Ansible vault

.dockerignore

@@ -1,2 +1,3 @@
 node_modules
 npm-debug.log
+integrativeprojectchart

.github/workflows/deploy.yml

@@ -0,0 +1,60 @@
+name: 'Deploy'
+
+on:
+
+  workflow_dispatch:
+
+jobs:
+
+  deployHelmChart:
+    name: Deploy Helm chart to Kubernetes Cluster
+    runs-on: ubuntu-latest
+    environment: Test
+
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Import Secrets
+        uses: hashicorp/[email protected]
+        with:
+          url: ${{ secrets.VAULT_IP }}
+          token: ${{ secrets.VAULT_TOKEN }}
+          secrets: |
+              kv/azure username | AZURE_VAULT_USERNAME;
+              kv/azure password | AZURE_VAULT_PASSWORD;
+              kv/azure_container username | AZURE_VAULT_CONTAINER_USERNAME;
+              kv/azure_container password | AZURE_VAULT_CONTAINER_PASSWORD;
+
+      - name: Login to Azure CLI
+        run: |	
+          az login -u $AZURE_VAULT_USERNAME -p $AZURE_VAULT_PASSWORD
+
+      - name: Set aks context
+        uses: azure/[email protected]
+        with:
+          resource-group: Integrative-DevOps-Project
+          cluster-name: example-aks1
+
+      - name: Create a new namespace named pacman-namespace
+        run: |
+          kubectl create namespace pacman-namespace
+
+      - name: Create docker-registry secret for K8s
+        run: |
+          kubectl create secret docker-registry acr-secret \
+          --namespace pacman-namespace \
+          --docker-server=containerregistry1123581321.azurecr.io \
+          --docker-username=$AZURE_VAULT_CONTAINER_USERNAME \
+          --docker-password=$AZURE_VAULT_CONTAINER_PASSWORD
+
+      - name: Installing integrativeprojectchart
+        working-directory: integrativeprojectchart/charts
+        run: |
+          helm install pacman-chart integrativeprojectchart-0.1.0.tgz --namespace pacman-namespace
+

.github/workflows/main.yml

@@ -0,0 +1,37 @@
+name: 'Push Image ACR'
+
+on:
+
+  workflow_dispatch:
+
+jobs:
+  ContainerRegistry:
+    runs-on: ubuntu-latest    
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Import Secrets
+        uses: hashicorp/[email protected]
+        with:
+          url: ${{ secrets.VAULT_IP }}
+          token: ${{ secrets.VAULT_TOKEN }}
+          secrets: |
+              kv/azure username | AZURE_VAULT_USERNAME;
+              kv/azure password | AZURE_VAULT_PASSWORD;
+
+      - name: Login to Azure CLI and Azure Container Registry
+        run: |	
+          az login -u $AZURE_VAULT_USERNAME -p $AZURE_VAULT_PASSWORD 
+          az acr login --name ${{ secrets.CONTAINER_NAME }}
+
+      - name: Build and push docker image to azure registry
+        working-directory: ./docker
+        run: |
+            docker build . -t ${{ secrets.CONTAINER_NAME }}/jesus/pacman-nodejs-app:latest
+            docker push ${{ secrets.CONTAINER_NAME }}/jesus/pacman-nodejs-app:latest

.github/workflows/remove_deploy.yml

@@ -0,0 +1,48 @@
+name: 'Remove deploy'
+
+on:
+
+  workflow_dispatch:
+
+jobs:
+
+  uninstallHelm:
+    name: 'Update image on deployment'
+    runs-on: ubuntu-latest
+
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Import Secrets
+        uses: hashicorp/[email protected]
+        with:
+          url: ${{ secrets.VAULT_IP }}
+          token: ${{ secrets.VAULT_TOKEN }}
+          secrets: |
+              kv/azure username | AZURE_VAULT_USERNAME;
+              kv/azure password | AZURE_VAULT_PASSWORD;
+
+      - name: "Login to Azure CLI"
+        run: |	
+          az login -u $AZURE_VAULT_USERNAME -p $AZURE_VAULT_PASSWORD
+
+      - name: Set aks context
+        uses: azure/[email protected]
+        with:
+          resource-group: Integrative-DevOps-Project
+          cluster-name: example-aks1
+
+
+      - name: 'Uninstalling helm chart'
+        run: |
+          helm uninstall pacman-chart --namespace pacman-namespace
+
+      - name: 'Delete pacman-namespace'
+        run: |
+          kubectl delete namespace pacman-namespace

.github/workflows/update_deploy.yml

@@ -0,0 +1,45 @@
+name: 'Update deployment'
+
+on:
+
+  workflow_dispatch:
+
+jobs:
+
+  restartDeployment:
+    name: 'Update the the image from the replicas'
+    runs-on: ubuntu-latest
+
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+
+      - name: Import Secrets
+        uses: hashicorp/[email protected]
+        with:
+          url: ${{ secrets.VAULT_IP }}
+          token: ${{ secrets.VAULT_TOKEN }}
+          secrets: |
+              kv/azure username | AZURE_VAULT_USERNAME;
+              kv/azure password | AZURE_VAULT_PASSWORD;
+
+      - name: "Login to Azure CLI"
+        run: |	
+          az login -u $AZURE_VAULT_USERNAME -p $AZURE_VAULT_PASSWORD    
+
+
+      - name: Set aks context
+        uses: azure/[email protected]
+        with:
+          resource-group: Integrative-DevOps-Project
+          cluster-name: example-aks1
+
+      - name: Rolling restart deployment deployment.apps/pacman
+        run: |
+          kubectl rollout restart deployment.apps/pacman -n pacman-namespace

ansible-vault/inventory.ini

@@ -0,0 +1,5 @@
+#13.67.215.79 ansible_user=azureuser
+#proyectvm.centralus.cloudapp.azure.com ansible_user=azureuser 
+#40.77.26.179 ansible_user=azureuser
+#secretsvm.centralus.cloudapp.azure.com ansible_user=azureuser
+13.89.245.9 ansible_user=azureuser

ansible-vault/playbook.yml

@@ -0,0 +1,17 @@
+---
+- hosts: all
+  become: true
+  remote_user: azureuser
+  become_user: root
+  become_method: sudo
+  roles:
+    - vault
+
+- hosts: all
+  vars:
+    unseal_keys_dir_output: "{{ playbook_dir }}/unsealKey/"
+    root_token_dir_output: "{{ playbook_dir }}/rootKey/"
+  roles:
+    - vault-init
+    - vault-unseal
+

ansible-vault/roles/vault-init/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

ansible-vault/roles/vault-init/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

ansible-vault/roles/vault-init/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+# defaults file for roles/vault-init
+unseal_keys_dir_output: "{{ playbook_dir }}/unsealKey/"
+root_token_dir_output: "{{ playbook_dir }}/rootKey/"
+vault_addr: 'http://0.0.0.0:8200'
+#vault_addr: 'http://127.0.0.1:8200'

ansible-vault/roles/vault-init/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+# tasks file for roles/vault-init
+- name: Create unseal directories
+  file:
+    path: "{{ unseal_keys_dir_output }}"
+    state: "directory"
+  delegate_to: localhost
+
+- name: Create root key directories
+  file:
+    path: "{{ root_token_dir_output }}"
+    state: "directory"
+  delegate_to: localhost
+
+- name: Initialise Vault operator
+  shell: vault operator init -key-shares=5 -key-threshold=3 -format json 
+  environment:
+    VAULT_ADDR: '{{ vault_addr }}'
+  register: vault_init_results
+
+
+- name: Parse output of vault init
+  set_fact:
+    vault_init_parsed: "{{ vault_init_results.stdout | from_json }}"
+
+- name: Write unseal keys to files
+  copy:
+    dest: "{{ unseal_keys_dir_output }}/unseal_key_{{ item.0 }}"
+    content: "{{ item.1 }}"
+  with_indexed_items: "{{ vault_init_parsed.unseal_keys_hex }}"
+  delegate_to: localhost
+
+- name: Write root token to file
+  copy:
+    content: "{{ vault_init_parsed.root_token }}"
+    dest: "{{root_token_dir_output}}/rootkey"
+  delegate_to: localhost

ansible-vault/roles/vault-init/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

ansible-vault/roles/vault-init/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - roles/vault-init

ansible-vault/roles/vault-init/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for roles/vault-init

ansible-vault/roles/vault-unseal/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/