added dry-run functionality and restart pods after configmap change

.gitignore

@@ -1,4 +1,7 @@
 .venv
+inventory
 secret.txt
 vaultfile.yaml
-inventory
+group_vars/cluster*.yaml
+*-bundle*.yaml
+.DS_store

README.md

@@ -103,49 +103,73 @@ The group_vars directory contains YAML files that have to be named as the groups
 |nia_version|Node Image Analyzer Image tag|
 |nia_api_endpoint|Node Image Analyzer api endpoint|
 |nia_collector_endpoint|Node Image Analyzer collector endpoint|
-
-### Vault
-The vault file will contain a single variable that will be the SysDig account access key for the SaaS backend. 
-
-|Parameter Name| Description|
-|---|---|
 |sysdig_access_key|a variable containing the account access key|
 
+### Sysdig Access Key
+The sysdig access key can be insered in multiple ways. you can define the key in a Vault file that will be encrypted. this is the most secure way to store your password.
+you can also insert the key directly in the group_vars, in this case the key can be also specific for each cluster.
+
 > you can find this parameter in your personal settings in the Sysdig SaaS or in the Agent Installation section
 
-The vault file should look like this: 
+The vault file should look like this before the encryption:
 
 ```yaml
 sysdig_access_key: XXXXXX-YOUR-AGENT-KEY-XXXXXX
 ```
 
-To create it, you can simply run:
-
-```bash
-ansible-vault encrypt_string --name=sysdig_access_key > ./vaultfile.yaml
-```
-
-> you will be asked to insert the ansible vault password and after that will be reading plaintext input from stdin. (ctrl-d to end input, twice if your content does not already have a newline)
-
 #### Vault
 
-You can define a secret.txt where the ansible-vault password will be stored, __make sure that only you can access this file!__
+The vault file will contain a single variable that will be the SysDig account access key for the SaaS backend. 
+
+You can define a secret.txt where the ansible-vault password will be stored, __make sure that only you can access this file!__ or you can simply use the `--ask-vault-password` to prompt the password when necessary.
 
 ```bash
 echo "YOUR_SUPER_SECRET_PASSWORD" > secret.txt
 ```
 
-At this point you can do:
+At this point you can create the `vaultfile.yaml` file:
 
 ```bash
-ansible-vault encrypt_string --vault-password-file=secret.txt --name=sysdig_access_key XXXXXX-YOUR-AGENT-KEY-XXXXXX > vaultfile.yaml
+ansible-vault create vaultfile.yaml --vault-password-file=secret.txt
+```
+
+#### Group Vars
+You can specify in the `group_vars` group file the `sysdig_access_key` simply by defining the variable like in the exampple below: 
+
+```yaml
+# cluster1.yaml.example
+...
+sysdig_access_key: XXXXXX-YOUR-AGENT-KEY-XXXXXX
+...
 ```
 
 ## Run ansible to install sysdig
 At this point you can start the installation process simply by running:
+```bash
+ansible-playbook sysdig-agent.install.yml
+```
+
+if you use the vault:
+
 ```bash
 ansible-playbook sysdig-agent.install.yml --vault-password-file=secret.txt
 ```
+### Dry Run
+> this execution option is reserved to Kubernetes & Openshift **only** also you can not use the vault metod.
+
+You can run the playbook in k8s "*Dry-Run*" fashion, with this option on the specified clusters __will not be executed any command__ directly. Instead, the execution will generate a bundle file for each Cluster. In the case of a K8s Cluster the file will be called k8s-bundle-CLUSTER_NAME.yaml. In the case of an Openshift Cluster, the file will be called openshift-bundle-CLUSTER_NAME.yaml.
+
+
+start the execution of the dry-run with this command:
+```bash
+ansible-playbook sysdig-agent.install.dry-run.yml --extra-vars 'dry_run=True'
+```
+
+in case of OCP Cluster you have tu run manually: 
+```bash
+oc adm policy add-scc-to-user privileged system:serviceaccount:{{ sysdig_agent_namespace }}:sysdig-agent
+```
+
 ## Contacts
 If you have questions or suggestions feel free to contact us:
 

group_vars/cluster1.yaml.example

@@ -7,6 +7,7 @@ cluster_name: example-1
 agent_version: latest
 sysdig_agent_namespace: sysdig-agent
 kube_config_path: /home/myansibleuser/.kube/config
+sysdig_access_key: XXXXXX-YOUR-AGENT-KEY-XXXXXX
 # Resources needed are subjective to the actual workload.
 # Please refer to Sysdig Support for more info.
 # See also: https://docs.sysdig.com/en/tuning-sysdig-agent.html

roles/install-sysdig-agent/defaults/main.yml

@@ -13,4 +13,5 @@ resources_limits_cpu: 1000m
 resources_limits_memory: 1024Mi
 # Node Image Analyzer default variables
 nia_enabled: False
-nia_version: latest
+nia_version: latest
+dry_run: false

roles/install-sysdig-agent/handlers/main.yml

@@ -1,2 +1,19 @@
 ---
 # handlers file for install-sysdig-agent
+- name: Restart sysdig-agent pods
+  kubernetes.core.k8s:
+    kind: Pod
+    namespace: "{{ sysdig_agent_namespace }}"
+    state: absent
+    kubeconfig: "{{ kube_config_path }}"
+    label_selectors:
+      - 'app=sysdig-agent'
+
+- name: Restart sysdig NIA pods
+  kubernetes.core.k8s:
+    kind: Pod
+    namespace: "{{ sysdig_agent_namespace }}"
+    state: absent
+    kubeconfig: "{{ kube_config_path }}"
+    label_selectors:
+      - 'app=sysdig-node-analyzer'

roles/install-sysdig-agent/tasks/agent-install-k8s-dry-run.yml

@@ -0,0 +1,65 @@
+---
+
+- name: Delete old bundles
+  delegate_to: localhost
+  file:
+    path: "k8s-bundle-{{ group_names[0] }}.yaml"
+    state: absent
+
+- name: Creating new bundle
+  delegate_to: localhost
+  file:
+    path: "k8s-bundle-{{ group_names[0] }}.yaml"
+    state: touch
+
+- name: Create {{ sysdig_agent_namespace }} namespace
+  delegate_to: localhost
+  lineinfile:
+    line: "{{ lookup('template', 'sysdig-agent-namespace.yaml.j2')}}"
+    dest: "k8s-bundle-{{ group_names[0] }}.yaml"
+
+- name: Create Service Account for sysdig agent
+  delegate_to: localhost
+  lineinfile:
+    line: "{{ lookup('template', 'sysdig-agent-serviceaccount.yaml.j2')}}"
+    dest: "k8s-bundle-{{ group_names[0] }}.yaml"
+
+- name: Create ClusterRole for sysdig-agent account
+  delegate_to: localhost
+  lineinfile:
+    line: "{{ lookup('template', 'sysdig-agent-clusterrole.yaml.j2')}}"
+    dest: "k8s-bundle-{{ group_names[0] }}.yaml"
+
+- name: Create ClusterRoleBinding for cluster-reader for sysdig-agent account
+  delegate_to: localhost
+  lineinfile:
+    line: "{{ lookup('template', 'sysdig-agent-clusterrolebinding.yaml.j2')}}"
+    dest: "k8s-bundle-{{ group_names[0] }}.yaml"
+
+- name: Create secret for sysdig-agent
+  delegate_to: localhost
+  lineinfile:
+    line: "{{ lookup('template', 'sysdig-agent-secret.yaml.j2')}}"
+    dest: "k8s-bundle-{{ group_names[0] }}.yaml"
+
+- name: Configure agent configmap, service and daemonset
+  delegate_to: localhost
+  lineinfile:
+    line: "{{ lookup('template', '{{item}}.yaml.j2')}}"
+    dest: "k8s-bundle-{{ group_names[0] }}.yaml"
+  loop:
+    - sysdig-agent-configmap
+    - sysdig-agent-service
+    - sysdig-agent-daemonset-v2
+
+- name: Configure NIA configmap and daemonset
+  delegate_to: localhost
+  lineinfile:
+    line: "{{ lookup('template', '{{item}}.yaml.j2')}}"
+    dest: "k8s-bundle-{{ group_names[0] }}.yaml"
+  loop:
+    - sysdig-node-image-analyzer-configmap
+    - sysdig-node-image-analyzer-daemonset
+    - sysdig-node-benchmark-runner-configmap
+    - sysdig-node-host-analyzer-configmap
+  when: nia_enabled

roles/install-sysdig-agent/tasks/agent-install-k8s.yml

@@ -56,31 +56,43 @@
     state: present
     kubeconfig: "{{ kube_config_path }}"
 
-- name: Debug Agent ConfigMap
-  debug:
-    msg: "{{ ((lookup('template', 'sysdig-agent-configmap.yaml.j2') | from_yaml).data | from_yaml )['dragent.yaml'] | from_yaml }}"
-    verbosity: 3
+- name: Configure agent configmap
+  kubernetes.core.k8s:
+    resource_definition: "{{ lookup('template', 'sysdig-agent-configmap.yaml.j2')}}"
+    namespace: "{{ sysdig_agent_namespace }}"
+    state: present
+    kubeconfig: "{{ kube_config_path }}"
+  notify:
+    - Restart sysdig-agent pods
 
-- name: Configure agent configmap, service and daemonset
+- name: Configure agent service and daemonset
   kubernetes.core.k8s:
     resource_definition: "{{ lookup('template', '{{ item }}.yaml.j2')}}"
     namespace: "{{ sysdig_agent_namespace }}"
     state: present
     kubeconfig: "{{ kube_config_path }}"
   loop:
-    - sysdig-agent-configmap
     - sysdig-agent-service
     - sysdig-agent-daemonset-v2
 
-- name: Configure NIA configmap and daemonset
+- name: Configure NIA configmaps
   kubernetes.core.k8s:
     resource_definition: "{{ lookup('template', '{{ item }}.yaml.j2')}}"
     namespace: "{{ sysdig_agent_namespace }}"
     state: present
     kubeconfig: "{{ kube_config_path }}"
   loop:
     - sysdig-node-image-analyzer-configmap
-    - sysdig-node-image-analyzer-daemonset
     - sysdig-node-benchmark-runner-configmap
     - sysdig-node-host-analyzer-configmap
   when: nia_enabled
+  notify:
+    - Restart sysdig NIA pods
+
+- name: Configure NIA daemonset
+  kubernetes.core.k8s:
+    resource_definition: "{{ lookup('template', 'sysdig-node-image-analyzer-daemonset.yaml.j2')}}"
+    namespace: "{{ sysdig_agent_namespace }}"
+    state: present
+    kubeconfig: "{{ kube_config_path }}"
+  when: nia_enabled

roles/install-sysdig-agent/tasks/agent-install-ocp-dry-run.yml

@@ -0,0 +1,65 @@
+---
+
+- name: Delete old bundles
+  delegate_to: localhost
+  file:
+    path: "openshift-bundle-{{ group_names[0] }}.yaml"
+    state: absent
+
+- name: Creating new bundle
+  delegate_to: localhost
+  file:
+    path: "openshift-bundle-{{ group_names[0] }}.yaml"
+    state: touch
+
+- name: Create {{ sysdig_agent_namespace }} namespace
+  delegate_to: localhost
+  lineinfile:
+    line: "{{ lookup('template', 'sysdig-agent-namespace.yaml.j2')}}"
+    dest: "openshift-bundle-{{ group_names[0] }}.yaml"
+
+- name: Create Service Account for sysdig agent
+  delegate_to: localhost
+  lineinfile:
+    line: "{{ lookup('template', 'sysdig-agent-serviceaccount.yaml.j2')}}"
+    dest: "openshift-bundle-{{ group_names[0] }}.yaml"
+
+- name: Create RoleBinding for privileged scc for sysdig-agent account
+  delegate_to: localhost
+  lineinfile:
+    line: "{{ lookup('template', 'sysdig-agent-privileged-rolebinding.yaml.j2')}}"
+    dest: "openshift-bundle-{{ group_names[0] }}.yaml"
+
+- name: Create ClusterRoleBinding for cluster-reader for sysdig-agent account
+  delegate_to: localhost
+  lineinfile:
+    line: "{{ lookup('template', 'cluster-reader-sysdig-agent-clusterrolebinding.yaml.j2')}}"
+    dest: "openshift-bundle-{{ group_names[0] }}.yaml"
+
+- name: Create secret for sysdig-agent
+  delegate_to: localhost
+  lineinfile:
+    line: "{{ lookup('template', 'sysdig-agent-secret.yaml.j2')}}"
+    dest: "openshift-bundle-{{ group_names[0] }}.yaml"
+
+- name: Configure agent configmap, service and daemonset
+  delegate_to: localhost
+  lineinfile:
+    line: "{{ lookup('template', '{{item}}.yaml.j2')}}"
+    dest: "openshift-bundle-{{ group_names[0] }}.yaml"
+  loop:
+    - sysdig-agent-configmap
+    - sysdig-agent-service
+    - sysdig-agent-daemonset-v2
+
+- name: Configure NIA configmap and daemonset
+  delegate_to: localhost
+  lineinfile:
+    line: "{{ lookup('template', '{{item}}.yaml.j2')}}"
+    dest: "openshift-bundle-{{ group_names[0] }}.yaml"
+  loop:
+    - sysdig-node-image-analyzer-configmap
+    - sysdig-node-image-analyzer-daemonset
+    - sysdig-node-benchmark-runner-configmap
+    - sysdig-node-host-analyzer-configmap
+  when: nia_enabled

roles/install-sysdig-agent/tasks/agent-install-ocp.yml

@@ -60,26 +60,43 @@
     state: present
     kubeconfig: "{{ kube_config_path }}"
 
-- name: Configure agent configmap, service and daemonset
+- name: Configure agent configmap
+  kubernetes.core.k8s:
+    resource_definition: "{{ lookup('template', 'sysdig-agent-configmap.yaml.j2')}}"
+    namespace: "{{ sysdig_agent_namespace }}"
+    state: present
+    kubeconfig: "{{ kube_config_path }}"
+  notify:
+    - Restart sysdig-agent pods
+
+- name: Configure agent service and daemonset
   kubernetes.core.k8s:
     resource_definition: "{{ lookup('template', '{{ item }}.yaml.j2')}}"
     namespace: "{{ sysdig_agent_namespace }}"
     state: present
     kubeconfig: "{{ kube_config_path }}"
   loop:
-    - sysdig-agent-configmap
     - sysdig-agent-service
     - sysdig-agent-daemonset-v2
 
-- name: Configure NIA configmap and daemonset
+- name: Configure NIA configmaps
   kubernetes.core.k8s:
     resource_definition: "{{ lookup('template', '{{ item }}.yaml.j2')}}"
     namespace: "{{ sysdig_agent_namespace }}"
     state: present
     kubeconfig: "{{ kube_config_path }}"
   loop:
     - sysdig-node-image-analyzer-configmap
-    - sysdig-node-image-analyzer-daemonset
     - sysdig-node-benchmark-runner-configmap
     - sysdig-node-host-analyzer-configmap
+  when: nia_enabled
+  notify:
+    - Restart sysdig NIA pods
+
+- name: Configure NIA daemonset
+  kubernetes.core.k8s:
+    resource_definition: "{{ lookup('template', 'sysdig-node-image-analyzer-daemonset.yaml.j2')}}"
+    namespace: "{{ sysdig_agent_namespace }}"
+    state: present
+    kubeconfig: "{{ kube_config_path }}"
   when: nia_enabled