Feature/dev 243

master
Görz, Friedrich 4 years ago committed by Ketelsen, Sven
parent 83c0473afe
commit aecd51a58b

@ -4,3 +4,4 @@ cloud_provider: external
kube_network_plugin: calico kube_network_plugin: calico
kubelet_preferred_address_types: InternalIP,ExternalIP,Hostname kubelet_preferred_address_types: InternalIP,ExternalIP,Hostname
docker_log_opts: "--log-opt max-size=100m --log-opt max-file=5 --log-opt compress=true" docker_log_opts: "--log-opt max-size=100m --log-opt max-file=5 --log-opt compress=true"
helm_enabled: true

@ -1,4 +1,7 @@
--- ---
- hosts: k8s-cluster - hosts: k8s-cluster
roles: roles:
- kubernetes-ccm - kubernetes-base
# - kubernetes-ccm # DEV-243 is waiting for hetzner support << Ticket#2021110303010972 RE: Anderes Problem (Server: #15275628) >>
- kubernetes-certmanager
- kubernetes-ingress
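Review bot: Commenting out `kubernetes-ccm` leaves nothing in the cluster to act on the `load-balancer.hetzner.cloud/*` annotations that the newly added `kubernetes-ingress` role's Service depends on, so the ingress LoadBalancer will stay unprovisioned while the play still reports success. With `cloud_provider: external` in the group vars the Hetzner CCM is presumably also what initialises the nodes, so the disabled role deserves a comment that states the consequence rather than only a ticket reference, e.g. `# DEV-243: CCM disabled - the hetzner-annotated ingress LoadBalancer will not be provisioned until this is re-enabled`. Consider gating `kubernetes-ingress` on the same condition until the ticket is resolved.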

@ -0,0 +1,17 @@
---
- name: k8s-base | install needed pip dependencies
ansible.builtin.package:
name: "{{ item }}"
state: latest
loop:
- python3-pip
when:
- inventory_hostname == groups['kube-master'][0]
- name: k8s-base | install needed pip dependencies
pip:
name: "{{ item }}"
loop:
- kubernetes
when:
- inventory_hostname == groups['kube-master'][0]
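Review bot: Both tasks carry the same name `k8s-base | install needed pip dependencies`, so play output cannot distinguish the OS package step from the pip step; the first should read `k8s-base | install python3-pip`. `state: latest` on the package and an unpinned `kubernetes` pip install make the run non-repeatable and pull whatever is newest at run time; use `state: present` and pin the pip package to a version defined in the role defaults (`name: "kubernetes==<pinned version>"`, placeholder). For consistency with `ansible.builtin.package`, the bare `pip:` module should be written `ansible.builtin.pip:`, and the single-item loops can be replaced by a plain `name:` value.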

@ -1,19 +1,5 @@
--- ---
- name: K8S-CCM | install needed pip dependencies - name: k8s-CCM | download Hetzner CCM
ansible.builtin.package:
name:
- python3-pip
state: latest
when:
- inventory_hostname == groups['kube-master'][0]
- name: K8S-CCM | install needed pip dependencies
pip:
name: kubernetes
when:
- inventory_hostname == groups['kube-master'][0]
- name: K8S-CCM | download Hetzner CCM
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/download/v1.12.0/ccm-networks.yaml url: https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/download/v1.12.0/ccm-networks.yaml
dest: /tmp/ccm.yaml dest: /tmp/ccm.yaml
@ -21,7 +7,7 @@
when: when:
- inventory_hostname == groups['kube-master'][0] - inventory_hostname == groups['kube-master'][0]
- name: K8S-CCM | create secret for Hetzner CCM - name: k8s-CCM | create secret for Hetzner CCM
community.kubernetes.k8s: community.kubernetes.k8s:
definition: definition:
api_version: v1 api_version: v1
@ -39,7 +25,7 @@
when: when:
- inventory_hostname == groups['kube-master'][0] - inventory_hostname == groups['kube-master'][0]
- name: K8S-CCM | Apply Hetzner CCM manifest to the cluster. - name: k8s-CCM | Apply Hetzner CCM manifest to the cluster.
community.kubernetes.k8s: community.kubernetes.k8s:
state: present state: present
src: /tmp/ccm.yaml src: /tmp/ccm.yaml
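Review bot: The renamed download task at the top of the section fetches the CCM manifest with `ansible.builtin.get_url` and the last hunk applies it cluster-wide, but no `checksum:` is set, so a replaced release asset would be applied without notice; add `checksum: "sha256:<expected digest>"` (placeholder, take the digest from the pinned v1.12.0 release asset). The manifest also lands at the predictable, world-writable `/tmp/ccm.yaml` before `community.kubernetes.k8s` reads it; writing it into a directory created by the play with `mode: "0700"` closes the window in which another local user could swap the file. The new task prefix `k8s-CCM` also differs in case from the `k8s-base`, `k8s-certmanager` and `k8s-ingress` prefixes used by the sibling roles; `k8s-ccm` would keep them consistent.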

@ -0,0 +1,12 @@
---
k8s_certmanager_helm__release_values:
installCRDs: true
webhook.timeoutSeconds: 4
k8s_certmanager_helm__cluster_issuers:
prod:
email: friedrich.goerz@netgo.de
server: https://acme-v02.api.letsencrypt.org/directory
staging:
email: friedrich.goerz@netgo.de
server: https://acme-staging-v02.api.letsencrypt.org/directory
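Review bot: `webhook.timeoutSeconds: 4` is a single literal key named `webhook.timeoutSeconds`, not a nested path; `community.kubernetes.helm` hands `release_values` to Helm as a values file, where dotted keys are not expanded the way `--set` does, so this value most likely never reaches the chart. Write it nested: `webhook:` followed by `  timeoutSeconds: 4`. The two hard-coded personal `email:` values should also come from a variable (one address referenced by both issuers) rather than an individual's address baked into role defaults.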

@ -0,0 +1,51 @@
---
- name: k8s-certmanager | install cert-manager via helm
community.kubernetes.helm:
name: cert-manager
chart_ref: "{{ k8s_certmanager_helm__chart_ref | default('jetstack/cert-manager') }}"
chart_version: "{{ k8s_certmanager_helm__chart_version | default('v1.5.4') }}"
release_namespace: "{{ k8s_certmanager_helm__release_namespace | default('cert-manager') }}"
create_namespace: yes
release_values: "{{ k8s_certmanager_helm__release_values }}"
when:
- inventory_hostname == groups['kube-master'][0]
- name: k8s-certmanager | create secret for digitalocean-dns
community.kubernetes.k8s:
definition:
api_version: v1
kind: Secret
metadata:
namespace: "{{ k8s_certmanager_helm__release_namespace | default('cert-manager') }}"
name: digitalocean-dns
type: Opaque
data:
access-token: "{{ digitalocean_authentication_token | string | b64encode }}"
when:
- inventory_hostname == groups['kube-master'][0]
- name: k8s-certmanager | create ClusterIssuer_letsencrypt_prod
community.kubernetes.k8s:
definition:
api_version: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: "letsencrypt-{{ item.key }}"
spec:
acme:
email: "{{ item.value.email }}"
server: "{{ item.value.server }}"
privateKeySecretRef:
name: issuer-account-key
solvers:
- dns01:
digitalocean:
tokenSecretRef:
name: digitalocean-dns
key: access-token
selector:
dnsZones:
- 'smardigo.digital'
loop: "{{ k8s_certmanager_helm__cluster_issuers | dict2items }}"
when:
- inventory_hostname == groups['kube-master'][0]
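Review bot: The `create secret for digitalocean-dns` task renders `digitalocean_authentication_token` into `definition.data`, and without `no_log: true` the base64-encoded token is printed in `-v`/`--diff` output and ends up in any log collector; add `no_log: true` to that task. Both ClusterIssuers share `privateKeySecretRef.name: issuer-account-key` although they register against different ACME servers, which can make the two issuers compete for one account key; a per-issuer name such as `name: "letsencrypt-{{ item.key }}-account-key"` avoids that. The loop task is named `create ClusterIssuer_letsencrypt_prod` but creates one issuer per entry (prod and staging), so `create ClusterIssuer letsencrypt-{{ item.key }}` would be accurate, and the `dnsZones` entry `'smardigo.digital'` is a deployment-specific value that belongs in the role defaults, not in the task. `create_namespace: yes` should be `true`.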

@ -0,0 +1,31 @@
---
k8s_ingress_helm__release_values:
controller:
replicaCount: 2
config:
use-forwarded-headers: "true"
compute-full-forwarded-for: "true"
use-proxy-protocol: "true"
ssl-ciphers: "EECDH+AESGCM:EDH+AESGCM"
ssl-protocols: "TLSv1.3"
service:
externalTrafficPolicy: Local
healthCheckNodePort: &healthchecknodeport 31066
nodePorts:
http: &httpnodeport 30473
https: 30474
annotations:
load-balancer.hetzner.cloud/location: nbg1
load-balancer.hetzner.cloud/name: "{{ stage }}-ingress"
load-balancer.hetzner.cloud/type: "lb11"
load-balancer.hetzner.cloud/disable-public-network: "true"
load-balancer.hetzner.cloud/network-zone: "dev"
load-balancer.hetzner.cloud/use-private-ip: "true"
load-balancer.hetzner.cloud/uses-proxyprotocol: "true"
load-balancer.hetzner.cloud/health-check-interval: "3s"
load-balancer.hetzner.cloud/health-check-timeout: "1s"
load-balancer.hetzner.cloud/health-check-retries: 3
load-balancer.hetzner.cloud/health-check-protocol: "tcp"
load-balancer.hetzner.cloud/health-check-port: *httpnodeport
defaultBackend:
enabled: true
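Review bot: `load-balancer.hetzner.cloud/health-check-retries: 3` is an unquoted integer while every other annotation is a string; Kubernetes annotations are a string map, so the rendered Service is likely rejected by the API server — quote it as `"3"`. The `&healthchecknodeport` anchor on `healthCheckNodePort: 31066` is never referenced, and `health-check-port` instead aliases `*httpnodeport` (30473); with `externalTrafficPolicy: Local` the health-check endpoint is served on `healthCheckNodePort`, so the 31066 port is presumably what was intended — confirm against the Hetzner LB behaviour. Since `nodePorts.http` must stay an integer, an alias cannot double as an annotation string anyway; write the annotation as a quoted literal (`health-check-port: "31066"`) and drop both anchors.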

@ -0,0 +1,65 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: hello-node
name: hello-node
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: hello-node
template:
metadata:
labels:
app: hello-node
spec:
containers:
- image: k8s.gcr.io/echoserver:1.4
name: echoserver
---
apiVersion: v1
kind: Service
metadata:
labels:
app: hello-node
name: hello-node
namespace: default
spec:
ports:
- port: 8080
protocol: TCP
targetPort: 8080
selector:
app: hello-node
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
cert-manager.io/issue-temporary-certificate: "true"
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/preserve-trailing-slash: "true"
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-redirect: "false"
name: ingress-nginx-helloworld
namespace: default
spec:
rules:
- host: microservice.smardigo.digital
http:
paths:
- backend:
service:
name: hello-node
port:
number: 8080
path: /
pathType: Prefix
tls:
- hosts:
- microservice.smardigo.digital
secretName: myingress-cert
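Review bot: The `hello-node` Deployment runs `k8s.gcr.io/echoserver:1.4` with no `resources` and no `securityContext`, so even as a demo it is unconstrained on the cluster; add at least `resources.limits` and a `securityContext` with `allowPrivilegeEscalation: false`. The Ingress uses the deprecated `kubernetes.io/ingress.class` annotation although it is already `networking.k8s.io/v1`; `spec.ingressClassName: nginx` is the supported form. `nginx.ingress.kubernetes.io/ssl-redirect: "false"` serves `microservice.smardigo.digital` over plain HTTP despite the `tls:` block, which is acceptable for a demo but deserves a comment such as `# demo only: HTTP is deliberately left reachable` so it is not copied into a real service.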

@ -0,0 +1,24 @@
---
- name: k8s-ingress | install ingress via helm
community.kubernetes.helm:
name: ingress
chart_repo_url: "{{ k8s_ingress_helm__chart_repo_url | default('https://kubernetes.github.io/ingress-nginx') }}"
chart_ref: "{{ k8s_ingress_helm__chart_ref | default('ingress-nginx') }}"
chart_version: "{{ k8s_ingress_helm__chart_version | default('4.0.6') }}"
release_namespace: "{{ k8s_ingress_helm__release_namespace | default('ingress') }}"
create_namespace: yes
release_values: "{{ k8s_ingress_helm__release_values }}"
when:
- inventory_hostname == groups['kube-master'][0]
- set_fact:
ingress_demo_app: "{{ lookup('file','hello-node__fullobjects.yaml') }}"
when:
- inventory_hostname == groups['kube-master'][0]
- name: k8s-ingress | adding hello-node test app
community.kubernetes.k8s:
state: "{{ k8s_ingress_helm__enable_demoapp | default('absent') }}"
definition: "{{ ingress_demo_app }}"
when:
- inventory_hostname == groups['kube-master'][0]
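Review bot: `k8s_ingress_helm__enable_demoapp` is used directly as the `state:` of `community.kubernetes.k8s`, so the boolean its name suggests (`true`) would be passed as the string `True` and rejected by the module; map it explicitly: `state: "{{ 'present' if (k8s_ingress_helm__enable_demoapp | default(false) | bool) else 'absent' }}"`. The `set_fact` task has no `name:`, unlike every other task in the role; `- name: k8s-ingress | load hello-node demo manifests` keeps the output readable. `create_namespace: yes` should be `true` (yamllint `truthy`), matching the `true`/`false` style used in the group vars.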