365 lines
9.7 KiB
YAML
365 lines
9.7 KiB
YAML
---
|
|
- name: Install Software
|
|
ansible.builtin.include_role:
|
|
name: nfc_common
|
|
vars:
|
|
common_gather_facts: false
|
|
aptInstall:
|
|
- name: curl
|
|
- name: iptables
|
|
- name: jq
|
|
- name: wireguard
|
|
|
|
|
|
- name: Remove swapfile from /etc/fstab
|
|
mount:
|
|
name: "{{ item }}"
|
|
fstype: swap
|
|
state: absent
|
|
with_items:
|
|
- swap
|
|
- none
|
|
when:
|
|
- ansible_os_family == 'Debian' # ansible_lsb.codename = bullseye, ansible_lsb.major_release = 11
|
|
tags:
|
|
- install
|
|
|
|
|
|
- name: Disable swap
|
|
command: swapoff -a
|
|
changed_when: false
|
|
when:
|
|
#- ansible_swaptotal_mb > 0
|
|
- ansible_os_family == 'Debian'
|
|
tags:
|
|
- install
|
|
|
|
- name: Check an armbian os system
|
|
stat:
|
|
path: /etc/default/armbian-zram-config
|
|
register: armbian_stat_result
|
|
|
|
|
|
- name: Armbian Disable Swap
|
|
ansible.builtin.shell:
|
|
cmd: |
|
|
sed -i 's/\# SWAP=false/SWAP=false/g' /etc/default/armbian-zram-config;
|
|
sed -i 's/ENABLED=true/ENABLED=false/g' /etc/default/armbian-zram-config;
|
|
args:
|
|
executable: bash
|
|
changed_when: false
|
|
# failed_when: false
|
|
#notify: RebootHost # doesnt need to reboot as swapoff -a covers the deployment
|
|
when: armbian_stat_result.stat.exists
|
|
|
|
|
|
- name: Create Required directories
|
|
ansible.builtin.file:
|
|
name: "{{ item.name }}"
|
|
state: "{{ item.state }}"
|
|
mode: "{{ item.mode }}"
|
|
loop: "{{ dirs }}"
|
|
vars:
|
|
dirs:
|
|
- name: /etc/rancher/k3s
|
|
state: directory
|
|
mode: 700
|
|
- name: /var/lib/rancher/k3s/server/logs
|
|
state: directory
|
|
mode: 700
|
|
- name: /var/lib/rancher/k3s/server/manifests
|
|
state: directory
|
|
mode: 700
|
|
|
|
|
|
- name: Add sysctl net.ipv4.ip_forward
|
|
ansible.posix.sysctl:
|
|
name: net.ipv4.ip_forward
|
|
value: '1'
|
|
sysctl_set: true
|
|
state: present
|
|
reload: true
|
|
notify: reboot_host
|
|
when:
|
|
- ansible_os_family == 'Debian'
|
|
# On change reboot
|
|
|
|
|
|
- name: Check if K3s Installed
|
|
ansible.builtin.shell:
|
|
cmd: |
|
|
if [[ $(service k3s status) ]]; then exit 0; else exit 1; fi
|
|
executable: /bin/bash
|
|
changed_when: false
|
|
failed_when: false
|
|
register: k3s_installed
|
|
|
|
|
|
- name: Check Machine Architecture
|
|
ansible.builtin.set_fact:
|
|
nfc_kubernetes_install_architectures: "{{ nfc_kubernetes_install_architectures | default({}) | combine({ansible_architecture: ''}) }}"
|
|
|
|
|
|
- name: Download Install Scripts
|
|
ansible.builtin.uri:
|
|
url: "{{ item.url }}"
|
|
method: GET
|
|
return_content: true
|
|
status_code:
|
|
- 200
|
|
- 304
|
|
dest: "{{ item.dest }}"
|
|
mode: "744"
|
|
register: k3s_download_script
|
|
delegate_to: localhost
|
|
run_once: true
|
|
# no_log: true
|
|
when: ansible_os_family == 'Debian'
|
|
loop: "{{ download_files }}"
|
|
vars:
|
|
ansible_connection: local
|
|
download_files:
|
|
- dest: /tmp/install.sh
|
|
url: https://get.k3s.io
|
|
- dest: /tmp/install_olm.sh
|
|
url: https://raw.githubusercontent.com/operator-framework/operator-lifecycle-manager/v{{ kubernetes_version_olm }}/scripts/install.sh
|
|
|
|
|
|
- name: Download K3s Binary
|
|
ansible.builtin.uri:
|
|
url: |-
|
|
https://github.com/k3s-io/k3s/releases/download/v
|
|
{{- KubernetesVersion + KubernetesVersion_k3s_prefix | urlencode -}}
|
|
/k3s
|
|
{%- if cpu_arch.key == 'aarch64' -%}
|
|
-arm64
|
|
{%- endif %}
|
|
method: GET
|
|
return_content: false
|
|
status_code:
|
|
- 200
|
|
- 304
|
|
dest: "/tmp/k3s.{{ cpu_arch.key }}"
|
|
mode: "744"
|
|
register: k3s_download_files
|
|
delegate_to: localhost
|
|
run_once: true
|
|
# no_log: true
|
|
when: ansible_os_family == 'Debian'
|
|
loop: "{{ nfc_kubernetes_install_architectures | dict2items }}"
|
|
loop_control:
|
|
loop_var: cpu_arch
|
|
vars:
|
|
ansible_connection: local
|
|
|
|
|
|
- name: "[TRACE] Downloaded File SHA256"
|
|
ansible.builtin.set_fact:
|
|
hash_sha256_k3s_downloaded_binary: "{{ lookup('ansible.builtin.file', '/tmp/k3s.' + cpu_arch.key) | hash('sha256') | string }}"
|
|
delegate_to: localhost
|
|
loop: "{{ nfc_kubernetes_install_architectures | dict2items }}"
|
|
loop_control:
|
|
loop_var: cpu_arch
|
|
|
|
|
|
- name: Existing k3s File hash
|
|
ansible.builtin.stat:
|
|
checksum_algorithm: sha256
|
|
name: /usr/local/bin/k3s
|
|
register: hash_sha256_k3s_existing_binary
|
|
|
|
|
|
- name: Copy K3s binary to Host
|
|
ansible.builtin.copy:
|
|
src: "/tmp/k3s.{{ ansible_architecture }}"
|
|
dest: "/usr/local/bin/k3s"
|
|
mode: '740'
|
|
owner: root
|
|
group: root
|
|
when: hash_sha256_k3s_existing_binary.stat.checksum | default('0') != hash_sha256_k3s_downloaded_binary
|
|
|
|
- name: Copy install scripts to Host
|
|
ansible.builtin.copy:
|
|
src: "{{ item }}"
|
|
dest: "{{ item }}"
|
|
mode: '755'
|
|
owner: root
|
|
group: root
|
|
loop: "{{ install_scripts }}"
|
|
vars:
|
|
install_scripts:
|
|
- "/tmp/install.sh"
|
|
- "/tmp/install_olm.sh"
|
|
# when: hash_sha256_k3s_existing_binary.stat.checksum | default('0') != hash_sha256_k3s_downloaded_binary
|
|
|
|
- name: Required Initial config files
|
|
ansible.builtin.copy:
|
|
content: |
|
|
{{ item.content }}
|
|
dest: "{{ item.path }}/{{ item.name }}"
|
|
mode: '740'
|
|
owner: root
|
|
group: root
|
|
loop: "{{ k3s.files }}"
|
|
when: >
|
|
item.when | default(true) | bool
|
|
# kubernetes_config.cluster.prime.name == inventory_hostname
|
|
|
|
|
|
- name: Fetch Join Token
|
|
ansible.builtin.slurp:
|
|
src: /var/lib/rancher/k3s/server/token
|
|
delegate_to: "{{ kubernetes_config.cluster.prime.name }}"
|
|
run_once: true
|
|
register: k3s_join_token
|
|
no_log: true # Value is sensitive
|
|
|
|
|
|
- name: Create Token fact
|
|
ansible.builtin.set_fact:
|
|
k3s_join_token: "{{ k3s_join_token.content | b64decode | replace('\n', '') }}"
|
|
delegate_to: "{{ kubernetes_config.cluster.prime.name }}"
|
|
run_once: true
|
|
no_log: true # Value is sensitive
|
|
|
|
|
|
- name: Copy Intial required templates
|
|
ansible.builtin.template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
owner: root
|
|
mode: '700'
|
|
force: true
|
|
notify: "{{ item.notify | default(omit) }}"
|
|
loop: "{{ templates_to_apply }}"
|
|
when: >
|
|
item.when | default(true) | bool
|
|
vars:
|
|
templates_to_apply:
|
|
- src: k3s-config.yaml.j2
|
|
dest: /etc/rancher/k3s/config.yaml
|
|
notify: kubernetes_restart
|
|
- src: "calico.yaml.j2"
|
|
dest: /var/lib/rancher/k3s/server/manifests/calico.yaml
|
|
when: "{{ kubernetes_config.cluster.prime.name == inventory_hostname }}"
|
|
- src: k3s-registries.yaml.j2
|
|
dest: /etc/rancher/k3s/registries.yaml
|
|
notify: kubernetes_restart
|
|
when: "{{ (kubernetes_private_container_registry | default([])) | from_yaml | list | length > 0 }}"
|
|
|
|
|
|
# - name: Templates IPv6
|
|
# ansible.builtin.template:
|
|
# src: iptables-kubernetes.rules.j2
|
|
# dest: "/etc/ip6tables.rules.d/ip6tables-kubernetes.rules"
|
|
# owner: root
|
|
# mode: '700'
|
|
# force: true
|
|
# vars:
|
|
# ipv6: true
|
|
|
|
|
|
- name: Set IPTables to legacy mode
|
|
ansible.builtin.command:
|
|
cmd: update-alternatives --set iptables /usr/sbin/iptables-legacy
|
|
changed_when: false
|
|
|
|
|
|
- name: Install K3s (prime master)
|
|
ansible.builtin.shell:
|
|
cmd: |
|
|
INSTALL_K3S_SKIP_DOWNLOAD=true \
|
|
INSTALL_K3S_VERSION="v{{ KubernetesVersion }}{{ KubernetesVersion_k3s_prefix }}" \
|
|
/tmp/install.sh
|
|
changed_when: false
|
|
when: kubernetes_config.cluster.prime.name == inventory_hostname
|
|
|
|
|
|
- name: Wait for kubernetes prime to be ready
|
|
ansible.builtin.shell:
|
|
cmd: |
|
|
set -o pipefail
|
|
if [ `which jq` ]; then
|
|
echo $(kubectl get no $(hostname) -o json | jq .status.conditions[4].status | tr -d '"');
|
|
else
|
|
echo jq command not found;
|
|
exit 127;
|
|
fi
|
|
executable: /bin/bash
|
|
delegate_to: "{{ kubernetes_config.cluster.prime.name }}"
|
|
run_once: true
|
|
register: kubernetes_ready_check
|
|
retries: 30
|
|
delay: 10
|
|
until: >
|
|
kubernetes_ready_check.stdout | default(false) | bool
|
|
or
|
|
kubernetes_ready_check.rc != 0
|
|
changed_when: false
|
|
failed_when: kubernetes_ready_check.rc != 0
|
|
|
|
|
|
- name: Install olm
|
|
ansible.builtin.shell:
|
|
cmd: |
|
|
/tmp/install_olm.sh v{{ kubernetes_version_olm }}
|
|
changed_when: false
|
|
failed_when: >
|
|
'already installed' not in install_olm.stdout
|
|
and
|
|
install_olm.rc == 1
|
|
register: install_olm
|
|
when: >
|
|
kubernetes_config.cluster.prime.name == inventory_hostname
|
|
and
|
|
kubernetes_olm_install | default(true) | bool
|
|
|
|
- name: Enable Cluster Encryption
|
|
ansible.builtin.command:
|
|
cmd: kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true,"wireguardEnabledV6":true}}'
|
|
changed_when: false
|
|
when: >
|
|
kubernetes_config.cluster.prime.name == inventory_hostname
|
|
and
|
|
kubernetes_config.cluster.networking.encrypt | default(false) | bool
|
|
|
|
|
|
- name: Install K3s (master nodes)
|
|
ansible.builtin.shell:
|
|
cmd: |
|
|
INSTALL_K3S_EXEC="server" \
|
|
INSTALL_K3S_SKIP_DOWNLOAD=true \
|
|
INSTALL_K3S_VERSION="v{{ KubernetesVersion }}{{ KubernetesVersion_k3s_prefix }}" \
|
|
K3S_TOKEN="{{ k3s_join_token }}" \
|
|
/tmp/install.sh
|
|
executable: /bin/bash
|
|
changed_when: false
|
|
when: >
|
|
Kubernetes_Master | default(false) | bool
|
|
and
|
|
not kubernetes_config.cluster.prime.name == inventory_hostname
|
|
|
|
|
|
- name: Install K3s (worker nodes)
|
|
ansible.builtin.shell:
|
|
cmd: |
|
|
set -o pipefail
|
|
INSTALL_K3S_EXEC="agent" \
|
|
INSTALL_K3S_SKIP_DOWNLOAD=true \
|
|
INSTALL_K3S_VERSION="v{{ KubernetesVersion }}{{ KubernetesVersion_k3s_prefix }}" \
|
|
K3S_TOKEN="{{ k3s_join_token }}" \
|
|
K3S_URL="https://{{ hostvars[kubernetes_config.cluster.prime.name].ansible_host }}:6443" \
|
|
/tmp/install.sh -
|
|
executable: /bin/bash
|
|
changed_when: false
|
|
when: >
|
|
not Kubernetes_Master | default(false) | bool
|
|
|
|
|
|
- name: Set Kubernetes Final Install Fact
|
|
ansible.builtin.set_fact:
|
|
kubernetes_installed: true
|
|
# Clear Token as no llonger required and due to being a sensitive value
|
|
k3s_join_token: null
|
|
nfc_kubernetes_install_architectures: {}
|