Initial ansible proof of concept

ventifus · Aug 8, 2024 · 7722231 · 7722231
1 parent 75a681e
commit 7722231
Show file tree

Hide file tree

Showing 27 changed files with 2,322 additions and 0 deletions.
diff --git a/Dockerfile.ansible b/Dockerfile.ansible
@@ -0,0 +1,49 @@
+ARG REGISTRY
+ARG VERSION
+
+###############################################################################
+# ansible is the base Python image with ansible and azure-cli
+###############################################################################
+FROM ${REGISTRY}/ubi9/python-311:1-66 AS ansible
+# Versions
+# pipx https://pypi.org/project/pipx/#history
+# azure-cli https://pypi.org/project/azure-cli/#history
+# ansible https://pypi.org/project/ansible/#history
+# ansible.azcollection https://galaxy.ansible.com/ui/repo/published/azure/azcollection/
+ARG PIPX_VERSION=1.6.0 \
+    ANSIBLE_VERSION=10.2.0 \
+    AZURE_CLI_VERSION=2.62.0 \
+    ANSIBLE_AZCOLLECTION_VERSION=2.3.0
+
+# Have Ansible to print task timing information
+ENV ANSIBLE_CALLBACKS_ENABLED=profile_tasks
+USER root
+COPY ansible /ansible
+WORKDIR /ansible
+
+# Using pipx here because ansible and azure-cli have differing required core Azure modules
+# They each need a separate venv to avoid collisions
+RUN ${APP_ROOT}/bin/pip install "pipx==${PIPX_VERSION}" && \
+    ${APP_ROOT}/bin/pipx install "azure-cli==${AZURE_CLI_VERSION}" && \
+    ${APP_ROOT}/bin/pipx install "ansible==${ANSIBLE_VERSION}" --include-deps && \
+    ${APP_ROOT}/bin/pipx runpip ansible install -r "/ansible/ansible-requirements.txt" && \
+    ${HOME}/.local/bin/ansible-galaxy collection install "azure.azcollection==${ANSIBLE_AZCOLLECTION_VERSION}" && \
+    ${APP_ROOT}/bin/pipx runpip ansible install -r "${HOME}/.ansible/collections/ansible_collections/azure/azcollection/requirements-azure.txt" && \
+    ${APP_ROOT}/bin/pipx list && \
+    rm -rf ${HOME}/.ansible ${HOME}/.azure
+
+###############################################################################
+# linter takes the ansible image and injects ansible-lint. Ansible-lint needs
+# ansible itself and all ansible modules and python modules installed to correctly lint
+###############################################################################
+FROM ansible AS linter
+ARG ANSIBLE_LINT_VERSION=24.7.0
+RUN ${APP_ROOT}/bin/pipx inject --include-apps ansible "ansible-lint==${ANSIBLE_LINT_VERSION}" && \
+    ${HOME}/.local/bin/ansible-lint -v -c /ansible/.ansible_lint.yaml --project-dir /ansible --format sarif | tee /opt/app-root/src/sarif.txt
+
+###############################################################################
+# Final image is the base image plus ansible-lint's output
+###############################################################################
+FROM ansible
+COPY --from=linter /opt/app-root/src/sarif.txt /opt/app-root/src/sarif.txt
+ENTRYPOINT ["/opt/app-root/src/.local/bin/ansible-playbook"]
diff --git a/Dockerfile.ansible.dockerignore b/Dockerfile.ansible.dockerignore
diff --git a/Makefile b/Makefile
@@ -5,6 +5,7 @@ ARO_IMAGE_BASE = ${RP_IMAGE_ACR}.azurecr.io/aro
 E2E_FLAGS ?= -test.v --ginkgo.v --ginkgo.timeout 180m --ginkgo.flake-attempts=2 --ginkgo.junit-report=e2e-report.xml
 GO_FLAGS ?= -tags=containers_image_openpgp,exclude_graphdriver_btrfs,exclude_graphdriver_devicemapper
 NO_CACHE ?= true
+PODMAN_VOLUME_OVERLAY=$(shell if [[ $$(getenforce) == "Enforcing" ]]; then echo ":O"; else echo ""; fi 2>/dev/null)
 
 export GOFLAGS=$(GO_FLAGS)
 
@@ -342,3 +343,29 @@ vendor:
 .PHONY: install-go-tools
 install-go-tools:
 	go install ${GOTESTSUM}
+
+.PHONY: ansible-image
+ansible-image:
+	docker image exists aro-ansible:$(VERSION) || docker build . -f Dockerfile.ansible --build-arg REGISTRY=$(REGISTRY) --build-arg VERSION=$(VERSION) --no-cache=$(NO_CACHE) --tag aro-ansible:$(VERSION)
+
+.PHONY: cluster
+LOCATION := eastus
+CLUSTERPREFIX := $(USER)
+CLUSTERPATTERN := basic
+CLEANUP := False
+SSH_CONFIG_DIR := $(HOME)/.ssh/
+SSH_KEY_BASENAME := id_rsa
+ifneq ($(CLUSTERPATTERN),*)
+	CLUSTERFILTER = -l $(CLUSTERPATTERN)
+endif
+ifeq ($(VERBOSE),False)
+	SKIP_VERBOSE = --skip-tags verbose
+endif
+# Note: When running this from a pipeline, don't mount the ansible directory (omit -v ./ansible:/ansible),
+# use the one baked into the ansible image in order to ensure that the Ansible resources used correspond to the desired commit.
+cluster: ansible-image
+	docker run --rm -it -v $${AZURE_CONFIG_DIR:-~/.azure}:/opt/app-root/src/.azure$(PODMAN_VOLUME_OVERLAY) -v ./ansible:/ansible$(PODMAN_VOLUME_OVERLAY) -v $(SSH_CONFIG_DIR):/root/.ssh$(PODMAN_VOLUME_OVERLAY) aro-ansible:$(VERSION) -i hosts.yaml $(CLUSTERFILTER) -e location=$(LOCATION) -e CLUSTERPREFIX=$(CLUSTERPREFIX) -e CLEANUP=$(CLEANUP) -e SSH_KEY_BASENAME=$(SSH_KEY_BASENAME) $(SKIP_VERBOSE) playbook.yaml
+
+.PHONY: lint-ansible
+lint-ansible:
+	cd ansible; ansible-lint -c .ansible_lint.yaml
diff --git a/ansible/.ansible_lint.yaml b/ansible/.ansible_lint.yaml
@@ -0,0 +1,10 @@
+profile: production
+exclude_paths: []
+use_default_rules: true
+skip_list:
+  - no-changed-when
+enable_list:
+  - args
+  - empty-string-compare
+  - no-same-owner
+  - name[prefix]
diff --git a/ansible/ansible-requirements.txt b/ansible/ansible-requirements.txt
@@ -0,0 +1,4 @@
+kubernetes==29.0.0
+microsoft-kiota-http==1.3.1
+msal==1.28.1
+msgraph-core==1.0.0
diff --git a/ansible/group_vars/all.yaml b/ansible/group_vars/all.yaml
@@ -0,0 +1,2 @@
+delegation: localhost
+upgrade_paths: