Big update af the role

This commit is contained in:
Adrien Reslinger 2022-03-03 12:06:46 +01:00
parent 10f4eb6ef0
commit d97acb68b0
Signed by: adrien
GPG key ID: DA7B27055C66D6DE
14 changed files with 156 additions and 246 deletions


@ -1,24 +1,32 @@
my_context: minikube my_context: minikube
storage_manual: true storage_manual:
enabled: true
storage_localpath: true storage_localpath:
storage_localpath_version: "v0.0.21" enabled: true
storage_localpath_default_path: "/mnt/local" version: "v0.0.21"
storage_localpath_namespace: "local-path-storage" default_path: "/mnt/local"
namespace: "local-path-storage"
storage_longhorn: false storage_longhorn:
storage_longhorn_version: "v1.2.3" enabled: false
storage_longhorn_namespace: "longhorn-system" version: "v1.2.3"
namespace: "longhorn-system"
storage_nfs: false storage_nfs:
storage_nfs_namespace: "nfs-client-provisioner" enabled: false
namespace: "nfs-client-provisioner"
storage_secrets_store: false storage_secrets_store:
storage_secrets_store_version: "v1.1.0" enabled: false
version: "v1.1.0"
storage_secrets_store_azure:
version: "v1.1.0"
storage_linode: false storage_linode: false
storage_digitalocean: false storage_digitalocean: false
# local-path, longhorn, linode-block-storage, linode-block-storage-retain, do-block-storage # local-path, longhorn, linode-block-storage, linode-block-storage-retain, do-block-storage
storage_default_storageclass: local-path #storage_default_storageclass: local-path
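Review bot: The commented default at the end still carries the old flat name, `#storage_default_storageclass: local-path`, while the tasks in this same commit read `storage.default_storageclass`, so anyone who uncomments it sets a variable nothing consumes and the default StorageClass is never applied. Replace it with the nested form, `# storage:` / `#   default_storageclass: local-path`, so the documented override matches the lookup. `storage_secrets_store_azure` also gets only a `version` and no `enabled` key, unlike every other nested stanza, and `storage_linode`/`storage_digitalocean` stay flat booleans; if that is intentional, a one-line comment saying so saves the next reader a search.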


@ -1,49 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: local-path-provisioner
app.kubernetes.io/name: local-path-provisioner
name: local-path-provisioner
rules:
- apiGroups:
- policy
resourceNames:
- local-path-policy
resources:
- podsecuritypolicies
verbs:
- use
- apiGroups:
- ""
resources:
- nodes
- persistentvolumeclaims
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- endpoints
- persistentvolumes
- pods
verbs:
- '*'
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch


@ -1,15 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: local-path-provisioner
app.kubernetes.io/name: local-path-provisioner
name: local-path-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: local-path-provisioner
subjects:
- kind: ServiceAccount
name: local-path-provisioner
namespace: local-path-storage


@ -1,24 +0,0 @@
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: local-path-policy
spec:
privileged: true
fsGroup:
rule: RunAsAny
allowedCapabilities:
- DAC_READ_SEARCH
- SYS_RESOURCE
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- secret
- hostPath


@ -1,7 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: local-path-provisioner
app.kubernetes.io/name: local-path-provisioner
name: local-path-provisioner


@ -1,72 +1,51 @@
--- ---
- name: Local-path - name: Local-path
block: block:
- name: Include file list
include_vars: "local-path.yaml"
- name: Defined local-path-storage state to present
set_fact:
storage_localpath_state: present
when:
- storage_localpath|bool
- name: find state of local-path-storage
set_fact:
storage_localpath_state: absent
when:
- not storage_localpath|bool
# - name: namespace
# kubernetes.core.k8s:
# state: present
# context: "{{ my_context }}"
# merge_type: merge
# definition:
# api_version: v1
# kind: Namespace
# metadata:
# name: "{{ storage_localpath_namespace }}"
# labels:
# namespace: '{{ storage_localpath_namespace }}'
# when:
# - storage_localpath|bool
#
# - name: local-path-storage need to be {{ storage_localpath_state }}
# kubernetes.core.k8s:
# state: "{{ storage_localpath_state }}"
# context: "{{ my_context }}"
# namespace: "{{ storage_localpath_namespace }}"
# apply: true
# resource_definition: "{{ lookup('file', 'local-path/' + item) | from_yaml }}"
# with_items:
# - "{{ storage_localpath_files_list }}"
# https://github.com/rancher/local-path-provisioner/tree/master/deploy/chart # https://github.com/rancher/local-path-provisioner/tree/master/deploy/chart
- name: Downloal Local-path repository - name: Install Local-path
block: block:
- name: Git clone stable repo on HEAD - name: Git clone stable repo on HEAD
ansible.builtin.git: ansible.builtin.git:
repo: "https://github.com/rancher/local-path-provisioner.git" repo: "https://github.com/rancher/local-path-provisioner.git"
dest: tmp/local-path-provisioner dest: tmp/local-path-provisioner
version: "{{ storage_localpath_version }}" version: "{{ storage_localpath.version }}"
- name: Deploy local-path chart from local path - name: Deploy local-path chart from local path
kubernetes.core.helm: kubernetes.core.helm:
state: "{{ storage_localpath_state }}" state: "present"
name: local-path-provisioner name: local-path-provisioner
context: "{{ my_context }}" context: "{{ my_context }}"
chart_ref: tmp/local-path-provisioner/deploy/chart chart_ref: tmp/local-path-provisioner/deploy/chart
release_namespace: "{{ storage_localpath_namespace }}" release_namespace: "{{ storage_localpath.namespace }}"
create_namespace: true create_namespace: true
values: values:
# rbac:
# create: false
# serviceAccount:
# create: false
# name: local-path-provisioner
nodePathMap: nodePathMap:
- node: DEFAULT_PATH_FOR_NON_LISTED_NODES - node: DEFAULT_PATH_FOR_NON_LISTED_NODES
paths: ["{{ storage_localpath_default_path }}"] paths: ["{{ storage_localpath.default_path }}"]
when:
- storage_localpath.enabled
- name: Uninstall Local-path
block:
- name: Uninstall local-path
kubernetes.core.helm:
context: "{{ my_context }}"
name: local-path-provisioner
release_state: absent
release_namespace: "{{ storage_localpath.namespace }}"
- name: namespace
kubernetes.core.k8s:
state: absent
context: "{{ my_context }}"
namespace: "{{ storage_localpath.namespace }}"
resource_definition: "{{ lookup('template', 'local-path/' + item) | from_yaml }}"
with_items:
- "local-path-namespace.yml.j2"
when:
- not storage_localpath.enabled
tags: tags:
- storage - storage
- local-path - local-path
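Review bot: `version: "{{ storage_localpath.version }}"` on the `ansible.builtin.git` task pins a tag (`v0.0.21` in the defaults) rather than a commit, and the task is still named `Git clone stable repo on HEAD`, which describes neither. A tag on a third-party repository can be moved, and the chart under `tmp/local-path-provisioner/deploy/chart` is what then gets installed cluster-wide with helper pods on every node, so pin `version:` to the tag's commit SHA (or record the expected SHA next to the tag in the defaults) and rename the task to `Git clone local-path-provisioner at pinned version`. Note also that `Uninstall local-path` uses `release_state: absent` while the longhorn and secrets-store files in this commit use `state: absent`; `kubernetes.core.helm` accepts both, but the role should pick one.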


@ -10,9 +10,9 @@
context: "{{ my_context }}" context: "{{ my_context }}"
name: longhorn name: longhorn
chart_ref: longhorn/longhorn chart_ref: longhorn/longhorn
chart_version: "{{ storage_longhorn_version }}" chart_version: "{{ storage_longhorn.version }}"
create_namespace: yes create_namespace: yes
release_namespace: "{{ storage_longhorn_namespace }}" release_namespace: "{{ storage_longhorn.namespace }}"
values: values:
# persistence: # persistence:
# defaultClass: true # defaultClass: true
@ -62,19 +62,19 @@
# traefik.ingress.kubernetes.io/router.middlewares: {{ traefik_namespace }}-traefik-dashboard-basicauth@kubernetescrd # traefik.ingress.kubernetes.io/router.middlewares: {{ traefik_namespace }}-traefik-dashboard-basicauth@kubernetescrd
# traefik.ingress.kubernetes.io/router.middlewares: basic-auth@file # traefik.ingress.kubernetes.io/router.middlewares: basic-auth@file
#{% endif %} #{% endif %}
enablePSP: true # enablePSP: true
- name: Install longhorn UI Ingress - name: Install longhorn UI Ingress
k8s: kubernetes.core.k8s:
state: present state: present
context: "{{ my_context }}" context: "{{ my_context }}"
apply: true apply: true
namespace: "{{ storage_longhorn_namespace }}" namespace: "{{ storage_longhorn.namespace }}"
resource_definition: "{{ lookup('template', 'longhorn/' + item) | from_yaml }}" resource_definition: "{{ lookup('template', 'longhorn/' + item) | from_yaml }}"
with_items: with_items:
- "longhorn_ingressroute.yaml.j2" - "longhorn_ingressroute.yaml.j2"
when: when:
- storage_longhorn|bool - storage_longhorn.enabled
tags: tags:
- longhorn - longhorn
- storage - storage
@ -85,23 +85,20 @@
kubernetes.core.helm: kubernetes.core.helm:
context: "{{ my_context }}" context: "{{ my_context }}"
name: longhorn name: longhorn
chart_ref: longhorn/longhorn state: absent
# chart_version: 1.2.0 release_namespace: "{{ storage_longhorn.namespace }}"
release_state: absent
release_namespace: "{{ storage_longhorn_namespace }}"
create_namespace: true
- name: Remove Ingress for longhorn UI - name: Remove Ingress for longhorn UI
k8s: kubernetes.core.k8s:
state: absent state: absent
context: "{{ my_context }}" context: "{{ my_context }}"
namespace: "{{ storage_longhorn_namespace }}" namespace: "{{ storage_longhorn.namespace }}"
resource_definition: "{{ lookup('template', 'longhorn/' + item) | from_yaml }}" resource_definition: "{{ lookup('template', 'longhorn/' + item) | from_yaml }}"
with_items: with_items:
- "longhorn_ingressroute.yaml.j2" # - "longhorn_ingressroute.yaml.j2"
- "longhorn-namespace.yml.j2" - "longhorn-namespace.yml.j2"
when: when:
- not storage_longhorn|bool - not storage_longhorn.enabled
tags: tags:
- longhorn - longhorn
- storage - storage
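Review bot: `Remove Ingress for longhorn UI` now only deletes the namespace (the `longhorn_ingressroute.yaml.j2` item is commented out), so the task name no longer describes what it does; the IngressRoute disappears with the namespace, which is fine, but rename it to `Remove longhorn namespace and its resources` and drop the commented item. Commenting out `enablePSP: true` removes the only pod-level restriction this role applied to Longhorn and the commit adds nothing in its place; on a cluster that still honours PodSecurityPolicy that is a regression, and on one past its removal a comment such as `# enablePSP dropped: PodSecurityPolicy is gone from Kubernetes 1.25+, pod security for this namespace is left to cluster admission policy` records the decision. `create_namespace: yes` should be `true` to keep the file on yamllint's truthy rule.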


@ -13,7 +13,7 @@
volumeBindingMode: WaitForFirstConsumer volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true allowVolumeExpansion: true
when: when:
- storage_manual|bool - storage_manual.enabled
tags: tags:
- manual - manual
- storage - storage
@ -52,11 +52,11 @@
apiVersion: v1 apiVersion: v1
kind: StorageClass kind: StorageClass
metadata: metadata:
name: "{{ storage_default_storageclass }}" name: "{{ storage.default_storageclass }}"
annotations: annotations:
storageclass.kubernetes.io/is-default-class: "true" storageclass.kubernetes.io/is-default-class: "true"
when: when:
- storage_default_storageclass is defined - storage.default_storageclass is defined
tags: tags:
- manual - manual
- local-path - local-path
@ -72,9 +72,9 @@
apiVersion: v1 apiVersion: v1
kind: VolumeSnapshotClass kind: VolumeSnapshotClass
metadata: metadata:
name: "{{ storage_default_storageclass }}" name: "{{ storage.default_storageclass }}"
annotations: annotations:
snapshot.storage.kubernetes.io/is-default-class: "true" snapshot.storage.kubernetes.io/is-default-class: "true"
when: when:
- storage_default_storageclass is defined - storage.default_storageclass is defined
- storage_default_storageclass == "do-block-storage" - storage.default_storageclass == "do-block-storage"
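Review bot: `storage.default_storageclass is defined` guards both the default StorageClass and the VolumeSnapshotClass, but nothing in this commit defines a `storage` mapping — the defaults file only carries a commented `#storage_default_storageclass: local-path` under the old flat name — so these tasks silently skip unless the inventory supplies `storage:` itself. Add a commented nested default next to the other stanzas and a note above the first task, `# NOTE: only runs when storage.default_storageclass is set by the inventory`, so the skip is visible rather than surprising. Separately, `apiVersion: v1` with `kind: StorageClass` and with `kind: VolumeSnapshotClass` looks wrong, as those kinds live under `storage.k8s.io/v1` and `snapshot.storage.k8s.io/v1`; those lines are unchanged context and the task header is outside the hunk, so I cannot see whether a wrapper above makes them valid — please confirm against a real cluster.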


@ -1,43 +1,51 @@
--- ---
- name: NFS client setup
block:
# https://github.com/kubernetes-incubator/external-storage/blob/master/nfs/docs/deployment.md # https://github.com/kubernetes-incubator/external-storage/blob/master/nfs/docs/deployment.md
# Ne pas oublier de "sudo chcon -Rt svirt_sandbox_file_t /srv" pour le stockage # Ne pas oublier de "sudo chcon -Rt svirt_sandbox_file_t /srv" pour le stockage
# ou alors tourner le container en privileged # ou alors tourner le container en privileged
- name: Defined nfs-provisioner state to present
check_mode: false
set_fact:
storage_nfs_state: present
when:
- storage_nfs|bool
- name: find state of nfs-provisioner
check_mode: false
set_fact:
storage_nfs_state: absent
when:
- not storage_nfs|bool
# https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner/blob/master/charts/nfs-subdir-external-provisioner/README.md # https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner/blob/master/charts/nfs-subdir-external-provisioner/README.md
- name: Defined NFS Provisioner repository - name: Defined NFS Provisioner repository
kubernetes.core.helm_repository: kubernetes.core.helm_repository:
name: nfs-subdir-external-provisioner name: nfs-subdir-external-provisioner
repo_url: "https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner" repo_url: "https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner"
- name: Deploy latest version of NFS Provisioner - name: Deploy latest version of NFS Provisioner
kubernetes.core.helm: kubernetes.core.helm:
context: "{{ my_context }}" context: "{{ my_context }}"
state: "{{ storage_nfs_state }}" state: "present"
name: nfs-subdir-external-provisioner name: nfs-subdir-external-provisioner
chart_ref: nfs-subdir-external-provisioner/nfs-subdir-external-provisioner chart_ref: nfs-subdir-external-provisioner/nfs-subdir-external-provisioner
create_namespace: yes create_namespace: yes
release_namespace: "{{ storage_nfs_namespace }}" release_namespace: "{{ storage_nfs.namespace }}"
values: values:
nfs: nfs:
server: x.x.x.x server: x.x.x.x
path: /exported/path path: /exported/path
podSecurityPolicy: # podSecurityPolicy:
enabled: true # enabled: true
# storageClass: # storageClass:
# name: nfs-client # name: nfs-client
# defaultClass: false # defaultClass: false
# provisionerName: "" # provisionerName: ""
# accessModes: ReadWriteOnce # accessModes: ReadWriteOnce
when:
- storage_nfs.enabled
tags:
- nfs
- storage
- name: NFS client need to be absent
block:
- name: Uninstall nfs-subdir-external-provisioner
kubernetes.core.helm:
context: "{{ my_context }}"
name: nfs-subdir-external-provisioner
release_state: absent
release_namespace: "{{ storage_nfs.namespace }}"
when:
- not storage_nfs.enabled
tags:
- nfs
- storage
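Review bot: `server: x.x.x.x` and `path: /exported/path` are placeholders, and with `state: "present"` and `storage_nfs.enabled` true the provisioner is deployed pointing at a host that does not exist; move them into the new nested stanza, `server: "{{ storage_nfs.server }}"` / `path: "{{ storage_nfs.path }}"`, and let an undefined variable fail the run instead of shipping a broken mount. The chart is also installed without `chart_version`, unlike longhorn and secrets-store in this same commit, so each run pulls whatever the repository's latest is; add `chart_version: "{{ storage_nfs.version }}"` with a pinned default. `create_namespace: yes` should be `true`.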


@ -1,18 +1,6 @@
--- ---
- name: Secrets Store - name: Install Secrets Store
block: block:
- name: Defined secrets-storage state to present
set_fact:
storage_secrets_store_state: present
when:
- storage_secrets_store|bool
- name: find state of secrets-storage
set_fact:
storage_secrets_store_state: absent
when:
- not storage_secrets_store|bool
# https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/master/charts/secrets-store-csi-driver # https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/master/charts/secrets-store-csi-driver
- name: Defined Secrets Store repository - name: Defined Secrets Store repository
kubernetes.core.helm_repository: kubernetes.core.helm_repository:
@ -22,16 +10,15 @@
- name: Deploy Secrets Store chart - name: Deploy Secrets Store chart
kubernetes.core.helm: kubernetes.core.helm:
context: "{{ my_context }}" context: "{{ my_context }}"
state: "{{ storage_secrets_store_state }}"
name: csi-secrets-store name: csi-secrets-store
namespace: "kube-system" release_namespace: "kube-system"
chart_version: "{{ storage_secrets_store_version }}" chart_version: "{{ storage_secrets_store.version }}"
chart_ref: secrets-store-csi-driver/secrets-store-csi-driver chart_ref: secrets-store-csi-driver/secrets-store-csi-driver
# https://github.com/camptocamp/secrets-store-csi-driver-provider-gopass # https://github.com/camptocamp/secrets-store-csi-driver-provider-gopass
- name: Deploy Secrets Store CSI driver provider gopass - name: Deploy Secrets Store CSI driver provider gopass
kubernetes.core.k8s: kubernetes.core.k8s:
state: "{{ storage_secrets_store_state }}" state: "present"
context: "{{ my_context }}" context: "{{ my_context }}"
namespace: "kube-system" namespace: "kube-system"
apply: true apply: true
@ -45,16 +32,43 @@
- name: Deploy Secrets Store chart - name: Deploy Secrets Store chart
kubernetes.core.helm: kubernetes.core.helm:
context: "{{ my_context }}" context: "{{ my_context }}"
state: "{{ storage_secrets_store_state }}"
name: csi-secrets-store-provider-azure name: csi-secrets-store-provider-azure
namespace: "kube-system" release_namespace: "kube-system"
chart_version: "{{ storage_secrets_store_azure.version }}"
chart_ref: csi-secrets-store-provider-azure/csi-secrets-store-provider-azure chart_ref: csi-secrets-store-provider-azure/csi-secrets-store-provider-azure
values: values:
secrets-store-csi-driver: secrets-store-csi-driver:
install: false install: false
when:
- storage_secrets_store.enabled
tags: tags:
- storage - storage
- secrets-store - secrets-store
# https://github.com/hashicorp/vault-csi-provider # https://github.com/hashicorp/vault-csi-provider
- name: Secret Store need to be absent
block:
- name: Uninstall Secrets Store
kubernetes.core.helm:
context: "{{ my_context }}"
name: "{{ item }}"
state: absent
release_namespace: "kube-system"
with_items:
- "csi-secrets-store"
- "csi-secrets-store-provider-azure"
- name: Remove Ingress for longhorn UI
kubernetes.core.k8s:
state: absent
context: "{{ my_context }}"
namespace: "kube-system"
resource_definition: "{{ lookup('file', item) | from_yaml }}"
with_items:
- "secrets-provider-gopass/provider-gopass-installer.yaml"
when:
- not storage_secrets_store.enabled
tags:
- secrets-store
- storage
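Review bot: The last task is named `Remove Ingress for longhorn UI` but it deletes `secrets-provider-gopass/provider-gopass-installer.yaml` in `kube-system`; this is a copy-paste from the longhorn file and should read `Remove Secrets Store CSI driver provider gopass`. That delete uses `lookup('file', item) | from_yaml`, which yields only the first document of a multi-document manifest; I cannot see the installer file, but if it holds more than one resource (RBAC plus a DaemonSet is typical for a CSI provider) the remaining documents are never removed — `from_yaml_all` with `resource_definition`, or `src:` on the module, handles that. The two helm tasks in the install block are both named `Deploy Secrets Store chart`, which makes the play output ambiguous; name the second `Deploy Secrets Store Azure provider chart`.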


@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: "{{ storage_localpath.namespace }}"
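Review bot: This template is only referenced from the uninstall path (`state: absent` in the local-path tasks), while creation is left to helm's `create_namespace: true`, so nothing in this role can put labels or annotations on the `local-path-storage` namespace at creation time. That matters because this same commit deletes the `local-path-policy` PodSecurityPolicy, and the provisioner's pods used `hostPath` under it; if the target clusters run Pod Security Admission, the namespace should carry an explicit level, e.g. `labels:` / `pod-security.kubernetes.io/enforce: privileged` (with `warn` and `audit` set the same), and this template should also be applied with `state: present` before the helm install so the labels actually land. I cannot tell the cluster version from this diff, so treat the level as something to confirm rather than copy.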


@ -2,4 +2,4 @@
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: "{{ storage_longhorn_namespace }}" name: "{{ storage_longhorn.namespace }}"


@ -24,12 +24,12 @@ spec:
{% if basic_auth is defined or ingress_whitelist is defined %} {% if basic_auth is defined or ingress_whitelist is defined %}
middlewares: middlewares:
{% if ingress_whitelist is defined %} {% if ingress_whitelist is defined %}
- name: traefik-ipwhitelist - name: traefik-ipwhitelist@file
namespace: {{ traefik_namespace }} # namespace: {{ traefik_namespace }}
{% endif %} {% endif %}
{% if basic_auth is defined %} {% if basic_auth is defined %}
- name: basic-auth - name: basic-auth@file
namespace: {{ traefik_namespace }} # namespace: {{ traefik_namespace }}
{% endif %} {% endif %}
{% endif %} {% endif %}
services: services:
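Review bot: `basic-auth@file` and `traefik-ipwhitelist@file` move the middlewares that gate the Longhorn UI out of this role and into Traefik's file provider, and nothing in the template documents that dependency or what happens when the file-provider middleware is absent. As far as I recall Traefik refuses to build a router whose middleware cannot be resolved, so the failure mode is the UI going 404 rather than being exposed, but that should be written down rather than assumed: add `{# basic-auth and traefik-ipwhitelist must exist in Traefik's file provider; the route is disabled if they are missing #}` above the `middlewares:` block. The commented `# namespace: {{ traefik_namespace }}` lines are dead and still rendered by Jinja; harmless as YAML comments, but better deleted than left to suggest the CRD-namespace form still applies.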


@ -1,6 +0,0 @@
---
storage_localpath_files_list:
- "PodSecurityPolicy.yml"
- "ClusterRole.yml"
- "ClusterRoleBinding.yml"
- "ServiceAccount.yml"