dch-webhooks: Enable host provisioning feature

The *dch-webhooks* server now has a _POST /host/online_ hook that can be triggered by a new machine when it first comes online. This hook starts an automatic provisioning process by creating a Kubernetes Job to run Ansible and publishing information about the host to provision via AMQP. Thus, the server now needs access to the Kubernetes API in order to create the Job and access to RabbitMQ in order to publish the task parameters.
2025-02-08 10:44:19 -06:00
parent 4d11a60e62
commit bed5ed5767
10 changed files with 225 additions and 1 deletions
--- a/dch-webhooks/dch-webhooks.yaml
+++ b/dch-webhooks/dch-webhooks.yaml
@@ -1,4 +1,14 @@
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dch-webhooks
+  labels:
+    app.kubernetes.io/name: dch-webhooks
+    app.kubernetes.io/component: dch-webhooks
+    app.kubernetes.io/part-of: dch-webhooks
+
+---
+apiVersion: v1
 kind: Service
 metadata:
  labels:
@@ -42,12 +52,14 @@ spec:
    spec:
      containers:
      - name: dch-webhooks
-        image: git.pyrocufflink.net/containerimages/dch-webhooks
+        image: git.pyrocufflink.net/infra/dch-webhooks
        env:
        - name: UVICORN_HOST
          value: 0.0.0.0
        - name: UVICORN_LOG_LEVEL
          value: debug
+        - name: ANSIBLE_JOB_YAML
+          value: /etc/dch-webhooks/ansible-job.yaml
        envFrom:
        - configMapRef:
            name: dch-webhooks
@@ -76,22 +88,37 @@ spec:
          name: firefly-token
        - mountPath: /run/secrets/du5t1n.me/paperless
          name: paperless-token
+        - mountPath: /run/secrets/du5t1n.me/rabbitmq
+          name: rabbitmq-cert
+          readOnly: true
        - mountPath: /run/secrets/du5t1n.me/step-ca
          name: step-ca-password
        - mountPath: /tmp
          name: tmp
          subPath: tmp
+        - mountPath: /etc/dch-webhooks
+          name: host-provisioner
+          readOnly: true
      securityContext:
        runAsNonRoot: true
+      serviceAccountName: dch-webhooks
      volumes:
      - name: firefly-token
        secret:
          secretName: firefly-token
          optional: true
+      - name: host-provisioner
+        configMap:
+          name: host-provisioner
+          optional: true
      - name: paperless-token
        secret:
          secretName: paperless-token
          optional: true
+      - name: rabbitmq-cert
+        secret:
+          secretName: rabbitmq-cert
+          optional: true
      - name: root-ca
        configMap:
          name: dch-root-ca