Enhance Authentik and Newt configurations to support Open WebUI integration. Add necessary environment variables and secrets management for Open WebUI in .env.sample and Ansible tasks. Update README to clarify setup steps for automating HTTP resources with Pangolin, ensuring consistency with new branding and deployment practices.

2026-05-15 00:04:34 -04:00
parent 97da42b15c
commit 2fb86f5930
18 changed files with 674 additions and 45 deletions
--- a/ansible/roles/noble_newt/defaults/main.yml
+++ b/ansible/roles/noble_newt/defaults/main.yml
@@ -1,3 +1,11 @@
 ---
 # Set true after creating the newt-pangolin-auth Secret (see role / cluster docs).
 noble_newt_install: true
+
+# Pangolin Integration API — idempotent HTTP resources + Traefik targets (see clusters/noble/bootstrap/newt/README.md §4).
+noble_pangolin_sync_http_resources: false
+# Extra FQDNs to sync (in addition to **noble_authentik_ingress_extra_hosts** + **noble_open_webui_public_host** when set).
+noble_pangolin_http_fqdns_extra: []
+# Traefik HTTPS backend for Pangolin targets (MetalLB / LAN VIP). Empty → **kubectl** discovers the Traefik Service.
+noble_pangolin_traefik_target_ip: ""
+noble_pangolin_traefik_target_port: 443
--- a/ansible/roles/noble_newt/tasks/main.yml
+++ b/ansible/roles/noble_newt/tasks/main.yml
@@ -3,40 +3,46 @@
  ansible.builtin.debug:
    msg: "noble_newt_install is false — set PANGOLIN_ENDPOINT, NEWT_ID, NEWT_SECRET in repo .env (or create the Secret manually) and set noble_newt_install=true to deploy Newt."
  when: not (noble_newt_install | bool)
+  tags: [newt]

- name: Create Newt namespace
-  ansible.builtin.command:
-    argv:
-      - kubectl
-      - apply
-      - -f
-      - "{{ noble_repo_root }}/clusters/noble/bootstrap/newt/namespace.yaml"
-  environment:
-    KUBECONFIG: "{{ noble_kubeconfig }}"
+- name: Deploy Newt (Pangolin tunnel) and optional Pangolin HTTP resource sync
  when: noble_newt_install | bool
-  changed_when: true
+  tags: [newt, pangolin]
+  block:
+    - name: Create Newt namespace
+      ansible.builtin.command:
+        argv:
+          - kubectl
+          - apply
+          - -f
+          - "{{ noble_repo_root }}/clusters/noble/bootstrap/newt/namespace.yaml"
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+      changed_when: true

- name: Apply Newt Pangolin auth Secret from repository .env (optional)
-  ansible.builtin.include_tasks: from_env.yml
-  when: noble_newt_install | bool
+    - name: Apply Newt Pangolin auth Secret from repository .env (optional)
+      ansible.builtin.include_tasks: from_env.yml

- name: Install Newt chart
-  ansible.builtin.command:
-    argv:
-      - helm
-      - upgrade
-      - --install
-      - newt
-      - fossorial/newt
-      - --namespace
-      - newt
-      - --version
-      - "1.5.0"
-      - -f
-      - "{{ noble_repo_root }}/clusters/noble/bootstrap/newt/values.yaml"
-      - --force-conflicts
-      - --wait
-  environment:
-    KUBECONFIG: "{{ noble_kubeconfig }}"
-  when: noble_newt_install | bool
-  changed_when: true
+    - name: Install Newt chart
+      ansible.builtin.command:
+        argv:
+          - helm
+          - upgrade
+          - --install
+          - newt
+          - fossorial/newt
+          - --namespace
+          - newt
+          - --version
+          - "1.5.0"
+          - -f
+          - "{{ noble_repo_root }}/clusters/noble/bootstrap/newt/values.yaml"
+          - --force-conflicts
+          - --wait
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+      changed_when: true
+
+    - name: Optional Pangolin Integration API (HTTP resources + Traefik targets)
+      ansible.builtin.include_tasks: pangolin_sync.yml
+      when: noble_pangolin_sync_http_resources | default(false) | bool
--- a/ansible/roles/noble_newt/tasks/pangolin_sync.yml
+++ b/ansible/roles/noble_newt/tasks/pangolin_sync.yml
@@ -0,0 +1,95 @@
+---
+# Pangolin Integration API — public HTTP resources → Newt site → Traefik (see clusters/noble/bootstrap/newt/README.md §4).
+# Included only when **noble_pangolin_sync_http_resources** is true.
+- name: Build Pangolin HTTP FQDN list
+  ansible.builtin.set_fact:
+    noble_pangolin_http_fqdns_effective: >-
+      {{
+        (
+          noble_pangolin_http_fqdns_extra | default([])
+          + (noble_authentik_ingress_extra_hosts | default([]))
+          + ([noble_open_webui_public_host | trim] if (noble_open_webui_public_host | default('') | trim | length) > 0 else [])
+        ) | unique | list
+      }}
+
+- name: Discover Traefik LoadBalancer IP for Pangolin targets (when not set explicitly)
+  ansible.builtin.command:
+    argv:
+      - kubectl
+      - get
+      - svc
+      - -n
+      - traefik
+      - -l
+      - app.kubernetes.io/name=traefik
+      - -o
+      - jsonpath={.items[0].status.loadBalancer.ingress[0].ip}
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  register: noble_pangolin_traefik_lb_ip
+  changed_when: false
+  failed_when: false
+  when:
+    - noble_pangolin_http_fqdns_effective | length > 0
+    - noble_pangolin_traefik_target_ip | default('') | trim | length == 0
+
+- name: Resolve Traefik IP for Pangolin sync
+  ansible.builtin.set_fact:
+    noble_pangolin_traefik_ip_resolved: >-
+      {{
+        (noble_pangolin_traefik_target_ip | default('') | trim)
+        if (noble_pangolin_traefik_target_ip | default('') | trim | length > 0)
+        else (noble_pangolin_traefik_lb_ip.stdout | default('') | trim)
+      }}
+  when: noble_pangolin_http_fqdns_effective | length > 0
+
+- name: Require Traefik IP for Pangolin sync
+  ansible.builtin.assert:
+    that:
+      - noble_pangolin_traefik_ip_resolved | length > 0
+    fail_msg: >-
+      Set **noble_pangolin_traefik_target_ip** in inventory (Traefik Service LoadBalancer / MetalLB IP), or ensure
+      **kubectl** can read **traefik** Services (see **clusters/noble/bootstrap/traefik/**).
+  when: noble_pangolin_http_fqdns_effective | length > 0
+
+- name: Stat repository .env for Pangolin API credentials
+  ansible.builtin.stat:
+    path: "{{ noble_repo_root }}/.env"
+  register: noble_pangolin_env_file
+  changed_when: false
+  when: noble_pangolin_http_fqdns_effective | length > 0
+
+- name: Require .env for Pangolin Integration API secrets
+  ansible.builtin.assert:
+    that:
+      - noble_pangolin_env_file.stat.exists | default(false)
+    fail_msg: >-
+      Pangolin sync needs **.env** at the repo root with **NOBLE_PANGOLIN_*** variables (see **.env.sample**).
+  when: noble_pangolin_http_fqdns_effective | length > 0
+
+- name: Sync Pangolin public HTTP resources (Integration API)
+  ansible.builtin.command:
+    argv:
+      - python3
+      - "{{ noble_repo_root }}/clusters/noble/bootstrap/newt/scripts/sync_pangolin_http_resources.py"
+      - "--env-file"
+      - "{{ noble_repo_root }}/.env"
+      - "--fqdns"
+      - "{{ noble_pangolin_http_fqdns_effective | join(',') }}"
+      - "--traefik-ip"
+      - "{{ noble_pangolin_traefik_ip_resolved }}"
+      - "--traefik-port"
+      - "{{ noble_pangolin_traefik_target_port | int | string }}"
+  register: noble_pangolin_sync_cmd
+  changed_when: >-
+    '[create]' in (noble_pangolin_sync_cmd.stdout | default(''))
+    or '[target]' in (noble_pangolin_sync_cmd.stdout | default(''))
+    or 'target created' in (noble_pangolin_sync_cmd.stdout | default(''))
+  when: noble_pangolin_http_fqdns_effective | length > 0
+
+- name: Skip Pangolin sync (no public FQDNs configured)
+  ansible.builtin.debug:
+    msg: >-
+      noble_pangolin_sync_http_resources is true but the FQDN list is empty
+      (set **noble_authentik_ingress_extra_hosts**, **noble_open_webui_public_host**, and/or **noble_pangolin_http_fqdns_extra**).
+  when: noble_pangolin_http_fqdns_effective | length == 0