anthos-bm-edge-deployment/roles/abm-software/tasks/csi-longhorn.yaml (90 lines of code) (raw):
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
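# Probe Secret Manager for the Longhorn HMAC secret.
# The script exits 0 only when the secret is listed and has at least one
# enabled version; every other outcome exits 1. The result is registered as
# hmac_longhorn_secret and its rc gates the key-creation task that follows.
# NOTE(review): a gcloud failure (expired credentials, missing IAM permission,
# API outage) also produces empty output and therefore rc 1, which is
# indistinguishable from "secret absent" and leads to a new HMAC key being
# minted. Confirm that is acceptable for this environment.
- name: Get the HMAC cloud stroage key from Secret Manager IF it exists
  run_once: true
  # A non-zero rc is an expected answer here, not a reason to stop the play.
  ignore_errors: true
  shell: |
    HAS_SECRET="$(gcloud secrets list --filter="name~{{ longhorn_secret_name }}" --format="value(name)" --project="{{ google_project_id }}")"
    if [ -z "${HAS_SECRET}" ]; then
      exit 1
    fi
    # The name~ filter is a pattern match and can also list similarly named
    # secrets; the exact-name version lookup below is what settles the answer.
    VERSION_EXISTS="$(gcloud secrets versions list "{{ longhorn_secret_name }}" --filter="state=enabled" --format="value(name)" --project="{{ google_project_id }}")"
    if [ -z "${VERSION_EXISTS}" ]; then
      # no valid versions found, need to create a new one
      exit 1
    fi
    exit 0
  args:
    executable: /bin/bash
  environment:
    PATH: "{{ tools_base_path }}/google-cloud-sdk/bin:{{ ansible_env.PATH }}"
  register: hmac_longhorn_secret
  # This task only reads from Secret Manager, so it never reports "changed".
  changed_when: false
  tags:
    - longhorn-hmac-keys
    - longhorn-install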
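# TODO: Check for existing secret and/or HMAC key on bucket before creating a new one
# Mint a new HMAC key for the longhorn-cloud-storage service account and store
# it in Secret Manager as a JSON document (access_key, access_secret, endpoint).
# Runs only when the preceding lookup registered a non-zero rc.
#
# Security notes:
#   - The key material is held in shell variables and piped to gcloud on stdin.
#     It is no longer written to fixed, predictable paths under /tmp, where it
#     would be created with the default umask and be exposed to other local
#     users and to symlink tricks.
#   - The script stops at the first failing command, so a failed key creation
#     or upload fails the task instead of being hidden behind the exit status
#     of a trailing cleanup command.
#   - If the upload fails after the key was minted, the key still exists on the
#     service account and should be deleted manually.
- name: Create new HMAC key for longhorn backup to cloud stoarge and push to Secret Manager
  run_once: true
  shell: |
    set -euo pipefail

    hmac_output="$(gsutil hmac create "longhorn-cloud-storage@{{ google_project_id }}.iam.gserviceaccount.com")"

    # gsutil prints two "label: value" lines; collapse the values onto one
    # line, then pick the first (access ID) and second (secret) field.
    hmac_fields="$(printf '%s\n' "${hmac_output}" | awk -F: '{print $2}' | xargs)"
    access_key="$(printf '%s\n' "${hmac_fields}" | awk '{print $1}')"
    access_secret="$(printf '%s\n' "${hmac_fields}" | awk '{print $2}')"
    if [ -z "${access_key}" ] || [ -z "${access_secret}" ]; then
      echo "could not parse the output of gsutil hmac create" >&2
      exit 1
    fi

    # The lookup task also reports "missing" when the secret exists but has no
    # enabled version, so create the secret only when it is really absent.
    if ! gcloud secrets describe "{{ longhorn_secret_name }}" --project="{{ google_project_id }}" > /dev/null 2>&1; then
      gcloud secrets create "{{ longhorn_secret_name }}" --replication-policy="automatic" --project="{{ google_project_id }}"
    fi

    # --data-file=- reads the payload from stdin; --project keeps the new
    # version in the same project as the secret itself.
    printf '{"access_key": "%s", "access_secret": "%s" , "endpoint" : "https://storage.googleapis.com" }\n' "${access_key}" "${access_secret}" \
      | gcloud secrets versions add "{{ longhorn_secret_name }}" --data-file=- --project="{{ google_project_id }}"
  args:
    executable: /bin/bash
  environment:
    PATH: "{{ tools_base_path }}/google-cloud-sdk/bin:{{ ansible_env.PATH }}"
  when: hmac_longhorn_secret.rc > 0
  tags:
    - longhorn-hmac-keys
    - longhorn-install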
# Render longhorn-default-setting.yaml.j2 into the directory given by
# acm_config_files. Runs only on the host where primary_cluster_machine is
# defined and true.
- name: Copy Longhorn namespace and configmap
  when:
    - primary_cluster_machine is defined
    - primary_cluster_machine == true
  template:
    dest: "{{ acm_config_files }}/longhorn-default-setting.yaml"
    src: longhorn-default-setting.yaml.j2
  tags:
    - longhorn-config-management
    - longhorn-install
# Apply the rendered longhorn-default-setting.yaml with kubectl, using the
# kubeconfig at kubeconfig_shared_location. Retried (up to 3 retries) until
# kubectl exits 0. Runs only on the primary cluster machine.
# NOTE(review): unlike the neighbouring tasks, this one carries no
# longhorn-install tag, so a run limited to that tag skips it. Confirm that is
# intended.
- name: Create Longhorn namespace and configmap
  when:
    - primary_cluster_machine is defined
    - primary_cluster_machine == true
  environment:
    KUBECONFIG: "{{ kubeconfig_shared_location }}"
  command: "kubectl apply -f {{ acm_config_files }}/longhorn-default-setting.yaml"
  register: cmc_result
  until: cmc_result.rc == 0
  retries: 3
  tags:
    - longhorn-config-management
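# Download the Longhorn installation manifest to longhorn_installation_dir as
# a file readable only by its owner (mode 0400). Runs only on the primary
# cluster machine.
#
# The downloaded manifest is applied to the cluster by a later task, so its
# integrity matters. longhorn_installation_yaml_checksum is a new, optional
# variable introduced by this task: set it to "<algorithm>:<hex digest>"
# (for example "sha256:<digest of the pinned release>") to make get_url reject
# a file that does not match. When the variable is unset the parameter is
# omitted and the task behaves as before.
- name: Download Longhorn YAML installation script
  ansible.builtin.get_url:
    url: "{{ longhorn_installation_yaml_url }}"
    dest: "{{ longhorn_installation_dir }}/longhorn.yaml"
    mode: '0400'
    checksum: "{{ longhorn_installation_yaml_checksum | default(omit) }}"
  when:
    - (primary_cluster_machine is defined)
    - (primary_cluster_machine == true)
  tags:
    - longhorn-config-management
    - longhorn-install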
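# Apply the downloaded longhorn.yaml manifest with kubectl, using the
# kubeconfig at kubeconfig_shared_location. Retried (up to 3 retries) until
# kubectl exits 0. Runs only on the primary cluster machine.
# The task name used to be a copy of the earlier "Create Longhorn namespace and
# configmap" task, which made the two indistinguishable in play output and
# ambiguous for --start-at-task; it now describes what this task applies.
- name: Apply Longhorn installation manifest
  command:
    cmd: kubectl apply -f {{ longhorn_installation_dir }}/longhorn.yaml
  when:
    - (primary_cluster_machine is defined)
    - (primary_cluster_machine == true)
  retries: 3
  register: long_result
  until: long_result.rc == 0
  environment:
    KUBECONFIG: "{{ kubeconfig_shared_location }}"
  tags:
    - longhorn-config-management
    - longhorn-install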