272 lines
7.2 KiB
YAML
272 lines
7.2 KiB
YAML
---
|
|
- name: Wireguard Cluster Encryption
|
|
ansible.builtin.include_tasks:
|
|
file: k3s/wireguard.yaml
|
|
when: >
|
|
not kubernetes_installed_encryption | default(false) | bool
|
|
|
|
|
|
- name: Install Software
|
|
ansible.builtin.include_role:
|
|
name: nfc_common
|
|
vars:
|
|
common_gather_facts: false
|
|
aptInstall:
|
|
- name: curl
|
|
- name: iptables
|
|
- name: jq
|
|
- name: wireguard
|
|
|
|
|
|
- name: Create Required directories
|
|
ansible.builtin.file:
|
|
name: "{{ item.name }}"
|
|
state: "{{ item.state }}"
|
|
mode: "{{ item.mode }}"
|
|
loop: "{{ dirs }}"
|
|
vars:
|
|
dirs:
|
|
- name: /etc/rancher/k3s
|
|
state: directory
|
|
mode: 700
|
|
- name: /var/lib/rancher/k3s/server/logs
|
|
state: directory
|
|
mode: 700
|
|
- name: /var/lib/rancher/k3s/server/manifests
|
|
state: directory
|
|
mode: 700
|
|
|
|
|
|
- name: Add sysctl net.ipv4.ip_forward
|
|
ansible.posix.sysctl:
|
|
name: net.ipv4.ip_forward
|
|
value: '1'
|
|
sysctl_set: true
|
|
state: present
|
|
reload: true
|
|
notify: reboot_host
|
|
when:
|
|
- ansible_os_family == 'Debian'
|
|
# On change reboot
|
|
|
|
|
|
- name: Check if K3s Installed
|
|
ansible.builtin.shell:
|
|
cmd: |
|
|
if [[ $(service k3s status) ]]; then exit 0; else exit 1; fi
|
|
executable: /bin/bash
|
|
changed_when: false
|
|
failed_when: false
|
|
register: k3s_installed
|
|
|
|
|
|
- name: Download K3s Binary
|
|
ansible.builtin.uri:
|
|
url: "{{ item.url }}"
|
|
method: GET
|
|
return_content: true
|
|
status_code:
|
|
- 200
|
|
- 304
|
|
dest: "{{ item.dest }}"
|
|
mode: "744"
|
|
register: k3s_download_files
|
|
delegate_to: localhost
|
|
run_once: true
|
|
# no_log: true
|
|
when: ansible_os_family == 'Debian'
|
|
loop: "{{ download_files }}"
|
|
vars:
|
|
ansible_connection: local
|
|
download_files:
|
|
- dest: /tmp/install.sh
|
|
url: https://get.k3s.io
|
|
- dest: "/tmp/k3s"
|
|
url: "https://github.com/k3s-io/k3s/releases/download/v{{ KubernetesVersion + KubernetesVersion_k3s_prefix | urlencode }}/k3s"
|
|
|
|
|
|
- name: "[TRACE] Downloaded File SHA256"
|
|
ansible.builtin.set_fact:
|
|
hash_sha256_k3s_downloaded_binary: "{{ lookup('ansible.builtin.file', '/tmp/k3s') | hash('sha256') | string }}"
|
|
delegate_to: localhost
|
|
|
|
|
|
- name: Existing k3s File hash
|
|
ansible.builtin.stat:
|
|
checksum_algorithm: sha256
|
|
name: /usr/local/bin/k3s
|
|
register: hash_sha256_k3s_existing_binary
|
|
|
|
|
|
- name: Copy K3s binary to Host
|
|
ansible.builtin.copy:
|
|
src: "/tmp/k3s"
|
|
dest: "/usr/local/bin/k3s"
|
|
mode: '740'
|
|
owner: root
|
|
group: root
|
|
when: hash_sha256_k3s_existing_binary.stat.checksum | default('0') != hash_sha256_k3s_downloaded_binary
|
|
|
|
- name: Copy install script to Host
|
|
ansible.builtin.copy:
|
|
src: "/tmp/install.sh"
|
|
dest: "/tmp/install.sh"
|
|
mode: '755'
|
|
owner: root
|
|
group: root
|
|
# when: hash_sha256_k3s_existing_binary.stat.checksum | default('0') != hash_sha256_k3s_downloaded_binary
|
|
|
|
- name: Required Initial config files
|
|
ansible.builtin.copy:
|
|
content: |
|
|
{{ item.content }}
|
|
dest: "{{ item.path }}/{{ item.name }}"
|
|
mode: '740'
|
|
owner: root
|
|
group: root
|
|
loop: "{{ k3s.files }}"
|
|
when: >
|
|
item.when | default(true) | bool
|
|
# kubernetes_config.cluster.prime.name == inventory_hostname
|
|
|
|
|
|
- name: Copy Intial required templates
|
|
ansible.builtin.template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
owner: root
|
|
mode: '700'
|
|
force: true
|
|
notify: "{{ item.notify | default(omit) }}"
|
|
loop: "{{ templates_to_apply }}"
|
|
when: >
|
|
item.when | default(true) | bool
|
|
vars:
|
|
templates_to_apply:
|
|
- src: k3s-config.yaml.j2
|
|
dest: /etc/rancher/k3s/config.yaml
|
|
notify: kubernetes_restart
|
|
- src: "calico.yaml.j2"
|
|
dest: /var/lib/rancher/k3s/server/manifests/calico.yaml
|
|
when: "{{ kubernetes_config.cluster.prime.name == inventory_hostname }}"
|
|
- src: k3s-registries.yaml.j2
|
|
dest: /etc/rancher/k3s/registries.yaml
|
|
notify: kubernetes_restart
|
|
|
|
|
|
# - name: Templates IPv6
|
|
# ansible.builtin.template:
|
|
# src: iptables-kubernetes.rules.j2
|
|
# dest: "/etc/ip6tables.rules.d/ip6tables-kubernetes.rules"
|
|
# owner: root
|
|
# mode: '700'
|
|
# force: true
|
|
# vars:
|
|
# ipv6: true
|
|
|
|
|
|
- name: Set IPTables to legacy mode
|
|
ansible.builtin.command:
|
|
cmd: update-alternatives --set iptables /usr/sbin/iptables-legacy
|
|
changed_when: false
|
|
|
|
|
|
- name: Install K3s (prime master)
|
|
ansible.builtin.shell:
|
|
cmd: |
|
|
INSTALL_K3S_SKIP_DOWNLOAD=true \
|
|
INSTALL_K3S_VERSION="v{{ KubernetesVersion }}{{ KubernetesVersion_k3s_prefix }}" \
|
|
/tmp/install.sh
|
|
changed_when: false
|
|
when: kubernetes_config.cluster.prime.name == inventory_hostname
|
|
|
|
|
|
- name: Wait for kubernetes prime to be ready
|
|
ansible.builtin.shell:
|
|
cmd: |
|
|
set -o pipefail
|
|
if [ `which jq` ]; then
|
|
echo $(kubectl get no $(hostname) -o json | jq .status.conditions[4].status | tr -d '"');
|
|
else
|
|
echo jq command not found;
|
|
exit 127;
|
|
fi
|
|
executable: /bin/bash
|
|
delegate_to: "{{ kubernetes_config.cluster.prime.name }}"
|
|
run_once: true
|
|
register: kubernetes_ready_check
|
|
retries: 30
|
|
delay: 10
|
|
until: >
|
|
kubernetes_ready_check.stdout | default(false) | bool
|
|
or
|
|
kubernetes_ready_check.rc != 0
|
|
changed_when: false
|
|
failed_when: kubernetes_ready_check.rc != 0
|
|
|
|
|
|
- name: Enable Cluster Encryption
|
|
ansible.builtin.command:
|
|
cmd: kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true,"wireguardEnabledV6":true}}'
|
|
changed_when: false
|
|
when: >
|
|
kubernetes_config.cluster.prime.name == inventory_hostname
|
|
and
|
|
kubernetes.networking.encrypt | default(false) | bool
|
|
|
|
|
|
- name: Fetch Join Token
|
|
ansible.builtin.slurp:
|
|
src: /var/lib/rancher/k3s/server/token
|
|
delegate_to: "{{ kubernetes_config.cluster.prime.name }}"
|
|
run_once: true
|
|
register: k3s_join_token
|
|
no_log: true # Value is sensitive
|
|
|
|
|
|
- name: Create Token fact
|
|
ansible.builtin.set_fact:
|
|
k3s_join_token: "{{ k3s_join_token.content | b64decode | replace('\n', '') }}"
|
|
delegate_to: "{{ kubernetes_config.cluster.prime.name }}"
|
|
run_once: true
|
|
no_log: true # Value is sensitive
|
|
|
|
|
|
- name: Install K3s (master nodes)
|
|
ansible.builtin.shell:
|
|
cmd: |
|
|
set -o pipefail
|
|
INSTALL_K3S_EXEC="server" \
|
|
INSTALL_K3S_SKIP_DOWNLOAD=true \
|
|
INSTALL_K3S_VERSION="v{{ KubernetesVersion }}{{ KubernetesVersion_k3s_prefix }}" \
|
|
K3S_TOKEN="{{ k3s_join_token }}" \
|
|
/tmp/install.sh
|
|
changed_when: false
|
|
when: >
|
|
Kubernetes_Master | default(false) | bool
|
|
and
|
|
not kubernetes_config.cluster.prime.name == inventory_hostname
|
|
|
|
|
|
- name: Install K3s (worker nodes)
|
|
ansible.builtin.shell:
|
|
cmd: |
|
|
set -o pipefail
|
|
INSTALL_K3S_EXEC="agent" \
|
|
INSTALL_K3S_SKIP_DOWNLOAD=true \
|
|
INSTALL_K3S_VERSION="v{{ KubernetesVersion }}{{ KubernetesVersion_k3s_prefix }}" \
|
|
K3S_TOKEN="{{ k3s_join_token }}" \
|
|
K3S_URL="https://{{ hostvars[kubernetes_config.cluster.prime.name].ansible_host }}:6443" \
|
|
/tmp/install.sh -
|
|
executable: /bin/bash
|
|
changed_when: false
|
|
when: >
|
|
not Kubernetes_Master | default(false) | bool
|
|
|
|
|
|
- name: Set Kubernetes Final Install Fact
|
|
ansible.builtin.set_fact:
|
|
kubernetes_installed: true
|
|
# Clear Token as no llonger required and due to being a sensitive value
|
|
k3s_join_token: null
|