# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

---
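# Point kubectl (and therefore the kubernetes.core.* tasks below) at the
# target GKE cluster. `command` with `argv` is used instead of `shell` so the
# templated values are handed to gcloud as discrete arguments and are never
# re-parsed by /bin/sh.
- name: Get cluster credentials
  command:
    argv:
      - gcloud
      - container
      - clusters
      - get-credentials
      - "{{ cluster }}"
      - "--region"
      - "{{ region }}"
      - "--project"
      - "{{ project_id }}"
      - "--internal-ip"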
# Fetch the cert-manager release manifest onto the target host.
# NOTE(review): the download is pinned to v1.7.2 by URL but the content is
# not checksum-verified; `get_url` with `checksum:` would pin the bytes too.
- name: Download cert-manager
  uri:
    url: "https://github.com/jetstack/cert-manager/releases/download/v1.7.2/cert-manager.yaml"
    dest: "~/cert-manager.yaml"
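# Install cert-manager from the manifest downloaded in the previous task.
# (The task name used to say "metrics-server", which is not what is applied.)
- name: Apply cert-manager manifest to the cluster
  kubernetes.core.k8s:
    state: present
    src: "~/cert-manager.yaml"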
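# Block until every cert-manager pod is Ready — presumably so its webhook is
# serving before the Issuer/Certificate objects waited on later are created.
- name: Wait for cert-manager pods to be ready
  kubernetes.core.k8s_info:
    kind: Pod
    namespace: cert-manager
    label_selectors:
      - "app.kubernetes.io/instance=cert-manager"
    wait: true
    wait_timeout: 90
    wait_condition:
      type: Ready
      # the module compares this as the string "True"; an unquoted True is a
      # YAML boolean that only works via Ansible's bool->str conversion
      status: "True"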
# Resolve the current apigeectl release name from the Apigee release bucket.
# The response body is registered so the next task can build the download URL.
- name: Fetch apigeectl version
  uri:
    url: "https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/current-version.txt?ignoreCache=1"
    return_content: true
  register: version
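# Download the apigeectl tarball for the version resolved above. `trim`
# strips any trailing newline from current-version.txt so it cannot end up
# inside the URL. 304 is accepted alongside 200.
# NOTE(review): fetched over HTTPS but not checksum-verified.
- name: Download apigeectl bundle
  uri:
    url: "https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/{{ version.content | trim }}/apigeectl_linux_64.tar.gz"
    dest: "~/apigeectl.tar.gz"
    status_code: [200, 304]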
# Unpack the tarball into the home directory. remote_src is set because the
# archive already lives on the target host, not on the controller.
- name: Extract apigeectl bundle
  unarchive:
    src: "~/apigeectl.tar.gz"
    dest: "~"
    remote_src: true
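# The tarball unpacks into a directory matching apigeectl_*; rename it to a
# stable path. `creates` makes the task idempotent: without it a second run
# moves the fresh extraction *into* the existing ~/apigeectl directory.
- name: Move apigeectl folder
  shell: mv ~/apigeectl_* ~/apigeectl
  args:
    creates: ~/apigeectl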
# Working-directory layout consumed by apigeectl: overrides/ receives
# overrides.yaml, certs/ receives the generated TLS key pair.
- name: Create hybrid-files
  file:
    path: "~/hybrid-files/{{ item }}"
    state: directory
  loop:
    - overrides
    - certs
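# Expose the apigeectl tools/config/templates/plugins directories inside
# hybrid-files so apigeectl can later be run with hybrid-files as its
# working directory.
- name: Create symbolic links
  file:
    src: "~/apigeectl/{{ item }}"
    dest: "~/hybrid-files/{{ item }}"
    state: link
  loop:
    - tools
    - config
    - templates
    - plugins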
# Namespace that hosts the Apigee runtime and the ingress resources below.
- name: Create apigee namespace
  kubernetes.core.k8s:
    api_version: v1
    kind: Namespace
    name: apigee
    state: present
# Run k8s_service_accounts.yaml once per entry of `service_accounts`.
# Presumably each key is a Google service account and each value the list of
# Kubernetes service accounts bound to it; the included file receives them as
# google_service_account / k8s_service_accounts.
- name: Create k8s service accounts
  include_tasks: k8s_service_accounts.yaml
  loop: "{{ service_accounts | dict2items }}"
  vars:
    google_service_account: "{{ item.key }}"
    k8s_service_accounts: "{{ item.value }}"
# Concatenate the per-envgroup hostname lists into a single `hostnames` fact;
# it feeds the certificate SANs and the ManagedCertificate domains below.
- name: Set hostnames
  set_fact:
    hostnames: "{{ hostnames | default([]) + item.value }}"
  loop: "{{ envgroups | dict2items }}"
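# Self-signed certificate for the ingress gateway with every hostname as a
# SAN. Keep -subj and -addext in matching double quotes: unbalanced quotes
# fold -addext into the subject and silently drop the SANs.
# `-nodes` writes the private key unencrypted to disk; it is read back into a
# Kubernetes Secret below. There is no `creates`, so each run regenerates the
# pair. -addext needs an openssl build that supports it.
- name: Create certificate and private key
  shell: |
    openssl req \
      -nodes \
      -new \
      -x509 \
      -keyout ~/hybrid-files/certs/server.key \
      -out ~/hybrid-files/certs/server.crt \
      -subj "/CN=apigee.com" \
      -addext "subjectAltName={{ hostnames | map('regex_replace', '^', 'DNS:') | join(',') }}" \
      -days 3650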
# Read the generated certificate; slurp returns the content base64-encoded,
# which is the encoding a Secret's `data` field expects.
- name: Read certificate
  slurp:
    src: "~/hybrid-files/certs/server.crt"
  register: certificate_output
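# Read the private key (base64, like the certificate). no_log keeps the
# registered key material out of verbose output and callback logs.
- name: Read private key
  slurp:
    src: "~/hybrid-files/certs/server.key"
  register: privatekey_output
  no_log: true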
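# TLS Secret referenced by the ApigeeRoute's credentialName below. The slurp
# output is already base64, so it goes straight into `data`. no_log because
# the rendered definition embeds the private key.
- name: Create secret
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      type: kubernetes.io/tls
      metadata:
        name: tls-hybrid-ingress
        namespace: apigee
      data:
        tls.crt: "{{ certificate_output.content }}"
        tls.key: "{{ privatekey_output.content }}"
  no_log: true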
# Render the apigeectl overrides file from its Jinja template into the
# overrides/ directory created earlier.
- name: Create overrides.yaml
  template:
    src: templates/overrides.yaml.j2
    dest: "~/hybrid-files/overrides/overrides.yaml"
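# Authorise the synchronizer service account to pull configuration for the
# organization. The access token is obtained with `command` (no shell) and
# kept out of logs; the API call goes through `uri`, which fails the task on
# a non-2xx response and does not place the bearer token in a process argv.
- name: Get gcloud access token
  command: gcloud auth print-access-token
  register: access_token
  changed_when: false
  no_log: true

- name: Enable synchronizer access
  uri:
    url: "https://apigee.googleapis.com/v1/organizations/{{ project_id }}:setSyncAuthorization"
    method: POST
    headers:
      Authorization: "Bearer {{ access_token.stdout }}"
    body_format: json
    body:
      identities:
        - "serviceAccount:apigee-synchronizer@{{ project_id }}.iam.gserviceaccount.com"
  no_log: true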
# Client-side dry run of `apigeectl init` to validate overrides.yaml before
# anything is created in the cluster. Runs from hybrid-files, presumably so
# the relative overrides path and the linked tools/config directories resolve.
- name: Dry-run (init)
  shell: "~/apigeectl/apigeectl init -f overrides/overrides.yaml --dry-run=client"
  args:
    chdir: ~/hybrid-files
# Real `apigeectl init`: installs the deployment controller and admission
# webhook. Same working directory as the dry run above.
- name: Install the Apigee deployment services Apigee Deployment Controller and Apigee Admission Webhook.
  shell: "~/apigeectl/apigeectl init -f overrides/overrides.yaml"
  args:
    chdir: ~/hybrid-files
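# `apigeectl init` returns before the controller is up; wait for it here so
# the Issuer/Certificate/Job checks below have something to observe.
- name: Wait for apigee-controller pod to be ready
  kubernetes.core.k8s_info:
    kind: Pod
    namespace: apigee-system
    label_selectors:
      - "app=apigee-controller"
    wait: true
    wait_timeout: 600
    wait_condition:
      type: Ready
      # compared as the string "True"; an unquoted True is a YAML boolean
      status: "True"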
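# cert-manager Issuer created by `apigeectl init`; Ready means cert-manager
# has accepted it.
- name: Wait for apigee-selfsigned-issuer issuer to be ready
  kubernetes.core.k8s_info:
    kind: Issuer
    name: apigee-selfsigned-issuer
    namespace: apigee-system
    wait: true
    wait_timeout: 600
    wait_condition:
      type: Ready
      # compared as the string "True"; an unquoted True is a YAML boolean
      status: "True"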
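# Certificate issued by the self-signed Issuer above; Ready means the
# serving secret has been populated.
- name: Wait for apigee-serving-cert certificate to be ready
  kubernetes.core.k8s_info:
    kind: Certificate
    name: apigee-serving-cert
    namespace: apigee-system
    wait: true
    wait_timeout: 600
    wait_condition:
      type: Ready
      # compared as the string "True"; an unquoted True is a YAML boolean
      status: "True"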
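# One-shot install Job run by the controller; Jobs signal success through the
# Complete condition rather than Ready.
- name: Wait for apigee-resources-install job to be complete
  kubernetes.core.k8s_info:
    kind: Job
    name: apigee-resources-install
    namespace: apigee-system
    wait: true
    wait_timeout: 360
    wait_condition:
      type: Complete
      # compared as the string "True"; an unquoted True is a YAML boolean
      status: "True"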
# Client-side dry run of `apigeectl apply` against the same overrides file,
# run before the real apply below.
- name: Dry-run (apply)
  shell: "~/apigeectl/apigeectl apply -f overrides/overrides.yaml --dry-run=client"
  args:
    chdir: ~/hybrid-files
# Real `apigeectl apply`: deploys the runtime components described in
# overrides.yaml.
- name: Install the Apigee runtime components
  shell: "~/apigeectl/apigeectl apply -f overrides/overrides.yaml"
  args:
    chdir: ~/hybrid-files
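# Wait for the runtime pods in the apigee namespace before wiring up routes
# and the external load balancer.
- name: Wait for apigee-runtime pod to be ready
  kubernetes.core.k8s_info:
    kind: Pod
    namespace: apigee
    label_selectors:
      - "app=apigee-runtime"
    wait: true
    wait_timeout: 360
    wait_condition:
      type: Ready
      # compared as the string "True"; an unquoted True is a YAML boolean
      status: "True"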
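# Wildcard route: terminate TLS on port 443 at the ingress gateway using the
# self-signed tls-hybrid-ingress Secret created above.
# NOTE(review): enableNonSniClient accepts TLS clients that send no SNI —
# presumably required for the load balancer's health checks; confirm.
- name: Create apigee-wildcard ApigeeRoute
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: apigee.cloud.google.com/v1alpha1
      kind: ApigeeRoute
      metadata:
        name: apigee-wildcard
        namespace: apigee
      spec:
        hostnames:
          - "*"
        ports:
          - number: 443
            protocol: HTTPS
            tls:
              credentialName: tls-hybrid-ingress
              mode: SIMPLE
        selector:
          app: apigee-ingressgateway
        enableNonSniClient: true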
# Google-managed certificate for the public hostnames collected in
# `hostnames`; it is attached to the Ingress below by annotation.
# `domains` is a single Jinja expression, so Ansible passes the list through.
- name: Create google-managed certificate
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: networking.gke.io/v1
      kind: ManagedCertificate
      metadata:
        name: "apigee-cert-hybrid"
        namespace: apigee
      spec:
        domains: "{{ hostnames }}"
# Load-balancer backend settings for the ingress gateway: HTTP health check
# on the gateway's status port (15021, see the Service below) and access
# logging of half the requests.
- name: Create backend config
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: cloud.google.com/v1
      kind: BackendConfig
      metadata:
        name: apigee-ingress-backendconfig
        namespace: apigee
      spec:
        healthCheck:
          type: HTTP
          port: 15021
          requestPath: /healthz/ready
        logging:
          enable: true
          sampleRate: 0.5
# ClusterIP Service fronting the ingress gateway pods. The annotations wire it
# to the BackendConfig above, request a NEG for the Ingress, and declare the
# protocol the load balancer must speak to each port (HTTPS to 8443, plain
# HTTP to the 15021 status port used for health checks).
- name: Create service
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Service
      metadata:
        name: apigee-ingressgateway-hybrid
        namespace: apigee
        labels:
          app: apigee-ingressgateway-hybrid
        annotations:
          cloud.google.com/backend-config: '{"default": "apigee-ingress-backendconfig"}'
          cloud.google.com/neg: '{"ingress": true}'
          cloud.google.com/app-protocols: '{"https":"HTTPS", "status-port": "HTTP"}'
      spec:
        type: ClusterIP
        selector:
          app: apigee-ingressgateway
          ingress_name: ingress
        ports:
          - name: status-port
            port: 15021
            targetPort: 15021
          - name: https
            port: 443
            targetPort: 8443
# External load balancer: uses the reserved global static IP named by
# `ingress_ip_name`, serves the managed certificate created above, and with
# allow-http "false" exposes no plaintext HTTP frontend. Everything is sent to
# the gateway Service's HTTPS port.
- name: Create ingress
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: xlb-apigee
        namespace: apigee
        annotations:
          kubernetes.io/ingress.global-static-ip-name: "{{ ingress_ip_name }}"
          networking.gke.io/managed-certificates: "apigee-cert-hybrid"
          kubernetes.io/ingress.allow-http: "false"
      spec:
        defaultBackend:
          service:
            name: apigee-ingressgateway-hybrid
            port:
              number: 443