---
# Kyverno policy bootstrap: two readiness gates, then the policy chart install.
# Helm --wait on the operator does not guarantee the first policyvalidate call from apiserver succeeds.
# The two wait tasks below are read-only (changed_when: false); only the helm
# upgrade is reported as a change.

- name: Wait for Kyverno admission controller Deployment rollout
  # Read-only gate. kubectl blocks for up to --timeout and exits non-zero if the
  # rollout has not completed, which fails this task (no retries are configured
  # here; the 300s timeout is the whole wait budget).
  changed_when: false
  environment:
    KUBECONFIG: '{{ noble_kubeconfig }}'
  ansible.builtin.command:
    argv:
      - kubectl
      - rollout
      - status
      - deployment/kyverno-admission-controller
      - -n
      - kyverno
      - --timeout=300s

- name: Wait for Kyverno webhook Service (kyverno-svc) to have endpoints
  # Read-only gate. Prints one IP per line from .subsets[*].addresses (the
  # ready-address list; not-ready backends live under notReadyAddresses and are
  # therefore not counted), and loops until at least one line is produced.
  # A non-zero kubectl exit (e.g. the Service is not created yet) is retried
  # under the same until/retries/delay budget.
  # NOTE(review): a ready endpoint shows the webhook pod is serving, not that the
  # validating webhook configuration is already registered — confirm this gate
  # is sufficient for the first policyvalidate call.
  changed_when: false
  environment:
    KUBECONFIG: '{{ noble_kubeconfig }}'
  ansible.builtin.command:
    argv:
      - kubectl
      - get
      - endpoints
      - kyverno-svc
      - -n
      - kyverno
      - -o
      - 'jsonpath={range .subsets[*].addresses[*]}{.ip}{"\n"}{end}'
  register: noble_kyverno_policies_ep
  # retries/delay are expected to come from role/playbook vars (not defined here).
  retries: '{{ noble_kyverno_policies_endpoint_wait_retries }}'
  delay: '{{ noble_kyverno_policies_endpoint_wait_delay }}'
  # default('') guards the case where a failed run carries no stdout.
  until: (noble_kyverno_policies_ep.stdout | default('') | trim | length) > 0

- name: Install Kyverno policy chart (PSS baseline, Audit)
  # Pinned chart version and a values file from the repo; the `kyverno/` chart
  # reference assumes the Helm repo alias was added earlier in the play.
  # NOTE(review): --force-conflicts presumably overrides field-manager
  # conflicts, i.e. fields owned by another controller or an operator's manual
  # edit are overwritten silently — confirm this is intended.
  # The task is always reported as changed: helm's output is not inspected to
  # tell an actual upgrade from a no-op.
  changed_when: true
  environment:
    KUBECONFIG: '{{ noble_kubeconfig }}'
  ansible.builtin.command:
    argv:
      - helm
      - upgrade
      - --install
      - kyverno-policies
      - kyverno/kyverno-policies
      - -n
      - kyverno
      - --version
      - '3.7.1'
      - -f
      - '{{ noble_repo_root }}/clusters/noble/bootstrap/kyverno/policies-values.yaml'
      - --force-conflicts
      - --wait
      - --timeout
      - 10m
  register: noble_kyverno_policies_helm
  # retries/delay are expected to come from role/playbook vars (not defined here).
  # Each retry re-runs `helm upgrade --install`; a failure that is not transient
  # (e.g. a values error) is repeated until the retry budget is exhausted.
  retries: '{{ noble_kyverno_policies_helm_retries }}'
  delay: '{{ noble_kyverno_policies_helm_delay }}'
  until: noble_kyverno_policies_helm.rc == 0