diff --git a/group_vars/k8s-cluster/plain.yml b/group_vars/k8s-cluster/plain.yml
index 99009a6..95fc64c 100644
--- a/group_vars/k8s-cluster/plain.yml
+++ b/group_vars/k8s-cluster/plain.yml
@@ -4,3 +4,4 @@ cloud_provider: external
 kube_network_plugin: calico
 kubelet_preferred_address_types: InternalIP,ExternalIP,Hostname
 docker_log_opts: "--log-opt max-size=100m --log-opt max-file=5 --log-opt compress=true"
+helm_enabled: true
diff --git a/kubernetes.yml b/kubernetes.yml
index b9464eb..f2603ed 100644
--- a/kubernetes.yml
+++ b/kubernetes.yml
@@ -1,4 +1,7 @@
 ---
 - hosts: k8s-cluster
 roles:
- - kubernetes-ccm
+ - kubernetes-base
+# - kubernetes-ccm # DEV-243 is waiting for hetzner support << Ticket#2021110303010972 RE: Anderes Problem (Server: #15275628) >>
+ - kubernetes-certmanager
+ - kubernetes-ingress
diff --git a/roles/kubernetes-base/tasks/main.yml b/roles/kubernetes-base/tasks/main.yml
new file mode 100644
index 0000000..a13f9e4
--- /dev/null
+++ b/roles/kubernetes-base/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: k8s-base | install needed pip dependencies
+ ansible.builtin.package:
+ name: "{{ item }}"
+ state: latest
+ loop:
+ - python3-pip
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: k8s-base | install needed pip dependencies
+ pip:
+ name: "{{ item }}"
+ loop:
+ - kubernetes
+ when:
+ - inventory_hostname == groups['kube-master'][0]
diff --git a/roles/kubernetes-ccm/tasks/main.yml b/roles/kubernetes-ccm/tasks/main.yml
index 920eaa7..fa6ccc6 100644
--- a/roles/kubernetes-ccm/tasks/main.yml
+++ b/roles/kubernetes-ccm/tasks/main.yml
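Review bot: Commenting out kubernetes-ccm while `cloud_provider: external` stays set in the first hunk leaves nothing in the play that reconciles the `load-balancer.hetzner.cloud/*` annotations the new ingress defaults depend on, so the ingress LoadBalancer Service will presumably stay unprovisioned (and, as far as I know, externally-managed nodes stay tainted uninitialised) until the role is re-enabled; a comment next to the disabled role should say so, e.g. `# NOTE: with cloud_provider: external and no CCM, the ingress LoadBalancer cannot be provisioned`. The German ticket subject and internal ticket number belong in the commit message or tracker rather than a playbook that will outlive the ticket; `# - kubernetes-ccm  # disabled pending Hetzner support, see DEV-243` is enough here.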
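Review bot: The `pip: name: kubernetes` task in roles/kubernetes-base/tasks/main.yml installs whatever the newest PyPI release is at run time, as root on the first control-plane node, with no version pin or hash, and every later `community.kubernetes.*` task runs through that library; pin it with `version: "<tested release>"` under the pip task and change `state: latest` on python3-pip to `present` so reruns are reproducible and a broken or compromised upstream release is not pulled in silently. Both tasks carry the identical `name:` and the second uses the short `pip` module name next to `ansible.builtin.package`; use `ansible.builtin.pip` and distinct task names. The single-element `loop` over `name: "{{ item }}"` adds nothing — `name: python3-pip` and `name: kubernetes` read more directly.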
@@ -1,19 +1,5 @@
 ---
-- name: K8S-CCM | install needed pip dependencies
- ansible.builtin.package:
- name:
- - python3-pip
- state: latest
- when:
- - inventory_hostname == groups['kube-master'][0]
-
-- name: K8S-CCM | install needed pip dependencies
- pip:
- name: kubernetes
- when:
- - inventory_hostname == groups['kube-master'][0]
-
-- name: K8S-CCM | download Hetzner CCM
+- name: k8s-CCM | download Hetzner CCM
 ansible.builtin.get_url:
 url: https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/download/v1.12.0/ccm-networks.yaml
 dest: /tmp/ccm.yaml
@@ -21,7 +7,7 @@
 when:
 - inventory_hostname == groups['kube-master'][0]
 
-- name: K8S-CCM | create secret for Hetzner CCM
+- name: k8s-CCM | create secret for Hetzner CCM
 community.kubernetes.k8s:
 definition:
 api_version: v1
@@ -39,7 +25,7 @@
 when:
 - inventory_hostname == groups['kube-master'][0]
 
-- name: K8S-CCM | Apply Hetzner CCM manifest to the cluster.
+- name: k8s-CCM | Apply Hetzner CCM manifest to the cluster.
 community.kubernetes.k8s:
 state: present
 src: /tmp/ccm.yaml
diff --git a/roles/kubernetes-certmanager/defaults/main.yml b/roles/kubernetes-certmanager/defaults/main.yml
new file mode 100644
index 0000000..581ea3b
--- /dev/null
+++ b/roles/kubernetes-certmanager/defaults/main.yml
@@ -0,0 +1,12 @@
+---
+k8s_certmanager_helm__release_values:
+ installCRDs: true
+ webhook.timeoutSeconds: 4
+
+k8s_certmanager_helm__cluster_issuers:
+ prod:
+ email: friedrich.goerz@netgo.de
+ server: https://acme-v02.api.letsencrypt.org/directory
+ staging:
+ email: friedrich.goerz@netgo.de
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
diff --git a/roles/kubernetes-certmanager/tasks/main.yml b/roles/kubernetes-certmanager/tasks/main.yml
new file mode 100644
index 0000000..58c123b
--- /dev/null
+++ b/roles/kubernetes-certmanager/tasks/main.yml
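Review bot: `webhook.timeoutSeconds: 4` in `k8s_certmanager_helm__release_values` is a literal top-level key named "webhook.timeoutSeconds", not a nested path — the helm module hands release_values to Helm as a values file, where dotted keys are not expanded the way `--set` expands them, so as far as I can tell the chart silently ignores it; write it as `webhook:` with `  timeoutSeconds: 4` beneath. The ACME contact for both issuers is a named employee's address hard-coded in the role defaults; Let's Encrypt expiry and policy notices should reach a team mailbox supplied as a variable, e.g. `email: "{{ k8s_certmanager_acme_email }}"`, so a staff change does not silently lose certificate warnings.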
@@ -0,0 +1,51 @@
+---
+- name: k8s-certmanager | install cert-manager via helm
+ community.kubernetes.helm:
+ name: cert-manager
+ chart_ref: "{{ k8s_certmanager_helm__chart_ref | default('jetstack/cert-manager') }}"
+ chart_version: "{{ k8s_certmanager_helm__chart_version | default('v1.5.4') }}"
+ release_namespace: "{{ k8s_certmanager_helm__release_namespace | default('cert-manager') }}"
+ create_namespace: yes
+ release_values: "{{ k8s_certmanager_helm__release_values }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: k8s-certmanager | create secret for digitalocean-dns
+ community.kubernetes.k8s:
+ definition:
+ api_version: v1
+ kind: Secret
+ metadata:
+ namespace: "{{ k8s_certmanager_helm__release_namespace | default('cert-manager') }}"
+ name: digitalocean-dns
+ type: Opaque
+ data:
+ access-token: "{{ digitalocean_authentication_token | string | b64encode }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: k8s-certmanager | create ClusterIssuer_letsencrypt_prod
+ community.kubernetes.k8s:
+ definition:
+ api_version: cert-manager.io/v1
+ kind: ClusterIssuer
+ metadata:
+ name: "letsencrypt-{{ item.key }}"
+ spec:
+ acme:
+ email: "{{ item.value.email }}"
+ server: "{{ item.value.server }}"
+ privateKeySecretRef:
+ name: issuer-account-key
+ solvers:
+ - dns01:
+ digitalocean:
+ tokenSecretRef:
+ name: digitalocean-dns
+ key: access-token
+ selector:
+ dnsZones:
+ - 'smardigo.digital'
+ loop: "{{ k8s_certmanager_helm__cluster_issuers | dict2items }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
diff --git a/roles/kubernetes-ingress/defaults/main.yml b/roles/kubernetes-ingress/defaults/main.yml
new file mode 100644
index 0000000..2d482f5
--- /dev/null
+++ b/roles/kubernetes-ingress/defaults/main.yml
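Review bot: The `create secret for digitalocean-dns` task has no `no_log: true`, so the base64 form of `digitalocean_authentication_token` is printed in the task result on verbose or failing runs and lands in whatever collects Ansible output; add `no_log: true` to that task. A DigitalOcean token able to write DNS records is, as far as I know, a full-account API token, so the `digitalocean-dns` Secret deserves a comment flagging it as account-level credential material rather than a DNS-only key. Both ClusterIssuers point `privateKeySecretRef.name` at the same `issuer-account-key`, so the staging and production ACME accounts would share one private key; use `name: "issuer-account-key-{{ item.key }}"`. The task name `create ClusterIssuer_letsencrypt_prod` misdescribes a loop that also creates the staging issuer, `dnsZones` is the one value in the role not parameterised, and `create_namespace: yes` should be `true`.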
@@ -0,0 +1,31 @@
+---
+k8s_ingress_helm__release_values:
+ controller:
+ replicaCount: 2
+ config:
+ use-forwarded-headers: "true"
+ compute-full-forwarded-for: "true"
+ use-proxy-protocol: "true"
+ ssl-ciphers: "EECDH+AESGCM:EDH+AESGCM"
+ ssl-protocols: "TLSv1.3"
+ service:
+ externalTrafficPolicy: Local
+ healthCheckNodePort: &healthchecknodeport 31066
+ nodePorts:
+ http: &httpnodeport 30473
+ https: 30474
+ annotations:
+ load-balancer.hetzner.cloud/location: nbg1
+ load-balancer.hetzner.cloud/name: "{{ stage }}-ingress"
+ load-balancer.hetzner.cloud/type: "lb11"
+ load-balancer.hetzner.cloud/disable-public-network: "true"
+ load-balancer.hetzner.cloud/network-zone: "dev"
+ load-balancer.hetzner.cloud/use-private-ip: "true"
+ load-balancer.hetzner.cloud/uses-proxyprotocol: "true"
+ load-balancer.hetzner.cloud/health-check-interval: "3s"
+ load-balancer.hetzner.cloud/health-check-timeout: "1s"
+ load-balancer.hetzner.cloud/health-check-retries: 3
+ load-balancer.hetzner.cloud/health-check-protocol: "tcp"
+ load-balancer.hetzner.cloud/health-check-port: *httpnodeport
+ defaultBackend:
+ enabled: true
diff --git a/roles/kubernetes-ingress/files/hello-node__fullobjects.yaml b/roles/kubernetes-ingress/files/hello-node__fullobjects.yaml
new file mode 100644
index 0000000..f50153e
--- /dev/null
+++ b/roles/kubernetes-ingress/files/hello-node__fullobjects.yaml
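Review bot: `use-forwarded-headers: "true"` makes the controller trust X-Forwarded-For and X-Forwarded-Proto as sent by whoever connects, while the genuine client address already arrives through proxy protocol (`use-proxy-protocol` and `uses-proxyprotocol` are both on), so any peer that can reach the node ports directly on the private network can spoof its source IP and scheme toward backends and their access logs; drop `use-forwarded-headers` and `compute-full-forwarded-for`, or if a second proxy really sits in front, restrict trust with `proxy-real-ip-cidr` set to the load balancer's private range. Two annotation values are not strings — `health-check-retries: 3` and `health-check-port: *httpnodeport`, an alias resolving to the integer 30473 — and the API server rejects non-string annotation values, so as far as I can tell the rendered Service will fail validation; write `"3"` and the quoted literal `"30473"` (an alias cannot change the scalar's type, so the anchor does not help here). `ssl-ciphers` only selects TLS 1.2 suites and `ssl-protocols` allows TLS 1.3 alone, so the cipher line is inert; either note that in a comment or allow `TLSv1.2 TLSv1.3` deliberately.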
@@ -0,0 +1,65 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: hello-node
+ name: hello-node
+ namespace: default
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: hello-node
+ template:
+ metadata:
+ labels:
+ app: hello-node
+ spec:
+ containers:
+ - image: k8s.gcr.io/echoserver:1.4
+ name: echoserver
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: hello-node
+ name: hello-node
+ namespace: default
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: hello-node
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ cert-manager.io/issue-temporary-certificate: "true"
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/preserve-trailing-slash: "true"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ nginx.ingress.kubernetes.io/ssl-redirect: "false"
+ name: ingress-nginx-helloworld
+ namespace: default
+spec:
+ rules:
+ - host: microservice.smardigo.digital
+ http:
+ paths:
+ - backend:
+ service:
+ name: hello-node
+ port:
+ number: 8080
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - microservice.smardigo.digital
+ secretName: myingress-cert
diff --git a/roles/kubernetes-ingress/tasks/main.yml b/roles/kubernetes-ingress/tasks/main.yml
new file mode 100644
index 0000000..616582c
--- /dev/null
+++ b/roles/kubernetes-ingress/tasks/main.yml
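Review bot: The demo Ingress requests its certificate from `letsencrypt-prod` and sets `ssl-redirect: "false"`, so a throwaway smoke-test object both spends production Let's Encrypt issuance quota for the zone and keeps serving plain HTTP beside the TLS listener; point it at `letsencrypt-staging` and remove the `ssl-redirect` annotation. The echoserver Deployment has no `resources`, no `securityContext` and pulls a mutable tag from `k8s.gcr.io`, which as far as I know now redirects to registry.k8s.io — acceptable for a smoke test only if that is stated, so add `# smoke-test objects only: not hardened, intended for dev stages` at the top of the file. `kubernetes.io/ingress.class` is the legacy annotation; with `networking.k8s.io/v1` already in use, `spec.ingressClassName: nginx` is the supported form.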
@@ -0,0 +1,24 @@
+---
+- name: k8s-ingress | install ingress via helm
+ community.kubernetes.helm:
+ name: ingress
+ chart_repo_url: "{{ k8s_ingress_helm__chart_repo_url | default('https://kubernetes.github.io/ingress-nginx') }}"
+ chart_ref: "{{ k8s_ingress_helm__chart_ref | default('ingress-nginx') }}"
+ chart_version: "{{ k8s_ingress_helm__chart_version | default('4.0.6') }}"
+ release_namespace: "{{ k8s_ingress_helm__release_namespace | default('ingress') }}"
+ create_namespace: yes
+ release_values: "{{ k8s_ingress_helm__release_values }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- set_fact:
+ ingress_demo_app: "{{ lookup('file','hello-node__fullobjects.yaml') }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: k8s-ingress | adding hello-node test app
+ community.kubernetes.k8s:
+ state: "{{ k8s_ingress_helm__enable_demoapp | default('absent') }}"
+ definition: "{{ ingress_demo_app }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
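Review bot: `state: "{{ k8s_ingress_helm__enable_demoapp | default('absent') }}"` feeds a variable named like a boolean straight into the k8s module's `state`, so the natural `k8s_ingress_helm__enable_demoapp: true` renders `state: "True"`, which is not one of the module's accepted states and fails the task instead of deploying; map it explicitly with `state: "{{ 'present' if (k8s_ingress_helm__enable_demoapp | default(false) | bool) else 'absent' }}"`. The unnamed `set_fact` can be folded into the k8s task as `definition: "{{ lookup('file', 'hello-node__fullobjects.yaml') }}"`, which also removes a cluster-wide fact that only one task reads. `create_namespace: yes` should be `true`, matching yamllint's truthy rule and the rest of the repo's booleans.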