Merge branch 'master' into create-service-account-token
robertvolkmann authored Feb 12, 2024
2 parents 75f874c + 6952b74 commit 6cbdb0b
Showing 4 changed files with 79 additions and 29 deletions.
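--- a/partition/roles/pixiecore/README.md
+++ b/partition/roles/pixiecore/README.md
@@ -4,18 +4,25 @@ Deploys pixiecore in a systemd-managed Docker container.
 
 ## Variables
 
-| Name                              | Mandatory | Description                                                                                                   |
-| --------------------------------- | --------- | ------------------------------------------------------------------------------------------------------------- |
-| pixiecore_image_name              | yes       | Image version of the pixiecore                                                                                |
-| pixiecore_image_tag               | yes       | Image tag of the pixiecore                                                                                    |
-| pixiecore_api_host                | yes       | The host on which the metal-hammer can reach the pixiecore to ask for metal-api communication credentials.    |
-| pixiecore_api_port                |           | The port on which the pixiecore api is listening                                                              |
-| pixiecore_dns_servers             |           | Alternative DNS servers to be used by the pixiecore (can be used for configuring kernel and boot image cache) |
-| pixiecore_partition_id            |           | The partition where pixiecore is installed                                                                    |
-| pixiecore_grpc_cert_dir           |           | The directory where the grpc certificates reside                                                              |
-| pixiecore_grpc_ca_cert            | yes       | The filename of the ca certificate                                                                            |
-| pixiecore_grpc_client_cert        | yes       | The filename of the client certificate                                                                        |
-| pixiecore_grpc_client_key         | yes       | The filename of the client key                                                                                |
-| pixiecore_grpc_address            |           | The address of metal-api grpc endpoint in the form (ip or hostname:port)                                      |
-| pixiecore_metal_api_url           |           | The URL where to reach metal-api                                                                              |
-| pixiecore_metal_api_hmac_view_key |           | A view hmac to authenticate against metal-api (given to the metal-hammer)                                     |
+| Name                                        | Mandatory | Description                                                                                                   |
+|---------------------------------------------|-----------|---------------------------------------------------------------------------------------------------------------|
+| pixiecore_image_name                        | yes       | Image version of the pixiecore                                                                                |
+| pixiecore_image_tag                         | yes       | Image tag of the pixiecore                                                                                    |
+| pixiecore_debug                             |           | Enable debugging                                                                                              |
+| pixiecore_api_host                          | yes       | The host on which the metal-hammer can reach the pixiecore to ask for metal-api communication credentials.    |
+| pixiecore_api_port                          |           | The port on which the pixiecore api is listening                                                              |
+| pixiecore_dns_servers                       |           | Alternative DNS servers to be used by the pixiecore (can be used for configuring kernel and boot image cache) |
+| pixiecore_partition_id                      |           | The partition where pixiecore is installed                                                                    |
+| pixiecore_grpc_cert_dir                     |           | The directory where the grpc certificates reside                                                              |
+| pixiecore_grpc_ca_cert                      | yes       | The filename of the ca certificate                                                                            |
+| pixiecore_grpc_client_cert                  | yes       | The filename of the client certificate                                                                        |
+| pixiecore_grpc_client_key                   | yes       | The filename of the client key                                                                                |
+| pixiecore_grpc_address                      |           | The address of metal-api grpc endpoint in the form (ip or hostname:port)                                      |
+| pixiecore_metal_api_url                     |           | The URL where to reach metal-api                                                                              |
+| pixiecore_metal_api_hmac_view_key           |           | A view hmac to authenticate against metal-api (given to the metal-hammer)                                     |
+| pixiecore_metal_hammer_logging_endpoint     |           | set metal-hammer to send logs to this endpoint                                                                |
+| pixiecore_metal_hammer_logging_user         |           | set metal-hammer to send logs to a remote endpoint and authenticate with this user for basic auth             |
+| pixiecore_metal_hammer_logging_password     |           | set metal-hammer to send logs to a remote endpoint and authenticate with this password for basic auth         |
+| pixiecore_metal_hammer_logging_cert         |           | set metal-hammer to send logs to a remote endpoint and authenticate with this cert for mtls auth              |
+| pixiecore_metal_hammer_logging_key          |           | set metal-hammer to send logs to a remote endpoint and authenticate with this key for mtls auth               |
+| pixiecore_metal_hammer_logging_tls_insecure |           | set metal-hammer to send logs to a remote endpoint without verifying the tls certificate for mtls auth        |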
9 changes: 8 additions & 1 deletion partition/roles/pixiecore/defaults/main/main.yaml
@@ -1,7 +1,7 @@
---
pixiecore_dns_servers: []
pixiecore_partition_id: "{{ metal_partition_id }}"

pixiecore_debug: false
pixiecore_api_port: 4242

pixiecore_grpc_address: "{{ metal_partition_metal_api_grpc_address }}"
Expand All @@ -12,3 +12,10 @@ pixiecore_grpc_client_key: "{{ metal_partition_metal_api_grpc_client_key }}"

pixiecore_metal_api_url: "{{ metal_partition_metal_api_protocol }}://{{ metal_partition_metal_api_addr }}:{{ metal_partition_metal_api_port }}{{ metal_partition_metal_api_basepath }}"
pixiecore_metal_api_hmac_view_key: "{{ metal_partition_metal_api_hmac_view_key }}"

pixiecore_metal_hammer_logging_endpoint:
pixiecore_metal_hammer_logging_user:
pixiecore_metal_hammer_logging_password:
pixiecore_metal_hammer_logging_cert:
pixiecore_metal_hammer_logging_key:
pixiecore_metal_hammer_logging_tls_insecure: false
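Review bot: The five new `pixiecore_metal_hammer_logging_*` defaults in the second hunk are written as bare `key:` values, which YAML reads as null; yamllint's empty-values check flags this, and a reader cannot tell whether "unset" or "empty string" was intended. Spell the intent out, e.g. `pixiecore_metal_hammer_logging_password: null`, for each of endpoint, user, password, cert and key; the template's truthiness checks behave the same either way. Since `pixiecore_metal_hammer_logging_password` and `pixiecore_metal_hammer_logging_key` are credentials, a one-line comment above them saying the real values are expected from an encrypted vars source (vault) rather than a plain vars file would help operators who copy this defaults file as a starting point.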
32 changes: 19 additions & 13 deletions partition/roles/pixiecore/tasks/main.yaml
Expand Up @@ -36,6 +36,24 @@
label: "{{ item.filename }}"
register: grpc_certs

- name: copy logging certificates
copy:
dest: "{{ pixiecore_grpc_cert_dir }}/{{ item.filename }}"
mode: 0640
content: "{{ item.content }}"
no_log: yes
loop:
- filename: logging-client.crt
content: "{{ pixiecore_metal_hammer_logging_cert }}"
- filename: logging-client.key
content: "{{ pixiecore_metal_hammer_logging_key }}"
loop_control:
label: "{{ item.filename }}"
register: loki_certs
when:
- pixiecore_metal_hammer_logging_cert
- pixiecore_metal_hammer_logging_key

- name: deploy pixiecore
include_role:
name: ansible-common/roles/systemd-docker-service
Expand All @@ -57,17 +75,5 @@
systemd_docker_network: host
# With the flag --dhcp-no-bind Pixiecore does not bind to the DHCP port and only listens for Pixie-Requests
# This enables to use an existing DHCP server
systemd_docker_command:
- "grpc"
- "--debug"
- "--dhcp-no-bind"
- "--port={{ pixiecore_api_port }}"
- "--pixie-api-url={{ pixiecore_api_host }}:{{ pixiecore_api_port }}/certs"
- "--grpc-address={{ pixiecore_grpc_address }}"
- "--grpc-ca-cert=/certs/grpc/ca.pem"
- "--grpc-cert=/certs/grpc/client.pem"
- "--grpc-key=/certs/grpc/client-key.pem"
- "--metal-api-url={{ pixiecore_metal_api_url }}"
- "--metal-api-view-hmac={{ pixiecore_metal_api_hmac_view_key }}"
- "--partition={{ pixiecore_partition_id }}"
systemd_docker_command: "{{ lookup('template', 'pixie-cmd.j2') | from_yaml }}"
systemd_external_config_changed: "{{ grpc_certs is changed }}"
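Review bot: The new `copy logging certificates` task registers `loki_certs`, but the only restart trigger for the service, `systemd_external_config_changed: "{{ grpc_certs is changed }}"` in the second hunk, still looks at `grpc_certs` alone, so a rotated logging client cert or key is written to disk without the container being restarted; change it to `systemd_external_config_changed: "{{ grpc_certs is changed or loki_certs is changed }}"` (a skipped task registers `changed: false`, so the expression stays safe when logging is disabled). The register name `loki_certs` also does not match the task name and the variable prefix; `logging_certs` would keep the role greppable. In the same task, `mode: 0640` is an unquoted octal literal that ansible-lint's risky-octal rule flags, and `no_log: yes` uses a 1.1 truthy spelling; write `mode: "0640"` and `no_log: true`. Given the loop also writes the private key, consider a tighter mode for `logging-client.key` than for the certificate. The task list continues outside both hunks.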
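--- a/partition/roles/pixiecore/templates/pixie-cmd.j2
+++ b/partition/roles/pixiecore/templates/pixie-cmd.j2
@@ -0,0 +1,30 @@
+- "grpc"
+{% if pixiecore_debug %}
+- "--debug"
+{% endif %}
+- "--dhcp-no-bind"
+- "--port={{ pixiecore_api_port }}"
+- "--pixie-api-url={{ pixiecore_api_host }}:{{ pixiecore_api_port }}/certs"
+- "--grpc-address={{ pixiecore_grpc_address }}"
+- "--grpc-ca-cert=/certs/grpc/ca.pem"
+- "--grpc-cert=/certs/grpc/client.pem"
+- "--grpc-key=/certs/grpc/client-key.pem"
+- "--metal-api-url={{ pixiecore_metal_api_url }}"
+- "--metal-api-view-hmac={{ pixiecore_metal_api_hmac_view_key }}"
+- "--partition={{ pixiecore_partition_id }}"
+{% if pixiecore_metal_hammer_logging_endpoint %}
+- "--metal-hammer-logging-endpoint={{ pixiecore_metal_hammer_logging_endpoint }}"
+{% endif %}
+{% if pixiecore_metal_hammer_logging_user %}
+- "--metal-hammer-logging-user={{ pixiecore_metal_hammer_logging_user }}"
+{% endif %}
+{% if pixiecore_metal_hammer_logging_password %}
+- "--metal-hammer-logging-password={{ pixiecore_metal_hammer_logging_password }}"
+{% endif %}
+{% if pixiecore_metal_hammer_logging_cert and pixiecore_metal_hammer_logging_key %}
+- "--metal-hammer-logging-cert=/certs/grpc/logging-client.crt"
+- "--metal-hammer-logging-key=/certs/grpc/logging-client.key"
+{% endif %}
+{% if pixiecore_metal_hammer_logging_tls_insecure %}
+- "--metal-hammer-logging-tls-insecure={{ pixiecore_metal_hammer_logging_tls_insecure | lower }}"
+{% endif %}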
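Review bot: The `--metal-hammer-logging-password` item, like the pre-existing `--metal-api-view-hmac` one, places a credential in the container's command line, which ends up in the rendered systemd unit and is visible to anyone who can list processes or inspect the container on the host; if pixiecore accepts these values from an environment variable or a file, preferring that path would keep them out of the unit file and process table, and a comment in the template stating that the command line is not a confidential channel would at least document the trade-off. Separately, every value here is interpolated into a double-quoted YAML scalar that `from_yaml` then parses, so a password containing a `"` or `\` breaks the parse or silently alters the argument; building the item as a JSON string avoids that, e.g. `- {{ ('--metal-hammer-logging-password=' ~ pixiecore_metal_hammer_logging_password) | to_json }}`, and the same treatment fits the user, endpoint and HMAC items. The `| lower` on the tls-insecure flag is only reached when the value is truthy, so it always renders `true`; a comment noting this, or dropping the interpolation in favour of a literal, would make the intent clearer.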
