Enhance Authentik and Newt configurations to support Open WebUI integration. Add necessary environment variables and secrets management for Open WebUI in .env.sample and Ansible tasks. Update README to clarify setup steps for automating HTTP resources with Pangolin, ensuring consistency with new branding and deployment practices.
@@ -3,40 +3,46 @@
|
||||
ansible.builtin.debug:
|
||||
msg: "noble_newt_install is false — set PANGOLIN_ENDPOINT, NEWT_ID, NEWT_SECRET in repo .env (or create the Secret manually) and set noble_newt_install=true to deploy Newt."
|
||||
when: not (noble_newt_install | bool)
|
||||
tags: [newt]
|
||||
|
||||
- name: Create Newt namespace
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- kubectl
|
||||
- apply
|
||||
- -f
|
||||
- "{{ noble_repo_root }}/clusters/noble/bootstrap/newt/namespace.yaml"
|
||||
environment:
|
||||
KUBECONFIG: "{{ noble_kubeconfig }}"
|
||||
- name: Deploy Newt (Pangolin tunnel) and optional Pangolin HTTP resource sync
|
||||
when: noble_newt_install | bool
|
||||
changed_when: true
|
||||
tags: [newt, pangolin]
|
||||
block:
|
||||
- name: Create Newt namespace
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- kubectl
|
||||
- apply
|
||||
- -f
|
||||
- "{{ noble_repo_root }}/clusters/noble/bootstrap/newt/namespace.yaml"
|
||||
environment:
|
||||
KUBECONFIG: "{{ noble_kubeconfig }}"
|
||||
changed_when: true
|
||||
|
||||
- name: Apply Newt Pangolin auth Secret from repository .env (optional)
|
||||
ansible.builtin.include_tasks: from_env.yml
|
||||
when: noble_newt_install | bool
|
||||
- name: Apply Newt Pangolin auth Secret from repository .env (optional)
|
||||
ansible.builtin.include_tasks: from_env.yml
|
||||
|
||||
- name: Install Newt chart
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- helm
|
||||
- upgrade
|
||||
- --install
|
||||
- newt
|
||||
- fossorial/newt
|
||||
- --namespace
|
||||
- newt
|
||||
- --version
|
||||
- "1.5.0"
|
||||
- -f
|
||||
- "{{ noble_repo_root }}/clusters/noble/bootstrap/newt/values.yaml"
|
||||
- --force-conflicts
|
||||
- --wait
|
||||
environment:
|
||||
KUBECONFIG: "{{ noble_kubeconfig }}"
|
||||
when: noble_newt_install | bool
|
||||
changed_when: true
|
||||
- name: Install Newt chart
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- helm
|
||||
- upgrade
|
||||
- --install
|
||||
- newt
|
||||
- fossorial/newt
|
||||
- --namespace
|
||||
- newt
|
||||
- --version
|
||||
- "1.5.0"
|
||||
- -f
|
||||
- "{{ noble_repo_root }}/clusters/noble/bootstrap/newt/values.yaml"
|
||||
- --force-conflicts
|
||||
- --wait
|
||||
environment:
|
||||
KUBECONFIG: "{{ noble_kubeconfig }}"
|
||||
changed_when: true
|
||||
|
||||
- name: Optional Pangolin Integration API (HTTP resources + Traefik targets)
|
||||
ansible.builtin.include_tasks: pangolin_sync.yml
|
||||
when: noble_pangolin_sync_http_resources | default(false) | bool
|
||||
|
||||
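--- /dev/null
+++ b/ansible/roles/noble_newt/tasks/pangolin_sync.yml
@@ -0,0 +1,95 @@
+---
+# Pangolin Integration API — public HTTP resources → Newt site → Traefik (see clusters/noble/bootstrap/newt/README.md §4).
+# Included only when **noble_pangolin_sync_http_resources** is true.
+- name: Build Pangolin HTTP FQDN list
+  ansible.builtin.set_fact:
+    noble_pangolin_http_fqdns_effective: >-
+      {{
+        (
+          noble_pangolin_http_fqdns_extra | default([])
+          + (noble_authentik_ingress_extra_hosts | default([]))
+          + ([noble_open_webui_public_host | trim] if (noble_open_webui_public_host | default('') | trim | length) > 0 else [])
+        ) | unique | list
+      }}
+
+- name: Discover Traefik LoadBalancer IP for Pangolin targets (when not set explicitly)
+  ansible.builtin.command:
+    argv:
+      - kubectl
+      - get
+      - svc
+      - -n
+      - traefik
+      - -l
+      - app.kubernetes.io/name=traefik
+      - -o
+      - jsonpath={.items[0].status.loadBalancer.ingress[0].ip}
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  register: noble_pangolin_traefik_lb_ip
+  changed_when: false
+  failed_when: false
+  when:
+    - noble_pangolin_http_fqdns_effective | length > 0
+    - noble_pangolin_traefik_target_ip | default('') | trim | length == 0
+
+- name: Resolve Traefik IP for Pangolin sync
+  ansible.builtin.set_fact:
+    noble_pangolin_traefik_ip_resolved: >-
+      {{
+        (noble_pangolin_traefik_target_ip | default('') | trim)
+        if (noble_pangolin_traefik_target_ip | default('') | trim | length > 0)
+        else (noble_pangolin_traefik_lb_ip.stdout | default('') | trim)
+      }}
+  when: noble_pangolin_http_fqdns_effective | length > 0
+
+- name: Require Traefik IP for Pangolin sync
+  ansible.builtin.assert:
+    that:
+      - noble_pangolin_traefik_ip_resolved | length > 0
+    fail_msg: >-
+      Set **noble_pangolin_traefik_target_ip** in inventory (Traefik Service LoadBalancer / MetalLB IP), or ensure
+      **kubectl** can read **traefik** Services (see **clusters/noble/bootstrap/traefik/**).
+  when: noble_pangolin_http_fqdns_effective | length > 0
+
+- name: Stat repository .env for Pangolin API credentials
+  ansible.builtin.stat:
+    path: "{{ noble_repo_root }}/.env"
+  register: noble_pangolin_env_file
+  changed_when: false
+  when: noble_pangolin_http_fqdns_effective | length > 0
+
+- name: Require .env for Pangolin Integration API secrets
+  ansible.builtin.assert:
+    that:
+      - noble_pangolin_env_file.stat.exists | default(false)
+    fail_msg: >-
+      Pangolin sync needs **.env** at the repo root with **NOBLE_PANGOLIN_*** variables (see **.env.sample**).
+  when: noble_pangolin_http_fqdns_effective | length > 0
+
+- name: Sync Pangolin public HTTP resources (Integration API)
+  ansible.builtin.command:
+    argv:
+      - python3
+      - "{{ noble_repo_root }}/clusters/noble/bootstrap/newt/scripts/sync_pangolin_http_resources.py"
+      - "--env-file"
+      - "{{ noble_repo_root }}/.env"
+      - "--fqdns"
+      - "{{ noble_pangolin_http_fqdns_effective | join(',') }}"
+      - "--traefik-ip"
+      - "{{ noble_pangolin_traefik_ip_resolved }}"
+      - "--traefik-port"
+      - "{{ noble_pangolin_traefik_target_port | int | string }}"
+  register: noble_pangolin_sync_cmd
+  changed_when: >-
+    '[create]' in (noble_pangolin_sync_cmd.stdout | default(''))
+    or '[target]' in (noble_pangolin_sync_cmd.stdout | default(''))
+    or 'target created' in (noble_pangolin_sync_cmd.stdout | default(''))
+  when: noble_pangolin_http_fqdns_effective | length > 0
+
+- name: Skip Pangolin sync (no public FQDNs configured)
+  ansible.builtin.debug:
+    msg: >-
+      noble_pangolin_sync_http_resources is true but the FQDN list is empty
+      (set **noble_authentik_ingress_extra_hosts**, **noble_open_webui_public_host**, and/or **noble_pangolin_http_fqdns_extra**).
+  when: noble_pangolin_http_fqdns_effective | length == 0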
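Review bot: The `Require .env for Pangolin Integration API secrets` assert only checks that the file exists, although its own fail_msg says it carries the NOBLE_PANGOLIN_* API credentials; a world-readable or world-writable .env passes and is then handed to the sync script via `--env-file`. `ansible.builtin.stat` already returns the other-permission bits, so extending the `that:` list with `- not (noble_pangolin_env_file.stat.roth | default(true))` and `- not (noble_pangolin_env_file.stat.woth | default(true))` (and naming the expected mode in the fail_msg) refuses an exposed credential file before any API call is made. The `Sync Pangolin public HTTP resources` task registers the script's stdout without `no_log`; the script itself is not in this hunk, so if it ever echoes values read from .env that output would reach verbose logs — worth confirming. Separately, the discovery jsonpath reads only `.ingress[0].ip`, so a LoadBalancer that reports a hostname instead yields an empty string and the `Require Traefik IP` assert fires with a message that does not mention that case.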