From 60fd25df8ec897e74c164d9cc0e49ed07d002d0e Mon Sep 17 00:00:00 2001
From: Jon
Date: Sun, 29 Oct 2023 16:53:00 +0930
Subject: [PATCH] feat(networking): install and configure wireguard encryption by default set to false. !2 #3
---
 defaults/main.yml | 1 +
 tasks/k3s.yaml | 11 +++++++++++
 tasks/k3s/wireguard.yaml | 26 ++++++++++++++++++++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 tasks/k3s/wireguard.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index 4fb8f8c..5fd19b4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -117,6 +117,7 @@ k3s: # name: k3s-prod # Mandatory, String. Ansible inventory_host that will # # act as the prime master node. # networking: +# encrypt: true # Optional, Boolean. default `false`. Install wireguard for inter-node encryption # podSubnet: 172.16.70.0/24 # Mandatory, String. CIDR # ServiceSubnet: 172.16.72.0/24 # Mandatory, String. CIDR # # Mandatory, String. Token to join nodes to the cluster
diff --git a/tasks/k3s.yaml b/tasks/k3s.yaml
index f0843ac..f0e4223 100644
--- a/tasks/k3s.yaml
+++ b/tasks/k3s.yaml
@@ -17,3 +17,14 @@
 install_kubernetes | default(true) | bool
 and
 not kubernetes_installed | default(false) | bool
+
+
+- name: Wireguard Cluster Encryption
+ ansible.builtin.include_tasks:
+ file: k3s/configure.yaml
+ when: >
+ install_kubernetes | default(true) | bool
+ and
+ not kubernetes_installed | default(false) | bool
+ and
+ not kubernetes_installed_encryption | default(false) | bool
diff --git a/tasks/k3s/wireguard.yaml b/tasks/k3s/wireguard.yaml
new file mode 100644
index 0000000..aa0adfb
--- /dev/null
+++ b/tasks/k3s/wireguard.yaml
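Review bot: The new include in tasks/k3s.yaml points at `file: k3s/configure.yaml`, but the file this commit adds is `tasks/k3s/wireguard.yaml`, so the Wireguard tasks are never loaded (or the include fails if `k3s/configure.yaml` does not exist); it should read `file: k3s/wireguard.yaml`. The `when` also requires `not kubernetes_installed`; if the preceding install task sets `kubernetes_installed: true` at its end, in the same way the new file sets `kubernetes_installed_encryption`, this include is skipped on the very run that installs the cluster — worth confirming against the install tasks above this hunk. The commit message says encryption is off by default, but the only default added is a commented line in defaults/main.yml; an explicit `encrypt: false` in the live defaults would make the gate visible and keep the `| default(false)` fallbacks in wireguard.yaml as a second line of defence rather than the only one.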
@@ -0,0 +1,26 @@
+---
+- name: Install Wireguard
+ ansible.builtin.apt:
+ name:
+ - wireguard
+ update_cache: false
+ when: >
+ ansible_os_family == 'Debian'
+ and
+ kubernetes.networking.encrypt | default(false) | bool
+
+
+- name: Enable Cluster Encryption
+ ansible.builtin.command:
+ cmd: kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true,"wireguardEnabledV6":true}}'
+ changed_when: false
+ when: >
+ ansible_os_family == 'Debian'
+ and
+ kubernetes.networking.encrypt | default(false) | bool
+ and
+ kubernetes_config.cluster.prime.name == inventory_hostname
+
+- name: Set Kubernetes Encryption Final Install Fact
+ ansible.builtin.set_fact:
+ kubernetes_installed_encryption: true
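Review bot: `changed_when: false` on the `kubectl patch felixconfiguration` task in Enable Cluster Encryption is wrong: the patch mutates cluster state, so the run that turns WireGuard on reports no change. Register the result and derive the change from kubectl's output, e.g. `register: wg_patch` and `changed_when: "'(no change)' not in wg_patch.stdout"` (kubectl prints `patched (no change)` when the spec already matches, as far as I recall — confirm against the kubectl version in use). The final set_fact is unconditional, so `kubernetes_installed_encryption` becomes true even when `kubernetes.networking.encrypt` is false, and since the include in tasks/k3s.yaml is gated on that fact, flipping `encrypt` on in a later run never enables it; gate the fact with `when: kubernetes.networking.encrypt | default(false) | bool`. Operationally, enabling WireGuard in Felix is cluster-wide but, as I recall Calico documenting it, best-effort per node: traffic to a node without the wireguard package or kernel module — here any host that is not `ansible_os_family == 'Debian'`, since the install is gated on it — goes unencrypted without an error, so a verification step (each Calico node should report a `status.wireguardPublicKey`) would turn the intent into a checked property.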