- ---
- # roxctl doesn't really leave any specific signature, so check for sensor.sh
- - name: sensor.sh check
- stat:
- path: "{{ ansible_facts['user_dir'] }}/{{ cluster }}-secured/sensor.sh"
- register: sensor_script_present
- - name: check for deployments anyway as well
- kubernetes.core.k8s_info:
- kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}"
- validate_certs: no
- api_version: apps/v1
- kind: deployment
- namespace: "{{ clusters[cluster].namespace }}"
- label_selectors:
- - app.kubernetes.io/instance=stackrox-secured-cluster-services
- register: sensor_deployments_present
- - name: create sensor.sh resources
- ansible.builtin.command:
- argv:
- - /usr/local/bin/roxctl
- - -e
- - "{{ api_ep }}"
- - --token-file={{ ansible_facts['user_dir'] }}/api-token
- - sensor
- - generate
- - openshift
- - --openshift-version=4
- - --admission-controller-scan-inline=true
- - --admission-controller-timeout=10
- - --admission-controller-listen-on-events
- - --admission-controller-listen-on-creates
- - --admission-controller-listen-on-updates
- - --central={{ api_ep }}
- - --collection-method=kernel-module
- - --slim-collector=true
- - --name={{ clusters[cluster].name }}
- - --output-dir=./{{ clusters[cluster].name }}-secured
- chdir: "{{ ansible_facts['user_dir'] }}"
- when: not sensor_script_present.stat.exists
- - name: apply sensor.sh resources
- ansible.builtin.command:
- argv:
- - /usr/bin/env
- - REGISTRY_USERNAME={{ pull_user }}
- - REGISTRY_PASSWORD={{ pull_pass }}
- - KUBECONFIG={{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}
- - "{{ ansible_facts['user_dir'] }}/{{ clusters[cluster].name }}-secured/sensor.sh"
- chdir: "{{ ansible_facts['user_dir'] }}"
- when: sensor_deployments_present.resources | length < 2
- ...