From feab494a3e660a5dfb96ae9bd71344c7422160c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Fri, 23 Aug 2024 17:08:50 +0000
Subject: [PATCH] Security assets with GLPI tool

---
 common/playbooks/security-assets.yaml         | 40 +++++++++++++++++++
 .../etc/glpi-agent/conf.d/01-eosc.cfg.j2      |  7 ++++
 requirements.yml                              |  1 +
 staging1/deploy.sh                            |  2 +
 staging1/playbooks/security-assets.yaml       |  1 +
 staging1/playbooks/templates/etc/glpi-agent   |  1 +
 6 files changed, 52 insertions(+)
 create mode 100644 common/playbooks/security-assets.yaml
 create mode 100644 common/playbooks/templates/etc/glpi-agent/conf.d/01-eosc.cfg.j2
 create mode 120000 staging1/playbooks/security-assets.yaml
 create mode 120000 staging1/playbooks/templates/etc/glpi-agent

diff --git a/common/playbooks/security-assets.yaml b/common/playbooks/security-assets.yaml
new file mode 100644
index 0000000..0ae2fe8
--- /dev/null
+++ b/common/playbooks/security-assets.yaml
@@ -0,0 +1,40 @@
+---
+#
+# Secrets in "/glpi-agent":
+#
+# * server (or local)
+# * user
+# * password
+# * tag
+#
+- name: GLPI Agent Configuration
+  hosts: allnodes
+  become: true
+  tasks:
+    - name: Get Secrets From Vault
+      set_fact:
+        secret: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/glpi-agent', token_validate=false) }}"
+    - name: Debug Secrets
+      debug:
+        msg: "{{ item.key }} = {{ item.value }}"
+      loop: "{{ secret | dict2items }}"
+    - name: Directory for for GLPI agent configuration
+      file:
+        path: /etc/glpi-agent/conf.d
+        state: directory
+        mode: 0755
+    - name: Configuration For GLPI Agent
+      template:
+        src: "templates/{{ item }}.j2"
+        dest: "{{ item }}"
+        mode: 0600
+      loop:
+        - /etc/glpi-agent/conf.d/01-eosc.cfg
+
+- name: GLPI Agent Deployment
+  hosts: allnodes
+  roles:
+    - role: 'ipr-cnrs.glpi_agent'
+      vars:
+        glpi_agent__install_from_url: true
+        glpi_agent__version: '1.10-1'
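Review bot: The `Debug Secrets` task prints every key of the Vault secret, including `password`, to the play output and to any configured Ansible log, and neither `Get Secrets From Vault` nor `Configuration For GLPI Agent` is marked `no_log`, so the same value can also surface in task results and `--diff` output. Drop the debug task (or limit it to `item.key` only) and add `no_log: true` to the `set_fact` task and the `template` task. The file modes are written as unquoted `mode: 0755` and `mode: 0600`, which YAML 1.1 parsers read as the integers 493 and 384; Ansible documents that quoted strings such as `mode: "0755"` and `mode: "0600"` give consistent results, especially inside loops. The `GLPI Agent Deployment` play has no `become: true`, unlike the first play; whether the role escalates privileges on its own is not visible here, so confirm that before relying on it for package installation.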
diff --git a/common/playbooks/templates/etc/glpi-agent/conf.d/01-eosc.cfg.j2 b/common/playbooks/templates/etc/glpi-agent/conf.d/01-eosc.cfg.j2
new file mode 100644
index 0000000..49dc79c
--- /dev/null
+++ b/common/playbooks/templates/etc/glpi-agent/conf.d/01-eosc.cfg.j2
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+
+{% for key, value in secret.items() -%}
+{% if value|length -%}
+{{ key }} = {{ value }}
+{% endif -%}
+{% endfor -%}
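Review bot: `{% if value|length -%}` raises a template error when a secret value is not a string or list (an integer or boolean stored in Vault has no length), so one oddly typed value aborts the whole play on every host; `{% if value is string and value|length -%}` keeps the intended "skip empty" behaviour without that failure mode. The loop also turns every key present in the Vault secret into an agent configuration directive without any filtering, while the playbook header documents only `server`/`local`, `user`, `password` and `tag`; either restrict the loop to that known set or state in the template comment that arbitrary keys are passed through, so the two stay in agreement.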
diff --git a/requirements.yml b/requirements.yml
index afe4528..9e77ef3 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -6,3 +6,4 @@ collections:
   - community.hashi_vault
 roles:
   - grycap.kubernetes
+  - ipr-cnrs.glpi_agent
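Review bot: `ipr-cnrs.glpi_agent` is added without a `version`, so each `ansible-galaxy install` fetches whatever the role's default branch currently holds, which makes deployments non-reproducible and lets any upstream change reach every node without review. Pin it to a released tag in the dictionary form, `- name: ipr-cnrs.glpi_agent` / `  version: "<pinned-release-tag>"` (placeholder; use the tag that was actually tested), and consider noting the expected commit in a comment so drift is visible in review.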
diff --git a/staging1/deploy.sh b/staging1/deploy.sh
index feba196..68cffd8 100755
--- a/staging1/deploy.sh
+++ b/staging1/deploy.sh
@@ -53,3 +53,5 @@ ansible-playbook playbooks/cvmfs.yaml
 
 # wait for finish
 while ansible -m command -a 'kubectl get pods --all-namespaces' master | tail -n +3 | grep -v ' Running '; do sleep 5; done
+
+ansible-playbook playbooks/security-assets.yaml
diff --git a/staging1/playbooks/security-assets.yaml b/staging1/playbooks/security-assets.yaml
new file mode 120000
index 0000000..6bc8155
--- /dev/null
+++ b/staging1/playbooks/security-assets.yaml
@@ -0,0 +1 @@
+../../common/playbooks/security-assets.yaml
\ No newline at end of file
diff --git a/staging1/playbooks/templates/etc/glpi-agent b/staging1/playbooks/templates/etc/glpi-agent
new file mode 120000
index 0000000..dfa13f5
--- /dev/null
+++ b/staging1/playbooks/templates/etc/glpi-agent
@@ -0,0 +1 @@
+../../../../common/playbooks/templates/etc/glpi-agent
\ No newline at end of file
-- 
GitLab