bring in the single k8s master stuff

Author: lbrick

.gitignore

@@ -2,6 +2,7 @@ terraform/.terraform.lock.hcl
 terraform/.terraform/*
 host.ini
 terraform/terraform.tfstate
+terraform/terraform.tfstate.d/*
 terraform/terraform.tfstate.backup
 terraform/terraform.tfvars
 env.sh

config/.gitkeep

@@ -0,0 +1,40 @@
+# K8s cluster name
+cluster_name: "training-k8s"
+
+# Change this to use another Kubernetes version, e.g. a current beta release
+apt_kube_version: 1.23.0-00
+kube_version: v1.23.4
+
+kube_apiserver_bind_address: 0.0.0.0
+kube_apiserver_port: 6443  # (https)
+
+# Kubernetes internal network for services, unused block of space.
+kube_service_addresses: 10.233.0.0/18
+
+# internal network. When used, it will assign IP
+# addresses from this range to individual pods.
+# This network must be unused in your network infrastructure!
+kube_pods_subnet: 10.233.64.0/18
+
+# A port range to reserve for services with NodePort visibility.
+# Inclusive at both ends of the range.
+kube_apiserver_node_port_range: "30000-32767"
+
+# Kubernetes settings
+kube_api_anonymous_auth: true
+
+## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
+## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
+
+kube_oidc_auth: true
+kube_oidc_url: https://ood-idp.training.data.nesi.org.nz/realms/ondemand
+kube_oidc_client_id: kubernetes
+## Optional settings for OIDC
+kube_oidc_username_claim: preferred_username
+kube_oidc_username_prefix: "-"
+kube_oidc_groups_claim: groups
+kube_oidc_groups_prefix: 'oidc:'
+# Copy oidc CA file to the following path if needed
+kube_oidc_ca_file: "{{ kube_cert_dir }}/zero_ca.crt"
+# Optionally include a base64-encoded oidc CA cert
+kube_oidc_ca_cert: <I_WILL_PASS_YOU_THIS-MAYBE_SET_AS_AN_ENV>

group_vars/k8s_cluster/k8s_cluster.yml

@@ -0,0 +1,16 @@
+---
+- name: Creates directory
+  file:
+    path: /etc/docker
+    state: directory
+    
+- name: Copy daemon.json to nodes
+  copy:
+    src: ../template/daemon.json
+    dest: /etc/docker/daemon.json
+
+- name: Docker Installation
+  apt:
+    name: docker.io
+    state: present
+    update_cache: true

roles/docker/tasks/main.yml

@@ -0,0 +1,8 @@
+{
+    "exec-opts": ["native.cgroupdriver=systemd"],
+    "log-driver": "json-file",
+    "log-opts": {
+      "max-size": "100m"
+    },
+    "storage-driver": "overlay2"
+  }

roles/docker/template/daemon.json

@@ -0,0 +1,14 @@
+---
+- name: Wait for nodes to become accessible
+  wait_for_connection:
+    # Wait for 10 mins for host to become available
+    timeout: 30
+  vars:
+    ansible_connection: ssh
+    ansible_host: "{{ hostvars[item]['ansible_host'] }}"
+    ansible_user: "ubuntu"
+    ansible_ssh_private_key_file: "~/.ssh/id_flexi"
+    ansible_python_interpreter: auto_legacy
+    ansible_ssh_common_args: "{{ hostvars[item]['ansible_ssh_common_args'] }}"
+  with_items:
+    - "{{ groups['all'] }}"

roles/infra/wait-for-hosts/tasks/main.yml

@@ -0,0 +1,52 @@
+cluster_name: "kubernetes"
+
+## Change this to use another Kubernetes version, e.g. a current beta release
+apt_kube_version: 1.23.0-00
+kube_version: v1.23.4
+
+kube_apiserver_bind_address: 0.0.0.0
+kube_apiserver_port: 6443  # (https)
+
+# Kubernetes internal network for services, unused block of space.
+kube_service_addresses: 10.233.0.0/18
+
+# internal network. When used, it will assign IP
+# addresses from this range to individual pods.
+# This network must be unused in your network infrastructure!
+kube_pods_subnet: 10.233.64.0/18
+
+# A port range to reserve for services with NodePort visibility.
+# Inclusive at both ends of the range.
+kube_apiserver_node_port_range: "30000-32767"
+
+is_kube_master: "{{ inventory_hostname in groups['kube_control_plane'] }}"
+kube_apiserver_count: "{{ groups['kube_control_plane'] | length }}"
+kube_apiserver_address: "{{ ansible_host | default(fallback_ips[inventory_hostname]) }}"
+first_kube_control_plane_address: "{{ hostvars[groups['kube_control_plane'][0]]['ansible_host'] }}"
+kube_apiserver_endpoint: https://{{ first_kube_control_plane_address }}:{{ kube_apiserver_port }}
+
+# Kubernetes settings
+kube_api_anonymous_auth: true
+
+# Editing those values will almost surely break something.
+kube_config_dir: /etc/kubernetes
+kube_manifest_dir: "{{ kube_config_dir }}/manifests"
+
+# This is where all the cert scripts and certs will be located
+kube_cert_dir: "{{ kube_config_dir }}/ssl"
+
+## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
+## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
+
+kube_oidc_auth: false
+kube_oidc_url: https://ood-idp.training.data.nesi.org.nz/realms/ondemand
+kube_oidc_client_id: kubernetes
+## Optional settings for OIDC
+kube_oidc_username_claim: preferred_username
+kube_oidc_username_prefix: "-"
+kube_oidc_groups_claim: groups
+kube_oidc_groups_prefix: 'oidc:'
+# Copy oidc CA file to the following path if needed
+kube_oidc_ca_file: "{{ kube_cert_dir }}/zero_ca.crt"
+# Optionally include a base64-encoded oidc CA cert
+kube_oidc_ca_cert: LS0tLS1CRU.....

roles/kubernetes/control-plane/defaults/main.yml

@@ -0,0 +1,116 @@
+---
+- name: Create Kubernetes ssl directory
+  file:
+    path: "{{ kube_cert_dir }}"
+    state: directory
+
+- name: Install OIDC certificate
+  copy:
+    content: "{{ kube_oidc_ca_cert | b64decode }}"
+    dest: "{{ kube_oidc_ca_file }}"
+    owner: root
+    group: root
+    mode: "0644"
+  when:
+    - kube_oidc_auth
+    - kube_oidc_ca_cert is defined
+
+- name: Check if kubeadm has already run
+  stat:
+    path: "/var/lib/kubelet/config.yaml"
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
+  register: kubeadm_already_run
+
+- name: Create hardcoded kubeadm token for joining nodes with 24h expiration (if defined)
+  shell: >-
+    kubeadm token generate
+  changed_when: false
+  when:
+    - inventory_hostname ==  first_kube_control_plane
+    - kubeadm_token is defined
+  register: temp_token
+
+- name: Set kubeadm_token
+  set_fact:
+    kubeadm_token: "{{ temp_token.stdout_lines[0] }}"
+  when:
+    - temp_token.stdout is defined
+    - inventory_hostname ==  first_kube_control_plane
+
+- name: Create kubeadm config
+  template:
+    src: "kubeadm-config.yaml.j2"
+    dest: "{{ kube_config_dir }}/kubeadm-config.yaml"
+    mode: 0640
+  when:
+    - inventory_hostname ==  first_kube_control_plane
+
+- name: Initialize first master
+  command: >-
+    kubeadm init
+    --config={{ kube_config_dir }}/kubeadm-config.yaml
+    --ignore-preflight-errors=all
+    --upload-certs
+  when:
+    - inventory_hostname == first_kube_control_plane
+    - not kubeadm_already_run.stat.exists
+
+- name: create .kube directory
+  file:
+    path: $HOME/.kube
+    state: directory
+    mode: 0755
+  when:
+    - inventory_hostname == first_kube_control_plane
+    - not kubeadm_already_run.stat.exists
+
+- name: copy admin.conf to user's kube config
+  copy:
+    src: /etc/kubernetes/admin.conf
+    dest: $HOME/.kube/config
+    remote_src: yes
+  when:
+    - inventory_hostname == first_kube_control_plane
+    - not kubeadm_already_run.stat.exists
+
+- name: copy admin.conf to loacal
+  fetch:
+    src: /etc/kubernetes/admin.conf
+    dest: ./config/k8s-admin.conf
+    flat: yes
+  when:
+    - inventory_hostname == first_kube_control_plane
+    - not kubeadm_already_run.stat.exists
+
+- name: install Pod network
+  command: >-
+    kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
+  when:
+    - inventory_hostname == first_kube_control_plane
+    - not kubeadm_already_run.stat.exists
+
+# - name: Create a New Certificate Key
+#   become: true
+#   command: >-
+#     kubeadm init phase upload-certs --upload-certs
+#   register: join_certificate_key
+#   changed_when: join_certificate_key.rc != 0 # Uses the return code to define when the task has changed.
+#   when:
+#     - inventory_hostname == first_kube_control_plane
+
+# - name: Generate Master Join Command
+#   become: true
+#   command: >-
+#     kubeadm token create --print-join-command --certificate-key "{{ join_certificate_key.stdout_lines[2] }}"
+#   register: join_master_command_raw
+#   changed_when: join_master_command.rc != 0 # Uses the return code to define when the task has changed.
+#   when:
+#     - inventory_hostname == first_kube_control_plane
+
+# - name: Set Master Join Command
+#   set_fact:
+#     master_join_command: "{{ join_master_command_raw.stdout_lines[0] }}"
+#   when:
+#     - inventory_hostname == first_kube_control_plane

roles/kubernetes/control-plane/tasks/control-plane-setup.yml

@@ -0,0 +1,18 @@
+---
+- name: Check which kube-control nodes are already members of the cluster
+  command: "kubectl get nodes --selector=node-role.kubernetes.io/control-plane -o json"
+  register: kube_control_planes_raw
+  ignore_errors: true
+  changed_when: false
+
+- name: Set fact joined_control_panes
+  set_fact:
+    joined_control_planes: "{{ ((kube_control_planes_raw.stdout | from_json)['items']) | default([]) | map(attribute='metadata') | map(attribute='name') | list }}"
+  delegate_to: item
+  loop: "{{ groups['kube_control_plane'] }}"
+  when: kube_control_planes_raw is succeeded
+  run_once: true
+
+- name: Set fact first_kube_control_plane
+  set_fact:
+    first_kube_control_plane: "{{ joined_control_planes | default([]) | first | default(groups['kube_control_plane'] | first) }}"

roles/kubernetes/control-plane/tasks/define-first-kube-control.yml

@@ -0,0 +1,12 @@
+---
+- name: Install Kubectl
+  apt:
+    name: kubectl={{ apt_kube_version }}
+    state: present
+    force: yes
+
+- name: Define nodes already joined to existing cluster and first_kube_control_plane
+  import_tasks: define-first-kube-control.yml
+
+- name: Setup first master
+  include_tasks: control-plane-setup.yml