ansible-collections/kubernetes
2
0
Fork 0
Code Issues 8 Pull Requests 1 Actions Projects Releases 28 Wiki Activity

feat(networking): install and configure wireguard encryption

Browse Source 
by default set to false.

!2 #3
This commit is contained in:
Jon Lockwood
2023-10-29 16:53:00 +09:30
parent 57d268ec3c
commit 60fd25df8e
3 changed files with 38 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
defaults/main.yml
View File

@ -117,6 +117,7 @@ k3s:
# name: k3s-prod # Mandatory, String. Ansible inventory_host that will # name: k3s-prod # Mandatory, String. Ansible inventory_host that will
# # act as the prime master node. # # act as the prime master node.
# networking: # networking:
# encrypt: true # Optional, Boolean. default `false`. Install wireguard for inter-node encryption
# podSubnet: 172.16.70.0/24 # Mandatory, String. CIDR # podSubnet: 172.16.70.0/24 # Mandatory, String. CIDR
# ServiceSubnet: 172.16.72.0/24 # Mandatory, String. CIDR # ServiceSubnet: 172.16.72.0/24 # Mandatory, String. CIDR
# # Mandatory, String. Token to join nodes to the cluster # # Mandatory, String. Token to join nodes to the cluster

11
tasks/k3s.yaml
View File

@ -17,3 +17,14 @@
install_kubernetes | default(true) | bool install_kubernetes | default(true) | bool
and and
not kubernetes_installed | default(false) | bool not kubernetes_installed | default(false) | bool
- name: Wireguard Cluster Encryption
ansible.builtin.include_tasks:
file: k3s/configure.yaml
when: >
install_kubernetes | default(true) | bool
and
not kubernetes_installed | default(false) | bool
and
not kubernetes_installed_encryption | default(false) | bool

26
tasks/k3s/wireguard.yaml Normal file
View File

@ -0,0 +1,26 @@
---
- name: Install Wireguard
ansible.builtin.apt:
name:
- wireguard
update_cache: false
when: >
ansible_os_family == 'Debian'
and
kubernetes.networking.encrypt | default(false) | bool
- name: Enable Cluster Encryption
ansible.builtin.command:
cmd: kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true,"wireguardEnabledV6":true}}'
changed_when: false
when: >
ansible_os_family == 'Debian'
and
kubernetes.networking.encrypt | default(false) | bool
and
kubernetes_config.cluster.prime.name == inventory_hostname
- name: Set Kubernetes Encryption Final Install Fact
ansible.builtin.set_fact:
kubernetes_installed_encryption: true