feat: add restricted kubeconfig creation

Signed-off-by: Gerard Vanloo <gerard.vanloo@ibm.com>

Author: Red-GV

sre/roles/agent/tasks/generate_restricted_kubeconfig.yaml

@@ -0,0 +1,35 @@
+---
+- name: Load kubeconfig file
+  ansible.builtin.set_fact:
+    agent_kubeconfig: "{{ lookup('ansible.builtin.file', agent_cluster.kubeconfig) | from_yaml }}"
+
+- name: Find index of current context cluster
+  ansible.builtin.set_fact:
+    agent_cluster_index: "{{ lookup('ansible.utils.index_of', agent_kubeconfig.clusters, 'eq', cluster, 'name') }}"
+  vars:
+    cluster: "{{ agent_kubeconfig['current-context'] }}"
+
+- name: Generate contexts and users
+  ansible.builtin.set_fact:
+    agent_contexts: "{{ (agent_contexts | default([])) + [{'cluster': cluster, 'user': 'agent', 'namespace': kv.key}] }}"
+    agent_users: "{{ (agent_users | default([])) +[{'name': 'agent', 'user': {'token': kv.value}}] }}"
+  loop: "{{ agent_application_tokens | dict2items }}"
+  loop_control:
+    label: application/{{ kv.key }}
+    loop_var: kv
+  vars:
+    cluster: "{{ agent_kubeconfig['current-context'] }}"
+  when:
+    - kv.value != ""
+
+- name: Create restricted kubeconfig file in temporary directory
+  ansible.builtin.copy:
+    content: "{{ lookup('ansible.builtin.template', 'templates/kubeconfig.j2') | from_yaml | to_nice_yaml(indent=2) }}"
+    dest: /tmp/restricted_config
+    mode: "0644"
+  vars:
+    certificate_authority_data: "{{ agent_kubeconfig.clusters[agent_cluster_index].cluster['certificate-authority-data'] }}"
+    cluster: "{{ agent_kubeconfig.clusters[agent_cluster_index].name }}"
+    contexts: "{{ agent_contexts }}"
+    server: "{{ agent_kubeconfig.clusters[agent_cluster_index].cluster.server }}"
+    users: "{{ agent_users }}"

sre/roles/agent/templates/kubeconfig.j2

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Config
+preferences: {}
+clusters:
+  - cluster:
+      server: {{ server }}
+      certificate-authority-data: {{ certificate_authority_data }}
+    name: {{ cluster }}
+contexts:  {{ contexts }}
+current-context: {{ cluster }}
+users: {{ users }}

sre/roles/applications/tasks/install.yaml

@@ -21,14 +21,12 @@
     - applications_required.otel_demo is defined
     - applications_required.otel_demo.enabled
 
-# TODO: Enable these tasks during the refactor of the e2e
-
-# - name: Import Deployment Time tasks
-#   ansible.builtin.import_tasks:
-#     file: register_deployment_time.yaml
-
-# - name: Import Deployment Failure tasks
-#   ansible.builtin.import_tasks:
-#     file: register_deployment_failure.yaml
-#   when:
-#     - (sre_bench_runner | default(false))
+- name: Import agents role for restricted kubeconfig generation
+  ansible.builtin.import_role:
+    name: agent
+    tasks_from: generate_restricted_kubeconfig
+  vars:
+    agent_application_tokens:
+      "{{ applications_helm_releases.otel_demo.namespace }}": "{{ applications_otel_demo_token | default('') }}"
+    agent_cluster:
+      kubeconfig: "{{ cluster.kubeconfig }}"

sre/roles/applications/tasks/install_otel_demo.yaml

@@ -399,3 +399,7 @@
       namespace: "{{ helm_release.namespace }}"
     agent_cluster:
       kubeconfig: "{{ cluster.kubeconfig }}"
+
+- name: Set token variable for telemetry access
+  ansible.builtin.set_fact:
+    applications_otel_demo_token: "{{ agent_token_request.result.status.token }}"