Update .gitignore to include .env file and enhance README.md with instructions for deploying secrets. Refactor noble.yml to improve Kubernetes health check handling and update templates for error reporting. Modify cert-manager and metallb tasks to apply secrets from .env and adjust timeout settings. Clarify Newt installation requirements in tasks. These changes aim to streamline deployment processes and improve documentation clarity.

2026-03-28 15:36:52 -04:00
parent 46cedc965f
commit a48ac16c14
15 changed files with 123 additions and 14 deletions
--- a/ansible/roles/noble_cert_manager/defaults/main.yml
+++ b/ansible/roles/noble_cert_manager/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+# Warn when **cloudflare-dns-api-token** is missing after apply (also set in **group_vars/all.yml** when loaded).
+noble_cert_manager_require_cloudflare_secret: true
--- a/ansible/roles/noble_cert_manager/tasks/from_env.yml
+++ b/ansible/roles/noble_cert_manager/tasks/from_env.yml
@@ -0,0 +1,28 @@
+---
+# See repository **.env.sample** — copy to **.env** (gitignored).
+- name: Stat repository .env for deploy secrets
+  ansible.builtin.stat:
+    path: "{{ noble_repo_root }}/.env"
+  register: noble_deploy_env_file
+  changed_when: false
+
+- name: Create cert-manager Cloudflare DNS secret from .env
+  ansible.builtin.shell: |
+    set -euo pipefail
+    set -a
+    . "{{ noble_repo_root }}/.env"
+    set +a
+    if [ -z "${CLOUDFLARE_DNS_API_TOKEN:-}" ]; then
+      echo NO_TOKEN
+      exit 0
+    fi
+    kubectl -n cert-manager create secret generic cloudflare-dns-api-token \
+      --from-literal=api-token="${CLOUDFLARE_DNS_API_TOKEN}" \
+      --dry-run=client -o yaml | kubectl apply -f -
+    echo APPLIED
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  when: noble_deploy_env_file.stat.exists | default(false)
+  no_log: true
+  register: noble_cf_secret_from_env
+  changed_when: "'APPLIED' in (noble_cf_secret_from_env.stdout | default(''))"
--- a/ansible/roles/noble_cert_manager/tasks/main.yml
+++ b/ansible/roles/noble_cert_manager/tasks/main.yml
@@ -29,6 +29,9 @@
    KUBECONFIG: "{{ noble_kubeconfig }}"
  changed_when: true

+- name: Apply secrets from repository .env (optional)
+  ansible.builtin.include_tasks: from_env.yml
+
 - name: Check Cloudflare DNS API token Secret (required for ClusterIssuers)
  ansible.builtin.command:
    argv:
@@ -50,7 +53,7 @@
      Secret cert-manager/cloudflare-dns-api-token not found.
      Create it per clusters/noble/apps/cert-manager/README.md before ClusterIssuers can succeed.
  when:
-    - noble_cert_manager_require_cloudflare_secret | bool
+    - noble_cert_manager_require_cloudflare_secret | default(true) | bool
    - noble_cf_secret.rc != 0

 - name: Apply ClusterIssuers (staging + prod)
--- a/ansible/roles/noble_metallb/defaults/main.yml
+++ b/ansible/roles/noble_metallb/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+# Helm **--wait** default is often too short when images pull slowly or nodes are busy.
+noble_helm_metallb_wait_timeout: 20m
--- a/ansible/roles/noble_metallb/tasks/main.yml
+++ b/ansible/roles/noble_metallb/tasks/main.yml
@@ -21,6 +21,8 @@
      - --namespace
      - metallb-system
      - --wait
+      - --timeout
+      - "{{ noble_helm_metallb_wait_timeout }}"
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  changed_when: true
--- a/ansible/roles/noble_newt/defaults/main.yml
+++ b/ansible/roles/noble_newt/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+# Set true after creating the newt-pangolin-auth Secret (see role / cluster docs).
+noble_newt_install: true
--- a/ansible/roles/noble_newt/tasks/from_env.yml
+++ b/ansible/roles/noble_newt/tasks/from_env.yml
@@ -0,0 +1,30 @@
+---
+# See repository **.env.sample** — copy to **.env** (gitignored).
+- name: Stat repository .env for deploy secrets
+  ansible.builtin.stat:
+    path: "{{ noble_repo_root }}/.env"
+  register: noble_deploy_env_file
+  changed_when: false
+
+- name: Create newt-pangolin-auth Secret from .env
+  ansible.builtin.shell: |
+    set -euo pipefail
+    set -a
+    . "{{ noble_repo_root }}/.env"
+    set +a
+    if [ -z "${PANGOLIN_ENDPOINT:-}" ] || [ -z "${NEWT_ID:-}" ] || [ -z "${NEWT_SECRET:-}" ]; then
+      echo NO_VARS
+      exit 0
+    fi
+    kubectl -n newt create secret generic newt-pangolin-auth \
+      --from-literal=PANGOLIN_ENDPOINT="${PANGOLIN_ENDPOINT}" \
+      --from-literal=NEWT_ID="${NEWT_ID}" \
+      --from-literal=NEWT_SECRET="${NEWT_SECRET}" \
+      --dry-run=client -o yaml | kubectl apply -f -
+    echo APPLIED
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  when: noble_deploy_env_file.stat.exists | default(false)
+  no_log: true
+  register: noble_newt_secret_from_env
+  changed_when: "'APPLIED' in (noble_newt_secret_from_env.stdout | default(''))"
--- a/ansible/roles/noble_newt/tasks/main.yml
+++ b/ansible/roles/noble_newt/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: Skip Newt when not enabled
  ansible.builtin.debug:
-    msg: "noble_newt_install is false — create newt-pangolin-auth Secret and set noble_newt_install=true to deploy Newt."
+    msg: "noble_newt_install is false — set PANGOLIN_ENDPOINT, NEWT_ID, NEWT_SECRET in repo .env (or create the Secret manually) and set noble_newt_install=true to deploy Newt."
  when: not (noble_newt_install | bool)

 - name: Create Newt namespace
@@ -16,6 +16,10 @@
  when: noble_newt_install | bool
  changed_when: true

+- name: Apply Newt Pangolin auth Secret from repository .env (optional)
+  ansible.builtin.include_tasks: from_env.yml
+  when: noble_newt_install | bool
+
 - name: Install Newt chart
  ansible.builtin.command:
    argv: