From 4908775367a657867878111ad7e8a75e5203e492 Mon Sep 17 00:00:00 2001 From: Jon Date: Sat, 28 Oct 2023 16:43:22 +0930 Subject: [PATCH 01/14] fix: dont flush handlers !2 --- tasks/common.yaml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/tasks/common.yaml b/tasks/common.yaml index d3508f6..0c86273 100644 --- a/tasks/common.yaml +++ b/tasks/common.yaml @@ -185,13 +185,6 @@ - containerRegistry -- name: Restart ContainerD if required - meta: flush_handlers - tags: - - install - - containerRegistry - - - name: Install required python modules ansible.builtin.pip: name: kubernetes @@ -295,14 +288,6 @@ - firewall -- name: Apply new firewall rules, if required - meta: flush_handlers - tags: - - install - - iptables - - firewall - - - name: Create local workdir file: path: "{{ item }}" From 7abfb70320419ab1e98666a16453bb1b0a48426e Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 29 Oct 2023 13:40:27 +0930 Subject: [PATCH 02/14] docs: Ansible setup !2 #4 --- .../ansible/roles/kubernetes/index.md | 136 +++++++++++++++++- 1 file changed, 132 insertions(+), 4 deletions(-) diff --git a/docs/projects/ansible/roles/kubernetes/index.md b/docs/projects/ansible/roles/kubernetes/index.md index f9367ed..6dc9b83 100644 --- a/docs/projects/ansible/roles/kubernetes/index.md +++ b/docs/projects/ansible/roles/kubernetes/index.md 
@@ -6,14 +6,142 @@ template: project.html about: https://gitlab.com/nofusscomputing/projects/ansible/roles/kubernetes --- +This Ansible roles purpose is to install and configure Kubernetes with configuration from code. -Expected inventory setup: +## Inventory Setup -- each host has a host_vars file with `ansible_host` defined. _can be either DNS name, IPv4/IPv6 Address_ -- `k3s` host group with all hosts part of this group -- `kubernetes_master` host group with all master nodes part of +There are many ways to layout your inventory within Ansible. To take full advantage of this role the following could be used: + +- A aroup containing all master nodes + +- A group containing all worker nodes + +- a group containing all nodes for a cluster + +- All groups above made a subordinate of a master group + +- variable `ansible_host`. _can be either DNS name, IPv4/IPv6 Address_ + + !!! info Info + The nfc_kubernetes role uses this field for any configuration that requires a hostname. You are strongly encouraged to use DNS name and the DNS name be resolveable for each host accessing to the host in question. Using DNS host name is of paramount importance for a host with dynamic DHCP being used. - variable `Kubernetes_Master` _boolean_ set for all host that are master nodes. - hosts that require Kubernetes API access added to variable `kubernetes_config.cluster.access` + +An example inventory file that would suffice. + +``` yaml +all: + hosts: + localhost: + vars: + ansible_connection: local + children: + + kubernetes: + children: + + k3s: + hosts: + + + k8s: + hosts: + + + kubernetes_cluster: + children: + + kubernetes_cluster_{cluster_name_here}: + hosts: + + + kubernetes_master: + hosts: + + + kubernetes_worker: + hosts: + +``` + +The reasoning for the layout above is: + +- group `kubernetes` used as a selector within playbook or limitor when running a playbook to cover all kubernetes hosts. 
+ +- groups `kubernetes`, `k3s`, `k8s` and `kubernetes_cluster_{cluster_name_here}` used for variable files (`inventory/group_vars/{group_name}.yaml`). with the latter containing all settings for the cluster in question. + +- Hosts are added to ALL groups relevent to them. + + +The following group variable files will also need to be created: + +- `inventory/group_vars/all.yaml` Variables applicable to all hosts + +- `inventory/group_vars/kubernetes.yaml` software versions for kubernetes + +- `inventory/group_vars/kubernetes_cluster_{cluster_name_here}.yaml` cluster configuration + + +## Playbooks Setup + +Whilst there are many ways to skin a cat, using the inventory layout as defined above, with the creation of playbooks as detailed below is a possible solution covering most basis' of using this role. + +playbooks/kubernetes.yaml + +``` yaml +--- +- name: Kubernetes Group and sub-groups + hosts: "{{ groups.kubernetes }}" + gather_facts: true + + roles: [] + + - name: Kubernetes Master + import_playbook: kubernetes/master.yaml + +- name: Kubernetes Worker + import_playbook: kubernetes/worker.yaml +``` + +playbooks/kubernetes/master.yaml +``` yaml +--- +- name: Kubernetes Master Nodes + hosts: "{{ kubernetes_master }}" + gather_facts: true + + roles: + - name: Kubernetes Setup + role: nfc_kubernetes + +``` + +playbooks/kubernetes/worker.yaml +``` yaml +--- +- name: Kubernetes worker Nodes + hosts: "{{ kubernetes_worker }}" + gather_facts: true + + roles: + - name: Kubernetes Setup + role: nfc_kubernetes + +``` + +Running the above playbooks with the inventory setup allows the following and more: + +- Setup Kubernetes on all applicable kubernetes hosts + + > `ansible-playbook -i inventory/production playbooks/kubernetes.yaml` + +- Setup kubernetes cluster `{cluster_name}` + + > `ansible-playbook --limit kubernetes_cluster_{cluster_name_here} -i inventory/production playbooks/kubernetes.yaml` + +- Setup all Kubernetes master nodes, regardless of cluster + + > 
`ansible-playbook --limit kubernetes_master -i inventory/production playbooks/kubernetes.yaml` From 3e785d7db158e41744ad19c4fcab1c11aa23823f Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 29 Oct 2023 13:54:43 +0930 Subject: [PATCH 03/14] docs: added other projects to blurb !2 #4 --- docs/projects/ansible/execution_environment/index.md | 0 docs/projects/ansible/index.md | 0 docs/projects/ansible/playbooks/index.md | 0 docs/projects/ansible/roles/index.md | 0 docs/projects/ansible/roles/kubernetes/index.md | 5 ++--- mkdocs.yml | 12 ++++++++++++ 6 files changed, 14 insertions(+), 3 deletions(-) create mode 100644 docs/projects/ansible/execution_environment/index.md create mode 100644 docs/projects/ansible/index.md create mode 100644 docs/projects/ansible/playbooks/index.md create mode 100644 docs/projects/ansible/roles/index.md diff --git a/docs/projects/ansible/execution_environment/index.md b/docs/projects/ansible/execution_environment/index.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/projects/ansible/index.md b/docs/projects/ansible/index.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/projects/ansible/playbooks/index.md b/docs/projects/ansible/playbooks/index.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/projects/ansible/roles/index.md b/docs/projects/ansible/roles/index.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/projects/ansible/roles/kubernetes/index.md b/docs/projects/ansible/roles/kubernetes/index.md index 6dc9b83..92f55b4 100644 --- a/docs/projects/ansible/roles/kubernetes/index.md +++ b/docs/projects/ansible/roles/kubernetes/index.md 
@@ -1,13 +1,12 @@ --- -title: Kubernetes Ansible Role +title: Kubernetes description: No Fuss Computings Ansible role nfc_kubernetes date: 2023-10-24 template: project.html about: https://gitlab.com/nofusscomputing/projects/ansible/roles/kubernetes --- -This Ansible roles purpose is to install and configure Kubernetes with configuration from code. - +This Ansible roles purpose is to install and configure Kubernetes with configuration from code. You can also use [our playbooks](../../playbooks/index.md) to deploy this role. thsi is especially useful if you are also using [our Ansible Execution Environment](../../execution_environment/index.md) ## Inventory Setup diff --git a/mkdocs.yml b/mkdocs.yml index 602da14..94b3319 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -19,8 +19,20 @@ nav: - Ansible: + - projects/ansible/index.md + + - Execution Environment: + + - projects/ansible/execution_environment/index.md + + - Playbooks: + + - projects/ansible/playbooks/index.md + - Roles: + - projects/ansible/roles/index.md + - Kubernetes: - projects/ansible/roles/kubernetes/index.md From bbfbbedd11ea5b1fde199899b70cd87119e3a989 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 29 Oct 2023 14:50:19 +0930 Subject: [PATCH 04/14] docs: initial docs for rbac !2 #4 --- .../ansible/roles/kubernetes/firewall.md | 2 +- .../projects/ansible/roles/kubernetes/rbac.md | 37 +++++++++++++++++++ mkdocs.yml | 2 + templates/kubernetes-manifest-rbac.yaml.j2 | 12 +++--- 4 files changed, 46 insertions(+), 7 deletions(-) create mode 100644 docs/projects/ansible/roles/kubernetes/rbac.md diff --git a/docs/projects/ansible/roles/kubernetes/firewall.md b/docs/projects/ansible/roles/kubernetes/firewall.md index 0869fee..20fbaf8 100644 --- a/docs/projects/ansible/roles/kubernetes/firewall.md +++ b/docs/projects/ansible/roles/kubernetes/firewall.md 
@@ -1,5 +1,5 @@ --- -title: Firewall - nfc_kubernetes +title: Firewall description: No Fuss Computings Ansible role nfc_kubernetes date: 2023-10-24 template: project.html diff --git a/docs/projects/ansible/roles/kubernetes/rbac.md b/docs/projects/ansible/roles/kubernetes/rbac.md new file mode 100644 index 0000000..adae73f --- /dev/null +++ b/docs/projects/ansible/roles/kubernetes/rbac.md @@ -0,0 +1,37 @@ +--- +title: RBAC +description: No Fuss Computings Ansible role nfc_kubernetes RBAC documentation. +date: 2023-10-29 +template: project.html +about: https://gitlab.com/nofusscomputing/projects/ansible/roles/kubernetes +--- + +As part of this roles workflow, A set of Clester Roles and Cluster Bindings are deployed and ready to use. The intent of these roles is to create a default set of roles that only require the authorization system to provide the users groups. As they have been defined as Cluster Roles you can bind to both cluster and/or namespace. +A minimum access required princible has been adopted in the creation of these roles. With the roles designed to be for whom would access/use the cluster (An End user). + +!!! tip + All Deployed `ClusterRole` include a labels `authorization/description` and `authorization/target` explaining their intended purpose and where they a recommended for binding. + + +Currently the following roles are deployed as part of this Anible role: + +- authorization:namespace:read + + > Full read access to all objects except secrets + +- authorization:full + + > Full read/write access to all objects including secrets + +- authorization:namespace:owner + + > Full read/write access to all objects including secrets + +- authorization:cluster:view-metrics + + > View node and pod metrics + +- **[ToDo-#6](https://gitlab.com/nofusscomputing/projects/ansible/kubernetes/-/issues/6)** authorization:cluster:admin + + > Configure the cluster with this not including anything that can be deployed. + 
diff --git a/mkdocs.yml b/mkdocs.yml index 94b3319..523bc46 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -39,6 +39,8 @@ nav: - projects/ansible/roles/kubernetes/firewall.md + - projects/ansible/roles/kubernetes/rbac.md + - Operations: diff --git a/templates/kubernetes-manifest-rbac.yaml.j2 b/templates/kubernetes-manifest-rbac.yaml.j2 index 5b7d099..7f2cdca 100644 --- a/templates/kubernetes-manifest-rbac.yaml.j2 +++ b/templates/kubernetes-manifest-rbac.yaml.j2 @@ -13,7 +13,7 @@ metadata: app.kubernetes.io/part-of: nfc_kubernetes app.kubernetes.io/managed-by: ansible app.kubernetes.io/version: '' - name: authorization:common:full + name: authorization:full rules: - apiGroups: - "*" @@ -37,7 +37,7 @@ metadata: app.kubernetes.io/part-of: nfc_kubernetes app.kubernetes.io/managed-by: ansible app.kubernetes.io/version: '' - name: authorization:common:namespace:read + name: authorization:namespace:read rules: - apiGroups: # Get Metrics - metrics.k8s.io @@ -88,7 +88,7 @@ metadata: app.kubernetes.io/part-of: nfc_kubernetes app.kubernetes.io/managed-by: ansible app.kubernetes.io/version: '' - name: authorization:common:namespace:owner + name: authorization:namespace:owner rules: - apiGroups: # Read-only access to resrouces - "*" @@ -122,7 +122,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: authorization:common:cluster:view-metrics + name: authorization:cluster:view-metrics rules: - apiGroups: - metrics.k8s.io @@ -144,7 +144,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: authorization:common:namespace:read + name: authorization:namespace:read subjects: - kind: Group name: administrators @@ -163,7 +163,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: authorization:common:cluster:view-metrics + name: authorization:cluster:view-metrics subjects: - apiGroup: rbac.authorization.k8s.io kind: Group From 0f4a02cadd24dc1890e57bba5266f17dd44e9766 Mon Sep 17 00:00:00 2001 
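Review bot: Renaming `metadata.name` on these ClusterRoles and on the `roleRef` of the two ClusterRoleBindings (the `@@ -144` and `@@ -163` hunks) creates new objects but does not remove the previously applied `authorization:common:*` ones from a cluster that already ran the old template; unless the k3s deploy controller prunes objects dropped from a tracked manifest (worth confirming before relying on it), the old `authorization:common:namespace:read` binding for Group `administrators` and the old `view-metrics` binding keep granting access under the old names. Add a one-off cleanup of the old names alongside the rename (a `state: absent` task, or a documented `kubectl delete clusterrole,clusterrolebinding` step), or at least record the migration in the `rbac.md` page added in this commit. Since the later `tasks/k3s/configure.yaml` hunk in this series ships this template through k3s's auto-deploy directory as `/var/lib/rancher/k3s/server/manifests/rbac-authorization-common.yaml`, this affects every cluster the role has already touched.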
From: Jon Date: Sun, 29 Oct 2023 15:35:54 +0930 Subject: [PATCH 05/14] fix(install): restructure and uncommented install steps !2 --- tasks/k3s.yaml | 254 +++------------------------------------ tasks/k3s/configure.yaml | 73 +++++++++++ tasks/k3s/install.yaml | 169 ++++++++++++++++++++++++++ 3 files changed, 258 insertions(+), 238 deletions(-) create mode 100644 tasks/k3s/configure.yaml create mode 100644 tasks/k3s/install.yaml diff --git a/tasks/k3s.yaml b/tasks/k3s.yaml index 44fbdfd..f0843ac 100644 --- a/tasks/k3s.yaml +++ b/tasks/k3s.yaml 
@@ -1,241 +1,19 @@ --- -- name: Install Software - ansible.builtin.include_role: - name: nfc_common - vars: - common_gather_facts: false - aptInstall: - - name: curl - - name: iptables +# kubernetes_installed + +- name: K3s Install + ansible.builtin.include_tasks: + file: k3s/install.yaml + when: > + install_kubernetes | default(true) | bool + and + not kubernetes_installed | default(false) | bool -- name: Create Required directories - ansible.builtin.file: - name: "{{ item.name }}" - state: "{{ item.state }}" - mode: "{{ item.mode }}" - loop: "{{ dirs }}" - vars: - dirs: - - name: /etc/rancher/k3s - state: directory - mode: 700 - - name: /var/lib/rancher/k3s/server/logs - state: directory - mode: 700 - - name: /var/lib/rancher/k3s/server/manifests - state: directory - mode: 700 - - -# - name: Local Container Registry -# ansible.builtin.copy: -# content: | -# # -# # Private Container Registries for Kubernetes -# # -# # Managed By ansible/role/nfc_kubernetes -# # -# # Dont edit this file directly as it will be overwritten. 
-# # - -# {% set registries = kubernetes_private_container_registry | default([]) -%} - -# {% if registries | length > 0 %}mirrors: -# {% for entry in registries %} - -# {{ entry.name }}: -# endpoint: -# - "{{ entry.url }}" - -# {%- endfor %} -# {% endif %} -# dest: /etc/rancher/k3s/registries.yaml -# owner: root -# mode: '700' -# # notify: "restart ContainerD" -# # with_items: "{{ containerd.repositories }}" -# # when: -# # ansible_os_family == 'Debian' -# # and -# # Kubernetes_private_container_registry | default([]) | length > 0 - - -- name: Add sysctl net.ipv4.ip_forward - sysctl: - name: net.ipv4.ip_forward - value: '1' - sysctl_set: true - state: present - reload: true - notify: reboot_host - when: - - ansible_os_family == 'Debian' - # On change reboot - - -- name: Check if K3s Installed - ansible.builtin.shell: - cmd: | - if [[ $(service k3s status) ]]; then exit 0; else exit 1; fi - executable: /bin/bash - changed_when: false - failed_when: false - register: k3s_installed - - -# - name: Download K3s Binary -# ansible.builtin.uri: -# url: "{{ item.url }}" -# method: GET -# return_content: true -# # body: "" -# status_code: -# - 200 -# - 304 -# # headers: -# # App-Token: "{{ glpi.app_token }}" -# # Authorization: "user_token {{ glpi.user_token }}" -# #body_format: json -# # validate_certs: false -# dest: "{{ item.dest }}" -# mode: "744" -# register: k3s_download_files -# delegate_to: localhost -# # no_log: true -# when: ansible_os_family == 'Debian' -# loop: "{{ download_files }}" -# vars: -# ansible_connection: local -# download_files: -# - dest: /tmp/install.sh -# url: https://get.k3s.io -# - dest: "/tmp/k3s" -# url: "https://github.com/k3s-io/k3s/releases/download/v{{ KubernetesVersion + KubernetesVersion_k3s_prefix | urlencode }}/k3s" - - -# - name: "[TRACE] Downloaded File SHA256" -# ansible.builtin.set_fact: -# hash_sha256_k3s_downloaded_binary: "{{ lookup('ansible.builtin.file', '/tmp/k3s') | hash('sha256') | string }}" -# delegate_to: localhost - - -# 
- name: Existing k3s File hash -# ansible.builtin.stat: -# checksum_algorithm: sha256 -# name: /usr/local/bin/k3s -# register: hash_sha256_k3s_existing_binary - - -# - name: Copy K3s binary to Host -# ansible.builtin.copy: -# src: "/tmp/k3s" -# dest: "/usr/local/bin/k3s" -# mode: '740' -# owner: root -# group: root -# when: hash_sha256_k3s_existing_binary.stat.checksum | default('0') != hash_sha256_k3s_downloaded_binary - -# - name: Copy install script to Host -# ansible.builtin.copy: -# src: "/tmp/install.sh" -# dest: "/tmp/install.sh" -# mode: '755' -# owner: root -# group: root -# # when: hash_sha256_k3s_existing_binary.stat.checksum | default('0') != hash_sha256_k3s_downloaded_binary - -- name: Additional config files - ansible.builtin.copy: - content: | - {{ item.content }} - dest: "{{ item.path }}/{{ item.name }}" - mode: '740' - owner: root - group: root - loop: "{{ k3s.files }}" - - -- name: Copy Templates - ansible.builtin.template: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: root - mode: '700' - force: true - notify: "{{ item.notify | default(omit) }}" - loop: "{{ templates_to_apply }}" - vars: - templates_to_apply: - - src: "calico.yaml.j2" - dest: /var/lib/rancher/k3s/server/manifests/calico.yaml - - src: kubernetes-manifest-rbac.yaml.j2 - dest: /var/lib/rancher/k3s/server/manifests/rbac-authorization-common.yaml - # - src: firewall-kubernetes.j2 - # dest: "/etc/network/if-up.d/firewall-kubernetes" - - - src: iptables-kubernetes.rules.j2 - dest: "/etc/iptables.rules.d/iptables-kubernetes.rules" - notify: firewall_reloader - - src: k3s-registries.yaml.j2 - dest: /etc/rancher/k3s/registries.yaml - notify: kubernetes_restart - - src: k3s-config.yaml.j2 - dest: /etc/rancher/k3s/config.yaml - notify: kubernetes_restart - - -# - name: Templates IPv6 -# ansible.builtin.template: -# src: iptables-kubernetes.rules.j2 -# dest: "/etc/ip6tables.rules.d/ip6tables-kubernetes.rules" -# owner: root -# mode: '700' -# force: true -# vars: -# ipv6: true - - 
-- name: Set IPTables to legacy mode - ansible.builtin.command: - cmd: update-alternatives --set iptables /usr/sbin/iptables-legacy - changed_when: false - - -# - name: Server install K3s -# ansible.builtin.shell: -# cmd: | -# # INSTALL_K3S_SKIP_DOWNLOAD=true \ -# # INSTALL_K3S_VERSION="v{{ KubernetesVersion }}{{ KubernetesVersion_k3s_prefix }}" \ -# # /tmp/install.sh -# curl -sfL https://get.k3s.io | \ -# INSTALL_K3S_VERSION="v1.26.9+k3s1" \ -# sh - -# failed_when: false -# # when: > -# # k3s_installed.rc | int == 1 -# # and -# # Kubernetes_Master | default(false) -# when: Kubernetes_Master | default(false) - -# - name: Agent install K3s -# ansible.builtin.shell: -# cmd: | -# INSTALL_K3S_SKIP_DOWNLOAD=true \ -# INSTALL_K3S_VERSION="v{{ KubernetesVersion }}{{ KubernetesVersion_k3s_prefix }}" \ -# K3S_URL=https://{{ hostvars[kubernetes_config.cluster.prime.name].ansible_host }}:6443 \ -# K3S_TOKEN={{ node_token }} \ -# /tmp/install.sh -# when: > -# k3s_installed.rc | int == 1 -# and -# not Kubernetes_Master | default(false) - - -# # - name: Look up AAAA (IPv4) records for example.org -# # ansible.builtin.debug: -# # msg: "{{ query('community.dns.lookup', 'nww-au1.networkedweb.com.', type='A') }}" - -# # - name: Look up AAAA (IPv6) records for example.org -# # ansible.builtin.debug: -# # msg: "{{ query('community.dns.lookup', 'nww-au1.networkedweb.com.', type='AAAA') }}" +- name: K3s Configure + ansible.builtin.include_tasks: + file: k3s/configure.yaml + when: > + install_kubernetes | default(true) | bool + and + not kubernetes_installed | default(false) | bool diff --git a/tasks/k3s/configure.yaml b/tasks/k3s/configure.yaml new file mode 100644 index 0000000..563bf89 --- /dev/null +++ b/tasks/k3s/configure.yaml 
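Review bot: The `K3s Configure` include can never run on the play that performs the install: `k3s/install.yaml` ends with `set_fact: kubernetes_installed: true`, and the Configure task's `when` requires `not kubernetes_installed | default(false) | bool`, so on a fresh host install.yaml runs and configure.yaml is skipped, leaving `/etc/rancher/k3s/config.yaml`, `registries.yaml` and the server manifests unwritten. Guard the configure include on the install switch only: `when: install_kubernetes | default(true) | bool`. Note also that `set_fact` without `cacheable: true` does not survive between runs, so the same guard on `K3s Install` does not stop a re-install on an already-installed host; the `k3s_installed` result registered inside install.yaml is the check that would. The bare `# kubernetes_installed` comment at the top of the file should say what the fact means, e.g. `# kubernetes_installed: set by k3s/install.yaml once the install tasks have completed`.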
@@ -0,0 +1,73 @@ +--- + +- name: Local Container Registry + ansible.builtin.copy: + content: | + # + # Private Container Registries for Kubernetes + # + # Managed By ansible/role/nfc_kubernetes + # + # Dont edit this file directly as it will be overwritten. + # + + {% set registries = kubernetes_private_container_registry | default([]) -%} + + {% if registries | length > 0 %}mirrors: + {% for entry in registries %} + + {{ entry.name }}: + endpoint: + - "{{ entry.url }}" + + {%- endfor %} + {% endif %} + dest: /etc/rancher/k3s/registries.yaml + owner: root + mode: '700' + # notify: "restart ContainerD" + # with_items: "{{ containerd.repositories }}" + # when: + # ansible_os_family == 'Debian' + # and + # Kubernetes_private_container_registry | default([]) | length > 0 + + +- name: Additional config files + ansible.builtin.copy: + content: | + {{ item.content }} + dest: "{{ item.path }}/{{ item.name }}" + mode: '740' + owner: root + group: root + loop: "{{ k3s.files }}" + + +- name: Copy Templates + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + mode: '700' + force: true + notify: "{{ item.notify | default(omit) }}" + loop: "{{ templates_to_apply }}" + vars: + templates_to_apply: + - src: "calico.yaml.j2" + dest: /var/lib/rancher/k3s/server/manifests/calico.yaml + - src: kubernetes-manifest-rbac.yaml.j2 + dest: /var/lib/rancher/k3s/server/manifests/rbac-authorization-common.yaml + # - src: firewall-kubernetes.j2 + # dest: "/etc/network/if-up.d/firewall-kubernetes" + + - src: iptables-kubernetes.rules.j2 + dest: "/etc/iptables.rules.d/iptables-kubernetes.rules" + notify: firewall_reloader + - src: k3s-registries.yaml.j2 + dest: /etc/rancher/k3s/registries.yaml + notify: kubernetes_restart + - src: k3s-config.yaml.j2 + dest: /etc/rancher/k3s/config.yaml + notify: kubernetes_restart diff --git a/tasks/k3s/install.yaml b/tasks/k3s/install.yaml new file mode 100644 index 0000000..b03562c --- /dev/null 
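Review bot: `/etc/rancher/k3s/registries.yaml` is written twice in this file: once by `Local Container Registry` (inline Jinja, `mode: '700'`, no handler) and again by the `k3s-registries.yaml.j2` entry in `Copy Templates`, which notifies `kubernetes_restart`; the second write overwrites the first, so the first task only produces a spurious changed result and, if the two renderings differ, the content that ends up on disk is decided by loop order rather than by intent. Drop the `Local Container Registry` task and keep the templated entry, or vice versa, but not both. `Additional config files` likewise repeats `Required Initial config files` from `k3s/install.yaml` over the same `k3s.files` loop, so each file is copied twice whenever both includes execute in one run.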
+++ b/tasks/k3s/install.yaml 
@@ -0,0 +1,169 @@ +--- +- name: Install Software + ansible.builtin.include_role: + name: nfc_common + vars: + common_gather_facts: false + aptInstall: + - name: curl + - name: iptables + + +- name: Create Required directories + ansible.builtin.file: + name: "{{ item.name }}" + state: "{{ item.state }}" + mode: "{{ item.mode }}" + loop: "{{ dirs }}" + vars: + dirs: + - name: /etc/rancher/k3s + state: directory + mode: 700 + - name: /var/lib/rancher/k3s/server/logs + state: directory + mode: 700 + - name: /var/lib/rancher/k3s/server/manifests + state: directory + mode: 700 + + +- name: Add sysctl net.ipv4.ip_forward + ansible.posix.sysctl: + name: net.ipv4.ip_forward + value: '1' + sysctl_set: true + state: present + reload: true + notify: reboot_host + when: + - ansible_os_family == 'Debian' + # On change reboot + + +- name: Check if K3s Installed + ansible.builtin.shell: + cmd: | + if [[ $(service k3s status) ]]; then exit 0; else exit 1; fi + executable: /bin/bash + changed_when: false + failed_when: false + register: k3s_installed + + +- name: Download K3s Binary + ansible.builtin.uri: + url: "{{ item.url }}" + method: GET + return_content: true + status_code: + - 200 + - 304 + dest: "{{ item.dest }}" + mode: "744" + register: k3s_download_files + delegate_to: localhost + # no_log: true + when: ansible_os_family == 'Debian' + loop: "{{ download_files }}" + vars: + ansible_connection: local + download_files: + - dest: /tmp/install.sh + url: https://get.k3s.io + - dest: "/tmp/k3s" + url: "https://github.com/k3s-io/k3s/releases/download/v{{ KubernetesVersion + KubernetesVersion_k3s_prefix | urlencode }}/k3s" + + +# - name: "[TRACE] Downloaded File SHA256" +# ansible.builtin.set_fact: +# hash_sha256_k3s_downloaded_binary: "{{ lookup('ansible.builtin.file', '/tmp/k3s') | hash('sha256') | string }}" +# delegate_to: localhost + + +# - name: Existing k3s File hash +# ansible.builtin.stat: +# checksum_algorithm: sha256 +# name: /usr/local/bin/k3s +# register: 
hash_sha256_k3s_existing_binary + + +- name: Copy K3s binary to Host + ansible.builtin.copy: + src: "/tmp/k3s" + dest: "/usr/local/bin/k3s" + mode: '740' + owner: root + group: root + when: hash_sha256_k3s_existing_binary.stat.checksum | default('0') != hash_sha256_k3s_downloaded_binary + +- name: Copy install script to Host + ansible.builtin.copy: + src: "/tmp/install.sh" + dest: "/tmp/install.sh" + mode: '755' + owner: root + group: root + # when: hash_sha256_k3s_existing_binary.stat.checksum | default('0') != hash_sha256_k3s_downloaded_binary + +- name: Required Initial config files + ansible.builtin.copy: + content: | + {{ item.content }} + dest: "{{ item.path }}/{{ item.name }}" + mode: '740' + owner: root + group: root + loop: "{{ k3s.files }}" + + +# - name: Templates IPv6 +# ansible.builtin.template: +# src: iptables-kubernetes.rules.j2 +# dest: "/etc/ip6tables.rules.d/ip6tables-kubernetes.rules" +# owner: root +# mode: '700' +# force: true +# vars: +# ipv6: true + + +- name: Set IPTables to legacy mode + ansible.builtin.command: + cmd: update-alternatives --set iptables /usr/sbin/iptables-legacy + changed_when: false + + +- name: Server install K3s + ansible.builtin.shell: + cmd: | + # INSTALL_K3S_SKIP_DOWNLOAD=true \ + # INSTALL_K3S_VERSION="v{{ KubernetesVersion }}{{ KubernetesVersion_k3s_prefix }}" \ + # /tmp/install.sh + curl -sfL https://get.k3s.io | \ + INSTALL_K3S_VERSION="v1.26.9+k3s1" \ + sh - + failed_when: false + # when: > + # k3s_installed.rc | int == 1 + # and + # Kubernetes_Master | default(false) + when: Kubernetes_Master | default(false) | bool + + +- name: Agent install K3s + ansible.builtin.shell: + cmd: | + INSTALL_K3S_SKIP_DOWNLOAD=true \ + INSTALL_K3S_VERSION="v{{ KubernetesVersion }}{{ KubernetesVersion_k3s_prefix }}" \ + K3S_URL=https://{{ hostvars[kubernetes_config.cluster.prime.name].ansible_host }}:6443 \ + K3S_TOKEN={{ node_token }} \ + /tmp/install.sh + when: > + k3s_installed.rc | int == 1 + and + not Kubernetes_Master | 
default(false) | bool + +- name: Set Kubernetes Final Install Fact + ansible.builtin.set_fact: + kubernetes_installed: true From 60392a565c53010faca6c6eda15d2c386133a8f7 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 29 Oct 2023 15:42:35 +0930 Subject: [PATCH 06/14] docs: restructure for seperate role index and ansible setup !2 #4 --- .../ansible/roles/kubernetes/ansible.md | 146 ++++++++++++++++++ .../ansible/roles/kubernetes/index.md | 136 +--------------- mkdocs.yml | 2 + 3 files changed, 154 insertions(+), 130 deletions(-) create mode 100644 docs/projects/ansible/roles/kubernetes/ansible.md diff --git a/docs/projects/ansible/roles/kubernetes/ansible.md b/docs/projects/ansible/roles/kubernetes/ansible.md new file mode 100644 index 0000000..8e28b7b --- /dev/null +++ b/docs/projects/ansible/roles/kubernetes/ansible.md 
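Review bot: `Copy K3s binary to Host` fails before it copies anything: its `when` compares against `hash_sha256_k3s_downloaded_binary`, which is only set by the `[TRACE] Downloaded File SHA256` task that remains commented out (as does `Existing k3s File hash`), so Ansible raises an undefined-variable error on every host that reaches it; restore those two tasks or remove the condition. The server path then never uses the staged files: `Server install K3s` pipes `https://get.k3s.io` straight into `sh` with a hard-coded `INSTALL_K3S_VERSION="v1.26.9+k3s1"` instead of `{{ KubernetesVersion }}{{ KubernetesVersion_k3s_prefix }}` and `/tmp/install.sh`, and `failed_when: false` together with the commented-out `k3s_installed.rc` gate means a failed or repeated install goes unreported. `Agent install K3s` interpolates `K3S_TOKEN={{ node_token }}` into the command text, so the cluster join token is echoed in task output and any collected logs; pass it through `environment:` and set `no_log: true` on that task, as below. Separately, the unquoted `mode: 700` values in `Create Required directories` are YAML integers, which the file module treats as decimal rather than octal; write them as `mode: '0700'`.
```yaml
- name: Server install K3s
  ansible.builtin.shell:
    cmd: |
      INSTALL_K3S_SKIP_DOWNLOAD=true \
      INSTALL_K3S_VERSION="v{{ KubernetesVersion }}{{ KubernetesVersion_k3s_prefix }}" \
      /tmp/install.sh
  when: >
    k3s_installed.rc | int == 1
    and
    Kubernetes_Master | default(false) | bool


- name: Agent install K3s
  ansible.builtin.shell:
    cmd: |
      INSTALL_K3S_SKIP_DOWNLOAD=true \
      INSTALL_K3S_VERSION="v{{ KubernetesVersion }}{{ KubernetesVersion_k3s_prefix }}" \
      K3S_URL=https://{{ hostvars[kubernetes_config.cluster.prime.name].ansible_host }}:6443 \
      /tmp/install.sh
  environment:
    K3S_TOKEN: "{{ node_token }}"
  no_log: true
  # … unchanged: when …
```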
@@ -0,0 +1,146 @@ +--- +title: Ansible +description: No Fuss Computings Ansible role nfc_kubernetes Ansible docs +date: 2023-10-24 +template: project.html +about: https://gitlab.com/nofusscomputing/projects/ansible/roles/kubernetes +--- + +This page intends to describe/explain the setup of ansible for this role. + +## Inventory Setup + +There are many ways to layout your inventory within Ansible. To take full advantage of this role the following could be used: + +- A aroup containing all master nodes + +- A group containing all worker nodes + +- a group containing all nodes for a cluster + +- All groups above made a subordinate of a master group + +- variable `ansible_host`. _can be either DNS name, IPv4/IPv6 Address_ + + !!! info Info + The nfc_kubernetes role uses this field for any configuration that requires a hostname. You are strongly encouraged to use DNS name and the DNS name be resolveable for each host accessing to the host in question. Using DNS host name is of paramount importance for a host with dynamic DHCP being used. + +- variable `Kubernetes_Master` _boolean_ set for all host that are master nodes. + +- hosts that require Kubernetes API access added to variable `kubernetes_config.cluster.access` + +An example inventory file that would suffice. + +``` yaml +all: + hosts: + localhost: + vars: + ansible_connection: local + children: + + kubernetes: + children: + + k3s: + hosts: + + + k8s: + hosts: + + + kubernetes_cluster: + children: + + kubernetes_cluster_{cluster_name_here}: + hosts: + + + kubernetes_master: + hosts: + + + kubernetes_worker: + hosts: + +``` + +The reasoning for the layout above is: + +- group `kubernetes` used as a selector within playbook or limitor when running a playbook to cover all kubernetes hosts. + +- groups `kubernetes`, `k3s`, `k8s` and `kubernetes_cluster_{cluster_name_here}` used for variable files (`inventory/group_vars/{group_name}.yaml`). with the latter containing all settings for the cluster in question. 
+ +- Hosts are added to ALL groups relevent to them. + + +The following group variable files will also need to be created: + +- `inventory/group_vars/all.yaml` Variables applicable to all hosts + +- `inventory/group_vars/kubernetes.yaml` software versions for kubernetes + +- `inventory/group_vars/kubernetes_cluster_{cluster_name_here}.yaml` cluster configuration + + +## Playbooks Setup + +Whilst there are many ways to skin a cat, using the inventory layout as defined above, with the creation of playbooks as detailed below is a possible solution covering most basis' of using this role. + +playbooks/kubernetes.yaml + +``` yaml +--- +- name: Kubernetes Group and sub-groups + hosts: "{{ groups.kubernetes }}" + gather_facts: true + + roles: [] + + - name: Kubernetes Master + import_playbook: kubernetes/master.yaml + +- name: Kubernetes Worker + import_playbook: kubernetes/worker.yaml +``` + +playbooks/kubernetes/master.yaml +``` yaml +--- +- name: Kubernetes Master Nodes + hosts: "{{ kubernetes_master }}" + gather_facts: true + + roles: + - name: Kubernetes Setup + role: nfc_kubernetes + +``` + +playbooks/kubernetes/worker.yaml +``` yaml +--- +- name: Kubernetes worker Nodes + hosts: "{{ kubernetes_worker }}" + gather_facts: true + + roles: + - name: Kubernetes Setup + role: nfc_kubernetes + +``` + +Running the above playbooks with the inventory setup allows the following and more: + +- Setup Kubernetes on all applicable kubernetes hosts + + > `ansible-playbook -i inventory/production playbooks/kubernetes.yaml` + +- Setup kubernetes cluster `{cluster_name}` + + > `ansible-playbook --limit kubernetes_cluster_{cluster_name_here} -i inventory/production playbooks/kubernetes.yaml` + +- Setup all Kubernetes master nodes, regardless of cluster + + > `ansible-playbook --limit kubernetes_master -i inventory/production playbooks/kubernetes.yaml` 
diff --git a/docs/projects/ansible/roles/kubernetes/index.md b/docs/projects/ansible/roles/kubernetes/index.md index 92f55b4..7c8353f 100644 --- a/docs/projects/ansible/roles/kubernetes/index.md +++ b/docs/projects/ansible/roles/kubernetes/index.md 
@@ -6,141 +6,17 @@ template: project.html about: https://gitlab.com/nofusscomputing/projects/ansible/roles/kubernetes --- -This Ansible roles purpose is to install and configure Kubernetes with configuration from code. You can also use [our playbooks](../../playbooks/index.md) to deploy this role. thsi is especially useful if you are also using [our Ansible Execution Environment](../../execution_environment/index.md) - -## Inventory Setup - -There are many ways to layout your inventory within Ansible. To take full advantage of this role the following could be used: - -- A aroup containing all master nodes - -- A group containing all worker nodes - -- a group containing all nodes for a cluster - -- All groups above made a subordinate of a master group - -- variable `ansible_host`. _can be either DNS name, IPv4/IPv6 Address_ - - !!! info Info - The nfc_kubernetes role uses this field for any configuration that requires a hostname. You are strongly encouraged to use DNS name and the DNS name be resolveable for each host accessing to the host in question. Using DNS host name is of paramount importance for a host with dynamic DHCP being used. - -- variable `Kubernetes_Master` _boolean_ set for all host that are master nodes. - -- hosts that require Kubernetes API access added to variable `kubernetes_config.cluster.access` - -An example inventory file that would suffice. - -``` yaml -all: - hosts: - localhost: - vars: - ansible_connection: local - children: - - kubernetes: - children: - - k3s: - hosts: +This Ansible roles purpose is to install and configure Kubernetes with configuration from code. You can also use [our playbooks](../../playbooks/index.md) to deploy using this role. 
this is especially useful if you are also using [our Ansible Execution Environment](../../execution_environment/index.md) - k8s: - hosts: +## Features - kubernetes_cluster: - children: - - kubernetes_cluster_{cluster_name_here}: - hosts: +## Default Variables - kubernetes_master: - hosts: +``` yaml title="defaults/main.yaml" linenums="1" +--8<-- "defaults/main.yaml" - kubernetes_worker: - hosts: - -``` - -The reasoning for the layout above is: - -- group `kubernetes` used as a selector within playbook or limitor when running a playbook to cover all kubernetes hosts. - -- groups `kubernetes`, `k3s`, `k8s` and `kubernetes_cluster_{cluster_name_here}` used for variable files (`inventory/group_vars/{group_name}.yaml`). with the latter containing all settings for the cluster in question. - -- Hosts are added to ALL groups relevent to them. - - -The following group variable files will also need to be created: - -- `inventory/group_vars/all.yaml` Variables applicable to all hosts - -- `inventory/group_vars/kubernetes.yaml` software versions for kubernetes - -- `inventory/group_vars/kubernetes_cluster_{cluster_name_here}.yaml` cluster configuration - - -## Playbooks Setup - -Whilst there are many ways to skin a cat, using the inventory layout as defined above, with the creation of playbooks as detailed below is a possible solution covering most basis' of using this role. 
- -playbooks/kubernetes.yaml - -``` yaml ---- -- name: Kubernetes Group and sub-groups - hosts: "{{ groups.kubernetes }}" - gather_facts: true - - roles: [] - - - name: Kubernetes Master - import_playbook: kubernetes/master.yaml - -- name: Kubernetes Worker - import_playbook: kubernetes/worker.yaml -``` - -playbooks/kubernetes/master.yaml -``` yaml ---- -- name: Kubernetes Master Nodes - hosts: "{{ kubernetes_master }}" - gather_facts: true - - roles: - - name: Kubernetes Setup - role: nfc_kubernetes - -``` - -playbooks/kubernetes/worker.yaml -``` yaml ---- -- name: Kubernetes worker Nodes - hosts: "{{ kubernetes_worker }}" - gather_facts: true - - roles: - - name: Kubernetes Setup - role: nfc_kubernetes - -``` - -Running the above playbooks with the inventory setup allows the following and more: - -- Setup Kubernetes on all applicable kubernetes hosts - - > `ansible-playbook -i inventory/production playbooks/kubernetes.yaml` - -- Setup kubernetes cluster `{cluster_name}` - - > `ansible-playbook --limit kubernetes_cluster_{cluster_name_here} -i inventory/production playbooks/kubernetes.yaml` - -- Setup all Kubernetes master nodes, regardless of cluster - - > `ansible-playbook --limit kubernetes_master -i inventory/production playbooks/kubernetes.yaml` +``` \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 523bc46..80b3705 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -37,6 +37,8 @@ nav: - projects/ansible/roles/kubernetes/index.md + - projects/ansible/roles/kubernetes/ansible.md + - projects/ansible/roles/kubernetes/firewall.md - projects/ansible/roles/kubernetes/rbac.md From b69d5b8a358e6b024b0afda819af0082c0b87a48 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 29 Oct 2023 15:57:22 +0930 Subject: [PATCH 07/14] docs: feature list !2 #4 --- docs/projects/ansible/roles/kubernetes/index.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) 
diff --git a/docs/projects/ansible/roles/kubernetes/index.md b/docs/projects/ansible/roles/kubernetes/index.md
index 7c8353f..14b5a17 100644
--- a/docs/projects/ansible/roles/kubernetes/index.md
+++ b/docs/projects/ansible/roles/kubernetes/index.md
@@ -11,6 +11,22 @@ This Ansible roles purpose is to install and configure Kubernetes with configura
 ## Features
+This role deploys a K3s cluster. In addition it has the following features:
+
+- CNI Setup
+
+- Configurable Container Registries
+
+- _[ToDo-#3](https://gitlab.com/nofusscomputing/projects/ansible/kubernetes/-/issues/3)_ Encryption between nodes (Wireguard)
+
+- [Firewall configured for kubernetes host](firewall.md)
+
+- _[ToDo-#2](https://gitlab.com/nofusscomputing/projects/ansible/kubernetes/-/issues/2)_ Multi-node Deployment
+
+- [Basic RBAC `ClusterRoles` and Bindings](rbac.md)
+
+- _[ToDo-#5](https://gitlab.com/nofusscomputing/projects/ansible/kubernetes/-/issues/5)_ Restore backup on fresh install of a cluster
+
 ## Default Variables
From 93897ea7d5d8e11725aa1c285fac64388215d00b Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 29 Oct 2023 15:58:00 +0930 Subject: [PATCH 08/14] refactor: moved config file deploy to be part of install tasks they are required to install k2s !2 --- tasks/k3s/configure.yaml | 5 +++-- tasks/k3s/install.yaml | 15 +++++++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/tasks/k3s/configure.yaml b/tasks/k3s/configure.yaml
index 563bf89..abe54a8 100644
--- a/tasks/k3s/configure.yaml
+++ b/tasks/k3s/configure.yaml
@@ -57,17 +57,18 @@ templates_to_apply: - src: "calico.yaml.j2" dest: /var/lib/rancher/k3s/server/manifests/calico.yaml + - src: kubernetes-manifest-rbac.yaml.j2 dest: /var/lib/rancher/k3s/server/manifests/rbac-authorization-common.yaml - # - src: firewall-kubernetes.j2 - # dest: "/etc/network/if-up.d/firewall-kubernetes" - src: iptables-kubernetes.rules.j2 dest: "/etc/iptables.rules.d/iptables-kubernetes.rules" notify: firewall_reloader + - src: k3s-registries.yaml.j2 dest: /etc/rancher/k3s/registries.yaml notify: kubernetes_restart + - src: k3s-config.yaml.j2 dest: /etc/rancher/k3s/config.yaml notify: kubernetes_restart
diff --git a/tasks/k3s/install.yaml b/tasks/k3s/install.yaml
index b03562c..a4038f8 100644
--- a/tasks/k3s/install.yaml
+++ b/tasks/k3s/install.yaml
@@ -117,6 +117,21 @@
 loop: "{{ k3s.files }}"
+- name: Copy Intial required templates
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ mode: '700'
+ force: true
+ notify: "{{ item.notify | default(omit) }}"
+ loop: "{{ templates_to_apply }}"
+ vars:
+ templates_to_apply:
+ - src: k3s-config.yaml.j2
+ dest: /etc/rancher/k3s/config.yaml
+ notify: kubernetes_restart
+
 # - name: Templates IPv6
 # ansible.builtin.template:
 # src: iptables-kubernetes.rules.j2
From 57d268ec3cd990ea21979cbafe7421a0af04ea91 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 29 Oct 2023 16:06:13 +0930 Subject: [PATCH 09/14] fix(install): config files only required for prime master !2 --- tasks/k3s/install.yaml | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/tasks/k3s/install.yaml b/tasks/k3s/install.yaml
index a4038f8..5abeda5 100644
--- a/tasks/k3s/install.yaml
+++ b/tasks/k3s/install.yaml
@@ -115,6 +115,8 @@
 owner: root
 group: root
 loop: "{{ k3s.files }}"
+ when: >
+ kubernetes_config.cluster.prime.name == inventory_hostname
 - name: Copy Intial required templates
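Review bot: `mode: '700'` on the new "Copy Intial required templates" task gives `/etc/rancher/k3s/config.yaml` an execute bit that a data file does not need; `mode: '0600'` keeps it owner-readable only (it likely carries the cluster join token, judging by the defaults shown further down this page), and adding `group: root` beside `owner: root` pins group ownership the way the `k3s.files` copy task above does. The same template is still rendered by tasks/k3s/configure.yaml (previous hunk, same `kubernetes_restart` notify); if the two tasks' mode or owner settings ever differ, the file will flip on every run and re-fire the restart handler, so keep the attributes identical or render it in one place only. Also "Intial" should read "Initial" in the task name.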
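Review bot: A single-expression conditional does not need a folded block scalar; `when: kubernetes_config.cluster.prime.name == inventory_hostname` reads the same and avoids the trailing newline that `>` leaves in the templated string. The same applies to this commit's second hunk (`@@ -131,6 +133,8 @@`). The task being guarded here (`loop: "{{ k3s.files }}"`) starts outside the hunk.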
@@ -131,6 +133,8 @@ - src: k3s-config.yaml.j2 dest: /etc/rancher/k3s/config.yaml notify: kubernetes_restart
+ when: >
+ kubernetes_config.cluster.prime.name == inventory_hostname
 # - name: Templates IPv6
 # ansible.builtin.template:
From 60fd25df8ec897e74c164d9cc0e49ed07d002d0e Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 29 Oct 2023 16:53:00 +0930 Subject: [PATCH 10/14] feat(networking): install and configure wireguard encryption by default set to false. !2 #3 --- defaults/main.yml | 1 + tasks/k3s.yaml | 11 +++++++++++ tasks/k3s/wireguard.yaml | 26 ++++++++++++++++++++++++++ 3 files changed, 38 insertions(+) create mode 100644 tasks/k3s/wireguard.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index 4fb8f8c..5fd19b4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -117,6 +117,7 @@ k3s:
 # name: k3s-prod # Mandatory, String. Ansible inventory_host that will
 # # act as the prime master node.
 # networking:
+# encrypt: true # Optional, Boolean. default `false`. Install wireguard for inter-node encryption
 # podSubnet: 172.16.70.0/24 # Mandatory, String. CIDR
 # ServiceSubnet: 172.16.72.0/24 # Mandatory, String. CIDR
 # # Mandatory, String. Token to join nodes to the cluster
diff --git a/tasks/k3s.yaml b/tasks/k3s.yaml
index f0843ac..f0e4223 100644
--- a/tasks/k3s.yaml
+++ b/tasks/k3s.yaml
@@ -17,3 +17,14 @@
 install_kubernetes | default(true) | bool
 and
 not kubernetes_installed | default(false) | bool
+
+
+- name: Wireguard Cluster Encryption
+ ansible.builtin.include_tasks:
+ file: k3s/configure.yaml
+ when: >
+ install_kubernetes | default(true) | bool
+ and
+ not kubernetes_installed | default(false) | bool
+ and
+ not kubernetes_installed_encryption | default(false) | bool
diff --git a/tasks/k3s/wireguard.yaml b/tasks/k3s/wireguard.yaml
new file mode 100644
index 0000000..aa0adfb
--- /dev/null
+++ b/tasks/k3s/wireguard.yaml
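Review bot: The new "Wireguard Cluster Encryption" task includes `k3s/configure.yaml` rather than the `k3s/wireguard.yaml` file this same commit creates, and its `not kubernetes_installed | default(false) | bool` guard admits only hosts where Kubernetes is not yet installed, which is the opposite of what enabling encryption on a running cluster needs; as written it would include the configure tasks a second time on not-yet-installed hosts and never reach the WireGuard tasks. Both lines are corrected later in this series (the `tasks/k3s.yaml` hunk of PATCH 13 further down the page), i.e. `file: k3s/wireguard.yaml` and `kubernetes_installed | default(false) | bool`; squashing that correction into this commit would avoid a revision in history where the feature cannot run.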
@@ -0,0 +1,26 @@
+---
+- name: Install Wireguard
+ ansible.builtin.apt:
+ name:
+ - wireguard
+ update_cache: false
+ when: >
+ ansible_os_family == 'Debian'
+ and
+ kubernetes.networking.encrypt | default(false) | bool
+
+
+- name: Enable Cluster Encryption
+ ansible.builtin.command:
+ cmd: kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true,"wireguardEnabledV6":true}}'
+ changed_when: false
+ when: >
+ ansible_os_family == 'Debian'
+ and
+ kubernetes.networking.encrypt | default(false) | bool
+ and
+ kubernetes_config.cluster.prime.name == inventory_hostname
+
+- name: Set Kubernetes Encryption Final Install Fact
+ ansible.builtin.set_fact:
+ kubernetes_installed_encryption: true
From c3843ddef0a6d4f885a989675b79ac5861e21138 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 29 Oct 2023 16:53:19 +0930 Subject: [PATCH 11/14] docs: role workflow !2 #4 --- .../ansible/roles/kubernetes/index.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+)
diff --git a/docs/projects/ansible/roles/kubernetes/index.md b/docs/projects/ansible/roles/kubernetes/index.md
index 14b5a17..c2b1d6c 100644
--- a/docs/projects/ansible/roles/kubernetes/index.md
+++ b/docs/projects/ansible/roles/kubernetes/index.md
@@ -28,6 +28,25 @@ This role deploys a K3s cluster. In addition it has the following features: - _[ToDo-#5](https://gitlab.com/nofusscomputing/projects/ansible/kubernetes/-/issues/5)_ Restore backup on fresh install of a cluster
+## Role Workflow
+
+The roles workflow is as follows
+
+1. Download both install script and k3s binary to ansible controller
+
+1. copy install script and k3s binary to host
+
+1. Create required config files needed for installation
+
+1. _(kubernetes prime only)_ Add install required config files
+
+1. Install kubernetes
+
+1. Configure Kubernetes
+
+If the playbook is setup as per [our recommendation](ansible.md) step 2 onwards is first done on master nodes then worker nodes.
+
+
 ## Default Variables
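Review bot: "Enable Cluster Encryption" sends `kubectl patch felixconfiguration …` on every run with `changed_when: false`, so the play never reports the cluster-wide networking change and cannot distinguish the first enable from a no-op; reading `spec.wireguardEnabled` first and patching only when it is not already `true` keeps the task idempotent and makes the change visible in play output. "Install Wireguard" is gated on `ansible_os_family == 'Debian'` while the cluster-level enable is not tied to every node having the package, so a non-Debian node is silently skipped although encryption is switched on for the whole cluster; an `ansible.builtin.fail` when `encrypt` is true on an unsupported OS family would surface that gap (as I recall, Calico sends traffic for nodes without WireGuard unencrypted — worth confirming against its documentation). Note also that the final `set_fact` records `kubernetes_installed_encryption: true` even when both preceding tasks were skipped. The guarded form of the patch task:

```yaml
- name: Read current Felix WireGuard setting
  ansible.builtin.command:
    cmd: kubectl get felixconfiguration default -o jsonpath='{.spec.wireguardEnabled}'
  changed_when: false
  register: felix_wireguard
  # … unchanged: the OS-family and encrypt conditions of the original when clause, plus …
  when: >
    kubernetes_config.cluster.prime.name == inventory_hostname

- name: Enable Cluster Encryption
  ansible.builtin.command:
    cmd: kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true,"wireguardEnabledV6":true}}'
  # … unchanged: the OS-family and encrypt conditions of the original when clause, plus …
  when: >
    kubernetes_config.cluster.prime.name == inventory_hostname
    and
    felix_wireguard.stdout | default('') != 'true'
```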
From 8272b2507b298ccec05e6dbaa2a526b5136b8d2d Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 29 Oct 2023 17:09:41 +0930 Subject: [PATCH 12/14] fix: uncommented hash tasks as they are required !2 --- tasks/k3s/install.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/tasks/k3s/install.yaml b/tasks/k3s/install.yaml
index 5abeda5..f28d4cc 100644
--- a/tasks/k3s/install.yaml
+++ b/tasks/k3s/install.yaml
@@ -75,17 +75,17 @@
 url: "https://github.com/k3s-io/k3s/releases/download/v{{ KubernetesVersion + KubernetesVersion_k3s_prefix | urlencode }}/k3s"
-# - name: "[TRACE] Downloaded File SHA256"
-# ansible.builtin.set_fact:
-# hash_sha256_k3s_downloaded_binary: "{{ lookup('ansible.builtin.file', '/tmp/k3s') | hash('sha256') | string }}"
-# delegate_to: localhost
+- name: "[TRACE] Downloaded File SHA256"
+ ansible.builtin.set_fact:
+ hash_sha256_k3s_downloaded_binary: "{{ lookup('ansible.builtin.file', '/tmp/k3s') | hash('sha256') | string }}"
+ delegate_to: localhost
-# - name: Existing k3s File hash
-# ansible.builtin.stat:
-# checksum_algorithm: sha256
-# name: /usr/local/bin/k3s
-# register: hash_sha256_k3s_existing_binary
+- name: Existing k3s File hash
+ ansible.builtin.stat:
+ checksum_algorithm: sha256
+ name: /usr/local/bin/k3s
+ register: hash_sha256_k3s_existing_binary
 - name: Copy K3s binary to Host
From 9ac52ee165fd364c7091ab3f1e14df365270f532 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 29 Oct 2023 17:10:10 +0930 Subject: [PATCH 13/14] fix(k3s): use correct variables in conditional clauses !2 --- tasks/k3s.yaml | 8 +++++--- tasks/k3s/wireguard.yaml | 8 ++------ 2 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/tasks/k3s.yaml b/tasks/k3s.yaml
index f0e4223..51f028f 100644
--- a/tasks/k3s.yaml
+++ b/tasks/k3s.yaml
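Review bot: "[TRACE] Downloaded File SHA256" derives its digest via `lookup('ansible.builtin.file', '/tmp/k3s')`, which reads the file as text and, with the lookup's default `rstrip`, drops trailing whitespace bytes, so the value is not guaranteed to equal the binary's real SHA-256 and a comparison against `hash_sha256_k3s_existing_binary` (a proper file checksum from `stat`) can disagree for a byte-identical binary; it also pulls the whole binary into controller memory as a string. The robust form mirrors the second task: `ansible.builtin.stat` with `checksum_algorithm: sha256` on `/tmp/k3s`, `delegate_to: localhost` and `register`, then read `.stat.checksum`. Separately, neither digest checks the download against what the project publishes; the `get_url` task that fetches `/tmp/k3s` (its start is outside this hunk) would benefit from `checksum: "sha256:<url-of-the-release-sha256sum-asset>"` so a truncated or tampered download is rejected on the controller before it is ever copied to a host.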
@@ -16,15 +16,17 @@
 when: >
 install_kubernetes | default(true) | bool
 and
- not kubernetes_installed | default(false) | bool
+ kubernetes_installed | default(false) | bool
 - name: Wireguard Cluster Encryption
 ansible.builtin.include_tasks:
- file: k3s/configure.yaml
+ file: k3s/wireguard.yaml
 when: >
 install_kubernetes | default(true) | bool
 and
- not kubernetes_installed | default(false) | bool
+ kubernetes_installed | default(false) | bool
 and
 not kubernetes_installed_encryption | default(false) | bool
+ and
+ kubernetes_config.cluster.networking.encrypt | default(false) | bool
diff --git a/tasks/k3s/wireguard.yaml b/tasks/k3s/wireguard.yaml
index aa0adfb..2effdc6 100644
--- a/tasks/k3s/wireguard.yaml
+++ b/tasks/k3s/wireguard.yaml
@@ -6,8 +6,8 @@
 update_cache: false
 when: >
 ansible_os_family == 'Debian'
- and
- kubernetes.networking.encrypt | default(false) | bool
+ # and
+ # kubernetes.networking.encrypt | default(false) | bool
 - name: Enable Cluster Encryption
@@ -15,10 +15,6 @@
 cmd: kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true,"wireguardEnabledV6":true}}'
 changed_when: false
 when: >
- ansible_os_family == 'Debian'
- and
- kubernetes.networking.encrypt | default(false) | bool
- and
 kubernetes_config.cluster.prime.name == inventory_hostname
 - name: Set Kubernetes Encryption Final Install Fact
From 779be0200e71956a3125332d57ac6e0dc7a4914a Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 29 Oct 2023 17:10:47 +0930 Subject: [PATCH 14/14] docs: add to feature list openid !2 --- docs/projects/ansible/roles/kubernetes/index.md | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/docs/projects/ansible/roles/kubernetes/index.md b/docs/projects/ansible/roles/kubernetes/index.md
index c2b1d6c..8a2fba6 100644
--- a/docs/projects/ansible/roles/kubernetes/index.md
+++ b/docs/projects/ansible/roles/kubernetes/index.md
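Review bot: The two `# and` / `# kubernetes.networking.encrypt | default(false) | bool` lines added to the "Install Wireguard" task sit inside a `when: >` folded block scalar, where `#` does not begin a comment; the folded value becomes the single string `ansible_os_family == 'Debian' # and # kubernetes.networking.encrypt | default(false) | bool`, which Jinja is likely to reject as a syntax error when the conditional is templated, so the task fails instead of being gated on Debian only. Delete the two lines so the clause reads `when: ansible_os_family == 'Debian'`; the next hunk in this file (`@@ -15,10 +15,6 @@`) removes its superseded conditions outright, which is the right approach here as well.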
@@ -23,6 +23,8 @@ This role deploys a K3s cluster. In addition it has the following features: - _[ToDo-#2](https://gitlab.com/nofusscomputing/projects/ansible/kubernetes/-/issues/2)_ Multi-node Deployment
+- OpenID Connect SSO Authentication
+
 - [Basic RBAC `ClusterRoles` and Bindings](rbac.md) - _[ToDo-#5](https://gitlab.com/nofusscomputing/projects/ansible/kubernetes/-/issues/5)_ Restore backup on fresh install of a cluster