From 88c4127364439dbbee59e4adea3a4b068c564e19 Mon Sep 17 00:00:00 2001 From: staffadmin Date: Thu, 23 Nov 2023 13:32:04 +0100 Subject: [PATCH] Add kub cluster --- dockerapps.yml | 2 +- group_vars/{perso.yml => controller.yml} | 15 +--- group_vars/kubernetes.yml | 87 +++++++++++++++++++++++- host_vars/ovh_fr.yml | 33 --------- host_vars/ovhmaster.yml | 37 ++++++++++ host_vars/ovhworker.yml | 35 ++++++++++ host_vars/scaleway_fr.yml | 8 +-- hosts | 16 ++--- kubernetes.yml | 46 ++++++++++++- 9 files changed, 212 insertions(+), 67 deletions(-) rename group_vars/{perso.yml => controller.yml} (79%) delete mode 100644 host_vars/ovh_fr.yml create mode 100644 host_vars/ovhmaster.yml create mode 100644 host_vars/ovhworker.yml diff --git a/dockerapps.yml b/dockerapps.yml index a1deee5..17c4540 100644 --- a/dockerapps.yml +++ b/dockerapps.yml @@ -1,6 +1,6 @@ --- - name: Docker-Compose playbook - hosts: all + hosts: controller become: true # # diff --git a/group_vars/perso.yml b/group_vars/controller.yml similarity index 79% rename from group_vars/perso.yml rename to group_vars/controller.yml index 3118f12..5f595b0 100644 --- a/group_vars/perso.yml +++ b/group_vars/controller.yml @@ -14,17 +14,6 @@ management_user_list: as: ALL commands: ALL nopasswd: ALL - - name: test - shell: '/bin/bash' - state: absent - authorized_keys: - - key: "ssh-rsa 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" - exclusive: yes - sudo: - hosts: ALL - as: ALL - commands: ALL - nopasswd: ALL ################ # SSH - CLIENT # @@ -97,7 +86,7 @@ apt_ppas: [] # # not needed on ubuntu distribution # #codename: trusty # apt_packages: -# - name: openssh-server +# - name: python3-pip ######### 
@@ -137,4 +126,4 @@ test_vault: !vault | 6166363235383964626463353061343635626431396664660a333231303661343362353162353938 32373332373362656635393365363635313137306532366536323765346464336634653366383961 3965626433316138320a366336393034383065363134623239646230396432356431383935346463 - 6330 \ No newline at end of file + 6330 diff --git a/group_vars/kubernetes.yml b/group_vars/kubernetes.yml index bea3f8e..aa2ed9f 100644 --- a/group_vars/kubernetes.yml +++ b/group_vars/kubernetes.yml 
@@ -1,8 +1,63 @@ --- +apt_packages: + - name: openssh-server + - name: proxychains + +sshd_skip_defaults: true +sshd_config_file: /etc/ssh/sshd_config +sshd_AuthorizedKeysFile: .ssh/authorized_keys +sshd_AcceptEnv: "LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL" +sshd_Protocol: 2 +sshd_LoginGraceTime: 30 +sshd_SyslogFacility: AUTH +sshd_LogLevel: VERBOSE +sshd_PermitRootLogin: 'no' +sshd_StrictModes: 'yes' +sshd_IgnoreRhosts: 'yes' +sshd_HostbasedAuthentication: 'no' +sshd_PasswordAuthentication: 'no' +sshd_PermitEmptyPasswords: 'no' +sshd_ChallengeResponseAuthentication: 'no' +sshd_GSSAPIAuthentication: 'no' +sshd_X11DisplayOffset: 10 +sshd_PrintMotd: 'yes' +sshd_PrintLastLog: 'yes' +sshd_TCPKeepAlive: 'yes' +sshd_Subsystem: "sftp /usr/lib/openssh/sftp-server" +sshd_UsePAM: 'yes' +sshd_UseDNS: 'no' +sshd_KexAlgorithms: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" +sshd_Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr" +sshd_MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com" +sshd_HostKey: + - /etc/ssh/ssh_host_rsa_key + + ####### + # APT # + ####### + +apt_repositories_sources: + - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal main restricted + - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates main restricted + - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal universe + - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates universe + - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal multiverse + - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates multiverse + - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse + - deb http://security.ubuntu.com/ubuntu focal-security main restricted + - deb http://security.ubuntu.com/ubuntu focal-security universe + - deb 
http://security.ubuntu.com/ubuntu focal-security multiverse + + + ######## + # KUBE # + ######## disable_firewall: true # Need public_network for argocd -kubernetes_subnet: 192.168.0.0/24 +# I use any because both worker and master are not on the same network ( +# They have only one public IP +kubernetes_subnet: 0.0.0.0/0 # vip control plan 192.168.25.255 setup_vip: false @@ -10,4 +65,32 @@ install_nginx_ingress: false install_longhorn: false # This variable is used when the cluster is bootstrapped for the first time -kubernetes_init_host: k8s-ubuntu-0 \ No newline at end of file +kubernetes_init_host: ovh-master + +kubernetes_init_app: true + +kubernetes_app: + - url: https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml + namespace: argocd + +kubernetes_alias_bashrc: + - path: "/root/.bashrc" + regexp: "^source /usr/share/bash-completion/bash_completion" + state: present + line: "source /usr/share/bash-completion/bash_completion" + - path: "/root/.bashrc" + regexp: "^source /etc/bash_completion" + state: present + line: "source /etc/bash_completion" + - path: "/root/.bashrc" + regexp: "^source <(kubectl completion bash)" + state: present + line: "source <(kubectl completion bash)" + - path: "/root/.bashrc" + regexp: "^alias k=kubectl" + state: present + line: "alias k=kubectl" + - path: "/root/.bashrc" + regexp: "^complete -F __start_kubectl k" + state: present + line: "complete -F __start_kubectl k" diff --git a/host_vars/ovh_fr.yml b/host_vars/ovh_fr.yml deleted file mode 100644 index 6acc874..0000000 --- a/host_vars/ovh_fr.yml +++ /dev/null 
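Review bot: `kubernetes_subnet: 0.0.0.0/0` in the KUBE section makes the subnet match every interface, and the unchanged `disable_firewall: true` just above it still switches the host firewall off, so whatever the role derives from this value (node advertise address, allowed source range — the role is not visible here, so confirm which) now lands on the nodes' public interfaces with nothing filtering the API server, kubelet and etcd ports. If the master and worker truly share no private network, keeping the firewall on and allowing the cluster ports only from the two public addresses listed in `hosts`, or adding a VPN/WireGuard link and pointing this variable at it, expresses the same intent with bounded exposure. The explanatory comment also has an unclosed parenthesis; suggested wording: `# Master and worker share no private network (each has only a public IP), so no single subnet covers both`. In the SSH block, `sshd_Protocol: 2` is a no-op on current OpenSSH and `sshd_HostKey` only lists the RSA key, so `/etc/ssh/ssh_host_ed25519_key` is worth adding to that list.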
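Review bot: The `kubernetes_alias_bashrc` entry for kubectl completion uses `regexp: "^source <(kubectl completion bash)"`, where `(` and `)` are regex grouping, so the pattern matches `source <kubectl completion bash` and never the literal `source <(kubectl completion bash)` that `line` writes; lineinfile therefore finds no existing match and appends the line on every run instead of being idempotent. Escape the parentheses: `regexp: '^source <\(kubectl completion bash\)'`. The `kubernetes_app` URL also tracks Argo CD's moving `stable` branch, so each bootstrap applies whatever that branch holds at that moment with cluster-wide permissions and nothing verifies the artifact; pin it to a release-tag path and, since the download task in kubernetes.yml fetches it with `get_url`, carry a `checksum` field next to `url` that the task can pass through.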
@@ -1,33 +0,0 @@ ---- -apt_repositories_sources: - - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal main restricted - - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates main restricted - - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal universe - - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates universe - - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal multiverse - - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates multiverse - - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse - - deb http://security.ubuntu.com/ubuntu focal-security main restricted - - deb http://security.ubuntu.com/ubuntu focal-security universe - - deb http://security.ubuntu.com/ubuntu focal-security multiverse - - ########## - # CHISEL # - ########## - -chisel_server: false -chisel_client_server_url: "{{ chisel_server_host }}:8080" -chisel_client_remotes: "R:{{ chisel_server_host }}:socks" -chisel_service_name: chisel-client -chisel_config_name: chisel-client - -chisel_conf: -# chisel enable auth and finder - - path: "/etc/chisel/{{ chisel_config_name }}.conf" - regexp: "^AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}" - state: present - line: "AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}" - - path: "/etc/chisel/{{ chisel_config_name }}.conf" - regexp: "^FINGERPRINT=--fingerprint {{ chisel_client_server_fingerprint }}" - state: present - line: "FINGERPRINT=--fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4]|default('') }}" diff --git a/host_vars/ovhmaster.yml b/host_vars/ovhmaster.yml new file mode 100644 index 0000000..ae86a6c --- /dev/null +++ b/host_vars/ovhmaster.yml 
@@ -0,0 +1,37 @@
+---
+pip_executable: pip
+pip_install_packages:
+ - kubernetes
+
+management_user_list:
+ - name: stephane
+ shell: '/bin/bash'
+ authorized_keys:
+ - key: "ssh-rsa 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 stephane"
+ exclusive: yes
+ sudo:
+ hosts: ALL
+ as: ALL
+ commands: ALL
+ nopasswd: ALL
+
+# ##########
+# # CHISEL #
+# ##########
+
+# chisel_server: false
+# chisel_client_server_url: "{{ chisel_server_host }}:8080"
+# chisel_client_remotes: "R:{{ chisel_server_host }}:socks"
+# chisel_service_name: chisel-client
+# chisel_config_name: chisel-client
+
+# chisel_conf:
+# # chisel enable auth and finder
+# - path: "/etc/chisel/{{ chisel_config_name }}.conf"
+# regexp: "^AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
+# state: present
+# line: "AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
+# - path: "/etc/chisel/{{ chisel_config_name }}.conf"
+# regexp: "^FINGERPRINT=--fingerprint {{ chisel_client_server_fingerprint }}"
+# state: present
+# line: "FINGERPRINT=--fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4]|default('') }}"
diff --git a/host_vars/ovhworker.yml b/host_vars/ovhworker.yml new file mode 100644
index 0000000..eef66a4
--- /dev/null
+++ b/host_vars/ovhworker.yml
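Review bot: The new file is `host_vars/ovhmaster.yml`, but the inventory in this same commit names the host `ovh-master` (and the worker `ovh-worker` against `host_vars/ovhworker.yml`), and Ansible matches host_vars files by inventory hostname, so unless something not visible here loads them explicitly, `pip_install_packages` and `management_user_list` will silently not apply; rename the files to `host_vars/ovh-master.yml` and `host_vars/ovh-worker.yml`, or rename the inventory entries. `pip_executable: pip` is also worth confirming: `kubernetes.core.k8s` (used in kubernetes.yml) needs the `kubernetes` package under the interpreter Ansible runs with on the master, which on an Ubuntu focal host is normally python3, so `pip3` is the likelier executable. The commented-out chisel lines duplicate the block this commit deletes from `host_vars/ovh_fr.yml`; git history keeps it, so dropping them here and in ovhworker.yml would leave only live configuration.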
@@ -0,0 +1,35 @@
+---
+
+
+management_user_list:
+ - name: ubuntu
+ shell: '/bin/bash'
+ authorized_keys:
+ - key: "ssh-rsa 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 stephane"
+ exclusive: yes
+ sudo:
+ hosts: ALL
+ as: ALL
+ commands: ALL
+ nopasswd: ALL
+
+# ##########
+# # CHISEL #
+# ##########
+
+# chisel_server: false
+# chisel_client_server_url: "{{ chisel_server_host }}:8080"
+# chisel_client_remotes: "R:{{ chisel_server_host }}:socks"
+# chisel_service_name: chisel-client
+# chisel_config_name: chisel-client
+
+# chisel_conf:
+# # chisel enable auth and finder
+# - path: "/etc/chisel/{{ chisel_config_name }}.conf"
+# regexp: "^AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
+# state: present
+# line: "AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
+# - path: "/etc/chisel/{{ chisel_config_name }}.conf"
+# regexp: "^FINGERPRINT=--fingerprint {{ chisel_client_server_fingerprint }}"
+# state: present
+# line: "FINGERPRINT=--fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4]|default('') }}"
diff --git a/host_vars/scaleway_fr.yml b/host_vars/scaleway_fr.yml
index bc13833..48f526e 100644
--- a/host_vars/scaleway_fr.yml
+++ b/host_vars/scaleway_fr.yml
@@ -3,10 +3,6 @@ # APT # ####### -apt_packages: - - name: openssh-server - - name: proxychains - apt_repositories_sources: - deb http://mirrors.online.net/ubuntu focal main restricted - deb http://mirrors.online.net/ubuntu focal-updates main restricted
@@ -19,6 +15,10 @@ apt_repositories_sources: - deb http://security.ubuntu.com/ubuntu focal-security universe - deb http://security.ubuntu.com/ubuntu focal-security multiverse +apt_packages: + - name: openssh-server + - name: proxychains + ############ # ALERTING # ############
diff --git a/hosts b/hosts
index b28ac89..786c94d 100644
--- a/hosts
+++ b/hosts
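Review bot: `exclusive: yes` on the `ubuntu` account's authorized_keys replaces that file with the single key listed, and `ubuntu` is exactly the account the new inventory line `ovh-worker ... ansible_user=ubuntu` logs in with, so if the listed key is not the one the controller connects with, the first run removes the cloud-init key and locks Ansible out of the worker; confirm the key matches before running, or leave `exclusive` off for the login account. `yes` here and in ovhmaster.yml is also a YAML 1.1 boolean that yamllint's truthy rule rejects; write `exclusive: true`. The account additionally gets `nopasswd: ALL` sudo, so that one key alone is root on the node; a one-line comment stating that this is intended would help the next reader.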
@@ -4,28 +4,20 @@ kubemaster kubeworker [kubemaster] -k8s-ubuntu-0 ansible_host=192.168.25.110 +ovh-master ansible_host=37.187.127.90 ansible_user=stephane [kubeworker] -k8s-ubuntu-1 ansible_host=192.168.25.111 +ovh-worker ansible_host=5.135.181.11 ansible_user=ubuntu +[controller] +scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane -; [perso] -; ovh_fr ansible_host=37.187.127.90 ansible_user=stephane -; scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane - ; # TO KNOW WHOIS CHISEL SERVER ; [server] ; scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane -; [ovh] -; ovh_fr ansible_host=37.187.127.90 ansible_user=stephane - -; [perso] -; scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane - ; [local] ; vagrant ansible_host=192.168.33.10 ansible_user=vagrant ansible_password=vagrant ; ubuntu-worker ansible_host=192.168.33.11 ansible_user=vagrant ansible_password=vagrant diff --git a/kubernetes.yml b/kubernetes.yml index 15efffc..d221fe3 100644 --- a/kubernetes.yml +++ b/kubernetes.yml 
@@ -2,10 +2,52 @@ - name: Main playbook for Kubernetes cluster hosts: kubernetes become: true - remote_user: vagrant roles: - - { role: ansible-role-linux-kubernetes } + - { role: ansible-role-linux-kubernetes, tags: [setup-cluster] } + tasks: + + - name: Add kubectl alias and completion only on master nodes + ansible.builtin.lineinfile: + path: "{{ item.path }}" + regexp: "{{ item.regexp }}" + state: "{{ item.state|default('present') }}" + line: "{{ item.line|default(omit) }}" + loop: "{{ kubernetes_alias_bashrc }}" + when: + - inventory_hostname in groups['kubemaster'] + tags: + - kubernetes + +# pip install kubernetes + - block: + - name: Download manifest on master + ansible.builtin.get_url: + url: "{{ item.url }}" + dest: "~/{{ item.url.split('/') | last }}" + mode: '0664' + run_once: true + loop: "{{ kubernetes_app }}" + + - name: Create namespace + kubernetes.core.k8s: + name: "{{ item.namespace }}" + api_version: v1 + kind: Namespace + state: present + loop: "{{ kubernetes_app }}" + + - name: Apply manifest + kubernetes.core.k8s: + namespace: "{{ item.namespace }}" + state: present + src: "~/{{ item.url.split('/') | last }}" + loop: "{{ kubernetes_app }}" + when: + - inventory_hostname in groups['kubemaster'] + - kubernetes_init_app + tags: + - kubernetes