broken down tasks into function groups

roles/federate-clusters/tasks/helm.yml

@@ -0,0 +1,86 @@
+---
+# helm uses some undecipherable configmaps, so we need to use the binary
+- name: helm chart check
+  ansible.builtin.command:
+    argv:
+      - /usr/bin/env
+      - KUBECONFIG={{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}
+      - /usr/local/bin/helm
+      - -n
+      - stackrox
+      - list
+      - -o
+      - json
+      - --filter
+      - stackrox.*services
+    chdir: "{{ ansible_facts['user_dir'] }}"
+  register: helm_chart_status
+
+- name: assert chart isn't there
+  set_fact:
+    helm_chart_present: false
+
+- name: unless proven otherwise
+  set_fact:
+    helm_chart_present: true
+  when:
+    - helm_chart_status.stdout | from_json | list | length > 0
+    - (helm_chart_status.stdout | from_json | list)[0].status == "deployed"
+
+- name: create helm vars
+  template:
+    src: templates/helm-vars.yml
+    dest: "{{ ansible_facts['user_dir'] }}/{{ clusters[cluster].name }}-helm-vars.yaml"
+    mode: 0600
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+  when:
+    - not helm_chart_present
+
+- name: check the repo
+  ansible.builtin.command:
+    argv:
+      - /usr/bin/env
+      - KUBECONFIG={{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}
+      - /usr/local/bin/helm
+      - repo
+      - list
+      - -o
+      - json
+    chdir: "{{ ansible_facts['user_dir'] }}"
+  ignore_errors: yes
+  register: repo_is_there
+
+- name: add the repo
+  ansible.builtin.command:
+    argv:
+      - /usr/bin/env
+      - KUBECONFIG={{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}
+      - /usr/local/bin/helm
+      - repo
+      - add
+      - rhacs
+      - https://mirror.openshift.com/pub/rhacs/charts/
+    chdir: "{{ ansible_facts['user_dir'] }}"
+  when: repo_is_there.failed or (repo_is_there.stdout | from_json | list | length) == 0
+
+- name: apply helm chart
+  ansible.builtin.command:
+    argv:
+      - /usr/bin/env
+      - KUBECONFIG={{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}
+      - /usr/local/bin/helm
+      - install
+      - -n
+      - stackrox
+      - --create-namespace
+      - stackrox-secured-cluster-services
+      - rhacs/secured-cluster-services
+      - -f 
+      - "{{ ansible_facts['user_dir'] }}/{{ clusters[cluster].name }}-helm-bundle.yaml"
+      - -f 
+      - "{{ ansible_facts['user_dir'] }}/{{ clusters[cluster].name }}-helm-vars.yaml"
+    chdir: "{{ ansible_facts['user_dir'] }}"
+  when:
+    - not helm_chart_present
+...

roles/federate-clusters/tasks/init-bundles.yml

@@ -0,0 +1,79 @@
+---
+- name: init bundle check
+  uri:
+    method: GET
+    return_content: true
+    validate_certs: false
+    url: "https://{{ api_ep }}/v1/cluster-init/init-bundles"
+    headers:
+      Authorization: Bearer {{ api_token }}
+      Accept: application/json
+  register: init_bundle_response
+
+- name: assume init bundle isn't there
+  set_fact:
+    init_bundle_present: false
+
+- name: unless found
+  set_fact:
+    init_bundle_present: true
+  when:
+    - init_bundle_response.json['items'] | length > 0
+    - (init_bundle_response.json['items'] | items2dict(key_name='name', value_name='expiresAt'))[clusters[cluster].name] is defined
+
+- name: generate init bundle
+  uri:
+    method: POST
+    return_content: true
+    validate_certs: false
+    url: "https://{{ api_ep }}/v1/cluster-init/init-bundles"
+    headers:
+      Authorization: Bearer {{ api_token }}
+      Accept: application/json
+      Content-Type: application/json
+    body: '{"name":"{{ clusters[cluster].name | string }}"}'
+  register: init_bundle_content
+  when:
+    - not init_bundle_present
+
+- name: store init bundle - operator
+  copy:
+    dest: "{{ ansible_facts['user_dir'] }}/{{ cluster }}-init-bundle.yaml"
+    content: "{{ init_bundle_content.json.kubectlBundle | b64decode }}"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: 0600
+  when:
+    - not init_bundle_present
+    - clusters[cluster].method == 'operator'
+
+- name: store init bundle - helm
+  copy:
+    dest: "{{ ansible_facts['user_dir'] }}/{{ cluster }}-helm-bundle.yaml"
+    content: "{{ init_bundle_content.json.helmValuesBundle | b64decode }}"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: 0600
+  when:
+    - not init_bundle_present
+    - clusters[cluster].method == 'helm'
+
+- name: make sure namespace is there
+  kubernetes.core.k8s:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}"
+    validate_certs: no
+    api_version: v1
+    kind: Namespace
+    name: "{{ clusters[cluster].namespace }}"
+    namespace: ""
+    state: present
+
+- name: create init bundle
+  kubernetes.core.k8s:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}"
+    validate_certs: no
+    src: "{{ ansible_facts['user_dir'] }}/{{ cluster }}-init-bundle.yaml"
+    namespace: "{{ clusters[cluster].namespace }}"
+  when:
+    - clusters[cluster].method == 'operator'
+...

roles/federate-clusters/tasks/main.yml

@@ -46,86 +46,8 @@
     # (this last one is because roxctl creates a cluster record but leaves its status at null until services check in)
 
 # step 1: we could have lots of fun (authentication in place)
-- block:
-
-  - name: init bundle check
-    uri:
-      method: GET
-      return_content: true
-      validate_certs: false
-      url: "https://{{ api_ep }}/v1/cluster-init/init-bundles"
-      headers:
-        Authorization: Bearer {{ api_token }}
-        Accept: application/json
-    register: init_bundle_response
-
-  - name: assume init bundle isn't there
-    set_fact:
-      init_bundle_present: false
-
-  - name: unless found
-    set_fact:
-      init_bundle_present: true
-    when:
-      - init_bundle_response.json['items'] | length > 0
-      - (init_bundle_response.json['items'] | items2dict(key_name='name', value_name='expiresAt'))[clusters[cluster].name] is defined
-
-  - name: generate init bundle
-    uri:
-      method: POST
-      return_content: true
-      validate_certs: false
-      url: "https://{{ api_ep }}/v1/cluster-init/init-bundles"
-      headers:
-        Authorization: Bearer {{ api_token }}
-        Accept: application/json
-        Content-Type: application/json
-      body: '{"name":"{{ clusters[cluster].name | string }}"}'
-    register: init_bundle_content
-    when:
-      - not init_bundle_present
-
-  - name: store init bundle - operator
-    copy:
-      dest: "{{ ansible_facts['user_dir'] }}/{{ cluster }}-init-bundle.yaml"
-      content: "{{ init_bundle_content.json.kubectlBundle | b64decode }}"
-      owner: "{{ ansible_user }}"
-      group: "{{ ansible_user }}"
-      mode: 0600
-    when:
-      - not init_bundle_present
-      - clusters[cluster].method == 'operator'
-
-  - name: store init bundle - helm
-    copy:
-      dest: "{{ ansible_facts['user_dir'] }}/{{ cluster }}-helm-bundle.yaml"
-      content: "{{ init_bundle_content.json.helmValuesBundle | b64decode }}"
-      owner: "{{ ansible_user }}"
-      group: "{{ ansible_user }}"
-      mode: 0600
-    when:
-      - not init_bundle_present
-      - clusters[cluster].method == 'helm'
-
-  - name: make sure namespace is there
-    kubernetes.core.k8s:
-      kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}"
-      validate_certs: no
-      api_version: v1
-      kind: Namespace
-      name: "{{ clusters[cluster].namespace }}"
-      namespace: ""
-      state: present
-
-  - name: create init bundle
-    kubernetes.core.k8s:
-      kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}"
-      validate_certs: no
-      src: "{{ ansible_facts['user_dir'] }}/{{ cluster }}-init-bundle.yaml"
-      namespace: "{{ clusters[cluster].namespace }}"
-    when:
-      - clusters[cluster].method == 'operator'
-
+- include_tasks:
+    file: init-bundles.yml
   when:
     - clusters[cluster].method in ['operator', 'helm']
     - not cluster_found
@@ -133,177 +55,9 @@
   # no init bundles for method 'roxctl'
 
 # step 2: there's so much we can do (not really, just make sure artifacts are either present or created)
-
-# operator has its securedcluster resource
-- block:
-  - name: securedcluster cr check
-    k8s_info:
-      kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}"
-      validate_certs: no
-      api_version: platform.stackrox.io/v1alpha1
-      kind: SecuredCluster
-      namespace: "{{ clusters[cluster].namespace }}"
-      name: "{{ clusters[cluster].name }}"
-    register: secured_cr
-
-  - name: create cr resource
-    kubernetes.core.k8s:
-      kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}"
-      validate_certs: no
-      template: templates/securedcluster-cr.yml
-    when: secured_cr.resources | length == 0
-
-  when:
-    - clusters[cluster].method == 'operator'
-    - not cluster_found
-
-# roxctl doesn't really leave any specific signature, so check for sensor.sh
-- block:
-  - name: sensor.sh check
-    stat:
-      path: "{{ ansible_facts['user_dir'] }}/{{ cluster }}-secured/sensor.sh"
-    register: sensor_script_present
-
-  - name: check for deployments anyway as well
-    k8s_info:
-      kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}"
-      validate_certs: no
-      api_version: apps/v1
-      kind: deployment
-      namespace: "{{ clusters[cluster].namespace }}"
-      label_selectors:
-        - app.kubernetes.io/instance=stackrox-secured-cluster-services
-    register: sensor_deployments_present
-
-  - name: create sensor.sh resources
-    ansible.builtin.command:
-      argv:
-        - /usr/local/bin/roxctl
-        - -e
-        - "{{ api_ep }}"
-        - --token-file={{ ansible_facts['user_dir'] }}/api-token
-        - sensor
-        - generate
-        - openshift
-        - --openshift-version=4
-        - --admission-controller-scan-inline=true
-        - --admission-controller-timeout=10
-        - --admission-controller-listen-on-events
-        - --admission-controller-listen-on-creates
-        - --admission-controller-listen-on-updates
-        - --central={{ api_ep }}
-        - --collection-method=kernel-module
-        - --slim-collector=true
-        - --name={{ clusters[cluster].name }}
-        - --output-dir=./{{ clusters[cluster].name }}-secured
-      chdir: "{{ ansible_facts['user_dir'] }}"
-    when: not sensor_script_present.stat.exists
-
-  - name: apply sensor.sh resources
-    ansible.builtin.command:
-      argv:
-        - /usr/bin/env
-        - REGISTRY_USERNAME={{ pull_user }}
-        - REGISTRY_PASSWORD={{ pull_pass }}
-        - KUBECONFIG={{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}
-        - "{{ ansible_facts['user_dir'] }}/{{ clusters[cluster].name }}-secured/sensor.sh"
-      chdir: "{{ ansible_facts['user_dir'] }}"
-    when: sensor_deployments_present.resources | length < 2
-
-  when:
-    - clusters[cluster].method == 'roxctl'
-    - not cluster_found
-
-# helm uses some undecipherable configmaps, so we need to use the binary
-- block:
-  - name: helm chart check
-    ansible.builtin.command:
-      argv:
-        - /usr/bin/env
-        - KUBECONFIG={{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}
-        - /usr/local/bin/helm
-        - -n
-        - stackrox
-        - list
-        - -o
-        - json
-        - --filter
-        - stackrox.*services
-      chdir: "{{ ansible_facts['user_dir'] }}"
-    register: helm_chart_status
-
-  - name: assert chart isn't there
-    set_fact:
-      helm_chart_present: false
-
-  - name: unless proven otherwise
-    set_fact:
-      helm_chart_present: true
-    when:
-      - helm_chart_status.stdout | from_json | list | length > 0
-      - (helm_chart_status.stdout | from_json | list)[0].status == "deployed"
-
-  - name: create helm vars
-    template:
-      src: templates/helm-vars.yml
-      dest: "{{ ansible_facts['user_dir'] }}/{{ clusters[cluster].name }}-helm-vars.yaml"
-      mode: 0600
-      owner: "{{ ansible_user }}"
-      group: "{{ ansible_user }}"
-    when:
-      - not helm_chart_present
-
-  - name: check the repo
-    ansible.builtin.command:
-      argv:
-        - /usr/bin/env
-        - KUBECONFIG={{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}
-        - /usr/local/bin/helm
-        - repo
-        - list
-        - -o
-        - json
-      chdir: "{{ ansible_facts['user_dir'] }}"
-    ignore_errors: yes
-    register: repo_is_there
-
-  - debug: var=repo_is_there
-
-  - name: add the repo
-    ansible.builtin.command:
-      argv:
-        - /usr/bin/env
-        - KUBECONFIG={{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}
-        - /usr/local/bin/helm
-        - repo
-        - add
-        - rhacs
-        - https://mirror.openshift.com/pub/rhacs/charts/
-      chdir: "{{ ansible_facts['user_dir'] }}"
-    when: repo_is_there.failed or (repo_is_there.stdout | from_json | list | length) == 0
-
-  - name: apply helm chart
-    ansible.builtin.command:
-      argv:
-        - /usr/bin/env
-        - KUBECONFIG={{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}
-        - /usr/local/bin/helm
-        - install
-        - -n
-        - stackrox
-        - --create-namespace
-        - stackrox-secured-cluster-services
-        - rhacs/secured-cluster-services
-        - -f 
-        - "{{ ansible_facts['user_dir'] }}/{{ clusters[cluster].name }}-helm-bundle.yaml"
-        - -f 
-        - "{{ ansible_facts['user_dir'] }}/{{ clusters[cluster].name }}-helm-vars.yaml"
-      chdir: "{{ ansible_facts['user_dir'] }}"
-    when:
-      - not helm_chart_present
-
+- include_tasks:
+    file: "{{ clusters[cluster].method }}.yml"
   when:
-    - clusters[cluster].method == 'helm'
     - not cluster_found
 
 # step 3: there is just you and me (wait for pods to pop up)
@@ -406,5 +160,20 @@
     - pending_pods.resources[0].metadata.labels.app == 'collector'
 
 # step 5: don't you know the time has arrived (just recheck the cluster in central - it should be healthy)
-
+- name: check that the cluster is marked as discovered
+  uri:
+    method: GET
+    return_content: true
+    validate_certs: false
+    url: "https://{{ api_ep }}/v1/clusters"
+    headers:
+      Authorization: Bearer {{ api_token }}
+      Accept: application/json
+  register: cluster_query_fin
+  until:
+    - cluster_query_fin.json.clusters | length > 0
+    - (cluster_query_fin.json.clusters | items2dict(key_name='name', value_name='status'))[clusters[cluster].name] is defined
+    - ((cluster_query_fin.json.clusters | items2dict(key_name='name', value_name='status'))[clusters[cluster].name]).sensorVersion is defined
+  retries: 30
+  delay: 5
 ...

roles/federate-clusters/tasks/operator.yml

@@ -0,0 +1,19 @@
+---
+# operator has its securedcluster resource
+- name: securedcluster cr check
+  k8s_info:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}"
+    validate_certs: no
+    api_version: platform.stackrox.io/v1alpha1
+    kind: SecuredCluster
+    namespace: "{{ clusters[cluster].namespace }}"
+    name: "{{ clusters[cluster].name }}"
+  register: secured_cr
+
+- name: create cr resource
+  kubernetes.core.k8s:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}"
+    validate_certs: no
+    template: templates/securedcluster-cr.yml
+  when: secured_cr.resources | length == 0
+...

roles/federate-clusters/tasks/roxctl.yml

@@ -0,0 +1,53 @@
+---
+# roxctl doesn't really leave any specific signature, so check for sensor.sh
+- name: sensor.sh check
+  stat:
+    path: "{{ ansible_facts['user_dir'] }}/{{ cluster }}-secured/sensor.sh"
+  register: sensor_script_present
+
+- name: check for deployments anyway as well
+  k8s_info:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}"
+    validate_certs: no
+    api_version: apps/v1
+    kind: deployment
+    namespace: "{{ clusters[cluster].namespace }}"
+    label_selectors:
+      - app.kubernetes.io/instance=stackrox-secured-cluster-services
+  register: sensor_deployments_present
+
+- name: create sensor.sh resources
+  ansible.builtin.command:
+    argv:
+      - /usr/local/bin/roxctl
+      - -e
+      - "{{ api_ep }}"
+      - --token-file={{ ansible_facts['user_dir'] }}/api-token
+      - sensor
+      - generate
+      - openshift
+      - --openshift-version=4
+      - --admission-controller-scan-inline=true
+      - --admission-controller-timeout=10
+      - --admission-controller-listen-on-events
+      - --admission-controller-listen-on-creates
+      - --admission-controller-listen-on-updates
+      - --central={{ api_ep }}
+      - --collection-method=kernel-module
+      - --slim-collector=true
+      - --name={{ clusters[cluster].name }}
+      - --output-dir=./{{ clusters[cluster].name }}-secured
+    chdir: "{{ ansible_facts['user_dir'] }}"
+  when: not sensor_script_present.stat.exists
+
+- name: apply sensor.sh resources
+  ansible.builtin.command:
+    argv:
+      - /usr/bin/env
+      - REGISTRY_USERNAME={{ pull_user }}
+      - REGISTRY_PASSWORD={{ pull_pass }}
+      - KUBECONFIG={{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}
+      - "{{ ansible_facts['user_dir'] }}/{{ clusters[cluster].name }}-secured/sensor.sh"
+    chdir: "{{ ansible_facts['user_dir'] }}"
+  when: sensor_deployments_present.resources | length < 2
+...