Fix duplicated fileAssets bug (#40)

* Fix duplicated fileassets define

* Traling new line

* Define encryption provider via kops

* Add assert for encryptionConfig

* Add test_asserts.yml for CI test to verify input vars

* Migrate Travis CI to github action

* Remove travis CI config

* Remove tty in docker run

* Update to github action badge

* Fix the indentation format

* Make sure alwasy using latest image on localhost

* Fix the list index issue in ansible 2.5

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @Flaconi/devops

.github/release-drafter.yml

@@ -0,0 +1,25 @@
+---
+# Configuration for Release Drafter: https://github.com/toolmantim/release-drafter
+name-template: '$NEXT_MINOR_VERSION 🌈'
+tag-template: '$NEXT_MINOR_VERSION'
+categories:
+  - title: '🚀 Features'
+    labels:
+      - feature
+      - enhancement
+  - title: '🐛 Bug Fixes'
+    labels:
+      - fix
+      - bugfix
+      - bug
+  - title: '🧰 Maintenance'
+    labels:
+      - chore
+      - dependencies
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+branches:
+  - master
+template: |
+  ## What's Changed
+
+  $CHANGES

.github/workflows/ci.yaml

@@ -0,0 +1,22 @@
+---
+name: CI build
+on: [push]
+
+jobs:
+  ci_test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@master
+
+      - name: Lint Files
+        run: |
+          make lint
+
+      - name: Test Asserts with sample value ansible=2.8
+        run: |
+          make test
+
+      - name: Test Asserts with sample value ansible=latest
+        run: |
+          make test ANSIBLE_VERSION=latest

Makefile

@@ -1,7 +1,7 @@
 ###
 ### Variables
 ###
-ANSIBLE_VERSION=2.5
+ANSIBLE_VERSION=2.8
 
 
 ###
@@ -14,7 +14,7 @@ help:
 	@printf "%s\n"   "make help             Show help"
 
 test:
-	docker run --rm -it \
+	docker run --rm --pull=always \
 		-v ${PWD}:/etc/ansible/roles/rolename \
 		--workdir /etc/ansible/roles/rolename/tests \
 		flaconi/ansible:${ANSIBLE_VERSION} ./support/run-tests.sh

README.md

@@ -8,7 +8,7 @@ Full dry-run is supported.
 **Note:** By default only configuration files are created, actual state store or cluster actions
 must be explicitly stated.
 
-[![Build Status](https://travis-ci.org/Flaconi/ansible-role-kops.svg?branch=master)](https://travis-ci.org/Flaconi/ansible-role-kops)
+[![CI build](https://github.com/Flaconi/ansible-role-kops/actions/workflows/ci.yaml/badge.svg)](https://github.com/Flaconi/ansible-role-kops/actions/workflows/ci.yaml)
 [![Version](https://img.shields.io/github/tag/Flaconi/ansible-role-kops.svg)](https://github.com/Flaconi/ansible-role-kops/tags)
 [![Ansible Galaxy](https://img.shields.io/ansible/role/d/25923.svg)](https://galaxy.ansible.com/Flaconi/kops/)
 
@@ -19,7 +19,7 @@ This Ansible role is tagged according to the latest compatible (and tested by us
 
 ## Requirements
 
-* Ansible 2.5
+* Ansible 2.8
 * Python lib: [pyaml](https://github.com/yaml/pyyaml)
 * Binary: [kops](https://github.com/kubernetes/kops/blob/master/docs/install.md)
 

defaults/main.yml

@@ -90,3 +90,8 @@ kops_default_aws_iam_authenticator_enabled: false
 ### Cluster array definition (See README.md)
 ###
 kops_cluster: []
+
+kops_default_encryptionConfig:
+  enabled: false
+  image: "flaconi/aws-encryption-provider:v0.1.0"
+  kms_id: "12345678-1234-1234-1234-1234567890ab"

library/udiff.py

@@ -302,7 +302,10 @@ def normalize_yaml(string, ignore):
 
 
     # Sort the list by keys: metadata.name
-    s_sections = sorted(sections, key=lambda k: k['metadata']['name'])
+    if 'metadata' in ignore:
+      s_sections = sections
+    else:
+      s_sections = sorted(sections, key=lambda k: k['metadata']['name'])
 
     output = ''
     for section in s_sections:

meta/main.yml

@@ -6,7 +6,7 @@ galaxy_info:
   author: Patrick Plocke
   license: Apache 2.0
   description: Create customized KOPS (Kubernetes) templates.
-  min_ansible_version: 2.5
+  min_ansible_version: 2.8
   platforms:
     - name: all
       versions:

tasks/asserts.yml

@@ -86,3 +86,50 @@
       is not within '[{{ cluster.az | default(kops_default_az) | join(',') }}]'
   with_items:
     - "{{ cluster.workers }}"
+
+###
+### Validate encryptionConfig setting
+###
+- name: "({{ cluster.name }}) ensure encryptionConfig enabled is boolean"
+  assert:
+    that:
+      - item.enabled is defined
+      - item.enabled | type_debug == 'bool'
+    msg: "enabled should be true or false"
+  with_items:
+    - >-
+      {%- if cluster.encryptionConfig is defined and 'enabled' in cluster.encryptionConfig -%}
+      {{ cluster.encryptionConfig }}
+      {%- else -%}
+      {{ kops_default_encryptionConfig }}
+      {%- endif -%}
+
+- name: "({{ cluster.name }}) ensure encryptionConfig image is defined"
+  assert:
+    that:
+      - item.image is defined
+      - item.image | length > 0
+    msg: "No 'image' is defined"
+  with_items:
+    - >-
+      {%- if cluster.encryptionConfig is defined and 'enabled' in cluster.encryptionConfig and
+      cluster.encryptionConfig.enabled -%}
+      {{ cluster.encryptionConfig }}
+      {%- else -%}
+      {{ kops_default_encryptionConfig }}
+      {%- endif -%}
+
+- name: "({{ cluster.name }}) ensure encryptionConfig kms_id is defined"
+  assert:
+    that:
+      - item.kms_id is defined
+      - item.kms_id | length == 36
+    msg: "Check 'kms_id' is defined and length is 36"
+  with_items:
+    - >-
+      {%- if cluster.encryptionConfig is defined and 'enabled' in cluster.encryptionConfig and
+      cluster.encryptionConfig.enabled -%}
+      {{ cluster.encryptionConfig }}
+      {%- else -%}
+      {{ kops_default_encryptionConfig }}
+      {%- endif -%}

tasks/generate_templates.yml

@@ -13,6 +13,7 @@
   loop:
     - cluster.yml
     - instance-groups.yml
+    - encryption-config.yml
     - ssh-key.pub
 
 - name: "({{ cluster.name }}) generate shell scripts"

tasks/run_kops.yml

@@ -51,6 +51,30 @@
     - kops_update is defined
     - kops_update == 'state' or kops_update == 'update' or kops_update == 'all'
 
+- name: "({{ cluster.name }}) diff generated EncryptionConfiguration against remote state store"
+  udiff:
+    source: "{{ lookup('template', 'encryption-config.yml.j2') }}"
+    target: |
+      # If using boto_profile, make kops aware of it
+      if [ -n "${BOTO_PROFILE}" ]; then
+        export AWS_PROFILE="{{ kops_aws_profile | default('') }}";
+      fi
+      # Don't fail to show that remote has nothing yet
+      kops get secret encryptionconfig -o plaintext \
+        --state s3://{{ cluster.s3_bucket_name }} \
+        --name {{ cluster.name }} || true
+    source_type: string
+    target_type: command
+    diff: yaml
+    diff_yaml_ignore: ['metadata']
+  check_mode: False
+  register: _kops_diff_state_encryptionconfig
+  environment:
+    BOTO_PROFILE: "{{ kops_aws_profile | default('') }}"
+  when:
+    - kops_update is defined
+    - kops_update == 'state' or kops_update == 'update' or kops_update == 'all'
+
 - name: "({{ cluster.name }}) diff ssh public key against remote state store"
   udiff:
     source: |
@@ -123,6 +147,25 @@
     - kops_update is defined
     - kops_update == 'state' or kops_update == 'update' or kops_update == 'all'
 
+- name: "({{ cluster.name }}) update state store for EncryptionConfiguration"
+  shell: |
+    # If using boto_profile, make kops aware of it
+    if [ -n "${BOTO_PROFILE}" ]; then
+      export AWS_PROFILE="{{ kops_aws_profile | default('') }}";
+    fi
+    kops create secret encryptionconfig -v 9 --force \
+      --state s3://{{ cluster.s3_bucket_name }} \
+      --name {{ cluster.name }} \
+      -f {{ kops_default_build_directory }}/{{ cluster.name }}/encryption-config.yml
+  args:
+    executable: bash
+  environment:
+    BOTO_PROFILE: "{{ kops_aws_profile | default('') }}"
+  when:
+    - _kops_diff_state_encryptionconfig['changed']
+    - kops_update is defined
+    - kops_update == 'state' or kops_update == 'update' or kops_update == 'all'
+
 - name: "({{ cluster.name }}) update state store for ssh public key"
   shell: |
     # If using boto_profile, make kops aware of it

templates/cluster.yml.j2

@@ -30,10 +30,60 @@ spec:
   kubeAPIServer:
 {{ cluster.kube_api_server | to_nice_yaml(indent=2) | indent(width=4, first=True) }}
 {% endif %}
-{% if 'file_assets' in cluster and cluster.file_assets %}
+{% set file_assets_enabled = true if 'file_assets' in cluster and cluster.file_assets %}
+{% set encryption_enabled = true if cluster.encryptionConfig is defined and 'enabled' in cluster.encryptionConfig and cluster.encryptionConfig.enabled %}
+{% if file_assets_enabled or encryption_enabled %}
   fileAssets:
+{% if file_assets_enabled %}
 {{ cluster.file_assets | to_nice_yaml(indent=2) | indent(width=4, first=True) }}
+{%- endif %}
+{% if encryption_enabled %}
+    - name: aws-encryption-provider.yaml
+      ## Note if not path is specified the default path it /srv/kubernetes/assets/<name>
+      path: /etc/kubernetes/manifests/aws-encryption-provider.yaml
+      roles:
+      - Master
+      content: |
+        apiVersion: v1
+        kind: Pod
+        metadata:
+          annotations:
+            scheduler.alpha.kubernetes.io/critical-pod: ""
+          labels:
+            k8s-app: aws-encryption-provider
+          name: aws-encryption-provider
+          namespace: kube-system
+        spec:
+          containers:
+          - image: {{ cluster.encryptionConfig.image }}
+            name: aws-encryption-provider
+            command:
+            - /aws-encryption-provider
+            - --key=arn:aws:kms:{{ cluster.region }}:{{ aws_account }}:key/{{ cluster.encryptionConfig.kms_id }}
+            - --region={{ cluster.region }}
+            - --listen=/srv/kubernetes/socket.sock
+            - --health-port=:8083
+            ports:
+            - containerPort: 8083
+              protocol: TCP
+            livenessProbe:
+              httpGet:
+                path: /healthz
+                port: 8083
+            volumeMounts:
+            - mountPath: /srv/kubernetes
+              name: kmsplugin
+          hostNetwork: true
+          priorityClassName: system-cluster-critical
+          volumes:
+          - name: kmsplugin
+            hostPath:
+              path: /srv/kubernetes
+              type: DirectoryOrCreate
+{% endif %}
+{# End of encryption_enabled #}
 {% endif %}
+{# End of file_assets_enabled or encryption_enabled #}
 {% if 'additionalPolicies' in cluster and cluster.additionalPolicies and
   ( 'node' in cluster.additionalPolicies and cluster.additionalPolicies.node or
   'master' in cluster.additionalPolicies and cluster.additionalPolicies.master ) %}
@@ -129,47 +179,4 @@ spec:
 {% if cluster.encryptionConfig is defined and 'enabled' in cluster.encryptionConfig and
   cluster.encryptionConfig.enabled %}
   encryptionConfig: true
-  fileAssets:
-  - name: aws-encryption-provider.yaml
-    ## Note if not path is specified the default path it /srv/kubernetes/assets/<name>
-    path: /etc/kubernetes/manifests/aws-encryption-provider.yaml
-    roles:
-    - Master
-    content: |
-      apiVersion: v1
-      kind: Pod
-      metadata:
-        annotations:
-          scheduler.alpha.kubernetes.io/critical-pod: ""
-        labels:
-          k8s-app: aws-encryption-provider
-        name: aws-encryption-provider
-        namespace: kube-system
-      spec:
-        containers:
-        - image: {{ cluster.encryptionConfig.image }}
-          name: aws-encryption-provider
-          command:
-          - /aws-encryption-provider
-          - --key=arn:aws:kms:{{ cluster.region }}:{{ aws_account }}:key/{{ cluster.encryptionConfig.kms_id }}
-          - --region={{ cluster.region }}
-          - --listen=/srv/kubernetes/socket.sock
-          - --health-port=:8083
-          ports:
-          - containerPort: 8083
-            protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 8083
-          volumeMounts:
-          - mountPath: /srv/kubernetes
-            name: kmsplugin
-        hostNetwork: true
-        priorityClassName: system-cluster-critical
-        volumes:
-        - name: kmsplugin
-          hostPath:
-            path: /srv/kubernetes
-            type: DirectoryOrCreate
 {% endif %}