
+    namespace: artifactory-instance1
+    host: artifactory1.example.com
+  - name: artifactory2
+    namespace: artifactory-instance2
+    host: artifactory2.example.com
+```
+
+Example Playbook
+----------------
+
+    - hosts: localhost 
+      roles:
+         - artifactory_deploy 
+

roles/artifactory_deploy/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for artifactory_deploy

roles/artifactory_deploy/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for artifactory_deploy

roles/artifactory_deploy/meta/main.yml

@@ -0,0 +1,34 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/artifactory_deploy/tasks/main.yml

@@ -0,0 +1,196 @@
+
+---
+- name: Add JFrog Helm Repository
+  command: helm repo add jfrog https://charts.jfrog.io
+  args:
+    creates: ~/.cache/helm/repository/jfrog-index.yaml
+  changed_when: false
+
+- name: Create Namespaces for Artifactory Instances
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: "{{ item.namespace }}"
+  loop: "{{ artifactory_instances }}"
+  loop_control:
+    label: "{{ item.namespace }}"
+
+- name: Create TLS Secret for Nginx Sidecar
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: "{{ item.name }}-nginx-tls-secret"
+        namespace: "{{ item.namespace }}"
+      type: kubernetes.io/tls
+      data:
+        tls.crt: "{{ lookup('file', 'certs/{{ item.name }}.crt') | b64encode }}"
+        tls.key: "{{ lookup('file', 'certs/{{ item.name }}.key') | b64encode }}"
+  loop: "{{ artifactory_instances }}"
+  loop_control:
+    label: "{{ item.name }}"
+
+- name: Create CA Secret in Artifactory Namespace
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: root-ca-secret
+        namespace: "{{ item.namespace }}"
+      data:
+        ca.crt: "{{ lookup('file', 'certs/rootCA.crt') | b64encode }}"
+  loop: "{{ artifactory_instances }}"
+  loop_control:
+    label: "{{ item.name }}"
+
+- name: Create Nginx ConfigMap
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: "{{ item.name }}-nginx-config"
+        namespace: "{{ item.namespace }}"
+      data:
+        nginx.conf: |
+          user  nginx;
+          worker_processes  1;
+          error_log  /var/log/nginx/error.log warn;
+          pid        /var/run/nginx.pid;
+
+          events {
+              worker_connections  1024;
+          }
+
+          http {
+              include       /etc/nginx/mime.types;
+              default_type  application/octet-stream;
+
+              log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                                '$status $body_bytes_sent "$http_referer" '
+                                '"$http_user_agent" "$http_x_forwarded_for"';
+
+              access_log  /var/log/nginx/access.log  main;
+
+              sendfile        on;
+              keepalive_timeout  65;
+
+              server {
+                  listen       8443 ssl;
+                  server_name  localhost;
+
+                  ssl_certificate           /etc/nginx/tls/tls.crt;
+                  ssl_certificate_key       /etc/nginx/tls/tls.key;
+                  ssl_client_certificate    /etc/nginx/ca/ca.crt;
+                  ssl_verify_client         on;
+
+                  ssl_protocols             TLSv1.2 TLSv1.3;
+                  ssl_ciphers               HIGH:!aNULL:!MD5;
+
+                  location / {
+                      proxy_pass              http://127.0.0.1:8081;
+                      proxy_set_header        Host $host;
+                      proxy_set_header        X-Real-IP $remote_addr;
+                      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+                  }
+              }
+          }
+  loop: "{{ artifactory_instances }}"
+  loop_control:
+    label: "{{ item.name }}"
+
+- name: Create Custom Values Files
+  loop: "{{ artifactory_instances }}"
+  loop_control:
+    label: "{{ item.name }}"
+  copy:
+    dest: "{{ item.name }}-values.yaml"
+    content: |
+      {{ lookup('file', 'values.yaml') | indent(6) }}
+
+- name: Adjust Values File for OSS Deployment and Nginx Sidecar
+  blockinfile:
+    path: "{{ item.name }}-values.yaml"
+    block: |
+      artifactory:
+        nginx:
+          enabled: false
+        customSidecarContainers: |
+          - name: nginx-sidecar
+            image: nginx:1.21-alpine
+            ports:
+              - containerPort: 8443
+            volumeMounts:
+              - name: nginx-config
+                mountPath: /etc/nginx/nginx.conf
+                subPath: nginx.conf
+              - name: nginx-tls
+                mountPath: /etc/nginx/tls
+              - name: nginx-ca
+                mountPath: /etc/nginx/ca
+            resources:
+              requests:
+                memory: "64Mi"
+                cpu: "50m"
+              limits:
+                memory: "256Mi"
+                cpu: "200m"
+        customVolumes: |
+          - name: nginx-config
+            configMap:
+              name: "{{ item.name }}-nginx-config"
+          - name: nginx-tls
+            secret:
+              secretName: "{{ item.name }}-nginx-tls-secret"
+          - name: nginx-ca
+            secret:
+              secretName: "root-ca-secret"
+  loop: "{{ artifactory_instances }}"
+  loop_control:
+    label: "{{ item.name }}"
+
+- name: Deploy Artifactory Instances with Helm
+  loop: "{{ artifactory_instances }}"
+  loop_control:
+    label: "{{ item.name }}"
+  community.kubernetes.helm:
+    state: present
+    release_name: "{{ item.name }}"
+    chart_ref: jfrog/artifactory
+    release_namespace: "{{ item.namespace }}"
+    update_repo_cache: true
+    values_files:
+      - "{{ item.name }}-values.yaml"
+    create_namespace: false
+
+- name: Create Service for Nginx Sidecar
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: "{{ item.name }}-nginx-service"
+        namespace: "{{ item.namespace }}"
+        labels:
+          app: "{{ item.name }}"
+          component: nginx-sidecar
+      spec:
+        selector:
+          app: "{{ item.name }}"
+        ports:
+          - protocol: TCP
+            port: 8443
+            targetPort: 8443
+            name: https
+  loop: "{{ artifactory_instances }}"
+  loop_control:
+    label: "{{ item.name }}"

roles/artifactory_deploy/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/artifactory_deploy/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - artifactory_deploy

roles/artifactory_deploy/vars/main.yml

@@ -0,0 +1,8 @@
+---
+artifactory_instances:
+  - name: artifactory1
+    namespace: artifactory-instance1
+    host: artifactory1.example.com
+  - name: artifactory2
+    namespace: artifactory-instance2
+    host: artifactory2.example.com

roles/ca_certificate/README.md

@@ -0,0 +1,36 @@
+CA Certificate
+=========
+
+This role handles the creation and management of the Root CA certificate. It checks if the CA exists and creates it if it doesn't. It also stores the CA certificate in a dedicated namespace.
+
+Note: CA key is stored as a Secret resource which is not safe. Ideally in production environment, such key would be stored on solution such as Hashicorp Vault.
+
+Requirements
+------------
+
+- configured access to Kubernetes cluster (kubectl should access the cluster on designated host) 
+- permissions to read and create secrets in specified namespace
+
+Role Variables
+--------------
+```
+ca_namespace: certificates # namespace where the secret is stored
+ca_secret_name: root-ca-secret # name of the secret resource
+root_ca_key: rootCA.key # CA key filename 
+root_ca_cert: rootCA.crt # CA certificate filename
+```
+
+Dependencies
+------------
+
+- kubernetes.core
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: localhost 
+      roles:
+         - ca_certificate 
+

roles/ca_certificate/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+ca_namespace: certificates # namespace where the secret is stored
+ca_secret_name: root-ca-secret # name of the secret resource
+root_ca_key: rootCA.key # CA key filename 
+root_ca_cert: rootCA.crt # CA certificate filename

roles/ca_certificate/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for ca_certificate

roles/ca_certificate/meta/main.yml

@@ -0,0 +1,34 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.