ansible: Deploy ARA

[ARA Records Ansible][0] is a results storage system for Ansible. It provides a convenient UI for tracking Ansible playbooks and tasks. The data are populated by an Ansible callback plugin. ARA is a fairly simple Python+Django application. It needs a database to store Ansible results, so we've connected it to the main PostgreSQL database and configured it to connect and authenticate using mTLS. Rather than mess with managing and distributing a static password for ARA clients, I've configured Autheliad to allow anonymous access to post data to the ARA API from within the private network or the Kubernetes cluster. Access to the web UI does require authentication. [0]: https://ara.recordsansible.org/
2025-02-01 18:03:36 -06:00
parent 32175156ac
commit 759d8f112f
9 changed files with 266 additions and 0 deletions
--- a/ansible/ingress.yaml
+++ b/ansible/ingress.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ara
+  labels:
+    app.kubernetes.io/name: ara
+    app.kubernetes.io/component: ara
+  annotations:
+    cert-manager.io/cluster-issuer: dch-ca
+    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+    nginx.ingress.kubernetes.io/auth-method: GET
+    nginx.ingress.kubernetes.io/auth-url: http://authelia.authelia.svc.cluster.local:9091/api/verify
+    nginx.ingress.kubernetes.io/auth-signin: https://auth.pyrocufflink.blue/?rm=$request_method
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header X-Forwarded-Method $request_method;
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - ara.ansible.pyrocufflink.blue
+    secretName: ara-cert
+  rules:
+  - host: ara.ansible.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: ara
+            port:
+              name: http