Merge pull request #40 from mojaloop/feature-integrate-minio2

Integrate minio and argocd OIDC changes

mojaloop/iac/playbooks/control_center_deploy.yaml

@@ -10,7 +10,7 @@
     - mojaloop.iac.gitlab_common
     - mojaloop.iac.docker
     - mojaloop.iac.nexus_server
-    - mojaloop.iac.seaweedfs_server
+    - mojaloop.iac.minio
 
 - hosts: gitlab
   become: true

mojaloop/iac/roles/argocd/defaults/main.yaml

@@ -18,5 +18,6 @@ kubectl_version: "1.24.6"
 coredns_version: "1.28.2"
 coredns_max_scale: 10
 install_nodelocaldns: false
-gitlab_oidc_issuer: http://issuer-fqdn/oidc
-argocd_fqdn: argocd.example.com
+gitlab_oidc_issuer: http://issuer-fqdn
+argocd_fqdn: example.com
+oidc_admin_group: tenant-admins

mojaloop/iac/roles/argocd/tasks/main.yaml

@@ -58,7 +58,8 @@
     src: "templates/{{ item }}.yaml.j2"
     dest: "{{ argotmpvalues.path }}/{{ item }}.yaml"
   with_items:
-    - argo-cm
+    - argocd-cm-patch
+    - argocd-rbac-cm-patch
     - argo-gitlab
     - argo-root-app
     - argo-service-acct-patch
@@ -68,6 +69,9 @@
     - vault-service-account-etc
     - vault-env
     - netclient
+    - argo-oidc-secrets
+    - argocd-server-patch
+    - argocd-cmd-params-cm-patch    
     #- coredns-values
 
 # - name: Install coredns

mojaloop/iac/roles/argocd/templates/argo-oidc-secrets.yaml.j2

@@ -13,8 +13,9 @@ spec:
     name: argo-oidc
     creationPolicy: Owner
     template:
-      labels:
-        app.kubernetes.io/part-of: argocd
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: argocd
   data:
     - secretKey: clientid
       remoteRef: 

mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 → mojaloop/iac/roles/argocd/templates/argocd-cm-patch.yaml.j2

@@ -1,12 +1,18 @@
 apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-cm
+    app.kubernetes.io/part-of: argocd
+  name: argocd-cm
 data:
-  url: https://{{ argocd_fqdn }}
+  url: https://argocd.{{ cluster_domain }}
   oidc.config: |
     name: Gitlab
-    issuer: {{ gitlab_oidc_issuer }}
-    clientID: $argo-oidc.clientid
-    clientSecret: $argo-oidc.clientsecret
-    requestedScopes: ["read_api"]
+    issuer: {{ gitlab_server_url }}
+    clientID: $argo-oidc:clientid
+    clientSecret: $argo-oidc:clientsecret
+    requestedScopes: ["openid"]
   application.instanceLabelKey: argocd.argoproj.io/instance
   kustomize.buildOptions: --enable-helm
   ui.bannercontent: "argocd application install"
@@ -49,9 +55,3 @@ data:
         hs.status = "Progressing"
         hs.message = "Waiting for certificate"
         return hs
-kind: ConfigMap
-metadata:
-  labels:
-    app.kubernetes.io/name: argocd-cm
-    app.kubernetes.io/part-of: argocd
-  name: argocd-cm

mojaloop/iac/roles/argocd/templates/argocd-cmd-params-cm-patch.yaml.j2

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cmd-params-cm
+  labels:
+    app.kubernetes.io/name: argocd-cmd-params-cm
+    app.kubernetes.io/part-of: argocd
+data:
+  server.insecure: "false"

mojaloop/iac/roles/argocd/templates/argocd-rbac-cm-patch.yaml.j2

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+  labels:
+    app.kubernetes.io/name: argocd-rbac-cm
+    app.kubernetes.io/part-of: argocd
+data:
+  policy.csv: |
+    p, group:{{ oidc_admin_group }}, applications, sync, my-project/*, allow
+    g, group:{{ oidc_admin_group }}, role:admin
+  policy.default: role:readonly
+  scopes: '[groups]'

mojaloop/iac/roles/argocd/templates/argocd-server-patch.yaml.j2

@@ -0,0 +1,5 @@
+- op: add
+  path: "/spec/template/spec/containers/0/env/-"
+  value:
+    name: ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT
+    value: "0"

mojaloop/iac/roles/argocd/templates/kustomization.yaml.j2

@@ -14,15 +14,28 @@ resources:
 - argo-oidc-secrets.yaml
 
 patches:
-- path: argo-cm.yaml
+- path: argocd-cm-patch.yaml
   target:
     kind: ConfigMap
     name: argocd-cm
+- path: argocd-rbac-cm-patch.yaml
+  target:
+    kind: ConfigMap
+    name: argocd-rbac-cm    
 - path: argocd-lovely-plugin.yaml
   target:
     kind: Deployment
     name: argocd-repo-server
 - path: argo-service-acct-patch.yaml
   target:
     kind: Deployment
-    name: argocd-repo-server
+    name: argocd-repo-server
+    name: argocd-repo-server
+- path: argocd-cmd-params-cm-patch.yaml
+  target:
+    kind: ConfigMap
+    name: argocd-cmd-params-cm
+- path: argocd-server-patch.yaml
+  target:
+    kind: Deployment
+    name: argocd-server    

mojaloop/iac/roles/docker/tasks/main.yaml

@@ -43,11 +43,19 @@
     dev: "{{ ebs_volume_device_name }}"
   when: docker_extra_vol_mount
 
-- name: Create a volume
-  community.docker.docker_volume:
-    name: "{{ docker_extra_volume_name }}"
-    state: present
-    driver_options:
-      type: ext4
-      device: "{{ ebs_volume_device_name }}"
+- name: Mount the extra vol disk
+  mount:
+    name: "/var/lib/docker/volumes"
+    src: "{{ ebs_volume_device_name }}"
+    fstype: ext4
+    state: mounted
   when: docker_extra_vol_mount
+
+#- name: Create a volume
+#  community.docker.docker_volume:
+#    name: "{{ docker_extra_volume_name }}"
+#    state: present
+#    driver_options:
+#      type: ext4
+#      device: "{{ ebs_volume_device_name }}"
+#  when: docker_extra_vol_mount

mojaloop/iac/roles/gitlab_ci/defaults/main.yaml

@@ -1,8 +1,8 @@
 gitlab_runner_version: 15.11.0
 gitlab_server_hostname: gitlab.domain
 gitlab_external_url: changeme
-seaweedfs_s3_gitlab_access_key: s3accesskey
-seaweedfs_s3_gitlab_secret_key: s3accesssecret
-seaweedfs_s3_server_host: hostname
-seaweedfs_s3_listening_port: 9000
+gitlab_minio_user: s3accesskey
+gitlab_minio_secret: s3accesssecret
+minio_server_host: hostname
+minio_listening_port: 9000
 gitlab_runner_service_stop_timeout: 7200

mojaloop/iac/roles/gitlab_ci/tasks/main.yaml

@@ -77,9 +77,9 @@
     --output-limit 409600 \
     --cache-type s3 \
     --cache-shared=true \
-    --cache-s3-server-address '{{ seaweedfs_s3_server_host }}:{{ seaweedfs_s3_listening_port }}' \
-    --cache-s3-access-key '{{ seaweedfs_s3_gitlab_access_key }}' \
-    --cache-s3-secret-key '{{ seaweedfs_s3_gitlab_secret_key }}' \
+    --cache-s3-server-address '{{ minio_server_host }}:{{ minio_listening_port }}' \
+    --cache-s3-access-key '{{ gitlab_minio_user }}' \
+    --cache-s3-secret-key '{{ gitlab_minio_secret }}' \
     --cache-s3-bucket-name 'gitlab-ci' \
     --cache-s3-insecure=true"
   when: runner_exists.results[item].stdout == "0"

mojaloop/iac/roles/gitlab_server/tasks/configure.yaml

@@ -53,12 +53,12 @@
     mode: 'u=rw,g=r,o=r'
     backup: yes
 
-- name: Create empty buckets
-  amazon.aws.s3_bucket:
-    name: "{{ item }}"
-    state: present
-    endpoint_url: "{{ s3_server_url }}"
-    secret_key: "{{ s3_password }}"
-    region: "us-east-1"
-    access_key: "{{ s3_username }}"
-  with_items: "{{ s3_create_bucket_list }}"
+#- name: Create empty buckets
+#  amazon.aws.s3_bucket:
+#    name: "{{ item }}"
+#    state: present
+#    endpoint_url: "{{ s3_server_url }}"
+#    secret_key: "{{ s3_password }}"
+#    region: "us-east-1"
+#    access_key: "{{ s3_username }}"
+#  with_items: "{{ s3_create_bucket_list }}"

mojaloop/iac/roles/haproxy/defaults/main.yaml

@@ -1,9 +1,9 @@
 haproxy_version: 2.8
-seaweedfs_s3_listening_port: 8333
+minio_listening_port: 9001
 nexus_docker_repo_listening_port: 8082
 local_vault_listening_port: 8200
 vault_listening_port: 443
 nexus_fqdn: private_ip
-seaweedfs_fqdn: private_ip
+minio_fqdn: private_ip
 vault_fqdn: private_ip
 enable_internal_egress_lb: true

mojaloop/iac/roles/haproxy/templates/haproxy.cfg.j2

@@ -3,9 +3,9 @@ defaults
   timeout client 50000
   timeout server 50000
 
-frontend seaweed
-  bind :{{ seaweedfs_s3_listening_port }}
-  default_backend seaweed
+frontend minio
+  bind :{{ minio_listening_port }}
+  default_backend minio
 
 frontend nexus
   bind :{{ nexus_docker_repo_listening_port }}
@@ -17,8 +17,8 @@ frontend vault
   default_backend vault
 
 
-backend seaweed
-  server seaweed {{ seaweedfs_fqdn }}:{{ seaweedfs_s3_listening_port }}
+backend minio
+  server minio {{ minio_fqdn }}:{{ minio_listening_port }}
 
 backend nexus
   server nexus {{ nexus_fqdn }}:{{ nexus_docker_repo_listening_port }}

mojaloop/iac/roles/minio/defaults/main.yml

@@ -6,6 +6,8 @@ minio_root_password: changeme
 minio_image_version: RELEASE.2024-02-04T22-36-13Z
 nginx_image_version: 1.19.2-alpine
 docker_extra_volume_name: docker-extra
-minio_client_download_url: https://dl.min.io/client/mc/release/linux-arm64/mc  #https://dl.min.io/client/mc/release/linux-amd64/mc
+minio_client_download_url: https://dl.min.io/client/mc/release/linux-amd64/mc  #https://dl.min.io/client/mc/release/linux-arm64/mc 
 gitlab_minio_user: gitlab-user
 gitlab_minio_secret: changeme
+minio_create_bucket_list: ["gitlab-registry", "gitlab-artifacts", "gitlab-external-diffs", "gitlab-lfs-objects", "gitlab-uploads", "gitlab-packages", "gitlab-dependency-proxy", "gitlab-terraform-state", "gitlab-ci", "gitlab-pages"]
+

mojaloop/iac/roles/minio/tasks/configure.yml

@@ -1,15 +1,16 @@
 ---
-# configure     
+# configure
 
 - name: "Check if mc is installed"
-  command: which mc
+  stat:
+     path: "{{ minio_work_dir }}/mc"
   changed_when: false
   failed_when: false
   register: mc_installed
 
 - name: Wait minio healthcheck api to respond
   uri:
-    url: http://localhost:9000/minio/health/live
+    url: http://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9000/minio/health/live
     method: GET
   register: _result
   until: _result.status == 200
@@ -19,36 +20,40 @@
 - name: "Install minio client"
   get_url:
     url: "{{ minio_client_download_url }}"
-    dest: /usr/local/bin/mc
+    dest: "{{ minio_work_dir }}/mc"
     mode: 0700
-  when: not mc_installed 
-      
+  when: not mc_installed.stat.exists
+
 - name: "Create minio alias"
-  command: mc alias set infitx-minio http://localhost:9000 {{ minio_root_user }} {{ minio_root_password }} 
+  command: "{{ minio_work_dir }}/mc alias set infitx-minio http://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9000 {{ minio_root_user }} {{ minio_root_password }}"
 
 - name: "Check if user is created with policy"
-  shell: 'mc admin user info infitx-minio gitlab-user --quiet --json'
+  shell: '{{ minio_work_dir }}/mc admin user info infitx-minio {{ gitlab_minio_user }} --quiet --json'
   register: mc_gitlab_user_info
-  ignore_errors: true  
+  ignore_errors: true
 
 - set_fact:
     mc_gitlab_access_policy: "{{ mc_gitlab_user_info.stdout | from_json | json_query('policyName') }}"
 
 
 - name: "Create minio user for gitlab"
-  command: mc admin user add infitx-minio {{ gitlab_minio_user }} {{ gitlab_minio_secret }}
+  command: "{{ minio_work_dir }}/mc admin user add infitx-minio {{ gitlab_minio_user }} {{ gitlab_minio_secret }}"
 
 - name: "Copy policy.json"
-  template: 
+  template:
     src: policy.json
     dest: /tmp/policy.json
     owner: root
     group: root
 
 - name: "Create access policy for gitlab"
-  command: mc admin policy create infitx-minio gitlab-access-policy /tmp/policy.json
-    
+  command: "{{ minio_work_dir }}/mc admin policy create infitx-minio gitlab-access-policy /tmp/policy.json"
+
 
 - name: "Attacth policy to gitlab user"
-  command: mc admin policy attach infitx-minio gitlab-access-policy --user {{ gitlab_minio_user }}
+  command: "{{ minio_work_dir }}/mc admin policy attach infitx-minio gitlab-access-policy --user {{ gitlab_minio_user }}"
   when: mc_gitlab_access_policy != 'gitlab-access-policy'
+
+- name: Create empty buckets for gitlab
+  command: "{{ minio_work_dir }}/mc mb infitx-minio/{{ item }} --ignore-existing"
+  with_items: "{{ minio_create_bucket_list }}"