cloud-foundation-fabric/blueprints/apigee/hybrid-gke/ansible/roles/apigee-hybrid/tasks/main.yaml

# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Get cluster credentials
  shell: >
    gcloud container clusters get-credentials {{ cluster }} \
    --region {{ region }} \
    --project {{ project_id }} \
    --internal-ip

- name: Download cert-manager
  uri:
    url: https://github.com/jetstack/cert-manager/releases/download/v1.7.2/cert-manager.yaml
    dest: ~/cert-manager.yaml

- name: Apply metrics-server manifest to the cluster.
  kubernetes.core.k8s:
    state: present
    src: ~/cert-manager.yaml

- name:
  kubernetes.core.k8s_info:
    kind: Pod
    wait: yes
    label_selectors:
      - "app.kubernetes.io/instance=cert-manager"
    namespace: cert-manager
    wait_timeout: 90
    wait_condition:
      type: Ready
      status: True

- name: Fetch apigeectl version
  uri:
    url: https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/current-version.txt?ignoreCache=1
    return_content: yes
  register: version

- name: Download apigeectl bundle
  uri:
    url: https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/{{ version.content }}/apigeectl_linux_64.tar.gz
    dest: "~/apigeectl.tar.gz"
    status_code: [200, 304]

- name: Extract apigeectl bundle
  unarchive:
    src: "~/apigeectl.tar.gz"
    dest: "~"
    remote_src: yes

- name: Move apigeectl folder
  shell: >
    mv ~/apigeectl_* ~/apigeectl

- name: Create hybrid-files
  file:
    path: "~/hybrid-files/{{ item }}"
    state: directory
  with_items:
    - overrides
    - certs

- name: Create a symbolic links
  file:
    src: ~/apigeectl/{{ item }}
    dest: "~/hybrid-files/{{ item }}"
    state: link
  with_items:
    - tools
    - config
    - templates
    - plugins

- name: Create apigee namespace
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Namespace
      metadata:
        name: apigee

- name: Create k8s service accounts
  include_tasks: k8s_service_accounts.yaml
  vars:
    google_service_account: "{{ item.key }}"
    k8s_service_accounts: "{{ item.value }}"
  with_dict: "{{ service_accounts }}"

- name: Set hostnames
  set_fact:
    hostnames: "{{ hostnames | default([]) + item.value }}"
  with_dict: "{{ envgroups }}"

- name: Create certificate and private key
  shell: >
    openssl req  \ 
    -nodes \
    -new \
    -x509 \
    -keyout ~/hybrid-files/certs/server.key \
    -out ~/hybrid-files/certs/server.crt \
    -subj "/CN=apigee.com' \ 
    -addext "subjectAltName={{ hostnames | map('regex_replace', '^', 'DNS:') | join(',') }}""
    -days 3650

- name: Read certificate 
  slurp: 
    src: ~/hybrid-files/certs/server.crt
  register: certificate_output

- name: Read private ket 
  slurp: 
    src: ~/hybrid-files/certs/server.key
  register: privatekey_output

- name: Create secret
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: tls-hybrid-ingress
        namespace: apigee
      type: kubernetes.io/tls
      data:
        tls.crt: "{{ certificate_output.content }}"
        tls.key: "{{ privatekey_output.content }}"

- name: Create overrides.yaml
  template:
    src: templates/overrides.yaml.j2
    dest: ~/hybrid-files/overrides/overrides.yaml

- name: Enable syncronizer access
  shell: >
    curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type:application/json" \
    "https://apigee.googleapis.com/v1/organizations/{{ project_id }}:setSyncAuthorization" \
    -d '{"identities":["'"serviceAccount:apigee-synchronizer@{{ project_id }}.iam.gserviceaccount.com"'"]}'

- name: Dry-run (init)
  shell: >
    ~/apigeectl/apigeectl init -f overrides/overrides.yaml --dry-run=client
  args:
    chdir: ~/hybrid-files

- name: Install the Apigee deployment services Apigee Deployment Controller and Apigee Admission Webhook.
  shell: >
    ~/apigeectl/apigeectl init -f overrides/overrides.yaml
  args:
    chdir: ~/hybrid-files

- name: Wait for apigee-controller pod to be ready
  kubernetes.core.k8s_info:
    kind: Pod
    wait: yes
    label_selectors:
      - "app=apigee-controller"
    namespace: apigee-system
    wait_timeout: 600
    wait_condition:
      type: Ready
      status: True

- name: Wait for apigee-selfsigned-issuer issuer to be ready
  kubernetes.core.k8s_info:
    kind: Issuer
    wait: yes
    name: apigee-selfsigned-issuer
    namespace: apigee-system
    wait_timeout: 600
    wait_condition:
      type: Ready
      status: True

- name: Wait for apigee-serving-cert certificate to be ready
  kubernetes.core.k8s_info:
    kind: Certificate
    wait: yes
    name: apigee-serving-cert
    namespace: apigee-system
    wait_timeout: 600
    wait_condition:
      type: Ready
      status: True

- name: Wait for apigee-resources-install job to be complete
  kubernetes.core.k8s_info:
    kind: Job
    wait: yes
    name: apigee-resources-install
    namespace: apigee-system
    wait_timeout: 360
    wait_condition:
      type: Complete
      status: True

- name: Dry-run (apply)
  shell: >
    ~/apigeectl/apigeectl apply -f overrides/overrides.yaml --dry-run=client
  args:
    chdir: ~/hybrid-files

- name: Install the Apigee runtime components
  shell: >
    ~/apigeectl/apigeectl apply -f overrides/overrides.yaml
  args:
    chdir: ~/hybrid-files

- name: Wait for apigee-runtime pod to be ready
  kubernetes.core.k8s_info:
    kind: Pod
    wait: yes
    label_selectors:
      - "app=apigee-runtime"
    namespace: apigee
    wait_timeout: 360
    wait_condition:
      type: Ready
      status: True

- name: 
  kubernetes.core.k8s:
    state: present   
    definition: 
      apiVersion: apigee.cloud.google.com/v1alpha1
      kind: ApigeeRoute
      metadata:
        name: apigee-wildcard
        namespace: apigee
      spec:
        hostnames:
        - '*'
        ports:
        - number: 443
          protocol: HTTPS
          tls:
            credentialName: tls-hybrid-ingress
            mode: SIMPLE
        selector:
          app: apigee-ingressgateway
        enableNonSniClient: true 

- name: Create google-managed certificate
  kubernetes.core.k8s:
    state: present   
    definition: 
      apiVersion: networking.gke.io/v1
      kind: ManagedCertificate
      metadata:
        name: "apigee-cert-hybrid"
        namespace: apigee
      spec:
        domains: "{{ hostnames }}"
      
- name: Create backend config
  kubernetes.core.k8s:
    state: present  
    definition:  
      apiVersion: cloud.google.com/v1
      kind: BackendConfig
      metadata:
        name: apigee-ingress-backendconfig
        namespace: apigee
      spec:
        healthCheck:
          requestPath: /healthz/ready
          port: 15021
          type: HTTP
        logging:
          enable: true
          sampleRate: 0.5

- name: Create service
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Service
      metadata:
        name: apigee-ingressgateway-hybrid
        namespace: apigee
        annotations:
          cloud.google.com/backend-config: '{"default": "apigee-ingress-backendconfig"}'
          cloud.google.com/neg: '{"ingress": true}'
          cloud.google.com/app-protocols: '{"https":"HTTPS", "status-port": "HTTP"}'
        labels:
          app: apigee-ingressgateway-hybrid
      spec:
        ports:
        - name: status-port
          port: 15021
          targetPort: 15021
        - name: https
          port: 443
          targetPort: 8443
        selector:
          app: apigee-ingressgateway
          ingress_name: ingress
        type: ClusterIP

- name: Create ingress
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        annotations:
          networking.gke.io/managed-certificates: "apigee-cert-hybrid"
          kubernetes.io/ingress.global-static-ip-name: "{{ ingress_ip_name }}"
          kubernetes.io/ingress.allow-http: "false"
        name: xlb-apigee
        namespace: apigee
      spec:
        defaultBackend:
          service:
            name: apigee-ingressgateway-hybrid
            port:
              number: 443
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00			`# Copyright 2023 Google LLC`
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`#`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`#`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00			`# http://www.apache.org/licenses/LICENSE-2.0`
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`#`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

			`- name: Get cluster credentials`
			`shell: >`
			`gcloud container clusters get-credentials {{ cluster }} \`
			`--region {{ region }} \`
			`--project {{ project_id }} \`
			`--internal-ip`

Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`- name: Download cert-manager`
			`uri:`
			`url: https://github.com/jetstack/cert-manager/releases/download/v1.7.2/cert-manager.yaml`
			`dest: ~/cert-manager.yaml`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`- name: Apply metrics-server manifest to the cluster.`
			`kubernetes.core.k8s:`
			`state: present`
			`src: ~/cert-manager.yaml`

			`- name:`
			`kubernetes.core.k8s_info:`
			`kind: Pod`
			`wait: yes`
			`label_selectors:`
			`- "app.kubernetes.io/instance=cert-manager"`
			`namespace: cert-manager`
			`wait_timeout: 90`
			`wait_condition:`
			`type: Ready`
			`status: True`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00
			`- name: Fetch apigeectl version`
			`uri:`
			`url: https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/current-version.txt?ignoreCache=1`
			`return_content: yes`
			`register: version`

			`- name: Download apigeectl bundle`
			`uri:`
			`url: https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/{{ version.content }}/apigeectl_linux_64.tar.gz`
			`dest: "~/apigeectl.tar.gz"`
			`status_code: [200, 304]`

			`- name: Extract apigeectl bundle`
			`unarchive:`
			`src: "~/apigeectl.tar.gz"`
			`dest: "~"`
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`remote_src: yes`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00
			`- name: Move apigeectl folder`
			`shell: >`
			`mv ~/apigeectl_* ~/apigeectl`

			`- name: Create hybrid-files`
			`file:`
			`path: "~/hybrid-files/{{ item }}"`
			`state: directory`
			`with_items:`
			`- overrides`
			`- certs`

			`- name: Create a symbolic links`
			`file:`
			`src: ~/apigeectl/{{ item }}`
			`dest: "~/hybrid-files/{{ item }}"`
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`state: link`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00			`with_items:`
			`- tools`
			`- config`
			`- templates`
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`- plugins`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`- name: Create apigee namespace`
			`kubernetes.core.k8s:`
			`state: present`
			`definition:`
			`apiVersion: v1`
			`kind: Namespace`
			`metadata:`
			`name: apigee`

			`- name: Create k8s service accounts`
			`include_tasks: k8s_service_accounts.yaml`
			`vars:`
			`google_service_account: "{{ item.key }}"`
			`k8s_service_accounts: "{{ item.value }}"`
			`with_dict: "{{ service_accounts }}"`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`- name: Set hostnames`
			`set_fact:`
			`hostnames: "{{ hostnames \| default([]) + item.value }}"`
			`with_dict: "{{ envgroups }}"`

			`- name: Create certificate and private key`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00			`shell: >`
			`openssl req \`
			`-nodes \`
			`-new \`
			`-x509 \`
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`-keyout ~/hybrid-files/certs/server.key \`
			`-out ~/hybrid-files/certs/server.crt \`
			`-subj "/CN=apigee.com' \`
			`-addext "subjectAltName={{ hostnames \| map('regex_replace', '^', 'DNS:') \| join(',') }}""`
			`-days 3650`

			`- name: Read certificate`
			`slurp:`
			`src: ~/hybrid-files/certs/server.crt`
			`register: certificate_output`

			`- name: Read private ket`
			`slurp:`
			`src: ~/hybrid-files/certs/server.key`
			`register: privatekey_output`

			`- name: Create secret`
			`kubernetes.core.k8s:`
			`state: present`
			`definition:`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: tls-hybrid-ingress`
			`namespace: apigee`
			`type: kubernetes.io/tls`
			`data:`
			`tls.crt: "{{ certificate_output.content }}"`
			`tls.key: "{{ privatekey_output.content }}"`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00
			`- name: Create overrides.yaml`
			`template:`
			`src: templates/overrides.yaml.j2`
			`dest: ~/hybrid-files/overrides/overrides.yaml`

			`- name: Enable syncronizer access`
			`shell: >`
			`curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" \`
			`-H "Content-Type:application/json" \`
			`"https://apigee.googleapis.com/v1/organizations/{{ project_id }}:setSyncAuthorization" \`
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`-d '{"identities":["'"serviceAccount:apigee-synchronizer@{{ project_id }}.iam.gserviceaccount.com"'"]}'`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00
			`- name: Dry-run (init)`
			`shell: >`
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`~/apigeectl/apigeectl init -f overrides/overrides.yaml --dry-run=client`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00			`args:`
			`chdir: ~/hybrid-files`

			`- name: Install the Apigee deployment services Apigee Deployment Controller and Apigee Admission Webhook.`
			`shell: >`
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`~/apigeectl/apigeectl init -f overrides/overrides.yaml`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00			`args:`
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`chdir: ~/hybrid-files`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`- name: Wait for apigee-controller pod to be ready`
			`kubernetes.core.k8s_info:`
			`kind: Pod`
			`wait: yes`
			`label_selectors:`
			`- "app=apigee-controller"`
			`namespace: apigee-system`
			`wait_timeout: 600`
			`wait_condition:`
			`type: Ready`
			`status: True`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`- name: Wait for apigee-selfsigned-issuer issuer to be ready`
			`kubernetes.core.k8s_info:`
			`kind: Issuer`
			`wait: yes`
			`name: apigee-selfsigned-issuer`
			`namespace: apigee-system`
			`wait_timeout: 600`
			`wait_condition:`
			`type: Ready`
			`status: True`

			`- name: Wait for apigee-serving-cert certificate to be ready`
			`kubernetes.core.k8s_info:`
			`kind: Certificate`
			`wait: yes`
			`name: apigee-serving-cert`
			`namespace: apigee-system`
			`wait_timeout: 600`
			`wait_condition:`
			`type: Ready`
			`status: True`

			`- name: Wait for apigee-resources-install job to be complete`
			`kubernetes.core.k8s_info:`
			`kind: Job`
			`wait: yes`
			`name: apigee-resources-install`
			`namespace: apigee-system`
			`wait_timeout: 360`
			`wait_condition:`
			`type: Complete`
			`status: True`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00
			`- name: Dry-run (apply)`
			`shell: >`
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`~/apigeectl/apigeectl apply -f overrides/overrides.yaml --dry-run=client`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00			`args:`
			`chdir: ~/hybrid-files`

			`- name: Install the Apigee runtime components`
			`shell: >`
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`~/apigeectl/apigeectl apply -f overrides/overrides.yaml`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00			`args:`
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`chdir: ~/hybrid-files`
Apigee hybrid on GKE 2023-01-03 08:25:09 -08:00
Improvements in apigee hybrid-gke: now using workload identity and GLB 2023-01-13 03:45:18 -08:00			`- name: Wait for apigee-runtime pod to be ready`
			`kubernetes.core.k8s_info:`
			`kind: Pod`
			`wait: yes`
			`label_selectors:`
			`- "app=apigee-runtime"`
			`namespace: apigee`
			`wait_timeout: 360`
			`wait_condition:`
			`type: Ready`
			`status: True`

			`- name:`
			`kubernetes.core.k8s:`
			`state: present`
			`definition:`
			`apiVersion: apigee.cloud.google.com/v1alpha1`
			`kind: ApigeeRoute`
			`metadata:`
			`name: apigee-wildcard`
			`namespace: apigee`
			`spec:`
			`hostnames:`
			`- '*'`
			`ports:`
			`- number: 443`
			`protocol: HTTPS`
			`tls:`
			`credentialName: tls-hybrid-ingress`
			`mode: SIMPLE`
			`selector:`
			`app: apigee-ingressgateway`
			`enableNonSniClient: true`

			`- name: Create google-managed certificate`
			`kubernetes.core.k8s:`
			`state: present`
			`definition:`
			`apiVersion: networking.gke.io/v1`
			`kind: ManagedCertificate`
			`metadata:`
			`name: "apigee-cert-hybrid"`
			`namespace: apigee`
			`spec:`
			`domains: "{{ hostnames }}"`

			`- name: Create backend config`
			`kubernetes.core.k8s:`
			`state: present`
			`definition:`
			`apiVersion: cloud.google.com/v1`
			`kind: BackendConfig`
			`metadata:`
			`name: apigee-ingress-backendconfig`
			`namespace: apigee`
			`spec:`
			`healthCheck:`
			`requestPath: /healthz/ready`
			`port: 15021`
			`type: HTTP`
			`logging:`
			`enable: true`
			`sampleRate: 0.5`

			`- name: Create service`
			`kubernetes.core.k8s:`
			`state: present`
			`definition:`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: apigee-ingressgateway-hybrid`
			`namespace: apigee`
			`annotations:`
			`cloud.google.com/backend-config: '{"default": "apigee-ingress-backendconfig"}'`
			`cloud.google.com/neg: '{"ingress": true}'`
			`cloud.google.com/app-protocols: '{"https":"HTTPS", "status-port": "HTTP"}'`
			`labels:`
			`app: apigee-ingressgateway-hybrid`
			`spec:`
			`ports:`
			`- name: status-port`
			`port: 15021`
			`targetPort: 15021`
			`- name: https`
			`port: 443`
			`targetPort: 8443`
			`selector:`
			`app: apigee-ingressgateway`
			`ingress_name: ingress`
			`type: ClusterIP`

			`- name: Create ingress`
			`kubernetes.core.k8s:`
			`state: present`
			`definition:`
			`apiVersion: networking.k8s.io/v1`
			`kind: Ingress`
			`metadata:`
			`annotations:`
			`networking.gke.io/managed-certificates: "apigee-cert-hybrid"`
			`kubernetes.io/ingress.global-static-ip-name: "{{ ingress_ip_name }}"`
			`kubernetes.io/ingress.allow-http: "false"`
			`name: xlb-apigee`
			`namespace: apigee`
			`spec:`
			`defaultBackend:`
			`service:`
			`name: apigee-ingressgateway-hybrid`
			`port:`
			`number: 443`