Wpb 22439 wiab dev fixes

ansible/inventory/demo/host.yml

@@ -18,7 +18,7 @@ wiab:
     wire_ip: ""
 
     # artifact_hash
-    artifact_hash: "8e5087a0d9c58a9bd34c6c02f87514abe8b3ce0e"
+    artifact_hash: "94523acf6df5a177fd7fc1a7fdc004ce5335233b"
 
     # docker vars
     docker_ce_version: "5:28.1.1-1~ubuntu.24.04~noble"

ansible/wiab-demo/deploy_wiab.yml

@@ -36,16 +36,62 @@
   import_playbook: ./install_pkgs.yml
   tags: install_pkgs
 
+- name: Check and configure Ansible Python interpreter for Kubernetes operations
+  tags: always
+  hosts: deploy_node
+  tasks:
+  - name: Detect available Python interpreters and Kubernetes module
+    block:
+    - name: Check if kubernetes module is available in system Python
+      shell: "python3 -c 'import kubernetes; print(kubernetes.__version__)' 2>/dev/null"
+      register: system_k8s_check
+      changed_when: false
+      failed_when: false
+
+    - name: Check virtual environment only if system Python doesn't have kubernetes
+      block:
+      - name: Check if kubernetes module is available in virtual environment
+        shell: "/opt/ansible-venv/bin/python -c 'import kubernetes; print(kubernetes.__version__)' 2>/dev/null"
+        register: venv_k8s_check
+        changed_when: false
+        failed_when: false
+
+      - name: Configure to use virtual environment
+        block:
+        - name: Set ansible_python_interpreter to use virtual environment
+          set_fact:
+            ansible_python_interpreter: /opt/ansible-venv/bin/python
+            ansible_venv_path: /opt/ansible-venv
+
+        when: venv_k8s_check.rc == 0
+
+      - name: Kubernetes module not found - run install_pkgs playbook
+        fail:
+          msg: |
+            ❌ Kubernetes Python module not found!
+
+            System Python (/usr/bin/python3):
+              Status: NOT available
+
+            Virtual Environment (/opt/ansible-venv/bin/python):
+              Status: NOT available
+
+            To install kubernetes module, run:
+            ansible-playbook -i inventory.yml deploy_wiab.yml --tags install_pkgs
+        when: venv_k8s_check.rc != 0
+
+      when: system_k8s_check.rc != 0
+
 - name: Manage SSH keys (dependency for minikube, asset_host, seed_containers)
   import_playbook: ./setup_ssh.yml
   tags: always
   when: >
-    (('minikube' not in ansible_skip_tags or
+    ('minikube' not in ansible_skip_tags or
     'asset_host' not in ansible_skip_tags or
     'seed_containers' not in ansible_skip_tags)
-    and (ansible_skip_tags | length > 0))
-    or
-    ('minikube' in ansible_run_tags or
+    and
+    ('all' in ansible_run_tags or
+    'minikube' in ansible_run_tags or
     'asset_host' in ansible_run_tags or
     'seed_containers' in ansible_run_tags)
 
@@ -104,15 +150,16 @@
 
     tags: always
     when: >
-      (('minikube' not in ansible_skip_tags or
+      ('minikube' not in ansible_skip_tags or
       'asset_host' not in ansible_skip_tags or
-      'seed_containers' not in ansible_skip_tags)
-      and (ansible_skip_tags | length > 0))
-      or
-      ('minikube' in ansible_run_tags or
+      'seed_containers' not in ansible_skip_tags or
+      'helm_install' not in ansible_skip_tags)
+      and
+      ('all' in ansible_run_tags or
+      'minikube' in ansible_run_tags or
       'asset_host' in ansible_run_tags or
-      'seed_containers' in ansible_run_tags)
-      or use_cert_manager
+      'seed_containers' in ansible_run_tags or
+      'helm_install' in ansible_run_tags)
 
 - name: Configure Iptables rules
   import_playbook: ./iptables_rules.yml
@@ -126,6 +173,7 @@
   hosts: deploy_node
   become: yes
   become_user: "{{ ansible_user }}"
+  tags: always
   tasks:
   - name: Create a block for Minikube node tasks
     block:
@@ -209,13 +257,12 @@
       delegate_facts: true
       with_items: "{{ groups['k8s-cluster'] }}"
 
-    tags: always
     when: >
-      (('asset_host' not in ansible_skip_tags or
+      ('asset_host' not in ansible_skip_tags or
       'seed_containers' not in ansible_skip_tags)
-      and (ansible_skip_tags | length > 0))
-      or
-      ('asset_host' in ansible_run_tags or
+      and
+      ('all' in ansible_run_tags or
+      'asset_host' in ansible_run_tags or
       'seed_containers' in ansible_run_tags)
 
 - name: Setup Asset Host
@@ -246,11 +293,6 @@
   import_playbook: ./helm_install.yml
   tags: helm_install
 
-- name: Veirfy Cert Manager hairpin Networking
-  import_playbook: ./hairpin_networking.yml
-  tags: always
-  when: use_cert_manager
-
 # since, the temp_dir are created in a different set of tasks, these directories need to be searched 
 - name: Clean up temporary directories
   hosts: localhost

ansible/wiab-demo/helm_install.yml

@@ -271,3 +271,7 @@
         - "For more information:"
         - "https://github.com/wireapp/wire-server/tree/develop/charts/nginx-ingress-services"
     when: not use_cert_manager
+
+- name: Verify Cert Manager hairpin Networking
+  import_playbook: ./hairpin_networking.yml
+  when: use_cert_manager

ansible/wiab-demo/install_pkgs.yml

@@ -65,17 +65,30 @@
 
   - name: Ensure required Python libraries are installed for Kubernetes operations
     block:
-    - name: Install kubernetes Python library via pip
+    - name: Create Python virtual environment for Ansible
+      command: python3 -m venv /opt/ansible-venv
+      args:
+        creates: /opt/ansible-venv/bin/python
+      become: yes
+
+    - name: Install kubernetes Python library in virtual environment
       pip:
         name: 
           - kubernetes>=18.0.0
           - pyyaml>=5.4.1
-        executable: /usr/bin/pip3
+        executable: /opt/ansible-venv/bin/pip
         state: present
-        extra_args: "--break-system-packages"
       become: yes
       register: pip_install_result
 
+    - name: Create symbolic link for ansible Python interpreter
+      file:
+        src: /opt/ansible-venv/bin/python
+        dest: /usr/local/bin/ansible-python
+        state: link
+        force: yes
+      become: yes
+
     - name: Check if Docker CE is installed with correct version
       shell: apt policy docker-ce | grep "Installed:" | awk '{print $2}'
       register: installed_docker_version

ansible/wiab-demo/wire_secrets.yml

@@ -73,52 +73,43 @@
 
   - name: Initialize secrets.yaml files from demo templates
     block:
-    - name: Discover all chart directories in values_dir for initialization
+    - name: Find all demo-secrets.example.yaml files in one pass
       find:
         paths: "{{ values_dir }}"
-        file_type: directory
-        recurse: no
-      register: chart_dirs
+        patterns: "demo-secrets.example.yaml"
+        recurse: yes
+      register: demo_secrets_files
+      changed_when: false
 
-    - name: Verify demo-secrets.example.yaml template files exist
-      stat:
-        path: "{{ item.path }}/demo-secrets.example.yaml"
-      register: demo_secrets_stat
-      loop: "{{ chart_dirs.files }}"
+    - name: Backup and initialize secrets for all charts
+      shell: |
+        #!/bin/bash
+        set -e
+        demo_file="{{ item }}"
+        chart_dir="$(dirname "$demo_file")"
+        secrets_file="$chart_dir/secrets.yaml"
+
+        # Create timestamped backup if secrets.yaml exists
+        if [ -f "$secrets_file" ]; then
+          backup_file="${secrets_file}.bak.$(date +%Y%m%d_%H%M%S)"
+          mv "$secrets_file" "$backup_file"
+          echo "Backed up: $backup_file"
+        fi
+
+        # Copy demo template to secrets.yaml
+        cp "$demo_file" "$secrets_file"
+        echo "Initialized: $secrets_file"
+      args:
+        executable: /bin/bash
+      register: init_result
+      changed_when: "'Initialized:' in init_result.stdout"
+      loop: "{{ demo_secrets_files.files | map(attribute='path') | list }}"
       no_log: true
 
-    - name: Create timestamped backups of existing secrets.yaml files
-      block:
-      - name: Check if secrets.yaml file exists before backup
-        stat:
-          path: "{{ item.item.path }}/secrets.yaml"
-        register: secrets_file_stat
-        loop: "{{ demo_secrets_stat.results }}"
-        no_log: true
-
-      - name: Create backup with timestamp
-        shell: |
-          #!/bin/bash
-          source_file="{{ item.item.path }}/secrets.yaml"
-          backup_file="{{ item.item.path }}/secrets.yaml.bak.{{ lookup('pipe', 'date +%Y%m%d_%H%M%S') }}"
-          if [ -f "$source_file" ]; then
-            mv "$source_file" "$backup_file"
-          fi
-        args:
-          executable: /bin/bash
-        when: item.stat.exists
-        loop: "{{ demo_secrets_stat.results }}"
-        register: backup_result
-        no_log: true
-
-    - name: Initialize secrets.yaml from demo template for each chart
-      copy:
-        src: "{{ item.item.path }}/demo-secrets.example.yaml"
-        dest: "{{ item.item.path }}/secrets.yaml"
-        remote_src: yes
-      when: item.stat.exists
-      loop: "{{ demo_secrets_stat.results }}"
-      no_log: true
+    - name: Display backup and initialization summary
+      debug:
+        msg: "{{ init_result.results | map(attribute='stdout_lines') | flatten | list }}"
+      when: init_result.results | length > 0
 
     when: not skip_secret_generation
 
@@ -165,12 +156,9 @@
         set_fact:
           temp_dir: "{{ zauth_temp_dir.path }}"
 
-      - name: Generate Ed25519 private key in PEM format
-        openssl_privatekey:
-          path: "{{ temp_dir }}/key.pem"
-          type: Ed25519
-          force: yes
-        no_log: true
+      - name: Generate Ed25519 private key using openssl
+        shell: "openssl genpkey -algorithm ed25519 -out '{{ temp_dir }}/key.pem'"
+        changed_when: false
 
       - name: Extract private key in DER format
         shell: "openssl pkey -in '{{ temp_dir }}/key.pem' -outform DER 2>/dev/null > '{{ temp_dir }}/priv.der'"
@@ -193,12 +181,12 @@
         changed_when: false
 
       - name: Encode combined key to base64 (private key)
-        shell: "base64 -w 0 < '{{ temp_dir }}/combined.bytes'"
+        shell: "base64 -w 0 < '{{ temp_dir }}/combined.bytes' | tr -- '+/' '-_'"
         register: libsodium_priv
         changed_when: false
 
       - name: Encode public key to base64
-        shell: "base64 -w 0 < '{{ temp_dir }}/pub.bytes'"
+        shell: "base64 -w 0 < '{{ temp_dir }}/pub.bytes' | tr -- '+/' '-_'"
         register: libsodium_pub
         changed_when: false
 
@@ -230,29 +218,33 @@
           - name: Verify private key is valid base64
             assert:
               that:
-                - libsodium_priv.stdout is regex('^[A-Za-z0-9+/]+=*$')
+                - libsodium_priv.stdout is regex('^[A-Za-z0-9_-]+=*$')
               fail_msg: "Private key is not valid base64: {{ libsodium_priv.stdout }}"
               quiet: yes
 
           - name: Verify public key is valid base64
             assert:
               that:
-                - libsodium_pub.stdout is regex('^[A-Za-z0-9+/]+=*$')
+                - libsodium_pub.stdout is regex('^[A-Za-z0-9_-]+=*$')
               fail_msg: "Public key is not valid base64: {{ libsodium_pub.stdout }}"
               quiet: yes
 
       - name: Validate decoded key lengths
         block:
           - name: Decode and verify private key length (should be 64 bytes)
-            shell: "echo '{{ libsodium_priv.stdout }}' | base64 -d | wc -c"
+            shell: "printf '%s' '{{ libsodium_priv.stdout }}' | tr -- '-_' '+/' | base64 -d | wc -c"
             register: priv_decoded_len
             changed_when: false
 
           - name: Decode and verify public key length (should be 32 bytes)
-            shell: "echo '{{ libsodium_pub.stdout }}' | base64 -d | wc -c"
+            shell: "printf '%s' '{{ libsodium_pub.stdout }}' | tr -- '-_' '+/' | base64 -d | wc -c"
             register: pub_decoded_len
             changed_when: false
 
+          - name: debug
+            debug:
+              msg: " {{libsodium_pub.stdout}} {{libsodium_priv.stdout }}"
+
           - name: Assert decoded key lengths are correct
             assert:
               that: