From 3c8c788623c50d13d4e253751a12482c006f8698 Mon Sep 17 00:00:00 2001
From: Adrien
Date: Tue, 4 Aug 2020 00:33:38 +0200
Subject: [PATCH] Split deployment to add k3s easily

---
 tasks/RedHat.yml | 1 +
 tasks/cluster_kubeadm.yml | 223 ++++++++++++++++++++++++++++++++++++++
 tasks/install_server.yml | 222 ++-----------------------------------
 tasks/main.yml | 2 +
 4 files changed, 235 insertions(+), 213 deletions(-)
 create mode 100644 tasks/cluster_kubeadm.yml

diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml
index 08ce66e..7eaf639 100644
--- a/tasks/RedHat.yml
+++ b/tasks/RedHat.yml
@@ -19,6 +19,7 @@
 when:
 - not ansible_machine == "armv7l"
 - not ansible_machine == "armv6l"
+ - kubernetes_cri != "k3s"
 
 - name: Register kubernetes firewalld service
 template:
diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml
new file mode 100644
index 0000000..bf9a114
--- /dev/null
+++ b/tasks/cluster_kubeadm.yml
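Review bot: The added condition makes this task's `when:` depend on `kubernetes_cri` being defined on every RedHat host; if the role's defaults do not set it, Ansible errors out on the undefined variable instead of skipping, so a default (or `kubernetes_cri is defined and kubernetes_cri != "k3s"`) is worth confirming. More broadly, this hunk, tasks/install_server.yml and tasks/main.yml all use the value `"k3s"` of a variable named for the container runtime as the switch for a whole distribution, so `kubernetes_cri == "containerd"` is false on k3s hosts although k3s bundles containerd, and every consumer of the variable now has to special-case the sentinel; a dedicated variable for the k3s case would keep the runtime variable meaningful. The task this `when:` belongs to starts outside the hunk.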
@@ -0,0 +1,223 @@
+---
+- name: Install Containerd
+ include_role:
+ name: containerd
+ when:
+ - kubernetes_cri == "containerd"
+ #register: kubernetes_cri_changed
+
+- name: Install CRI-O
+ include_role:
+ name: cri-o
+ when:
+ - kubernetes_cri == "cri-o"
+ #register: kubernetes_cri_changed
+
+#- name: Restart kubelet after kubernetes cri installation
+# service:
+# name: kubelet
+# status: restarted
+# when:
+# - kubernetes_cri_changed is changed
+
+- name: Configuring IPVS kernel module to be load on boot
+ template:
+ src: "etc/modules-load.d/ipvs.conf.j2"
+ dest: "/etc/modules-load.d/ipvs.conf"
+ group: root
+ owner: root
+ mode: 0644
+ when:
+ - kubernetes_kubeproxy_mode == "ipvs"
+
+- name: Load IPVS kernel module
+ modprobe:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - ip_vs
+ - ip_vs_rr
+ - ip_vs_wrr
+ - ip_vs_sh
+ - nf_conntrack_ipv4
+ - nf_conntrack_ipv6
+ when:
+ - kubernetes_kubeproxy_mode == "ipvs"
+
+- name: Secure etcd directory
+ file:
+ path: "/var/lib/etcd"
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+ when:
+ - kubernetes_master|bool
+
+- name: Ensuring /etc/systemd/system/kubelet.service.d Folder Exists
+ file:
+ path: "/etc/systemd/system/kubelet.service.d"
+ state: "directory"
+ group: root
+ owner: root
+ mode: 0755
+ when:
+ - ansible_service_mgr == "systemd"
+
+- name: Configure kubelet service
+ template:
+ src: "etc/{{ item }}.j2"
+ dest: "/etc/{{ item }}"
+ group: root
+ owner: root
+ mode: 0644
+ with_items:
+ - "systemd/system/kubelet.service.d/0-kubelet-extra-args.conf"
+ - "sysconfig/kubelet"
+ when:
+ - ansible_service_mgr == "systemd"
+
+- name: Configure kubelet service
+ template:
+ src: "etc/{{ item }}.j2"
+ dest: "/etc/{{ item }}"
+ group: root
+ owner: root
+ mode: 0644
+ with_items:
+ - "sysconfig/kubelet"
+ when:
+ - not ansible_service_mgr == "systemd"
+
+- name: Enable kubelet on boot
+ service:
+ name: kubelet
+ state: started
+ enabled: yes
+
+# First controler
+- name: Check if /etc/kubernetes/admin.conf already existe
+ stat:
+ path: /etc/kubernetes/admin.conf
+ register: st
+ changed_when: False
+
+- name: Create KubernetesMasterConfigured group
+ group_by:
+ key: KubernetesMasterConfigured
+ when:
+ - st.stat.exists
+
+- name: Retreive kubeadm Major version
+ shell: set -o pipefail && kubeadm version | sed 's/.*{Major:"\([0-9]\)".*/\1/'
+ register: kubeadm_version_major
+ changed_when: False
+
+- name: Retreive kubeadm Minor version
+ shell: set -o pipefail && kubeadm version | sed -e 's/.* Minor:"\([0-9]*\)".*/\1/'
+ register: kubeadm_version_minor
+ changed_when: False
+
+- name: Defined a default lb_kubemaster
+ set_fact:
+ lb_kubemaster: "{{ groups['KubernetesMasters'][0] }}"
+ when:
+ - lb_kubemaster is undefined
+# - groups['KubernetesMasters'] | length > 1
+ changed_when: False
+
+- name: Deploy initial kubeadm config
+ template:
+ src: kubeadm-config.yaml.j2
+ dest: /root/kubeadm-config.yaml
+ owner: root
+ group: root
+ mode: 0600
+ when:
+ - groups['KubernetesMasterConfigured'] is not defined
+ - groups['KubernetesMasters'][0] == ansible_hostname
+ - kubeadm_version_major.stdout | int == 1
+ - kubeadm_version_minor.stdout | int >= 15
+
+- name: Init Kubernetes on {{ groups['KubernetesMasters'][0] }}
+ command: kubeadm init --config=/root/kubeadm-config.yaml
+ when:
+ - groups['KubernetesMasterConfigured'] is not defined
+ - groups['KubernetesMasters'][0] == ansible_hostname
+ - kubeadm_version_major.stdout | int == 1
+ - kubeadm_version_minor.stdout | int >= 15
+
+- name: Add {{ ansible_hostname }} to KubernetesMasterConfigured group
+ group_by:
+ key: KubernetesMasterConfigured
+ when:
+ - groups['KubernetesMasterConfigured'] is not defined
+ - groups['KubernetesMasters'][0] == ansible_hostname
+
+# End of first controler
+
+- name: Test if server node already included
+ command: kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes {{ ansible_hostname | lower }}
+ delegate_to: "{{ lb_kubemaster }}"
+ register: server_enrolled
+ changed_when: False
+ ignore_errors: yes
+
+#- name: Deploy kubeadm config
+# template:
+# src: kubeadm-config.yaml.j2
+# dest: /root/kubeadm-config.yaml
+# owner: root
+# group: root
+# mode: 600
+# when:
+# - not groups['KubernetesMasters'][0] == ansible_hostname
+# - kubeadm_version_major.stdout | int == 1
+# - kubeadm_version_minor.stdout | int >= 15
+# - server_enrolled.rc == 1
+
+- name: Retreive certificats key on {{ lb_kubemaster }}
+ shell: set -o pipefail && kubeadm init phase upload-certs --upload-certs | grep -v upload-certs
+ register: kubernetes_certificateKey
+ delegate_to: "{{ lb_kubemaster }}"
+ when:
+ - server_enrolled.rc == 1
+ - kubernetes_master|bool
+ - kubeadm_version_major.stdout | int == 1
+ - kubeadm_version_minor.stdout | int >= 15
+
+- name: Retreive token on "{{ lb_kubemaster }}"
+ command: kubeadm token create
+ register: kubetoken
+ delegate_to: "{{ lb_kubemaster }}"
+ when:
+ - server_enrolled.rc == 1
+
+- name: Retreive hash certificat
+ shell: >
+ set -o pipefail &&
+ openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt |
+ openssl rsa -pubin -outform der 2>/dev/null |
+ openssl dgst -sha256 -hex |
+ sed 's/^.* //'
+ register: cacerthash
+ delegate_to: "{{ lb_kubemaster }}"
+ when:
+ - server_enrolled.rc == 1
+
+- name: Deploy kubeadm config
+ template:
+ src: kubeadm-config.yaml.j2
+ dest: /root/kubeadm-config.yaml
+ owner: root
+ group: root
+ mode: 0600
+ when:
+ - server_enrolled.rc == 1
+
+- name: Join '{{ ansible_hostname }}' to Kubernetes cluster
+ command: kubeadm join --config=/root/kubeadm-config.yaml
+ when:
+ - kubeadm_version_major.stdout | int == 1
+ - kubeadm_version_minor.stdout | int >= 15
+ - server_enrolled.rc == 1
diff --git a/tasks/install_server.yml b/tasks/install_server.yml
index b0b9c3a..50a487d 100644
--- a/tasks/install_server.yml
+++ b/tasks/install_server.yml
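Review bot: `Retreive certificats key on {{ lb_kubemaster }}` and `Retreive token on "{{ lb_kubemaster }}"` register the kubeadm certificate key and a bootstrap token, both of which let a host join the control plane or the cluster, yet neither task sets `no_log`, so the values end up in the Ansible output and any log collector on a verbose run. Add `no_log: true` to both tasks, and presumably to `Deploy kubeadm config` as well since its rendered template is where those values are consumed (the template itself is outside this patch). Separately, `Test if server node already included` relies on `ignore_errors: yes` and the later tasks key only on `server_enrolled.rc == 1`, so a kubectl failure with any other return code (API unreachable, missing kubeconfig on `lb_kubemaster`) silently skips the join; `failed_when: false` with a comment stating that rc 1 is taken to mean "node not found" would make the intent explicit. The file also mixes `changed_when: False` / `enabled: yes` / `ignore_errors: yes` with the lowercase `changed_when: false` used in tasks/install_server.yml; `true`/`false` throughout avoids the YAML truthy ambiguity.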
@@ -1,25 +1,4 @@
 ---
-- name: Install Containerd
- include_role:
- name: containerd
- when:
- - kubernetes_cri == "containerd"
- #register: kubernetes_cri_changed
-
-- name: Install CRI-O
- include_role:
- name: cri-o
- when:
- - kubernetes_cri == "cri-o"
- #register: kubernetes_cri_changed
-
-#- name: Restart kubelet after kubernetes cri installation
-# service:
-# name: kubelet
-# status: restarted
-# when:
-# - kubernetes_cri_changed is changed
-
 - name: Disable SWAP since kubernetes can't work with swap enabled (1/2)
 command: swapoff -a
 changed_when: false
@@ -30,121 +9,23 @@
 fstype: swap
 state: absent
 
-- name: Configuring IPVS kernel module to be load on boot
- template:
- src: "etc/modules-load.d/ipvs.conf.j2"
- dest: "/etc/modules-load.d/ipvs.conf"
- group: root
- owner: root
- mode: 0644
- when:
- - kubernetes_kubeproxy_mode == "ipvs"
-
-- name: Load IPVS kernel module
- modprobe:
- name: "{{ item }}"
- state: present
- with_items:
- - ip_vs
- - ip_vs_rr
- - ip_vs_wrr
- - ip_vs_sh
- - nf_conntrack_ipv4
- - nf_conntrack_ipv6
- when:
- - kubernetes_kubeproxy_mode == "ipvs"
-
-- name: Ensuring /etc/systemd/system/kubelet.service.d Folder Exists
- file:
- path: "/etc/systemd/system/kubelet.service.d"
- state: "directory"
- group: root
- owner: root
- mode: 0755
- when:
- - ansible_service_mgr == "systemd"
-
-- name: Configure kubelet service
- template:
- src: "etc/{{ item }}.j2"
- dest: "/etc/{{ item }}"
- group: root
- owner: root
- mode: 0644
- with_items:
- - "systemd/system/kubelet.service.d/0-kubelet-extra-args.conf"
- - "sysconfig/kubelet"
- when:
- - ansible_service_mgr == "systemd"
-
-- name: Configure kubelet service
- template:
- src: "etc/{{ item }}.j2"
- dest: "/etc/{{ item }}"
- group: root
- owner: root
- mode: 0644
- with_items:
- - "sysconfig/kubelet"
- when:
- - not ansible_service_mgr == "systemd"
-
-- name: Enable kubelet on boot
- service:
- name: kubelet
- state: started
- enabled: yes
-
 # Install API loadbalancer
 - include_tasks: "load_balancer.yml"
 when:
 - kubernetes_master|bool
 - groups['KubernetesMasters'] | length > 1
 
-- name: Check if /etc/kubernetes/admin.conf already existe
- stat:
- path: /etc/kubernetes/admin.conf
- register: st
- changed_when: False
-
-- name: Create KubernetesMasterConfigured group
- group_by:
- key: KubernetesMasterConfigured
- when:
- - st.stat.exists
-
-- name: Retreive kubeadm Major version
- shell: set -o pipefail && kubeadm version | sed 's/.*{Major:"\([0-9]\)".*/\1/'
- register: kubeadm_version_major
- changed_when: False
-
-- name: Retreive kubeadm Minor version
- shell: set -o pipefail && kubeadm version | sed -e 's/.* Minor:"\([0-9]*\)".*/\1/'
- register: kubeadm_version_minor
- changed_when: False
-
-- name: Defined a default lb_kubemaster
- set_fact:
- lb_kubemaster: "{{ groups['KubernetesMasters'][0] }}"
- when:
- - lb_kubemaster is undefined
-# - groups['KubernetesMasters'] | length > 1
- changed_when: False
-
-- name: Secure etcd directory
+- name: Audit policies directory
 file:
- path: "{{ item }}"
+ path: "/etc/kubernetes/policies"
 state: directory
 owner: root
 group: root
 mode: 0700
- with_items:
- - "/var/lib/etcd"
- - "/etc/kubernetes/policies"
 when:
 - kubernetes_master|bool
 
-- name: Configure kubelet service
+- name: Configure audit policy
 file:
 src: "etc/kubernetes/policies/audit-policy.yaml"
 dest: "/etc/kubernetes/policies/audit-policy.yaml"
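Review bot: `Configure audit policy` (renamed here) still drives the `file` module with `src:` and `dest:`; for `file`, `dest` is only an alias of `path` and `src` is honoured solely for `state: link`/`hard`, so unless the `state:` line beyond the hunk says link the role's `etc/kubernetes/policies/audit-policy.yaml` is never placed, and if it does say link the result is a symlink to a relative path rather than a copy of the policy. `copy:` (or `template:` if the policy is templated) with the same `src`/`dest` is presumably what is intended; the task's remaining parameters are outside the hunk. The rename to `Audit policies directory` and dropping the `with_items` now that `/var/lib/etcd` lives in tasks/cluster_kubeadm.yml reads well.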
@@ -154,99 +35,14 @@
 when:
 - kubernetes_master|bool
 
-- name: Deploy initial kubeadm config
- template:
- src: kubeadm-config.yaml.j2
- dest: /root/kubeadm-config.yaml
- owner: root
- group: root
- mode: 0600
+- name: Kubernetes cluster with kubeadm
+ include_tasks: "cluster_kubeadm.yml"
 when:
- - groups['KubernetesMasterConfigured'] is not defined
- - groups['KubernetesMasters'][0] == ansible_hostname
- - kubeadm_version_major.stdout | int == 1
- - kubeadm_version_minor.stdout | int >= 15
-
-- name: Init Kubernetes on {{ groups['KubernetesMasters'][0] }}
- command: kubeadm init --config=/root/kubeadm-config.yaml
+ - kubernetes_cri != "k3s"
+- name: Kubernetes cluster with k3s
+ include_tasks: "cluster_k3s.yml"
 when:
- - groups['KubernetesMasterConfigured'] is not defined
- - groups['KubernetesMasters'][0] == ansible_hostname
- - kubeadm_version_major.stdout | int == 1
- - kubeadm_version_minor.stdout | int >= 15
-
-- name: Add {{ ansible_hostname }} to KubernetesMasterConfigured group
- group_by:
- key: KubernetesMasterConfigured
- when:
- - groups['KubernetesMasterConfigured'] is not defined
- - groups['KubernetesMasters'][0] == ansible_hostname
-
-- name: Test if server node already included
- command: kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes {{ ansible_hostname | lower }}
- delegate_to: "{{ lb_kubemaster }}"
- register: server_enrolled
- changed_when: False
- ignore_errors: yes
-
-#- name: Deploy kubeadm config
-# template:
-# src: kubeadm-config.yaml.j2
-# dest: /root/kubeadm-config.yaml
-# owner: root
-# group: root
-# mode: 600
-# when:
-# - not groups['KubernetesMasters'][0] == ansible_hostname
-# - kubeadm_version_major.stdout | int == 1
-# - kubeadm_version_minor.stdout | int >= 15
-# - server_enrolled.rc == 1
-
-- name: Retreive certificats key on {{ lb_kubemaster }}
- shell: set -o pipefail && kubeadm init phase upload-certs --upload-certs | grep -v upload-certs
- register: kubernetes_certificateKey
- delegate_to: "{{ lb_kubemaster }}"
- when:
- - server_enrolled.rc == 1
- - kubernetes_master|bool
- - kubeadm_version_major.stdout | int == 1
- - kubeadm_version_minor.stdout | int >= 15
-
-- name: Retreive token on "{{ lb_kubemaster }}"
- command: kubeadm token create
- register: kubetoken
- delegate_to: "{{ lb_kubemaster }}"
- when:
- - server_enrolled.rc == 1
-
-- name: Retreive hash certificat
- shell: >
- set -o pipefail &&
- openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt |
- openssl rsa -pubin -outform der 2>/dev/null |
- openssl dgst -sha256 -hex |
- sed 's/^.* //'
- register: cacerthash
- delegate_to: "{{ lb_kubemaster }}"
- when:
- - server_enrolled.rc == 1
-
-- name: Deploy kubeadm config
- template:
- src: kubeadm-config.yaml.j2
- dest: /root/kubeadm-config.yaml
- owner: root
- group: root
- mode: 0600
- when:
- - server_enrolled.rc == 1
-
-- name: Join '{{ ansible_hostname }}' to Kubernetes cluster
- command: kubeadm join --config=/root/kubeadm-config.yaml
- when:
- - kubeadm_version_major.stdout | int == 1
- - kubeadm_version_minor.stdout | int >= 15
- - server_enrolled.rc == 1
+ - kubernetes_cri == "k3s"
 
 - name: Check if a node is still tainted
 command: kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes '{{ ansible_hostname | lower }}' -o jsonpath='{.spec.taints}'
diff --git a/tasks/main.yml b/tasks/main.yml
index 164058c..b57a12b 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -45,6 +45,8 @@
 state: present
 update_cache: yes
 # notify: Restart kubelet
+ when:
+ - (not kubernetes_server|bool) or ( kubernetes_server|bool and kubernetes_cri != "k3s")
 
 - name: Include kubernetes server rules
 include_tasks: "install_server.yml"
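Review bot: `Kubernetes cluster with k3s` includes `cluster_k3s.yml`, but this patch only creates `tasks/cluster_kubeadm.yml` (the diffstat lists four files and a single create), so on any host with `kubernetes_cri == "k3s"` the include fails at runtime with a missing-file error until that file lands in a follow-up; if it is intentionally deferred, a comment such as `# cluster_k3s.yml is added in a follow-up commit` above the task would save the next reader a search. The context task `Check if a node is still tainted` that follows still runs for every server with `--kubeconfig=/etc/kubernetes/admin.conf`, which is the kubeadm location; if k3s writes its kubeconfig elsewhere, that task and the later kubectl calls need the same `kubernetes_cri` guard or a variable for the kubeconfig path. A blank line between the two new include tasks would match the spacing used in the rest of the file.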
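Review bot: The new condition `(not kubernetes_server|bool) or ( kubernetes_server|bool and kubernetes_cri != "k3s")` repeats the first term negated inside the second; it is logically equivalent to `not kubernetes_server|bool or kubernetes_cri != "k3s"`, which reads directly as "install the kubeadm packages everywhere except on k3s servers". The package task this `when:` is attached to starts outside the hunk (only `state: present` and `update_cache: yes` are visible), and as written non-server hosts still receive the packages even when `kubernetes_cri` is `"k3s"`; if that is deliberate for agents, a comment on the task stating so would keep the next maintainer from "fixing" it.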