From 20b0ac86f5d7e695bfa023eaf7f3f33bcfe50ae2 Mon Sep 17 00:00:00 2001 From: Felix Nehrke Date: Fri, 28 Nov 2025 22:04:06 +0100 Subject: [PATCH] Add snappass to the cluster This change is surprisingly tricky and needed some temporary workarounds. First, there is no "official" snappass helm chart but I found one, which does the job and looked good enough. The other problem is the missing "official" image of snappass. The helm-chart used a customized image which I didn't want to use, therefore I had to rebuild a brand new image quickly. This new image is unfortunately not bound to any repository or pipeline yet, which means that this change needs some trust for the moment until I've set up the needed repo and CI structures. Reference: https://github.com/lmacka/helm-snappass/tree/main Reference: https://github.com/pinterest/snappass --- README.adoc | 1 + config.yml | 4 ++++ roles/k8s-setup/defaults/main.yml | 5 ++++ roles/k8s-setup/tasks/_snappass.yml | 37 +++++++++++++++++++++++++++++ roles/k8s-setup/tasks/main.yml | 7 ++++++ 5 files changed, 54 insertions(+) create mode 100644 roles/k8s-setup/tasks/_snappass.yml diff --git a/README.adoc b/README.adoc index 0047405..bb18c9f 100644 --- a/README.adoc +++ b/README.adoc @@ -176,6 +176,7 @@ You can restrict playbook scope to specific areas using `--tags`. `cert-manager`:: Apply changes to the cert-manager including support for `Let's Encrypt` `gitea`:: Apply changes to gitea `concourse`:: Apply changes to concourse +`snappass`:: Apply changes to snappass == Scaling the Cluster diff --git a/config.yml b/config.yml index 2a462ba..97381dc 100644 --- a/config.yml +++ b/config.yml @@ -30,6 +30,10 @@ all: concourse_local_users: "{{ vault_concourse_local_users }}" concourse_worker_replicas: 2 + snappass_state: present + snappass_host: snappass.nehrke.info + snappass_certificate_issuer: letsencrypt-prod + k3s_cluster: vars: ansible_user: root 
diff --git a/roles/k8s-setup/defaults/main.yml b/roles/k8s-setup/defaults/main.yml
index db3f33a..98be8bb 100644
--- a/roles/k8s-setup/defaults/main.yml
+++ b/roles/k8s-setup/defaults/main.yml
@@ -16,3 +16,8 @@ concourse_state: present
 concourse_namespace: concourse
 concourse_local_users: {}
 concourse_worker_replicas: 2
+
+snappass_chart_version: 0.1.13
+snappass_state: present
+snappass_namespace: snappass
+snappass_tls_secret: snappass-tls
diff --git a/roles/k8s-setup/tasks/_snappass.yml b/roles/k8s-setup/tasks/_snappass.yml
new file mode 100644
index 0000000..510b08e
--- /dev/null
+++ b/roles/k8s-setup/tasks/_snappass.yml
@@ -0,0 +1,37 @@
+- name: Ensure snappass namespace
+ kubernetes.core.k8s:
+ state: "{{ snappass_state }}"
+ definition:
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: "{{ snappass_namespace }}"
+ labels:
+ name: "{{ snappass_namespace }}"
+
+- name: Deploy snappass
+ kubernetes.core.helm:
+ name: snappass
+ chart_ref: snappass
+ chart_version: "{{ snappass_chart_version }}"
+ chart_repo_url: https://lmacka.github.io/helm-snappass/
+ release_namespace: "{{ snappass_namespace }}"
+ release_state: "{{ snappass_state }}"
+ values:
+ image:
+ repository: nemoinho/snappass
+ ingress:
+ enabled: True
+ className: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: "{{ snappass_certificate_issuer }}"
+ traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+ hosts:
+ - host: "{{ snappass_host }}"
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - "{{ snappass_host }}"
+ secretName: "{{ snappass_tls_secret }}"
diff --git a/roles/k8s-setup/tasks/main.yml b/roles/k8s-setup/tasks/main.yml
index b3d3cba..5aff577 100644
--- a/roles/k8s-setup/tasks/main.yml
+++ b/roles/k8s-setup/tasks/main.yml
@@ -18,3 +18,10 @@
 - k8s
 - concourse
 import_tasks: _concourse.yml
+
+- name: Ensure snappass
+ tags:
+ - init
+ - k8s
+ - snappass
+ import_tasks: _snappass.yml
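Review bot: In `roles/k8s-setup/tasks/_snappass.yml`, the `image.repository: nemoinho/snappass` override under `values:` of the `Deploy snappass` task has no tag or digest beside it. The image that runs is therefore whatever the chart's default tag resolves to in that repository, and a later re-push changes the workload with no change in this repo. The commit message says the image is not yet built from a repository or pipeline, so pinning is the main control available now. Assuming the chart follows the usual `image.tag` convention (not visible here), add a role default such as `snappass_image_tag` (suggested name) and set `tag: "{{ snappass_image_tag }}"`, moving to an `@sha256:<digest>` reference once the build is reproducible. The chart is pulled from a personal GitHub Pages repository and pinned by `chart_version` only, so vendoring it or checking its provenance before each version bump would cover the same risk on the chart side.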