diff --git a/defaults/main.yml b/defaults/main.yml index 9ce1bb2..4b0c03d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,24 +1,32 @@ my_context: minikube -storage_manual: true +storage_manual: + enabled: true -storage_localpath: true -storage_localpath_version: "v0.0.21" -storage_localpath_default_path: "/mnt/local" -storage_localpath_namespace: "local-path-storage" +storage_localpath: + enabled: true + version: "v0.0.21" + default_path: "/mnt/local" + namespace: "local-path-storage" -storage_longhorn: false -storage_longhorn_version: "v1.2.3" -storage_longhorn_namespace: "longhorn-system" +storage_longhorn: + enabled: false + version: "v1.2.3" + namespace: "longhorn-system" -storage_nfs: false -storage_nfs_namespace: "nfs-client-provisioner" +storage_nfs: + enabled: false + namespace: "nfs-client-provisioner" -storage_secrets_store: false -storage_secrets_store_version: "v1.1.0" +storage_secrets_store: + enabled: false + version: "v1.1.0" + +storage_secrets_store_azure: + version: "v1.1.0" storage_linode: false storage_digitalocean: false # local-path, longhorn, linode-block-storage, linode-block-storage-retain, do-block-storage -storage_default_storageclass: local-path +#storage_default_storageclass: local-path diff --git a/files/local-path/ClusterRole.yml b/files/local-path/ClusterRole.yml deleted file mode 100644 index c57e674..0000000 --- a/files/local-path/ClusterRole.yml +++ /dev/null 
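Review bot: The `storage.default_storageclass` mapping that tasks/main.yml now reads (hunks @@ -52 and @@ -72 of this commit) is not declared here; the old `storage_default_storageclass` key is only commented out. With `storage` undefined, `storage.default_storageclass is defined` is expected to evaluate to false on current Ansible (older releases may instead raise an undefined-variable error), so the default-StorageClass annotation task will silently never run. Declare the mapping in the same shape as the other new keys, e.g. `storage:` / `  default_storageclass: local-path`, or keep it commented out under that structure so the intended wiring is visible. Note also that `storage_linode` and `storage_digitalocean` remain flat booleans while every other toggle became an `enabled:` mapping, so the role now carries two conventions for the same kind of switch.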
@@ -1,49 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: local-path-provisioner - app.kubernetes.io/name: local-path-provisioner - name: local-path-provisioner -rules: -- apiGroups: - - policy - resourceNames: - - local-path-policy - resources: - - podsecuritypolicies - verbs: - - use -- apiGroups: - - "" - resources: - - nodes - - persistentvolumeclaims - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - endpoints - - persistentvolumes - - pods - verbs: - - '*' -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch diff --git a/files/local-path/ClusterRoleBinding.yml b/files/local-path/ClusterRoleBinding.yml deleted file mode 100644 index 580fc80..0000000 --- a/files/local-path/ClusterRoleBinding.yml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: local-path-provisioner - app.kubernetes.io/name: local-path-provisioner - name: local-path-provisioner -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: local-path-provisioner -subjects: -- kind: ServiceAccount - name: local-path-provisioner - namespace: local-path-storage diff --git a/files/local-path/PodSecurityPolicy.yml b/files/local-path/PodSecurityPolicy.yml deleted file mode 100644 index 4e4c0ca..0000000 --- a/files/local-path/PodSecurityPolicy.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: local-path-policy -spec: - privileged: true - fsGroup: - rule: RunAsAny - allowedCapabilities: - - DAC_READ_SEARCH - - SYS_RESOURCE - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - configMap - - downwardAPI - - emptyDir - - persistentVolumeClaim - - secret - - hostPath diff --git a/files/local-path/ServiceAccount.yml b/files/local-path/ServiceAccount.yml deleted file mode 100644 index 3a44d92..0000000 --- a/files/local-path/ServiceAccount.yml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/instance: local-path-provisioner - app.kubernetes.io/name: local-path-provisioner - name: local-path-provisioner diff --git a/tasks/local-path.yml b/tasks/local-path.yml index e4b1c03..57bf76e 100644 --- a/tasks/local-path.yml +++ b/tasks/local-path.yml 
@@ -1,72 +1,51 @@ --- - name: Local-path block: - - name: Include file list - include_vars: "local-path.yaml" - - - name: Defined local-path-storage state to present - set_fact: - storage_localpath_state: present - when: - - storage_localpath|bool - - - name: find state of local-path-storage - set_fact: - storage_localpath_state: absent - when: - - not storage_localpath|bool - -# - name: namespace -# kubernetes.core.k8s: -# state: present -# context: "{{ my_context }}" -# merge_type: merge -# definition: -# api_version: v1 -# kind: Namespace -# metadata: -# name: "{{ storage_localpath_namespace }}" -# labels: -# namespace: '{{ storage_localpath_namespace }}' -# when: -# - storage_localpath|bool -# -# - name: local-path-storage need to be {{ storage_localpath_state }} -# kubernetes.core.k8s: -# state: "{{ storage_localpath_state }}" -# context: "{{ my_context }}" -# namespace: "{{ storage_localpath_namespace }}" -# apply: true -# resource_definition: "{{ lookup('file', 'local-path/' + item) | from_yaml }}" -# with_items: -# - "{{ storage_localpath_files_list }}" - # https://github.com/rancher/local-path-provisioner/tree/master/deploy/chart - - name: Downloal Local-path repository + - name: Install Local-path block: - name: Git clone stable repo on HEAD ansible.builtin.git: repo: "https://github.com/rancher/local-path-provisioner.git" dest: tmp/local-path-provisioner - version: "{{ storage_localpath_version }}" + version: "{{ storage_localpath.version }}" - name: Deploy local-path chart from local path kubernetes.core.helm: - state: "{{ storage_localpath_state }}" + state: "present" name: local-path-provisioner context: "{{ my_context }}" chart_ref: tmp/local-path-provisioner/deploy/chart - release_namespace: "{{ storage_localpath_namespace }}" + release_namespace: "{{ storage_localpath.namespace }}" create_namespace: true values: -# rbac: -# create: false -# serviceAccount: -# create: false -# name: local-path-provisioner nodePathMap: - node: 
DEFAULT_PATH_FOR_NON_LISTED_NODES - paths: ["{{ storage_localpath_default_path }}"] + paths: ["{{ storage_localpath.default_path }}"] + + when: + - storage_localpath.enabled + + - name: Uninstall Local-path + block: + - name: Uninstall local-path + kubernetes.core.helm: + context: "{{ my_context }}" + name: local-path-provisioner + release_state: absent + release_namespace: "{{ storage_localpath.namespace }}" + - name: namespace + kubernetes.core.k8s: + state: absent + context: "{{ my_context }}" + namespace: "{{ storage_localpath.namespace }}" + resource_definition: "{{ lookup('template', 'local-path/' + item) | from_yaml }}" + with_items: + - "local-path-namespace.yml.j2" + + when: + - not storage_localpath.enabled + tags: - storage - local-path diff --git a/tasks/longhorn.yml b/tasks/longhorn.yml index bc70bf6..26a119a 100644 --- a/tasks/longhorn.yml +++ b/tasks/longhorn.yml @@ -10,9 +10,9 @@ context: "{{ my_context }}" name: longhorn chart_ref: longhorn/longhorn - chart_version: "{{ storage_longhorn_version }}" + chart_version: "{{ storage_longhorn.version }}" create_namespace: yes - release_namespace: "{{ storage_longhorn_namespace }}" + release_namespace: "{{ storage_longhorn.namespace }}" values: # persistence: # defaultClass: true @@ -62,19 +62,19 @@ # traefik.ingress.kubernetes.io/router.middlewares: {{ traefik_namespace }}-traefik-dashboard-basicauth@kubernetescrd # traefik.ingress.kubernetes.io/router.middlewares: basic-auth@file #{% endif %} - enablePSP: true +# enablePSP: true - name: Install longhorn UI Ingress - k8s: + kubernetes.core.k8s: state: present context: "{{ my_context }}" apply: true - namespace: "{{ storage_longhorn_namespace }}" + namespace: "{{ storage_longhorn.namespace }}" resource_definition: "{{ lookup('template', 'longhorn/' + item) | from_yaml }}" with_items: - "longhorn_ingressroute.yaml.j2" when: - - storage_longhorn|bool + - storage_longhorn.enabled tags: - longhorn - storage 
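Review bot: The conditionals `storage_localpath.enabled` and `not storage_localpath.enabled` drop the `|bool` coercion the old `storage_localpath|bool` checks had, so a value that arrives as a string (for example `enabled: "false"` from an inventory or extra-vars) is truthy and would run the install block; the same applies to the longhorn, main, nfs and secrets-store hunks of this commit. Keep the filter: `- storage_localpath.enabled | bool` and `- not (storage_localpath.enabled | bool)`. Separately, the chart source is cloned with `ansible.builtin.git` at `version: "{{ storage_localpath.version }}"`, which per defaults is the tag `v0.0.21`; a tag is a movable ref, so pinning to the full commit SHA (or enabling the module's `verify_commit` against a trusted key) makes what gets deployed to the cluster reproducible and verifiable.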
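Review bot: `enablePSP: true` is commented out rather than set to `false`, so the value falls back to whatever the pinned chart (`storage_longhorn.version`, `v1.2.3` in defaults) ships as its default; if that default is still `true`, the release keeps trying to create a PodSecurityPolicy and fails on clusters where the `policy/v1beta1` API no longer exists. Setting it explicitly, `enablePSP: false`, makes the intent unambiguous regardless of the chart default. The enclosing task's `values:` mapping starts before this hunk.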
@@ -85,23 +85,20 @@ kubernetes.core.helm: context: "{{ my_context }}" name: longhorn - chart_ref: longhorn/longhorn -# chart_version: 1.2.0 - release_state: absent - release_namespace: "{{ storage_longhorn_namespace }}" - create_namespace: true + state: absent + release_namespace: "{{ storage_longhorn.namespace }}" - name: Remove Ingress for longhorn UI - k8s: + kubernetes.core.k8s: state: absent context: "{{ my_context }}" - namespace: "{{ storage_longhorn_namespace }}" + namespace: "{{ storage_longhorn.namespace }}" resource_definition: "{{ lookup('template', 'longhorn/' + item) | from_yaml }}" with_items: - - "longhorn_ingressroute.yaml.j2" +# - "longhorn_ingressroute.yaml.j2" - "longhorn-namespace.yml.j2" when: - - not storage_longhorn|bool + - not storage_longhorn.enabled tags: - longhorn - storage diff --git a/tasks/main.yml b/tasks/main.yml index bfe14a2..32d240c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -13,7 +13,7 @@ volumeBindingMode: WaitForFirstConsumer allowVolumeExpansion: true when: - - storage_manual|bool + - storage_manual.enabled tags: - manual - storage @@ -52,11 +52,11 @@ apiVersion: v1 kind: StorageClass metadata: - name: "{{ storage_default_storageclass }}" + name: "{{ storage.default_storageclass }}" annotations: storageclass.kubernetes.io/is-default-class: "true" when: - - storage_default_storageclass is defined + - storage.default_storageclass is defined tags: - manual - local-path @@ -72,9 +72,9 @@ apiVersion: v1 kind: VolumeSnapshotClass metadata: - name: "{{ storage_default_storageclass }}" + name: "{{ storage.default_storageclass }}" annotations: snapshot.storage.kubernetes.io/is-default-class: "true" when: - - storage_default_storageclass is defined - - storage_default_storageclass == "do-block-storage" + - storage.default_storageclass is defined + - storage.default_storageclass == "do-block-storage" diff --git a/tasks/nfs.yml b/tasks/nfs.yml index 7620809..c288efc 100644 --- a/tasks/nfs.yml +++ b/tasks/nfs.yml 
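Review bot: The uninstall task here uses `state: absent` while the local-path and nfs uninstall blocks added in the same commit use `release_state: absent`; both spellings are accepted by `kubernetes.core.helm` (one is an alias of the other), but mixing them in one role makes the intent harder to grep, so pick one. The `# - "longhorn_ingressroute.yaml.j2"` line under `with_items` is dead text, and deleting the namespace via the remaining item removes the IngressRoute with it, so the commented line can simply be dropped. The enclosing task begins before this hunk.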
@@ -1,43 +1,51 @@ --- + - name: NFS client setup + block: # https://github.com/kubernetes-incubator/external-storage/blob/master/nfs/docs/deployment.md # Ne pas oublier de "sudo chcon -Rt svirt_sandbox_file_t /srv" pour le stockage # ou alors tourner le container en privileged - - name: Defined nfs-provisioner state to present - check_mode: false - set_fact: - storage_nfs_state: present - when: - - storage_nfs|bool - - - name: find state of nfs-provisioner - check_mode: false - set_fact: - storage_nfs_state: absent - when: - - not storage_nfs|bool # https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner/blob/master/charts/nfs-subdir-external-provisioner/README.md - - name: Defined NFS Provisioner repository - kubernetes.core.helm_repository: - name: nfs-subdir-external-provisioner - repo_url: "https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner" + - name: Defined NFS Provisioner repository + kubernetes.core.helm_repository: + name: nfs-subdir-external-provisioner + repo_url: "https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner" - - name: Deploy latest version of NFS Provisioner - kubernetes.core.helm: - context: "{{ my_context }}" - state: "{{ storage_nfs_state }}" - name: nfs-subdir-external-provisioner - chart_ref: nfs-subdir-external-provisioner/nfs-subdir-external-provisioner - create_namespace: yes - release_namespace: "{{ storage_nfs_namespace }}" - values: - nfs: - server: x.x.x.x - path: /exported/path - podSecurityPolicy: - enabled: true -# storageClass: -# name: nfs-client -# defaultClass: false -# provisionerName: "" -# accessModes: ReadWriteOnce + - name: Deploy latest version of NFS Provisioner + kubernetes.core.helm: + context: "{{ my_context }}" + state: "present" + name: nfs-subdir-external-provisioner + chart_ref: nfs-subdir-external-provisioner/nfs-subdir-external-provisioner + create_namespace: yes + release_namespace: "{{ storage_nfs.namespace }}" + values: + nfs: + server: x.x.x.x + path: /exported/path 
+# podSecurityPolicy: +# enabled: true +# storageClass: +# name: nfs-client +# defaultClass: false +# provisionerName: "" +# accessModes: ReadWriteOnce + when: + - storage_nfs.enabled + tags: + - nfs + - storage + + - name: NFS client need to be absent + block: + - name: Uninstall nfs-subdir-external-provisioner + kubernetes.core.helm: + context: "{{ my_context }}" + name: nfs-subdir-external-provisioner + release_state: absent + release_namespace: "{{ storage_nfs.namespace }}" + when: + - not storage_nfs.enabled + tags: + - nfs + - storage diff --git a/tasks/secrets-store.yml b/tasks/secrets-store.yml index 459fdd5..4690aa8 100644 --- a/tasks/secrets-store.yml +++ b/tasks/secrets-store.yml @@ -1,18 +1,6 @@ --- -- name: Secrets Store +- name: Install Secrets Store block: - - name: Defined secrets-storage state to present - set_fact: - storage_secrets_store_state: present - when: - - storage_secrets_store|bool - - - name: find state of secrets-storage - set_fact: - storage_secrets_store_state: absent - when: - - not storage_secrets_store|bool - # https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/master/charts/secrets-store-csi-driver - name: Defined Secrets Store repository kubernetes.core.helm_repository: @@ -22,16 +10,15 @@ - name: Deploy Secrets Store chart kubernetes.core.helm: context: "{{ my_context }}" - state: "{{ storage_secrets_store_state }}" name: csi-secrets-store - namespace: "kube-system" - chart_version: "{{ storage_secrets_store_version }}" + release_namespace: "kube-system" + chart_version: "{{ storage_secrets_store.version }}" chart_ref: secrets-store-csi-driver/secrets-store-csi-driver # https://github.com/camptocamp/secrets-store-csi-driver-provider-gopass - name: Deploy Secrets Store CSI driver provider gopass kubernetes.core.k8s: - state: "{{ storage_secrets_store_state }}" + state: "present" context: "{{ my_context }}" namespace: "kube-system" apply: true 
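Review bot: The re-indented helm values still carry the placeholders `server: x.x.x.x` and `path: /exported/path`, so with `storage_nfs.enabled: true` the provisioner is deployed pointing at a non-existent export; now that the NFS settings live under the `storage_nfs` mapping these belong there too, e.g. `server: "{{ storage_nfs.server }}"` and `path: "{{ storage_nfs.path }}"`, with both keys added to defaults/main.yml. `create_namespace: yes` is a YAML 1.1 truthy spelling that yamllint flags; `create_namespace: true` is the canonical form. The uninstall block removes only the helm release and, unlike the local-path and longhorn counterparts in this commit, leaves the `storage_nfs.namespace` namespace behind, which may be intentional but deserves a comment saying so.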
@@ -45,16 +32,43 @@ - name: Deploy Secrets Store chart kubernetes.core.helm: context: "{{ my_context }}" - state: "{{ storage_secrets_store_state }}" name: csi-secrets-store-provider-azure - namespace: "kube-system" + release_namespace: "kube-system" + chart_version: "{{ storage_secrets_store_azure.version }}" chart_ref: csi-secrets-store-provider-azure/csi-secrets-store-provider-azure values: secrets-store-csi-driver: install: false - + when: + - storage_secrets_store.enabled tags: - storage - secrets-store # https://github.com/hashicorp/vault-csi-provider + +- name: Secret Store need to be absent + block: + - name: Uninstall Secrets Store + kubernetes.core.helm: + context: "{{ my_context }}" + name: "{{ item }}" + state: absent + release_namespace: "kube-system" + with_items: + - "csi-secrets-store" + - "csi-secrets-store-provider-azure" + - name: Remove Ingress for longhorn UI + kubernetes.core.k8s: + state: absent + context: "{{ my_context }}" + namespace: "kube-system" + resource_definition: "{{ lookup('file', item) | from_yaml }}" + with_items: + - "secrets-provider-gopass/provider-gopass-installer.yaml" + + when: + - not storage_secrets_store.enabled + tags: + - secrets-store + - storage diff --git a/templates/local-path/local-path-namespace.yml.j2 b/templates/local-path/local-path-namespace.yml.j2 new file mode 100644 index 0000000..1ab47a9 --- /dev/null +++ b/templates/local-path/local-path-namespace.yml.j2 @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: "{{ storage_localpath.namespace }}" diff --git a/templates/longhorn/longhorn-namespace.yml.j2 b/templates/longhorn/longhorn-namespace.yml.j2 index b448b0c..cf696ba 100644 --- a/templates/longhorn/longhorn-namespace.yml.j2 +++ b/templates/longhorn/longhorn-namespace.yml.j2 @@ -2,4 +2,4 @@ apiVersion: v1 kind: Namespace metadata: - name: "{{ storage_longhorn_namespace }}" + name: "{{ storage_longhorn.namespace }}" 
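Review bot: The new uninstall task is named `Remove Ingress for longhorn UI` but it deletes the gopass provider manifest `secrets-provider-gopass/provider-gopass-installer.yaml`; the name looks copied from tasks/longhorn.yml and will mislead anyone reading play output, so rename it, e.g. `- name: Remove Secrets Store CSI driver provider gopass`. The azure provider is now installed with `chart_version: "{{ storage_secrets_store_azure.version }}"`, pinned to `v1.1.0` in defaults, but that mapping has no `enabled` key, so the azure and gopass providers appear to be installed and removed together under the single `storage_secrets_store.enabled` switch; if that is intended, a comment above the azure task should say so. The install block and its `values:` start before this hunk.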
diff --git a/templates/longhorn/longhorn_ingressroute.yaml.j2 b/templates/longhorn/longhorn_ingressroute.yaml.j2 index 2d7f192..aafb0f7 100644 --- a/templates/longhorn/longhorn_ingressroute.yaml.j2 +++ b/templates/longhorn/longhorn_ingressroute.yaml.j2 @@ -24,12 +24,12 @@ spec: {% if basic_auth is defined or ingress_whitelist is defined %} middlewares: {% if ingress_whitelist is defined %} - - name: traefik-ipwhitelist - namespace: {{ traefik_namespace }} + - name: traefik-ipwhitelist@file +# namespace: {{ traefik_namespace }} {% endif %} {% if basic_auth is defined %} - - name: basic-auth - namespace: {{ traefik_namespace }} + - name: basic-auth@file +# namespace: {{ traefik_namespace }} {% endif %} {% endif %} services: diff --git a/vars/local-path.yaml b/vars/local-path.yaml deleted file mode 100644 index 92f7d10..0000000 --- a/vars/local-path.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -storage_localpath_files_list: - - "PodSecurityPolicy.yml" - - "ClusterRole.yml" - - "ClusterRoleBinding.yml" - - "ServiceAccount.yml"
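Review bot: The middleware references now point at `traefik-ipwhitelist@file` and `basic-auth@file`, i.e. Traefik's file provider instead of the CRD provider the removed `namespace: {{ traefik_namespace }}` lines targeted, so the Longhorn UI's IP allow-list and basic-auth protection now depend on those middlewares existing in Traefik's dynamic file configuration on every cluster this role targets; that dependency should be stated in the role's README or in a comment above the `{% if basic_auth is defined or ingress_whitelist is defined %}` block. A router that references a missing middleware is expected to be rejected by Traefik rather than served unprotected, but that is worth confirming for the Traefik version in use. The commented `# namespace: {{ traefik_namespace }}` lines are still Jinja expressions, so `traefik_namespace` must remain defined even though its value is no longer used; delete the two lines instead of commenting them out.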