Add automation for install Advanced cluster security across infra (#255)

* Add automation for install Advanced cluster security across infra

.gitignore

@@ -7,3 +7,5 @@ install/kubeconfig
 **/ansible-navigator.log
 *-artifact-*
 **/aws_record
+install/init-bundle.yaml
+install/acs_api_token

install/roles/tealc/tasks/infra-setup/delete/advanced-cluster-management/delete_acm.yaml

@@ -4,8 +4,7 @@
   kubernetes.core.k8s:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
     namespace: "{{ acm_namespace }}"
-    state: present
-    apply: true
+    state: absent
     verify_ssl: no
     template: "{{ item }}"
   loop:
@@ -16,8 +15,7 @@
   kubernetes.core.k8s:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
     namespace: "{{ acm_namespace }}"
-    state: present
-    apply: true
+    state: absent
     verify_ssl: no
     template: "{{ item }}"
   loop:
@@ -31,4 +29,4 @@
     api_version: v1
     kind: Namespace
     verify_ssl: no
-    state: present
+    state: absent

install/roles/tealc/tasks/infra-setup/delete/advanced-cluster-management/delete_observability.yaml

@@ -3,8 +3,7 @@
   kubernetes.core.k8s:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
     namespace: "{{ acm_observability_namespace }}"
-    state: present
-    apply: true
+    state: absent
     template: templates/acm/07-multicluster-observability.yaml.j2
     verify_ssl: no
   register: observability_setup
@@ -13,8 +12,7 @@
   kubernetes.core.k8s:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
     namespace: "{{ acm_observability_namespace }}"
-    state: present
-    apply: true
+    state: absent
     template: templates/acm/06-thanos-storage-secret.yaml.j2
     verify_ssl: no
 
@@ -25,4 +23,4 @@
     api_version: v1
     kind: Namespace
     verify_ssl: no
-    state: present
+    state: absent

install/roles/tealc/tasks/infra-setup/delete/advanced-cluster-management/unregister_clusters.yaml

@@ -4,28 +4,23 @@
   kubernetes.core.k8s:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
     namespace: "{{ clusterName }}"
-    state: present
-    apply: true
+    state: absent
     template: templates/acm/05-klusterlet-addon-config.yaml.j2
     verify_ssl: no
 
 - name: "Delete {{ clusterName }}'s managed cluster on Infra cluster"
   kubernetes.core.k8s:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
     namespace: "{{ clusterName }}"
-    state: present
-    apply: true
+    state: absent
     template: templates/acm/04-managed-cluster.yaml.j2
     verify_ssl: no
 
 - name: "Delete {{ clusterName }} namespace on Infra cluster"
   kubernetes.core.k8s:
     kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
     name: "{{ clusterName }}"
-    state: present
+    api_version: v1
+    kind: Namespace
     verify_ssl: no
-    definition:
-      apiVersion: v1
-      kind: Namespace
-      metadata:
-        name: "{{ clusterName }}"
+    state: absent

install/roles/tealc/tasks/infra-setup/delete/advanced-cluster-security/delete_acs.yaml

@@ -0,0 +1,31 @@
+---
+- name: "Delete central on Infra cluster"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+    namespace: "{{ acs_namespace }}"
+    state: absent
+    verify_ssl: no
+    template: "{{ item }}"
+  loop:
+    - templates/acs/02-central.yaml.j2
+  register: acs_operator
+
+- name: "Delete ACS operator group and subscription on Infra cluster"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+    namespace: "{{ acs_namespace }}"
+    state: absent
+    verify_ssl: no
+    template: "{{ item }}"
+  loop:
+    - templates/acm/00-operator-group.yaml.j2
+    - templates/acm/01-acs-subscription.yaml.j2
+
+- name: "Delete ACS namespace on Infra cluster"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+    name: "{{ acs_namespace }}"
+    api_version: v1
+    kind: Namespace
+    verify_ssl: no
+    state: absent

install/roles/tealc/tasks/infra-setup/delete/advanced-cluster-security/unregister_clusters.yaml

@@ -0,0 +1,17 @@
+---
+- name: "Delete {{ clusterName }} secured cluster"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeconfig_path }}/{{ clusterName }}"
+    namespace: "{{ acs_stackrox_namespace }}"
+    state: absent
+    template: templates/acs/03-secure-cluster.yaml.j2
+    verify_ssl: no
+
+- name: "Delete {{ clusterName }} namespace on Infra cluster"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+    name: "{{ acs_stackrox_namespace }}"
+    api_version: v1
+    kind: Namespace
+    verify_ssl: no
+    state: absent

install/roles/tealc/tasks/infra-setup/delete/delete_acs.yaml

@@ -0,0 +1,14 @@
+---
+- include_tasks:
+    file: advanced-cluster-security/unregister_clusters.yaml
+  loop: "{{ worker_clusters }}"
+  loop_control:
+    loop_var: clusterName
+
+- include_tasks:
+    file: advanced-cluster-security/unregister_clusters.yaml
+  vars:
+    clusterName: "{{ infra_context_name }}"
+
+- include_tasks:
+    file: advanced-cluster-security/delete_acs.yaml

install/roles/tealc/tasks/infra-setup/install/advanced-cluster-security/install_acs_central.yaml

@@ -0,0 +1,33 @@
+---
+- name: "Create central on Infra cluster"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+    namespace: "{{ acs_namespace }}"
+    state: present
+    apply: true
+    verify_ssl: no
+    template: "{{ item }}"
+  loop:
+    - templates/acs/02-central.yaml.j2
+  register: acs_central
+
+- name: Sleep for 30 seconds and continue with play
+  wait_for:
+    timeout: 30
+  when: acs_central.changed
+
+- name: "Wait for Central custom resource on Infra cluster"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+    namespace: "{{ acs_namespace }}"
+    kind: Central
+    api_version: platform.stackrox.io/v1alpha1
+    name: stackrox-central-services
+    wait: true
+    verify_ssl: no
+    wait_condition:
+      type: Deployed
+      status: True
+      reason: UpgradeSuccessful
+  retries: 60
+  delay: 10

install/roles/tealc/tasks/infra-setup/install/advanced-cluster-security/install_acs_operator.yaml

@@ -0,0 +1,20 @@
+- name: "Create ACS namespace on {{ clusterName }} cluster"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeconfig_path }}/{{ clusterName }}"
+    api_version: v1
+    kind: Namespace
+    name: "{{ acs_namespace }}"
+    verify_ssl: no
+    state: present
+
+- name: "Create ACS operator group and subscription on {{ clusterName }} cluster"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeconfig_path }}/{{ clusterName }}"
+    namespace: "{{ acs_namespace }}"
+    state: present
+    apply: true
+    verify_ssl: no
+    template: "{{ item }}"
+  loop:
+    - templates/acs/00-operator-group.yaml.j2
+    - templates/acs/01-acs-subscription.yaml.j2

install/roles/tealc/tasks/infra-setup/install/advanced-cluster-security/register_cluster.yaml

@@ -0,0 +1,71 @@
+- name: Check if api_token exists
+  kubernetes.core.k8s_info:
+    api_version: v1
+    kind: Secret
+    name: stackrox-api-token
+    namespace: "{{ acs_namespace }}"
+    verify_ssl: no
+    kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+  register: token
+
+- name: Check if init-bundle exists
+  kubernetes.core.k8s_info:
+    api_version: v1
+    kind: Secret
+    name: stackrox-init-bundle
+    namespace: "{{ acs_namespace }}"
+    verify_ssl: no
+    kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+  register: init_bundle
+
+- name: Generate api token
+  shell: |
+    curl -k -X POST -u "admin:`oc get secret central-htpasswd -o yaml -n {{ acs_namespace }} | grep "password" | awk '{print $2}' | base64 -d`" "$ROX_ENDPOINT/v1/apitokens/generate" -d '{"name":"admin-{{ lookup('community.general.random_string', length=4, special=False) }}", "role": "Admin"}' | jq .token > {{ acs_api_token_file }}
+    oc create secret generic stackrox-api-token --from-file token={{ acs_api_token_file }} -n "{{ acs_namespace }}"
+  environment:
+    KUBECONFIG: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+  when: token.resources | length == 0
+
+- name: Generate init bundle
+  shell: |
+    oc get secret stackrox-api-token -n {{ acs_namespace }} -o jsonpath={.data.token} | base64 -d > {{ acs_api_token_file }}
+    roxctl -e {{ acs_central_url }} --token-file={{ acs_api_token_file }} central init-bundles generate init-bundle-{{ lookup('community.general.random_string', length=4, special=False) }} --insecure-skip-tls-verify --output-secrets {{ acs_init_secrets }}
+    oc create secret generic stackrox-init-bundle --from-file deploy={{ acs_init_secrets }} -n "{{ acs_namespace }}"
+  environment:
+    KUBECONFIG: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+  when: init_bundle.resources | length == 0
+
+- name: Get deployment files for stackrox
+  shell: |
+    oc get secret stackrox-init-bundle -n {{ acs_namespace }} -o jsonpath={.data.deploy} | base64 -d > {{ acs_init_secrets }}
+  environment:
+    KUBECONFIG: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+
+- name: "Create {{ acs_stackrox_namespace }} on {{ clusterName }} cluster"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeconfig_path }}/{{ clusterName }}"
+    api_version: v1
+    kind: Namespace
+    name: "{{ acs_stackrox_namespace }}"
+    verify_ssl: no
+    state: present
+
+- name: Deploy secrets for stackrox
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeconfig_path }}/{{ clusterName }}"
+    namespace: "{{ acs_stackrox_namespace }}"
+    state: present
+    apply: true
+    verify_ssl: no
+    src: "{{ acs_init_secrets }}"
+
+- name: "Create secured cluster {{ clusterName }} cluster"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeconfig_path }}/{{ clusterName }}"
+    namespace: "{{ acs_stackrox_namespace }}"
+    state: present
+    apply: true
+    verify_ssl: no
+    template: "{{ item }}"
+  loop:
+    - templates/acs/03-secure-cluster.yaml.j2

install/roles/tealc/tasks/infra-setup/install/orchestrate_acs.yaml

@@ -0,0 +1,18 @@
+---
+# Install operator on infra cluster
+- include_tasks:
+    file: advanced-cluster-security/install_acs_operator.yaml
+  loop: "{{ clusters }}"
+  loop_control:
+    loop_var: clusterName
+
+# Install central on infra cluster
+- include_tasks:
+    file: advanced-cluster-security/install_acs_central.yaml
+
+# Register infra cluster as secured cluster
+- include_tasks:
+    file: advanced-cluster-security/register_cluster.yaml
+  loop: "{{ clusters }}"
+  loop_control:
+    loop_var: clusterName

install/roles/tealc/tasks/main.yml

@@ -72,6 +72,9 @@
 - import_tasks: infra-setup/install/orchestrate_logging.yaml
   tags: [logging, infra, monitoring, never]
 
+- import_tasks: infra-setup/install/orchestrate_acs.yaml
+  tags: [acs, infra, security, never]
+
 - import_tasks: infra-setup/install/install_links.yaml
   tags: [infra, console-link, links, never]
 
@@ -113,5 +116,8 @@
 - import_tasks: infra-setup/delete/delete_acm.yaml
   tags: [never, teardown-acm, teardown-logging, teardown, teardown-monitoring]
 
+- import_tasks: infra-setup/delete/delete_acs.yaml
+  tags: [never, teardown-acs, teardown, teardown-security]
+
 - import_tasks: infra-setup/delete/delete_kubed.yaml
   tags: [never, teardown, teardown-kubed]

install/roles/tealc/templates/acs/00-operator-group.yaml.j2

@@ -0,0 +1,7 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: rhacs-operator-group
+  namespace: {{ acs_namespace }}
+spec:
+  upgradeStrategy: Default

install/roles/tealc/templates/acs/01-acs-subscription.yaml.j2

@@ -0,0 +1,12 @@
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: rhacs-operator
+  namespace: {{ acs_namespace }}
+spec:
+  channel: rhacs-{{ acs_version }}
+  installPlanApproval: Automatic
+  name: rhacs-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace

install/roles/tealc/templates/acs/02-central.yaml.j2

@@ -0,0 +1,37 @@
+apiVersion: platform.stackrox.io/v1alpha1
+kind: Central
+metadata:
+  name: stackrox-central-services
+  namespace: {{ acs_namespace }}
+spec:
+  monitoring:
+    openshift:
+      enabled: true
+  central:
+    exposure:
+      loadBalancer:
+        enabled: false
+        port: 443
+      nodePort:
+        enabled: false
+      route:
+        enabled: true
+    telemetry:
+      enabled: true
+    db:
+      isEnabled: Default
+      persistence:
+        persistentVolumeClaim:
+          claimName: central-db
+    persistence:
+      persistentVolumeClaim:
+        claimName: stackrox-db
+  egress:
+    connectivityPolicy: Online
+  scanner:
+    analyzer:
+      scaling:
+        autoScaling: Enabled
+        maxReplicas: 5
+        minReplicas: 2
+        replicas: 3