
eb1fc6161a8f9741cd8d4251275c1a43d929fa76 — Tom Carrio 3 years ago
Initial fork of hexbit ansible-okd
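--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.retry
+roles/*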

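--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+# ansible-okd
+
+This is a fork on anothers original work. Thanks to @hexbit for his contributions thus far.
+
+## 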

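--- /dev/null
+++ b/inventory/hosts
@@ -0,0 +1,10 @@
+apu.k8s.carrio.dev ansible_user=root
+
+[dns_servers]
+apu.k8s.carrio.dev ansible_user=root
+
+[okd_support_servers]
+apu.k8s.carrio.dev ansible_user=root
+
+[matchbox_servers]
+apu.k8s.carrio.dev ansible_user=root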
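Review bot: Every host entry sets `ansible_user=root`, so the target must permit direct root SSH login, which is the first thing most hardening baselines turn off; prefer a dedicated unprivileged user with sudo and set `ansible_become: true` (per play or in `group_vars/all`) so `PermitRootLogin no` can be enforced on the box. I'm assuming key-based authentication is in place — if password auth is allowed for root, that is the more urgent fix. The same host is listed ungrouped and in all three groups, so `ansible_user` could be declared once on the host line or in `group_vars` instead of repeated four times.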

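--- /dev/null
+++ b/okd.yml
@@ -0,0 +1,3 @@
+- import_playbook: playbooks/dns.yml
+- import_playbook: playbooks/haproxy.yml
+- import_playbook: playbooks/matchbox.yml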

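--- /dev/null
+++ b/playbooks/dns.yml
@@ -0,0 +1,80 @@
+- name: Setup DNS
+  hosts: dns_servers
+  any_errors_fatal: true
+  vars:
+    bind_allow_query: ['any']
+    bind_allow_recursion: ['any']
+    bind_forwarders: ['1.1.1.1', '1.0.0.1']
+    bind_listen_ipv4: ['10.10.10.5']
+    bind_recursion: true
+    bind_zone_master_server_ip: '10.10.10.5'
+    bind_zone_domains:
+      - name: int.carrio.dev
+        networks:
+          - '10.10.10'
+        hosts:
+          - name: apu
+            ip: 10.10.10.5
+            aliases:
+              - ns
+          - name: filer1
+            ip: 10.10.10.10
+            aliases:
+              - netdata
+              - flood
+              - kibana
+              - wazuh
+              - mirror
+              - www
+              - gitlab
+              - cockpit
+
+          - name: okdbs
+            ip: 10.10.10.200
+          - name: node1
+            ip: 10.10.10.201
+          - name: node2
+            ip: 10.10.10.202
+          - name: node3
+            ip: 10.10.10.203
+          - name: node4
+            ip: 10.10.10.204
+          - name: node5
+            ip: 10.10.10.205
+
+          - name: api.okd
+            ip: 10.10.10.5
+          - name: api-int.okd
+            ip: 10.10.10.5
+          - name: '*.apps.okd'
+            ip: 10.10.10.5
+          - name: etcd-0.okd
+            ip: 10.10.10.201
+          - name: etcd-1.okd
+            ip: 10.10.10.202
+          - name: etcd-2.okd
+            ip: 10.10.10.203
+
+        services:
+          - name: _etcd-server-ssl._tcp.okd
+            weight: 10
+            port: 2380
+            target: etcd-0.okd
+          - name: _etcd-server-ssl._tcp.okd
+            weight: 10
+            port: 2380
+            target: etcd-1.okd
+          - name: _etcd-server-ssl._tcp.okd
+            weight: 10
+            port: 2380
+            target: etcd-2.okd
+
+  roles:
+    - role: bertvv.bind
+
+  tasks:
+    - name: Add DNS firewalld rule
+      firewalld:
+        service: dns
+        permanent: yes
+        state: enabled
\ No newline at end of file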
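Review bot: The vars at the top of the play build an open resolver — `bind_allow_query: ['any']`, `bind_allow_recursion: ['any']` and `bind_recursion: true` together let any client that can reach 10.10.10.5 recurse through the 1.1.1.1 forwarders, which turns the host into a DNS amplification reflector the moment that interface is routable beyond the LAN. Scope both ACLs to the cluster network, e.g. `bind_allow_recursion: ['localhost', '10.10.10.0/24']` and the same list for `bind_allow_query` (keep `any` for query only if hosts outside the LAN genuinely need to resolve int.carrio.dev). The firewalld task sets `permanent: yes` without `immediate: yes`, so the rule is not live until firewalld is reloaded; add `immediate: yes`, and prefer `true` over `yes` for the boolean per ansible-lint's truthy rule.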

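--- /dev/null
+++ b/playbooks/haproxy.yml
@@ -0,0 +1,43 @@
+- name: Setup HAProxy
+  hosts: okd_support_servers
+  any_errors_fatal: true
+  tasks:
+    - name: Install HAProxy
+      package:
+        pkg: haproxy
+        state: present
+    - name: Set haproxy_connect_any sebool
+      seboolean:
+        name: haproxy_connect_any
+        state: yes
+        persistent: yes
+    - name: Copy haproxy.cfg
+      template:
+        src: ../templates/haproxy.cfg.j2
+        dest: /etc/haproxy/haproxy.cfg
+        validate: /usr/sbin/haproxy -c -V -f %s
+    - name: Start HAProxy service
+      service:
+        name: haproxy
+        state: started
+        enabled: yes
+    - name: Add HTTP firewalld rule
+      firewalld:
+        service: http
+        permanent: yes
+        state: enabled
+    - name: Add HTTPS firewalld rule
+      firewalld:
+        service: https
+        permanent: yes
+        state: enabled
+    - name: Add 6443/tcp firewalld rule
+      firewalld:
+        port: 6443/tcp
+        permanent: yes
+        state: enabled
+    - name: Add 22623/tcp firewalld rule
+      firewalld:
+        port: 22623/tcp
+        permanent: yes
+        state: enabled
\ No newline at end of file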
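Review bot: The last task opens 22623/tcp in firewalld as a bare port, and the paired haproxy.cfg binds that port on every interface; 22623 is the machine config server, which hands Ignition configs (cluster certificates, pull secret) to nodes, and as I recall the OKD/OpenShift install docs say it must not be reachable from outside the cluster. Restrict it to the node network with a rich rule instead, e.g. replace `port: 22623/tcp` with `rich_rule: 'rule family=ipv4 source address=10.10.10.0/24 port port=22623 protocol=tcp accept'` (6443 deserves the same treatment if the API is not meant to be public). All four firewalld tasks set `permanent: yes` without `immediate: yes`, so none of these rules takes effect until firewalld is reloaded — add `immediate: yes` to each. `yes` in the booleans should be `true` per ansible-lint. Note also that the service is started before the firewall is opened, which is harmless here but reads backwards.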

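--- /dev/null
+++ b/playbooks/matchbox.yml
@@ -0,0 +1,108 @@
+- name: Setup Matchbox
+  hosts: matchbox_servers
+  any_errors_fatal: true
+  vars:
+    matchbox_config_user: matchbox
+    matchbox_config_group: matchbox
+    matchbox_config_data_path: /var/lib/matchbox
+    matchbox_config_address: 10.10.10.5:8080
+    matchbox_config_activate: False
+    fcos_kernel_url: https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/32.20200629.3.0/x86_64/fedora-coreos-32.20200629.3.0-live-kernel-x86_64
+    fcos_initramfs_url: https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/32.20200629.3.0/x86_64/fedora-coreos-32.20200629.3.0-live-initramfs.x86_64.img
+    fcos_metal_url: https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/32.20200629.3.0/x86_64/fedora-coreos-32.20200629.3.0-metal.x86_64.raw.xz
+    fcos_metal_sig_url: https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/32.20200629.3.0/x86_64/fedora-coreos-32.20200629.3.0-metal.x86_64.raw.xz.sig
+    nodes:
+      node1:
+        mac: '00:00:00:00:00:00'
+        role: master
+      node2:
+        mac: '00:00:00:00:00:00'
+        role: master
+      node3:
+        mac: '00:00:00:00:00:00'
+        role: master
+      node4:
+        mac: '00:00:00:00:00:00'
+        role: worker
+      node5:
+        mac: '00:00:00:00:00:00'
+        role: worker
+      okdbs:
+        mac: '00:00:00:00:00:00'
+        role: bootstrap
+  roles:
+    - andrewrothstein.matchbox
+    - andrewrothstein.matchbox-config
+  tasks:
+    - name: Download FCOS kernel
+      get_url:
+        url: '{{ fcos_kernel_url }}'
+        dest: '{{ matchbox_config_data_path }}/assets/fedora-coreos-kernel-x86_64'
+        owner: '{{ matchbox_config_user }}'
+        group: '{{ matchbox_config_group }}'
+    - name: Download FCOS initramfs
+      get_url:
+        url: '{{ fcos_initramfs_url }}'
+        dest: '{{ matchbox_config_data_path }}/assets/fedora-coreos-initramfs.x86_64.img'
+        owner: '{{ matchbox_config_user }}'
+        group: '{{ matchbox_config_group }}'
+    - name: Download FCOS rootfs
+      get_url:
+        url: '{{ fcos_metal_url }}'
+        dest: '{{ matchbox_config_data_path }}/assets/fedora-coreos-metal.x86_64.raw.xz'
+        owner: '{{ matchbox_config_user }}'
+        group: '{{ matchbox_config_group }}'
+    - name: Download FCOS rootfs sig
+      get_url:
+        url: '{{ fcos_metal_sig_url }}'
+        dest: '{{ matchbox_config_data_path }}/assets/fedora-coreos-metal.x86_64.raw.xz.sig'
+        owner: '{{ matchbox_config_user }}'
+        group: '{{ matchbox_config_group }}'
+    - name: Ensure profiles directory exsists
+      file:
+        path: '{{ matchbox_config_data_path }}/profiles'
+        state: directory
+        owner: '{{ matchbox_config_user }}'
+        group: '{{ matchbox_config_group }}'
+    - name: Ensure groups directory exsists
+      file:
+        path: '{{ matchbox_config_data_path }}/groups'
+        state: directory
+        owner: '{{ matchbox_config_user }}'
+        group: '{{ matchbox_config_group }}'
+    - name: Create profile for each type of node
+      template:
+        src: ../templates/okd.json.j2
+        dest: '{{ matchbox_config_data_path }}/profiles/okd-{{ item }}.json'
+        owner: '{{ matchbox_config_user }}'
+        group: '{{ matchbox_config_group }}'
+      with_items:
+        - master
+        - worker
+        - bootstrap
+    - name: Create group for each node
+      template:
+        src: ../templates/node.json.j2
+        dest: '{{ matchbox_config_data_path }}/groups/{{ item.key }}.json'
+        owner: '{{ matchbox_config_user }}'
+        group: '{{ matchbox_config_group }}'
+      loop: "{{ lookup('dict', nodes) }}"
+  post_tasks:
+    - name: Fix EnvFile in matchbox service file
+      replace:
+        path: /etc/systemd/system/matchbox.service
+        regexp: 'EnvFile'
+        replace: 'EnvironmentFile'
+    - name: Reload systemd
+      systemd:
+        daemon_reload: yes
+    - name: Restart matchbox service
+      service: 
+        name: matchbox 
+        state: restarted
+        enabled: yes
+    - name: Add DNS firewalld rule
+      firewalld:
+        port: 8080/tcp
+        permanent: yes
+        state: enabled
\ No newline at end of file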
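Review bot: The four `get_url` tasks fetch the FCOS live kernel, initramfs and metal image with no `checksum:`, so a tampered or truncated download lands in the matchbox assets directory silently and is then PXE-served to every node. Downloading the `.sig` is useful — as far as I recall coreos-installer fetches `<image_url>.sig` and verifies the metal image at install time — but the live kernel and initramfs that perform that check are themselves unverified, so add `checksum: 'sha256:<digest from the FCOS stream metadata for build 32.20200629.3.0>'` to each task (the metal image too, so the controller fails early rather than at first boot). All six `nodes` entries carry the placeholder MAC `'00:00:00:00:00:00'`, so every group file selects the same machine; presumably these get filled in, but an `assert` that the MACs are unique and non-zero before the templating tasks would catch a forgotten one. The final task is named `Add DNS firewalld rule` but opens 8080/tcp for matchbox — rename it to `Add matchbox HTTP firewalld rule` — and like the other firewalld tasks it lacks `immediate: yes`. The `Fix EnvFile` post_task patches a unit file owned by the role; if the role is ever updated that replace silently becomes a no-op, so a comment naming the upstream bug it works around would help the next reader.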

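--- /dev/null
+++ b/playbooks/terraform-matchbox.yml
@@ -0,0 +1,42 @@
+---
+- hosts: master
+  become: true
+  become_user: root
+  vars:
+    terraform_provider_matchbox_ver: 'v0.3.0'
+    terraform_provider_matchbox_checksum: 'sha256:4f13f57423e5a42271c03150ff6dfe72a8fcfe8bdc05da1c6183508dcbb9b8b3'
+    terraform_provider_matchbox_platform: 'linux-amd64'
+    terraform_provider_matchbox_mirror: 'https://github.com/poseidon/terraform-provider-matchbox/releases/download'
+    terraform_provider_matchbox_dir: 'terraform-provider-matchbox-{{ terraform_provider_matchbox_ver }}-{{ terraform_provider_matchbox_platform }}'
+    terraform_provider_matchbox_targz: 'terraform-provider-matchbox-{{ terraform_provider_matchbox_ver }}-{{ terraform_provider_matchbox_platform }}.tar.gz'
+    terraform_provider_matchbox_url: '{{ terraform_provider_matchbox_mirror }}/{{ terraform_provider_matchbox_ver }}/{{ terraform_provider_matchbox_targz }}'
+    terraform_plugin_dir: '{{ ansible_env.HOME }}/.terraform.d/plugins'
+
+  tasks:
+    - name: check if we've done this before
+      stat:
+        path: '{{ terraform_plugin_dir }}/terraform-provider-matchbox_{{ terraform_provider_matchbox_ver }}'
+      register: result
+    - name: install matchbox plugin
+      block:
+        - name: create directory for terraform plugins
+          file:
+            path: '{{ terraform_plugin_dir }}'
+            state: directory
+            mode: 0755
+        - name: download and unarchive terraform-provider-matchbox
+          unarchive:
+            src: '{{ terraform_provider_matchbox_url }}'
+            dest: '/tmp'
+            creates: '/tmp/{{ terraform_provider_matchbox_dir }}'
+            remote_src: yes
+        - name: copy terraform-provider-matchbox to plugin dir
+          copy:
+            src: '/tmp/{{ terraform_provider_matchbox_dir }}/terraform-provider-matchbox'
+            dest: '{{ terraform_plugin_dir }}/terraform-provider-matchbox_{{ terraform_provider_matchbox_ver }}'
+            mode: 0755
+        - name: cleanup terraform-provider-matchbox download
+          file: 
+            path: '/tmp/{{ terraform_provider_matchbox_dir }}'
+            state: absent
+      when: result.stat.exists == false
\ No newline at end of file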
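Review bot: `terraform_provider_matchbox_checksum` is declared in `vars` and never used — the `unarchive` task with `remote_src: yes` pulls the tarball straight from GitHub and extracts it with no integrity check, so the sha256 the author clearly intended as a pin protects nothing. Download the archive first with `get_url` and its `checksum:` option, then unarchive the local file; the fence below shows the replacement tasks. I'm assuming the digest is that of the `.tar.gz` (the variable name suggests so) — confirm against the release's published checksum before relying on it. Separately, `hosts: master` names a group that does not exist in `inventory/hosts` and the play is not imported by `okd.yml`, so as committed it never runs; and `when: result.stat.exists == false` reads better as `when: not result.stat.exists`, while `mode: 0755` should be quoted (`mode: '0755'`) to avoid the YAML octal trap.
```yaml
        - name: download terraform-provider-matchbox
          get_url:
            url: '{{ terraform_provider_matchbox_url }}'
            dest: '/tmp/{{ terraform_provider_matchbox_targz }}'
            checksum: '{{ terraform_provider_matchbox_checksum }}'
            mode: '0644'
        - name: unarchive terraform-provider-matchbox
          unarchive:
            src: '/tmp/{{ terraform_provider_matchbox_targz }}'
            dest: '/tmp'
            creates: '/tmp/{{ terraform_provider_matchbox_dir }}'
            remote_src: yes
        # … unchanged: copy terraform-provider-matchbox to plugin dir …
        - name: cleanup terraform-provider-matchbox download
          file:
            path: '/tmp/{{ terraform_provider_matchbox_dir }}'
            state: absent
        - name: cleanup terraform-provider-matchbox archive
          file:
            path: '/tmp/{{ terraform_provider_matchbox_targz }}'
            state: absent
```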

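--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,3 @@
+- src: bertvv.bind
+- src: andrewrothstein.matchbox
+- src: andrewrothstein.matchbox-config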
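Review bot: None of the three Galaxy roles is pinned, so `ansible-galaxy install -r requirements.yml` takes whatever each role's default branch holds on the day it runs — a supply-chain exposure for code that executes as root on the DNS, load-balancer and PXE host. Pin each role to a released tag with a `version:` key, e.g. `- src: bertvv.bind` followed by `  version: "<release tag>"`, and bump the pins deliberately when upgrading. Since `.gitignore` excludes `roles/*`, there is no vendored copy to fall back on if a tag is deleted or force-moved upstream.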

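--- /dev/null
+++ b/templates/haproxy.cfg.j2
@@ -0,0 +1,99 @@
+# Global settings
+#---------------------------------------------------------------------
+global
+    maxconn     20000
+    log         /dev/log local0 info
+    chroot      /var/lib/haproxy
+    pidfile     /var/run/haproxy.pid
+    user        haproxy
+    group       haproxy
+    daemon
+
+    # turn on stats unix socket
+    stats socket /var/lib/haproxy/stats
+
+#---------------------------------------------------------------------
+# common defaults that all the 'listen' and 'backend' sections will
+# use if not designated in their block
+#---------------------------------------------------------------------
+defaults
+    mode                    http
+    log                     global
+    option                  httplog
+    option                  dontlognull
+    option http-server-close
+    option forwardfor       except 127.0.0.0/8
+    option                  redispatch
+    retries                 3
+    timeout http-request    10s
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          300s
+    timeout server          300s
+    timeout http-keep-alive 10s
+    timeout check           10s
+    maxconn                 20000
+
+listen stats
+    bind :9000
+    mode http
+    stats enable
+    stats uri /
+
+frontend okd4_k8s_api_fe
+    bind :6443
+    default_backend okd4_k8s_api_be
+    mode tcp
+    option tcplog
+
+backend okd4_k8s_api_be
+    balance source
+    mode tcp
+    #server      okdbs 10.10.10.200:6443 check
+    server      node1 10.10.10.201:6443 check
+    server      node2 10.10.10.202:6443 check
+    server      node3 10.10.10.203:6443 check
+
+frontend okd4_machine_config_server_fe
+    bind :22623
+    default_backend okd4_machine_config_server_be
+    mode tcp
+    option tcplog
+
+backend okd4_machine_config_server_be
+    balance source
+    mode tcp
+    #server      okdbs 10.10.10.200:22623 check
+    server      node1 10.10.10.201:22623 check
+    server      node2 10.10.10.202:22623 check
+    server      node3 10.10.10.203:22623 check
+
+frontend okd4_http_ingress_traffic_fe
+    bind :80
+    default_backend okd4_http_ingress_traffic_be
+    mode tcp
+    option tcplog
+
+backend okd4_http_ingress_traffic_be
+    balance source
+    mode tcp
+    #server      node4 10.10.10.201:80 check
+    #server      node4 10.10.10.202:80 check
+    #server      node4 10.10.10.203:80 check
+    server      node4 10.10.10.204:80 check
+    server      node5 10.10.10.205:80 check
+
+frontend okd4_https_ingress_traffic_fe
+    bind *:443
+    default_backend okd4_https_ingress_traffic_be
+    mode tcp
+    option tcplog
+
+backend okd4_https_ingress_traffic_be
+    balance source
+    mode tcp
+    #server      node4 10.10.10.201:443 check
+    #server      node4 10.10.10.202:443 check
+    #server      node4 10.10.10.203:443 check
+    server      node4 10.10.10.204:443 check
+    server      node5 10.10.10.205:443 check
\ No newline at end of file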
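Review bot: The `listen stats` section binds `:9000` on every interface with `stats enable` and no `stats auth`, exposing backend addresses and health state to anyone who can reach the port; bind it locally or require credentials, e.g. `bind 127.0.0.1:9000` or add `stats auth <user>:<password>`. haproxy.yml does not open 9000 in firewalld, so with firewalld enforcing this is blocked from outside today, but the config should not rely on that. The `:22623` frontend (machine config server, which serves Ignition configs to nodes) likewise binds on all interfaces; even with the firewall filtering it, an `acl nodes src 10.10.10.0/24` plus `tcp-request connection reject if !nodes` in that frontend documents and enforces the intent in one place. The bootstrap lines (`#server okdbs …`) are commented out in both the API and machine-config backends although the bootstrap node must be served there during the initial install, so presumably they are toggled by hand — a Jinja `{% if bootstrap_active %}` around them would make that explicit and reproducible. The three `#server node4 10.10.10.20{1,2,3}` comments in the ingress backends are mislabelled copies of the master addresses and should be deleted rather than left as a trap.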

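--- /dev/null
+++ b/templates/node.json.j2
@@ -0,0 +1,7 @@
+{
+  "name": "{{ item.key }}",
+  "profile": "okd-{{ item.value.role }}",
+  "selector": {
+    "mac": "{{ item.value.mac }}"
+  }
+}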

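--- /dev/null
+++ b/templates/okd.json.j2
@@ -0,0 +1,15 @@
+{
+  "id": "okd-{{ item }}",
+  "name": "Fedora CoreOS for okd {{ item }}",
+  "boot": {
+    "kernel": "/assets/fedora-coreos-kernel-x86_64",
+    "initrd": [
+      "/assets/fedora-coreos-initramfs.x86_64.img"
+    ],
+    "args": [
+      "coreos.inst.install_dev=/dev/sda",
+      "coreos.inst.image_url=http://10.10.10.5:8080/assets/fedora-coreos-metal.x86_64.raw.xz",
+      "coreos.inst.ignition_url=http://10.10.10.5:8080/assets/{{ item }}.ign"
+    ]
+  }
+}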
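Review bot: The kernel args fetch the Ignition config over plain HTTP (`coreos.inst.ignition_url=http://10.10.10.5:8080/assets/{{ item }}.ign`) with nothing for the node to verify it against, and for OKD that file carries the cluster CA material and pull secret, so an on-path host in the node VLAN can substitute its own config and own the node at first boot. coreos-installer accepts `coreos.inst.ignition_hash=sha512-<digest>`; add it to `args`, templated from the digest of each `.ign`, so a swapped config is rejected, and put matchbox behind TLS if the PXE network is not fully trusted. The metal image is also fetched over HTTP, but as far as I recall the installer verifies it against the `.sig` that matchbox.yml downloads alongside it, so that leg is covered. The `.ign` files are not produced by any playbook in this commit, so they are presumably placed in `assets/` by hand — worth a note in the README. `coreos.inst.install_dev=/dev/sda` is hard-coded per profile; NVMe or virtio hosts will fail to install, so consider making it a variable.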