diff --git a/service-provider-setup/k8s-vars.example.yml b/service-provider-setup/k8s-vars.example.yml
index 3ceb227..53b09d7 100644
--- a/service-provider-setup/k8s-vars.example.yml
+++ b/service-provider-setup/k8s-vars.example.yml
@@ -1,3 +1,6 @@
 target_host: ""
 gpg_key_id: ""
 vault_passphrase: ""
+org_id: ""
+location_id: ""
+dns_domain: ""
diff --git a/service-provider-setup/templates/control-firewalld.yml.j2 b/service-provider-setup/templates/control-firewalld.yml.j2
new file mode 100644
index 0000000..cb32ffa
--- /dev/null
+++ b/service-provider-setup/templates/control-firewalld.yml.j2
@@ -0,0 +1,16 @@
+---
+firewalld_add:
+  - name: public
+    interfaces:
+      - enp9s0
+    services:
+      - http
+      - https
+    ports:
+      - 6443/tcp
+
+  - name: trusted
+    sources:
+      - 10.42.0.0/16
+      - 10.43.0.0/16
+      - "{{ cluster_control_ip }}"
diff --git a/service-provider-setup/templates/daemon-firewalld.yml.j2 b/service-provider-setup/templates/daemon-firewalld.yml.j2
new file mode 100644
index 0000000..64a94c8
--- /dev/null
+++ b/service-provider-setup/templates/daemon-firewalld.yml.j2
@@ -0,0 +1,16 @@
+---
+firewalld_add:
+  - name: public
+    interfaces:
+      - ens3
+    services:
+      - http
+      - https
+    ports:
+      - 26657/tcp
+      - 26656/tcp
+      - 1317/tcp
+
+  - name: trusted
+    sources:
+      - "{{ cluster_control_ip }}"
diff --git a/service-provider-setup/templates/hosts.j2 b/service-provider-setup/templates/hosts.j2
new file mode 100644
index 0000000..7985902
--- /dev/null
+++ b/service-provider-setup/templates/hosts.j2
@@ -0,0 +1,12 @@
+[all]
+{{ org_id }}-daemon ansible_host={{ cluster_control_ip }}
+{{ org_id }}-{{ country_id }}-cluster-control ansible_host={{ cluster_control_ip }}
+
+[so]
+{{ org_id }}-daemon
+
+[{{ org_id }}-{{ country_id }}]
+{{ org_id }}-{{ country_id }}-cluster-control k8s_node_type=bootstrap k8s_pod_limit=1024 k8s_external_ip={{ cluster_control_ip }}
+
+[k8s:children]
+{{ org_id }}-{{ country_id }} 
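Review bot: The example adds `location_id`, but none of the new templates read it; hosts.j2 and k8s.yml.j2 build host and cluster names from `country_id`, which this example does not define, so either the example key or the templates' variable name is wrong. `cluster_control_ip` and `support_email` are likewise consumed by the templates without appearing here, though they may be set in a vars file outside this diff. The new keys would also benefit from a comment on the expected form, e.g. `dns_domain: ""  # second-level label only; the templates append ".com"`, since every template composes `{{ dns_domain }}.com` itself.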
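Review bot: `6443/tcp` is opened in the `public` zone, which makes the Kubernetes API server reachable from any source on `enp9s0`, while the `trusted` zone already carries the pod/service CIDRs and `cluster_control_ip`. Unless external clients are meant to reach the API directly, the port should be listed under the `trusted` zone (or the public entry narrowed with a firewalld rich rule) so only those sources reach it. The interface name `enp9s0` is also hard-coded inside a Jinja template, as is `ens3` in daemon-firewalld.yml.j2; a variable would avoid silently leaving a host unfirewalled when its NIC is named differently.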
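Review bot: `26657/tcp` and `1317/tcp` sit next to `26656/tcp` in the `public` zone, so what look like the daemon's RPC and REST endpoints (these match Tendermint/Cosmos defaults, but the hunk does not say) are exposed to every source rather than only the P2P port. If those endpoints are not intended for arbitrary clients they belong in the `trusted` zone beside `cluster_control_ip`. A one-word comment per port, e.g. `- 26656/tcp  # p2p`, would let a reviewer check the exposure against intent.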
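Review bot: Both inventory hosts get `ansible_host={{ cluster_control_ip }}`, so `{{ org_id }}-daemon` and `{{ org_id }}-{{ country_id }}-cluster-control` resolve to the same address; the two firewalld templates use different interface names (`ens3` vs `enp9s0`), which suggests they are separate machines, in which case the daemon needs its own address variable, e.g. `{{ org_id }}-daemon ansible_host={{ daemon_ip }}` (variable name constructed) with a matching key in k8s-vars.example.yml. The final line `{{ org_id }}-{{ country_id }} ` also carries a trailing space.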
diff --git a/service-provider-setup/templates/k8s.yml.j2 b/service-provider-setup/templates/k8s.yml.j2
new file mode 100644
index 0000000..6cd2c08
--- /dev/null
+++ b/service-provider-setup/templates/k8s.yml.j2
@@ -0,0 +1,55 @@
+---
+# default context is used for stack orchestrator deployments, for testing a custom context name can be usefull
+#k8s_cluster_name: "{{ org_id }}-{{ country_id }}-cluster"
+k8s_cluster_name: default
+k8s_cluster_url: "{{ org_id }}-{{ country_id }}-cluster-control.{{ dns_domain }}.com"
+k8s_taint_servers: false
+
+k8s_acme_email: "{{ support_email }}"
+
+# k3s bundles traefik as the default ingress controller, we will disable it and use nginx instead
+k8s_disable:
+  - traefik
+
+# secrets can be stored in a file or as a template, the template secrets gets dynamically base64 encoded while file based secrets must be encoded by hand
+k8s_secrets:
+  - name: digitalocean-dns
+    type: file
+    source: secret-digitalocean-dns.yaml
+
+k8s_manifests:
+  # ingress controller, replaces traefik which is explicitly disabled
+  - name: ingress-nginx
+    type: url
+    source: https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.1/deploy/static/provider/cloud/deploy.yaml
+
+  # cert-manager, required for letsencrypt
+  - name: cert-manager
+    type: url
+    source: https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml
+
+  # issuer for basic http certs
+  - name: letsencrypt-prod
+    type: template
+    source: shared/clusterissuer-acme.yaml
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+      - type: http
+        ingress: nginx
+
+  # issuer for wildcard dns certs
+  - name: letsencrypt-prod-wild
+    type: template
+    source: shared/clusterissuer-acme.yaml
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+      - type: dns
+        provider: digitalocean
+        tokenref: tokenSecretRef
+        secret_name: digitalocean-dns
+        secret_key: access-token
+
+  # initiate wildcard cert
+  - name: "pwa.{{ dns_domain }}.com"
+    type: file
+    source: "wildcard-pwa-{{ dns_domain }}.yaml"
diff --git a/service-provider-setup/templates/nginx.yml.j2 b/service-provider-setup/templates/nginx.yml.j2
new file mode 100644
index 0000000..c031511
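Review bot: The last manifest entry points at `source: "wildcard-pwa-{{ dns_domain }}.yaml"` with `type: file`, but the file this commit adds is `templates/wildcard-pwa-example.yml.j2`, so the name, the `-example` suffix and the extension do not line up; the comment on `k8s_secrets` also implies `file` sources are used as-is, which, if it holds for manifests too, would leave the `{{ dns_domain }}` placeholders in that file unrendered unless a playbook step outside this diff renders it first. Either switch to `type: template` with `source: wildcard-pwa-example.yml.j2` (assuming the role resolves templates relative to `templates/`) or state the rendering step in the `# initiate wildcard cert` comment. The two `type: url` manifests are fetched from GitHub at apply time; the tags are pinned, which is good, but a comment stating how the fetched content is verified, or vendoring them beside `shared/clusterissuer-acme.yaml`, would make the supply chain auditable. Minor: `usefull` in the first comment.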
--- /dev/null
+++ b/service-provider-setup/templates/nginx.yml.j2
@@ -0,0 +1,21 @@
+---
+nginx_packages_intall: false
+nginx_server_name_hash: 64
+nginx_proxy_read_timeout: 1200
+nginx_proxy_send_timeout: 1200
+nginx_proxy_connection_timeout: 75
+
+nginx_sites:
+  - name: "{{ org_id }}-console"
+    url: "{{ org_id }}-console.{{ dns_domain }}.com"
+    upstream: http://localhost:8080
+    template: basic-proxy
+    ssl: true
+
+  - name: "{{ org_id }}-daemon"
+    url: "{{ org_id }}-daemon.{{ dns_domain }}.com"
+    upstream: http://localhost:9473
+    configs:
+      - rewrite "^/deployer(/.*)? https://webapp-deployer.pwa.{{domain}}.com" permanent
+    template: websocket-proxy
+    ssl: true
\ No newline at end of file
diff --git a/service-provider-setup/templates/wildcard-pwa-example.yml.j2 b/service-provider-setup/templates/wildcard-pwa-example.yml.j2
new file mode 100644
index 0000000..d131562
--- /dev/null
+++ b/service-provider-setup/templates/wildcard-pwa-example.yml.j2
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: "pwa.{{ dns_domain }}.com"
+  namespace: default
+spec:
+  secretName: "pwa.{{ dns_domain }}.com"
+  issuerRef:
+    name: letsencrypt-prod-wild
+    kind: ClusterIssuer
+    group: cert-manager.io
+  commonName: "*.pwa.{{ dns_domain }}.com"
+  dnsNames:
+    - "pwa.{{ dns_domain }}.com"
+    - "*.pwa.{{ dns_domain }}.com"
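Review bot: The rewrite under the `{{ org_id }}-daemon` site references `{{domain}}`, while every other template in this change uses `dns_domain`; with Ansible's default handling of undefined variables the template will fail to render, and the quoting also wraps the regex and the replacement into one argument, so nginx would most likely take `permanent` as the replacement rather than as the flag. Suggested line: `- 'rewrite ^/deployer(/.*)? https://webapp-deployer.pwa.{{ dns_domain }}.com$1 permanent'` (the `$1` is a guess at intent, since the capture group is otherwise unused; drop it if the path is meant to be discarded). `nginx_packages_intall` also looks like a typo for `nginx_packages_install`; if the consuming role spells it the latter way this key is silently ignored. The file has no trailing newline.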
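Review bot: The Certificate and its `secretName` are created in `namespace: default`, so the wildcard TLS secret is only referenceable by Ingress resources in that namespace; if the `pwa.{{ dns_domain }}.com` workloads land elsewhere, the Certificate has to be issued there (or the secret copied) for the ingress to serve it. A short header comment stating which namespace's ingresses are expected to consume `pwa.{{ dns_domain }}.com` would make that dependency explicit.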