feat: replace ansible templating with makejinja

.envrc

@@ -6,7 +6,7 @@ PATH_add "$(expand_path ./.venv/bin)"
 export VIRTUAL_ENV="$(expand_path ./.venv)"
 export ANSIBLE_COLLECTIONS_PATH=$(expand_path ./.venv/galaxy)
 export ANSIBLE_ROLES_PATH=$(expand_path ./.venv/galaxy/ansible_roles)
-export ANSIBLE_VARS_ENABLED="host_group_vars,community.sops.sops"
+export ANSIBLE_VARS_ENABLED="host_group_vars"
 export ANSIBLE_LOCALHOST_WARNING="False"
 export ANSIBLE_INVENTORY_UNPARSED_WARNING="False"
 export K8S_AUTH_KUBECONFIG="$(expand_path ./kubeconfig)"

.github/tests/config-k0s.yaml

@@ -16,7 +16,7 @@ bootstrap_cloudflare_account_tag: fake
 bootstrap_cloudflare_tunnel_secret: fake
 bootstrap_cloudflare_tunnel_id: fake
 bootstrap_node_cidr: 10.10.10.0/24
-bootstrap_kubeapi_addr: 10.10.10.254
+bootstrap_kube_api_addr: 10.10.10.254
 bootstrap_k8s_gateway_addr: 10.10.10.253
 bootstrap_external_ingress_addr: 10.10.10.252
 bootstrap_internal_ingress_addr: 10.10.10.251
@@ -30,7 +30,19 @@ bootstrap_nodes:
     - name: k8s-0
       address: 10.10.10.100
       username: fake
-  worker:
     - name: k8s-1
       address: 10.10.10.101
       username: fake
+    - name: k8s-2
+      address: 10.10.10.102
+      username: fake
+  worker:
+    - name: k8s-3
+      address: 10.10.10.103
+      username: fake
+    - name: k8s-4
+      address: 10.10.10.104
+      username: fake
+    - name: k8s-5
+      address: 10.10.10.105
+      username: fake

.github/tests/config-k3s-ipv4.yaml

@@ -16,7 +16,7 @@ bootstrap_cloudflare_account_tag: fake
 bootstrap_cloudflare_tunnel_secret: fake
 bootstrap_cloudflare_tunnel_id: fake
 bootstrap_node_cidr: 10.10.10.0/24
-bootstrap_kubeapi_addr: 10.10.10.254
+bootstrap_kube_api_addr: 10.10.10.254
 bootstrap_k8s_gateway_addr: 10.10.10.253
 bootstrap_external_ingress_addr: 10.10.10.252
 bootstrap_internal_ingress_addr: 10.10.10.251
@@ -30,7 +30,19 @@ bootstrap_nodes:
     - name: k8s-0
       address: 10.10.10.100
       username: fake
-  worker:
     - name: k8s-1
       address: 10.10.10.101
       username: fake
+    - name: k8s-2
+      address: 10.10.10.102
+      username: fake
+  worker:
+    - name: k8s-3
+      address: 10.10.10.103
+      username: fake
+    - name: k8s-4
+      address: 10.10.10.104
+      username: fake
+    - name: k8s-5
+      address: 10.10.10.105
+      username: fake

.github/tests/config-k3s-ipv6.yaml

@@ -16,7 +16,7 @@ bootstrap_cloudflare_account_tag: fake
 bootstrap_cloudflare_tunnel_secret: fake
 bootstrap_cloudflare_tunnel_id: fake
 bootstrap_node_cidr: 10.10.10.0/24
-bootstrap_kubeapi_addr: 10.10.10.254
+bootstrap_kube_api_addr: 10.10.10.254
 bootstrap_k8s_gateway_addr: 10.10.10.253
 bootstrap_external_ingress_addr: 10.10.10.252
 bootstrap_internal_ingress_addr: 10.10.10.251
@@ -30,7 +30,19 @@ bootstrap_nodes:
     - name: k8s-0
       address: 10.10.10.100
       username: fake
-  worker:
     - name: k8s-1
       address: 10.10.10.101
       username: fake
+    - name: k8s-2
+      address: 10.10.10.102
+      username: fake
+  worker:
+    - name: k8s-3
+      address: 10.10.10.103
+      username: fake
+    - name: k8s-4
+      address: 10.10.10.104
+      username: fake
+    - name: k8s-5
+      address: 10.10.10.105
+      username: fake

.github/tests/config-k3s-no-kube-vip.yaml

@@ -0,0 +1,32 @@
+---
+ci_test: true
+
+bootstrap_distribution: k3s
+bootstrap_github_username: onedr0p
+bootstrap_github_repository_name: flux-cluster-template
+bootstrap_github_repository_branch: main
+bootstrap_age_public_key: $BOOTSTRAP_AGE_PUBLIC_KEY
+bootstrap_timezone: Etc/UTC
+bootstrap_acme_email: fake
+bootstrap_acme_production_enabled: false
+bootstrap_flux_github_webhook_token: fake
+bootstrap_cloudflare_domain: fake
+bootstrap_cloudflare_token: fake
+bootstrap_cloudflare_account_tag: fake
+bootstrap_cloudflare_tunnel_secret: fake
+bootstrap_cloudflare_tunnel_id: fake
+bootstrap_node_cidr: 10.10.10.0/24
+bootstrap_kube_api_addr: # left blank to not use kube-vip
+bootstrap_k8s_gateway_addr: 10.10.10.253
+bootstrap_external_ingress_addr: 10.10.10.252
+bootstrap_internal_ingress_addr: 10.10.10.251
+bootstrap_cilium_loadbalancer_mode: dsr
+bootstrap_ipv6_enabled: false
+bootstrap_cluster_cidr: 10.42.0.0/16
+bootstrap_service_cidr: 10.43.0.0/16
+bootstrap_local_storage_path: /var/openebs/local
+bootstrap_nodes:
+  master:
+    - name: k8s-0
+      address: 10.10.10.100
+      username: fake

.github/workflows/e2e.yaml

@@ -40,6 +40,7 @@ jobs:
           - k0s
           - k3s-ipv4
           - k3s-ipv6
+          - k3s-no-kube-vip
         addon-files: ["addons"]
     steps:
       - name: Checkout
@@ -109,7 +110,7 @@ jobs:
 
       - name: Run configure
         shell: bash
-        run: task --yes configure
+        run: task configure --yes
 
       - name: Run kubeconform
         shell: bash
@@ -124,4 +125,4 @@ jobs:
         shell: bash
         run: |
           task repo:clean
-          task --yes repo:reset
+          task repo:reset --yes

.gitignore

@@ -1,3 +1,7 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
 # Trash
 .DS_Store
 Thumbs.db

.taskfiles/Ansible/Taskfile.yaml

@@ -11,7 +11,7 @@ env:
   VIRTUAL_ENV: "{{.ROOT_DIR}}/.venv"
   ANSIBLE_COLLECTIONS_PATH: "{{.ROOT_DIR}}/.venv/galaxy"
   ANSIBLE_ROLES_PATH: "{{.ROOT_DIR}}/.venv/galaxy/ansible_roles"
-  ANSIBLE_VARS_ENABLED: "host_group_vars,community.sops.sops"
+  ANSIBLE_VARS_ENABLED: "host_group_vars"
   ANSIBLE_LOCALHOST_WARNING: "False"
   ANSIBLE_INVENTORY_UNPARSED_WARNING: "False"
 

.taskfiles/K0s/Taskfile.yaml

@@ -10,22 +10,22 @@ tasks:
   kubeconfig:
     desc: Gets k0s cluster kubeconfig
     cmds:
-      - k0sctl kubeconfig --config k0s-config.yaml > kubeconfig
+      - k0sctl kubeconfig --config {{.ROOT_DIR}}/k0s-config.yaml > kubeconfig
     preconditions:
       - { msg: "k0s-config.yaml not found", sh: "test -f {{.ROOT_DIR}}/k0s-config.yaml" }
 
   apply:
     desc: Apply k0s cluster k0s-config.yaml
     cmds:
-      - k0sctl apply --config k0s-config.yaml
+      - k0sctl apply --config {{.ROOT_DIR}}/k0s-config.yaml
       - task: kubeconfig
     preconditions:
       - { msg: "k0s-config.yaml not found", sh: "test -f {{.ROOT_DIR}}/k0s-config.yaml" }
 
   reset:
     desc: Resets the k0s cluster
     cmds:
-      - k0sctl reset --config k0s-config.yaml
+      - k0sctl reset --config {{.ROOT_DIR}}/k0s-config.yaml
       - task: :ansible:run
         vars:
           playbook: cluster-nuke

.taskfiles/Repo/Taskfile.yaml

@@ -12,28 +12,28 @@ tasks:
       - rm -rf {{.ROOT_DIR}}/.github/workflows/e2e.yaml
       # Move bootstrap directory to gitignored directory
       - mkdir -p {{.ROOT_DIR}}/.private
-      - mv {{.ROOT_DIR}}/bootstrap {{.ROOT_DIR}}/.private/bootstrap-{{now | date "150405"}}
+      - mv {{.BOOTSTRAP_DIR}} {{.ROOT_DIR}}/.private/bootstrap-{{now | date "150405"}}
       # Update renovate.json5
       - sed -i {{if eq OS "darwin"}}''{{end}} 's/(..\.j2)\?(..\.j2)\?//g' {{.ROOT_DIR}}/.github/renovate.json5
       - sed -i {{if eq OS "darwin"}}''{{end}} '/addons/d' {{.ROOT_DIR}}/.github/renovate.json5
     preconditions:
-      - { msg: "bootstrap dir not found",  sh: "test -d {{.ROOT_DIR}}/bootstrap" }
+      - { msg: "bootstrap dir not found",  sh: "test -d {{.BOOTSTRAP_DIR}}" }
       - { msg: "renovate.json5 not found", sh: "test -f {{.ROOT_DIR}}/.github/renovate.json5" }
 
   reset:
-    desc: Remove templated configuration files
-    prompt: Remove templated configuration files... continue?
+    desc: Reset templated configuration files
+    prompt: Reset templated configuration files... continue?
     cmds:
       - rm -rf {{.ROOT_DIR}}/.sops.yaml
       - rm -rf {{.ROOT_DIR}}/k0s-config.yaml
-      - rm -rf {{.ROOT_DIR}}/ansible
-      - rm -rf {{.ROOT_DIR}}/kubernetes
+      - rm -rf {{.ANSIBLE_DIR}}
+      - rm -rf {{.KUBERNETES_DIR}}
 
-  reset-repo:
-    desc: Set repo back to HEAD
-    prompt: Set repo back to HEAD... continue?
+  force-reset:
+    desc: Reset repo back to HEAD
+    prompt: Reset repo back to HEAD... continue?
     cmds:
       - task: reset
       - git reset --hard HEAD
       - git clean -f -d
-      - git pull
+      - git pull origin main

.taskfiles/Sops/Taskfile.yaml

@@ -12,7 +12,6 @@ tasks:
 
   encrypt:
     desc: Encrypt a secret
-    aliases: ["e"]
     summary: |
       Args:
         file: Path to file to encrypt (required)
@@ -23,15 +22,13 @@ tasks:
       - { msg: "Sops config not found", sh: "test -f {{.ROOT_DIR}}/.sops.yaml" }
       - { msg: "Age key not found",     sh: "test -f {{.ROOT_DIR}}/age.key" }
 
-  decrypt:
-    desc: Decrypt a secret
-    aliases: ["d"]
-    summary: |
-      Args:
-        file: Path to file to decrypt (required)
-    cmd: sops --decrypt --in-place {{.SECRET}}
+  encrypt:all:
+    desc: Encrypt all Kubernetes SOPS secrets
+    cmds:
+      - for: { var: file }
+        task: encrypt
+        vars:
+          file: '{{.ITEM}}'
     vars:
-      claim: '{{ or .file (fail "Argument (file) is required") }}'
-    preconditions:
-      - { msg: "Sops config not found", sh: "test -f {{.ROOT_DIR}}/.sops.yaml" }
-      - { msg: "Age key not found",     sh: "test -f {{.ROOT_DIR}}/age.key" }
+      file:
+        sh: find {{.KUBERNETES_DIR}} -type f -name "*.sops.*"

.taskfiles/Workstation/ArchPackages

@@ -1,17 +1,15 @@
 age
-cilium-cli
 cloudflared-bin
 direnv
 flux-bin
+go-task
+go-yq
 helm
 jq
 k0sctl-bin
-k9s
 kubeconform
 kubectl-bin
 kustomize
 moreutils
 sops
 stern-bin
-go-task
-go-yq

.taskfiles/Workstation/Brewfile

@@ -1,18 +1,15 @@
 tap "fluxcd/tap"
 tap "go-task/tap"
 tap "k0sproject/tap"
-tap "kubecolor/tap"
 brew "age"
-brew "cilium-cli"
 brew "cloudflared"
 brew "direnv"
 brew "fluxcd/tap/flux"
+brew "go-task/tap/go-task"
 brew "helm"
 brew "jq"
 brew "k0sproject/tap/k0sctl"
-brew "k9s"
 brew "kubeconform"
-brew "kubecolor/tap/kubecolor"
 brew "kubernetes-cli"
 brew "kustomize"
 brew "moreutils"

.taskfiles/Workstation/Taskfile.yaml

@@ -14,8 +14,18 @@ tasks:
           Head over to https://brew.sh to get up and running.
       - { msg: "Brewfile not found", sh: "test -f {{.ROOT_DIR}}/.taskfiles/Workstation/Brewfile" }
 
-  yay:
+  paru:
     desc: Install workstation dependencies with Paru
+    cmd: paru -Syu --needed --noconfirm --noprogressbar $(cat {{.ROOT_DIR}}/.taskfiles/Workstation/ArchPackages | xargs)
+    preconditions:
+      - sh: command -v paru
+        msg: |
+          Paru is not installed. Using ArchLinux?
+          Head over to https://github.com/Morganamilo/paru to get up and running.
+      - { msg: "ArchPackages not found", sh: "test -f {{.ROOT_DIR}}/.taskfiles/Workstation/ArchPackages" }
+
+  yay:
+    desc: Install workstation dependencies with Yay
     cmd: yay -Syu --needed --noconfirm --noprogressbar $(cat {{.ROOT_DIR}}/.taskfiles/Workstation/ArchPackages | xargs)
     preconditions:
       - sh: command -v yay

Taskfile.yaml

@@ -47,6 +47,33 @@ tasks:
   configure:
     desc: Configure repository from Ansible vars
     prompt: Any conflicting config in the root kubernetes and ansible directories will be overwritten... continue?
-    cmd: ./.venv/bin/ansible-playbook {{.BOOTSTRAP_DIR}}/configure.yaml
+    cmds:
+      - task: .validate
+      - task: .template
+      - task: sops:encrypt:all
+
+  .validate:
+    internal: true
+    cmd: ./.venv/bin/ansible-playbook {{.BOOTSTRAP_DIR}}/validate.yaml
     env:
       ANSIBLE_DISPLAY_SKIPPED_HOSTS: "false"
+    preconditions:
+      - { msg: "addons file not found", sh: "test -f {{.BOOTSTRAP_DIR}}/vars/addons.yaml" }
+      - { msg: "config file not found", sh: "test -f {{.BOOTSTRAP_DIR}}/vars/config.yaml" }
+
+  .template:
+    internal: true
+    cmds:
+      - ./.venv/bin/makejinja
+          --input "{{.BOOTSTRAP_DIR}}/templates"
+          --output "{{.ROOT_DIR}}"
+          --data "{{.BOOTSTRAP_DIR}}/vars/config.yaml"
+          --data "{{.BOOTSTRAP_DIR}}/vars/addons.yaml"
+          --import-path "{{.BOOTSTRAP_DIR}}/scripts"
+          --loader "loader:Loader"
+          --jinja-suffix ".j2" --quiet --force
+      - find {{.ANSIBLE_DIR}} {{.KUBERNETES_DIR}} -type d -empty -delete
+    preconditions:
+      - { msg: "addons file not found", sh: "test -f {{.BOOTSTRAP_DIR}}/vars/addons.yaml" }
+      - { msg: "config file not found", sh: "test -f {{.BOOTSTRAP_DIR}}/vars/config.yaml" }
+      - { msg: "loader file not found", sh: "test -f {{.BOOTSTRAP_DIR}}/scripts/loader.py" }