Add snappass to the cluster

This change is surprisingly tricky and needed some temporary workarounds. First, there is no "official" snappass helm chart but I found one, which does the job and looked good enough. The other problem is the missing "official" image of snappass. The helm-chart used a customized image which I didn't want to use, therefore I had to rebuild a brand new image quickly. This new image is unfortunately not bound to any repository or pipeline yet, which means that this change needs some trust for the moment until I've set up the needed repo and CI structures. Reference: https://github.com/lmacka/helm-snappass/tree/main Reference: https://github.com/pinterest/snappass
2025-11-28 22:04:06 +01:00
parent f562241b5c
commit 20b0ac86f5
5 changed files with 54 additions and 0 deletions
--- a/README.adoc
+++ b/README.adoc
@@ -176,6 +176,7 @@ You can restrict playbook scope to specific areas using `--tags`.
 `cert-manager`:: Apply changes to the cert-manager including support for `Let's Encrypt`
 `gitea`:: Apply changes to gitea
 `concourse`:: Apply changes to concourse
+`snappass`:: Apply changes to snappass

 == Scaling the Cluster

--- a/config.yml
+++ b/config.yml
@@ -30,6 +30,10 @@ all:
    concourse_local_users: "{{ vault_concourse_local_users }}"
    concourse_worker_replicas: 2

+    snappass_state: present
+    snappass_host: snappass.nehrke.info
+    snappass_certificate_issuer: letsencrypt-prod
+
 k3s_cluster:
  vars:
    ansible_user: root
--- a/roles/k8s-setup/defaults/main.yml
+++ b/roles/k8s-setup/defaults/main.yml
@@ -16,3 +16,8 @@ concourse_state: present
 concourse_namespace: concourse
 concourse_local_users: {}
 concourse_worker_replicas: 2
+
+snappass_chart_version: 0.1.13
+snappass_state: present
+snappass_namespace: snappass
+snappass_tls_secret: snappass-tls
--- a/roles/k8s-setup/tasks/_snappass.yml
+++ b/roles/k8s-setup/tasks/_snappass.yml
@@ -0,0 +1,37 @@
+- name: Ensure snappass namespace
+  kubernetes.core.k8s:
+    state: "{{ snappass_state }}"
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: "{{ snappass_namespace }}"
+        labels:
+          name: "{{ snappass_namespace }}"
+
+- name: Deploy snappass
+  kubernetes.core.helm:
+    name: snappass
+    chart_ref: snappass
+    chart_version: "{{ snappass_chart_version }}"
+    chart_repo_url: https://lmacka.github.io/helm-snappass/
+    release_namespace: "{{ snappass_namespace }}"
+    release_state: "{{ snappass_state }}"
+    values:
+      image:
+        repository: nemoinho/snappass
+      ingress:
+        enabled: True
+        className: traefik
+        annotations:
+          cert-manager.io/cluster-issuer: "{{ snappass_certificate_issuer }}"
+          traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+        hosts:
+        - host: "{{ snappass_host }}"
+          paths:
+          - path: /
+            pathType: Prefix
+        tls:
+        - hosts:
+          - "{{ snappass_host }}"
+          secretName: "{{ snappass_tls_secret }}"
--- a/roles/k8s-setup/tasks/main.yml
+++ b/roles/k8s-setup/tasks/main.yml
@@ -18,3 +18,10 @@
  - k8s
  - concourse
  import_tasks: _concourse.yml
+
+- name: Ensure snappass
+  tags:
+  - init
+  - k8s
+  - snappass
+  import_tasks: _snappass.yml