clean up cluster type env, update k3s config template

2024-04-30 03:30:58 +00:00 · 2024-04-30 03:30:58 +00:00 · 495e79438f
commit 495e79438f
parent 8ae38be0bf
10 changed files with 131 additions and 169 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -6,62 +6,77 @@ k8s_action: create

 # k3s | rke2
 k8s_type: k3s
-k8s_channel: stable

 k8s_cluster_name: default
 k8s_cluster_url: localhost
-
-# bootstrap | server | agent
-k8s_node_type: bootstrap
 k8s_node_ip: "{{ ansible_host }}"

+# paths
+k8s_install_script: /usr/local/bin/{{ k8s_type }}-install.sh
+k8s_config_path: "/etc/rancher/{{ k8s_type }}"
+k8s_cmd_path: /usr/local/bin
+k8s_nm_path: /etc/NetworkManager/conf.d
+k8s_manifests_path: "/var/lib/rancher/{{ k8s_type }}/server/manifests/"
+
 # sysctl set fs.inotify.max_user_instances
 k8s_inotify_max: 1024

 # hardcoded kublet default value is 110
 k8s_pod_limit: 110

-# we can set this by platform later
+# overriden by vars/sysetms/
 k8s_selinux: false

-# if the host is using network manager, see vars/sys/ for overrides
+# if the host is using network manager, overriden by vars/sysetms/ 
 k8s_has_nm: false

-# if the host is using an http proxy
+# if the host is using an http proxy for external access
 k8s_http_proxy: false

-# cni
-# k8s_cni_type:
-
+# kubeconfig chmod
 k8s_config_mode: 600
+
+# rke2 server listens on a dedicatged port for new nodes to register
+k8s_supervisor_port: 9345
+
+# shared k8s api port
 k8s_api_port: 6443
+
+# misc options
 k8s_debug: false
-k8s_skip_start: false
 k8s_taint_servers: false
 k8s_flannel_wireguard: false
 k8s_disable_kube_proxy: false
+k8s_disable_network_policy: false

-# paths
-k8s_install_script: /usr/local/bin/{{ k8s_type }}-install.sh
-k8s_config_path: "/etc/rancher/{{ k8s_type }}"
-k8s_cmd_path: /usr/local/bin
-k8s_nm_path: /etc/NetworkManager/conf.d
+# k8s_kubelet_args
+#  - "kube-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi"
+#  - "system-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi"
+#  - "eviction-hard=memory.available<500Mi,nodefs.available<10%"
+#  - "max-pods={{ k8s_pod_limit }}"
+#  - "v=2"
+k8s_kubelet_args:
+ - "max-pods={{ k8s_pod_limit }}"

-k8s_manifests_path: "/var/lib/rancher/{{ k8s_type }}/server/manifests/"
+# Define
+
+# you can pre-generate this ina vault with the token.sh script
+# k8s_cluster_token
+
+# stable, latest, testing, ...
+# k8s_channel: stable
+
+# k8s_version to deploy a specific version
+# k8s_version: v1.27.7+k3s2
+
+# bootstrap | server | agent
+# k8s_node_type: bootstrap

 # if defined, install manifests
 # k8s_manifests:
 #  - name: cert-manager
 #    path: https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml

-# Override
-# k8s_cluster_name
-# k8s_cluster_url
-
-# Define
-# k8s_cluster_token
-# you can pre-generate this ina vault with the token.sh script
-
 # k8s_node_taints
 # --node-taint CriticalAddonsOnly=true:NoExecute
 # k8s_node_taints:
@ -69,15 +84,30 @@ k8s_manifests_path: "/var/lib/rancher/{{ k8s_type }}/server/manifests/"
 #    value: true
 #    effect: NoExecute

-# these are provided simply for the opportunity to override in cases where some ajustment isnt supported by the config templates
-# k8s_install_bootstrap: >-
-#  server --cluster-init --tls-san {{ k8s_cluster_url }} --node-taint CriticalAddonsOnly=true:NoExecute
-#  {% if k8s_disable is defined %}
-#  {% for disable in k8s_disable %}
-#  --disable={{ disable }}
-#  {% endfor %}
-#  {% endif %}

-# k8s_install_agent: >-
-#  agent --kubelet-arg=config=/etc/rancher/k3s/kubelet.config --node-ip={{ ansible_host }}
-#  {% if k8s_external_ip is defined %}--node-external-ip={{ k8s_external_ip }}{% endif %}
+# K3S
+
+# flannel-backend: 'vxlan', 'host-gw', 'wireguard-native', 'none'
+# k8s_flannel_backend: vxlan
+# k8s_flannel_ipv6_masq: false
+# k8s_flannel_external_ip: false
+
+# disable builtin services
+# k8s_disable: 
+#  - traefik
+#  - servicelb
+
+
+# RKE2
+
+# canal, cilium, calico, flannel
+# k8s_cni_type: canal
+
+# disable builtin services
+# k8s_disable: 
+#  - rke2-coredns
+#  - rke2-ingress-nginx
+#  - rke2-metrics-server
+#  - rke2-snapshot-controller
+#  - rke2-snapshot-controller-crd
+#  - rke2-snapshot-validation-webhook
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,38 +1,25 @@
 ---
-dependencies: []
-
 galaxy_info:
-  role_name: k8s
-  author: srw
-  description: Ansible role for configuring k3s and rke2 kubernetes clusters
-  company: "NMD, LLC"
-  license: "license (BSD, MIT)"
-  min_ansible_version: "2.10"
+  author: Shane Wadleigh
+  description: An Ansible role for configuring nginx and letsencrypt certificates
+  company: 20C
+  license: Apache
+  min_ansible_version: "2"
  platforms:
-    - name: Fedora
-      versions:
-        - all
-    - name: Debian
-      versions:
-        - buster
-        - bullseye
-        - bookworm
-    - name: Ubuntu
-      versions:
-        - bionic
-        - focal
-        - jammy
-    - name: Alpine
-      version:
-        - all
-    - name: ArchLinux
-      versions:
-        - all
-  galaxy_tags:
-    - server
-    - system
-    - containers
-    - kubernetes
-    - k8s
-    - k3s
-    - rke2
+  - name: EL
+    versions:
+      - all
+  - name: Fedora
+    versions:
+      - all
+  - name: Ubuntu
+    versions:
+      - all
+  - name: Debian
+    versions:
+      - all
+dependencies: []
+#dependencies:
+#  - name: common
+#    src: https://github.com/your-username/common-role
+#    version: master  # You can specify a specific tag or branch
--- a/tasks/k3s/config.yml
+++ b/tasks/k3s/config.yml
@ -1,8 +1,8 @@
 ---

  # PRE-DEPLOY
-  - name: template k3s kubelet config
-    ansible.builtin.template:
-      src: "templates/k3s-kubelet.config.j2"
-      dest: "/etc/rancher/k3s/kubelet.config"
-      mode: 0644
+  # - name: template k3s kubelet config
+  #  ansible.builtin.template:
+  #    src: "templates/k3s-kubelet.config.j2"
+  #    dest: "/etc/rancher/k3s/kubelet.config"
+  #    mode: 0644
--- a/tasks/k3s/main.yml
+++ b/tasks/k3s/main.yml
@ -3,20 +3,20 @@
  # BOOTSTRAP
  - name: k3s boostrap initial server node
    ansible.builtin.shell: "{{ k8s_install_script }}"
-    environment: "{{ k8s_env | combine({'INSTALL_K3S_EXEC': '{{ k8s_install_bootstrap }}'}) }}"
+    environment: "{{ k8s_env }}"
    when:
      - k8s_node_type == "bootstrap"

  # ADD SERVERS
  - name: k3s add additional server nodes
    ansible.builtin.shell: "{{ k8s_install_script }}"
-    environment: "{{ k8s_env | combine({'INSTALL_K3S_EXEC': '{{ k8s_install_server }}'}) }}"
+    environment: "{{ k8s_env }}"
    when:
      - k8s_node_type == "server"

  # ADD AGENTS
  - name: k3s add agent nodes
    ansible.builtin.shell: "{{ k8s_install_script }}"
-    environment: "{{ k8s_env | combine({'INSTALL_K3S_EXEC': '{{ k8s_install_agent }}'}) }}"
+    environment: "{{ k8s_env }}"
    when:
      - k8s_node_type == "agent"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -10,10 +10,10 @@
      local_user: "{{ lookup('env', 'USER') }}"
      delegate_to: localhost

-  # useful to set this bc k8s_node_type has a special value bootstrap which is not an actual type
+  # resolve actual node type, boostrap is not recognized 
  - name: set true node type
    set_fact:
-      node_type: "{{ 'agent' if k8s_node_type == 'agent' else 'server' }}"
+      node_type: "{{ 'server' if k8s_node_type == 'bootstrap' else k8s_node_type }}"

  - name: load type specific values
    ansible.builtin.include_vars:
@ -50,7 +50,7 @@

  - name: download install script
    ansible.builtin.get_url:
-      url: "{{ k8s_install_url }}"
+      url: "{{ k8s_install_url | d(k8s_default_install_url) }}"
      timeout: 120
      dest: "{{ k8s_install_script }}"
      owner: root
--- a/tasks/rke2/config.yml
+++ b/tasks/rke2/config.yml
@ -13,7 +13,7 @@
      dest: "{{ k8s_nm_path }}/{{ k8s_type }}-canal.conf"
      mode: 0600
    when:
-      - k8s_cni_type == "canal"
+      - k8s_cni_type == "canal" or k8s_cni_type is not defined
      - k8s_has_nm
    tags:
      - k8s-config
--- a/tasks/rke2/main.yml
+++ b/tasks/rke2/main.yml
@ -3,14 +3,14 @@
  # BOOTSTRAP
  - name: rke2 boostrap initial server node
    ansible.builtin.shell: "{{ k8s_install_script }}"
-    environment: "{{ k8s_env | combine({'INSTALL_RKE2_TYPE': 'server'}) }}"
+    environment: "{{ k8s_env }}"
    when:
      - k8s_node_type == "bootstrap"

  - name: rke2 template cni manifests
    ansible.builtin.template:
-      src: "templates/{{ k8s_type }}-{{ k8s_cni_type }}-config.yaml.j2"
-      dest: "{{ k8s_manifests_path }}/{{ k8s_type }}-{{ k8s_cni_type }}-config.yaml"
+      src: "templates/{{ k8s_type }}-{{ k8s_cni_type | d('canal') }}-config.yaml.j2"
+      dest: "{{ k8s_manifests_path }}/{{ k8s_type }}-{{ k8s_cni_type | d('canal') }}-config.yaml"
      mode: 0600
    when:
      - k8s_node_type == "bootstrap"
@ -23,14 +23,14 @@
  # ADD SERVERS
  - name: rke2 add additional server nodes
    ansible.builtin.shell: "{{ k8s_install_script }}"
-    environment: "{{ k8s_env | combine({'INSTALL_RKE2_TYPE': 'server'}) }}"
+    environment: "{{ k8s_env }}"
    when:
      - k8s_node_type == "server"

  # ADD AGENTS
  - name: rke2 add agent nodes
    ansible.builtin.shell: "{{ k8s_install_script }}"
-    environment: "{{ k8s_env | combine({'INSTALL_RKE2_TYPE': 'agent'}) }}"
+    environment: "{{ k8s_env }}"
    when:
      - k8s_node_type == "agent"

--- a/templates/k3s-config.yaml.j2
+++ b/templates/k3s-config.yaml.j2
@ -22,6 +22,13 @@ tls-san: {{ k8s_cluster_url }}
 selinux: true
 {% endif -%}

+{% if k8s_disable_kube_proxy and k8s_node_type != "agent" -%}
+disable-kube-proxy: true
+{% endif -%}
+{% if k8s_disable_network_policy and k8s_node_type != "agent" -%}
+disable-network-policy: true
+{% endif -%}
+
 {% if k8s_disable is defined and k8s_node_type != "agent" %}
 # disable builtin services
 {% for disable in k8s_disable %}
@ -30,6 +37,13 @@ disable: {{ disable }}
 {% endif -%}
 {% endif %}

+{% if k8s_flannel_backend is defined and k8s_node_type != "agent" -%}
+# cofigure or disable flannel cni
+flannel-backend: {{ k8s_flannel_backend | d('vxlan') }}
+flannel-ipv6-masq: {{ k8s_flannel_ipv6_masq | d('false') }}
+flannel-external-ip: {{ k8s_flannel_external_ip | d('false') }}
+{% endif %}
+
 # node network
 {% if k8s_node_ip is defined -%}
 node-ip: {{ k8s_node_ip }}
@ -38,13 +52,6 @@ node-ip: {{ k8s_node_ip }}
 node-external-ip: {{ k8s_external_ip }}
 {% endif -%}

-{% if k8s_flannel_backend is defined and k8s_node_type != "agent" -%}
-# cofigure or disable flannel cni
-flannel-backend: {{ k8s_flannel_backend }}
-flannel-ipv6-masq: {{ k8s_flannel_ipv6_masq }}
-flannel-external-ip: {{ k8s_flannel_external_ip }}
-{% endif %}
-
 {% if k8s_node_taints is defined -%}
 # initial node taints
 {% for taint in k8s_node_taints -%}
--- a/vars/types/k3s.yml
+++ b/vars/types/k3s.yml
@ -1,45 +1,13 @@
 ---
 # See https://docs.k3s.io/

-# define k8s_version to deploy a specific version
-# channel: stable, latest, testing
-k8s_install_url: https://get.k3s.io
-k8s_channel_url: https://update.k3s.io/v1-release/channels
-
-# cluster network (cni)
-# flannel-backend: 'vxlan', 'host-gw', 'wireguard-native', 'none'
-k8s_flannel_backend: vxlan
-k8s_flannel_ipv6_masq: false
-k8s_flannel_external_ip: false
-
-# disable builtin services
-k8s_disable: 
-  - "traefik"
-
-# kubelet configs
-#  - "kube-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi"
-#  - "system-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi"
-#  - "eviction-hard=memory.available<500Mi,nodefs.available<10%"
-k8s_kubelet_args:
- - config=/etc/rancher/k3s/kubelet.config
+k8s_default_install_url: https://get.k3s.io
+k8s_default_channel_url: https://update.k3s.io/v1-release/channels

 k8s_env:
-  INSTALL_K3S_CHANNEL_URL: "{{ k8s_channel_url }}"
-  INSTALL_K3S_CHANNEL: "{{ k8s_channel }}"
-  INSTALL_K3S_SKIP_START: "{{ k8s_skip_start }}"
-
-  # will attempt to download from channel if not specified
+  #K3S_KUBECONFIG_MODE: "{{ k8s_config_mode }}"
+  INSTALL_K3S_SKIP_START: "{{ k8s_skip_start | d('false') }}"
+  INSTALL_K3S_CHANNEL_URL: "{{ k8s_channel_url | d(k8s_default_channel_url) }}"
+  INSTALL_K3S_CHANNEL: "{{ k8s_channel | d('stable') }}"
  INSTALL_K3S_VERSION: "{{ k8s_version | d() }}"
-
-  # there is some consider for where the token lives after initial node creation, this could get pruned from env or config most likely
-  #K3S_TOKEN: "{{ k8s_cluster_token }}"
-  K3S_KUBECONFIG_MODE: "{{ k8s_config_mode }}"
-
-k8s_install_bootstrap: >-
-  server
-
-k8s_install_server: >-
-  server
-
-k8s_install_agent: >-
-  agent
+  INSTALL_K3S_EXEC: "{{ node_type }} {{ node_install_args | d() }}"
--- a/vars/types/rke2.yml
+++ b/vars/types/rke2.yml
@ -1,41 +1,11 @@
 ---
 # See https://docs.rke2.io/

-# define k8s_version to deploy a specific version
-# channel: stable, latest, testing
-k8s_install_url: https://get.rke2.io
-k8s_channel_url: https://update.rke2.io/v1-release/channels
-k8s_cmd_path: /usr/bin
-
-# rke2 server listens on a dedicatged port for new nodes to register
-k8s_supervisor_port: 9345
-
-# canal, cilium, calico, flannel
-k8s_cni_type: canal
-
-# disable builtin services
-# k8s_disable: 
-#  - rke2-coredns
-#  - rke2-ingress-nginx
-#  - rke2-metrics-server
-#  - rke2-snapshot-controller
-#  - rke2-snapshot-controller-crd
-#  - rke2-snapshot-validation-webhook
-
-# kubelet configs
-#  - "kube-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi"
-#  - "system-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi"
-#  - "eviction-hard=memory.available<500Mi,nodefs.available<10%"
-k8s_kubelet_args:
- - "max-pods={{ k8s_pod_limit }}"
+k8s_default_install_url: https://get.rke2.io
+k8s_default_channel_url: https://update.rke2.io/v1-release/channels

 k8s_env:
-  INSTALL_RKE2_CHANNEL_URL: "{{ k8s_channel_url }}"
-  INSTALL_RKE2_CHANNEL: "{{ k8s_channel }}"
-
-  # will attempt to download from channel if not specified
+  INSTALL_RKE2_CHANNEL_URL: "{{ k8s_channel_url | d(k8s_default_channel_url) }}"
+  INSTALL_RKE2_CHANNEL: "{{ k8s_channel | d('stable') }}"
  INSTALL_RKE2_VERSION: "{{ k8s_version | d() }}"
-
-  # server or agent
-  #INSTALL_RKE2_TYPE: "{{ k8s_channel }}"
-  
+  INSTALL_RKE2_TYPE: "{{ node_type }} {{ node_install_args | d() }}"