management: Initial config for api-server service

docker-compose.yaml

@@ -3,7 +3,7 @@ version: '3.8'
 services:
   api:
     build: api
-    image: registry.kadet.net/mgmt/api:${API_VERSION:-latest}
+    image: registry.kadet.net/management/api-server:${API_VERSION:-latest}
     environment:
       - SSH_AUTH_SOCK
     ports: 

services/management/stack.yml

@@ -0,0 +1,56 @@
+version: "{{ compose_version }}"
+
+services:
+  api:
+    image: registry.kadet.net/management/api-server:{{ api_server_version }}
+    command: ['--proxy-headers']
+    extra_hosts:
+      - manager.swarm.local:{{ swarm_host_address }}
+    networks:
+      - default
+      - "{{ ingress_network }}"
+    environment:
+      - API_INVENTORY=inventory/swarm.ini
+      - ANSIBLE_VAULT_PASSWORD_FILE=/var/run/secrets/vault-password
+    volumes:
+      - ./project:/var/project
+      - private-dir:/var/run/ansible
+    secrets:
+      - source: id-rsa
+        target: /home/api-server/.ssh/id_rsa
+      - source: users_{{ users_config.checksum }}
+        target: /etc/api-server/users.yaml
+      - source: vault-password_{{ vault_password.checksum[:12] }}
+        target: /var/run/secrets/vault-password
+    configs:
+      - source: id-rsa-pub
+        target: /home/api-server/.ssh/id_rsa.pub
+      - source: inventory_{{ inventory_config.checksum }}
+        target: /var/project/inventory/swarm.ini
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.{{ service }}.rule=Host(`mgmt.{{ main_domain }}`)
+        - traefik.http.routers.{{ service }}.tls=true
+        - traefik.http.routers.{{ service }}.tls.certresolver=lets-encrypt
+        - traefik.http.services.{{ service }}.loadbalancer.server.port=8080
+      placement:
+        constraints:
+          - node.role == manager
+
+volumes:
+  private-dir: ~
+
+configs:
+  id-rsa-pub:
+    file: ./ssh/id_rsa.pub
+  inventory_{{ inventory_config.checksum }}:
+    file: ./config/inventory.ini
+
+secrets:
+  id-rsa:
+    file: ./ssh/id_rsa
+  users_{{ users_config.checksum }}:
+    file: ./config/users.yaml
+  vault-password_{{ vault_password.checksum[:12] }}:
+    file: ./config/vault-password

services/management/tasks/config.yml

@@ -0,0 +1,45 @@
+---
+- name: 'Ensure config directory exists for "{{ service }}"'
+  file:
+    path: "{{ remote_service_path }}/config"
+    state: directory
+    owner: "{{ ansible_user }}"
+  tags:
+    - config
+
+- name: 'Generate inventory file for "{{ service }}"'
+  template:
+    src: "{{ service_path }}/templates/inventory.ini.j2"
+    dest: "{{ remote_service_path }}/config/inventory.ini"
+  register: inventory_config
+  tags:
+    - config
+
+- name: 'Generate users file for "{{ service }}"'
+  template:
+    src: "{{ service_path }}/templates/users.yml.j2"
+    dest: "{{ remote_service_path }}/config/users.yaml"
+  register: users_config
+  tags:
+    - config
+
+- name: 'Generate vault password file for "{{ service }}"'
+  when: api_server_vault_password is defined
+  copy:
+    dest: "{{ remote_service_path }}/config/vault-password"
+    content: "{{ api_server_vault_password }}"
+  register: vault_password
+  tags:
+    - config
+
+- name: 'Ensure SSH config directory exists for "{{ service }}'
+  file:
+    path: "{{ remote_service_path }}/ssh"
+    state: directory
+    owner: "{{ ansible_user }}"
+  tags:
+    - config
+
+- name: 'Generate SSH key pair for "{{ service }}"'
+  community.crypto.openssh_keypair:
+    path: "{{ remote_service_path }}/ssh/id_rsa"

services/management/templates/inventory.ini.j2

@@ -0,0 +1,7 @@
+[main]
+manager.swarm.local
+
+[main:vars]
+ansible_user={{ ansible_user }}
+main_domain={{ main_domain }}
+swarm_addr={{ swarm_addr }}

services/management/templates/users.yml.j2

@@ -0,0 +1 @@
+{{ api_server_users|to_nice_yaml(indent=2) }}

services/management/vars/main.yml

@@ -0,0 +1,3 @@
+---
+api_server_version: latest
+api_server_users: []

vars/services.yml

@@ -172,5 +172,26 @@ service_config:
         bucket: kadet-docker
   portainer: {}
   system: {}
+  management:
+    api_server_vault_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          38376138373336636630386339653761646333313238386365653365623335383035643231643162
+          3936353164363934633939306462346262666438346262310a313366353766303833373734383032
+          38643039376636633762653838623565376236653061633734626262616530313734366231326632
+          6530373935323033360a613236366135656436306330306162636661313963613466656163316139
+          32333032613461633834396261623166656365666364393761326438366536306237373661303834
+          3339396235393636346666346365306463643430373639613762
+    api_server_users:
+      - token: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          66663262646661623837363865366463323034376436303738353165306464623933393464666433
+          6632356435323463303436333561333030383163646630350a613831303734336234623366313931
+          39623963653466326239376163313033313139653332343738306634623036666464326131633532
+          3730643635373436380a396662643061653664653366356137366538653431373361383236336362
+          34366665636631373165346338343962613266643036386532326461633766633632373932383663
+          32363837663436663131306238616536623637376137393134623565353436663864333666346231
+          38333435346561306163666533373166363739636533383335663435363431643566383930366163
+          31363565343065313631
+        allowed_services: ["wipe-stg"]
 www_data_users:
   - vagrant