From 7dda2e1fdc1c8007f5cb7f6b543562149f246f63 Mon Sep 17 00:00:00 2001
From: srw <srw@20c.com>
Date: Thu, 6 Jun 2024 20:05:18 +0000
Subject: [PATCH] prune old address, add basic template files

---
 .gitignore                                    |   3 +
 .vault/vault-keys                             |   4 ++
 .vault/vault-open.sh                          |  14 ++++
 .vault/vault-pass.gpg                         | Bin 0 -> 1867 bytes
 .vault/vault-rekey.sh                         |  52 ++++++++++++++
 README.md                                     |  68 ++++++++++++++++++
 ansible.cfg                                   |   3 +
 files/manifests/digitalocean-dns.yaml         |  16 +++++
 files/manifests/wildcard-pwa-audubon.yaml     |  15 ++++
 group_vars/all/nginx-vault.yml                |   7 ++
 group_vars/lx_cad/k8s-vault.yml               |   8 +++
 group_vars/lx_cad/k8s.yml                     |  39 ++++++++++
 .../lx-cad-cluster-control/firewalld.yml      |  15 ++++
 host_vars/lx-cad-cluster-worker/firewalld.yml |  15 ++++
 host_vars/lx-daemon/firewalld.yml             |  17 +++++
 host_vars/lx-daemon/nginx.yml                 |  21 ++++++
 hosts                                         |  11 +++
 roles/requirements.yml                        |  20 ++++++
 site.yml                                      |  25 +++++++
 19 files changed, 353 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .vault/vault-keys
 create mode 100755 .vault/vault-open.sh
 create mode 100644 .vault/vault-pass.gpg
 create mode 100755 .vault/vault-rekey.sh
 create mode 100644 README.md
 create mode 100644 ansible.cfg
 create mode 100644 files/manifests/digitalocean-dns.yaml
 create mode 100644 files/manifests/wildcard-pwa-audubon.yaml
 create mode 100644 group_vars/all/nginx-vault.yml
 create mode 100644 group_vars/lx_cad/k8s-vault.yml
 create mode 100644 group_vars/lx_cad/k8s.yml
 create mode 100644 host_vars/lx-cad-cluster-control/firewalld.yml
 create mode 100644 host_vars/lx-cad-cluster-worker/firewalld.yml
 create mode 100644 host_vars/lx-daemon/firewalld.yml
 create mode 100644 host_vars/lx-daemon/nginx.yml
 create mode 100644 hosts
 create mode 100644 roles/requirements.yml
 create mode 100644 site.yml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0457da1
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+vault-pass.gpg-*
+roles/*
+!roles/requirements.yml
diff --git a/.vault/vault-keys b/.vault/vault-keys
new file mode 100644
index 0000000..9dddb9f
--- /dev/null
+++ b/.vault/vault-keys
@@ -0,0 +1,4 @@
+D749E2966193DF63
+EE3E0A7A87192BB7
+3C8D0C7EF49AB5A3
+388DD8D74903017E
diff --git a/.vault/vault-open.sh b/.vault/vault-open.sh
new file mode 100755
index 0000000..10a6372
--- /dev/null
+++ b/.vault/vault-open.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+VAULT_PATH=$(dirname "$(realpath "$0")")
+VAULT_CMD="gpg --quiet --batch --use-agent --decrypt"
+VAULT_KEY_FILE=vault-pass.gpg
+
+# define the password in a static env
+# VAULT_KEY
+
+if [ -n "$VAULT_KEY" ]; then
+  echo "$VAULT_KEY"
+else
+  $VAULT_CMD "$VAULT_PATH/$VAULT_KEY_FILE"
+fi
diff --git a/.vault/vault-pass.gpg b/.vault/vault-pass.gpg
new file mode 100644
index 0000000000000000000000000000000000000000..7b6b4dda051f9c695f0d0e551cf3fda5017276bf
GIT binary patch
literal 1867
zcmV-R2ekNw0t^E|ZUeYT?=PwW5CE2}{!IHGsnXz15`azg8K9~vs}1YVj~Y1PX(5_#
z5?!bXLK8r<^aFUg`E<kT*EUkB-FgLdd!pD^<*BENC}c*l27=I;!3TIRB@!(N@@7Av
zQd*?$Ti=AU!+X!acc>0|Bo^J8#v6r+`(B4eRd{@*DRTv?*d{~BU$Ms(9LsRlqPzY)
zQe2f!ML%F=X>8a3+~s&dx8|H>kJs(T6?Ht1`9dKS+ck-LD|m3NKjj{$`L1n*71+EG
zp&;n3Z@Cqdo)4MK5uBlAU?X4#4@Ely@Z4Ja;bA*K0yEt0h0468Lntmamkki(vS%NG
zVou$@jYg*{ez;&c;6#l=7aj#ij`KbtKW=`ZSRujF!qXK-i|Z=L@L)K+gy+GC&v}Dk
zmxCyN4lyGHh{iJD3PlTjg5yw{xIk!4SAtj*!^w2W2E|Ax-86hCxZL@)L$b<@U=6$m
z?Jz+YQ4HCD6I%dxWOQ7*<|`*sPKi~pVdO#^ZYOHWE}y2s-#x_YNKtcKebT*+Whpj~
zcb&#0%R@c+f$%HAX1nQccA?N*vLsQv!J)8mx++hE{DohfQ}@w5;6z!IgQ`dY#(M53
z5y|eds5b)T#5eBlIqNHn3{AVN+clhJsWBqxgj{eZy@dD9L!Ba8u;mdYD>BOmGVal8
zN!H)e0-!N=EaNum`uc?e3<K^y3VMebE4Kj<0GseYTSidy)NP&DA;xLP5=&wpR;Ty<
z199>+b8TO=FG{qFyARygrT?o3&fQcV`NgSjvM8ov+&Hs?9`Wu_gkex)Pc?4&K$KCM
zqAM)iJA+FCK_~%S@Xjj@aq0JN@+Bf*SEP&~4GqBf4?NTJN!5KoAXgF?y#Ldk0a>0M
z=&?f6m5p#l5mgzw$O{MK2GGnYze3aglojglX6{)O3b3#Af;4{5pRD9ST62$tSz4Y3
z>OuoUA2Zcl%DN|c!<?3sV(gS2RyNLac_}c(8y7ub?P#z_A^ex$q?hB{X09%_{rz62
z3?w(!{UEx~-q`&U(*=^xBQvo1wy+HLEZQcss;)PckMS-?&^DwBYu3_V$jrLHcO`XG
zNXCvJ>=b5h=z!mQQBY0D1<$olLvIiHvOZ9T#7l$j_ElS&X`DkP1}mJ$gDN!3*&jN%
z(rhLoG*pnFG1JSE$}sCiZKF9nO6)~YLmgj@r}(Kp?N@^JaumD@eu2@dx?bcGX-!aW
z&^><?1mn^X4@~<vo<cS>Kd65weHh-7zh&bj+vIO`6KE&BrT(9dti*zQ0oI)PSO9}r
z?gJoBzaKIL+i*#WS}8CPA$55aC>oen@+1q`29*J(1NHG=HL%6+h6;c@^8^PF0~d4f
zpCLzR)*tOrVwa4=R1hNckbAqS>V*Of18xZ<flTMJg#i!z2x6B2;kofjh$+*I>e26T
zRiaFDYKaFZ8;%~bw90>)QoZOAew^nT`zWIwsux>>WU--9r<lnq^fo-hhaw){M}py=
z2HB$_XRU3Y*UJ3cH#C9J41ORo-IQ~iyPI_z-kz%9+&sS>V`?iH4FEl;3GRsoOOsDr
z5%R(Hw&bizs}Caabh^i*2{01;GYL)&-2_cY)j&4L0T#Kjn+EM51ox&amKZuXxkw@8
z41Hk{3%>Mcq8uEefg(#H1xc&jC(f{M=5ItZd?3U7tclFu&Vfl)n}tjUVZ`vT_M6tC
zyk>5j-}?j*FXf+;c{Z=7K5#RO-q=&c^QIKBEteuH7au4y&$}6=WNk-sRT>=W)Yep}
z?);lT8R=39lsLj33b}VWZ8dBMw7L~u@$|a5sjA8mU(5!LfypK3(wXw{7dE)d9mvvv
zaFe#0nD$2O3oLE!r|L&$whK2RQ{_F6px(-()Vq-mYn|B>Q-H}WDms0mwoUbsB4#%6
zDo_r%0F}&ZNQN7ioGZI5ohGHW9fe};$gCp$St;j{A#zh#3TS>sD5oL=i!>9A@shug
zv$BPrdw|`#5R)<#70nL0*bU))PAgv$5^#KcU#TS^qZ%tJe0uwLv<~pNeo_N53iZKh
zbmtzQ;t=mc9xhQ6ubu#4{?xuESEV<;b#3W>gkA%z$<*NHwTmti0S7=)0$OQH2_^&%
z5L!`rt-O!#q>#FH?j)2Zq-oVFHOEsh0@KAGB88eYO<LSMLggWh4DT~)&dPdF+E~d6
zabOkdo*rOxr6(cy^Cuu0ft9xg(!2r5IBb*86^K<KW47J!Nazvd8Na)k$_p~=KNNlH
zC+_MKxMHmC%3;p~8m*?bXHu3;Gs_p$h|zz*imd?WNDa9F5Gj9!t(McR6UgBPzm%I5
z2($D9O=4LB#CSQ9iEhefRBWZnVsj?|><P(qp$}^MFi{=2`uOQ#3qpmV(FM;GfvEcw
z7+b4BL~w@btqt)Q{s6Zx$b+4t17RW5<6?hjcpjAkucB{b7y}9QqeyB8-^pTiw2Xw(
Fld?C}cXR*%

literal 0
HcmV?d00001

diff --git a/.vault/vault-rekey.sh b/.vault/vault-rekey.sh
new file mode 100755
index 0000000..531251f
--- /dev/null
+++ b/.vault/vault-rekey.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+DATE=$(date "+%Y%m%d-%s")
+
+# default key locations
+TARGET=".vault/vault-pass.gpg"
+KEYFILE=".vault/vault-keys"
+
+# read keys from here, overridden by KEYFILE
+#KEYS="XXX" 
+
+check_input()
+{
+  if [ -z "$KEYS" ]; then
+    if [ -z "$1" ]; then
+      echo >&2 "supply at least one key ID"
+      exit 1
+    fi
+  fi
+}
+
+if [ -f "$KEYFILE" ]; then
+    KEYS="$(cat $KEYFILE | tr '\n' ' ')"
+fi 
+
+if [ -f "$1" ]; then
+  TARGET=$1
+  check_input "$2"
+  shift
+else
+  if [ -f "$TARGET" ]; then
+    check_input "$1"
+  else
+    echo >&2 "default target not found: $TARGET"
+    exit 2
+  fi 
+fi
+
+# backup existing vault
+mv "$TARGET" "$TARGET-$DATE"
+
+# build key list
+# loop twice once for the array and once for the flat var to maintain sh compat
+for KEY in $KEYS; do KEY_LIST=$KEY_LIST"-r $KEY "; done
+for KEY in "$@"; do KEY_LIST=$KEY_LIST"-r $KEY "; done
+
+# rekey target file, ignore shellcheck globbing/word splitting warning
+gpg -q -d "$TARGET-$DATE" | gpg -q -e --trust-model always $KEY_LIST -o "$TARGET"
+
+# verification
+#md5sum "$TARGET-$DATE"
+#md5sum "$TARGET"
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..35bc98e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,68 @@
+# Ansible Playbook to setup a simple k8s cluster
+
+Checkout repo and switch to the directorty `~/lx-cad-deploy`
+
+Install ansible via virtual env
+
+```
+sudo apt install python3-pip python3.10-venv
+python3.10 -m venv ~/.local/venv/ansible
+source ~/.local/venv/ansible/bin/activate
+pip install ansible
+ansible --version
+```
+
+Install required roles:
+
+```
+ansible-galaxy install -f -p roles -r roles/requirements.yml
+```
+
+Generate token for the cluster, this assumes ansible vault has been setup
+
+```
+./roles/k8s/files/token-vault.sh ./group_vars/lx_cad/k8s-vault.yml
+```
+
+Configure firewalld and nginx for hosts
+
+```
+ansible-playbook -i hosts site.yml --tags=firewalld,nginx
+```
+
+Install Stack Orchestrator for control hosts
+
+```
+ansible-playbook -i hosts site.yml --tags=so --limit=so
+```
+
+Deploy k8s
+
+```
+ansible-playbook -i hosts site.yml --tags=k8s --limit=lx_cad
+```
+
+Install k8s helper tools
+
+```
+sudo ~/lx-cad-deploy/roles/k8s/files/get-kube-tools.sh
+```
+
+Verify cluster creation
+
+```
+kubie ctx lx-cad
+kubectl get nodes -o wide
+```
+
+DNS Secret example
+
+```
+apiVersion: v1
+data:
+  access-token: XXX
+kind: Secret
+metadata:
+  name: someprovider-dns
+  namespace: cert-manager
+```
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..5d3b69a
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+roles_path = roles:galaxy-roles:git-roles:ansible-roles:~/.ansible/roles
+vault_password_file = .vault/vault-open.sh
diff --git a/files/manifests/digitalocean-dns.yaml b/files/manifests/digitalocean-dns.yaml
new file mode 100644
index 0000000..4d469f8
--- /dev/null
+++ b/files/manifests/digitalocean-dns.yaml
@@ -0,0 +1,16 @@
+$ANSIBLE_VAULT;1.1;AES256
+32383162626163663734653236646538626464643665323334666363306662363434346133653737
+3766373965626437376630303837663339383664643466300a336463366335636634336437303036
+32626138646662633337663037393538336438643363303962326263656636316336346462643937
+6337363463626265630a663964386638633133613465363436376533346336333066663664363062
+65333864353338656437333762313937376538376634383438643134313266366236393039376131
+35646533353539633436343435316465386534646663316234336263363163343463626632663837
+66633432376136323961336437613465303635303966343530383162653766373736333661386163
+30303233333939626537303631313532373130363866306165343732653064643866393933323230
+31373035653332363961343464613134626464643733313666333861623961373264303462633334
+63653638356666656163343266353133396236313231643664313764663761363634643063323466
+36623266393166316138343239393663393739666266653730323766643566343936386436666164
+30616637656563626634306634336631613564396234613836396537636363643466323762393166
+33623534613462306130356631626265373462343065333132666439623333663135336437323536
+36303131386135333763356565323962666233353263353331653065333435613138343939393530
+633664316538643432303731366233653831
diff --git a/files/manifests/wildcard-pwa-audubon.yaml b/files/manifests/wildcard-pwa-audubon.yaml
new file mode 100644
index 0000000..b048501
--- /dev/null
+++ b/files/manifests/wildcard-pwa-audubon.yaml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: pwa.audubon.app
+  namespace: default
+spec:
+  secretName: pwa.audubon.app
+  issuerRef:
+    name: letsencrypt-prod-wild
+    kind: ClusterIssuer
+    group: cert-manager.io
+  commonName: "*.pwa.audubon.app"
+  dnsNames:
+    - ".pwa.audubon.app"
+    - "*.pwa.audubon.app"
diff --git a/group_vars/all/nginx-vault.yml b/group_vars/all/nginx-vault.yml
new file mode 100644
index 0000000..9bad4e6
--- /dev/null
+++ b/group_vars/all/nginx-vault.yml
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+61643936333265303166353936373164393663353565343136313838663932646663653165393262
+3435356136353463633330333861666638613831306439350a636462346339343465343864363233
+63643831653462383462623639653439336239313831383333326135303662363830326235396666
+3164653535666539390a356133333438306332383537616331336138333161643361393462653037
+32626534346339303662643138336639646530626561393834303663626464646364616433633263
+3233303765316363373061376262366239633864353437383136
diff --git a/group_vars/lx_cad/k8s-vault.yml b/group_vars/lx_cad/k8s-vault.yml
new file mode 100644
index 0000000..f939c98
--- /dev/null
+++ b/group_vars/lx_cad/k8s-vault.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+35636161616230343863626538626535303366383363623336636166343331626664326230626661
+3937353665346130663263653132393634333736343962610a343732303062353436636232653731
+65393839356235336434343038373530313136306563656633346561633839656238613838616634
+3537363938303830340a373435396561656433303632366132343765323139653930316531356337
+39353865386535633339306537646465336438353030616631326136636138336332373965646439
+65666530666263326165653162373633306139613266616364616435626138666433326365333334
+333662376231636163356430636438656565
diff --git a/group_vars/lx_cad/k8s.yml b/group_vars/lx_cad/k8s.yml
new file mode 100644
index 0000000..3d0ae10
--- /dev/null
+++ b/group_vars/lx_cad/k8s.yml
@@ -0,0 +1,39 @@
+---
+k8s_cluster_name: lx-cad
+k8s_cluster_url: lx-cad-cluster-control.audubon.app
+k8s_taint_servers: true
+
+k8s_manifests:
+  - name: cert-manager
+    url: https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml
+  
+  # issuer for basic http certs
+  - name: letsencrypt-prod
+    type: template
+    source: shared/clusterissuer-acme.yaml
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers: 
+      - type: http
+        ingress: nginx
+
+  # issuer for wildcard dns certs
+  - name: letsencrypt-prod-wild
+    type: template
+    source: shared/clusterissuer-acme.yaml
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers: 
+      - type: dns
+        provider: digitalocean
+        tokenref: tokenSecretRef
+        secret_name: digitalocean-dns
+        secret_key: access-token
+
+  # initiate wildcard cert
+  - name: pwa.audubon.app
+    type: file
+    source: wildcard-pwa-audubon.yaml
+
+k8s_secrets:
+  - name: digitalocean-dns
+    type: file
+    source: secret-digitalocean-dns.yaml
diff --git a/host_vars/lx-cad-cluster-control/firewalld.yml b/host_vars/lx-cad-cluster-control/firewalld.yml
new file mode 100644
index 0000000..eb0aeed
--- /dev/null
+++ b/host_vars/lx-cad-cluster-control/firewalld.yml
@@ -0,0 +1,15 @@
+---
+firewalld_add:
+  - name: public
+    interfaces:
+      - enp9s0
+    services:
+      - http
+      - https
+
+  - name: trusted
+    sources:
+      - 10.42.0.0/16
+      - 10.43.0.0/16
+      - 23.111.78.182/32
+      - 23.111.69.218/32
diff --git a/host_vars/lx-cad-cluster-worker/firewalld.yml b/host_vars/lx-cad-cluster-worker/firewalld.yml
new file mode 100644
index 0000000..71af218
--- /dev/null
+++ b/host_vars/lx-cad-cluster-worker/firewalld.yml
@@ -0,0 +1,15 @@
+---
+firewalld_add:
+  - name: public
+    interfaces:
+      - enp9s0
+    services:
+      - http
+      - https
+
+  - name: trusted
+    sources:
+      - 10.42.0.0/16
+      - 10.43.0.0/16
+      - 23.111.78.179/32
+      - 23.111.69.218/32
diff --git a/host_vars/lx-daemon/firewalld.yml b/host_vars/lx-daemon/firewalld.yml
new file mode 100644
index 0000000..62c4493
--- /dev/null
+++ b/host_vars/lx-daemon/firewalld.yml
@@ -0,0 +1,17 @@
+---
+firewalld_add:
+  - name: public
+    interfaces:
+      - ens3
+    services:
+      - http
+      - https
+    ports:
+      - 22657/tcp
+      - 22656/tcp
+      - 1317/tcp
+
+  - name: trusted
+    sources:
+      - 23.111.78.179/32
+      - 23.111.78.182/32
diff --git a/host_vars/lx-daemon/nginx.yml b/host_vars/lx-daemon/nginx.yml
new file mode 100644
index 0000000..0557caf
--- /dev/null
+++ b/host_vars/lx-daemon/nginx.yml
@@ -0,0 +1,21 @@
+---
+nginx_packages_intall: false
+nginx_server_name_hash: 64
+nginx_proxy_read_timeout: 1200
+nginx_proxy_send_timeout: 1200
+nginx_proxy_connection_timeout: 75
+
+nginx_sites:
+  - name: lx-console
+    url: lx-console.audubon.app
+    upstream: http://localhost:8080
+    template: basic-proxy
+    ssl: true
+
+  - name: lx-daemon
+    url: lx-daemon.audubon.app
+    upstream: http://localhost:9473
+    configs:
+      - rewrite ^/deployer(/.*)? https://webapp-deployer.pwa.audubon.app permanent
+    template: websocket-proxy
+    ssl: true
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..174990d
--- /dev/null
+++ b/hosts
@@ -0,0 +1,11 @@
+[all]
+lx-daemon ansible_host=
+lx-cad-cluster-control ansible_host=
+lx-cad-cluster-worker ansible_host=
+
+[so]
+lx-daemon
+
+[lx_cad]
+lx-cad-cluster-control k8s_node_type=bootstrap
+lx-cad-cluster-worker k8s_node_type=agent k8s_pod_limit=1024 k8s_external_ip=
diff --git a/roles/requirements.yml b/roles/requirements.yml
new file mode 100644
index 0000000..7803c4e
--- /dev/null
+++ b/roles/requirements.yml
@@ -0,0 +1,20 @@
+---
+- name: firewalld
+  scm: git
+  src: https://github.com/srwadleigh/ansible-role-firewalld
+  version: main
+
+- name: nginx
+  scm: git
+  src: https://github.com/srwadleigh/ansible-role-nginx
+  version: main
+
+- name: so
+  scm: git
+  src: https://github.com/srwadleigh/ansible-role-so
+  version: main
+
+- name: k8s
+  scm: git
+  src: https://github.com/srwadleigh/ansible-role-k8s
+  version: main
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..f30d9a4
--- /dev/null
+++ b/site.yml
@@ -0,0 +1,25 @@
+---
+- name: Setup hosts
+  hosts: all
+  become: true
+  roles:
+    - role: firewalld
+    - role: nginx
+
+- name: Setup stack orchestrator
+  hosts: so
+  become: true
+  roles:
+    - role: so  
+  tags:
+    - never
+    - so
+
+- name: Setup k8s clusters
+  hosts: k8s
+  become: true
+  roles:
+    - role: k8s  
+  tags:
+    - never
+    - k8s