Cluster is not k3s anymore.
This commit is contained in:
parent
ddca67b512
commit
203a3967eb
27 changed files with 0 additions and 993 deletions
|
@ -1,10 +0,0 @@
|
|||
#!/bin/bash
|
||||
cilium install \
|
||||
--helm-set=ipam.mode=kubernetes \
|
||||
--helm-set=kubeProxyReplacement=true \
|
||||
--helm-set=k8sServiceHost=167.235.217.82 \
|
||||
--helm-set=policyAuditMode=true \
|
||||
--helm-set=hostFirewall.enabled=true \
|
||||
--helm-set=extraConfig.allow-localhost=policy \
|
||||
--helm-set=hubble.relay.enabled=true \
|
||||
--helm-set=hubble.ui.enabled=true
|
|
@ -1,8 +0,0 @@
|
|||
#shellcheck disable=SC2148,SC2155
|
||||
export SOPS_AGE_KEY_FILE="$(expand_path ../../age.key)"
|
||||
export VIRTUAL_ENV="$(expand_path ../../.venv)"
|
||||
export ANSIBLE_COLLECTIONS_PATH=$(expand_path ../../.venv/galaxy)
|
||||
export ANSIBLE_ROLES_PATH=$(expand_path ../../.venv/galaxy/ansible_roles)
|
||||
export ANSIBLE_VARS_ENABLED="host_group_vars,community.sops.sops"
|
||||
export ANSIBLE_INVENTORY=$(expand_path ./inventory/hosts.yaml)
|
||||
PATH_add "$(expand_path ../../.venv/bin)"
|
|
@ -1,28 +0,0 @@
|
|||
---
|
||||
# renovate: datasource=github-releases depName=k3s-io/k3s
|
||||
k3s_release_version: "v1.29.0+k3s1"
|
||||
k3s_install_hard_links: true
|
||||
k3s_become: true
|
||||
k3s_etcd_datastore: true
|
||||
k3s_registration_address: 10.5.0.2
|
||||
# /var/lib/rancher/k3s/server/manifests
|
||||
k3s_server_manifests_urls:
|
||||
# Essential Prometheus Operator CRDs (the rest are installed with the kube-prometheus-stack helm release)
|
||||
- url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml
|
||||
filename: custom-prometheus-podmonitors.yaml
|
||||
- url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml
|
||||
filename: custom-prometheus-prometheusrules.yaml
|
||||
- url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml
|
||||
filename: custom-prometheus-scrapeconfigs.yaml
|
||||
- url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml
|
||||
filename: custom-prometheus-servicemonitors.yaml
|
||||
# /var/lib/rancher/k3s/server/manifests
|
||||
k3s_server_manifests_templates:
|
||||
- custom-coredns-helmchart.yaml.j2
|
||||
- custom-cilium-helmchart.yaml.j2
|
||||
# k3s_registries:
|
||||
# mirrors:
|
||||
# docker.io:
|
||||
# endpoint: ["http://harbor.hsn.dev/v2/docker.io"]
|
||||
# ghcr.io:
|
||||
# endpoint: ["http://harbor.hsn.dev/v2/ghcr.io"]
|
|
@ -1,3 +0,0 @@
|
|||
---
|
||||
github_username: jahanson
|
||||
timezone: America/Chicago
|
|
@ -1,25 +0,0 @@
|
|||
---
|
||||
k3s_control_node: true
|
||||
k3s_server:
|
||||
cluster-cidr: 10.32.0.0/16
|
||||
disable: ["coredns", "flannel", "local-storage", "metrics-server", "servicelb", "traefik"]
|
||||
disable-cloud-controller: true
|
||||
disable-helm-controller: false
|
||||
disable-kube-proxy: true
|
||||
disable-network-policy: true
|
||||
docker: false
|
||||
etcd-disable-snapshots: true
|
||||
etcd-expose-metrics: true
|
||||
flannel-backend: "none" # quote
|
||||
https-listen-port: 6443
|
||||
# kube-apiserver-arg: ["anonymous-auth=true"]
|
||||
# kubelet-arg: ["feature-gates=ImageMaximumGCAge=true","imageMaximumGCAge=30m"]
|
||||
kubelet-arg: ["image-gc-high-threshold=85","image-gc-low-threshold=80"]
|
||||
kube-controller-manager-arg: ["bind-address=0.0.0.0"]
|
||||
kube-scheduler-arg: ["bind-address=0.0.0.0"]
|
||||
node-ip: "{{ ansible_host }}"
|
||||
pause-image: registry.k8s.io/pause:3.9
|
||||
secrets-encryption: true
|
||||
service-cidr: 10.33.0.0/16
|
||||
tls-san: ["{{ k3s_registration_address }}"]
|
||||
write-kubeconfig-mode: "0644"
|
|
@ -1,5 +0,0 @@
|
|||
---
|
||||
k3s_control_node: false
|
||||
k3s_agent:
|
||||
node-ip: "{{ ansible_host }}"
|
||||
pause-image: registry.k8s.io/pause:3.9
|
|
@ -1,32 +0,0 @@
|
|||
---
|
||||
kubernetes:
|
||||
vars:
|
||||
ansible_user: jahanson
|
||||
ansible_ssh_port: 22
|
||||
children:
|
||||
master:
|
||||
hosts:
|
||||
galadriel:
|
||||
ansible_host: 10.1.1.61
|
||||
thrain:
|
||||
ansible_host: 10.1.1.62
|
||||
cirdan:
|
||||
ansible_host: 10.1.1.63
|
||||
workers:
|
||||
hosts:
|
||||
nenya:
|
||||
ansible_host: 10.1.1.41
|
||||
ceph_drives:
|
||||
- /dev/disk/by-id/nvme-PC300_NVMe_SK_hynix_256GB_EJ75N587410705M4U
|
||||
vilya:
|
||||
ansible_host: 10.1.1.42
|
||||
ceph_drives:
|
||||
- /dev/disk/by-id/nvme-PC300_NVMe_SK_hynix_256GB_EJ75N587411205N58
|
||||
elrond:
|
||||
ansible_host: 10.1.1.43
|
||||
ceph_drives:
|
||||
- /dev/xvdb
|
||||
narya:
|
||||
ansible_host: 10.1.1.44
|
||||
ceph_drives:
|
||||
- /dev/disk/by-id/nvme-Samsung_SSD_960_EVO_250GB_S3ESNX0K308438J
|
|
@ -1,44 +0,0 @@
|
|||
---
|
||||
- name: Add user 'jahanson' and add to sudo group
|
||||
hosts: all
|
||||
become: true
|
||||
|
||||
tasks:
|
||||
- name: Create user 'jahanson'
|
||||
ansible.builtin.user:
|
||||
name: jahanson
|
||||
state: present
|
||||
- name: Add user 'jahanson' to sudo group
|
||||
when: ansible_user == 'root'
|
||||
ansible.builtin.user:
|
||||
name: jahanson
|
||||
groups: sudo
|
||||
append: true
|
||||
- name: User Configuration | SSH keys
|
||||
ansible.posix.authorized_key:
|
||||
user: "jahanson"
|
||||
key: "https://github.com/jahanson.keys"
|
||||
- name: User Configuration | Silence login
|
||||
ansible.builtin.file:
|
||||
dest: "{{ '/home/' + ansible_user if ansible_user != 'root' else '/root' }}/.hushlogin"
|
||||
state: touch
|
||||
owner: "{{ ansible_user }}"
|
||||
group: "{{ ansible_user }}"
|
||||
mode: "0644"
|
||||
modification_time: preserve
|
||||
access_time: preserve
|
||||
- name: Copy .vimrc file
|
||||
ansible.builtin.copy:
|
||||
src: "files/.vimrc"
|
||||
dest: "/home/jahanson/.vimrc"
|
||||
owner: "{{ ansible_user }}"
|
||||
group: "{{ ansible_user }}"
|
||||
mode: "0644"
|
||||
|
||||
- name: User Configuration | Add user to sudoers
|
||||
ansible.builtin.copy:
|
||||
content: "jahanson ALL=(ALL:ALL) NOPASSWD:ALL"
|
||||
dest: "/etc/sudoers.d/jahanson"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0440"
|
|
@ -1,40 +0,0 @@
|
|||
---
|
||||
- name: Reset Ceph Drives
|
||||
hosts: kubernetes
|
||||
become: true
|
||||
gather_facts: true
|
||||
any_errors_fatal: true
|
||||
pre_tasks:
|
||||
- name: Pausing for 2 seconds...
|
||||
ansible.builtin.pause:
|
||||
seconds: 2
|
||||
tasks:
|
||||
- name: Reset Ceph Drives # noqa: ignore-errors
|
||||
ignore_errors: true
|
||||
when: ceph_drives | default([]) | length > 0
|
||||
block:
|
||||
- name: Delete (/var/lib/rook)
|
||||
ansible.builtin.file:
|
||||
state: absent
|
||||
path: /var/lib/rook
|
||||
- name: Delete (/dev/mapper/ceph-*) # noqa: no-changed-when
|
||||
ansible.builtin.shell: |
|
||||
set -o pipefail
|
||||
ls /dev/mapper/ceph-* | xargs -I% -- dmsetup remove_all --force % || true
|
||||
- name: Delete (/dev/ceph-*) # noqa: no-changed-when
|
||||
ansible.builtin.command: rm -rf /dev/ceph-*
|
||||
- name: Delete (/dev/mapper/ceph--*) # noqa: no-changed-when
|
||||
ansible.builtin.command: rm -rf /dev/mapper/ceph--*
|
||||
- name: Wipe (sgdisk) # noqa: no-changed-when
|
||||
ansible.builtin.command: "sgdisk --zap-all {{ item }}"
|
||||
loop: "{{ ceph_drives }}"
|
||||
- name: Wipe (dd) # noqa: no-changed-when
|
||||
ansible.builtin.command: "dd if=/dev/zero of={{ item }} bs=1M count=100 oflag=direct,dsync"
|
||||
loop: "{{ ceph_drives }}"
|
||||
- name: Wipe (blkdiscard) # noqa: no-changed-when
|
||||
ansible.builtin.command: "blkdiscard {{ item }}"
|
||||
loop: "{{ ceph_drives }}"
|
||||
when: "'nvme' in item"
|
||||
- name: Wipe (partprobe) # noqa: no-changed-when
|
||||
ansible.builtin.command: "partprobe {{ item }}"
|
||||
loop: "{{ ceph_drives }}"
|
|
@ -1,107 +0,0 @@
|
|||
---
|
||||
- name: Cluster Installation
|
||||
hosts: kubernetes
|
||||
become: true
|
||||
gather_facts: true
|
||||
any_errors_fatal: true
|
||||
pre_tasks:
|
||||
- name: Pausing for 2 seconds...
|
||||
ansible.builtin.pause:
|
||||
seconds: 2
|
||||
tasks:
|
||||
- name: Check if cluster is installed
|
||||
check_mode: false
|
||||
ansible.builtin.stat:
|
||||
path: /etc/rancher/k3s/config.yaml
|
||||
register: k3s_installed
|
||||
|
||||
- name: Ignore manifests templates and urls if the cluster is already installed
|
||||
when: k3s_installed.stat.exists
|
||||
ansible.builtin.set_fact:
|
||||
k3s_server_manifests_templates: []
|
||||
k3s_server_manifests_urls: []
|
||||
|
||||
- name: Install Kubernetes
|
||||
ansible.builtin.include_role:
|
||||
name: xanmanning.k3s
|
||||
public: true
|
||||
vars:
|
||||
k3s_state: installed
|
||||
|
||||
- name: Kubeconfig
|
||||
ansible.builtin.include_tasks: tasks/kubeconfig.yaml
|
||||
vars:
|
||||
repository_base: "{{ lookup('ansible.builtin.pipe', 'git rev-parse --show-toplevel') }}"
|
||||
|
||||
- name: Wait for custom manifests to rollout
|
||||
when:
|
||||
- k3s_primary_control_node
|
||||
- (k3s_server_manifests_templates | length > 0
|
||||
or k3s_server_manifests_urls | length > 0)
|
||||
kubernetes.core.k8s_info:
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
kind: "{{ item.kind }}"
|
||||
name: "{{ item.name }}"
|
||||
namespace: "{{ item.namespace | default('') }}"
|
||||
wait: true
|
||||
wait_sleep: 10
|
||||
wait_timeout: 360
|
||||
loop:
|
||||
- { name: cilium, kind: HelmChart, namespace: kube-system }
|
||||
- { name: coredns, kind: HelmChart, namespace: kube-system }
|
||||
- { name: policy, kind: CiliumL2AnnouncementPolicy }
|
||||
- { name: pool, kind: CiliumLoadBalancerIPPool }
|
||||
- { name: podmonitors.monitoring.coreos.com, kind: CustomResourceDefinition }
|
||||
- { name: prometheusrules.monitoring.coreos.com, kind: CustomResourceDefinition }
|
||||
- { name: scrapeconfigs.monitoring.coreos.com, kind: CustomResourceDefinition }
|
||||
- { name: servicemonitors.monitoring.coreos.com, kind: CustomResourceDefinition }
|
||||
|
||||
- name: Coredns
|
||||
when: k3s_primary_control_node
|
||||
ansible.builtin.include_tasks: tasks/coredns.yaml
|
||||
|
||||
- name: Cilium
|
||||
when: k3s_primary_control_node
|
||||
ansible.builtin.include_tasks: tasks/cilium.yaml
|
||||
|
||||
- name: Cruft
|
||||
when: k3s_primary_control_node
|
||||
ansible.builtin.include_tasks: tasks/cruft.yaml
|
||||
|
||||
- name: Stale Containers
|
||||
ansible.builtin.include_tasks: tasks/stale_containers.yaml
|
||||
vars:
|
||||
stale_containers_state: disabled
|
||||
|
||||
# - name: Helm controller
|
||||
# notify: Restart Kubernetes
|
||||
# when: k3s_control_node
|
||||
# ansible.builtin.include_tasks: tasks/helm_controller.yaml
|
||||
|
||||
# TODO: Replace this with embedded spegel in the future
|
||||
- name: Copy custom containerd configuration
|
||||
when: inventory_hostname != 'temp'
|
||||
notify: Restart Kubernetes
|
||||
ansible.builtin.copy:
|
||||
src: files/config.toml.tmpl
|
||||
dest: /var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
||||
- name: Copy custom containerd configuration
|
||||
when: inventory_hostname == 'temp'
|
||||
notify: Restart Kubernetes
|
||||
ansible.builtin.copy:
|
||||
src: files/config.nvidia.toml.tmpl
|
||||
dest: /var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
||||
|
||||
handlers:
|
||||
- name: Restart Kubernetes
|
||||
ansible.builtin.systemd:
|
||||
name: k3s
|
||||
state: restarted
|
|
@ -1,61 +0,0 @@
|
|||
---
|
||||
- name: Cluster Nuke
|
||||
hosts: kubernetes
|
||||
become: true
|
||||
gather_facts: true
|
||||
any_errors_fatal: true
|
||||
pre_tasks:
|
||||
- name: Pausing for 2 seconds...
|
||||
ansible.builtin.pause:
|
||||
seconds: 2
|
||||
tasks:
|
||||
- name: Stop Kubernetes # noqa: ignore-errors
|
||||
ignore_errors: true
|
||||
block:
|
||||
- name: Stop Kubernetes
|
||||
ansible.builtin.include_role:
|
||||
name: xanmanning.k3s
|
||||
public: true
|
||||
vars:
|
||||
k3s_state: stopped
|
||||
|
||||
# https://github.com/k3s-io/docs/blob/main/docs/installation/network-options.md
|
||||
- name: Networking
|
||||
block:
|
||||
- name: Networking | Delete Cilium links
|
||||
ansible.builtin.command:
|
||||
cmd: "ip link delete {{ item }}"
|
||||
removes: "/sys/class/net/{{ item }}"
|
||||
loop: ["cilium_host", "cilium_net", "cilium_vxlan"]
|
||||
- name: Networking | Flush iptables
|
||||
ansible.builtin.iptables:
|
||||
table: "{{ item }}"
|
||||
flush: true
|
||||
loop: ["filter", "nat", "mangle", "raw"]
|
||||
- name: Networking | Flush ip6tables
|
||||
ansible.builtin.iptables:
|
||||
table: "{{ item }}"
|
||||
flush: true
|
||||
ip_version: ipv6
|
||||
loop: ["filter", "nat", "mangle", "raw"]
|
||||
- name: Networking | Delete CNI directory
|
||||
ansible.builtin.file:
|
||||
path: /etc/cni/net.d
|
||||
state: absent
|
||||
|
||||
- name: Uninstall Kubernetes
|
||||
ansible.builtin.include_role:
|
||||
name: xanmanning.k3s
|
||||
public: true
|
||||
vars:
|
||||
k3s_state: uninstalled
|
||||
|
||||
- name: Stale Containers
|
||||
ansible.builtin.include_tasks: tasks/stale_containers.yaml
|
||||
vars:
|
||||
stale_containers_state: disabled
|
||||
|
||||
- name: Reboot
|
||||
ansible.builtin.reboot:
|
||||
msg: Rebooting nodes
|
||||
reboot_timeout: 3600
|
|
@ -1,130 +0,0 @@
|
|||
---
|
||||
- name: Prepare System
|
||||
hosts: kubernetes
|
||||
become: true
|
||||
gather_facts: true
|
||||
any_errors_fatal: true
|
||||
pre_tasks:
|
||||
- name: Pausing for 2 seconds...
|
||||
ansible.builtin.pause:
|
||||
seconds: 2
|
||||
tasks:
|
||||
- name: Locale
|
||||
block:
|
||||
- name: Locale | Set timezone
|
||||
community.general.timezone:
|
||||
name: "{{ timezone | default('Etc/UTC') }}"
|
||||
|
||||
- name: Packages
|
||||
block:
|
||||
- name: Packages | Add non-free repository
|
||||
ansible.builtin.apt_repository:
|
||||
repo: deb http://deb.debian.org/debian/ stable main contrib non-free
|
||||
filename: non-free
|
||||
update_cache: true
|
||||
- name: Packages | Install Intel common packages
|
||||
when: inventory_hostname != 'elrond'
|
||||
ansible.builtin.apt:
|
||||
name: vim,i965-va-driver-shaders,apt-transport-https,ca-certificates,conntrack,curl,dirmngr,gdisk,
|
||||
gnupg,hdparm,htop,btop,intel-gpu-tools,intel-media-va-driver-non-free,iperf3,iptables,iputils-ping,ipvsadm,
|
||||
libseccomp2,lm-sensors,neofetch,net-tools,nfs-common,nvme-cli,open-iscsi,parted,psmisc,python3,
|
||||
python3-apt,python3-openshift,python3-kubernetes,python3-yaml,smartmontools,socat,software-properties-common,
|
||||
unzip,util-linux
|
||||
install_recommends: false
|
||||
- name: Packages | Install AMD common packages
|
||||
when: inventory_hostname == 'elrond'
|
||||
ansible.builtin.apt:
|
||||
name: vim,apt-transport-https,ca-certificates,conntrack,curl,dirmngr,gdisk,
|
||||
gnupg,hdparm,htop,btop,iperf3,iptables,iputils-ping,ipvsadm,
|
||||
libseccomp2,lm-sensors,neofetch,net-tools,nfs-common,nvme-cli,open-iscsi,parted,psmisc,python3,
|
||||
python3-apt,python3-openshift,python3-kubernetes,python3-yaml,smartmontools,socat,software-properties-common,
|
||||
unzip,util-linux
|
||||
install_recommends: false
|
||||
|
||||
|
||||
- name: Fish
|
||||
block:
|
||||
- name: Fish | Add fish apt key
|
||||
ansible.builtin.get_url:
|
||||
url: https://download.opensuse.org/repositories/shells:fish:release:3/Debian_12/Release.key
|
||||
dest: /etc/apt/trusted.gpg.d/fish.asc
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
- name: Fish | Add fish repository
|
||||
ansible.builtin.apt_repository:
|
||||
repo: deb [signed-by=/etc/apt/trusted.gpg.d/fish.asc] http://download.opensuse.org/repositories/shells:/fish:/release:/3/Debian_12/ /
|
||||
filename: fish
|
||||
update_cache: true
|
||||
- name: Fish | Install fish
|
||||
ansible.builtin.apt:
|
||||
name: fish
|
||||
install_recommends: false
|
||||
- name: Fish | Set as default shell
|
||||
ansible.builtin.user:
|
||||
name: "{{ ansible_user }}"
|
||||
shell: /usr/bin/fish
|
||||
- name: Fish | Create configuration directory
|
||||
ansible.builtin.file:
|
||||
path: "{{ '/home/' + ansible_user if ansible_user != 'root' else '/root' }}/.config/fish/functions"
|
||||
state: directory
|
||||
owner: "{{ ansible_user }}"
|
||||
group: "{{ ansible_user }}"
|
||||
recurse: true
|
||||
- name: Fish | Create neofetch greeting
|
||||
ansible.builtin.copy:
|
||||
dest: "{{ '/home/' + ansible_user if ansible_user != 'root' else '/root' }}/.config/fish/functions/fish_greeting.fish"
|
||||
owner: "{{ ansible_user }}"
|
||||
group: "{{ ansible_user }}"
|
||||
mode: "0755"
|
||||
content: neofetch --config none
|
||||
- name: Fish | Create kubectl shorthand
|
||||
ansible.builtin.copy:
|
||||
dest: "{{ '/home/' + ansible_user if ansible_user != 'root' else '/root' }}/.config/fish/functions/k.fish"
|
||||
owner: "{{ ansible_user }}"
|
||||
group: "{{ ansible_user }}"
|
||||
mode: "0755"
|
||||
content: |
|
||||
function k --wraps=kubectl --description 'kubectl shorthand'
|
||||
kubectl $argv
|
||||
end
|
||||
|
||||
- name: System Configuration
|
||||
notify: Reboot
|
||||
block:
|
||||
- name: System Configuration | Disable swap
|
||||
ansible.posix.mount:
|
||||
name: "{{ item }}"
|
||||
fstype: swap
|
||||
state: absent
|
||||
loop: ["none", "swap"]
|
||||
- name: System Configuration | Create Kernel modules
|
||||
ansible.builtin.copy:
|
||||
dest: "/etc/modules-load.d/{{ item }}.conf"
|
||||
mode: "0644"
|
||||
content: "{{ item }}"
|
||||
loop: ["br_netfilter", "ceph", "ip_vs", "ip_vs_rr", "overlay", "rbd", "tcp_bbr"]
|
||||
register: modules_status
|
||||
- name: System Configuration | Reload Kernel modules # noqa: no-changed-when no-handler
|
||||
when: modules_status.changed
|
||||
ansible.builtin.systemd:
|
||||
name: systemd-modules-load
|
||||
state: restarted
|
||||
- name: System Configuration | Sysctl
|
||||
ansible.posix.sysctl:
|
||||
name: "{{ item.key }}"
|
||||
value: "{{ item.value }}"
|
||||
sysctl_file: /etc/sysctl.d/99-kubernetes.conf
|
||||
reload: true
|
||||
with_dict: "{{ sysctl_config }}"
|
||||
vars:
|
||||
sysctl_config:
|
||||
fs.inotify.max_queued_events: 65536
|
||||
fs.inotify.max_user_watches: 524288
|
||||
fs.inotify.max_user_instances: 8192
|
||||
|
||||
handlers:
|
||||
- name: Reboot
|
||||
ansible.builtin.reboot:
|
||||
msg: Rebooting nodes
|
||||
reboot_timeout: 3600
|
|
@ -1,71 +0,0 @@
|
|||
---
|
||||
# https://github.com/kevincoakley/ansible-role-k8s-rolling-update
|
||||
- name: Cluster update rollout
|
||||
hosts: kubernetes
|
||||
become: true
|
||||
gather_facts: true
|
||||
any_errors_fatal: true
|
||||
serial: 1
|
||||
pre_tasks:
|
||||
- name: Pausing for 2 seconds...
|
||||
ansible.builtin.pause:
|
||||
seconds: 2
|
||||
tasks:
|
||||
- name: Details
|
||||
ansible.builtin.command: "kubectl get node {{ inventory_hostname }} -o json"
|
||||
register: kubectl_get_node
|
||||
delegate_to: "{{ groups['master'][0] }}"
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
|
||||
- name: Update
|
||||
when:
|
||||
# When status.conditions[x].type == Ready then check stats.conditions[x].status for True|False
|
||||
- kubectl_get_node['stdout'] | from_json | json_query("status.conditions[?type == 'Ready'].status")
|
||||
# If spec.unschedulable is defined then the node is cordoned
|
||||
- not (kubectl_get_node['stdout'] | from_json).spec.unschedulable is defined
|
||||
block:
|
||||
- name: Cordon
|
||||
kubernetes.core.k8s_drain:
|
||||
name: "{{ inventory_hostname }}"
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
state: cordon
|
||||
delegate_to: "{{ groups['master'][0] }}"
|
||||
|
||||
- name: Drain
|
||||
kubernetes.core.k8s_drain:
|
||||
name: "{{ inventory_hostname }}"
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
state: drain
|
||||
delete_options:
|
||||
delete_emptydir_data: true
|
||||
ignore_daemonsets: true
|
||||
terminate_grace_period: 600
|
||||
wait_timeout: 900
|
||||
pod_selectors:
|
||||
- app!=rook-ceph-osd
|
||||
delegate_to: "{{ groups['master'][0] }}"
|
||||
|
||||
- name: Update
|
||||
ansible.builtin.apt:
|
||||
upgrade: dist
|
||||
update_cache: true
|
||||
|
||||
- name: Check if reboot is required
|
||||
ansible.builtin.stat:
|
||||
path: /var/run/reboot-required
|
||||
register: reboot_required
|
||||
|
||||
- name: Reboot
|
||||
when: reboot_required.stat.exists
|
||||
ansible.builtin.reboot:
|
||||
msg: Rebooting node
|
||||
post_reboot_delay: 120
|
||||
reboot_timeout: 3600
|
||||
|
||||
- name: Uncordon
|
||||
kubernetes.core.k8s_drain:
|
||||
name: "{{ inventory_hostname }}"
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
state: uncordon
|
||||
delegate_to: "{{ groups['master'][0] }}"
|
|
@ -1,2 +0,0 @@
|
|||
source $VIMRUNTIME/defaults.vim
|
||||
set mouse-=a
|
|
@ -1,35 +0,0 @@
|
|||
version = 2
|
||||
|
||||
[plugins."io.containerd.internal.v1.opt"]
|
||||
path = "/var/lib/rancher/k3s/agent/containerd"
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri"]
|
||||
stream_server_address = "127.0.0.1"
|
||||
stream_server_port = "10010"
|
||||
enable_selinux = false
|
||||
enable_unprivileged_ports = true
|
||||
enable_unprivileged_icmp = true
|
||||
sandbox_image = "registry.k8s.io/pause:3.9"
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd]
|
||||
snapshotter = "overlayfs"
|
||||
disable_snapshot_annotations = true
|
||||
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia]
|
||||
privileged_without_host_devices = false
|
||||
runtime_engine = ""
|
||||
runtime_root = ""
|
||||
runtime_type = "io.containerd.runc.v2"
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia.options]
|
||||
BinaryName = "/usr/bin/nvidia-container-runtime"
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
|
||||
runtime_type = "io.containerd.runc.v2"
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
|
||||
SystemdCgroup = true
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".registry]
|
||||
config_path = "/var/lib/rancher/k3s/agent/etc/containerd/certs.d"
|
|
@ -1,25 +0,0 @@
|
|||
version = 2
|
||||
|
||||
[plugins."io.containerd.internal.v1.opt"]
|
||||
path = "/var/lib/rancher/k3s/agent/containerd"
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri"]
|
||||
stream_server_address = "127.0.0.1"
|
||||
stream_server_port = "10010"
|
||||
enable_selinux = false
|
||||
enable_unprivileged_ports = true
|
||||
enable_unprivileged_icmp = true
|
||||
sandbox_image = "registry.k8s.io/pause:3.9"
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd]
|
||||
snapshotter = "overlayfs"
|
||||
disable_snapshot_annotations = true
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
|
||||
runtime_type = "io.containerd.runc.v2"
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
|
||||
SystemdCgroup = true
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".registry]
|
||||
config_path = "/var/lib/rancher/k3s/agent/etc/containerd/certs.d"
|
|
@ -1,6 +0,0 @@
|
|||
[Unit]
|
||||
Description=Stale containers
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/local/bin/k3s crictl rmi --prune
|
|
@ -1,11 +0,0 @@
|
|||
[Unit]
|
||||
Description=Stale containers
|
||||
|
||||
[Timer]
|
||||
OnCalendar=weekly
|
||||
AccuracySec=1h
|
||||
Persistent=true
|
||||
RandomizedDelaySec=6000
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
|
@ -1,56 +0,0 @@
|
|||
---
|
||||
- name: Cilium
|
||||
block:
|
||||
- name: Cilium | Check if Cilium HelmChart exists
|
||||
kubernetes.core.k8s_info:
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
name: cilium
|
||||
kind: HelmChart
|
||||
namespace: kube-system
|
||||
register: cilium_helmchart
|
||||
|
||||
- name: Cilium | Wait for Cilium to rollout
|
||||
when: cilium_helmchart.resources | count > 0
|
||||
kubernetes.core.k8s_info:
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
name: helm-install-cilium
|
||||
kind: Job
|
||||
namespace: kube-system
|
||||
wait: true
|
||||
wait_condition:
|
||||
type: Complete
|
||||
status: true
|
||||
wait_timeout: 360
|
||||
|
||||
- name: Cilium | Patch the Cilium HelmChart to unmanage it
|
||||
when: cilium_helmchart.resources | count > 0
|
||||
kubernetes.core.k8s_json_patch:
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
name: cilium
|
||||
kind: HelmChart
|
||||
namespace: kube-system
|
||||
patch:
|
||||
- op: add
|
||||
path: /metadata/annotations/helmcharts.helm.cattle.io~1unmanaged
|
||||
value: "true"
|
||||
|
||||
- name: Cilium | Delete the Cilium HelmChart CR
|
||||
when: cilium_helmchart.resources | count > 0
|
||||
kubernetes.core.k8s:
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
name: cilium
|
||||
kind: HelmChart
|
||||
namespace: kube-system
|
||||
state: absent
|
||||
|
||||
- name: Cilium | Force delete the Cilium HelmChart
|
||||
when: cilium_helmchart.resources | count > 0
|
||||
kubernetes.core.k8s:
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
name: cilium
|
||||
kind: HelmChart
|
||||
namespace: kube-system
|
||||
state: patched
|
||||
definition:
|
||||
metadata:
|
||||
finalizers: []
|
|
@ -1,56 +0,0 @@
|
|||
---
|
||||
- name: Coredns
|
||||
block:
|
||||
- name: Coredns | Check if Coredns HelmChart exists
|
||||
kubernetes.core.k8s_info:
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
name: coredns
|
||||
kind: HelmChart
|
||||
namespace: kube-system
|
||||
register: coredns_helmchart
|
||||
|
||||
- name: Coredns | Wait for Coredns to rollout
|
||||
when: coredns_helmchart.resources | count > 0
|
||||
kubernetes.core.k8s_info:
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
name: helm-install-coredns
|
||||
kind: Job
|
||||
namespace: kube-system
|
||||
wait: true
|
||||
wait_condition:
|
||||
type: Complete
|
||||
status: true
|
||||
wait_timeout: 360
|
||||
|
||||
- name: Coredns | Patch the Coredns HelmChart to unmanage it
|
||||
when: coredns_helmchart.resources | count > 0
|
||||
kubernetes.core.k8s_json_patch:
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
name: coredns
|
||||
kind: HelmChart
|
||||
namespace: kube-system
|
||||
patch:
|
||||
- op: add
|
||||
path: /metadata/annotations/helmcharts.helm.cattle.io~1unmanaged
|
||||
value: "true"
|
||||
|
||||
- name: Coredns | Delete the Coredns HelmChart CR
|
||||
when: coredns_helmchart.resources | count > 0
|
||||
kubernetes.core.k8s:
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
name: coredns
|
||||
kind: HelmChart
|
||||
namespace: kube-system
|
||||
state: absent
|
||||
|
||||
- name: Coredns | Force delete the Coredns HelmChart
|
||||
when: coredns_helmchart.resources | count > 0
|
||||
kubernetes.core.k8s:
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
name: coredns
|
||||
kind: HelmChart
|
||||
namespace: kube-system
|
||||
state: patched
|
||||
definition:
|
||||
metadata:
|
||||
finalizers: []
|
|
@ -1,32 +0,0 @@
|
|||
---
|
||||
# https://github.com/k3s-io/k3s/issues/1971
|
||||
- name: Cruft
|
||||
block:
|
||||
- name: Cruft | Get list of custom manifests
|
||||
ansible.builtin.find:
|
||||
paths: "{{ k3s_server_manifests_dir }}"
|
||||
file_type: file
|
||||
use_regex: true
|
||||
patterns: ["^custom-.*"]
|
||||
register: custom_manifest
|
||||
|
||||
- name: Cruft | Delete custom manifests
|
||||
ansible.builtin.file:
|
||||
path: "{{ item.path }}"
|
||||
state: absent
|
||||
loop: "{{ custom_manifest.files }}"
|
||||
|
||||
- name: Cruft | Get list of custom addons
|
||||
kubernetes.core.k8s_info:
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
kind: Addon
|
||||
register: addons_list
|
||||
|
||||
- name: Cruft | Delete addons
|
||||
kubernetes.core.k8s:
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
name: "{{ item.metadata.name }}"
|
||||
kind: Addon
|
||||
namespace: kube-system
|
||||
state: absent
|
||||
loop: "{{ addons_list.resources | selectattr('metadata.name', 'match', '^custom-.*') | list }}"
|
|
@ -1,16 +0,0 @@
|
|||
---
|
||||
- name: Helm Controller
|
||||
block:
|
||||
- name: Helm Controller | Disable Helm controller
|
||||
ansible.builtin.replace:
|
||||
path: /etc/rancher/k3s/config.yaml
|
||||
regexp: '^disable-helm-controller: false$'
|
||||
replace: 'disable-helm-controller: true'
|
||||
|
||||
- name: Helm Controller | Delete Helm controller CRDs
|
||||
kubernetes.core.k8s:
|
||||
kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||||
name: "{{ item }}"
|
||||
kind: CustomResourceDefinition
|
||||
state: absent
|
||||
loop: ["helmcharts.helm.cattle.io", "helmchartconfigs.helm.cattle.io"]
|
|
@ -1,36 +0,0 @@
|
|||
---
|
||||
# https://github.com/k3s-io/k3s/issues/1900
|
||||
- name: Enabled Stale containers
|
||||
when: stale_containers_state == "enabled"
|
||||
block:
|
||||
- name: Stale containers | Create systemd unit
|
||||
ansible.builtin.copy:
|
||||
src: files/stale-containers.service
|
||||
dest: /etc/systemd/system/stale-containers.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
||||
- name: Stale containers | Create systemd timer
|
||||
ansible.builtin.copy:
|
||||
src: files/stale-containers.timer
|
||||
dest: /etc/systemd/system/stale-containers.timer
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
||||
- name: Stale containers | Start the systemd timer
|
||||
ansible.builtin.systemd:
|
||||
name: stale-containers.timer
|
||||
enabled: true
|
||||
daemon_reload: true
|
||||
masked: false
|
||||
state: started
|
||||
|
||||
- name: Disable Stale containers
|
||||
when: stale_containers_state == "disabled"
|
||||
block:
|
||||
- name: Stale containers | Mask the systemd timer
|
||||
ansible.builtin.systemd:
|
||||
name: stale-containers.timer
|
||||
masked: true
|
|
@ -1,51 +0,0 @@
|
|||
---
|
||||
# https://docs.k3s.io/helm
|
||||
apiVersion: helm.cattle.io/v1
|
||||
kind: HelmChart
|
||||
metadata:
|
||||
name: cilium
|
||||
namespace: kube-system
|
||||
spec:
|
||||
# renovate: datasource=helm
|
||||
repo: https://helm.cilium.io/
|
||||
chart: cilium
|
||||
version: 1.14.5
|
||||
targetNamespace: kube-system
|
||||
bootstrap: true
|
||||
valuesContent: |-
|
||||
cluster:
|
||||
name: homelab
|
||||
id: 1
|
||||
containerRuntime:
|
||||
integration: containerd
|
||||
socketPath: /var/run/k3s/containerd/containerd.sock
|
||||
hubble:
|
||||
enabled: true
|
||||
relay:
|
||||
enabled: true
|
||||
ui:
|
||||
enabled: true
|
||||
ipam:
|
||||
mode: kubernetes
|
||||
ipv4NativeRoutingCIDR: "{{ k3s_server['cluster-cidr'] }}"
|
||||
k8sServiceHost: "{{ k3s_registration_address }}"
|
||||
k8sServicePort: 6443
|
||||
kubeProxyReplacement: true
|
||||
localRedirectPolicy: true
|
||||
operator:
|
||||
rollOutPods: true
|
||||
rollOutCiliumPods: true
|
||||
securityContext:
|
||||
privileged: true
|
||||
policyAuditMode: true
|
||||
hostFirewall:
|
||||
enabled: true
|
||||
extraConfig:
|
||||
allow-localhost: policy
|
||||
bgp:
|
||||
enabled: false
|
||||
announce:
|
||||
loadbalancerIP: true
|
||||
podCIDR: false
|
||||
bgpControlPlane:
|
||||
enabled: true
|
|
@ -1,77 +0,0 @@
|
|||
---
|
||||
# https://docs.k3s.io/helm
|
||||
apiVersion: helm.cattle.io/v1
|
||||
kind: HelmChart
|
||||
metadata:
|
||||
name: coredns
|
||||
namespace: kube-system
|
||||
spec:
|
||||
# renovate: datasource=helm
|
||||
repo: https://coredns.github.io/helm
|
||||
chart: coredns
|
||||
version: 1.29.0
|
||||
targetNamespace: kube-system
|
||||
bootstrap: true
|
||||
valuesContent: |-
|
||||
fullnameOverride: coredns
|
||||
replicaCount: 2
|
||||
k8sAppLabelOverride: kube-dns
|
||||
service:
|
||||
name: kube-dns
|
||||
clusterIP: {{ k3s_server['service-cidr'] | ansible.utils.nthhost(10) }}
|
||||
serviceAccount:
|
||||
create: true
|
||||
deployment:
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
servers:
|
||||
- zones:
|
||||
- zone: .
|
||||
scheme: dns://
|
||||
use_tcp: true
|
||||
port: 53
|
||||
plugins:
|
||||
- name: log
|
||||
- name: errors
|
||||
- name: health
|
||||
configBlock: |-
|
||||
lameduck 5s
|
||||
- name: ready
|
||||
- name: kubernetes
|
||||
parameters: cluster.local in-addr.arpa ip6.arpa
|
||||
configBlock: |-
|
||||
pods insecure
|
||||
fallthrough in-addr.arpa ip6.arpa
|
||||
ttl 30
|
||||
- name: prometheus
|
||||
parameters: 0.0.0.0:9153
|
||||
- name: forward
|
||||
parameters: . /etc/resolv.conf
|
||||
- name: cache
|
||||
parameters: 30
|
||||
- name: loop
|
||||
- name: reload
|
||||
- name: loadbalance
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
- key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
topologySpreadConstraints:
|
||||
- maxSkew: 1
|
||||
topologyKey: kubernetes.io/hostname
|
||||
whenUnsatisfiable: DoNotSchedule
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/instance: coredns
|
|
@ -1,8 +0,0 @@
|
|||
ansible==9.3.0
|
||||
ansible-lint==24.2.0
|
||||
# https://github.com/pyca/bcrypt/issues/684
|
||||
bcrypt==4.1.2
|
||||
jmespath==1.0.1
|
||||
netaddr==1.2.1
|
||||
openshift==0.13.2
|
||||
passlib==1.7.4
|
|
@ -1,18 +0,0 @@
|
|||
---
|
||||
collections:
|
||||
- name: ansible.posix
|
||||
version: 1.5.4
|
||||
- name: ansible.utils
|
||||
version: 3.1.0
|
||||
- name: community.general
|
||||
version: 8.4.0
|
||||
- name: community.sops
|
||||
version: 1.6.7
|
||||
- name: kubernetes.core
|
||||
version: 3.0.0
|
||||
- name: onepassword.connect
|
||||
version: 2.2.4
|
||||
roles:
|
||||
- name: xanmanning.k3s
|
||||
src: https://github.com/PyratLabs/ansible-role-k3s
|
||||
version: v3.4.4
|